COPPA '11 SS fin_mtd

The Children's Online Privacy Protection Rule

OMB: 3084-0117

Supporting Statement for
Information Collection Provisions of
The Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
(1) Necessity for Collecting the Information
The Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. § 6501 et seq.,
prohibits unfair and deceptive acts and practices in connection with the collection and use of
personally identifiable information from and about children1 on the Internet. The underlying
goals of the Act are: (1) to enhance parental involvement in children’s online activities in order
to protect the privacy of children in the online environment; (2) to help protect the safety of
children in online fora such as chat rooms, home pages, and pen-pal services in which children
may make public postings of identifying information; (3) to maintain the security of children’s
personal information collected online; and (4) to limit the collection of personal information
from children without parental consent. See 144 Cong. Rec. S11657 (Oct. 7, 1998) (statement of
Sen. Bryan).
The COPPA Rule (“Rule”), 16 C.F.R. Part 312, imposes requirements on operators of
websites or online services directed to children under 13 years of age or that have actual
knowledge that they are collecting personal information online from children of such age.
Among other things, the Rule:
(1) requires operators to provide notice to parents of the specific types of personal
information sought to be collected from children and their uses (section 312.3);
(2) specifies the placement and content of the required online notice and describes the
contents of the direct notice to parents (section 312.4);
(3) requires operators to obtain “verifiable parental consent” prior to collecting, using, or
disclosing children’s personal information (section 312.5);
(4) requires operators to establish procedures that protect the confidentiality, security, and
integrity of personal information collected from children (section 312.8); and
(5) requires operators to provide reasonable means to enable a parent to review the
information (section 312.6).

The Rule’s requirements are necessary because: (a) they are expressly mandated by the
Act; and (b) they ensure that parents know what personal information operators seek to collect
from their children online and how it will be used or disclosed, thereby facilitating parental
decision-making whether to consent to the collection of such information.
The Rule additionally contains reporting requirements for entities voluntarily seeking
approval as a COPPA safe harbor self-regulatory program, and reporting and recordkeeping
requirements for all approved safe harbor programs. Section 312.10(c) requires that applicants
for safe harbor status submit to the Federal Trade Commission (“Commission”) certain specific
documents and information, including, among other things, a copy of the guidelines for which
approval is sought and a statement explaining how the guidelines and related assessment
mechanism meet the Rule’s requirements. Section 312.10(d) requires these applicants to keep
for 3 years records of consumer complaints (alleging violations of the guidelines), disciplinary
actions taken against subject operators, and results of independent assessments of operators’
compliance with the guidelines.

1 A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. 6501(2).

(2) Use of the Information
Providing the online disclosure information described above enables parents to determine
whether: to permit their children to provide personal information online; to seek access from a
website or online service operator to review their children’s personal information; and whether
to object to any further collection, maintenance, or use of such information.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burden of such requirements, consistent with the aims of
the Government Paperwork Elimination Act, 44 U.S.C. § 3504 note. In particular, section
312.4(b) of the Rule requires that notices be posted online on the operators’ website or online
service, and section 312.4(c) expressly contemplates that operators shall “tak[e] into account
available technology” in ensuring that parents receive direct notice of their information practices.
Notice under section 312.4(c) incorporates by reference the requirement of section 312.5(b) that
operators obtain a parent’s consent through methods “reasonably calculated, in light of available
technology, to ensure that the person providing consent is the child’s parent.” Section 312.6,
which requires operators to provide requesting parents with information regarding, and the
ability to review, personal information collected from their children, also requires the operator to
“ensure that the requestor is a parent of that child, taking into account available technology.”
The Rule provides operators with the flexibility to employ appropriate, reasonable information
technologies to comply with the notice, consent, and right to review requirements.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government
agencies.
(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the Rule to minimize the compliance burden of these
requirements as much as possible. The notice requirements are expressly mandated by the
COPPA, as described above. The Commission’s Rule implements these requirements by
providing guidance on the contents of such notices while allowing operators (including small
businesses) to determine the most cost-effective means of disseminating such notices.
Specifically, the notice that the COPPA requires to be posted online has been interpreted
under the Commission’s Rule in the least burdensome manner possible, i.e., by permitting a
hyperlink to such notice, rather than the complete text of such notice, on the home page of the
website and other web page(s) or other online location(s) where personal information is collected
from children. See section 312.4(b). The direct notice provision also is flexible, requiring the
operator to make “reasonable efforts, taking into account available technology, to ensure” that
the notice reaches parents. See section 312.4(c). The Commission’s adoption of these
“performance” standards allows regulated entities to meet the Rule’s requirements in ways
suited to their particular businesses.
At the same time, the Rule reduces compliance burdens by giving regulated parties clear
and detailed guidance on the required contents of the notices. This guidance helps eliminate
much of the administrative and legal costs that might be incurred by a small or other business
trying to determine what needs to be included in a notice in order to comply with the Rule.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of
the COPPA. The statute requires both that notice be given online and that separate notice
regarding the operator’s information practices be given to parents.2 Parental notice under the
Rule works in tandem with the statute’s mandated parental consent requirement.3 Thus, the Rule
does not require notices any more frequently than is necessary for operators to comply with the
statute and to enable parents to make an informed decision about an operator’s collection,
maintenance, use, or disclosure of their children’s personal information. Moreover, section
310.12 safe harbor applications are filed solely upon the initiative of the filer.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The proposed “collection” is consistent with all applicable OMB PRA guidelines under
5 C.F.R. § 1320.5. No collection inconsistent with such guidelines is being proposed.

2 See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Commission’s Rule at sections 312.3(a) (online notice), 312.4(b) and (c)
(form and content of online and direct to parent notices), and 312.6(a) (notice to parents upon their request), as
discussed earlier.

3 See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at sections 312.4 (form and contents of
notices) and 312.5 (parental consent and exceptions), as discussed earlier.

(8) Consultation Outside the Agency
The Commission sought public comment on its associated PRA burden analysis during
the original rulemaking process. 64 Fed. Reg. 22,750, 22,261 (April 27, 1999). In addition,
when crafting the Rule, staff informally consulted with members of the website and online
service industry and also met with federal, state, and local law enforcement agencies. Staff
balanced the need for requiring compliance in accordance with the express terms of the statute
against the need to minimize the burden associated with such compliance.
In connection with the instant clearance request, the Commission again sought public
comment on PRA aspects of the Rule, as required by 5 C.F.R. 1320.8(d). 76 Fed. Reg. 7,211
(Feb. 9, 2011). No comments were received. The FTC is currently providing another
opportunity for public comment while seeking OMB approval to extend the existing clearance
for the Rule’s information collection requirements.
(9) Payments or Gifts to Respondents
Not applicable. The Commission makes no payments or gifts to respondents in
connection with the proposed requirements.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice (i.e., disclosure) of
information practices by website and online service operators to the public and specifically to
parents of children from whom personal information is sought to be collected.4

4 Although not applicable to the “information collection” requirements for which the Commission is seeking
OMB approval, the COPPA and the Rule do contain strict provisions to ensure the confidentiality, security,
and integrity of personal information collected from children by website and online service operators. See 15
U.S.C. § 6502(b)(1)(D); 16 C.F.R. § 312.8 (confidentiality, security, and integrity).

(12) Hours Burden
Estimated annual hours burden: 6,100 hours
(a) Disclosure Requirements: 6,000 hours
The FTC staff estimates that roughly 100 new web entrants each year will fall within the
Rule’s coverage and that, on average, new entrants will spend approximately 60 hours crafting a
privacy policy, designing mechanisms to provide the required online privacy notice and, where
applicable, the direct notice to parents.5 Accordingly, staff estimates that complying with the
Rule’s disclosure requirements will require approximately 6,000 hours (100 new web entrants x
60 hours per entrant). Consistent with prior estimates, FTC staff estimates that the time spent on
compliance would be apportioned five to one between legal (lawyers or similar professionals)
and technical (computer programmers) personnel. Staff therefore estimates that lawyers or
similar professionals who craft privacy policies will account for 5,000 of the 6,000 hours
required. Computer programmers responsible for posting privacy policies and implementing
direct notices and parental consent mechanisms will account for the remaining 1,000 hours.
Website operators that have previously created or adjusted their sites to comply with the
Rule will incur no further burden associated with the Rule, unless they opt to change their
policies and information collection in ways that will further invoke the Rule’s provisions.
Moreover, staff believes that existing COPPA-compliant operators who introduce additional
sites beyond those they already have created will incur minimal, if any, incremental PRA
burden. This is because such operators already have been through the start-up phase and can
carry over the results of that to the new sites they create.
(b) Voluntary Reporting Requirements for Safe Harbor Programs: 100 hours
In order to apply to the Commission for approval as a safe harbor program, the Rule
includes specific reporting requirements that all safe harbor applicants must provide in their
applications.6 Staff retains its estimate that it would require, on average, 265 hours per new safe
harbor program applicant to prepare and submit its safe harbor proposal in accordance with
Section 312.12(c) of the Rule. Given that several safe harbor programs are already available to
website operators, FTC staff believes that it is unlikely that more than one additional safe harbor
applicant will submit a request within the next three years of PRA clearance sought. Thus,
annualized burden attributable to this requirement would be approximately 88 hours per year
(265 hours ÷3 years) or, roughly, 100 hours. Staff believes that most of the records submitted
with a safe harbor request would be those that these entities have kept in the ordinary course of
business, and that any incremental effort associated with maintaining the results of independent
assessments or other records under Section 312.10(d)(3) also would be in the normal course of
business. In accordance with the regulations implementing the PRA, the burden estimate
excludes effort expended for these activities. 5 CFR 1320.3(b)(2).
Accordingly, FTC staff estimates that total burden per year for disclosure requirements
affecting new web entrants and reporting requirements for safe harbor applications would be
approximately 6,100 hours.

5 Although the FTC staff cannot determine with certainty the number of new entrants potentially subject to
the Rule, the staff believes this estimate is reasonable based upon current trends. The staff retains its estimate
of 60 hours per new entrant. This estimate has been published for comment in prior FTC notices regarding
renewed clearance for the Rule, and the Commission has not received any comments challenging it. See, e.g.,
73 FR 35689 (June 24, 2008); 70 FR 21107 (April 22, 2005).

6 See Section 312.10(c). Approved self-regulatory guidelines can be found on the FTC’s website at
http://www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.

Estimated annual cost burden:
Labor costs are derived by applying appropriate hourly cost figures to the burden hours
described above. Staff assumes hourly rates of $150 and $36, respectively, for lawyers or
similar professionals and computer programmers.7 Based on these inputs, staff further estimates
that associated annual labor costs for new entrants would be $801,000 [(5,100 hours x $150 per
hour for legal) + (1,000 hours x $36 per hour for computer programmers)] and $15,000 for safe
harbor applicants (100 hours per year x $150 per hour), for a total labor cost of approximately
$816,000.
(13) Estimated Capital/Other Non-Labor Costs Burden
Capital and start-up costs associated with the Rule are minimal. Because websites will
already be substantially equipped with the computer equipment and software necessary to
comply with the Rule’s notice requirements, the primary costs incurred by the websites are the
aforementioned estimated labor costs.
(14) Cost to the Federal Government
Enforcing and monitoring compliance with the notice requirements of the COPPA will
require approximately 3 attorney/investigator work years at approximately $415,000 per year. In
addition, travel costs or other expenses associated with enforcing and administering the Rule will
be approximately $10,000. Thus, the approximate total cost to the Commission in connection
with enforcing and monitoring compliance with the COPPA will be $425,000. Clerical and
other support services are included in these estimates.
(15) Program Changes or Adjustments
There are no program changes. The only adjustment is the increased estimate of the
number of web entrants (prior estimate: 30; current estimate: 100) and the associated cumulative
hours burden and labor costs tied to that increased estimate.
(16) Statistical Use of Information
There are no plans to publish information associated with the proposed requirements for
statistical use.

7 FTC staff estimates average legal costs at $150 per hour, which is roughly midway between
Bureau of Labor Statistics (BLS) mean hourly wages shown for attorneys (approximately $56) in
the most recent whole-year data (2009) available online and what staff believes more generally
reflects hourly attorney costs ($250) associated with Commission information collection
activities. The $36 estimate for computer programmers is also based on the most recent
whole-year BLS data available online. See National Compensation Survey: Occupational Earnings in
the United States, 2009, at Table 3, available at http://www.bls.gov/ncs/ocs/sp/nctb1346.pdf.

(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.


File Type: application/pdf
File Title: H:\COPPA\COPPA '11 SS fin_mtd.wpd
Author: ggreenfield
File Modified: 2011-06-03
File Created: 2011-06-03
