2022 COPPA PRA Supporting Statement

2022 COPPA PRA Supporting Statement.pdf

The Children's Online Privacy Protection Rule

OMB: 3084-0117

Document [pdf]
Download: pdf | pdf
Federal Trade Commission
Supporting Statement for the Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
OMB Control No. 3084-0117
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. § 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection and use
of personally identifiable information from children 1 on the Internet. The COPPA Rule, 16
C.F.R. Part 312, implements this mandate by requiring commercial websites to, among other
things, provide notice and obtain parental consent before collecting, using, or disclosing personal
information from children under age thirteen, with limited exceptions.
(1) Necessity for Collecting the Information
The underlying goals of the COPPA are to: (1) enhance parental involvement in
children’s online activities in order to protect the privacy of children in the online environment;
(2) limit the collection of personal information from children without parental consent; (3) help
protect the safety of children in online fora such as chat rooms, home pages, and pen-pal services
in which children may make public postings of identifying information; and (4) maintain the
security of children’s personal information collected online. See 144 Cong. Rec. S11657 (Oct.
7, 1998) (statement of Sen. Bryan).
The COPPA Rule, 16 C.F.R. Part 312, imposes requirements on operators of websites or
online services directed to children under 13 years of age or that have actual knowledge that they
are collecting personal information online from children of such age. Among other things, the
Rule:
•

requires operators to provide notice to parents of the specific types of personal
information sought to be collected from children and their uses, specifies the placement
and content of the required online notice, and describes the contents of the direct notice to
parents (Section 312.4);

•

requires operators to obtain “verifiable parental consent” prior to collecting, using, or
disclosing children’s personal information (Section 312.5);

•

requires operators to provide reasonable means to enable a parent to review the
information (Section 312.6);

•

requires operators to establish procedures that protect the confidentiality, security, and
integrity of personal information collected from children (Section 312.8).

1

A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. § 6501(2).

1

The Rule’s requirements are necessary because: (a) they are expressly mandated by the
Act; and (b) they ensure that parents know what personal information operators seek to collect
from their children online and how it will be used or disclosed, thereby facilitating parental
decision-making whether to consent to the collection of such information.
The Rule contains reporting requirements for entities voluntarily seeking approval as a
COPPA safe harbor self-regulatory program, and reporting and recordkeeping requirements for
all approved safe harbor programs. Section 312.11(c) requires that applicants for safe harbor
status submit to the Federal Trade Commission (“Commission”) certain specific documents and
information, including, among other things, a copy of the guidelines for which approval is sought
and a statement explaining how the guidelines and related assessment mechanism meet the
Rule’s requirements. Section 312.11(d) requires that approved safe harbor programs keep
records of consumer complaints (alleging violations of the guidelines), disciplinary actions taken
against subject operators, and results of independent assessments of operators’ compliance with
the guidelines for 3 years.
(2) Use of the Information
Providing the online disclosures described above enables parents to determine whether:
to permit their children to provide personal information online; to seek access from a website or
online service operator to review their children’s personal information; and whether to object to
any further collection, maintenance, or use of such information.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the industry regulated, the Rule’s notice
requirements make use of information technology to reduce the burdens imposed by the Rule,
consistent with the aims of the Government Paperwork Elimination Act, 44 U.S.C. § 3504 note.
In particular, Section 312.4(d) of the Rule requires that notices be posted online on the operators’
website or online service, and Section 312.4(b) expressly contemplates that operators shall
“tak[e] into account available technology” in ensuring that parents receive direct notice of their
information practices. Section 312.5(b)(1) requires operators to “make reasonable efforts to
obtain verifiable parental consent, taking into consideration available technology” in designing
consent mechanisms. Section 312.5(b)(2), which contains a non-exclusive list of acceptable
methods for obtaining consent, identifies methods for obtaining consent that take advantage of
new technologies. The notice provisions in Sections 312.5(c)(2), 312.5(c)(4), and 312.5(c)(5)
also require consideration of available technology. Thus, the Rule provides operators with the
flexibility to employ appropriate, reasonable information technologies to comply with the notice
and consent requirements.

2

(4) Efforts to Identify Duplication
The Rule’s notice requirements do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government agencies.
(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the Rule to minimize the compliance burden of these
requirements as much as possible. The notice requirements are expressly mandated by the Act,
as described above. The Rule implements these requirements by providing guidance on the
contents of such notices while allowing operators (including small businesses) to determine the
most cost-effective means of disseminating such notices.
(6) Consequences of Conducting Collection Less Frequently
Less frequent disclosures would violate the express statutory language and intent of the
Act. The statute requires both that notice be given online and that notice regarding the
operator’s information practices be given to parents upon request. 2 Parental notice under the
Rule works in tandem with the COPPA’s mandated parental consent requirement. 3 Thus, the
Rule does not require notices any more frequently than necessary for operators to comply with
the statute and to enable parents to make an informed decision about an operator’s collection,
maintenance, use, or disclosure of their children’s personal information.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The collection of information under the final amendments is consistent with all applicable
OMB PRA guidelines under 5 C.F.R. § 1320.10.
(8) Consultation Outside the Agency
The Commission periodically reviews the Rule to obtain public input and ensure it
continues to effectively protects children’s online privacy. The Commission initiated a
retrospective review of the Rule in 2019. 4
2

See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Rule at Sections 312.3(a) (online notice), 312.4(c) (content of direct notice to
parent), and 312.6(a) (notice to parents upon their request).

3

See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at Sections 312.4 (content of notices)
and 312.5 (parental consent and exceptions).

4

84 FR 35842 (July 25, 2019).

3

As required by the PRA, the FTC provided opportunity for public comment before
requesting that OMB extend its existing clearance. See 86 Fed. Reg. 55609 (Oct. 6, 2021). No
relevant comments were received. Pursuant to PRA implementing regulations under 5 C.F.R.
Part 1320, the Commission is providing a second opportunity for public comment
contemporaneous with this submission.
(9) Payments or Gifts to Respondents
Not applicable.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice of information practices by
website and online service operators to the public and specifically to parents of children from
whom personal information is sought to be collected.
(12) Estimated Annual Hours Burden and Associated Labor Cost
1.

Annual hours burden: 17,600 hours
(a)

New entrant web operators’ disclosure burden

FTC staff estimates that the Rule affects approximately 280 new operators per year. 5
Staff maintains its longstanding estimate that new operators of websites and online services will
require, on average, approximately 60 hours to draft a privacy policy, design mechanisms to
provide the required online privacy notice and, where applicable, the direct notice to parents. 6
This yields an estimated annual hours burden 16,800 hours (280 respondents × 60 hours).
(b)

Safe harbor applicant reporting requirements

Operators can comply with the COPPA Rule by meeting the terms of Commissionapproved self-regulatory program guidelines. 7 While the submission of industry self-regulatory
guidelines to the agency is voluntary, the COPPA Rule sets out the criteria for approval of
guidelines and the materials that must be submitted as part of a safe harbor application. Based
on industry input, staff estimates that it would require, on average, 265 hours per new safe harbor
program applicant to prepare and submit its safe harbor proposal in accordance with Section
5 This consists of certain traditional website and online service operators, mobile app developers, plug-in
developers, and advertising networks.
6 See, e.g., 80 FR 76491 (Dec. 9, 2015); 84 FR 1466 (Feb. 4, 2019).
7 See Section 312.11(c), (g). Approved self-regulatory guidelines can be found on the FTC’s website at
http://www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.

4

312.11(c) of the Rule. 8 Given that several safe harbor programs are already available to website
and online service operators, FTC staff anticipates that no more than one additional safe harbor
applicant is likely submit a request within the next three years of PRA clearance. Thus, FTC
staff estimates that annualized burden attributable to this requirement would be approximately 88
hours per year (265 hours ÷ 3 years), which is rounded to 100 hours.
(c)

Annual audit and report for safe harbor programs

The COPPA Rule requires safe harbor programs to audit their members and submit
annual reports to the Commission on the aggregate results of these member audits. The burden
for conducting member audits and preparing these reports likely varies by safe harbor program
depending on the number of members. Commission staff estimates that conducting audits and
preparing reports will require approximately 100 hours per program per year. Aggregated for
one new safe harbor (100 hours) and six existing (600 hours) safe harbor programs, this amounts
to an estimated cumulative reporting burden of 700 hours per year (7 respondents × 100 hours).
(d)

Safe harbor program recordkeeping requirements

FTC staff understands that most of the records listed in the COPPA Rule’s safe harbor
recordkeeping provisions consist of documentation that covered entities retain in the ordinary
course of business irrespective of the COPPA Rule. As noted above, OMB excludes from the
definition of PRA burden, among other things, recordkeeping requirements that customarily
would be undertaken independently in the normal course of business. In staff’s view, any
incremental burden, such as that for maintaining the results of independent assessments under
section 312.11(d), would be marginal.
2.

Estimated annual labor costs: $5,783,700
(a)

New entrant web operators’ disclosure burden

Consistent with its past estimates and based on its 2013 rulemaking record, FTC staff
assumes that the time spent on compliance for new operators covered by the COPPA Rule would
be apportioned five to one between legal (outside counsel lawyers or similar professionals) and
technical (e.g., computer programmers, software developers, and information security analysts)
personnel. Staff therefore estimates that outside counsel costs will account for 14,000 of the
estimated 16,800 hours required as estimated in Section 1(a) above. FTC anticipates that the
workload among law firm partners and associates for assisting with COPPA compliance would
be distributed among attorneys at varying levels of seniority. Assuming two-thirds of such work
is done by junior associates at a rate of approximately $300 per hour, and one-third by senior
partners at approximately $600 per hour, the weighted average of outside counsel costs would be
8 Staff believes that most of the records submitted with a safe harbor request would be those that these entities have
kept in the ordinary course of business. Under 5 CFR 1320.3(b)(2), OMB excludes from the definition of PRA
burden the time and financial resources needed to comply with agency-imposed recordkeeping, disclosure, or
reporting requirements that customarily would be undertaken independently in the normal course of business.

5

approximately $400 per hour. 9 FTC staff anticipates that computer programmers responsible
for posting privacy policies and implementing direct notices and parental consent mechanisms
would account for the remaining 2,800 hours. FTC staff estimates an hourly wage of $49
(rounded to the nearest dollar) for technical assistance, based on Bureau of Labor Statistics
(“BLS”) data. 10 Accordingly, associated annual labor costs would be $5,737,200 [(14,000 hours
× $400/hour) + (2,800 hours × $49/hour)] for the estimated 280 new operators.
(b)

Safe harbor applicant reporting requirements

Industry sources have advised that all of the labor to comply with new safe harbor
applicant requirements would be attributable to the efforts of in-house lawyers. To determine
in-house legal costs, FTC staff applied an approximate average between the BLS reported mean
hourly wage for lawyers ($69.86), 11 and estimated in-house hourly attorney rates ($300) that are
likely to reflect the costs associated with some safe harbor applicant costs. This yields an
approximate hourly rate of $185. Applying this hourly labor cost estimate to the hours burden
associated with approval for a new safe harbor application yields an estimated annual labor cost
burden of $18,500 (100 hours × $185).
(c)

Annual audit and report for safe harbor programs

Commission staff assumes that compliance officers at a mean hourly wage of $35, will
prepare annual reports. 12 Applying this hourly labor cost estimate to the hours burden
associated with preparing annual audit reports yields an estimated annual labor cost burden of
$24,500 (700 hours × $35).
(d)

Safe harbor program recordkeeping requirements

For the reasons stated in Section 1(d) above, FTC staff anticipates that the labor costs
associated with safe harbor program recordkeeping are de minimis.

9 These estimates are drawn from the “Laffey Matrix.” The Laffey Matrix is a fee schedule used by many United
States courts for determining the reasonable hourly rates in the District of Columbia for attorneys’ fee awards under
federal fee-shifting statutes. It is used here as a proxy for market rates for litigation counsel in the Washington, DC
area. For 2020-2021, rates in table range from $333 per hour for most junior associates to $665 per hour for the
most senior partners. See Laffey Matrix, Civil Division of the United States Attorney’s Office for the District of
Columbia, United States Attorney’s Office, District of Columbia, Laffey Matrix B 2015-2021, available at
https://www.justice.gov/usao-dc/page/file/1305941/download.
10 The estimated mean hourly wages for technical labor support ($44) is based on an average of the mean hourly
wage for computer programmers, software developers, information security analysts, and web developers as
reported by the Bureau of Labor statistics. See Occupational Employment and Wages – May 2020, Table 1
(National employment and wage data from the Occupational Employment Statistics survey by occupation, May
2020), available at https://www.bls.gov/news.release/ocwage.t01.htm (hereinafter, “BLS Table 1”).
11 See BLS Table 1 (attorneys).
12 See BLS Table 1 (compliance officers, $35.03).

6

(13) Estimated Capital/Other Non-Labor Costs Burden
FTC staff understands that covered website and online service operators already have in
place the computer equipment and software necessary to comply with the Rule’s notice
requirements. Accordingly, the predominant costs incurred by website and online service
operators are the aforementioned labor costs. Similarly, FTC staff anticipates that covered
entities already have in place the means to retain and store the records that must be kept under
the Rule’s safe harbor recordkeeping provisions, because they are likely to retain such records
independent of the Rule. Accordingly, FTC staff estimates that the capital and non-labor costs
associated with Rule compliance are de minimis.
(14) Cost to the Federal Government
The Rule allows companies to apply for approval of parental consent methods not
currently enumerated in Section 312.5(b), for additional activities to be included within the
definition of support for internal operations, and for approval to become a COPPA Safe Harbor
program. Staff will be required to evaluate these applications and make recommendations to the
Commission. The Rule also requires existing safe harbor programs to provide annual reports to
the Commission that FTC staff will be required to evaluate. Moreover, FTC staff will undertake
business and consumer education activities and participate in panels and other presentations
regarding the Rule.
These activities and other enforcement and compliance monitoring for the COPPA Rule
will require approximately 4 attorney/investigator work years for a total cost of approximately
$800,000 per year. In addition, travel costs or other expenses associated with enforcing and
administering the Rule are anticipated to total approximately $18,000. Thus, the approximate
total cost to the FTC in connection with these cumulative enforcement and monitoring activities
will be $818,000. Clerical and other support services are included in these estimates.
(15) Program Changes or Adjustments
There are no program changes or adjustments. The overall burden estimates for the
COPPA Rule’s information collection requirements has decreased by 100 hours for this renewal
period because one participant in the agency’s COPPA Safe Harbor Program left the program
during the previous renewal period. As required by COPPA, the Safe Harbor Program allows
industry participants to submit for Commission approval self-regulatory guidelines that
implement the protections of the COPPA Rule. As a result of this change, the overall burden
estimate for the IC titled “Annual audit and report for existing and one new safe harbor(s)” has
decreased by 1 respondent (from 8 respondents to 7) and by 100 hours (from 800 hours to 700
hours). In addition, for this clearance renewal period, staff has updated their labor cost
estimates to take into account updated BLS wage data.

7

(16) Plans for Tabulation and Publication
There are no plans to publish tabulations of information associated with the Rule’s
requirements.
17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
The FTC certifies that this collection of information is consistent with the requirements
of 5 CFR 1320.9, and the related provisions of 5 CFR 1320.8(b)(3), and is not seeking an
exemption to these certification requirements.

8


File Typeapplication/pdf
File Modified2022-02-25
File Created2022-02-25

© 2024 OMB.report | Privacy Policy