Federal Trade Commission
Supporting Statement for Proposed Amendments to
the Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
(1) Necessity for Collecting the Information
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. § 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection and use
of personally identifiable information from and about children[1] on the Internet. The underlying
goals of the Act are to: (1) enhance parental involvement in children’s online activities in order
to protect the privacy of children in the online environment; (2) limit the collection of personal
information from children without parental consent; (3) help protect the safety of children in
online fora that permit users to publicly post identifying information online; and (4) maintain the
security of children’s personal information collected online. See 144 Cong. Rec. S11657 (Oct. 7,
1998) (statement of Sen. Bryan).
The COPPA Rule (“Rule”), 16 C.F.R. Part 312, imposes requirements on operators of
websites or online services directed to children under 13 years of age or that have actual
knowledge that they are collecting personal information online from children under age 13.
Among other things, the Rule:
(1) requires operators to provide notice to parents of the specific types of personal
information sought to be collected from children and their uses (Section 312.3);
(2) specifies the placement and content of the required online notice and describes the
contents of the direct notice to parents (Section 312.4);
(3) requires operators to obtain “verifiable parental consent” prior to collecting, using, or
disclosing children’s personal information (Section 312.5);
(4) requires operators to provide reasonable means to enable a parent to review the
information (Section 312.6);
(5) requires operators to establish procedures that protect the confidentiality, security, and
integrity of personal information collected from children (Section 312.8).
In addition to the disclosure requirements imposed on covered operators, the Rule
contains reporting requirements for entities voluntarily seeking approval as a COPPA safe
harbor self-regulatory program (Section 312.10).
The Rule’s requirements are necessary because they expressly implement the Act’s
requirements and goals.
The proposed amendments to the Rule would, among other things:
(1) expand the definition of “personal information,” potentially increasing the number of
operators subject to the Rule, pursuant to the proposed revised 312.2;
(2) eliminate the sliding scale “email plus” method[2] for obtaining parental consent, pursuant
to the proposed revised Section 312.5;
(3) require that operators’ direct notices to parents contain more detailed information about
their information collection practices, pursuant to the proposed revised Section 312.4(c);
(4) require a safe harbor applicant to submit a more detailed proposal than what the current
Rule mandates, pursuant to the proposed revised Section 312.11(b);
(5) require approved safe harbors to conduct a comprehensive review of all member
operators’ information policies, practices, and representations at least annually, pursuant
to the proposed new Section 312.11(d).
[1] A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. 6501(2).
The objectives of the proposed amendments are to modernize the Rule to ensure that
children’s online privacy continues to be protected, as directed by Congress, as new online
technologies evolve, and to clarify existing obligations for operators under the Rule. The
COPPA provides the authority for the amendments proposed.
(2) Use of the Information
The proposed amendment to Section 312.4(c), requiring operators to provide parents with
a more detailed direct notice, will better enable parents to determine whether to: permit their
children to provide personal information online; seek access from a website or online service
operator to review their children’s personal information; and/or object to any further collection,
maintenance, or use of such information.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burdens imposed by the Rule, consistent with the aims of the
Government Paperwork Elimination Act, 44 U.S.C. § 3504 note. In particular, Section 312.4(b)
of the Rule requires that notices be posted online on the operators’ website or online service, and
Section 312.4(c) expressly contemplates that operators shall “tak[e] into account available
technology” in ensuring that parents receive direct notice of their information practices. Notice
under Section 312.4(c) incorporates by reference the requirement of Section 312.5(b) that
operators obtain a parent’s consent through methods “reasonably calculated, in light of available
technology, to ensure that the person providing consent is the child’s parent.”
[2] “Email plus” is the mechanism available under a “sliding scale,” which allows for less reliable methods of
obtaining parental consent where the collection is for internal purposes only. Under the current Rule,
operators collecting personal information only for internal use may use the “email plus” method of obtaining
verifiable parental consent. Through this method, operators obtain consent through an email from the parent,
provided that the email is coupled with an additional step to provide greater assurance that the person
providing consent is the parent. This includes, for example, obtaining a postal address or telephone number
from the parent and confirming the parent’s consent by letter or telephone call, or sending a delayed
confirmatory email to the parent after receiving consent. As discussed further in the associated Notice of
Proposed Rulemaking, the Commission believes that the continued reliance on email plus has inhibited the
development of more reliable methods of obtaining verifiable parental consent and that this method has
outlived its usefulness. To encourage development of new consent mechanisms, and to provide transparency
regarding consent mechanisms that may be proposed, the Commission proposes to establish a process in the
Rule through which parties may, on a voluntary basis, seek Commission approval of a particular consent
mechanism.
The proposed amendments to Section 312.5 would permit operators to use electronic
scans, video conferencing, and identity verification using government issued forms of
identification as approved methods of parental consent. Each of these methods offers operators
additional means to reduce their burden of compliance with the Rule. In addition, the proposed
amendments create two new processes for recognition and approval of parental consent
mechanisms that will enable operators to develop new consent methods that take into account
technological advancements in the industry.
Thus, the Rule provides operators with the flexibility to employ appropriate, reasonable
information technologies to comply with the notice and consent requirements.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government
agencies.
(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the proposed Rule to minimize the compliance burden of
these requirements as much as possible. The proposed revisions to the Rule’s notice provisions
streamline the requirements for the online notice. See Section 312.4(b). The proposed
amendments to the direct notice requirements, while requiring operators to disclose additional
information to parents, provide explicit, easy-to-follow requirements for operators dependent
upon their particular information collection practices. See Section 312.4(c). This guidance will
help eliminate much of the administrative and legal costs that might be incurred by a small or
other business trying to determine how to comply with the Rule’s notice requirements in
connection with their own information practices. The Commission’s adoption of these
“performance” standards allows regulated entities to meet the Rule’s requirements in ways
suited to their particular businesses.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of
the COPPA.[3] Parental notice under the proposed amended Rule works in tandem with the
statute’s mandated parental consent requirement.[4] Thus, the proposed Rule amendments do not
require notices any more frequently than necessary for operators to comply with the statute and
to enable parents to make an informed decision about an operator’s collection, maintenance, use,
or disclosure of their children’s personal information. Moreover, safe harbor applications
continue to be filed solely upon the initiative of the filer.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The proposed “collection” is consistent with all applicable OMB PRA guidelines under
5 C.F.R. § 1320.11. No collection inconsistent with such guidelines is being proposed.
(8) Consultation Outside the Agency
The Commission sought public comment on its associated PRA burden analysis during
the original rulemaking process. 64 Fed. Reg. 22,750, 22,261 (April 27, 1999). In addition,
when crafting the Rule, staff informally consulted with members of the website and online
service industry and also met with federal, state, and local law enforcement agencies. Staff
balanced the need for requiring compliance in accordance with the statute against the need to
minimize the burden associated with such compliance.[5] The Commission again seeks public
comment on the PRA burdens in connection with the proposed Rule amendments.
(9) Payments or Gifts to Respondents
Not applicable. The Commission makes no payments or gifts to respondents in
connection with the proposed requirements.
[3] See 15 U.S.C. §§ 6502(b)(1)(A) (requiring website notice) and (B) (notice to parents upon request). These
requirements are reflected in the Commission’s Rule at Sections 312.3(a) (online notice), proposed 312.4(b)
and (c) (form and content of online and direct to parent notices), and 312.6(a) (notice to parents upon their
request).
[4] See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent) and § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at Sections 312.4 (form and contents of
notices) and 312.5 (parental consent and exceptions).
[5] Most recently, the Commission again sought public comment on PRA aspects of the Rule, as required by 5
C.F.R. 1320.8(d). See 76 Fed. Reg. 31,334 (May 31, 2011). No comments were received. OMB has
approved the Rule’s existing information collection requirements through July 31, 2014.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice (i.e., disclosure) of
information practices by website and online service operators to the public and specifically to
parents of children from whom personal information is sought to be collected.[6]
(12) Hours Burden
Number of Respondents:
An estimated 2,000 existing operators; 100 new operators per year
4 existing safe harbor programs; an estimated 1 new applicant per year
The Commission is unaware of any empirical evidence concerning the number of
operators subject to the Rule. Commission staff, however, estimates that approximately 2,000
operators may be subject to the Rule’s requirements. This estimate is based on the
Commission’s compliance monitoring efforts in the area of children’s privacy, data received by
the Commission in preparing its most recent studies of food marketing to children and marketing
of violent entertainment to children, and the recent growth in interactive mobile applications that
may be directed to children.
For this burden analysis, the Commission retains its recently published estimate of 100
new operators per year[7] for a prospective three-year PRA clearance period. The Commission
also retains its estimate that no more than one additional safe harbor applicant will submit a
request within the next three years.
The proposed changes to the definition of “personal information” would expand the
definition to encompass additional types of information and thereby potentially increase the
number of operators subject to the Rule. The Commission believes, however, that the number of
operators subject to the Rule’s requirements will not change significantly as a result of the
proposed definitional revisions. Even though altering the definition of personal information
potentially expands the pool of covered operators, other proposed changes in the Rule should
offset much of this potential expansion. Specifically, these offsets include provisions allowing
the use of persistent identifiers to support the internal operations of a website or online service,
and permitting the use of reasonable measures such as automated filtering to strip out personal
information before posting children's content in interactive venues. The Commission also
anticipates many of these potentially new operators will make adjustments to their information
collection practices so that they will not be collecting personal information from children, as
defined by the Rule.
[6] Although not applicable to the “information collection” requirements for which the Commission is seeking
OMB approval, the COPPA and the Rule do contain provisions to ensure the confidentiality, security, and
integrity of personal information collected from children by website and online service operators. See 15
U.S.C. § 6502(b)(1)(D); 16 C.F.R. § 312.8 (confidentiality, security, and integrity). In addition, the proposed
amendments to the Rule include new language to Section 312.8 that would require an operator to “take
reasonable measures to ensure that any service provider or any third party to whom it releases children’s
personal information has in place reasonable procedures to protect the confidentiality, security, and integrity
of such personal information.” Moreover, under proposed Section 312.10, the Commission would add a data
retention and deletion requirement that would further ensure the confidentiality, security, and integrity of the
personal information collected from children.
[7] See Agency Information Collection Activities; Submission for OMB Review; Comment Request; Extension,
76 FR 31334 (May 31, 2011) (“FTC COPPA PRA Extension”).
Estimated annual hours burden: 40,770 hours
(a) Recordkeeping Requirements: 170 hours
The proposed Rule amendments do not impose any new significant recordkeeping
requirements on operators. The proposed amendments do impose additional recordkeeping
requirements on voluntary safe harbor programs, however. Commission staff estimates that in
the year of implementation (“Year 1”), the four existing safe harbor programs will require no
more than 100 hours to set up and implement a new recordkeeping system to comply with the
proposed amendments.[8] In later years, once compliant systems are established, the burden for
these entities should be negligible – no more than one hour each year.[9] Thus, annualized burden
per year for a prospective three-year clearance for existing safe harbor programs is 34 hours per
safe harbor program (100 + 1 + 1 = 102 hours; 102 hours ÷ 3 = 34 hours per year). Accordingly,
for the four existing safe harbor programs, cumulative annualized recordkeeping burden would
be 136 hours.
For a new entrant, the initial burden of establishing recordkeeping systems and the
burden of maintenance thereafter should be no more than for the existing safe harbors.
Assuming, as noted above, that there will be one new safe harbor entrant per a given three-year
PRA clearance period, the incremental annualized recordkeeping burden for the entrant under
the proposed amendments would be 34 hours.
Thus, cumulative annualized recordkeeping burden for new and existing safe harbor
applicants would be 170 hours.
[8] See, e.g., Telemarketing Sales Rule (“TSR”), Notice of Proposed Rulemaking, 74 FR 41988, 42013 (Aug.
19, 2009). Arguably, this estimate conservatively errs upward in the instant context.
[9] Id.
(b) Disclosure Requirements: 40,000 hours
(1) New Operators
Under the existing OMB clearance for the Rule, the Commission has already accounted
for the time that new operators will spend to craft a privacy policy (approximately 60 hours per
operator), design mechanisms to provide the required online privacy notice and, where
applicable, direct notice to parents in order to obtain verifiable consent. The proposed
amendments should no more than minimally add to, if at all, the time required to accomplish this
task because their effect primarily is to transfer required information from the privacy policy to
the direct notice.
(2) Existing Operators
In Year 1, operators would have a one-time burden to re-design their existing privacy
policies and direct notice procedures that would not carry over to the second and third years of
prospective PRA clearance. In addition, existing operators that currently use the email plus
method would incur burden in Year 1 for converting to a more reliable method of obtaining
verifiable parental consent. The Commission estimates that an existing operator’s time to make
these changes would be no more than that for a new entrant crafting its online and direct notices
for the first time, i.e., 60 hours. Annualized over three years of PRA clearance, this amounts to
20 hours ((60 hours + 0 + 0) ÷ 3) per year. Aggregated for the estimated 2,000 existing
operators, annualized disclosure burden would be 40,000 hours.
(c) Voluntary Reporting Requirements for Safe Harbor Programs: 600 hours
In order to apply to the Commission for approval as a safe harbor program, the Rule
includes specific reporting requirements that all safe harbor applicants must provide in their
applications.[10] The Commission previously has estimated that a prospective safe harbor
organization requires 265 hours to prepare and submit its safe harbor proposal.[11] The proposed
Rule amendments, however, require a safe harbor applicant to submit a more detailed proposal
than what the current Rule mandates. Existing safe harbor programs will thus need to submit a
revised application and new safe harbor applicants will have to provide greater detail than they
would under the current Rule. The Commission estimates this added information would entail
approximately 60 additional hours for safe harbor applicants to prepare. Accordingly, the
aggregate incremental burden for this added one-time preparation is 300 hours (60 hours x 5 safe
harbors) or, annualized for an average single year per three-year PRA clearance, 100 hours.
[10] See Section 312.10(c). Approved self-regulatory guidelines can be found on the FTC’s website at
http://www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.
[11] For PRA purposes, annualized over the course of three years of clearance, this averages roughly 100 hours
per year given that the 265 hours is a one-time, not recurring, expenditure of time for an applicant.
The proposed amendments to the Rule require approved safe harbor programs to audit
their members at least annually and to submit periodic reports to the Commission on the results
of their audits of members. As such, this will increase currently cleared burden estimates
pertaining to approved safe harbors. The burden for conducting member audits and preparing
the reports will likely vary for each safe harbor program depending on the number of members.
The Commission estimates that conducting audits and preparing reports will require
approximately 100 hours per program per year. Aggregated for five safe harbor programs, this
amounts to an increased disclosure burden of 500 hours per year. The cumulative yearly
reporting burden for five safe harbor applicants to provide the proposed added information and
to conduct and prepare the proposed audits and reports is 600 hours.
Estimated annual cost burden: $5,333,420
(a) Recordkeeping
Based on an estimate of 170 hours for existing and new safe harbor programs, annualized
per year (i.e., when averaged over a three-year PRA clearance span), and applying a skilled labor
rate of $26/hour,[12] associated labor costs are $4,420 per year.
(b) Disclosure
The Commission assumes that the time spent on compliance for operators would be
apportioned five to one between legal (lawyers or similar professionals) and technical (e.g.,
computer programmers) personnel.[13] As noted above, the Commission estimates a total of
40,000 hours disclosure burden, annualized, for 2,000 existing operators. Thus, apportioned five
to one, this amounts to, rounded, 33,333 hours of legal, and 6,667 hours of technical, assistance.
Applying hourly rates of $150 and $36, respectively, for these personnel categories,[14] associated
labor costs would total approximately $5,240,000.
(c) Reporting
The Commission assumes that the task to prepare safe harbor program applications will
be performed primarily by lawyers at a mean labor rate of $150 an hour. Thus, applied to an
assumed industry total of 500 hours per year for this task, associated yearly labor costs would
total $75,000.
The Commission assumes reports will be prepared by compliance officers, at a labor rate
of $28.[15] Applied to an assumed industry total of 500 hours per year for this task, associated
yearly labor costs would be $14,000. Cumulatively, labor costs for the above-noted reporting
requirements total approximately $89,000 per year.
[12] This rounded figure is derived from the mean hourly earnings shown for computer support specialists found
in the Bureau of Labor Statistics National Compensation Survey: Occupational Earnings in the United States,
2010, at Table 3, available at http://www.bls.gov/ncs/ocs/sp/nctb1477.pdf (“National Compensation Survey
Table 3”).
[13] See FTC COPPA PRA Extension, 76 FR at 31335 n. 1.
[14] The estimated rate of $150 per hour is roughly midway between Bureau of Labor Statistics (BLS) mean
hourly wages for lawyers (approximately $54) in the most recent whole-year data (2010) available online and
what Commission staff believes more generally reflects hourly attorney costs ($250) associated with
Commission information collection activities. The $36 estimate of mean hourly wages for computer
programmers also is based on the most recent whole-year BLS data. See National Compensation Survey
Table 3.
(13) Estimated Capital/Other Non-Labor Costs Burden
Capital and start-up costs associated with the Rule are minimal. Because websites will
already be substantially equipped with the computer equipment and software necessary to
comply with the Rule’s proposed notice requirements, the primary costs incurred by the websites
are the aforementioned estimated labor costs.
(14) Cost to the Federal Government
Because Commission staff anticipates that the incremental cost to the FTC to administer
the proposed amendments will be de minimis, it retains the FTC’s most recently cleared
estimates of costs to the agency to implement the Rule: $425,000. This consists of
approximately 3 attorney/investigator work years at approximately $415,000 per year and travel
costs or other expenses associated with enforcing and administering the Rule of approximately
$10,000. Clerical and other support services are included in these estimates.
(15) Program Changes or Adjustments
The proposed changes to the definition of “personal information” would expand the
definition to encompass additional types of information and thereby potentially increase the
number of operators subject to the Rule. As explained under item (12) above, however, FTC
staff believes that other proposed changes to the Rule will offset much of that potential
increase.
The proposed amendment to eliminate the sliding scale “email plus” method for
obtaining parental consent may increase the burden for the limited category of operators whose
information collection practices to date have enabled them to use this relatively low cost method
of obtaining parental consent. Existing operators that currently use the email plus method would
incur burden in the first year of implementation to convert to a more reliable method of
obtaining verifiable parental consent.
The proposed Rule amendments require a safe harbor applicant to submit a more detailed
proposal than what the current Rule mandates. Existing safe harbor programs will thus need to
submit a revised application and new safe harbor applicants will have to provide greater detail
than they would under the current Rule.
[15] See National Compensation Survey Table 3.
Burden estimates for these effects, where applicable, are detailed above in response to
item (12).
(16) Statistical Use of Information
There are no plans to publish information associated with the proposed requirements for
statistical use.
(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.
File Type | application/pdf |
File Title | H:\COPPA 2011 rulemaking\COPPA NPRM SS 2011 fin_mtd.wpd |
Author | ggreenfield |
File Modified | 2011-09-09 |
File Created | 2011-09-09 |