64fr59888 Coppa

8/3/2019 64fr59888 Coppa

1/30

59804 Federal Register / Vol. 76, No. 187/ Tuesday, September 27, 2011/ Proposed Rules

1See Childrens Online Privacy Protection Rule,16 CFR 312.3.

2See 16 CFR 312.7 and 312.8.3See 16 CFR 312.10; Childrens Online Privacy

Protection Rule, 64 FR 59888, 59906, 59908, 59915(Nov. 3, 1999), available athttp://www.ftc.gov/os/1999/10/64Fr59888.pdf.

4See 15 U.S.C. 6507; 16 CFR 312.11.5See Childrens Online Privacy Protection Rule,

71 FR 13247 (Mar. 15, 2006) (retention of rulewithout modification).

6The Commission generally reviews each of itstrade regulation rules approximately every tenyears. Under this schedule, the next COPPA Rulereview was originally set for 2017.

7See Request for Public Comment on the FederalTrade Commissions Implementation of theChildrens Online Privacy Protection Rule (2010Rule Review), 75 FR 17089 (Apr. 5, 2010).

8 Id.9 Information about the June 2, 2010 COPPA

Roundtable is located at http://www.ftc.gov/bcp/workshops/coppa/index.shtml.

10Public comments in response to theCommissions April 5, 2010 Federal Register

FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084AB20

Childrens Online Privacy ProtectionRule

AGENCY: Federal Trade Commission(FTC or Commission).

ACTION: Proposed rule; request forcomment.

SUMMARY: The Commission proposes toamend the Childrens Online PrivacyProtection Rule (COPPA Rule orRule), consistent with therequirements of the Childrens OnlinePrivacy Protection Act to respond tochanges in online technology, includingin the mobile marketplace, and, whereappropriate, to streamline the Rule.After extensive consideration of public

input, the Commission proposes tomodify certain of the Rules definitions,and to update the requirements set forthin the notice, parental consent,confidentiality and security, and safeharbor provisions. In addition, theCommission proposes adding a newprovision addressing data retention anddeletion.

DATES: Written comments must bereceived on or before November 28,2011.

ADDRESSES: Interested parties may file acomment online or on paper, by

following the instructions in theRequest for Comment part of theSUPPLEMENTARY INFORMATION section

below. Write COPPA Rule Review, 16CFR Part 312, Project No. P104503 onyour comment, and file your commentonline at https://

ftcpublic.commentworks.com/ftc/2011copparulereview,by following theinstructions on the Web-based form. Ifyou prefer to file your comment onpaper, write COPPA Rule Review, 16CFR Part 312, Project No. P104503 onyour comment, and mail or deliver yourcomment to the following address:

Federal Trade Commission, Office of theSecretary, Room H113 (Annex E), 600Pennsylvania Avenue, NW.,Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT:Phyllis H. Marcus or Mamie Kresses,Attorneys, Division of AdvertisingPractices, Bureau of ConsumerProtection, Federal Trade Commission,600 Pennsylvania Avenue, NW.,Washington, DC 20580, (202) 3262854,or (202) 3262070.

SUPPLEMENTARY INFORMATION:

I. Background

The COPPA Rule, 16 CFR part 312,issued pursuant to the ChildrensOnline Privacy Protection Act(COPPA or COPPA statute), 15U.S.C. 6501 et seq.,became effective onApril 21, 2000. The Rule imposescertain requirements on operators ofWeb sites or online services directed tochildren under 13 years of age, and onoperators of other Web sites or onlineservices that have actual knowledge thatthey are collecting personal informationonline from a child under 13 years ofage (collectively, operators). Amongother things, the Rule requires thatoperators provide notice to parents andobtain verifiable parental consent priorto collecting, using, or disclosingpersonal information from childrenunder 13 years of age.1 The Rule alsorequires operators to keep secure theinformation they collect from childrenand prohibits them from conditioning

childrens participation in activities onthe collection of more personalinformation than is reasonablynecessary to participate in suchactivities.2 The Rule contains a safeharbor provision enabling industrygroups or others to submit to theCommission for approval self-regulatoryguidelines that would implement theRules protections.3

The Commission initiated a review ofthe Rule on April 21, 2005, pursuant toSection 6507 of the COPPA statute,which required the Commission toconduct a review within five years of

the Rules effective date.4

Afterconsidering extensive public comment,the Commission determined in March2006 to retain the Rule without change.5

The Commission remains deeplycommitted to helping to create a safer,more secure online experience forchildren and takes seriously thechallenge to ensure that COPPAcontinues to meet its originally statedgoals, even as online technologies, andchildrens uses of such technologies,evolve. In light of the rapid-fire pace oftechnological change since theCommissions 2005 review, includingan explosion in childrens use of mobile

devices, the proliferation of onlinesocial networking and interactivegaming, the Commission initiated

review of the COPPA Rule in April 2010on an accelerated schedule.6

On April 5, 2010, the Commissionpublished a document in the FederalRegister seeking public comment onwhether technological changes to theonline environment over the precedingfive years warranted any changes to theRule.7 The Commissions request for

public comment examined each aspectof the COPPA Rule, posing 28 questionsfor the publics consideration.8 TheCommission identified several areaswhere public comment would beespecially useful, includingexamination of whether: The Rulesexisting definitions are sufficiently clearand comprehensive, or warrantmodification or expansion, consistentwith the COPPA statute; additionaltechnological methods to obtainverifiable parental consent should beadded to the COPPA Rule, and whetherany of the consent methods currently

included should be removed; whetherthe Rule provisions on protecting theconfidentiality and security of personalinformation are sufficiently clear andcomprehensive; and the Rules criteriaand process for Commission approvaland oversight of safe harbor programsshould be modified in any way. Thecomment period closed on July 12,2010. During the comment period, on

June 2, 2010, the Commission held apublic roundtable to discuss in detailseveral of the areas where publiccomment was sought, including theapplication of COPPAs definitions ofInternet, website, and online

service to new devices andtechnologies, the COPPA statutes actualknowledge standard for generalaudience Web sites and online services,the definition of personalinformation, emerging parental consentmechanisms, and COPPAs exceptionsto prior parental consent.9

In addition to the dialogue at thepublic roundtable, the Commissionreceived 70 comments from industryrepresentatives, advocacy groups,academics, technologists, andindividual members of the public inresponse to the April 5, 2010 request for

public comment.10

The comments

VerDate Mar2010 16:57 Sep 26, 2011 Jkt 223001 PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 E:\FR\FM\27SEP3.SGM 27SEP3
http://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/bcp/workshops/coppa/index.shtmlhttp://www.ftc.gov/bcp/workshops/coppa/index.shtmlhttps://ftcpublic.commentworks.com/ftc/2011copparulereviewhttps://ftcpublic.commentworks.com/ftc/2011copparulereviewhttps://ftcpublic.commentworks.com/ftc/2011copparulereviewhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/bcp/workshops/coppa/index.shtmlhttp://www.ftc.gov/bcp/workshops/coppa/index.shtmlhttps://ftcpublic.commentworks.com/ftc/2011copparulereviewhttps://ftcpublic.commentworks.com/ftc/2011copparulereviewhttps://ftcpublic.commentworks.com/ftc/2011copparulereview

8/3/2019 64fr59888 Coppa

2/30

59805Federal Register / Vol. 76, No. 187/ Tuesday, September 27, 2011/ Proposed Rules

document are located at http://www.ftc.gov/os/comments/copparulerev2010/index.shtm.Comments have been numbered based uponalphabetical order. Comments are cited hereinidentified by commenter name, comment number,and, where applicable, page number.

11See 15 U.S.C. 6502(1).12See Andrew Bergen (comment 4); Common

Sense Media (comment 12).13See Sharon Anderson (comment 2); Kevin

Brook (comment 6); Center for Democracy andTechnology (CDT) (comment 8), at 5; CTIA(comment 14), at 10; Facebook (comment 22), at 2;Elatia Grimshaw (comment 26); Interactive

Advertising Bureau (IAB) (comment 34), at 67;Harold Levy (comment 37); Motion PictureAssociation of America (MPAA) (comment 42), at4; National Cable & Television Association(comment 44), at 5 n.16; NetChoice (comment 45),at 2; Promotion Marketing Association (PMA)(comment 51), at 5; Berin Szoka (comment 59), at6; Toy Industry Association of America (comment63), at 5. Five commenters urged the Commissionto consider lowering or eliminating COPPAs age topermit younger children access to a variety ofeducational online offerings. See Eric MacDonald(comment 38); Mark Moran (comment 41);Steingreaber (comment 58); Karla Talbot (comment60); Daniel Widrew (comment 67).

14See Institute for Public Representation(comment 33), at 42.

15See Childrens Online Privacy Protection Act of1998, S. 2326, 105th Cong. 3(a)(2)(iii) (1998).

16See 15 U.S.C. 6502.17 See Protection of Childrens Privacy on the

World Wide Web: Hearing on S. 2326 Before theSubcomm. on Communications of the S. Comm. onCommerce, Science & Transportation, 105th Cong.(1998), at 5 (Statement of Robert Pitofsky,Chairman, Federal Trade Commission), available athttp://www.ftc.gov/os/1998/09/priva998.htm(Children are not fully capable of understandingthe consequences of divulging personal informationonline.).

18See Protecting Youths in an Online World:Hearing Before the Subcomm. on ConsumerProtection, Product Safety, and Insurance of the S.Comm. on Commerce, Science & Transportation,

111th Cong. 1415 (2010) (Statement of JessicaRich, Deputy Director, Bureau of ConsumerProtection, Federal Trade Commission), available athttp://www.ftc.gov/os/testimony/100715toopatestimony.pdf.

19For example, research shows that teens tend tobe more impulsive than adults and that they maynot think as clearly as adults about theconsequences of what they do. See, e.g., Transcriptof Exploring Privacy, A Roundtable Series (Mar. 17,2010), Panel 3: Addressing Sensitive Information,available at http://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdf;Chris Hoofnagle, Jennifer King,Su Li, and Joseph Turow, How Different Are YoungAdults from Older Adults When It Comes toInformation Privacy Attitudes & Policies?(April 14,2010), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864.As a result, they

may voluntarily disclose more information onlinethan they should. On social networking sites, youngpeople may share personal details that leave themvulnerable to identity theft. SeeJavelin Strategy andResearch, 2010 Identity Fraud Survey Report(Feb.2010), available at https://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdf.They may also share details that could adverselyaffect their potential employment or collegeadmissions. See e.g., Commonsense Media, Is SocialNetworking Changing Childhood? A National Poll(Aug. 10, 2009), available at http://www.commonsensemedia.org/teen-social-media(indicating that 28 percent of teens have sharedpersonal information online that they would notnormally share publicly).

20 Id.21See, e.g., American Amusement Mach. Assn v.

Kendrick, 244 F.3d 572 (7th Cir. 2001) (citingErznoznikv. City of Jacksonville, 422 U.S. 205, 21214 (1975)); Tinkerv. Des Moines Indep. Sch. Dist.,393 U.S. 503, 51114 (1969).

22See ACLUv. Ashcroft, 534 F.3d 181, 196 (3dCir. 2008) (citing ACLUv. Gonzales, 478 F. Supp.2d 775, 806 (E.D. Pa. 2007) (Requiring users to gothrough an age verification process would lead toa distinct loss of personal privacy.); see also Bolgerv. Youngs Drug Prods. Corp., 463 U.S. 60, 73 (1983)(citing Butlerv. Michigan, 352 U.S. 380, 383 (1957)(The Government may not reduce the adult

population * * * to reading only what is fit forchildren.). See also Berin Szoka (comment 59), at6.

23See A Preliminary FTC Staff Report onProtecting Consumer Privacy in an Era of RapidChange: A Proposed Framework for Businesses andPolicymakers, 3636 (Dec. 1, 2010), available athttp://www.ftc.gov/os/2010/12/101201privacyreport.pdf; Protecting Youths in anOnline World, supra note 18, at 1415 (The FTCbelieves that its upcoming privacyrecommendations based on its roundtablediscussions will greatly benefit teens. TheCommission expects that the privacy proposalsemerging from this initiative will provide teensboth a greater understanding of how their data isused and a greater ability to control such data.).

addressed the efficacy of the Rulegenerally, and several possible areas forchange.

II. COPPAs Definition of Child

The COPPA statute, and by extension,the COPPA Rule, defines as a child anindividual under the age of 13. 11 Afew commenters suggested that

COPPAs protections be broadened tocover a range of adolescents over age 12and urged the Commission to seek astatutory change from Congress.12 Bycontrast, the majority of commenterswho addressed this issue expressedconcern that expanding COPPAscoverage to teenagers would raise anumber of constitutional, privacy, andpractical issues.13

Recognizing the difficulties ofextending COPPA to children ages 13 orolder, at least one commenter, theInstitute for Public Representation,proposed the need for alternative

privacy protections for teenagers. Thiscommenter, while not proposing astatutory change to the definition ofchild, called on the Commission todevelop a set of privacy protections forteens, consistent with the FairInformation Practices Principles created

by the Organization for EconomicCooperation and Development, thatwould require understandable notices,limited information collection, an opt-inconsent process, and access and controlrights to data collected from them.14

In the course of drafting COPPA,Congress looked closely at whetheradolescents should be covered by thelaw. Congress initially considered arequirement that operators make

reasonable efforts to provide parentswith notice and an opportunity toprevent or curtail the collection or useof personal information collected fromchildren over the age of 12 and underthe age of 17.15 Ultimately, however,Congress decided to define a child asan individual under age 13.16 TheCommission supported this assessment

at the time, based in part on the viewthat young children under age 13 do notpossess the level of knowledge orjudgment to make appropriatedeterminations about when and if todivulge personal information over theInternet.17 The Commission continuesto believe that the statutory definition ofa child remains appropriate.18

Although teens face particular privacychallenges online,19 COPPAs parentalnotice and consent approach is notdesigned to address such issues.COPPAs parental notice and consentmodel works fairly well for young

children, but the Commission continues

to believe that it would be less effectiveor appropriate for adolescents.20 COPPArelies on children providing operatorswith parental contact information at theoutset to initiate the consent process.The COPPA model would be difficult toimplement for teenagers, as many would

be less likely than young children toprovide their parents contact

information, and more likely to falsifythis information or lie about their agesin order to participate in onlineactivities. In addition, courts haverecognized that as children age, theyhave an increased constitutional right toaccess information and expressthemselves publicly.21 Finally, giventhat adolescents are more likely thanyoung children to spend a greaterproportion of their time on Web sitesand online services that also appeal toadults, the practical difficulties inexpanding COPPAs reach toadolescents might unintentionally

burden the right of adults to engage inonline speech.22 For all of these reasons,the Commission declines to advocate fora change to the statutory definition ofchild.

Although the Commission does notrecommend that Congress expandCOPPA to cover teenagers, theCommission believes that it is essentialthat teens, like adults, be provided withclear information about uses of theirdata and be given meaningful choicesabout such uses. Therefore, theCommission is exploring new privacyapproaches that will ensure that teens

and adultsbenefit from strongerprivacy protections than are currentlygenerally available.23

http://www.ftc.gov/os/comments/copparulerev2010/index.shtmhttp://www.ftc.gov/os/comments/copparulerev2010/index.shtmhttp://www.ftc.gov/os/1998/09/priva998.htmhttp://www.ftc.gov/os/testimony/100715toopatestimony.pdfhttp://www.ftc.gov/os/testimony/100715toopatestimony.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864https://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttp://www.commonsensemedia.org/teen-social-mediahttp://www.commonsensemedia.org/teen-social-mediahttp://www.ftc.gov/os/2010/12/101201privacyreport.pdfhttp://www.ftc.gov/os/2010/12/101201privacyreport.pdfhttp://www.ftc.gov/os/1998/09/priva998.htmhttp://www.commonsensemedia.org/teen-social-mediahttp://www.commonsensemedia.org/teen-social-mediahttp://www.ftc.gov/os/2010/12/101201privacyreport.pdfhttp://www.ftc.gov/os/2010/12/101201privacyreport.pdfhttp://www.ftc.gov/os/testimony/100715toopatestimony.pdfhttp://www.ftc.gov/os/testimony/100715toopatestimony.pdfhttp://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864http://www.ftc.gov/os/comments/copparulerev2010/index.shtmhttp://www.ftc.gov/os/comments/copparulerev2010/index.shtmhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttp://htc-01.media.globix.net/COMP008760MOD1/ftc_web/transcripts/031710_sess3.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdfhttps://www.javelinstrategy.com/uploads/files/1004.R_2010IdentityFraudSurveyConsumer.pdf

8/3/2019 64fr59888 Coppa

3/30


24See 15 U.S.C. 6503(a)(1).25See MPAA (comment 42), at 10 (Congress

deliberately selected the actual knowledge standardbecause it served the objective of protecting youngchildren without constraining appropriate datacollection and use by operators of general audienceWeb sites. This standard was selected to serve the

goals of COPPA without imposing excessiveburdensincluding burdens that could easilyconstrain innovationon general audience sitesand online services).

26The original scope of COPPA, as indicated inS. 2326 and H.R. 4667, would have applied to anycommercial Web site or online service used by anoperator to knowingly collect information fromchildren. See Childrens Online Privacy ProtectionAct of 1998, S. 2326, 105th Cong. 2(11)(A)(iii)(1998); Electronic Privacy Bill of Rights Act of 1998,H.R. 4667, 105th Cong. 105(7)(A)(iii) (1998).Under federal case law, the term knowinglyencompasses actual, implied, and constructiveknowledge. See Schmittv. FMA Alliance, 398 F.3d995, 997 (8th Cir. 2005); Freeman United CoalMining Co. v. Federal Mine Safety and HealthReview Commn, 108 F.3d 358, 363 (D.C. Cir. 1997).

Upon the consideration of testimony from various

witnesses, Congress modified the knowledgestandard in the final legislation to require actualknowledge. See Internet Privacy Hearing: Hearingon S. 2326 Before the Subcomm. onCommunications of the S. Comm. on Commerce,Science, and Transportation, 105th Cong. 1069(1998). Actual knowledge is generally understoodfrom case law to establish a far stricter standardthan constructive knowledge or knowledge impliedfrom the ambient facts. See United States v.DiSanto, 86 F.3d 1238, 1257 (1st Cir. 1996) (citingUnited States v. Spinney, 65 F.3d 231, 236 (1st Cir.1995), for the proposition that when consideringthe question of knowledge [it is helpful] to recallthat the length of the hypothetical knowledgecontinuum is marked by constructiveknowledge at one end and actual knowledge at

the other with various gradations, such as noticeof likelihood in the poorly charted area thatstretches between the poles).

27See Childrens Online Privacy Protection Rule,Statement of Basis and Purpose (1999 Statementof Basis and Purpose), 64 FR 59888, 59889 (Nov.3, 1999), available athttp://www.ftc.gov/os/1999/10/64Fr59888.pdf.

28See id. at 59892 (Actual knowledge will bepresent, for example, where an operator learns ofa childs age or grade from the childs registrationat the site or from a concerned parent who haslearned that his child is participating at the site. Inaddition, although the COPPA does not requireoperators of general audience sites to investigate theages of their sites visitors, the Commission notesthat it will examine closely sites that do not directlyask age or grade, but instead ask age identifyingquestions, such as what type of school do you goto: (a) elementary; (b) middle; (c) high school; (d)college. Through such questions, operators mayacquire actual knowledge that they are dealing withchildren under 13).

29

See CTIA (comment 14), at 2; Direct MarketingAssociation (DMA) (comment 17), at 8; MPAA(comment 42), at 9; Toy Industry Association, Inc.(comment 63), at 5; Jeffrey Greenbaum, Partner,Frankfurt Kurnit Klein & Selz PC, and J. Beckwith(Becky) Burr, Partner, WilmerHale, Remarks fromThe Actual Knowledge Standard in TodaysOnline EnvironmentPanel at the Federal TradeCommissions Roundtable: Protecting Kids PrivacyOnline 7879 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.

30See Sharon Anderson (comment 2); Boku(comment 5); CDT (comment 9), at 6; CTIA(comment 14), at 2; DMA (comment 17), at 8;Facebook (comment 22), at 7; IAB (comment 34), at6.

31See CTIA (comment 14), at 2; DMA (comment17), at 8; Facebook (comment 22), at 78.

32See Harry A. Valetk (comment 66), at 4.33See Institute for Public Representation

(comment 33), at 34 (urging the Commission tomake clear that an operator can gain actualknowledge where it obtains age information from asource other than the child and where it creates acategory for behavioral advertising to childrenunder age 13. Simply, if an operator decides on,or uses, or purports to know the fact that someoneis a child, then that operator has actual knowledgethat it is dealing with a child.); Microsoft(comment 39), at 8 (asking the Commission toprovide clear guidance on how operators can bettermeet COPPAs objectives of providing access to richmedia content while not undermining parentalinvolvement).

34For example, the Commission proposesdefining as personal information persistentidentifiers and screen or user names where they are

III. COPPAs Actual KnowledgeStandard

The COPPA statute applies to twotypes of operators: (1) Those whooperate Web sites or online servicesdirected to children and collect personalinformation, and (2) those who haveactual knowledge that they are

collecting personal information from achild under age 13.24 The second prong,commonly known as the actualknowledge standard, holds operators ofWeb sites directed to teenagers, adults,or to a general audience, liable forproviding COPPAs protections onlywhen they know they are collectingpersonal information from a COPPA-covered child (i.e., one under age 13).COPPA therefore was never intended toapply to the entire Internet, but ratherto a subset of Web sites and onlineservices.25

Congress did not define the termactual knowledge in the COPPA

statute, nor did the Commission definethe term in the Rule. The case lawmakes clear that actual knowledge doesnot equate to knowledge fairly implied

by the circumstances; nor is actualknowledge constructive knowledge,as that term is interpreted and appliedlegally.26 Therefore, the Commission

has advised that operators of generalaudience Web sites are not required toinvestigate the ages of their users.27 Bycontrast, however, operators that askforor otherwise collectinformationestablishing that a user is under the ageof 13 trigger COPPAs verifiable parentalconsent and all other requirements.28

In general, commenters to the Rulereview expressed widespread supportfor Congresss retention of the statutoryactual knowledge standard. Supportersfind that the standard providesnecessary certainty regarding the

boundaries of operators legal liabilityfor COPPA violations.29 Commentersgenerally felt strongly that a lesserstandard, e.g., constructive or impliedknowledge, would cause extremeuncertainty for operators of generalaudience Web sites or online servicesseeking to comply with the law sincethey would be obliged either to make

guesses about the presence of underagechildren or to deny access to a wideswath of participants, not only youngchildren.30 According to commenters,such actions would result in greater datacollection from all users, includingchildren, in order to determine whoshould receive COPPA protections (or,alternatively, be denied access to a site).Commenters viewed this result as

contradictory to COPPAs goal ofminimizing data collection.31

A handful of commenters argued fora different standard. One commenterurged the Commission to requirecommercial Web site operators to makereasonable efforts to determine if a childis registering online, taking intoconsideration available technology.32

According to this commenter, Web siteoperators otherwise face minimal legalrisk and business incentive toproactively institute privacy protectionsfor children online. Other commenters,such as the Institute for PublicRepresentation and Microsoft, urged theCommission to adopt clearer guidanceon when an operator will be consideredto have obtained actual knowledge thatit has collected personal informationfrom a child.33

Despite the limitations of the actualknowledge standard, the Commission ispersuaded that this remains the correct

standard to be applied to operators ofWeb sites and online services that arenot directed to children. Accordingly,the Commission does not advocate thatCongress amend the COPPA statutesactual knowledge requirement at thistime. Actual knowledge is far moreworkable, and provides greatercertainty, than other legal standards thatmight be applied to the universe ofgeneral audience Web sites and onlineservices. This is because the actualknowledge standard is triggered only atthe point at which an operator becomesaware of a childs age. By contrast,

imposing a lesser reasonable efforts orconstructive knowledge standardmight require operators to ferret througha host of circumstantial information todetermine who may or may not be achild.

As described in detail below, withthis Notice of Proposed Rulemaking, theCommission is proposing severalmodifications to the Rules definition ofpersonal information. 34 Were the

http://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/os/1999/10/64Fr59888.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf

8/3/2019 64fr59888 Coppa

4/30


used for functions other than or in addition tosupport for the internal operations of a Web site oronline service. The Commission also proposesincluding identifiers that link the activities of achild across different Web sites or online services,as well as digital files containing a childs image orvoice, in the definition. See infra Part V.A.(4).

35See 2010 Rule Review, supra note 7, at 17090.36See CDT (comment 8), at 2; Edward Felten, Dir.

and Professor of Computer Sci. and Pub. Affairs,

Princeton Univ. (currently Chief Technologist at theFederal Trade Commission), Remarks from TheApplication of COPPAs Definitions of Internet,Website, and Online Service to New Devicesand Technologies Panel at the Federal TradeCommissions Roundtable: Protecting Kids PrivacyOnline 1314 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf([T]his was andstill is a spot-on definition of what Internetmeansworldwide interconnection and the use ofTCP or IP or any of that suite of protocols.).

37See CDT (comment 8), at 2. However, twocommenters urged the Commission to considermodifying or expanding the definition of Internetso as to expressly acknowledge the convergence oftechnologies, e.g., mobile devices and other

applications that are platform neutral or capable ofstoring and transmitting data in the manner of apersonal computer. See Electronic PrivacyInformation Center (EPIC) (comment 19), at 78;Jayne Hitchcock (comment 29).

38See AT&T (comment 3), at 5; Spratt (comment57); Edward Felten, supra note 36, at 15.

39SeeJohn B. Morris, Jr., General Counsel andDirector, Internet Standards, Technology and PolicyProject, CDT, and Angela Campbell, Institute for

Public Representation, Georgetown Univ. Law Ctr.,Remarks from The Application of COPPAsDefinitions of Internet, Web site, and OnlineService to New Devices and Technologies Panel atthe Federal Trade Commissions Roundtable:Protecting Kids Privacy Online 1617 (June 2,2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.One commentermentioned that the terms Internet and onlinewere seemingly intended by Congress to be usedinterchangeably to mean the interconnectedworld-wide network of networks. SeeEntertainment Software Association (comment 20),at 15 (citing the legislative history, 144 Cong. Rec.S848283, Statement of Sen. Bryan (1998)). But seeEdward Felten, supra note 36, at 19.

40See, e.g., Angela Campbell, supra note 39, at3031.

41

The FTC has brought a number of cases allegingviolations of COPPA in connection with theoperation of an online service, including: UnitedStates v. W3 Innovations LLC, No. CV1103958(N.D. Cal., filed Aug. 12, 2011) (child-directedmobile applications); United States v. Playdom,Inc., No. SA CV1100724 (C.D. Cal., filed May 11,2011) (online virtual worlds); United States v. SonyBMG Music Entertainment, No. 08 Civ. 10730(S.D.N.Y, filed Dec. 10, 2008) (social networkingservice); United States v. Industrious Kid, Inc., No.CV080639 (N.D. Cal., filed Jan. 28, 2008) (socialnetworking service); United States v.Xanga.com,Inc., No. 06CIV6853 (S.D.N.Y., filed Sept. 7,2006) (social networking service); and United Statesv. Bonzi Software, Inc., No. CV041048 (C.D. Cal.,filed Feb. 14, 2004) (desktop software application).

42See 2010 Rule Review, supra note 7, at 17090(Question 11); see also Denise Tayloe, President,Privo, Inc., Remarks from Emerging ParentalVerification Access and Methods Panel at theFederal Trade Commissions Roundtable: ProtectingKids Privacy Online 27 (June 2, 2010), available athttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf(questioningwhether a text to vote marketing campaign iscovered by COPPA).

43See CTIA (comment 14), at 25 (citing theFederal Communications Commissions rules andregulations implementing the CANSPAM Act of2003 and the Telephone Consumer Protection Actof 1991, finding that phone-to-phone SMS is notcaptured by Section 14 of CANSPAM becausesuch messages do not have references to Internetdomains). The Commission agrees that wheremobile services do not traverse the Internet or awide-area network, COPPA will not apply. SeeMichael Altschul, Senior Vice President and Gen.Counsel, CTIA, Remarks from The Application ofCOPPAs Definitions of Internet, Web site, andOnline Service to New Devices and TechnologiesPanel at the Federal Trade CommissionsRoundtable: Protecting Kids Privacy Online at 1921 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.

44See Edward Felten, supra note 36, at 2728.45For example, online texting services offered by

TextFree, Textie, and textPlus+ that permit users tocommunicate via text message over the Internet.

46For example, text alert coupon and notificationservices offered by retailers such as Target and JCPenney.

Commission to recommend thatCongress change COPPAs actualknowledge standard, the changes theCommission proposes to the Rulesdefinitions might prove infeasible ifapplied across the entire Internet. Theimpact of the proposed changes to thedefinition of personal information aresignificantly narrowed by the fact that

COPPA only applies to the finiteuniverse of Web sites and onlineservices directed to children and Websites and online services with actualknowledge.

IV. COPPAs Coverage of EvolvingTechnologies

The Commissions April 5, 2010Federal Register document soughtpublic input on the implications forCOPPA enforcement raised bytechnologies such as mobilecommunications, interactive television,interactive gaming, and other evolvingmedia.35 The Commissions June 2,2010 roundtable featured significantdiscussion on the breadth of the termsInternet, website located on theInternet, and online service as theyrelate to the statute and the Rule.

Commenters and roundtableparticipants expressed a consensus that

both the COPPA statute and Rule arewritten broadly enough to encompassmany new technologies without theneed for new statutory language.36 First,there is widespread agreement that thestatutes definition of Internet,covering the myriad of computer andtelecommunications facilities, including

equipment and operating software,which comprise the interconnectedworld-wide network of networks thatemploy the Transmission ControlProtocol/Internet Protocol, is deviceneutral.37

While neither the COPPA statute northe Rule defines a Web site located onthe Internet, the term is broadlyunderstood to cover content that userscan access through a browser on anordinary computer or mobile device.38Likewise, the term online service

broadly covers any service availableover the Internet, or that connects to the

Internet or a wide-area network.39 TheCommission agrees with commentersthat a host of current technologies thataccess the Internet or a wide areanetwork are online services currentlycovered by COPPA and the Rule. Thisincludes mobile applications that allowchildren to play network-connectedgames, engage in social networkingactivities, purchase goods or servicesonline, receive behaviorally targetedadvertisements, or interact with othercontent or services.40 Likewise, Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-

enabled location based services, also areonline services covered by COPPA andthe Rule. The Commission does not

believe that the term online serviceneeds to be further defined either in thestatute or in the Rule.41

Although many mobile activities areonline services, it is less clear whetherall short message services (SMS) andmultimedia messaging services(MMS) are covered by COPPA.42 Onecommenter maintained that SMS andMMS text messages cross wirelessservice providers networks and shortmessage service centers, not the public

Internet, and therefore that suchservices are not Internet-based and arenot online services. 43 However,another panelist at the Commissions

June 2, 2010 roundtable cautioned thatnot all texting programs are exemptfrom COPPAs coverage.44 For instance,mobile applications that enable users tosend text messages from their web-enabled devices without routingthrough a carrier-issued phone numberconstitute online services.45 Likewise,retailers premium texting and coupontexting programs that register usersonline and send text messages from the

Internet to users mobile phone numbersare online services.46The Commission will continue to

assess emerging technologies todetermine whether or not theyconstitute Web sites located on theInternet or online services subject toCOPPAs coverage.

V. Proposed Modifications to the Rule

As discussed above, commentersexpressed a consensus that, given itsflexibility and coverage, the COPPARule continues to be useful in helping

http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf

8/3/2019 64fr59888 Coppa

5/30


47Operators who offer services such as social

networking, chat, bulletin boards and who do notpre-strip (i.e., completely delete) such informationare deemed to have disclosed personalinformation under COPPAs definition ofdisclosure. See 16 CFR 312.2.

48See Phyllis Marcus, Remarks from COPPAsExceptions to Parental ConsentPanel at the FederalTrade Commissions Roundtable: Protecting KidsPrivacy Online 310 (June 2, 2010), available athttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.

49See Entertainment Software Association(comment 20), at 1314; Rebecca Newton (comment46), at 4; see also WiredSafety.org (comment 68), at15.

50See Berin Szoka (comment 59), SzokaResponses to Questions for the Record, at 19 ([T]heFTC could * * * allow operators, at least in somecircumstances, to use an automated system of

review and/or posting to satisfy the existingdeletion exception to the definition of collection.In other words, sites could potentially allowchildren to communicate with each other throughchat rooms, message boards, and other socialnetworking tools withouthaving to obtain verifiableparental consent if they had in place algorithmicfilters that would automatically detect personalinformation such as a string of seven or ten digitsthat seems to correspond to a phone number, astring of eight digits that might correspond to aSocial Security number, a street address, a name,or even a personal photoand prevent childrenfrom sharing that information in ways that make theinformation publicly available); see also Privo(comment 50), at 5.

51See EPIC (comment 19), at 67.

52 In fact, inquiries about automated filteringsystems, and whether they could ever meet theCommissions current 100% deletion standard, areamong the most frequent calls to the Commissions

COPPA hotline.53 In the Commissions experience, establishing abroad standard of reasonableness permits industryto innovate specific security methods that best suitparticular needs, and the Commission has setsimilar reasonableness standards in otherenforcement arenas. For example, in its lawenforcement actions involving breaches of datasecurity, the Commission consistently has requiredrespondents to establish and maintaincomprehensive information security programs thatare reasonably designed to protect the security,confidentiality, and integrity of personalinformation collected from or about consumers.See, e.g., Ceridian Corp., FTC Dkt. No. C4325 (June15, 2011); Lookout Servs., Inc., FTC Dkt. No. C4326 (June 15, 2011).

to protect children as they engage in awide variety of online activities. TheCommissions experience in enforcingthe Rule, and public input receivedthrough the Rule review process,however, demonstrate the need toupdate certain Rule provisions. Afterextensive consideration, theCommission proposes modifications to

the Rule in the following five areas:Definitions, Notice, Parental Consent,Confidentiality and Security ofChildrens Personal Information, andSafe Harbor Programs. In addition tomodifying these provisions, theCommission proposes adding a newRule section addressing data retentionand deletion. Each of these changes isdiscussed in detail below.

A. Definitions (16 CFR 312.2)

The Commission proposes to modifyparticular definitions to update theRules coverage and, in certain cases, to

streamline the Rules language. TheCommission proposes modifications tothe definitions of collects orcollection, online contactinformation, personal information,support for the internal operations ofthe Web site or online service, andWeb site or online service directed tochildren. The Commission alsoproposes a minor structural change tothe Rules definition of disclosure.

(1) Collects or Collection

Section 312.2 of the Rule definescollects or collection as:

[T]he gathering of any personalinformation from a child by any means,including but not limited to:

(a) Requesting that children submitpersonal information online;

(b) Enabling children to make personalinformation publicly available through a chatroom, message board, or other means, exceptwhere the operator deletes all individuallyidentifiable information from postings bychildren before they are made public, andalso deletes such information from theoperators records; or

(c) The passive tracking or use of anyidentifying code linked to an individual,such as a cookie.

The Commission proposes amending

paragraph (a) to change the termrequesting that children submitpersonal information online torequesting, prompting, or encouraginga child to submit personal informationonline in order to clarify that the Rulecovers the online collection of personalinformation both when an operatormandatorily requires it, and when anoperator merely prompts or encouragesa child to provide such information.

Section 312.2(b) currently definescollects or collection to includeenabling children to publicly post

personal information (e.g., on socialnetworking sites or on blogs), exceptwhere the operator deletes allindividually identifiable informationfrom postings by children before theyare made public, and also deletes suchinformation from the operatorsrecords.47 This aspect of COPPAsdefinition of collects or collection has

come to be known as the 100%deletion standard. 48 Severalcommenters indicated that thisstandard, while well-meaning, serves asan impediment to operatorsimplementation of sophisticatedfiltering technologies that might aid inthe detection and removal of personalinformation.49 Some commenters urgedthe Commission to revise the Rule tospecify the particular types of filteringmechanismsfor example, white lists,

black lists, or algorithmic systemsthatthe Commission believes conform to theRules current 100% deletion

requirement.50

One commenter urgedthe Commission to exercise caution inmodifying the Rule to permit the use ofautomated filtering systems to strippersonal information from posts prior toposting; this commenter urged theCommission to make clear that the useof an automated system would notprovide an operator with a safe harborfrom enforcement action in the case ofan inadvertent disclosure of personalinformation.51

The Commission has undertaken thisRule review with an eye towards

encouraging the continuing growth ofengaging, diverse, and appropriateonline content for children that includesstrong privacy protections by design.Children increasingly seek interactiveonline environments where they canexpress themselves, and operatorsshould be encouraged to developinnovative technologies to attract

children to age-appropriate onlinecommunities while preventing themfrom divulging their personalinformation. Unfortunately, Web sitesthat provide children with only limitedcommunications options often fail tocapture their imaginations for very long.After careful consideration, theCommission believes that the 100%deletion standard has set an unrealistichurdle to operators development andimplementation of automated filteringsystems.52 In its place, the Commissionproposes a reasonable measuresstandard whereby operators who

employ technologies reasonablydesigned to capture all or virtually allpersonal information inputted bychildren should not be deemed to havecollected personal information. Thisproposed change is intended toencourage the development of systems,either automated, manual, or acombination thereof, to detect anddelete all or virtually all personalinformation that may be submitted bychildren prior to its public posting.53

Finally, the Commission proposessimplifying paragraph (c) of the Rulesdefinition of collects or collection to

clarify that it includes all means ofpassive tracking of a child online,irrespective of the technology used. Theproposed paragraph removes thelanguage or use of any identifying codelinked to an individual, such as acookie and simply states passivetracking of a child online.

Therefore, the Commission proposesto amend the definition of collects orcollection so that it reads:

http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdfhttp://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf

8/3/2019 64fr59888 Coppa

6/30


54

One commenter, EPIC, expressed the opinionthat the Rules reference to information collectedby any means in the definition of collects orcollection is ambiguous with regard to informationacquired offline that is uploaded, stored, ordistributed to third parties by operators. See EPIC(comment 19), at 5. However, Congress limited thescope of COPPA to information that an operatorcollects online from a child; COPPA does notgovern information collected offline. See 15 U.S.C.6501(8) (defining the personal information asindividually identifiable information about anindividual collected online. * * *); 144 Cong.Rec. S11657 (Oct. 7, 1998) (Statement of Sen.Bryan) (This is an online childrens privacy bill,and its reach is limited to information collectedonline from a child.).

55The Commission also proposes minor changesto the definition of support for the internaloperations of a Web site or online service, asdescribed in Part V.A(5). below.

56For example, the term support for the internaloperations of the Web site or online service isincluded within the proposed revisions to thedefinition of personal information. See infra PartV.A.(5). The term release of personal informationis included within the proposed revised provisionto 312.8 regarding Confidentiality, security, andintegrity of personal information collected fromchildren. See infra Part V.D.

57See, e.g., discussion regarding 16 CFR 312.8(confidentiality, security and integrity of childrenspersonal information), infra Part V.D.

58See infra Part V.(5)(b) and (c).59See WiredSafety.org (comment 68), at 17.

Collects or collection means the gatheringof any personal information from a child byany means, including but not limited to:

(a) Requesting, prompting, or encouraginga child to submit personal informationonline;

(b) Enabling a child to make personalinformation publicly available in identifiableform. An operator shall not be considered tohave collected personal information under

this paragraph if it takes reasonable measuresto delete all or virtually all personalinformation from a childs postings beforethey are made public and also to delete suchinformation from its records; or,

(c) The passive tracking of a child online.54

(2) Disclosure

Section 312.2 of the Rule definesdisclosure as:

(a) The release of personal informationcollected from a child in identifiable form byan operator for any purpose, except where anoperator provides such information to aperson who provides support for the internaloperations of the Web site or online service

and who does not disclose or use thatinformation for any other purpose. Forpurposes of this definition:

(1) Release of personal information meansthe sharing, selling, renting, or any othermeans of providing personal information toany third party, and

(2) Support for the internal operations ofthe Web site or online service means thoseactivities necessary to maintain the technicalfunctioning of the Web site or online service,or to fulfill a request of a child as permitted

by 312.5(c)(2) and (3); or, (b) Makingpersonal information collected from a child

by an operator publicly available inidentifiable form, by any means, including bya public posting through the Internet, or

through a personal home page posted on aWeb site or online service; a pen pal service;an electronic mail service; a message board;or a chat room.

The Commission proposes makingseveral minor modifications to thisdefinition that are consistent with thestatutory definition. First, theCommission proposes broadening thetitle of this definition from disclosureto disclose or disclosure to clarify thatin every instance in which the Rulerefers to instances where an operatordisclose[s] information, the definition

of disclosure shall apply. In addition,the Commmission proposes moving thedefinitions of release of personalinformation and support for theinternal operations of the Web site oronline service contained within thedefinition of disclosure to stand-alonedefinitions within 312.2 of the Rule.55This change will clarify what is

intended by the terms release ofpersonal information and support forthe internal operations of the Web siteor online service where those terms arereferenced elsewhere in the Rule andwhere they are not directly connectedwith the terms disclose ordisclosure.56

Therefore, the Commission proposesto amend the definition of disclosureto read:

Disclose or disclosure means, with respectto personal information:

(a) The release of personal informationcollected by an operator from a child in

identifiable form for any purpose, exceptwhere an operator provides such informationto a person who provides support for theinternal operations of the Web site or onlineservice; and,

(b) Making personal information collectedby an operator from a child publicly availablein identifiable form by any means, including

but not limited to a public posting throughthe Internet, or through a personal home pageor screen posted on a Web site or onlineservice; a pen pal service; an electronic mailservice; a message board; or a chat room.

(3) Release of personal information

The Commission proposes to definethe term release of personal

information separately from its currentinclusion within the definition ofdisclosure. Since the term applies toprovisions of the Rule that do not relatesolely to disclosures,57 this stand-alonedefinition will provide greater clarity asto the terms applicability throughoutthe Rule. In addition, the Commissionproposes technical changes to clarifythat the term release of personalinformation primarily addresses

business-to-business uses of personalinformation. Public disclosure ofpersonal information is covered byparagraph (b) of the definition of

disclosure. Therefore, theCommission proposes to revise thedefinition of release of personalinformation so that it reads:

Release of personal information means thesharing, selling, renting, or transfer ofpersonal information to any third party.

(4) Support for the internal operations

of the Web site or online serviceThe Commission also proposes

separating out the term support for theinternal operations of the Web site oronline service from the definition ofdisclosure. The Commissionrecognizes that the term support forinternal operations of the Web site oronline servicei.e., activitiesnecessary to maintain the technicalfunctioning of the Web site or onlineserviceis an important limitingconcept that warrants furtherexplanation. The Rule recognizes thatinformation that is collected by

operators for the sole purpose of supportfor internal operations should be treateddifferently than information that is usedfor broader purposes.

The term currently is a part of thedefinitions of disclosure and thirdparty within the Rule. As explained

below, the Commission proposes toexpand the definition of personalinformation to include screen or usernames and persistent identifiers,when such items are used for functionsother than or in addition to support forthe internal operations of the Web siteor online service. 58 In proposing tocreate a separate definition of support

for the internal operations of a Web siteor online service, the Commission alsoproposes to expand that definition toinclude activities necessary to protectthe security or integrity of the Web siteor online service. With this change, theCommission recognizes operators needto protect themselves or their users fromsecurity threats, fraud, denial of serviceattacks, user misbehavior, or otherthreats to operators internaloperations.59 In addition, theCommission proposes adding thelimitation that information collected forsuch purposes may not be used or

disclosed for any other purpose, so thatif there is a secondary use of theinformation, it becomes personalinformation under the Rule.

The Commission recognizes thatoperators use persistent identifiers andscreen names to aid the functionalityand technical stability of Web sites andonline services and to provide a gooduser experience, and the Commissiondoes not intend to limit operators


8/3/2019 64fr59888 Coppa

7/30


60 Id.61The Rule currently defines as personal

information an e-mail address or other onlinecontact information, including but not limited to aninstant messaging user identifier, or a screen namethat reveals an individuals e-mail address. 16 CFR312.2 (paragraph (c), definition of personalinformation). The Commission also proposesremoving the listing of identifiers from thedefinition of personal information and substitutingthe simple phrase online contact informationinstead. See infra Part V.A.(4)(a). By doing so, theCommission hopes to streamline the Rulesdefinitions in a way that is useful and accessible foroperators.

62The term telephone number includeslandline, web-based, and mobile phone numbers.

6315 U.S.C. 6502(8). The Federal TradeCommission originally used the authority granted

under Section 6502(8)(F) to define personalinformation under the COPPA Rule to include thefollowing pieces of information not specificallylisted in the statute:

Other online contact information, including butnot limited to an instant messaging user identifier;

A screen name that reveals an individuals e-mail address;

A persistent identifier, such as a customernumber held in a cookie or a processor serialnumber, where such identifier is associated withindividually identifiable information; and,

A combination of a last name or photograph ofthe individual with other information such that thecombination permits physical or online contacting.

64See supra Part V.A.(4)(a).

65See, e.g., OpenId, Windows Live ID, and theFacebook Platform.

66See paragraph (f) to the definition of personalinformation. 16 CFR 312.2.

ability to collect such information fromchildren for those purposes. However,the Commission also recognizes thatsuch identifiers may be used in moreexpansive ways that affect childrensprivacy. In the sections that follow, theCommission sets forth the parameterswithin which operators may collect anduse screen names and persistent

identifiers without triggering COPPAsapplication.60

The Commission proposes to revisethe definition of support for theinternal operations of Web site or onlineservice so that it states:

Support for the internal operations of theWeb site or online service means thoseactivities necessary to maintain the technicalfunctioning of the Web site or online service,to protect the security or integrity of the Website or online service, or to fulfill a requestof a child as permitted by 312.5(c)(3) and(4), and the information collected for suchpurposes is not used or disclosed for anyother purpose.

(5) Online Contact Information

Section 312.2 of the Rule definesonline contact information as an e-mail address or any other substantiallysimilar identifier that permits directcontact with a person online. TheCommission proposes to clarify thisdefinition to flag that the term covers allidentifiers that permit direct contactwith a person online, and to eliminateany inconsistency between the stand-alone definition of online contactinformation and the use of the sameterm within the Rules definition of

personal information.61

The reviseddefinition set forth below addscommonly used forms of onlineidentifiers, including instant messaginguser identifiers, voice over internetprotocol (VOIP) identifiers, and videochat user identifiers. The proposeddefinition makes clear, however, thatthe identifiers included are not intendedto be exhaustive, and may include othersubstantially similar identifiers thatpermit direct contact with a persononline.

Therefore, the Commission proposesto amend the definition of onlinecontact information to state:

Online contact information means an e-mail address or any other substantiallysimilar identifier that permits direct contactwith a person online, including but notlimited to, an instant messaging useridentifier, a voice over internet protocol(VOIP) identifier, or a video chat useridentifier.

(6) Personal Information

The COPPA statute defines personalinformation as individually identifiableinformation about an individualcollected online, including:

(A) A first and last name;(B) A home or other physical address

including street name and name of acity or town;

(C) An e-mail address;(D) A telephone number; 62(E) A Social Security number;(F) Any other identifier that the

Commission determines permits thephysical or online contacting of aspecific individual; or

(G) information concerning the childor the parents of that child that the Website collects online from the child andcombines with an identifier described inthis paragraph.63

As explained below, the Commissionproposes to use this statutorily grantedauthority in paragraph (F) to modify,and in certain cases, expand, upon theRules definition of personalinformation to reflect technologicalchanges.

a. Online Contact Information (RevisedParagraph (c))

The Commission proposes to replace

existing paragraph (c) of the Rulesdefinition of personal information,which refers to an e-mail address orother online contact informationincluding but not limited to an instantmessaging user identifier, or a screenname that reveals an individuals e-mailaddress, with the broader term onlinecontact information, as newlydefined.64 Moreover, as discussedimmediately below, the Commission

proposes to move the existing referenceto a screen name to a separate itemwithin the definition of personalinformation.

b. Screen or User Names (RevisedParagraph (d))

Currently, screen names areconsidered personal information

under COPPA only when they reveal anindividuals e-mail address. TheCommission proposes instead thatscreen (or user) names be categorized aspersonal information when they areused for functions other than, or inaddition to, support for the internaloperations of the Web site or onlineservice. This change reflects the realitythat screen and user names increasinglyhave become portable across multipleWeb sites or online services, and permitthe direct contact of a specificindividual online regardless of whetherthe screen or user names contain an e-

mail address.65

The proposed definition exemptsscreen or user names that are usedsolely to maintain the technicalfunctioning of the Web site or onlineservice. This qualification is intended toretain operators ability to utilize screenor user names within a Web site oronline service (absent the collection,use, or disclosure ofotherpersonalinformation) without obtaining priorparental consent. Accordingly, anoperator may allow children to establishscreen names for use within a site orservice. Such screen names may be usedfor access to the site or service, toidentify users to each other, and torecall user settings. However, where thescreen or user name is used for purposesother than to maintain the technicalfunctioning of the Web site or onlineservice, the screen name becomespersonal information under theproposed Rule.

c. Persistent Identifiers (RevisedParagraph (g)) and Identifiers Linking aChilds Online Activities (NewParagraph (h))

The existing Rule includes aspersonal information a persistent

identifier, such as a customer numberheld in a cookie or a processor serialnumber, where such identifier isassociated with individually identifiableinformation.66 In its 1999 Statement ofBasis and Purpose, the Commissiondiscussed persistent identifiers thatautomatically are collected by Websites, such as static IP addresses and


8/3/2019 64fr59888 Coppa

8/30


67See 1999 Statement of Basis and Purpose, 64

FR 59888, 5989293.68Commission staff recognized in its 2009 online

behavioral advertising report that, in the contextof online behavioral advertising, the traditionalnotion of what constitutes PII versus non-PII isbecoming less and less meaningful and should not,by itself, determine the protections provided forconsumer data. FTC Staff Report: Self-RegulatoryPrinciples for Online Behavioral Advertising, 2122(Feb. 2009), available athttp://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.Similarly, theFederal Trade Commission 2010 Staff PrivacyReport cited widespread recognition amongindustry and academics that the traditionaldistinction between the two categories of data haseroded, and that information practices andrestrictions that rely on this distinction are losingtheir relevance. See Protecting Consumer Privacy inan Era of Rapid Change, supra note 23, at 3536.

69

See 144 Cong. Rec. S8482 (July 17, 1998)(Statement of Sen. Bryan) (Unfortunately, the samemarvelous advances in computer andtelecommunication technology that allow ourchildren to reach out to new resources ofknowledge and cultural experiences are also leavingthem unwittingly vulnerable to exploitation andharm by deceptive marketers and criminals * * *.Much of this information appears to be harmless,but companies are attempting to build a wealth ofinformation about you and your family without anadults approvala profile that will enable them totarget and to entice your children to purchase arange of products. The Internet gives marketers thecapability of interacting with your children anddeveloping a relationship without yourknowledge).

70See 2010 Rule Review, supra note 7, at 17090.71See, e.g., BOKU (comment 5); CDT (comment

8); DMA (comment 17), at 69; EntertainmentSoftware Association (comment 20), at 1718;Google, Inc. (comment 24), at 67; Institute forPublic Representation (comment 33), at 21; IAB(comment 34), at 35; Interstate CommerceCoalition (comment 35), at 2; Microsoft Corporation(comment 39), at 910; MPAA (comment 42), at 67; NetChoice (comment 45), at 67; Paul Ohm(comment 48); TechAmerica (comment 61), at 56;Toy Industry Association, Inc. (comment 63), at 710; TRUSTe (comment 64), at 35.

72See Google, Inc. (comment 24), at 7; InternetCommerce Coalition (comment 35), at 23.

73See, e.g., Entertainment Software Association(comment 20), at 18; Interstate Commerce Coalition(comment 35), at 2.

74See Toy Industry Association, Inc. (comment63), at 9; TRUSTe (comment 64), at 5.

75See Facebook (comment 22), at 6; MicrosoftCorporation (comment 39), at 9; Toy IndustryAssociation, Inc. (comment 63), at 7.

76See CDT (comment 8, at 8) (referring to theNetwork Advertising Initiatives 2008 NAIPrinciples Code of Conduct); EntertainmentSoftware Association (comment 20), at 19 (referringto the Self-Regulatory Principles for OnlineBehavioral Advertisingissued by the AmericanAssociation of Advertising Agencies, Association ofNational Advertisers, Direct Marketing Association,Interactive Advertising Bureau, and Council ofBetter Business Bureaus in July 2009); Facebook(comment 22), at 7.

77See Common Sense Media (comment 12), at 8;EPIC (comment 19), at 9; Institute for PublicRepresentation (comment 33), at 21.

processor serial numbers, stating thatunless such identifiers are associatedwith other individually identifiablepersonal information, they would notfall within the Rules definition ofpersonal information. Moreover, withrespect to information stored in cookies,the Commission stated that [i]f theoperator either collects individually

identifiable information using thecookie or collects non-individuallyidentifiable information using thecookie that is combined with anidentifier, then the informationconstitutes personal information underthe Rule, regardless of where it isstored.67 Taken together, thesestatements limit COPPAs coverage ofpersistent identifiers solely to thoseidentifiers that are otherwise linked topersonal information as defined bythe Rule.

Developments in technology in theintervening twelve years since the

COPPA Rule was issued, and theresulting implications for consumerprivacy, have led to a widespreadreexamination of the concept ofpersonal information and of the typesof information COPPA should cover.68While it is clear that COPPA always wasintended to regulate an operators abilityto obtain information from, and market

back to, children,69 methods ofmarketing online have burgeoned inrecent years. In this regard, theCommission sought comment onwhether certain identifiers, such as IP

address, zip code, date of birth, gender,and information collected in connectionwith online behavioral advertising,should now be included within theRules definition of personalinformation.70

Numerous comments to the Rulereview addressed this question.71Several commenters opposed such an

expansion, pointing out that thecollection of certain identifiers, such asIP addresses, are integral to the deliveryof online content.72 According to thesecommenters, if an IP address, on itsown, were to be included within thedefinition of personal information,virtually every Web site or onlineservice directed to children would besubject to COPPAs requirements,regardless of whether any additionalinformation is collected, used, ordisclosed, because a browserscommunication with a Web sitetypically reveals the users IP address to

the Web site operator. Commentersespecially expressed concern aboutoperators ability to obtain priorverifiable parental consent in suchsituations.73 In addition, somecommenters noted that an IP addressmay not lead an operator to a specificindividual, but rather, indicate only aparticular computer or computingdevice shared by a number ofindividuals.74

Several other commenters addressedthe question of whether identifiers suchas cookies or other technologies used totrack online activities should beincluded within the definition of

personal information. As with thecomments regarding IP addresses, thesecommenters maintained that uses ofcookies and other tracking devices donot result in the contacting of specificindividuals online as contemplated byCongress in the COPPA statute.75Moreover, some commenters assertedthat these technologies can be used for

a number of beneficial purposes, e.g.,some operators use cookies to protectchildren from inappropriate advertising(and conversely, to deliver onlyappropriate advertising); other operatorsuse cookies to personalize childrensonline experiences. Finally, thesecommenters contended that expandingCOPPA to include cookies and other

online behavioral advertisingtechnologies is unnecessary becauseexisting self-regulatory principles foronline behavioral advertising aresufficient to curtail targeted advertisingto children.76

By contrast, several commentersasserted that identifiers such as cookiesand IP addresses can be used by onlineoperators to track and communicatewith specific individuals and should beincluded within COPPAs categories ofinformation considered to be personal.77

After careful consideration, theCommission believes that persistent

identifiers can permit the contacting ofa specific individual, and thus, with thelimitations described below, should beincluded as part of a revised definitionof personal information in the COPPARule. The Commission does not agreewith commenters who argue thatpersistent identifiers only allowoperators to contact a specific device orcomputer. Information that permits thephysical or online contacting of aspecific individual does not meaninformation that permits the contactingof only a single individual, to theexclusion of all other individuals. Forexample, the COPPA statute includeswithin the definition of personalinformation a home address alone or aphone number aloneinformation thatis often applicable to an entirehousehold. The Commission believesthis reflects the judgment of Congressthat an operator who collects thisinformation is reasonably likely to beable to contact a specific individual,even without having collected otheridentifying information. TheCommission believes the same is true ofpersistent identifiers.

Moreover, increasingly, consumeraccess to computers is shifting from the

model of a single, family-shared,

http://www.ftc.gov/os/2009/02/P085400behavadreport.pdfhttp://www.ftc.gov/os/2009/02/P085400behavadreport.pdfhttp://www.ftc.gov/os/2009/02/P085400behavadreport.pdfhttp://www.ftc.gov/os/2009/02/P085400behavadreport.pdf

8/3/2019 64fr59888 Coppa

9/30


78See Common Sense Media, Do Smart Phones =Smart Kids? The Impact of the Mobile Explosion onAmericas Kids, Families, and Schools (Apr. 2010),available athttp://www.commonsensemedia.org/smartphones-smartkids(citing a study from theNPD Group, Inc. finding that 20% of U.S. childrenages 414 owned a cell phone in 2008); N. Jackson,More Kids Can Work Smartphones Than Can TieTheir Own Shoes, The Atlantic (Jan. 24, 2011),available at http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/; see also S.Smith, Now Its Personal: Mobile Nears thePrivacy Third Rail, Behavioral Insider (Apr. 22,2011), available athttp://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196(warningthat [m]any of the arguments used to assuageworries about digital privacy online are simply lesseffective [in the mobile space]. When data can betied to specific device IDs, times and location,insistence that the resulting data is anonymized(no matter how true it may be) is very hard for thelayman to swallow.).

79Sometimes called processor serial numbers,device serial numbers, or unique deviceidentifier, unique identifiers refer to software-readable or physical numbers embedded bymanufacturers into individual processors ordevices. See, e.g.,J. Valentino-DeVries, UniquePhone ID Numbers Explained, Wall St. J. (Dec. 19,2010), available athttp://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/.

80See CDT (comment 9), at 78; DMA (comment17), at 6; Entertainment Software Association(comment 20), 1718; Google (comment 24), 7;Internet Commerce Coalition (comment 35), at 23;and TechAmerica (comment 61), at 6.

81As some commenters noted, it would beimpracticable to obtain verifiable parental consentprior to the collection of an IP address for purposes

of delivering online content, since Web siteoperators would not know at that point in time thatthe Web site visitor was a child, and would haveno means of obtaining consent from that childsparent. See, e.g., Internet Commerce Coalition(comment 35), at 2.

82See 144 Cong. Rec. S8482 (July 17, 1998)(Statement of Sen. Bryan).

83See Boku (comment 5) (encouraging theCommission to regulate the use of identifiers suchas IP address, device data, or any other dataautomatically captured during interaction with auser and a web site rather than the data captureitself or the storage of such data; see also CDT(comment 8), at 8 (asserting that a prohibition onthe mere collection of this data would underminethe very functioning of the Internet).

84 Online behavioral advertising is the practiceof tracking an individuals online activities in orderto deliver advertising tailored to the individualsinterests. See Self-Regulatory Principles for OnlineBehavioral Advertising, supra note 68, at i.

85DMA (comment 17), at 7 (directing the

Commissions attention to Self-RegulatoryPrinciples for Online Behavioral Advertising(July2009), at 1617, available at http://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdf. See also Entertainment SoftwareAssociation (comment 20), at 19; Facebook(comment 22), at 7; IAB (comment 34), at 3;Microsoft (comment 39), at 910; Mobile MarketingAssociation (comment 40), at 3; Toy IndustryAssociation (comment 63), at 9.

86Although it is unclear from the record beforethe Commission whether operators currently aredirecting online behavioral advertising to children(various members of industry have informedCommission staff that they do not believe suchactivity is occurring while media reports haveindicated the widespread presence of tracking tools

personal computer to the widespreaddistribution of person-specific, Internet-enabled, handheld devices to eachmember within a household, includingchildren.78 Such handheld devices oftenhave one or more unique identifiersassociated with them that can be usedto persistently link a user across Websites and online services, including

mobile applications.79 With this changein computing use, operators now have a

better ability to link a particularindividual to a particular computingdevice.

At the same time, the Commission ismindful of the concerns raised bycommenters that including persistentidentifiers within the definition ofpersonal information, without furtherqualification, would hinder operatorsability to provide basic online servicesto children. Several commentersindicated that Web sites and onlineservices must identify and use IP

addresses to deliver content tocomputers; if IP addresses, withoutmore, were treated as personalinformation under COPPA, a site orservice would be liable for collectingpersonal information as soon as a childlanded on its home page or screen.80The Commission agrees that such anapproach is over-broad andunworkable.81

The Commission believes that when apersistent identifier is used only tosupport the internal operations of a Website or online service, rather than tocompile data on specific computerusers, the concerns underlying COPPAspurpose are not present.82 Accordingly,the Commission proposes to modify thedefinition of personal information by

revising paragraph (g), and adding aparagraph (h), as follows:

(g) A persistent identifier, including butnot limited to, a customer number held in acookie, an Internet Protocol (IP) address, aprocessor or device serial number, or uniquedevice identifier, where such persistentidentifier is used for functions other than orin addition to support for the internaloperations of the Web site or online service;

(h) an identifier that links the activities ofa child across different Web sites or onlineservices;

Proposed paragraph (g)which coverspersistent identifiers where they areused for functions other than, or in

addition to, support for the internaloperations of the Web site or onlineserviceis designed not to interferewith operators ability to deliver contentto children within the ordinaryoperation of their Web sites or onlineservices. This limitation takes intoaccount the comments expressingconcern about the potential for COPPAto interfere with the ordinary operationof Web sites or online services.83 Thenew language in the definition wouldpermit operators use of persistentidentifiers for purposes such as userauthentication, improving site

navigation, maintaining userpreferences, serving contextualadvertisements, and protecting againstfraud or theft. However, the newlanguage would require parentalnotification and consent prior to thecollection of persistent identifiers wherethey are used for purposes such asamassing data on a childs onlineactivities or behaviorally targetingadvertising to the child. Therefore,operators such as network advertisersmay not claim the collection ofpersistent identifiers as a technical

function under the support for internaloperations exemption.

New paragraph (h) of the definition ofpersonal information is intended toserve as a catch-all category covering theonline gathering of information about achild over time for the purposes ofeither online profiling or delivering

behavioral advertising to that child.84

For example, an advertising network oranalytics service that tracks a child useracross a set of Web sites or onlineservices, but stores this information ina separate database rather than with thepersistent identifier, would be deemedto have collected personal informationfrom the child under this proposedparagraph.

Several commenters stated thatindustry self-regulatory efforts moreeffectively address the treatment ofonline behavioral advertising tochildren than would regulation in thisarea. For example, citing the industrys2009 Self-Regulatory Principles forOnline Behavioral Advertising, theDirect Marketing Association assertedthat robust self-regulation is the bestand most appropriate way to addressprivacy concerns in connection withonline behavioral advertising, includingconcerns related to children. 85

The Commission finds this argumentunpersuasive. Although self-regulationcan play an important role in consumerprotection, Congress specificallydirected the Commission to promulgateand implement regulations covering theonline collection, use, and disclosure ofchildrens personal information. To the

extent that childrens personalinformation is collected in connectionwith behavioral advertising, suchinformation should be protected underthe Rule. While self-regulatory programscan be valuable in promotingcompliance, the proposed revisionimplements the COPPA statute and isenforceable by law.86

http://www.commonsensemedia.org/smartphones-smartkidshttp://www.commonsensemedia.org/smartphones-smartkidshttp://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/http://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/http://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdfhttp://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdfhttp://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdfhttp://www.commonsensemedia.org/smartphones-smartkidshttp://www.commonsensemedia.org/smartphones-smartkidshttp://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdfhttp://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdfhttp://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdfhttp://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/http://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=149196http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/http://www.theatlantic.com/technology/archive/2011/01/more-kids-can-work-smartphones-than-can-tie-their-own-shoes/70101/

8/3/2019 64fr59888 Coppa

10/30


on childrens Web sites, see Steven Stecklow, Onthe Web, Children Face Intensive Tracking, Wall St.J., Sept. 17, 2010), the Commission notes that theself-regulatory guidelines cited by the commentersdo not expressly require prior parental consent forsuch advertising to occur. Rather, operators whoadhere to such guidelines are merely cautioned thatthey should comply with COPPA when engaging inonline behavioral advertising. See Self-RegulatoryPrinciples for Online Behavioral Advertising, supranote 85, at 1617 (Entities should not collect

personal information, as defined in the ChildrensOnline Privacy Protection Act (COPPA), fromchildren they have actual knowledge are under theage of 13 or from sites directed to children underthe age of 13 for Online Behavioral Advertising, orengage in Online Behavioral Advertising directed tochildren they have actual knowledge are under theage of 13 except as compliant with the COPPA).Moreover, the self-regulatory standards cited bycommenters do not collectively represent alloperators subject to COPPA.

87 In addition to the personal information thatmay be viewable in a photograph or video,geolocation data is commonly embedded as hiddenmetadata within these digital images. These datausually consist of latitude and longitudecoordinates, and may also include altitude, bearing,distance, and place names. Such geolocationinformation may be used by operators and may also

be accessed by the viewing public. The Commissionproposes to specifically enumerate geolocationinformation as a separate category of personalinformation under the Rule. See infra PartV.A.(4)(e).

88See M. Geuss, Facebook Facial RecognitionCould Get Creepy: new facial recognitiontechnology used to identify your friends in photoscould have some interesting applicationsandsome scary possibilities, PC World (Apr. 26, 2011),available at http://www.pcworld.com/article/226228/facebook_facial_recognition_its_quiet_rise_and_dangerous_future.html(discussing Facebooks facial recognitiontechnology, and similar technologies offered byservices such as Viewdle, Fotobounce, Picasa,iPhoto, and Face.com).

89Although the Commission received littlecomment on this topic, one individual commenter,as well as the Commission-approved COPPA safeharbor, TRUSTe, strongly supported this approach.See Gregory Schiller (comment 47); Office of theState Attorney15th Judicial Circuit in and forPalm Beach County, Florida (comment 47); TRUSTe(comment 64), at 4; Maureen Cooney, Chief PrivacyOfficer, TRUSTe, Remarks from COPPAs Definitionof Personal InformationPanel at the FederalTrade Commissions Roundtable: Protecting KidsPrivacy Online at 19192 (June 2, 2010), availableat http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.

90For example, geolocation-based navigation

tools help users reach destinations, find localbusinesses or events, find friends and engage insocial networking, check in at certain locations,and link their location to other activities. Manyusers access geolocation services through mobiledevices. However, devices such as laptop anddesktop computers, tablets, and in-car navigationand assistance systems also may be used to accesssuch services. Geolocation information may be usedonce for a single purpose

64fr59888 Coppa

Documents

Transcript of 64fr59888 Coppa