Federal Trade Commission
Supporting Statement for
the Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. § 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection and use
of personally identifiable information from and about children[1] on the Internet.
(1) Necessity for Collecting the Information
The underlying goals of the Act are to: (1) enhance parental involvement in children’s
online activities in order to protect the privacy of children in the online environment; (2) limit the
collection of personal information from children without parental consent; (3) help protect the
safety of children in online fora such as chat rooms, home pages, and pen-pal services in which
children may make public postings of identifying information; and (4) maintain the security of
children’s personal information collected online. See 144 Cong. Rec. S11657 (Oct. 7, 1998)
(statement of Sen. Bryan).
The COPPA Rule, 16 C.F.R. Part 312, imposes requirements on operators of websites or
online services directed to children under 13 years of age or that have actual knowledge that they
are collecting personal information online from children of such age. Among other things, the
Rule:
- requires operators to provide notice to parents of the specific types of personal
  information sought to be collected from children and their uses (Section 312.3);
- specifies the placement and content of the required online notice and describes the
  contents of the direct notice to parents (Section 312.4);
- requires operators to obtain “verifiable parental consent” prior to collecting, using, or
  disclosing children’s personal information (Section 312.5);
- requires operators to provide reasonable means to enable a parent to review the
  information (Section 312.6);
- requires operators to establish procedures that protect the confidentiality, security, and
  integrity of personal information collected from children (Section 312.8).
[1] A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. § 6501(2).
The Rule’s requirements are necessary because: (a) they are expressly mandated by the
Act; and (b) they ensure that parents know what personal information operators seek to collect
from their children online and how it will be used or disclosed, thereby facilitating parental
decision-making whether to consent to the collection of such information.
The Rule additionally contains reporting requirements for entities voluntarily seeking
approval as a COPPA safe harbor self-regulatory program, and reporting and recordkeeping
requirements for all approved safe harbor programs. Section 312.11(c) requires that applicants
for safe harbor status submit to the Federal Trade Commission (“Commission”) certain specific
documents and information, including, among other things, a copy of the guidelines for which
approval is sought and a statement explaining how the guidelines and related assessment
mechanism meet the Rule’s requirements. Section 312.11(d) requires that approved safe harbor
programs keep records of consumer complaints (alleging violations of the guidelines),
disciplinary actions taken against subject operators, and results of independent assessments of
operators’ compliance with the guidelines for 3 years.
(2) Use of the Information
Providing the online disclosure information described above enables parents to determine
whether: to permit their children to provide personal information online; to seek access from a
website or online service operator to review their children’s personal information; and whether to
object to any further collection, maintenance, or use of such information.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burdens imposed by the Rule, consistent with the aims of the
Government Paperwork Elimination Act, 44 U.S.C. § 3504 note. In particular, Section 312.4(d)
of the Rule requires that notices be posted online on the operators’ website or online service, and
Section 312.4(b) expressly contemplates that operators shall “tak[e] into account available
technology” in ensuring that parents receive direct notice of their information practices. Section
312.5(b)(1) requires operators to “make reasonable efforts to obtain verifiable parental consent,
taking into consideration available technology” in designing consent mechanisms. Section
312.5(b)(2), which contains a non-exclusive list of acceptable methods for obtaining consent,
identifies methods for obtaining consent that take advantage of new technologies. The notice
provisions in Sections 312.5(c)(2), 312.5(c)(4), and 312.5(c)(5) also require consideration of
available technology. Thus, the Rule provides operators with the flexibility to employ
appropriate, reasonable information technologies to comply with the notice and consent
requirements.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government agencies.
(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the Rule to minimize the compliance burden of these
requirements as much as possible. The notice requirements are expressly mandated by the Act,
as described above. The Commission’s Rule implements these requirements by providing
guidance on the contents of such notices while allowing operators (including small businesses) to
determine the most cost-effective means of disseminating such notices.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of the
Act. The statute requires both that notice be given online and that separate notice regarding the
operator’s information practices be given to parents.[2] Parental notice under the Rule works in
tandem with the statute’s mandated parental consent requirement.[3] Thus, the Rule does not
require notices any more frequently than necessary for operators to comply with the statute and to
enable parents to make an informed decision about an operator’s collection, maintenance, use, or
disclosure of their children’s personal information.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The “collection of information” under the final amendments is consistent with all
applicable OMB PRA guidelines under 5 C.F.R. § 1320.10.
[2] See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Rule at Sections 312.3(a) (online notice), 312.4(c) (content of direct notice to
parent), and 312.6(a) (notice to parents upon their request).
[3] See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at Sections 312.4 (content of notices)
and 312.5 (parental consent and exceptions).
(8) Consultation Outside the Agency
As required by the PRA, the FTC provided opportunity for public comment before
requesting that OMB extend its existing clearance for subpart N. See 83 Fed. Reg. 49,557 (Oct.
2, 2018). Of the comments received, two commenters appear to support strengthening the
Rule’s substantive requirements for covered operators. The Electronic Privacy Information
Center (EPIC) observed, among other things, that “[t]he quality, utility, and clarity of disclosure
requirements would be improved by adding restrictions on the personal data collected” and that
the Commission “should consider additional use limitations for children’s data.” An individual
commented: “There ought not be any exception to requiring prior notice to the parents nor the
need for [sic] limiting those exceptions. Disclosure of information is not a negotiable Reality.
Who, Why, When, How...infinitum.” In essence, these comments suggest that the required
disclosures would be more valuable if the Rule’s substantive requirements were changed to add
additional requirements (and added corresponding disclosure requirements) or to remove
exceptions to the notice requirements. The Commission periodically reviews the Rule to ensure
that it effectively protects children’s online privacy, as directed by Congress, as new online
technologies evolve, and to clarify existing obligations for operators under the Rule. As noted
below, the Commission recently revised the Rule in 2013.[4] The Commission will take these
comments under advisement in evaluating the Rule’s continued effectiveness. The other
comments were non-germane.
Pursuant to PRA implementing regulations under 5 C.F.R. Part 1320, the Commission is
providing a second opportunity for public comment on the instant burden analysis
contemporaneous with this submission.
(9) Payments or Gifts to Respondents
Not applicable.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice of information practices by
website and online service operators to the public and specifically to parents of children from
whom personal information is sought to be collected.
[4] See note 6 and accompanying text.
(12) Estimated Annual Hours Burden and Associated Labor Cost
1. Estimated annual hours burden: 17,700 hours[5]
(a) New entrant web operators’ disclosure burden
Based on public comments on the Commission’s 2013 final amendments to the COPPA
Rule,[6] FTC staff estimates that the Rule affects approximately 280 new operators per year.[7]
Staff maintains its longstanding estimate that new web operators will require, on average,
approximately 60 hours crafting a privacy policy, designing mechanisms to provide the required
online privacy notice and, where applicable, the direct notice to parents.[8] Applied to the
estimated number of new operators per year, this yields a cumulative yearly total of 16,800 hours
(280 new operators x 60 hours each).
(b) Safe harbor applicant reporting requirements
Operators can comply with the COPPA Rule by meeting the terms of industry
self-regulatory guidelines that the Commission approves after notice and comment.[9] While the
submission of industry self-regulatory guidelines to the agency is voluntary, the COPPA Rule
sets out the criteria for approval of guidelines and the materials that must be submitted as part of
a safe harbor application. Staff estimates that it would require, on average, 265 hours per new
safe harbor program applicant to prepare and submit its safe harbor proposal in accordance with
Section 312.11(c) of the Rule. In the past, industry sources have confirmed that this estimate is
reasonable and advised that all of this time would be attributable to the efforts of lawyers.
Given that several safe harbor programs are already available to website operators, FTC staff
believes that it is unlikely that more than one additional safe harbor applicant will submit a
request within the next three years of PRA clearance sought. Thus, annualized burden
attributable to this requirement would be approximately 88 hours per year (265 hours ÷ 3 years)
or, roughly, 100 hours, for the estimated one additional safe harbor applicant.
[5] This discussion and the associated burden estimates concern strictly recurring compliance obligations under
the COPPA Rule. Details underlying the estimates within this Burden Statement can be found in the October
2, 2018 Federal Register Notice. However, this cumulative total corrects the 17,500 hours estimate that
appeared in the FTC’s associated Federal Register Notice of October 2, 2018 (83 Fed. Reg. 49557) as the
aggregation of the associated burden estimate that appeared in 1. (a)-(c) of that document.
[6] 78 Fed. Reg. 3972, 4005 (Jan. 17, 2013).
[7] This consists of, for example, certain traditional website operators, mobile app developers, plug-in
developers, and advertising networks.
[8] See, e.g., 80 Fed. Reg. 57818 (Sept. 25, 2015); 80 Fed. Reg. 76491 (Dec. 9, 2015); 78 Fed. Reg. at 4005; 76
Fed. Reg. 31334 (May 31, 2011); 73 Fed. Reg. 35689 (June 24, 2008); 70 Fed. Reg. 21107 (Apr. 22, 2005).
[9] See Section 312.11(c). Approved self-regulatory guidelines can be found on the FTC’s website at
http://www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.
Staff believes that most of the records submitted with a safe harbor request would be
those that these entities have kept in the ordinary course of business, and that any incremental
effort associated with maintaining the results of independent assessments or other records under
Section 312.11(d)(3) also would be in the normal course of business. Under 5 CFR
1320.3(b)(2), OMB excludes from the definition of PRA burden the time and financial resources
needed to comply with agency-imposed recordkeeping, disclosure, or reporting requirements that
customarily would be undertaken independently in the normal course of business.
(c) Annual audit and report for safe harbor programs
The COPPA Rule requires safe harbor programs to audit their members at least annually
and to submit annual reports to the Commission on the aggregate results of these member audits.
The burden for conducting member audits and preparing these reports likely will vary for each
safe harbor program depending on the number of members. Commission staff estimates that
conducting audits and preparing reports will require approximately 100 hours per program per
year. Aggregated for one new safe harbor (100 hours) and seven existing (700 hours) safe
harbor programs, this amounts to an estimated cumulative reporting burden of 800 hours per
year.
(d) Safe harbor program recordkeeping requirements
FTC staff believes that most of the records listed in the COPPA Rule’s safe harbor
recordkeeping provisions consist of documentation that such parties have kept in the ordinary
course of business irrespective of the COPPA Rule. As noted above, OMB excludes from the
definition of PRA burden, among other things, recordkeeping requirements that customarily
would be undertaken independently in the normal course of business. In staff’s view, any
incremental burden, such as that for maintaining the results of independent assessments under
section 312.11(d), would be marginal.
2. Estimated annual labor costs: $5,768,900
(a) New entrant web operators’ disclosure burden
Consistent with its past estimates and based on its 2013 rulemaking record, FTC staff
assumes that the time spent on compliance for new operators covered by the COPPA Rule would
be apportioned five to one between legal (outside counsel lawyers or similar professionals) and
technical (e.g., computer programmers, software developers, and information security analysts)
personnel. Staff therefore estimates that outside counsel costs will account for 14,000 of the
estimated 16,800 hours required as estimated in 1(a) above. Regarding outside counsel costs,
FTC staff believes it reasonable to assume that the workload among law firm partners and
associates for COPPA compliance questions would be distributed among attorneys at varying
levels of seniority, and be weighted most heavily to junior attorneys. Assuming two-thirds of
such work is done by junior associates at a rate of approximately $300 per hour, and one-third by
senior partners at approximately $600 per hour, the weighted average of outside counsel costs
would be about $400 per hour.[10] Computer programmers responsible for posting privacy
policies and implementing direct notices and parental consent mechanisms would account for the
remaining 2,800 hours. FTC staff estimates an hourly wage of $44 for technical assistance,
based on Bureau of Labor Statistics (“BLS”) data.[11] Accordingly, associated annual labor costs
would be $5,723,200 [(14,000 hours x $400/hour) + (2,800 hours x $44/hour)] for the estimated
280 new operators.
(b) Safe harbor applicant reporting requirements
Previously, industry sources have advised that all of the labor to comply with new safe
harbor applicant requirements would be attributable to the efforts of in-house lawyers. To
determine in-house legal costs, FTC staff applied an approximate average between the BLS
reported mean hourly wage of $68 for lawyers,[12] and a rough approximation of in-house hourly
attorney rates ($300) that staff believes more generally reflects the costs associated with
Commission information collection activities, which yields an approximate hourly rate of $185.
Accordingly, applying the estimated time for these tasks (100 hours) for the one new safe harbor
applicant estimated in 1(b) above to the assumed hourly wage for in-house counsel ($185) yields
$18,500 in labor costs per year.
(c) Annual audit and report for safe harbor programs
Commission staff assumes that compliance officers, at a labor rate of $34, will prepare
annual reports.[13] Accordingly, applied to the 800 hours estimated per year in 1(c) above for all
safe harbor programs, this amounts to $27,200 in aggregate yearly labor costs.
[10] These estimates are drawn from the “Laffey Matrix.” The Laffey Matrix is a fee schedule used by many
United States courts for determining the reasonable hourly rates in the District of Columbia for attorneys’ fee
awards under federal fee-shifting statutes. It is used here as a proxy for market rates for litigation counsel in
the Washington, DC area. For 2018, rates in table range from $302 per hour for most junior associates to
$602 per hour for most senior partners. See Laffey Matrix, Civil Division of the United States Attorney’s
Office for the District of Columbia, United States Attorney’s Office, District of Columbia, Laffey Matrix B
2015-2018, available at https://www.justice.gov/usao-dc/file/796471/download.
[11] The estimated mean hourly wages for technical labor support ($44) is based on an average of the salaries for
computer programmers, software developers, information security analysts, and web developers as reported by
the Bureau of Labor statistics. See Occupational Employment and Wages – May 2017, Table 1 (National
employment and wage data from the Occupational Employment Statistics survey by occupation, May 2017),
available at http://www.bls.gov/news.release/ocwage.nr0.htm (hereinafter, “BLS Table 1”).
[12] See BLS Table 1 (lawyers, $68.22).
[13] See BLS Table 1 (compliance officers, $34.39). The rounding to $34 per hour was also incorporated into
the calculations published in the FTC’s Oct. 2, 2018 Federal Register Notice, but had there been
parenthetically shown incorrectly as $32.69. That was a prior BLS figure that had informed the FTC’s
corresponding estimate in 2015, when it had last pursued renewed OMB clearance under the instant OMB
control number.
(d) Safe harbor program recordkeeping requirements
For the reasons stated in 1.(d) above, associated labor costs, for PRA purposes, would be
nil or marginal.
(13) Estimated Capital/Other Non-Labor Costs Burden
Because websites will already be equipped with the computer equipment and software
necessary to comply with the Rule’s notice requirements, the predominant costs incurred by the
websites are the aforementioned estimated labor costs. Similarly, industry members should
already have in place the means to retain and store the records that must be kept under the Rule’s
safe harbor recordkeeping provisions, because they are likely to have been keeping these records
independent of the Rule. Capital and start-up costs associated with the Rule are minimal.
(14) Cost to the Federal Government
Enforcing and monitoring compliance of the COPPA Rule will require approximately 4
attorney/investigator work years at approximately $800,000 per year. The Rule allows
companies to apply for approval of parental consent methods not currently enumerated in Section
312.5(b), for additional activities to be included within the definition of support for internal
operations, and for approval to become a COPPA Safe Harbor program. Staff will be required
to evaluate these applications and make recommendations to the Commission. The Rule also
requires existing safe harbor programs to provide annual reports to the Commission that FTC
staff will be required to evaluate. Moreover, FTC staff will be necessary for educational
activities and participating in panels and other presentations regarding the Rule. In addition,
travel costs or other expenses associated with enforcing and administering the Rule will be
approximately $18,000. Thus, the approximate total cost to the FTC in connection with these
cumulative enforcement and monitoring activities will be $818,000. Clerical and other support
services are included in these estimates.
(15) Program Changes or Adjustments
The population estimates affected are corrected upward as is the total estimated burden
hours for the activities covered above and in the FTC’s Federal Register Notices associated with
this clearance request.[14] As with prior clearance submissions for the COPPA Rule, FTC staff
believes that associated capital and start-up costs are minimal. Labor costs increase, however,
for updated hourly wage inputs and for the appropriately increased population affected.
[14] Although then, as now, the FTC narratively accounted for seven existing COPPA safe harbor programs and
an estimated one new entrant (for a total of eight safe harbors), staff had not updated in the associated
information collection worksheet in ROCIS prior estimates that had accounted for six total safe harbors (five
existing and an estimated one new entrant). A list of existing safe harbors appears at
https://www.ftc.gov/safe-harbor-program. Moreover, as noted supra footnote 5 and accompanying text, total
current estimated burden hours is 17,700 hours (16,800 + 100 + 800), not 17,500 hours as had been misstated
in the FTC’s Federal Register Notice of October 2, 2018.
(16) Plans for Tabulation and Publication
Not applicable.
(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.
File Type | application/pdf |
File Modified | 2019-01-31 |
File Created | 2019-01-31 |