
Children’s Online Privacy Protection


COPPA isn’t new, either, but it has seen some significant amendments over the past year that are worth mentioning. COPPA, which went into effect in early 2000, protects children under 13 from the online collection of personal information. As a result, many sites today often disallow children under 13 from using their services or require parental permission for disclosure of any personal information. In September 2011, the FTC announced proposed revisions to COPPA that expand the definition of what it means to collect data from children. These new rules would include regulations on data retention and deletion and would require any third parties to whom a child’s information is disclosed to have policies in place to protect the information.


  1. 1. Vol. 78, No. 12, Thursday, January 17, 2013. Part II. Federal Trade Commission. 16 CFR Part 312. Children’s Online Privacy Protection Rule; Final Rule
  2. 2. 3972 Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

     FEDERAL TRADE COMMISSION

     16 CFR Part 312

     RIN 3084–AB20

     Children’s Online Privacy Protection Rule

     AGENCY: Federal Trade Commission (“FTC” or “Commission”).

     ACTION: Final rule amendments.

     SUMMARY: The Commission amends the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), consistent with the requirements of the Children’s Online Privacy Protection Act, to clarify the scope of the Rule and strengthen its protections for children’s personal information, in light of changes in online technology since the Rule went into effect in April 2000. The final amended Rule includes modifications to the definitions of operator, personal information, and Web site or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.

     DATES: The amended Rule will become effective on July 1, 2013.

     ADDRESSES: The complete public record of this proceeding will be available at www.ftc.gov. Requests for paper copies of this amended Rule and Statement of Basis and Purpose (“SBP”) should be sent to: Public Reference Branch, Federal Trade Commission, 600 Pennsylvania Avenue NW., Room 130, Washington, DC 20580.

     FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, Attorneys, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326–2854 or (202) 326–2070.

     SUPPLEMENTARY INFORMATION:

     Statement of Basis and Purpose

     I. Overview and Background

     A. Overview

     This document states the basis and purpose for the Commission’s decision to adopt certain amendments to the COPPA Rule that were proposed and published for public comment on September 27, 2011 (“2011 NPRM”),[1] and supplemental amendments that were proposed and published for public comment on August 6, 2012 (“2012 SNPRM”).[2] After careful review and consideration of the entire rulemaking record, including public comments submitted by interested parties, and based upon its experience in enforcing and administering the Rule, the Commission has determined to adopt amendments to the COPPA Rule. These amendments to the final Rule will help to ensure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them, even as online technologies, and children’s uses of such technologies, evolve.

     The final Rule amendments modify the definitions of operator to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors; Web site or online service directed to children to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service; Web site or online service directed to children to allow a subset of child-directed sites and services to differentiate among users, and requiring such properties to provide notice and obtain parental consent only for users who self-identify as under age 13; personal information to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services; and support for internal operations to expand the list of defined activities. The Rule amendments also streamline and clarify the direct notice requirements to ensure that key information is presented to parents in a succinct “just-in-time” notice; expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent; create three new exceptions to the Rule’s notice and consent requirements; strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information; require reasonable data retention and deletion procedures; strengthen the Commission’s oversight of self-regulatory safe harbor programs; and institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.

     B. Background

     The COPPA Rule, 16 CFR part 312, issued pursuant to the Children’s Online Privacy Protection Act (“COPPA” or “COPPA statute”), 15 U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age, and on operators of other Web sites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, “operators”). Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age.[3] The Rule also requires operators to keep secure the information they collect from children, and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities.[4] The Rule contains a “safe harbor” provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.[5]

     The Commission initiated review of the COPPA Rule in April 2010 when it published a document in the Federal Register seeking public comment on whether the rapid-fire pace of technological changes to the online environment over the preceding five years warranted any changes to the Rule.[6] The Commission’s request for public comment examined each aspect of the COPPA Rule, posing 28 questions for the public’s consideration.[7] The Commission also held a public roundtable to discuss in detail several of the areas where public comment was sought.[8]

     The Commission received 70 comments from industry representatives, advocacy groups, academics, technologists, and

     [1] 2011 NPRM, 76 FR 59804, available at http://ftc.gov/os/2011/09/110915coppa.pdf.
     [2] 2012 SNPRM, 77 FR 46643, available at http://ftc.gov/os/2012/08/120801copparule.pdf.
     [3] See 16 CFR 312.3.
     [4] See 16 CFR 312.7 and 312.8.
     [5] See 16 CFR 312.10.
     [6] See Request for Public Comment on the Federal Trade Commission’s Implementation of the Children’s Online Privacy Protection Rule (“2010 FRN”), 75 FR 17089 (Apr. 5, 2010).
     [7] Id.
     [8] Information about the June 2010 public roundtable is located at http://www.ftc.gov/bcp/workshops/coppa/index.shtml.
  3. 3. Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations 3973

     individual members of the public in response to the April 5, 2010 request for public comment.[9] After reviewing the comments, the Commission issued the 2011 NPRM, which set forth several proposed changes to the COPPA Rule.[10] The Commission received over 350 comments in response to the 2011 NPRM.[11] After reviewing these comments, and based upon its experience in enforcing and administering the Rule, in the 2012 SNPRM, the Commission sought additional public comment on a second set of proposed modifications to the Rule.

     The 2012 SNPRM proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable software kits (“plug-ins”), collect information from users through child-directed sites and services. In addition, the 2012 SNPRM proposed to further modify the definition of Web site or online service directed to children to permit Web sites or online services that are directed both to children and to a broader audience to comply with COPPA without treating all users as children. The Commission also proposed modifying the definition of screen or user name to cover only those situations where a screen or user name functions in the same manner as online contact information. Finally, the Commission proposed to further modify the revised definitions of support for internal operations and persistent identifiers.

     The Commission received 99 comments in response to the 2012 SNPRM.[12] After reviewing these additional comments, the Commission now announces this final amended COPPA Rule.

     II. Modifications to the Rule

     A. Section 312.2: Definitions

     1. Definition of Collects or Collection

     a. Collects or Collection, Paragraph (1)

     In the 2011 NPRM, the Commission proposed amending paragraph (1) to change the phrase “requesting that children submit personal information online” to “requesting, prompting, or encouraging a child to submit personal information online.” The proposal was to clarify that the Rule covers the online collection of personal information both when an operator requires it to participate in an online activity, and when an operator merely prompts or encourages a child to provide such information.[13] The comments received divided roughly equally between support of and opposition to the proposed change to paragraph (1). Those in favor cited the increased clarity of the revised language as compared to the existing language.[14]

     Several commenters opposed the revised language of paragraph (1). For example, the National Cable and Telecommunications Association (“NCTA”) expressed concern that the revised language suggests that “COPPA obligations are triggered even without the actual or intended collection of personal information.”[15] NCTA asked the Commission to clarify that “prompting” or “encouraging” does not trigger COPPA unless an operator actually collects personal information from a child.[16]

     The Rule defines collection as “the gathering of any personal information from a child by any means,” and the terms “prompting” and “encouraging” are merely exemplars of the means by which an operator gathers personal information from a child.[17] This change to the definition of collects or collection is intended to clarify the longstanding Commission position that an operator that provides a field or open forum for a child to enter personal information will not be shielded from liability merely because entry of personal information is not mandatory to participate in the activity. It recognizes the reality that such an operator must have in place a system to provide notice to and obtain consent from parents to deal with the moment when the information is “gathered.”[18] Otherwise, once the child posts the personal information, it will be too late to obtain parental consent.

     After reviewing the comments, the Commission has decided to modify paragraph (1) of the definition of collects or collection as proposed in the 2011 NPRM.

     b. Collects or Collection, Paragraph (2)

     Section 312.2(b) of the Rule defines “collects or collection” to cover enabling children to publicly post personal information (e.g., on social networking sites or on blogs), “except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records.”[19] This exception, often referred to as the “100% deletion standard,” was designed to enable sites and services to make interactive content available to children, without providing parental notice and obtaining consent, provided that all personal information was deleted prior to posting.[20]

     The 2010 FRN sought comment on whether to change the 100% deletion standard, whether automated systems used to review and post child content could meet this standard, and whether

     [9] Public comments in response to the Commission’s 2010 FRN are located at http://www.ftc.gov/os/comments/copparulerev2010/index.shtm. Comments cited herein to the Federal Register Notice are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.
     [10] See supra note 1.
     [11] Public comments in response to the 2011 NPRM are located at http://www.ftc.gov/os/comments/copparulereview2011/. Comments cited herein to the 2011 NPRM are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.
     [12] Public comments in response to the 2012 SNPRM are available online at http://ftc.gov/os/comments/copparulereview2012/index.shtm. Comments cited herein to the SNPRM are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.
     [13] One commenter, Go Daddy, expressed concern that the definition of collects or collection is silent as to personal information acquired from children offline that is uploaded, stored, or distributed to third parties by operators. Go Daddy (comment 59, 2011 NPRM), at 2. However, Congress limited the scope of COPPA to information that an operator collects online from a child; COPPA does not govern information collected by an operator offline. See 15 U.S.C. 6501(8) (defining the personal information as “individually identifiable information about an individual collected online * * *.”); 144 Cong. Rec. S11657 (Oct. 7, 1998) (Statement of Sen. Bryan) (“This is an online children’s privacy bill, and its reach is limited to information collected online from a child.”).
     [14] See Institute for Public Representation (comment 71, 2011 NPRM), at 19; kidSAFE Seal Program (comment 81, 2011 NPRM), at 5; Alexandra Lang (comment 87, 2011 NPRM), at 1.
     [15] NCTA (comment 113, 2011 NPRM), at 17–18.
     [16] Id.
     [17] See 16 CFR 312.2: “Collects or collection means the gathering of any personal information from a child by any means, including but not limited to * * * ”
     [18] Several other commenters raised concern that the language “prompting, or encouraging” could make sites or services that post third-party “Like” or “Tweet This” buttons subject to COPPA. See Association for Competitive Technology (comment 5, 2011 NPRM), at 6; Direct Marketing Association (“DMA”) (comment 37, 2011 NPRM), at 6; see also American Association of Advertising Agencies (comment 2, 2011 NPRM), at 2–3; Interactive Advertising Bureau (“IAB”) (comment 73, 2011 NPRM), at 12. The collection of personal information by plug-ins on child-directed sites is addressed fully in the discussion regarding changes to the definition of operator. See Part II.A.4.a., infra.
     [19] Under the Rule, operators who offered services such as social networking, chat, and bulletin boards and who did not pre-strip (i.e., completely delete) such information were deemed to have “disclosed” personal information under COPPA’s definition of disclosure. See 16 CFR 312.2.
     [20] See P. Marcus, Remarks from COPPA’s Exceptions to Parental Consent Panel at the Federal Trade Commission’s Roundtable: Protecting Kids’ Privacy Online 310 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.
  4. 4. 3974 Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

     the Commission had provided sufficient guidance on the deletion of personal information.[21] In response, several commenters urged a new standard, arguing that the 100% deletion standard, while well-intentioned, was an impediment to operators’ implementation of sophisticated automated filtering technologies that may actually aid in the detection and removal of personal information.[22]

     In the 2011 NPRM, the Commission stated that the 100% deletion standard set an unrealistic hurdle to operators’ implementation of automated filtering systems that could promote engaging and appropriate online content for children, while ensuring strong privacy protections by design. To address this, the Commission proposed replacing the 100% deletion standard with a “reasonable measures” standard. Under this approach, an operator would not be deemed to have collected personal information if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public, and also to delete such information from its records.”[23]

     Although the Institute for Public Representation raised concerns about the effectiveness of automated filtering techniques,[24] most comments were resoundingly in favor of the “reasonable measures” standard. For example, one commenter stated that the revised language would enable the use of automated procedures that could provide “increased consistency and more effective monitoring than human monitors,”[25] while another noted that it would open the door to “cost-efficient and reliable means of monitoring children’s communications.”[26] Several commenters noted that the proposed reasonable measures standard would likely encourage the creation of more rich, interactive online content for children.[27] Another commenter noted that the revised provision, by offering greater flexibility for technological solutions, should help minimize the burden of COPPA on children’s free expression.[28]

     The Commission is persuaded that the 100% deletion standard should be replaced with a reasonable measures standard. The reasonable measures standard strikes the right balance in ensuring that operators have effective, comprehensive measures in place to prevent public online disclosure of children’s personal information and ensure its deletion from their records, while also retaining the flexibility operators need to innovate and improve their mechanisms for detecting and deleting such information. Therefore, the final Rule amends paragraph (2) of the definition of collects or collection to adopt the reasonable measures standard proposed in the 2011 NPRM.

     c. Collects or Collection, Paragraph (3)

     In the 2011 NPRM, the Commission proposed to modify paragraph (3) of the Rule’s definition of collects or collection to clarify that it includes all means of passively collecting personal information from children online, irrespective of the technology used. The Commission sought to accomplish this by removing from the original definition the language “or use of any identifying code linked to an individual, such as a cookie.”[29]

     The Commission received several comments supporting,[30] and several comments opposing,[31] this proposed change. Those opposing the change generally believed that this change somehow expanded the definition of personal information. As support for their argument, these commenters also referenced the Commission’s proposal to include persistent identifiers within the definition of personal information.

     The Commission believes that paragraph (3), as proposed in the 2011 NPRM, is sufficiently understandable. The paragraph does nothing to alter the fact that the Rule covers only the collection of personal information. Moreover, the final Rule’s exception for the limited use of persistent identifiers to support internal operations—312.5(c)(7)—clearly articulates the specific criteria under which an operator will be exempt from the Rule’s notice and consent requirements in connection with the passive collection of a persistent identifier.[32] Accordingly, the Commission adopts the definition of collects or collection as proposed in the 2011 NPRM.

     2. Definition of Disclose or Disclosure

     In the 2011 NPRM, the Commission proposed making several minor modifications to Section 312.2 of the Rule’s definition of disclosure, including broadening the title of the definition to disclose or disclosure to clarify that in every instance in which the Rule refers to instances where an operator “disclose[s]” information, the definition of disclosure shall apply.[33] In addition, the Commission proposed moving the definitions of release of personal information and support for the internal operations of the Web site or online service contained within the definition of disclosure to make them stand-alone definitions within Section 312.2 of the Rule.[34]

     One commenter asked the Commission to modify paragraph (2) of the proposed definition by adding an opening clause linking it to the definition of collects or collection.[35] While this commenter did not state its reasons for the proposed change, the Commission believes that the language of paragraph (2) is sufficiently clear so as not to warrant making the change suggested. Therefore, the Commission modifies the definition of disclosure or disclosure as proposed in the 2011 NPRM.

     3. Definition of Online Contact Information

     Section 312.2 of the Rule defines online contact information as “an email address or any other substantially similar identifier that permits direct contact with a person online.” The 2011 NPRM proposed clarifications to the definition to flag that the term broadly covers all identifiers that permit direct

     [21] See 75 FR at 17090, Question 9.
     [22] See Entertainment Software Association (“ESA”) (comment 20, 2010 FRN), at 13–14; R. Newton (comment 46, 2010 FRN), at 4; Privo, Inc. (comment 50, 2010 FRN), at 5; B. Szoka (comment 59, 2010 FRN), at 19; see also Wired Safety (comment 68, 2010 FRN), at 15.
     [23] See 76 FR at 59808.
     [24] See Institute for Public Representation (comment 71, 2011 NPRM), at 19.
     [25] See NCTA (comment 113, 2011 NPRM), at 8.
     [26] DMA (comment 37, 2011 NPRM), at 7.
     [27] See DMA id.; Institute for Public Representation (comment 71, 2011 NPRM), at 3; kidSAFE Seal Program (comment 81, 2011 NPRM), at 5; NCTA (comment 113, 2011 NPRM), at 8; Toy Industry Association (comment 163, 2011 NPRM), at 8.
     [28] See TechFreedom (comment 159, 2011 NPRM), at 6.
     [29] 76 FR at 59808.
     [30] Privacy Rights Clearinghouse indicated its belief that this change would give operators added incentive to notify parents of their information collection practices, particularly with regard to online tracking and behavioral advertising. See Privacy Rights Clearinghouse (comment 131, 2011 NPRM), at 2; see also Consumers Union (comment 29, 2011 NPRM), at 2; kidSAFE Seal Program (comment 81, 2011 NPRM), at 6.
     [31] See DMA (comment 37, 2011 NPRM), at 9–10; IAB (comment 73, 2011 NPRM), at 12; NCTA (comment 113, 2011 NPRM), at 17–18; National Retail Federation (comment 114, 2011 NPRM), at 2–3; TechAmerica (comment 157, 2011 NPRM), at 5–6.
     [32] See Part II.C.10.g., infra.
     [33] See 2011 NPRM, 76 FR at 59809.
     [34] The Commission intended this change to clarify what was meant by the terms release of personal information and support for the internal operations of the Web site or online service, where those terms are referenced elsewhere in the Rule and are not directly connected with the terms disclose or disclosure.
     [35] See kidSAFE Seal Program (comment 81, 2011 NPRM), at 8 (“[P]aragraph (b) under the definition of “disclose or disclosure” should have the following opening clause: Subject to paragraph (b) under the definition of “collects or collection,” making personal information collected by an operator from a child publicly available * * *.”).
  5. 5. Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations 3975

     contact with a person online and to ensure consistency between the definition of online contact information and the use of that term within the definition of personal information.[36] The proposed revised definition identified commonly used online identifiers, including email addresses, instant messaging (“IM”) user identifiers, voice over Internet protocol (“VOIP”) identifiers, and video chat user identifiers, while also clarifying that the list of identifiers was non-exhaustive and would encompass other substantially similar identifiers that permit direct contact with a person online.[37] The Commission received few comments addressing this proposed change.

     One commenter opposed the modification, asserting that IM, VOIP, and video chat user identifiers do not function in the same way as email addresses. The commenter’s rationale for this argument was that not all IM identifiers reveal the IM system in use, which information is needed to directly contact a user.[38] The Commission does not find this argument persuasive. While an IM address may not reveal the IM program provider in every instance, it very often does. Moreover, several IM programs allow users of different messenger programs to communicate across different messaging platforms. Like email, instant messaging is a communications tool that allows people to communicate one-to-one or in groups—sometimes in a faster, more real-time fashion than through email. The Commission finds, therefore, that IM identifiers provide a potent means to contact a child directly.

     Another commenter asked the Commission to expand the definition of online contact information to include mobile phone numbers. The commenter noted that, given the Rule’s coverage of mobile apps and web-based text messaging programs, operators would benefit greatly from collecting a parent’s mobile phone number (instead of an email address) in order to initiate contact for notice and consent.[39] The Commission recognizes that including mobile phone numbers within the definition of online contact information could provide operators with a useful tool for initiating the parental notice process through either SMS text or a phone call. It also recognizes that there may be advantages to parents for an operator to initiate contact via SMS text—among them, that parents generally have their mobile phones with them and that SMS text is simple and convenient.[40] However, the statute did not contemplate mobile phone numbers as a form of online contact information, and the Commission therefore has determined not to include mobile phone numbers within the definition.[41] Thus, the final Rule adopts the definition of online contact information as proposed in the 2012 SNPRM.

     4. Definitions of Operator and Web Site or Online Service Directed to Children

     In the 2012 SNPRM, the Commission proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable plug-ins, collect information from users through child-directed sites and services. Under the proposed revisions, the child-directed content provider would be strictly liable for personal information collected by third parties through its site. The Commission reasoned that, although the child-directed site or service may not own, control, or have access to the personal information collected, such information is collected on its behalf due to the benefits it receives by adding more attractive content, functionality, or advertising revenue. The Commission also noted that the primary-content provider is in the best position to know that its site or service is directed to children, and is appropriately positioned to give notice and obtain consent.[42] By contrast, if the Commission failed to impose obligations on the content providers, there would be no incentive for child-directed content providers to police their sites or services, and personal information would be collected from young children, thereby undermining congressional intent. The Commission also proposed imputing the child-directed nature of the content site to the entity collecting the personal information only if that entity knew or had reason to know that it was collecting personal information through a child-directed site.[43]

     Most of the comments opposed the Commission’s proposed modifications. Industry comments challenged the Commission’s statutory authority for both changes and the breadth of the language, and warned of the potential for adverse consequences. In essence, many industry comments argued that the Commission may not apply COPPA where independent third parties collect personal information through child-directed sites,[44] and that even if the Commission had some authority, exercising it would be impractical because of the structure of the “online ecosystem.”[45] Many privacy and children’s advocates agreed with the 2012 SNPRM proposal to hold child-directed content providers strictly liable, but some expressed concern about holding plug-ins and advertising networks to a lesser standard.[46]

     For the reasons discussed below, the Commission, with some modifications to the proposed Rule language, will retain the strict liability standard for child-directed content providers that allow other online services to collect personal information through their sites. The Commission will deem a plug-in or other service to be a covered co-operator only where it has actual knowledge that it is collecting information through a child-directed site.

     a. Strict Liability for Child-Directed Content Sites: Definition of Operator

     Implementing strict liability as described above requires modifying the current definition of operator. The Rule, which mirrors the statutory language, defines operator in pertinent part, as

     [36] The Rule’s definition of personal information included the sub-category “an email address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual’s email address.” The 2011 NPRM proposed replacing that sub-category of personal information with online contact information.
     [37] 76 FR at 59810.
     [38] See DMA (comment 37, 2011 NPRM), at 11.
     [39] kidSAFE Seal Program (comment 81, 2011 NPRM), at 7. Acknowledging the Commission’s position that cell phone numbers are outside of the statutory definition of online contact information, kidSAFE advocates for a statutory change, if needed, to enable mobile app operators, in particular, to reach parents using contact information “relevant to their ecosystem.”
     [40] At the same time, the Commission believes it may be impractical to expect children to correctly distinguish between mobile and land-line phones when asked for their parents’ mobile numbers.
     [41] Moreover, given that the final Rule’s definition of online contact information encompasses a broad, non-exhaustive list of online identifiers, operators will not be unduly burdened by the Commission’s determination that cell phone numbers are not online contact information.
     [42] 2012 SNPRM, 77 FR at 46644. The Commission acknowledged that this decision reversed a previous policy choice to place the burden of notice and consent entirely upon the information collection entity.
     [43] In so doing, the Commission noted that it believed it could hold the information collection entity strictly liable for such collection because, when operating on child-directed properties, that portion of an otherwise general audience service could be deemed directed to children. 2012 SNPRM, 77 FR at 46644–46645.
     [44] See, e.g., Facebook (comment 33, 2012 SNPRM), at 3–4.
     [45] See Microsoft (comment 66, 2012 SNPRM), at 6; IAB (comment 49, 2012 SNPRM), at 5; DMA (comment 28, 2012 SNPRM), at 5.
     [46] See, e.g., Institute for Public Representation (comment 52, 2012 SNPRM), at 20; Common Sense Media (comment 20, 2012 SNPRM), at 6.
  6. 6. 3976 Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

‘‘any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes, including any person offering products or services for sale through that Web site or online service, involving commerce * * *’’ 47

In the 2012 SNPRM, the Commission proposed adding a proviso to that definition stating that personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.

Industry, particularly online content publishers, including app developers, criticized this proposed change.48 Industry comments argued that the phrase ‘‘on whose behalf’’ in the statute applies only to agents and service providers,49 and that the Commission lacks the authority to interpret the phrase more broadly to include any incidental benefit that results when two parties enter a commercial transaction.50 Many commenters pointed to an operator’s post-collection responsibilities under COPPA, e.g., mandated data security and affording parents deletion rights, as evidence that Congress intended to cover only those entities that control or have access to the personal information.51

Commenters also raised a number of policy objections. Many argued that child-directed properties, particularly small app developers, would face unreasonable compliance costs and that the proposed revisions might choke off their monetization opportunities,52 thus decreasing the incentive for developers to create engaging and educational content for children.53 They also argued that a strict liability standard is impractical given the current online ecosystem, which does not rely on close working relationships and communication between content providers and third parties that help monetize that content.54 Some commenters urged the Commission to consider a safe harbor for content providers that exercise some form of due diligence regarding the information collection practices of plug-ins present on their site.55

Privacy organizations generally supported imposing strict liability on content providers. They agreed with the Commission’s statement in the 2012 SNPRM that the first-party content provider is in a position to control which plug-ins and software downloads it integrates into its site and that it benefits by allowing information collection by such third parties.56 They also noted how unreasonable it would be for parents to try to decipher which entity might actually be collecting data through the child-directed property.57

Finally, many commenters expressed concern that the language describing ‘‘on whose behalf’’ reaches so broadly as to cover not only child-directed content sites, but also marketplace platforms such as Apple’s iTunes App Store and Google’s Android market (now Google Play) if they offered child-directed apps on their platforms.58 These commenters urged the Commission to revise the language of the Rule to exclude such platforms.

After considering the comments, the Commission retains a strict liability standard for child-directed sites and services that allow other online services to collect personal information through their sites.59 The Commission disagrees with the views of commenters that this is contrary to Congressional intent or the Commission’s statutory authority. The Commission does not believe Congress intended the loophole advocated by many in industry: Personal information being collected from children through child-directed properties with no one responsible for such collection.

Nor is the Commission persuaded by comments arguing that the phrase ‘‘on whose behalf’’ must be read extremely narrowly, encompassing only an agency relationship. Case law supports a broader interpretation of that phrase.60 Even some commenters opposed to the Commission’s interpretation have

47 15 U.S.C. 6501(2). The Rule’s definition of operator reflects the statutory language. See 16 CFR 312.2.
48 See, e.g., Application Developers Alliance (comment 5, 2012 SNPRM), at 3–4; Association of Competitive Technology (comment 7, 2012 SNPRM), at 4–5; IAB (comment 49, 2012 SNPRM), at 5–6; Online Publishers Association (comment 72, 2012 SNPRM), at 10–11; Magazine Publishers of America (comment 61, 2012 SNPRM), at 3–5; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4–5; S. Weiner (comment 97, 2012 SNPRM), at 1–2; WiredSafety (comment 98, 2012 SNPRM), at 3.
49 See DMA (comment 28, 2012 SNPRM), at 12; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 5; TechAmerica (comment 87, 2012 SNPRM), at 2–3.
50 See, e.g., Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 7–9; Facebook (comment 33, 2012 SNPRM), at 6 (entities acting primarily for their own benefit not considered to be acting on behalf of another party).
51 See, e.g., Business Software Alliance (comment 12, 2012 SNPRM), at 2–4; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 5; see also, e.g., IAB (comment 49, 2012 SNPRM), at 5; DMA (comment 28, 2012 SNPRM), at 6; Online Publishers Association (comment 72, 2012 SNPRM), at 10–11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 3–5.
52 See Center for Democracy & Technology (‘‘CDT’’) (comment 15, 2012 SNPRM), at 4–5; DMA (comment 28, 2012 SNPRM), at 5; Google (comment 41, 2012, SNPRM), at 3–4; Lynette Mattke (comment 63, 2012 SNPRM).
53 See Google (comment 41, 2012 SNPRM), at 3; Application Developers Alliance (comment 5, 2012 SNPRM), at 5; Association for Competitive Technology (comment 6, 2012 SNPRM), at 5; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4; ConnectSafely (comment 21, 2012 SNPRM), at 2.
54 See Application Developers Alliance (comment 5, 2012 SNPRM), at 3; Online Publishers Association (comment 72, 2012 SNPRM), at 11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4; DMA (comment 28, 2012 SNPRM), at 4.
55 See, e.g., Online Publishers Association (comment 72, 2012 SNPRM), at 11 (publisher should be entitled to rely on third party’s representations about its information practices); The Walt Disney Co. (comment 96, 2012 SNPRM), at 5 (operator of a site directed to children should be permitted to rely on the representations made by third parties regarding their personal information collection practices, as long as the operator has undertaken reasonable efforts to limit any unauthorized data collection); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 6 (the Commission should state that operators whose sites or services are targeted to children should bind third party operators whom they know are collecting personal information through their sites or services to comply with COPPA with regard to that information collection).
56 See Institute for Public Representation (comment 52, 2012 SNPRM), at 18–19; Common Sense Media (comment 20, 2012 SNPRM), at 4–6; EPIC (comment 31, 2012 SNPRM), at 5–6; Catholic Bishops (comment 92, 2012 SNPRM), at 3; CDT (comment 15, 2012 SNPRM), at 3.
57 See Institute for Public Representation (comment 52, 2012 SNPRM), at 19; Common Sense Media (comment 20, 2012 SNPRM), at 5.
58 See CDT (comment 15, 2012 SNPRM), at 5; Apple (comment 4, 2012 SNPRM), at 3–4; Assert ID (comment 6, 2012 SNPRM), at 5.
59 Although this issue is framed in terms of child-directed content providers integrating plug-ins or other online services into their sites because that is by far the most likely scenario, the same strict liability standard would apply to a general audience content provider that allows a plug-in to collect personal information from a specific user when the provider has actual knowledge the user is a child.
60 National Organization for Marriage v. Daluz, 654 F.3d 115, 121 (1st Cir. 2011) (statute requiring expenditure reports by independent PAC to the treasurer of the candidate ‘‘on whose behalf’’ the expenditure was made meant to the candidate who stands to benefit from the independent expenditure’s advocacy); accord American Postal Workers Union v. United States Postal Serv., 595 F. Supp 1352 (D.D.C. 1984) (Postal Union’s activities held to be ‘‘on behalf of’’ a political campaign where evidence showed union was highly politicized, with goal of electing a particular candidate); Sedwick Claims Mgmt. Servs. v. Barrett Business Servs., Inc., 2007 WL 1053303 (D. Or. 2007) (noting that 9th Circuit has interpreted the phrase ‘‘on behalf of’’ to include both ‘‘to the benefit of’’ and in a representative capacity); United States v. Dish Network, LLC, 2010 U.S. Dist. LEXIS 8957, 10 (C.D. Ill. Feb. 3, 2010) (reiterating the court’s previous opinion that the plain meaning of the phrases ‘‘on whose behalf’’ or ‘‘on behalf of’’ is an act by a representative of, or an act for the benefit of, another).
  7. 7. Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations 3977

acknowledged that the Commission’s proposal is based on ‘‘an accurate recognition that online content monetization is accomplished through a complex web of inter-related activities by many parties,’’ and have noted that to act on behalf of another is to do what that person would ordinarily do herself if she could.61 That appears to be precisely the reason many first-party content providers integrate these services. As one commenter pointed out, content providers ‘‘have chosen to devote their resources to develop great content, and to let partners help them monetize that content. In part, these app developers and publishers have made this choice because collecting and handling children’s data internally would require them to take on liability risk and spend compliance resources that they do not have.’’ 62 Moreover, content-providing sites and services often outsource the monetization of those sites ‘‘to partners’’ because they do not have the desire to handle it themselves.63

In many cases, child-directed properties integrate plug-ins to enhance the functionality or content of their properties or gain greater publicity through social media in an effort to drive more traffic to their sites and services. Child-directed properties also may obtain direct compensation or increased revenue from advertising networks or other plug-ins. These benefits to child-directed properties are not merely incidental; as the comments point out, the benefits may be crucial to their continued viability.64

The Commission recognizes the potential burden that strict liability places on child-directed content providers, particularly small app developers. The Commission also appreciates the potential for discouraging dynamic child-directed content. Nevertheless, when it enacted COPPA, Congress imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information; those requirements cannot be avoided through outsourcing offerings to other operators in the online ecosystem. The Commission believes that the potential burden on child-directed sites discussed by the commenters in response to the 2012 SNPRM will be eased by the more limited definition of persistent identifiers, the more expansive definition of support for internal operations adopted in the Final Rule, and the newly-created exception to the Rule’s notice and parental consent requirements that applies when an operator collects only a persistent identifier and only to support the operator’s internal operations.65

The Commission considered including the ‘‘due-diligence’’ safe harbor for child-directed content providers that many of the comments proposed.66 Nevertheless, as many other comments pointed out, it cannot be the responsibility of parents to try to pierce the complex infrastructure of entities that may be collecting their children’s personal information through any one site.67 For child-directed properties, one entity, at least, must be strictly responsible for providing parents notice and obtaining consent when personal information is collected through that site. The Commission believes that the primary-content site or service is in the best position to know which plug-ins it integrates into its site, and is also in the best position to give notice and obtain consent from parents.68 Although the Commission, in applying its prosecutorial discretion, will consider the level of due diligence a primary-content site exercises, the Commission will not provide a safe harbor from liability.

When it issued the 2012 SNPRM, the Commission never intended the language describing ‘‘on whose behalf’’ to encompass platforms, such as Google Play or the App Store, when such stores merely offer the public access to someone else’s child-directed content. In these instances, the Commission meant the language to cover only those entities that designed and controlled the content, i.e., the app developer or site owner. Accordingly, the Commission has revised the language proposed in the 2012 SNPRM to clarify that personal information will be deemed to be collected on behalf of an operator where it benefits by allowing another person to collect personal information directly from users of such operator’s site or service, thereby limiting the provision’s coverage to operators that design or control the child-directed content.69 Accordingly, the Final Rule shall state that personal information is collected or maintained on behalf of an operator when it is collected or maintained by an agent or service provider of the operator; or the operator benefits by allowing another person to collect personal information directly from users of such operator’s Web site or online service.

b. Operators Collecting Personal Information Through Child-Directed Sites and Online Services: Moving to an Actual Knowledge Standard

In the 2012 SNPRM, the Commission proposed holding responsible as a co-operator any site or online service that ‘‘knows or has reason to know’’ it is collecting personal information through a host Web site or online service directed to children. Many commenters criticized this standard. Industry comments contended that such a standard is contrary to the statutory mandate that general audience services be liable only if they have actual knowledge they are collecting information from a child.70 They further

61 Application Developers Alliance (comment 5, 2012 SNPRM), at 2; see also Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 7.
62 Application Developers Alliance (comment 5, 2012 SNPRM), at 4.
63 Id.; see also Association for Competitive Technology (comment 7, 2012 SNPRM), at 5; see generally DMA (comment 28, 2012 SNPRM), at 5; Facebook (comment 33, 2012 SNPRM), at 3; Online Publishers Association (comment 72, 2012 SNPRM), at 11.
64 Id.
65 See Part II.A.5.b., infra (discussion of persistent identifiers and support of internal operations).
66 The type of due diligence advocated ranged from essentially relying on a plug-in or advertising network’s privacy policy to requiring an affirmative contract. See, e.g., The Walt Disney Co. (comment 96, 2012 SNPRM), at 5 (operator should be able to rely on third party’s representations about its information collection practices, if operator makes reasonable efforts to limit unauthorized data collection); Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 23–24 (provide a safe harbor for operators that certify they do not receive, own, or control any personal information collected by third parties; alternatively, grant a safe harbor for operators that also certify they do not receive a specific benefit from the collection, or that obtain third party’s certification of COPPA compliance); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 6–7 (provide a safe harbor for operators whose policies prohibit third party collection on their sites).
67 See Common Sense Media (comment 20, 2012 SNPRM), at 4–5; EPIC (comment 31, 2012 SNPRM), at 6; Institute for Public Representation (comment 52, 2012 SNPRM), at 18–19.
68 Some commenters, although not conceding the need to impose strict liability on any party, noted that if the burden needed to fall on either the primary content provider or the plug-in, it was better to place it on the party that controlled the child-directed nature of the content. See, e.g., CTIA (comment 24, 2012 SNPRM), at 8–9; CDT (comment 15, 2012 SNPRM), at 4–5. Not surprisingly, industry members primarily in the business of providing content did not share this view. See, e.g., Association for Competitive Technology (comment 7, 2012 SNPRM), at 4–5; Business Software Alliance (comment 12, 2012 SNPRM), at 2–4; Entertainment Software Association (comment 32, 2102 SNPRM), at 9; Online Publishers Association (comment 72, 2012 SNPRM), at 10–11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 6.
69 This clarification to the term ‘‘on behalf of’’ is intended only to address platforms in instances where they function as a conduit to someone else’s content. Platforms may well wear multiple hats and are still responsible for complying with COPPA if they themselves collect personal information directly from children.
70 See Business Software Alliance (comment 12, 2012 SNPRM), at 4–5; Digital Advertising Alliance (comment 27, 2012 SNPRM), at 2; Google (comment 41, 2012 SNPRM), at 4; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 7; Magazine Publishers of America (comment 61, 2012
