COPPA isn’t new, either, but it has seen some significant amendments over the past year that are worth mentioning. COPPA, which went into effect in early 2000, protects children under 13 from the online collection of personal information. As a result, many sites today often disallow children under 13 from using their services or require parental permission for disclosure of any personal information. In September 2011, the FTC announced proposed revisions to COPPA that expand the definition of what it means to collect data from children. These new rules would include regulations on data retention and deletion and would require any third parties to whom a child’s information is disclosed to have policies in place to protect the information.
1. Vol. 78, No. 12
Thursday, January 17, 2013
Part II
Federal Trade Commission
16 CFR Part 312
Children’s Online Privacy Protection Rule; Final Rule
2. 3972 Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
FEDERAL TRADE COMMISSION

16 CFR Part 312

RIN 3084–AB20

Children’s Online Privacy Protection Rule

AGENCY: Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’).

ACTION: Final rule amendments.

SUMMARY: The Commission amends the Children’s Online Privacy Protection Rule (‘‘COPPA Rule’’ or ‘‘Rule’’), consistent with the requirements of the Children’s Online Privacy Protection Act, to clarify the scope of the Rule and strengthen its protections for children’s personal information, in light of changes in online technology since the Rule went into effect in April 2000. The final amended Rule includes modifications to the definitions of operator, personal information, and Web site or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.

DATES: The amended Rule will become effective on July 1, 2013.

ADDRESSES: The complete public record of this proceeding will be available at www.ftc.gov. Requests for paper copies of this amended Rule and Statement of Basis and Purpose (‘‘SBP’’) should be sent to: Public Reference Branch, Federal Trade Commission, 600 Pennsylvania Avenue NW., Room 130, Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, Attorneys, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326–2854 or (202) 326–2070.

SUPPLEMENTARY INFORMATION:

Statement of Basis and Purpose

I. Overview and Background

A. Overview

This document states the basis and purpose for the Commission’s decision to adopt certain amendments to the COPPA Rule that were proposed and published for public comment on September 27, 2011 (‘‘2011 NPRM’’),1 and supplemental amendments that were proposed and published for public comment on August 6, 2012 (‘‘2012 SNPRM’’).2 After careful review and consideration of the entire rulemaking record, including public comments submitted by interested parties, and based upon its experience in enforcing and administering the Rule, the Commission has determined to adopt amendments to the COPPA Rule. These amendments to the final Rule will help to ensure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them, even as online technologies, and children’s uses of such technologies, evolve.

The final Rule amendments modify the definitions of operator to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors; Web site or online service directed to children to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service; Web site or online service directed to children to allow a subset of child-directed sites and services to differentiate among users, and requiring such properties to provide notice and obtain parental consent only for users who self-identify as under age 13; personal information to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services; and support for internal operations to expand the list of defined activities.

The Rule amendments also streamline and clarify the direct notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice; expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent; create three new exceptions to the Rule’s notice and consent requirements; strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information; require reasonable data retention and deletion procedures; strengthen the Commission’s oversight of self-regulatory safe harbor programs; and institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.

B. Background

The COPPA Rule, 16 CFR part 312, issued pursuant to the Children’s Online Privacy Protection Act (‘‘COPPA’’ or ‘‘COPPA statute’’), 15 U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age, and on operators of other Web sites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, ‘‘operators’’). Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age.3 The Rule also requires operators to keep secure the information they collect from children, and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities.4 The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.5

The Commission initiated review of the COPPA Rule in April 2010 when it published a document in the Federal Register seeking public comment on whether the rapid-fire pace of technological changes to the online environment over the preceding five years warranted any changes to the Rule.6 The Commission’s request for public comment examined each aspect of the COPPA Rule, posing 28 questions for the public’s consideration.7 The Commission also held a public roundtable to discuss in detail several of the areas where public comment was sought.8

The Commission received 70 comments from industry representatives, advocacy groups, academics, technologists, and

1 2011 NPRM, 76 FR 59804, available at http://ftc.gov/os/2011/09/110915coppa.pdf.
2 2012 SNPRM, 77 FR 46643, available at http://ftc.gov/os/2012/08/120801copparule.pdf.
3 See 16 CFR 312.3.
4 See 16 CFR 312.7 and 312.8.
5 See 16 CFR 312.10.
6 See Request for Public Comment on the Federal Trade Commission’s Implementation of the Children’s Online Privacy Protection Rule (‘‘2010 FRN’’), 75 FR 17089 (Apr. 5, 2010).
7 Id.
8 Information about the June 2010 public roundtable is located at http://www.ftc.gov/bcp/workshops/coppa/index.shtml.
3. Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations 3973
individual members of the public in response to the April 5, 2010 request for public comment.9 After reviewing the comments, the Commission issued the 2011 NPRM, which set forth several proposed changes to the COPPA Rule.10 The Commission received over 350 comments in response to the 2011 NPRM.11 After reviewing these comments, and based upon its experience in enforcing and administering the Rule, in the 2012 SNPRM, the Commission sought additional public comment on a second set of proposed modifications to the Rule.

The 2012 SNPRM proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable software kits (‘‘plug-ins’’), collect information from users through child-directed sites and services. In addition, the 2012 SNPRM proposed to further modify the definition of Web site or online service directed to children to permit Web sites or online services that are directed both to children and to a broader audience to comply with COPPA without treating all users as children. The Commission also proposed modifying the definition of screen or user name to cover only those situations where a screen or user name functions in the same manner as online contact information. Finally, the Commission proposed to further modify the revised definitions of support for internal operations and persistent identifiers. The Commission received 99 comments in response to the 2012 SNPRM.12 After reviewing these additional comments, the Commission now announces this final amended COPPA Rule.

II. Modifications to the Rule

A. Section 312.2: Definitions

1. Definition of Collects or Collection

a. Collects or Collection, Paragraph (1)

In the 2011 NPRM, the Commission proposed amending paragraph (1) to change the phrase ‘‘requesting that children submit personal information online’’ to ‘‘requesting, prompting, or encouraging a child to submit personal information online.’’ The proposal was to clarify that the Rule covers the online collection of personal information both when an operator requires it to participate in an online activity, and when an operator merely prompts or encourages a child to provide such information.13 The comments received divided roughly equally between support of and opposition to the proposed change to paragraph (1). Those in favor cited the increased clarity of the revised language as compared to the existing language.14

Several commenters opposed the revised language of paragraph (1). For example, the National Cable and Telecommunications Association (‘‘NCTA’’) expressed concern that the revised language suggests that ‘‘COPPA obligations are triggered even without the actual or intended collection of personal information.’’ 15 NCTA asked the Commission to clarify that ‘‘prompting’’ or ‘‘encouraging’’ does not trigger COPPA unless an operator actually collects personal information from a child.16

The Rule defines collection as ‘‘the gathering of any personal information from a child by any means,’’ and the terms ‘‘prompting’’ and ‘‘encouraging’’ are merely exemplars of the means by which an operator gathers personal information from a child.17 This change to the definition of collects or collection is intended to clarify the longstanding Commission position that an operator that provides a field or open forum for a child to enter personal information will not be shielded from liability merely because entry of personal information is not mandatory to participate in the activity. It recognizes the reality that such an operator must have in place a system to provide notice to and obtain consent from parents to deal with the moment when the information is ‘‘gathered.’’ 18 Otherwise, once the child posts the personal information, it will be too late to obtain parental consent.

After reviewing the comments, the Commission has decided to modify paragraph (1) of the definition of collects or collection as proposed in the 2011 NPRM.

b. Collects or Collection, Paragraph (2)

Section 312.2(b) of the Rule defines ‘‘collects or collection’’ to cover enabling children to publicly post personal information (e.g., on social networking sites or on blogs), ‘‘except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records.’’ 19 This exception, often referred to as the ‘‘100% deletion standard,’’ was designed to enable sites and services to make interactive content available to children, without providing parental notice and obtaining consent, provided that all personal information was deleted prior to posting.20

The 2010 FRN sought comment on whether to change the 100% deletion standard, whether automated systems used to review and post child content could meet this standard, and whether

9 Public comments in response to the Commission’s 2010 FRN are located at http://www.ftc.gov/os/comments/copparulerev2010/index.shtm. Comments cited herein to the Federal Register Notice are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.
10 See supra note 1.
11 Public comments in response to the 2011 NPRM are located at http://www.ftc.gov/os/comments/copparulereview2011/. Comments cited herein to the 2011 NPRM are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.
12 Public comments in response to the 2012 SNPRM are available online at http://ftc.gov/os/comments/copparulereview2012/index.shtm. Comments cited herein to the SNPRM are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.
13 One commenter, Go Daddy, expressed concern that the definition of collects or collection is silent as to personal information acquired from children offline that is uploaded, stored, or distributed to third parties by operators. Go Daddy (comment 59, 2011 NPRM), at 2. However, Congress limited the scope of COPPA to information that an operator collects online from a child; COPPA does not govern information collected by an operator offline. See 15 U.S.C. 6501(8) (defining the personal information as ‘‘individually identifiable information about an individual collected online * * *.’’); 144 Cong. Rec. S11657 (Oct. 7, 1998) (Statement of Sen. Bryan) (‘‘This is an online children’s privacy bill, and its reach is limited to information collected online from a child.’’).
14 See Institute for Public Representation (comment 71, 2011 NPRM), at 19; kidSAFE Seal Program (comment 81, 2011 NPRM), at 5; Alexandra Lang (comment 87, 2011 NPRM), at 1.
15 NCTA (comment 113, 2011 NPRM), at 17–18.
16 Id.
17 See 16 CFR 312.2: ‘‘Collects or collection means the gathering of any personal information from a child by any means, including but not limited to * * * ’’
18 Several other commenters raised concern that the language ‘‘prompting, or encouraging’’ could make sites or services that post third-party ‘‘Like’’ or ‘‘Tweet This’’ buttons subject to COPPA. See Association for Competitive Technology (comment 5, 2011 NPRM), at 6; Direct Marketing Association (‘‘DMA’’) (comment 37, 2011 NPRM), at 6; see also American Association of Advertising Agencies (comment 2, 2011 NPRM), at 2–3; Interactive Advertising Bureau (‘‘IAB’’) (comment 73, 2011 NPRM), at 12. The collection of personal information by plug-ins on child-directed sites is addressed fully in the discussion regarding changes to the definition of operator. See Part II.A.4.a., infra.
19 Under the Rule, operators who offered services such as social networking, chat, and bulletin boards and who did not pre-strip (i.e., completely delete) such information were deemed to have ‘‘disclosed’’ personal information under COPPA’s definition of disclosure. See 16 CFR 312.2.
20 See P. Marcus, Remarks from COPPA’s Exceptions to Parental Consent Panel at the Federal Trade Commission’s Roundtable: Protecting Kids’ Privacy Online 310 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
4. 3974 Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
the Commission had provided sufficient guidance on the deletion of personal information.21 In response, several commenters urged a new standard, arguing that the 100% deletion standard, while well-intentioned, was an impediment to operators’ implementation of sophisticated automated filtering technologies that may actually aid in the detection and removal of personal information.22

In the 2011 NPRM, the Commission stated that the 100% deletion standard set an unrealistic hurdle to operators’ implementation of automated filtering systems that could promote engaging and appropriate online content for children, while ensuring strong privacy protections by design. To address this, the Commission proposed replacing the 100% deletion standard with a ‘‘reasonable measures’’ standard. Under this approach, an operator would not be deemed to have collected personal information if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public, and also to delete such information from its records.’’23

Although the Institute for Public Representation raised concerns about the effectiveness of automated filtering techniques,24 most comments were resoundingly in favor of the ‘‘reasonable measures’’ standard. For example, one commenter stated that the revised language would enable the use of automated procedures that could provide ‘‘increased consistency and more effective monitoring than human monitors,’’25 while another noted that it would open the door to ‘‘cost-efficient and reliable means of monitoring children’s communications.’’26 Several commenters noted that the proposed reasonable measures standard would likely encourage the creation of more rich, interactive online content for children.27 Another commenter noted that the revised provision, by offering greater flexibility for technological solutions, should help minimize the burden of COPPA on children’s free expression.28

The Commission is persuaded that the 100% deletion standard should be replaced with a reasonable measures standard. The reasonable measures standard strikes the right balance in ensuring that operators have effective, comprehensive measures in place to prevent public online disclosure of children’s personal information and ensure its deletion from their records, while also retaining the flexibility operators need to innovate and improve their mechanisms for detecting and deleting such information. Therefore, the final Rule amends paragraph (2) of the definition of collects or collection to adopt the reasonable measures standard proposed in the 2011 NPRM.

c. Collects or Collection, Paragraph (3)

In the 2011 NPRM, the Commission proposed to modify paragraph (3) of the Rule’s definition of collects or collection to clarify that it includes all means of passively collecting personal information from children online, irrespective of the technology used. The Commission sought to accomplish this by removing from the original definition the language ‘‘or use of any identifying code linked to an individual, such as a cookie.’’29

The Commission received several comments supporting,30 and several comments opposing,31 this proposed change. Those opposing the change generally believed that this change somehow expanded the definition of personal information. As support for their argument, these commenters also referenced the Commission’s proposal to include persistent identifiers within the definition of personal information.

The Commission believes that paragraph (3), as proposed in the 2011 NPRM, is sufficiently understandable. The paragraph does nothing to alter the fact that the Rule covers only the collection of personal information. Moreover, the final Rule’s exception for the limited use of persistent identifiers to support internal operations—312.5(c)(7)—clearly articulates the specific criteria under which an operator will be exempt from the Rule’s notice and consent requirements in connection with the passive collection of a persistent identifier.32 Accordingly, the Commission adopts the definition of collects or collection as proposed in the 2011 NPRM.

2. Definition of Disclose or Disclosure

In the 2011 NPRM, the Commission proposed making several minor modifications to Section 312.2 of the Rule’s definition of disclosure, including broadening the title of the definition to disclose or disclosure to clarify that in every instance in which the Rule refers to instances where an operator ‘‘disclose[s]’’ information, the definition of disclosure shall apply.33 In addition, the Commission proposed moving the definitions of release of personal information and support for the internal operations of the Web site or online service contained within the definition of disclosure to make them stand-alone definitions within Section 312.2 of the Rule.34

One commenter asked the Commission to modify paragraph (2) of the proposed definition by adding an opening clause linking it to the definition of collects or collection.35 While this commenter did not state its reasons for the proposed change, the Commission believes that the language of paragraph (2) is sufficiently clear so as not to warrant making the change suggested. Therefore, the Commission modifies the definition of disclosure or disclosure as proposed in the 2011 NPRM.

3. Definition of Online Contact Information

Section 312.2 of the Rule defines online contact information as ‘‘an email address or any other substantially similar identifier that permits direct contact with a person online.’’ The 2011 NPRM proposed clarifications to the definition to flag that the term broadly covers all identifiers that permit direct

21 See 75 FR at 17090, Question 9.
22 See Entertainment Software Association (‘‘ESA’’) (comment 20, 2010 FRN), at 13–14; R. Newton (comment 46, 2010 FRN), at 4; Privo, Inc. (comment 50, 2010 FRN), at 5; B. Szoka (comment 59, 2010 FRN), at 19; see also Wired Safety (comment 68, 2010 FRN), at 15.
23 See 76 FR at 59808.
24 See Institute for Public Representation (comment 71, 2011 NPRM), at 19.
25 See NCTA (comment 113, 2011 NPRM), at 8.
26 DMA (comment 37, 2011 NPRM), at 7.
27 See DMA id.; Institute for Public Representation (comment 71, 2011 NPRM), at 3; kidSAFE Seal Program (comment 81, 2011 NPRM), at 5; NCTA (comment 113, 2011 NPRM), at 8; Toy Industry Association (comment 163, 2011 NPRM), at 8.
28 See TechFreedom (comment 159, 2011 NPRM), at 6.
29 76 FR at 59808.
30 Privacy Rights Clearinghouse indicated its belief that this change would give operators added incentive to notify parents of their information collection practices, particularly with regard to online tracking and behavioral advertising. See Privacy Rights Clearinghouse (comment 131, 2011 NPRM), at 2; see also Consumers Union (comment 29, 2011 NPRM), at 2; kidSAFE Seal Program (comment 81, 2011 NPRM), at 6.
31 See DMA (comment 37, 2011 NPRM), at 9–10; IAB (comment 73, 2011 NPRM), at 12; NCTA (comment 113, 2011 NPRM), at 17–18; National Retail Federation (comment 114, 2011 NPRM), at 2–3; TechAmerica (comment 157, 2011 NPRM), at 5–6.
32 See Part II.C.10.g., infra.
33 See 2011 NPRM, 76 FR at 59809.
34 The Commission intended this change to clarify what was meant by the terms release of personal information and support for the internal operations of the Web site or online service, where those terms are referenced elsewhere in the Rule and are not directly connected with the terms disclose or disclosure.
35 See kidSAFE Seal Program (comment 81, 2011 NPRM), at 8 (‘‘[P]aragraph (b) under the definition of ‘‘disclose or disclosure’’ should have the following opening clause: Subject to paragraph (b) under the definition of ‘‘collects or collection,’’ making personal information collected by an operator from a child publicly available * * *.’’).
5. Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations 3975
contact with a person online and to ensure consistency between the definition of online contact information and the use of that term within the definition of personal information.36 The proposed revised definition identified commonly used online identifiers, including email addresses, instant messaging (‘‘IM’’) user identifiers, voice over Internet protocol (‘‘VOIP’’) identifiers, and video chat user identifiers, while also clarifying that the list of identifiers was non-exhaustive and would encompass other substantially similar identifiers that permit direct contact with a person online.37 The Commission received few comments addressing this proposed change.

One commenter opposed the modification, asserting that IM, VOIP, and video chat user identifiers do not function in the same way as email addresses. The commenter’s rationale for this argument was that not all IM identifiers reveal the IM system in use, which information is needed to directly contact a user.38 The Commission does not find this argument persuasive. While an IM address may not reveal the IM program provider in every instance, it very often does. Moreover, several IM programs allow users of different messenger programs to communicate across different messaging platforms. Like email, instant messaging is a communications tool that allows people to communicate one-to-one or in groups—sometimes in a faster, more real-time fashion than through email. The Commission finds, therefore, that IM identifiers provide a potent means to contact a child directly.

Another commenter asked the Commission to expand the definition of online contact information to include mobile phone numbers. The commenter noted that, given the Rule’s coverage of mobile apps and web-based text messaging programs, operators would benefit greatly from collecting a parent’s mobile phone number (instead of an email address) in order to initiate contact for notice and consent.39 The Commission recognizes that including mobile phone numbers within the definition of online contact information could provide operators with a useful tool for initiating the parental notice process through either SMS text or a phone call. It also recognizes that there may be advantages to parents for an operator to initiate contact via SMS text—among them, that parents generally have their mobile phones with them and that SMS text is simple and convenient.40 However, the statute did not contemplate mobile phone numbers as a form of online contact information, and the Commission therefore has determined not to include mobile phone numbers within the definition.41 Thus, the final Rule adopts the definition of online contact information as proposed in the 2012 SNPRM.

4. Definitions of Operator and Web Site or Online Service Directed to Children

In the 2012 SNPRM, the Commission proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable plug-ins, collect information from users through child-directed sites and services. Under the proposed revisions, the child-directed content provider would be strictly liable for personal information collected by third parties through its site. The Commission reasoned that, although the child-directed site or service may not own, control, or have access to the personal information collected, such information is collected on its behalf due to the benefits it receives by adding more attractive content, functionality, or advertising revenue. The Commission also noted that the primary-content provider is in the best position to know that its site or service is directed to children, and is appropriately positioned to give notice and obtain consent.42 By contrast, if the Commission failed to impose obligations on the content providers, there would be no incentive for child-directed content providers to police their sites or services, and personal information would be collected from young children, thereby undermining congressional intent. The Commission also proposed imputing the child-directed nature of the content site to the entity collecting the personal information only if that entity knew or had reason to know that it was collecting personal information through a child-directed site.43

Most of the comments opposed the Commission’s proposed modifications. Industry comments challenged the Commission’s statutory authority for both changes and the breadth of the language, and warned of the potential for adverse consequences. In essence, many industry comments argued that the Commission may not apply COPPA where independent third parties collect personal information through child-directed sites,44 and that even if the Commission had some authority, exercising it would be impractical because of the structure of the ‘‘online ecosystem.’’45 Many privacy and children’s advocates agreed with the 2012 SNPRM proposal to hold child-directed content providers strictly liable, but some expressed concern about holding plug-ins and advertising networks to a lesser standard.46

For the reasons discussed below, the Commission, with some modifications to the proposed Rule language, will retain the strict liability standard for child-directed content providers that allow other online services to collect personal information through their sites. The Commission will deem a plug-in or other service to be a covered co-operator only where it has actual knowledge that it is collecting information through a child-directed site.

a. Strict Liability for Child-Directed Content Sites: Definition of Operator

Implementing strict liability as described above requires modifying the current definition of operator. The Rule, which mirrors the statutory language, defines operator in pertinent part, as

36 The Rule’s definition of personal information included the sub-category ‘‘an email address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual’s email address.’’ The 2011 NPRM proposed replacing that sub-category of personal information with online contact information.
37 76 FR at 59810.
38 See DMA (comment 37, 2011 NPRM), at 11.
39 kidSAFE Seal Program (comment 81, 2011 NPRM), at 7. Acknowledging the Commission’s position that cell phone numbers are outside of the statutory definition of online contact information, kidSAFE advocates for a statutory change, if needed, to enable mobile app operators, in particular, to reach parents using contact information ‘‘relevant to their ecosystem.’’
40 At the same time, the Commission believes it may be impractical to expect children to correctly distinguish between mobile and land-line phones when asked for their parents’ mobile numbers.
41 Moreover, given that the final Rule’s definition of online contact information encompasses a broad, non-exhaustive list of online identifiers, operators will not be unduly burdened by the Commission’s determination that cell phone numbers are not online contact information.
42 2012 SNPRM, 77 FR at 46644. The Commission acknowledged that this decision reversed a previous policy choice to place the burden of notice and consent entirely upon the information collection entity.
43 In so doing, the Commission noted that it believed it could hold the information collection entity strictly liable for such collection because, when operating on child-directed properties, that portion of an otherwise general audience service could be deemed directed to children. 2012 SNPRM, 77 FR at 46644–46645.
44 See, e.g., Facebook (comment 33, 2012 SNPRM), at 3–4.
45 See Microsoft (comment 66, 2012 SNPRM), at 6; IAB (comment 49, 2012 SNPRM), at 5; DMA (comment 28, 2012 SNPRM), at 5.
46 See, e.g., Institute for Public Representation (comment 52, 2012 SNPRM), at 20; Common Sense Media (comment 20, 2012 SNPRM), at 6.
‘‘any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes, including any person offering products or services for sale through that Web site or online service, involving commerce * * *’’ 47
In the 2012 SNPRM, the Commission proposed adding a proviso to that definition stating that personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.
Industry, particularly online content publishers, including app developers, criticized this proposed change.48 Industry comments argued that the phrase ‘‘on whose behalf’’ in the statute applies only to agents and service providers,49 and that the Commission lacks the authority to interpret the phrase more broadly to include any incidental benefit that results when two parties enter a commercial transaction.50 Many commenters pointed to an operator’s post-collection responsibilities under COPPA, e.g., mandated data security and affording parents deletion rights, as evidence that Congress intended to cover only those entities that control or have access to the personal information.51
Commenters also raised a number of policy objections. Many argued that child-directed properties, particularly small app developers, would face unreasonable compliance costs and that the proposed revisions might choke off their monetization opportunities,52 thus decreasing the incentive for developers to create engaging and educational content for children.53 They also argued that a strict liability standard is impractical given the current online ecosystem, which does not rely on close working relationships and communication between content providers and third parties that help monetize that content.54 Some commenters urged the Commission to consider a safe harbor for content providers that exercise some form of due diligence regarding the information collection practices of plug-ins present on their site.55
Privacy organizations generally supported imposing strict liability on content providers. They agreed with the Commission’s statement in the 2012 SNPRM that the first-party content provider is in a position to control which plug-ins and software downloads it integrates into its site and that it benefits by allowing information collection by such third parties.56 They also noted how unreasonable it would be for parents to try to decipher which entity might actually be collecting data through the child-directed property.57 Finally, many commenters expressed concern that the language describing ‘‘on whose behalf’’ reaches so broadly as to cover not only child-directed content sites, but also marketplace platforms such as Apple’s iTunes App Store and Google’s Android market (now Google Play) if they offered child-directed apps on their platforms.58 These commenters urged the Commission to revise the language of the Rule to exclude such platforms.
After considering the comments, the Commission retains a strict liability standard for child-directed sites and services that allow other online services to collect personal information through their sites.59 The Commission disagrees with the views of commenters that this is contrary to Congressional intent or the Commission’s statutory authority. The Commission does not believe Congress intended the loophole advocated by many in industry: Personal information being collected from children through child-directed properties with no one responsible for such collection.
Nor is the Commission persuaded by comments arguing that the phrase ‘‘on whose behalf’’ must be read extremely narrowly, encompassing only an agency relationship. Case law supports a broader interpretation of that phrase.60 Even some commenters opposed to the Commission’s interpretation have
47 15 U.S.C. 6501(2). The Rule’s definition of operator reflects the statutory language. See 16 CFR 312.2.
48 See, e.g., Application Developers Alliance (comment 5, 2012 SNPRM), at 3–4; Association of Competitive Technology (comment 7, 2012 SNPRM), at 4–5; IAB (comment 49, 2012 SNPRM), at 5–6; Online Publishers Association (comment 72, 2012 SNPRM), at 10–11; Magazine Publishers of America (comment 61, 2012 SNPRM), at 3–5; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4–5; S. Weiner (comment 97, 2012 SNPRM), at 1–2; WiredSafety (comment 98, 2012 SNPRM), at 3.
49 See DMA (comment 28, 2012 SNPRM), at 12; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 5; TechAmerica (comment 87, 2012 SNPRM), at 2–3.
50 See, e.g., Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 7–9; Facebook (comment 33, 2012 SNPRM), at 6 (entities acting primarily for their own benefit not considered to be acting on behalf of another party).
51 See, e.g., Business Software Alliance (comment 12, 2012 SNPRM), at 2–4; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 5; see also, e.g., IAB (comment 49, 2012 SNPRM), at 5; DMA (comment 28, 2012 SNPRM), at 6; Online Publishers Association (comment 72, 2012 SNPRM), at 10–11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 3–5.
52 See Center for Democracy & Technology (‘‘CDT’’) (comment 15, 2012 SNPRM), at 4–5; DMA (comment 28, 2012 SNPRM), at 5; Google (comment 41, 2012 SNPRM), at 3–4; Lynette Mattke (comment 63, 2012 SNPRM).
53 See Google (comment 41, 2012 SNPRM), at 3; Application Developers Alliance (comment 5, 2012 SNPRM), at 5; Association for Competitive Technology (comment 6, 2012 SNPRM), at 5; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4; ConnectSafely (comment 21, 2012 SNPRM), at 2.
54 See Application Developers Alliance (comment 5, 2012 SNPRM), at 3; Online Publishers Association (comment 72, 2012 SNPRM), at 11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4; DMA (comment 28, 2012 SNPRM), at 4.
55 See, e.g., Online Publishers Association (comment 72, 2012 SNPRM), at 11 (publisher should be entitled to rely on third party’s representations about its information practices); The Walt Disney Co. (comment 96, 2012 SNPRM), at 5 (operator of a site directed to children should be permitted to rely on the representations made by third parties regarding their personal information collection practices, as long as the operator has undertaken reasonable efforts to limit any unauthorized data collection); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 6 (the Commission should state that operators whose sites or services are targeted to children should bind third party operators whom they know are collecting personal information through their sites or services to comply with COPPA with regard to that information collection).
56 See Institute for Public Representation (comment 52, 2012 SNPRM), at 18–19; Common Sense Media (comment 20, 2012 SNPRM), at 4–6; EPIC (comment 31, 2012 SNPRM), at 5–6; Catholic Bishops (comment 92, 2012 SNPRM), at 3; CDT (comment 15, 2012 SNPRM), at 3.
57 See Institute for Public Representation (comment 52, 2012 SNPRM), at 19; Common Sense Media (comment 20, 2012 SNPRM), at 5.
58 See CDT (comment 15, 2012 SNPRM), at 5; Apple (comment 4, 2012 SNPRM), at 3–4; Assert ID (comment 6, 2012 SNPRM), at 5.
59 Although this issue is framed in terms of child-directed content providers integrating plug-ins or other online services into their sites because that is by far the most likely scenario, the same strict liability standard would apply to a general audience content provider that allows a plug-in to collect personal information from a specific user when the provider has actual knowledge the user is a child.
60 National Organization for Marriage v. Daluz, 654 F.3d 115, 121 (1st Cir. 2011) (statute requiring expenditure reports by independent PAC to the treasurer of the candidate ‘‘on whose behalf’’ the expenditure was made meant to the candidate who stands to benefit from the independent expenditure’s advocacy); accord American Postal Workers Union v. United States Postal Serv., 595 F. Supp 1352 (D.D.C. 1984) (Postal Union’s activities held to be ‘‘on behalf of’’ a political campaign where evidence showed union was highly politicized, with goal of electing a particular candidate); Sedwick Claims Mgmt. Servs. v. Barrett Business Servs., Inc., 2007 WL 1053303 (D. Or. 2007) (noting that 9th Circuit has interpreted the phrase ‘‘on behalf of’’ to include both ‘‘to the benefit of’’ and in a representative capacity); United States v. Dish Network, LLC, 2010 U.S. Dist. LEXIS 8957, 10 (C.D. Ill. Feb. 3, 2010) (reiterating the court’s previous opinion that the plain meaning of the phrases ‘‘on whose behalf’’ or ‘‘on behalf of’’ is an act by a representative of, or an act for the benefit of, another).
acknowledged that the Commission’s proposal is based on ‘‘an accurate recognition that online content monetization is accomplished through a complex web of inter-related activities by many parties,’’ and have noted that to act on behalf of another is to do what that person would ordinarily do herself if she could.61 That appears to be precisely the reason many first-party content providers integrate these services. As one commenter pointed out, content providers ‘‘have chosen to devote their resources to develop great content, and to let partners help them monetize that content. In part, these app developers and publishers have made this choice because collecting and handling children’s data internally would require them to take on liability risk and spend compliance resources that they do not have.’’ 62 Moreover, content-providing sites and services often outsource the monetization of those sites ‘‘to partners’’ because they do not have the desire to handle it themselves.63
In many cases, child-directed properties integrate plug-ins to enhance the functionality or content of their properties or gain greater publicity through social media in an effort to drive more traffic to their sites and services. Child-directed properties also may obtain direct compensation or increased revenue from advertising networks or other plug-ins. These benefits to child-directed properties are not merely incidental; as the comments point out, the benefits may be crucial to their continued viability.64
The Commission recognizes the potential burden that strict liability places on child-directed content providers, particularly small app developers. The Commission also appreciates the potential for discouraging dynamic child-directed content. Nevertheless, when it enacted COPPA, Congress imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information; those requirements cannot be avoided through outsourcing offerings to other operators in the online ecosystem. The Commission believes that the potential burden on child-directed sites discussed by the commenters in response to the 2012 SNPRM will be eased by the more limited definition of persistent identifiers, the more expansive definition of support for internal operations adopted in the Final Rule, and the newly-created exception to the Rule’s notice and parental consent requirements that applies when an operator collects only a persistent identifier and only to support the operator’s internal operations.65
The Commission considered including the ‘‘due-diligence’’ safe harbor for child-directed content providers that many of the comments proposed.66 Nevertheless, as many other comments pointed out, it cannot be the responsibility of parents to try to pierce the complex infrastructure of entities that may be collecting their children’s personal information through any one site.67 For child-directed properties, one entity, at least, must be strictly responsible for providing parents notice and obtaining consent when personal information is collected through that site. The Commission believes that the primary-content site or service is in the best position to know which plug-ins it integrates into its site, and is also in the best position to give notice and obtain consent from parents.68 Although the Commission, in applying its prosecutorial discretion, will consider the level of due diligence a primary-content site exercises, the Commission will not provide a safe harbor from liability.
When it issued the 2012 SNPRM, the Commission never intended the language describing ‘‘on whose behalf’’ to encompass platforms, such as Google Play or the App Store, when such stores merely offer the public access to someone else’s child-directed content. In these instances, the Commission meant the language to cover only those entities that designed and controlled the content, i.e., the app developer or site owner. Accordingly, the Commission has revised the language proposed in the 2012 SNPRM to clarify that personal information will be deemed to be collected on behalf of an operator where it benefits by allowing another person to collect personal information directly from users of such operator’s site or service, thereby limiting the provision’s coverage to operators that design or control the child-directed content.69
Accordingly, the Final Rule shall state that personal information is collected or maintained on behalf of an operator when it is collected or maintained by an agent or service provider of the operator; or the operator benefits by allowing another person to collect personal information directly from users of such operator’s Web site or online service.
b. Operators Collecting Personal Information Through Child-Directed Sites and Online Services: Moving to an Actual Knowledge Standard
In the 2012 SNPRM, the Commission proposed holding responsible as a co-operator any site or online service that ‘‘knows or has reason to know’’ it is collecting personal information through a host Web site or online service directed to children. Many commenters criticized this standard. Industry comments contended that such a standard is contrary to the statutory mandate that general audience services be liable only if they have actual knowledge they are collecting information from a child.70 They further
61 Application Developers Alliance (comment 5, 2012 SNPRM), at 2; see also Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 7.
62 Application Developers Alliance (comment 5, 2012 SNPRM), at 4.
63 Id.; see also Association for Competitive Technology (comment 7, 2012 SNPRM), at 5; see generally DMA (comment 28, 2012 SNPRM), at 5; Facebook (comment 33, 2012 SNPRM), at 3; Online Publishers Association (comment 72, 2012 SNPRM), at 11.
64 Id.
65 See Part II.A.5.b., infra (discussion of persistent identifiers and support of internal operations).
66 The type of due diligence advocated ranged from essentially relying on a plug-in or advertising network’s privacy policy to requiring an affirmative contract. See, e.g., The Walt Disney Co. (comment 96, 2012 SNPRM), at 5 (operator should be able to rely on third party’s representations about its information collection practices, if operator makes reasonable efforts to limit unauthorized data collection); Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 23–24 (provide a safe harbor for operators that certify they do not receive, own, or control any personal information collected by third parties; alternatively, grant a safe harbor for operators that also certify they do not receive a specific benefit from the collection, or that obtain third party’s certification of COPPA compliance); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 6–7 (provide a safe harbor for operators whose policies prohibit third party collection on their sites).
67 See Common Sense Media (comment 20, 2012 SNPRM), at 4–5; EPIC (comment 31, 2012 SNPRM), at 6; Institute for Public Representation (comment 52, 2012 SNPRM), at 18–19.
68 Some commenters, although not conceding the need to impose strict liability on any party, noted that if the burden needed to fall on either the primary content provider or the plug-in, it was better to place it on the party that controlled the child-directed nature of the content. See, e.g., CTIA (comment 24, 2012 SNPRM), at 8–9; CDT (comment 15, 2012 SNPRM), at 4–5. Not surprisingly, industry members primarily in the business of providing content did not share this view. See, e.g., Association for Competitive Technology (comment 7, 2012 SNPRM), at 4–5; Business Software Alliance (comment 12, 2012 SNPRM), at 2–4; Entertainment Software Association (comment 32, 2012 SNPRM), at 9; Online Publishers Association (comment 72, 2012 SNPRM), at 10–11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 6.
69 This clarification to the term ‘‘on behalf of’’ is intended only to address platforms in instances where they function as a conduit to someone else’s content. Platforms may well wear multiple hats and are still responsible for complying with COPPA if they themselves collect personal information directly from children.
70 See Business Software Alliance (comment 12, 2012 SNPRM), at 4–5; Digital Advertising Alliance (comment 27, 2012 SNPRM), at 2; Google (comment 41, 2012 SNPRM), at 4; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 7; Magazine Publishers of America (comment 61, 2012 Continued