Federal Trade Commission
Supporting Statement for
the Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. § 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection and use
of personally identifiable information from and about children[1] on the Internet.
(1) Necessity for Collecting the Information
The underlying goals of the Act are to: (1) enhance parental involvement in children’s
online activities in order to protect the privacy of children in the online environment; (2) limit the
collection of personal information from children without parental consent; (3) help protect the
safety of children in online fora such as chat rooms, home pages, and pen-pal services in which
children may make public postings of identifying information; and (4) maintain the security of
children’s personal information collected online. See 144 Cong. Rec. S11657 (Oct. 7, 1998)
(statement of Sen. Bryan).
The COPPA Rule, 16 C.F.R. Part 312, imposes requirements on operators of websites or
online services directed to children under 13 years of age or that have actual knowledge that they
are collecting personal information online from children of such age. Among other things, the
Rule:
• requires operators to provide notice to parents of the specific types of personal
  information sought to be collected from children and their uses (Section 312.3);
• specifies the placement and content of the required online notice and describes the
  contents of the direct notice to parents (Section 312.4);
• requires operators to obtain “verifiable parental consent” prior to collecting, using, or
  disclosing children’s personal information (Section 312.5);
• requires operators to provide reasonable means to enable a parent to review the
  information (Section 312.6);
• requires operators to establish procedures that protect the confidentiality, security, and
  integrity of personal information collected from children (Section 312.8).
[1] A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. § 6501(2).
The Rule’s requirements are necessary because: (a) they are expressly mandated by the
Act; and (b) they ensure that parents know what personal information operators seek to collect
from their children online and how it will be used or disclosed, thereby facilitating parental
decision-making whether to consent to the collection of such information.
The Rule additionally contains reporting requirements for entities voluntarily seeking
approval as a COPPA safe harbor self-regulatory program, and reporting and recordkeeping
requirements for all approved safe harbor programs. Section 312.11(c) requires that applicants
for safe harbor status submit to the Federal Trade Commission (“Commission”) certain specific
documents and information, including, among other things, a copy of the guidelines for which
approval is sought and a statement explaining how the guidelines and related assessment
mechanism meet the Rule’s requirements. Section 312.11(d) requires that approved safe harbor
programs keep for 3 years records of consumer complaints (alleging violations of the guidelines),
disciplinary actions taken against subject operators, and results of independent assessments of
operators’ compliance with the guidelines.
(2) Use of the Information
Providing the online disclosure information described above enables parents to determine
whether: to permit their children to provide personal information online; to seek access from a
website or online service operator to review their children’s personal information; and whether to
object to any further collection, maintenance, or use of such information.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burdens imposed by the Rule, consistent with the aims of the
Government Paperwork Elimination Act, 44 U.S.C. § 3504 note. In particular, Section 312.4(d)
of the Rule requires that notices be posted online on the operators’ website or online service, and
Section 312.4(b) expressly contemplates that operators shall “tak[e] into account available
technology” in ensuring that parents receive direct notice of their information practices. Section
312.5(b)(1) requires operators to “make reasonable efforts to obtain verifiable parental consent,
taking into consideration available technology” in designing consent mechanisms. Section
312.5(b)(2), which contains a non-exclusive list of acceptable methods for obtaining consent,
identifies methods for obtaining consent that take advantage of new technologies. The notice
provisions in Sections 312.5(c)(2), 312.5(c)(4), and 312.5(c)(5) also require consideration of
available technology. Thus, the Rule provides operators with the flexibility to employ
appropriate, reasonable information technologies to comply with the notice and consent
requirements.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government agencies.
(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the Rule to minimize the compliance burden of these
requirements as much as possible. The notice requirements are expressly mandated by the Act,
as described above. The Commission’s Rule implements these requirements by providing
guidance on the contents of such notices while allowing operators (including small businesses) to
determine the most cost-effective means of disseminating such notices.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of the
Act. The statute requires both that notice be given online and that separate notice regarding the
operator’s information practices be given to parents.[2] Parental notice under the Rule works in
tandem with the statute’s mandated parental consent requirement.[3] Thus, the Rule does not
require notices any more frequently than necessary for operators to comply with the statute and to
enable parents to make an informed decision about an operator’s collection, maintenance, use, or
disclosure of their children’s personal information.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The “collection of information” under the final amendments is consistent with all
applicable OMB PRA guidelines under 5 C.F.R. § 1320.10.
(8) Consultation Outside the Agency
As required by the PRA, the FTC provided opportunity for public comment before
requesting that OMB extend its existing clearance for subpart N. See 80 Fed. Reg. 57,818 (Sept.
25, 2015). No relevant comments were received. Pursuant to PRA implementing regulations
under 5 C.F.R. Part 1320, the Commission is providing a second opportunity for public comment
on the instant burden analysis contemporaneous with this submission.
[2] See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Rule at Sections 312.3(a) (online notice), 312.4(c) (content of direct notice to
parent), and 312.6(a) (notice to parents upon their request).
[3] See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at Sections 312.4 (content of notices)
and 312.5 (parental consent and exceptions).
(9) Payments or Gifts to Respondents
Not applicable.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice of information practices by
website and online service operators to the public and specifically to parents of children from
whom personal information is sought to be collected.
(12) Estimated Annual Hours Burden and Associated Labor Cost
1. Estimated annual hours burden: 17,500 hours[4]
(a) New entrant web operators’ disclosure burden
Based on public comments on the Commission’s 2013 final amendments to the COPPA
Rule,[5] FTC staff estimates that the Rule affects approximately 280 new operators per year.[6]
Staff maintains its longstanding estimate that new web operators will require, on average,
approximately 60 hours crafting a privacy policy, designing mechanisms to provide the required
online privacy notice and, where applicable, the direct notice to parents.[7] Applied to the
estimated number of new operators per year, this yields a cumulative yearly total of 16,800 hours
(280 new operators x 60 hours each).
[4] This discussion and the associated burden estimates concern strictly recurring compliance obligations under
the COPPA Rule. “One-time” adjustments associated with entities’ initial steps to comply with the January
17, 2013 final amendments to the COPPA Rule, 78 Fed. Reg. 3972, already have been undertaken and
accounted for in the FTC’s previously published and cleared estimates associated with the final rulemaking
(ICR Reference No: 201212-3084-001).
[5] 78 Fed. Reg. at 4005.
[6] This consists of certain traditional website operators, mobile app developers, plug-in developers, and
advertising networks.
[7] See, e.g., 78 Fed. Reg. at 4006; 76 Fed. Reg. 31,334 (May 31, 2011); 73 Fed. Reg. 35,689 (June 24, 2008);
70 Fed. Reg. 21,107 (April 22, 2005).
(b) Safe harbor applicant reporting requirements
Operators can comply with the COPPA Rule by meeting the terms of industry
self-regulatory guidelines that the Commission approves after notice and comment.[8] While the
submission of industry self-regulatory guidelines to the agency is voluntary, the COPPA Rule
sets out the criteria for approval of guidelines and the materials that must be submitted as part of
a safe harbor application. Staff estimates that it would require, on average, 265 hours per new
safe harbor program applicant to prepare and submit its safe harbor proposal in accordance with
Section 312.11(c) of the Rule. In the past, industry sources have confirmed that this estimate is
reasonable and advised that all of this time would be attributable to the efforts of lawyers.
Given that several safe harbor programs are already available to website operators, FTC staff
believes that it is unlikely that more than one additional safe harbor applicant will submit a
request within the next three years of PRA clearance sought. Thus, annualized burden
attributable to this requirement would be approximately 88 hours per year (265 hours ÷ 3 years)
or, roughly, 100 hours, for the estimated one additional safe harbor applicant.
Staff believes that most of the records submitted with a safe harbor request would be
those that these entities have kept in the ordinary course of business, and that any incremental
effort associated with maintaining the results of independent assessments or other records under
Section 312.11(d)(3) also would be in the normal course of business. Under 5 CFR
1320.3(b)(2), OMB excludes from the definition of PRA burden the time and financial resources
needed to comply with agency-imposed recordkeeping, disclosure, or reporting requirements that
customarily would be undertaken independently in the normal course of business.
(c) Annual audit and report for safe harbor programs
The COPPA Rule requires safe harbor programs to audit their members at least annually
and to submit annual reports to the Commission on the aggregate results of these member audits.
The burden for conducting member audits and preparing these reports likely will vary for each
safe harbor program depending on the number of members. Commission staff estimates that
conducting audits and preparing reports will require approximately 100 hours per program per
year. Aggregated for one new safe harbor (100 hours) and seven existing (700 hours) safe
harbor programs, this amounts to an estimated cumulative reporting burden of 800 hours per
year.
(d) Safe harbor program recordkeeping requirements
FTC staff believes that most of the records listed in the COPPA Rule’s safe harbor
recordkeeping provisions consist of documentation that such parties have kept in the ordinary
course of business irrespective of the COPPA Rule. As noted above, OMB excludes from the
definition of PRA burden, among other things, recordkeeping requirements that customarily
would be undertaken independently in the normal course of business. In staff’s view, any
incremental burden, such as that for maintaining the results of independent assessments under
section 312.11(d), would be marginal.
[8] See Section 312.11(c). Approved self-regulatory guidelines can be found on the FTC’s website at
http://www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.
2. Estimated annual labor costs: $5,342,500
Based on its experience with previously approved safe harbor programs, FTC staff
anticipates that in-house counsel (primarily senior) will perform the legal tasks associated with
safe harbor applications. Conversely, based on the 2013 rulemaking record, staff assumes that
outside counsel will perform legal services tied to Rule compliance by new entrant web
operators.
For in-house legal costing, FTC staff applies to its analysis below an approximate
mid-way between the mean hourly wage for lawyers ($64.17[9]), as appearing within the most
recent annual compilation available online from the Bureau of Labor Statistics, and what
Commission staff believes more generally reflects a rough approximation of hourly attorney
costs ($300) associated with Commission information collection activities: $185, rounded
upward.
Regarding outside counsel costs, the National Law Journal noted in connection with its
2014 Billing Survey (“survey”) of law firms that the average rate for partner billing was “about”
$500, and that the average associate billing rate was $306.[10] Commission staff believes it
reasonable to assume that the workload among law firm partners and associates for COPPA
compliance questions could be competently addressed and efficiently distributed among
attorneys at varying levels of seniority, but would be weighted most heavily to more junior
attorneys. Thus, assuming an apportionment of two-thirds of such work is done by associates,
and one-third by partners, a weighted average tied to the average firm-wide associate and average
firm-wide partner rates, respectively, in the National Law Journal 2014 survey would be about
$370 per hour.
Labor costing for other assumed relevant categories (technical assistance, compliance
officers) is detailed within the discussion below.
[9] See Occupational Employment and Wages – May 2014, Table 1 (National employment and wage data from
the Occupational Employment Statistics survey by occupation, May 2014), available at
http://www.bls.gov/news.release/ocwage.nr0.htm (hereinafter, “BLS Table 1”).
[10] Cf. Civil Division of the United States Attorney’s Office for the District of Columbia, United States
Attorney’s Office, District of Columbia, Laffey Matrix – 2014-2015, available at
http://www.justice.gov/sites/default/files/usao-dc/legacy/2014/07/14/Laffey%20Matrix_2014-2015.pdf
(updated “Laffey Matrix” for calculating “reasonable” attorney fees in suits in which fee shifting as statutorily
authorized can be evidence of prevailing market rates for litigation counsel in the Washington, DC area; rates
in table range from $255 per hour for most junior associates to $520 per hour for most senior partners).
(a) New entrant web operators’ disclosure burden
Consistent with its past estimates, FTC staff assumes that the time spent on compliance
for new operators and existing operators covered by the COPPA Rule would be apportioned five
to one between legal (lawyers or similar professionals) and technical (e.g., computer
programmers, software developers, and information security analysts) personnel. Staff therefore
estimates that lawyers or similar professionals who craft privacy policies will account for 14,000
of the estimated 16,800 hours required. Computer programmers responsible for posting privacy
policies and implementing direct notices and parental consent mechanisms will account for the
remaining 2,800 hours. FTC staff estimates an hourly wage of $42 for technical assistance,
based on BLS data.[11] Accordingly, paired with the above-noted estimated rate for outside
counsel assistance, associated labor costs would be $5,297,600 [(14,000 hours x $370/hour) +
(2,800 hours x $42/hour)].
(b) Safe harbor applicant reporting requirements
Previously, industry sources have advised that all of the labor to comply with these
requirements would be attributable to the efforts of lawyers. Accordingly, applying the
estimated time stated above for these tasks (100 hours, annualized and rounded up) to the
above-noted assumed hourly wage for in-house counsel ($185) yields $18,500 in labor cost per
year.
(c) Annual audit and report for safe harbor programs
Commission staff assumes that annual reports will be prepared by compliance officers, at
a labor rate of $33.[12] Accordingly, applied to the above-stated estimates per year of 100 hours
for a new safe harbor program and 700 hours, cumulatively, per year, for seven existing safe
harbor programs, this amounts to $26,400 in aggregate yearly labor cost.
(d) Safe harbor program recordkeeping requirements
For the reasons stated in 1.(d) above, associated labor costs, for PRA purposes, would be
nil or marginal.
(13) Estimated Capital/Other Non-Labor Costs Burden
Because websites will already be equipped with the computer equipment and software
necessary to comply with the Rule’s notice requirements, the predominant costs incurred by the
websites are the aforementioned estimated labor costs. Similarly, industry members should
already have in place the means to retain and store the records that must be kept under the Rule’s
safe harbor recordkeeping provisions, because they are likely to have been keeping these records
independent of the Rule. Capital and start-up costs associated with the Rule are minimal.
[11] The estimated mean hourly wages for technical labor support ($42) is based on an average of the salaries for
computer programmers, software developers, information security analysts, and web developers as reported by
the BLS. See BLS Table 1.
[12] See BLS Table 1 (compliance officers, $32.69).
(14) Cost to the Federal Government
Enforcing and monitoring compliance of the COPPA Rule will require approximately 4
attorney/investigator work years at approximately $600,000 per year. The Rule allows
companies to apply for approval of parental consent methods not currently enumerated in Section
312.5(b), for additional activities to be included within the definition of support for internal
operations, and for approval to become a COPPA Safe Harbor program. Staff will be required
to evaluate these applications and make recommendations to the Commission. The Rule also
requires existing safe harbor programs to provide annual reports to the Commission that FTC
staff will be required to evaluate. Moreover, FTC staff will be necessary for educational
activities and participating in panels and other presentations regarding the Rule. In addition,
travel costs or other expenses associated with enforcing and administering the Rule will be
approximately $15,000. Thus, the approximate total cost to the FTC in connection with these
cumulative enforcement and monitoring activities will be $615,000. Clerical and other support
services are included in these estimates.
(15) Program Changes or Adjustments
With the removal of prior calculations for one-time burden presented by the 2013 final
rule amendments, estimated hours burden totals equal that of the pre-amended Rule: 17,500
hours. As before, capital and start-up costs associated with the Rule are minimal. Labor costs
increase, however, for updated hourly wage inputs.
(16) Plans for Tabulation and Publication
Not applicable.
(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.
File Type | application/pdf |
File Modified | 2015-12-03 |
File Created | 2015-12-03 |