Proposed Rule2023-28569
Children's Online Privacy Protection Rule
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
January 11, 2024
Issuing agencies
Federal Trade Commission
Abstract
The Commission proposes to amend the Children's Online Privacy Protection Rule, consistent with the requirements of the Children's Online Privacy Protection Act. The proposed modifications are intended to respond to changes in technology and online practices, and where appropriate, to clarify and streamline the Rule. The proposed modifications, which are based on the FTC's review of public comments and its enforcement experience, are intended to clarify the scope of the Rule and/or strengthen its protection of personal information collected from children.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 8 (Thursday, January 11, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 8 (Thursday, January 11, 2024)]
[Proposed Rules]
[Pages 2034-2076]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-28569]
[[Page 2033]]
Vol. 89
Thursday,
No. 8
January 11, 2024
Part III
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Part 312
Children's Online Privacy Protection Rule; Proposed Rule
��Federal Register / Vol. 89 , No. 8 / Thursday, January 11, 2024 /
Proposed Rules��
[[Page 2034]]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 312
RIN 3084-AB20
Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Commission proposes to amend the Children's Online Privacy
Protection Rule, consistent with the requirements of the Children's
Online Privacy Protection Act. The proposed modifications are intended
to respond to changes in technology and online practices, and where
appropriate, to clarify and streamline the Rule. The proposed
modifications, which are based on the FTC's review of public comments
and its enforcement experience, are intended to clarify the scope of
the Rule and/or strengthen its protection of personal information
collected from children.
DATES: Comments must be received by March 11, 2024.
ADDRESSES: Interested parties may file a comment online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``COPPA Rule Review,
Project No. P195404'' on your comment and file your comment online at
<a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on the web-
based form. If you prefer to file your comment on paper, mail your
comment to the following address: Federal Trade Commission, Office of
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex E),
Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Manmeet Dhindsa (202-326-2877) or
James Trilling (202-326-3497), Division of Privacy and Identity
Protection, Bureau of Consumer Protection, Federal Trade Commission.
SUPPLEMENTARY INFORMATION:
I. Background
Congress enacted the Children's Online Privacy Protection Act
(``COPPA'' or ``COPPA statute''), 15 U.S.C. 6501 et seq., in 1998. The
COPPA statute directed the Federal Trade Commission (``Commission'' or
``FTC'') to promulgate regulations implementing COPPA's requirements.
On November 3, 1999, the Commission issued its Children's Online
Privacy Protection Rule, 16 CFR part 312 (``COPPA Rule'' or ``Rule''),
which became effective on April 21, 2000.\1\ Section 6506 of the COPPA
statute and Sec. 312.11 of the initial Rule required that the
Commission initiate a review no later than five years after the initial
Rule's effective date to evaluate the Rule's implementation. The
Commission commenced this mandatory review on April 21, 2005.\2\ After
receiving and considering extensive public comment, the Commission
determined in March 2006 to retain the COPPA Rule without change.\3\ In
2010, the Commission once again undertook a review of the COPPA Rule to
determine whether the Rule was keeping pace with changing technology.
After notice and comment, the Commission issued final amendments to the
Rule, which became effective on July 1, 2013 (``2013 Amendments'').\4\
---------------------------------------------------------------------------
\1\ Children's Online Privacy Protection Rule, Statement of
Basis and Purpose, 64 FR 59888 (Nov. 3, 1999), available at <a href="https://www.federalregister.gov/documents/1999/11/03/99-27740/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/1999/11/03/99-27740/childrens-online-privacy-protection-rule</a>.
\2\ Children's Online Privacy Protection Rule, Request for
Public Comment, 70 FR 21107 (Apr. 22, 2005), available at <a href="https://www.federalregister.gov/documents/2005/04/22/05-8160/childrens-online-privacy-protection-rule-request-for-comments">https://www.federalregister.gov/documents/2005/04/22/05-8160/childrens-online-privacy-protection-rule-request-for-comments</a>.
\3\ Children's Online Privacy Protection Rule, Retention of Rule
Without Modification, 71 FR 13247 (Mar. 15, 2006), available at
<a href="https://www.federalregister.gov/documents/2006/03/15/06-2356/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/2006/03/15/06-2356/childrens-online-privacy-protection-rule</a>.
\4\ See Children's Online Privacy Protection Rule, Statement of
Basis and Purpose, 78 FR 3972 (Jan. 17, 2013), available at <a href="https://www.federalregister.gov/documents/2013/01/17/2012-31341/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/2013/01/17/2012-31341/childrens-online-privacy-protection-rule</a>.
---------------------------------------------------------------------------
The COPPA Rule imposes certain requirements on operators of
websites \5\ or online services directed to children under 13 years of
age, and on operators of websites or online services that have actual
knowledge that they are collecting personal information online from a
child under 13 years of age (collectively, ``operators''). The Rule
requires that operators provide notice to parents and obtain verifiable
parental consent before collecting, using, or disclosing personal
information from children under 13 years of age.\6\ Additionally, the
Rule requires that operators must provide parents the opportunity to
review the types or categories of personal information collected from
their child, the opportunity to delete the collected information, and
the opportunity to prevent further use or future collection of personal
information from their child.\7\ The Rule also requires operators to
keep personal information they collect from children secure, including
by imposing retention and deletion requirements, and prohibits them
from conditioning children's participation in activities on the
collection of more personal information than is reasonably necessary to
participate in such activities.\8\ The Rule contains a ``safe harbor''
provision enabling industry groups or others to submit to the
Commission for approval self-regulatory guidelines that would implement
the Rule's protections.\9\
---------------------------------------------------------------------------
\5\ See Part IV for further discussion of the Commission's
proposal to change the term ``Web site'' to ``Web site'' throughout
the Rule. This Notice of Proposed Rulemaking incorporates this
proposed change in all instances in which the term ``Web site'' is
used.
\6\ 16 CFR 312.3, 312.4, and 312.5.
\7\ 16 CFR 312.3 and 312.6.
\8\ 16 CFR 312.3, 312.7, 312.8, and 312.10.
\9\ 16 CFR 312.11.
---------------------------------------------------------------------------
The 2013 Amendments \10\ revised the COPPA Rule to address changes
in the way children use and access the internet, including through the
increased use of mobile devices and social networking. In particular,
the 2013 Amendments:
---------------------------------------------------------------------------
\10\ 78 FR 3972.
---------------------------------------------------------------------------
<bullet> Modified the definition of ``operator'' to make clear that
the Rule covers an operator of a child-directed website or online
service that integrates outside services--such as plug-ins or
advertising networks--that collect personal information from the
website's or online service's visitors, and expanded the definition of
``website or online service directed to children'' to clarify that
those outside services are subject to the Rule where they have actual
knowledge that they are collecting personal information directly from
users of a child-directed website or online service;
<bullet> Permitted a subset of child-directed websites or online
services that do not target children as their primary audience to
differentiate among users, requiring them to comply with the Rule's
obligations only as to users who identify as under the age of 13;
<bullet> Expanded the definition of ``personal information'' to
include geolocation information; photos, videos and audio files
containing a child's image or voice; and persistent identifiers that
can be used to recognize a user over time and across different websites
or online services;
<bullet> Streamlined the direct notice requirements to ensure that
key information is presented to parents in a succinct ``just-in-time''
notice;
<bullet> Expanded the non-exhaustive list of acceptable methods for
obtaining prior verifiable parental consent;
<bullet> Created three new exceptions to the Rule's notice and
consent requirements, including for the use of persistent identifiers
for the support for the internal operations of a website or online
service;
[[Page 2035]]
<bullet> Strengthened data security protections by requiring
operators to take reasonable steps to release children's personal
information only to service providers and third parties who are capable
of maintaining the confidentiality, security, and integrity of such
information, and required reasonable data retention and deletion
procedures; and
<bullet> Strengthened the Commission's oversight of self-regulatory
safe harbor programs.\11\
---------------------------------------------------------------------------
\11\ Id.
---------------------------------------------------------------------------
On July 25, 2019, the FTC announced in the Federal Register that it
was again undertaking a review of the COPPA Rule, noting that questions
had arisen about the Rule's application to the educational technology
(``ed tech'') sector, voice-enabled connected devices, and general
audience platforms that host third-party child-directed content (``2019
Rule Review Initiation'').\12\ The Commission sought public comment on
these and other issues in its 2019 Rule Review Initiation. In addition
to its standard regulatory review questions to determine whether the
Commission should retain, eliminate, or modify the COPPA Rule, the
Commission asked whether the 2013 Amendments have resulted in stronger
protections for children and whether the revisions have had any
negative consequences. The Commission also posed specific questions
about the Rule's provisions, including the Rule's definitions, notice
and consent requirements, access and deletion rights, security
requirements, and safe harbor provisions.
---------------------------------------------------------------------------
\12\ See Children's Online Privacy Protection Rule, Request for
Public Comment, 84 FR 35842 (July 25, 2019), available at <a href="https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online">https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online</a>.
---------------------------------------------------------------------------
During the comment period, the Commission held a public workshop on
October 7, 2019, to discuss in detail several of the areas where it
sought public comment (``COPPA Workshop'').\13\ Specific discussion
included such topics as application of the COPPA Rule to the ed tech
sector, how the development of new technologies and business models
have affected children's privacy, and whether the 2013 Amendments have
worked as intended.
---------------------------------------------------------------------------
\13\ See The Future of the COPPA Rule: An FTC Workshop (Oct. 7,
2019), available at <a href="https://www.ftc.gov/news-events/events/2019/10/future-coppa-rule-ftc-workshop">https://www.ftc.gov/news-events/events/2019/10/future-coppa-rule-ftc-workshop</a>; 84 FR 35842.
---------------------------------------------------------------------------
In response to the 2019 Rule Review Initiation, the Commission
received more than 175,000 comments from various stakeholders,
including industry representatives, video content creators, consumer
advocacy groups, academics, technologists, FTC-approved COPPA Safe
Harbor programs, members of Congress, and individual members of the
public. While many of these comments expressed overall support for
COPPA,\14\ the comments identified a number of areas where the
Commission could provide additional clarification or guidance about the
COPPA Rule's requirements. The comments also proposed a number of
potential changes to the Rule.
---------------------------------------------------------------------------
\14\ See, e.g., Joint Comment of the Attorneys General of New
Mexico, Connecticut, Delaware, the District of Columbia, Idaho,
Illinois, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts,
Michigan, Minnesota, Mississippi, Nebraska, Nevada, New York, North
Carolina, Oregon, Pennsylvania, Tennessee, Vermont, Virginia, and
Washington (``Joint Attorneys General''), at 2 (``As more and more
of our lives are lived online, and as digital tools make their way
into our schools and into our lives at ever-earlier ages, rules like
the COPPA Rule must continue not only to exist, but grow and adapt
to ever-changing regulatory landscapes''); SuperAwesome Inc.
(``SuperAwesome''), at 8 (``As a result of the rapid evolution of
the [I]nternet economy and in particular services that rely on user
data, the need for the COPPA Rule has never been greater''); Privacy
Vaults Online, Inc. (``PRIVO''), at 2 (``In PRIVO's experience, both
children and operators benefit when COPPA-compliant processes are in
place to permit operators to offer relevant content to children and
permit children to engage with that content in an appropriate and
permissioned manner''); The LEGO Group (``Lego''), at 3 (``COPPA has
played and continues to play an important role in raising awareness
of the importance of protecting children's privacy online. COPPA has
been effective because of its future-proof language, which has
allowed it to protect against real harms today, that were not clear
when the Rule was enacted in 1998''); Internet Association, at 1
(``Nearly 20 years after its adoption, COPPA remains an important
mechanism for preserving parental choice with respect to the privacy
and security of personal information about children under 13'');
Consumer Reports, at 5 (``Due to the increase in connected products
generally, and children's products specifically, there is only
heightened need for the COPPA rules in the coming years''); and
Association of National Advertisers (``ANA''), at 3 (``The current
COPPA Rule is protective of children's privacy interests and
generally workable for businesses. The FTC has given parents the
ability to protect children's privacy and entities clear `rules of
the road' regarding how to comply with COPPA''). But see Committee
for Justice, at 2 (``In addition to being ineffective at preventing
the personal information of children from being collected without
parental consent, [COPPA's] approach has the effect of burdening
sites targeted towards children''); International Center for Law &
Economics (``ICLE''), at 3 (regarding the aggregate costs and
benefits of the Rule, ``[t]he benefits are unclear, but the costs--
in the form of restricting the ability of family-friendly content
creators to monetize their products--are real''); Connected Camps,
at 1-3 (stating that COPPA has resulted in a number of unintended
consequences based on mistaken assumptions).
---------------------------------------------------------------------------
Following consideration of the submitted public comments,
viewpoints expressed during the COPPA Workshop, and the Commission's
experience enforcing the Rule, the Commission proposes modifying most
provisions of the Rule. Part II of this notice of proposed rulemaking
(``NPRM'') discusses commenters' calls to expand the COPPA Rule's
coverage by amending the definition of ``website or online service
directed to children'' or by changing the Rule's actual knowledge
standard. Part III of this NPRM discusses commenters' viewpoints on
whether the Commission should permit general audience platforms that
allow third parties to upload content to the platform to rebut the
presumption that all users of uploaded child-directed content are
children. Part IV addresses the Commission's proposed modifications to
the Rule. Parts V-X provide information about requests for comment, the
Paperwork Reduction Act, the Regulatory Flexibility Act, communications
by outside parties to the Commissioners or their advisors, questions
for the proposed revisions to the Rule, a list of subjects in the Rule,
and the amended text of the Rule.
II. Comments on Expanding the COPPA Rule's Coverage
As part of its 2019 Rule Review Initiation, the Commission
requested comment on questions regarding whether the Commission should
revise the definition of ``website or online service directed to
children.'' In response, the Commission received various comments
regarding expanding the COPPA Rule's coverage by either amending the
definition of ``website or online service directed to children'' or by
changing the Rule's actual knowledge standard. This Part includes
discussion of comments advocating for and against such expansions.
A. Amending the Definition of ``Website or Online Service Directed to
Children''
In its 2019 Rule Review Initiation, the Commission asked for
comment on various aspects of the Rule's definition of ``website or
online service directed to children.'' Among other questions, the
Commission asked whether it should amend the definition to address
websites and online services that do not include traditionally child-
oriented activities but still have large numbers of child users.\15\
---------------------------------------------------------------------------
\15\ Other aspects of this definition are discussed in Part
IV.A.5.
---------------------------------------------------------------------------
Some commenters argued that the definition of ``website or online
service directed to children'' should be modified to include sites and
services with large numbers of children, those with a certain
percentage of child users, or those that include child-attractive
[[Page 2036]]
content.\16\ For example, FTC-approved COPPA Safe Harbor program PRIVO
asserted that general audience services with large numbers of children
should be required to comply with COPPA, noting that ``[s]ervices not
targeted to children that have large numbers of children must be
addressed as it can result in online harm to the child due to inherent
privacy and safety risks.'' \17\ PRIVO further argued that the
Commission should define thresholds for the number of child users at
which COPPA's protections must be provided.\18\ Similarly, Common Sense
Media encouraged the Commission to interpret the definition of
``website or online service directed to children'' to include ``sites
and services that attract, or are likely to be accessed by,
disproportionate numbers of children.'' \19\
---------------------------------------------------------------------------
\16\ See, e.g., Children's Advertising Review Unit (``CARU''),
at 6-7; PRIVO, at 7; Common Sense Media, at 12.
\17\ PRIVO, at 7.
\18\ Id.
\19\ Common Sense Media, at 12, 15-17.
---------------------------------------------------------------------------
However, other commenters opposed expanding the definition of
``website or online service directed to children'' in such ways.\20\
For example, The Toy Association opposed the adoption of a numerical or
percentage audience threshold as a determinative factor in identifying
child-directed websites or online services.\21\ Similarly, panelists
during the COPPA Workshop noted that ``[a]ttractive to children is very
different from targeted to children,'' \22\ and that COPPA's statutory
language is ``child-directed'' and not ``child-attractive.'' \23\
Commenters raised additional concerns with expanding the definition to
include sites and services that do not include child-oriented
activities but have large numbers of children, including because such a
change would be inconsistent with the statute,\24\ decrease online
offerings for children,\25\ be unduly burdensome to operators of non-
child-directed websites or online services,\26\ and lead to regulatory
uncertainty.\27\ Some commenters also noted that this amendment would
be unnecessary since the definition already includes ``competent and
reliable empirical evidence regarding audience composition'' as a
factor to consider in determining whether a site or service is directed
to children.\28\
---------------------------------------------------------------------------
\20\ See, e.g., Computer & Communications Industry Association
(``CCIA''), at 6-7; U.S. Chamber of Commerce, at 3-4; ANA, at 6-7;
Network Advertising Initiative (``NAI''), at 3-5; ViacomCBS Inc.
(``Viacom''), at 5-6; Internet Association, at 9; Entertainment
Software Association (``ESA''), at 8-12; TechFreedom, at 18.
\21\ The Toy Association, at 9-10 (adding that ``[d]oing so is
inconsistent with traditional norms for advertising and risks
undermining the intent of the statute by elevating a single factor
over others. Such an approach is also entirely inconsistent with how
the FTC and advertising self-regulatory bodies handle
advertising'').
\22\ P. Aftab, Remarks from the Scope of the COPPA Rule panel at
The Future of the COPPA Rule: An FTC Workshop 52 (Oct. 7, 2019),
available at <a href="https://www.ftc.gov/news-events/events/2019/10/future-coppa-rule-ftc-workshop">https://www.ftc.gov/news-events/events/2019/10/future-coppa-rule-ftc-workshop</a>.
\23\ See D. McGowan, Remarks from the Scope of the COPPA Rule
panel at The Future of the COPPA Rule: An FTC Workshop 48 (Oct. 7,
2019), available at <a href="https://www.ftc.gov/news-events/events/2019/10/future-coppa-rule-ftc-workshop">https://www.ftc.gov/news-events/events/2019/10/future-coppa-rule-ftc-workshop</a>.
\24\ See, e.g., CCIA, at 6; NAI, at 3; ANA, at 6; Viacom, at 5-
6; U.S. Chamber of Commerce, at 3-4.
\25\ See, e.g., ANA, at 7 (noting that ``[b]roadening the Rule's
scope by making it applicable to websites or online services that do
not include traditionally child-oriented activities, but that have
large numbers of child users, would negatively impact consumers and
children because operators would be disincentivized from producing
content, products, and online services that, while not directed to
them, have the potential to attract child users'').
\26\ See, e.g., CCIA, at 7 (noting that ``[a]udience metrics
alone are a poor basis for determining COPPA applicability because
they can shift over time, may be highly responsive to fads, cannot
necessarily be predicted by an operator at the outset of (launching
a website or online service, and cannot be reliably calculated'').
\27\ See, e.g., ESA, at 8.
\28\ See, e.g., CCIA, at 6-7; ANA, at 6-7.
---------------------------------------------------------------------------
During the Rule review that resulted in the 2013 Amendments, the
Commission considered amending the definition of ``website or online
service directed to children'' to cover sites or services that
``[b]ased on the overall content of the website or online service,
[are] likely to attract an audience that includes a disproportionately
large percentage of children under age 13 as compared to the percentage
of such children in the general population. . . .'' \29\ In response,
the Commission received numerous comments raising concerns that such a
standard was vague, potentially unconstitutional, and unduly expansive,
and could lead to widespread age-screening and more intensive age
verification across all websites and online services.\30\ In ultimately
declining to adopt this standard, the Commission stated it did not
intend to expand the reach of the Rule to include additional sites and
services.
---------------------------------------------------------------------------
\29\ Children's Online Privacy Protection Rule, Supplemental
Notice of Proposed Rulemaking; Request for Comment, 77 FR 46643,
46646 (Aug. 6, 2012), available at <a href="https://www.federalregister.gov/documents/2012/08/06/2012-19115/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/2012/08/06/2012-19115/childrens-online-privacy-protection-rule</a>.
\30\ See 78 FR 3972 at 3983-3984.
---------------------------------------------------------------------------
The Commission again declines to modify the Rule in this manner.
The definition of ``website or online service directed to children''
includes a number of factors the Commission will consider in
determining whether a particular website or online service is child-
directed, including consideration of ``competent and reliable empirical
evidence regarding audience composition.'' Because the Commission
already considers the demographics of a website's or online service's
user base in its determination, the Commission does not believe it is
necessary to modify the definition.
Similarly, the Commission also previously considered amending the
Rule to set forth that websites and online services with a specified
percentage of child users would be considered directed to children. As
part of the Rule review that led to the 2013 Amendments, the Institute
for Public Representation recommended that the Commission amend the
Rule so that a website per se should be deemed ``directed to children''
if audience demographics show that 20% or more of its visitors are
children under age 13.\31\ The Commission determined not to adopt this
as a per se legal standard, in part because the Commission noted that
the definition of ``website or online service directed to children''
already positions the Commission to consider empirical evidence of the
number of child users on a site.
---------------------------------------------------------------------------
\31\ Children's Online Privacy Protection Rule, Proposed Rule;
Request for Comment, 76 FR 59804, 59814 (Sept. 27, 2011), available
at <a href="https://www.federalregister.gov/documents/2011/09/27/2011-24314/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/2011/09/27/2011-24314/childrens-online-privacy-protection-rule</a>.
---------------------------------------------------------------------------
While the Commission continues to believe that there are good
reasons not to ground COPPA liability simply on an assessment of the
percentage of a site's or service's audience that is under 13, the
Commission would like to obtain additional comment on whether it should
provide an exemption under which an operator's site or service would
not be deemed child-directed if the operator undertakes an analysis of
the site's or service's audience composition and determines that no
more than a specific percentage of its users are likely to be children
under 13. In particular, the Commission seeks comment on (1) whether
the Rule should provide an exemption or other incentive to encourage
operators to conduct an analysis of their sites' or services' user
bases; (2) what the reliable means are by which operators can determine
the likely ages of a site's or service's users; (3) whether and how the
COPPA Rule should identify such means; (4) what the appropriate
percentage of users should be to qualify for this potential exemption;
\32\ and (5)
[[Page 2037]]
whether such an exemption would be inconsistent with the COPPA Rule's
multi-factor test for determining whether a website or online service,
or a portion thereof, is directed to children.
---------------------------------------------------------------------------
\32\ Because this exemption would rely on a single factor (i.e.,
audience composition) to exempt sites or services from being deemed
child-directed, the Commission anticipates that the appropriate
percentage to qualify for this exemption would be very low.
---------------------------------------------------------------------------
B. Changing the COPPA Rule's ``Actual Knowledge'' Standard
In responding to the Commission's request for comment on the
definition of ``website or online service directed to children,'' a
number of commenters recommended that the Commission revise COPPA's
actual knowledge standard by moving to a constructive knowledge
standard.\33\ Namely, these commenters sought to bring within COPPA's
jurisdiction those operators that have reason to know they may be
collecting information from a child and those operators that willfully
avoid gaining actual knowledge that they are collecting information
from a child. Common Sense Media, for example, encouraged the
Commission to broaden its view of ``actual knowledge'' to prevent the
``willful disregard that children's personal[ ] information is being
collected.'' \34\ Other commenters, referencing the California Consumer
Privacy Act, similarly recommended that COPPA's actual knowledge
standard should cover operators of general audience sites and services
that ignore or willfully disregard the age of their users.\35\
Children's privacy advocate 5Rights Foundation further recommended that
the Commission should consider current and historic audience
composition evidence of both the specific service and similar services
in determining whether an operator has met the actual knowledge
standard.\36\
---------------------------------------------------------------------------
\33\ See, e.g., London School of Economics and Political
Science, at 9 (noting that the FTC should re-examine its definition
of child-directed websites and online services to include
```constructive knowledge' i.e., what an operator ought to know
about its users if they have carried their work in due diligence'')
(bold typeface omitted); S. Egelman, at 3-4 (asserting that ``actual
knowledge'' should include third-party recipients of data from a
mobile app that can be identified as child-directed); Color of
Change, at 4-5 (advocating that the FTC should move from an actual
knowledge standard to a constructive knowledge standard);
SuperAwesome, at 18 (recommending the Commission amend the
definition of ``website or online service directed to children'' to
include situations where an operator has, or should be reasonably
expected to have, actual knowledge that it is collecting information
from children or from users of a child-directed website or online
service).
\34\ Common Sense Media, at 12.
\35\ 5Rights Foundation, at 3-4; Consumer Reports, at 8-9.
\36\ 5Rights Foundation, at 4.
---------------------------------------------------------------------------
A number of industry commenters opposed the Commission adopting a
constructive knowledge standard. Several of these commenters pointed to
the COPPA statute's language \37\ and argued that the Commission lacks
authority to change the actual knowledge standard.\38\ Others asserted
that a constructive knowledge standard would result in operators
collecting additional data from all users, including children, and
might lead to a reduction in available online content because operators
may decide to withdraw content intended for teenagers and young adults
to avoid the risk of interacting with children.\39\ Additionally, the
Association of National Advertisers stated that a constructive
knowledge standard would conflict with the Commission's long-
established position that operators are not obligated to investigate
the age of their users \40\ and would increase uncertainty about
companies' potential COPPA obligations.\41\ Similarly, Engine, a non-
profit policy organization, noted that moving from the ``bright-line''
standard of actual knowledge to a less clear constructive knowledge
standard could disproportionately burden small companies and start-
ups.\42\
---------------------------------------------------------------------------
\37\ 15 U.S.C. 6502(a)(1) (providing that ``[i]t is unlawful for
an operator of a website or online service directed to children, or
any operator that has actual knowledge that it is collecting
personal information from a child, to collect personal information
from a child in a manner that violates the regulations prescribed
under subsection (b)'').
\38\ See, e.g., ANA, at 4-5; Interactive Advertising Bureau
(``IAB''), at 4-5; internet Association, at 19; Software &
Information Industry Association (``SIIA''), at 4; The Toy
Association, at 3, 8, 10, 16.
\39\ See, e.g., Family Online Safety Institute (``FOSI''), at 6
(noting that ``[i]f a constructive knowledge standard were imposed,
it is likely that all general audience sites and services would
start treating all users as children, or turn off any services that
might benefit minors clearly older than 13. This would have serious
implications for free speech, or could lead to an increase in age
gating, which is ineffective and often results--paradoxically--in
increased collection of data from all users, including children'');
Digital Content Next, at 1 (stating that ``[w]e believe that
expanding the actual knowledge standard might inadvertently harm the
privacy of children in two ways. First, if COPPA were expanded to
apply in situations where a company has no actual knowledge that the
consumer is under 13 years of age or when the company is not
providing services directed to children, companies would need to
collect significantly more data from children and their parents or
guardians to meet the obligations of COPPA including obtaining
consent. Second, in order to avoid COPPA compliance, some companies
may decide to withdraw content that is intended for teenagers or
young adults in order to avoid the risk of interacting with
children'').
\40\ See, e.g., 64 FR 59888 at 59892 (noting that ``COPPA does
not require operators of general audience sites to investigate the
ages of their site's visitors . . .'').
\41\ See ANA, at 5.
\42\ Engine, at 5.
---------------------------------------------------------------------------
The Commission declines to change the Rule to bring operators of
general audience sites and services under COPPA's jurisdiction based on
constructive knowledge. As the Commission noted in 2011, Congress has
already rejected a constructive knowledge approach with respect to
COPPA. Specifically, the legislative history indicates that Congress
originally drafted COPPA to apply to operators that ``knowingly''
collect personal information from children, a standard which would
include actual, implied, or constructive knowledge.\43\ After
consideration of witness testimony, however, Congress modified the
knowledge standard in the final legislation to require ``actual
knowledge.'' \44\ This deliberate decision to reject the more expansive
approach makes clear that Congress did not intend for the ``actual
knowledge'' standard to be read to include the concept of constructive
knowledge. The Commission rejected calls for a move to a lesser
knowledge standard for general audience operators while considering the
2013 Amendments,\45\ and the Commission again declines to do so.\46\
---------------------------------------------------------------------------
\43\ See 76 FR 59804 at 59806, n. 26 (citing Senate and House
bills), noting that ``Under federal case law, the term `knowingly'
encompasses actual, implied, and constructive knowledge.''
\44\ Id. (citing internet Privacy Hearing: Hearing on S. 2326
Before the Subcomm. On Commc'ns of the S. Comm. On Commerce,
Science, & Transp., 105th Cong. 1069 (1998)).
\45\ See 76 FR 59804 at 59806.
\46\ As noted above, various commenters recommended that the
Rule's actual knowledge standard cover operators of general audience
sites and services that ignore or willfully disregard the age of
their users. See, e.g., Common Sense Media, at 12; 5Rights
Foundation, at 3-4; Consumer Reports, at 8-9.
The concept of actual knowledge includes willful disregard. See,
e.g., Glob.-Tech Appliances, Inc. v. SEB S.A., 563 U.S. 754, 766
(2011) (noting that ``[i]t is also said that persons who know enough
to blind themselves to direct proof of critical facts in effect have
actual knowledge of those facts''). Therefore, the Rule already
applies to instances in which an operator of a general audience site
or service willfully disregards the fact that a particular user is a
child.
---------------------------------------------------------------------------
III. Comments on the Rebuttable Presumption
Operators of websites or online services directed to children that
collect personal information from their users must comply with COPPA
regardless of whether they have actual knowledge that a particular user
is, in fact, a child. Accordingly, as a practical matter, operators of
child-directed sites and services must presume that all users are
children.\47\
---------------------------------------------------------------------------
\47\ See, e.g., 78 FR 3972 at 3984 (``The Commission retains its
longstanding position that child-directed sites or services whose
primary target audience is children must continue to presume all
users are children and to provide COPPA protections accordingly'').
---------------------------------------------------------------------------
Through the 2013 Amendments, the Commission extended COPPA
liability to operators that have actual knowledge
[[Page 2038]]
they are collecting personal information directly from the users of
another website or online service that is child-directed.\48\ Under the
Rule, such an operator ``has effectively adopted that child-directed
content as its own and that portion of its service may appropriately be
deemed to be directed to children.'' \49\
---------------------------------------------------------------------------
\48\ See 16 CFR 312.2, definition of ``website or online service
directed to children,'' paragraph 2.
\49\ 78 FR 3972 at 3978.
---------------------------------------------------------------------------
The Commission sought comments in its 2019 Rule Review Initiation
on whether it should permit general audience platforms that allow third
parties to upload content to the platform to rebut the presumption that
all users of uploaded child-directed content are in fact children. In
seeking comment on this issue, the Commission stated that absent actual
knowledge that the uploaded content is child-directed, the platform
operator is not responsible for complying with the Rule. Therefore, the
FTC noted that the platform operator may have an incentive to avoid
gaining knowledge about the nature of the uploaded content.\50\ The
Commission asked whether allowing general audience platform operators
to rebut this presumption, thereby allowing them to treat users under
age 13 differently from older users, would incentivize platform
operators to take affirmative steps to identify child-directed content
and treat users of that content in accordance with the Rule. The
Commission also asked about the types of steps platforms could take to
overcome the presumption that all users of child-directed content are
children.
---------------------------------------------------------------------------
\50\ 84 FR 35842 at 35845-35846. In extending liability to
operators of general audience sites and services with actual
knowledge, the Commission discussed, but expressly rejected,
imposing a ``reason to know'' standard. 78 FR 3972 at 3977-78.
Accordingly, the 2013 Amendments do not impose a duty on operators
of general audience websites and online services to investigate
whether they are collecting personal information from users of
child-directed sites or services.
---------------------------------------------------------------------------
Relying on a variety of arguments, many consumer and privacy
advocates opposed the notion of modifying the Rule to allow operators
of general audience platforms to rebut the presumption that users of
child-directed content uploaded to the platform by third parties are
children. For example, a coalition of consumer organizations argued
against allowing general audience platforms to rebut the presumption,
pointing to the fact that families often share devices, accounts, and
apps and that, as a result, many children likely access child-directed
content while logged into a parent's account. Because of this, they
argued that if the FTC modifies the presumption, ``it would lead to
widespread mislabeling of children as adults and large numbers of
under-protected children.'' \51\ Other commenters echoed the concern
that because users in a household may share devices that are
persistently signed in, operators may incorrectly determine that a user
is an adult.\52\
---------------------------------------------------------------------------
\51\ Georgetown University Law Center's Institute for Public
Representation submitted a joint comment on behalf of the following
nineteen consumer groups: Campaign for a Commercial-Free Childhood;
The Center for Digital Democracy; Alana Institute; American Academy
of Pediatrics; Badass Teachers Association; Berkeley Media Studies
Group; Consumer Action; Consumer Watchdog; Defending the Early
Years; Electronic Frontier Foundation; Obligation, Inc.; P.E.A.C.E
(Peace Educators Allied for Children Everywhere); Parent Coalition
for Student Privacy; Parents Across America; Parents Television
Council; Public Citizen; Story of Stuff; TRUCE (Teachers Resisting
Unhealthy Childhood Entertainment); and U.S. PIRG (``Joint Consumer
Groups''), at iii, 35-36.
\52\ See, e.g., Consumer Reports, at 19 (``[B]rowsers and other
connected services are increasingly using always-logged-in features
in order to make the browsing experience more seamless across
devices . . . Although this allows the company to easily sync data
across devices, it means that if a child then uses that device to go
to YouTube [K]ids or another service it will appear that an adult is
logged on and viewing the content''); SuperAwesome, at 28 (``Given
the prevalence of shared devices, the only current method to safely
detect whether a child or an adult is viewing particular content is
by virtue of the type of content. E.g., preschool content is mostly
likely viewed by preschoolers. We are particularly concerned about
logged-in parents on kids' content, where there is a presumption
that the adult is enjoying the kids' content. In our experience,
this is rarely the case. In the vast majority of situations it is a
child using an adult's device. For this reason, the only safe
approach is to default to considering the user a child based on a
subjective assessment of the content'') (bold typeface omitted).
---------------------------------------------------------------------------
Another commenter, while acknowledging the ``perverse incentive''
operators have to avoid gaining actual knowledge, raised concern about
operators' ability to effectively establish which of their users are
children.\53\ The commenter argued that, until operators are
transparent about methods used to determine which users are children
and such methods are deemed effective, permitting operators to rebut
the presumption may result in children being treated as adults.\54\
---------------------------------------------------------------------------
\53\ 5Rights Foundation, at 4 (also arguing that that the most
privacy-protective way of addressing the incentive is to make it
more difficult for operators to avoid gaining actual knowledge). See
also Consumer Reports, at 18-19 (raising concern about the lack of
transparency as to how general audience services determine the
population of children that use the service).
\54\ 5Rights Foundation, at 4.
---------------------------------------------------------------------------
One commenter argued that, ``in the vast majority of cases,'' users
of child-directed content are, in fact, children.\55\ This commenter
further stated that allowing operators to rebut the presumption would
prioritize allowing companies to engage in targeted advertising over
ensuring that general audience platforms comply with COPPA.\56\ Another
commenter noted that, despite the alleged existence of subcultures of
adult viewership of kids' content, the adult viewership of such content
is likely very small.\57\ The commenter further argued that protecting
those adults' right to receive personalized advertising does not
outweigh the risk of collecting personal data from children and
tracking them online.\58\
---------------------------------------------------------------------------
\55\ Consumer Reports, at 19.
\56\ Id.
\57\ SuperAwesome, at 27.
\58\ Id. See also P. Aftab, at 15 (arguing that the convenience
of adults accessing child-directed material should not outweigh
children's privacy).
---------------------------------------------------------------------------
A number of State Attorneys General argued that modifying the Rule
to allow rebuttal is unlikely to incentivize platforms to identify and
police child-directed content.\59\ These commenters claimed that, even
with the ability to rebut the presumption, platforms would have a
greater incentive not to know about the presence of child-directed
content because this would allow them to collect data for targeted ads
from all users.\60\ Additionally, an FTC-approved COPPA Safe Harbor
program argued that allowing rebuttal would ``be complex and unfairly
benefit large tech companies who may be the only companies with the
wherewithal, rich customer data, and back-end infrastructure to meet
the criteria for rebuttal.'' \61\
---------------------------------------------------------------------------
\59\ Joint Attorneys General, at 13-14 (adding that they do not
support permitting a rebuttable presumption absent robust measures--
beyond logged in status or periodic reauthorization--to confirm a
user is 13 or older, stating that such measures can include
requiring operators to ask during the account creation process
whether a child ever uses the account holder's device).
\60\ Id. At 13.
\61\ kidSAFE, at 13 (also suggesting that the Rule's existing
mixed audience category could potentially serve the underlying
purpose of not treating child-directed content audiences as
exclusively under 13).
---------------------------------------------------------------------------
On the other hand, a number of industry commenters supported
allowing general audience platforms to rebut the presumption that all
users of child-directed content are necessarily children. Google argued
that rebuttal ``with the appropriate safeguards, would allow those
users to benefit from social engagement with the content and would
allow content creators to benefit from increased monetization options,
supporting continued investment in such content.'' \62\ Without the
ability to rebut the presumption, Google argued that platforms must
degrade adults' user
[[Page 2039]]
experience, including by preventing interactivity with other adults.
Google also distinguished general audience platforms with third-party
content from ``static'' child-directed websites intended for a single
audience, noting that such platforms ``have significant adult user
bases that engage with traditionally child-directed content.'' \63\
---------------------------------------------------------------------------
\62\ Google, at 7-8, 11-12 (also arguing that allowing rebuttal
does not require a Rule modification because the presumption is not
codified in the COPPA statute or Rule).
\63\ Id. At 8.
---------------------------------------------------------------------------
Other commenters made similar arguments. One trade association
stated that some general audience platforms ``have significant adult
user bases'' and feature child-directed content that may appeal to
users of varying ages, such as crafting or science education
content.\64\ It claimed that the audience presumption harms adult users
of child-directed content by denying them the ability ``to find
community, learn, and discover new content.'' \65\ Another trade
association noted that adults might want ``to interact with child-
directed content for a variety of reasons, including nostalgia or to
find content suitable for their children or students.'' \66\
---------------------------------------------------------------------------
\64\ SIIA, at 5.
\65\ Id.
\66\ CCIA, at 13.
---------------------------------------------------------------------------
A majority of the commenters that support modifying the Rule to
permit rebuttal also recommended against the Commission proscribing
specific means by which a general audience platform could rebut the
presumption, calling instead for a flexible, standards-based approach
that would allow platforms to employ a variety of measures to overcome
the presumption. For example, citing ``advancements in technology and
age-screening,'' one trade association recommended allowing rebuttal
through reliance on a neutral age gate combined with additional steps
to confirm identity, such as re-entry of a password.\67\ The commenter
also suggested that the Commission allow industry to explore
alternative methods such as fingerprint, voiceprint, or device PIN.\68\
Other commenters recommended similar flexibility in approach.\69\
---------------------------------------------------------------------------
\67\ internet Association, at 18-19.
\68\ Id. At 19.
\69\ See Centre for Information Policy Leadership (``CIPL''), at
7 (supporting rebuttal where platforms take reasonable steps such as
a neutral age gate plus additional verification, adding that the
Commission should permit companies to adopt their own approach as
long as they meet certain standards set by FTC); CCIA, at 14
(recommending the FTC adopt an ``adaptable standards-based
approach'' for permitting general audience services to treat adult
users interacting with child-directed content as adults, including
the use of neutral age screening in conjunction with periodic
password reauthorization and ``verification methods that may be
appropriate in additional contexts, such as submitting a voiceprint
or device PIN''); Google, at 10-11 (recommending the FTC adopt a
``reasonably calculated'' standard similar to the parental consent
standard that provides reasonable assurance that the person engaging
with the content is an adult, and further suggesting use of a
neutral age gate in combination with such mechanisms as password re-
authentication, fingerprint, or device PINs); SIIA, at 5 (supporting
a ``standards-based approach to rebut presumption relying on neutral
age gates plus additional steps like password authorization or
alternative verification methods''); U.S. Chamber of Commerce, at 7
(supporting an adaptable standards-based approach rather than
prescriptive measures); Yoti, at 16 (supporting the various
mechanisms suggested in the Commission's 2019 Rule Review
Initiation, but adding that because some may not work in certain
circumstances, they should be options as opposed to a mandatory
list).
---------------------------------------------------------------------------
Many of the comments supporting rebuttal of the presumption also
argued against tying rebuttal to a requirement that the platform
investigate and identify child-directed content on the platform. These
commenters asserted that such a requirement would change the Rule's
actual knowledge standard to a constructive knowledge standard, which
would ``contravene [c]ongressional intent'' \70\ and impose an
unreasonable burden on platforms that would chill investment into the
production of child-directed content.\71\ One commenter cautioned that
requiring the platform operators to identify whether uploaded content
is child-directed could raise First Amendment concerns.\72\
---------------------------------------------------------------------------
\70\ CCIA, at 14.
\71\ See U.S. Chamber of Commerce, at 7; ANA, at 5-6; Google, at
11.
\72\ Center for Democracy & Technology (``CDT''), at 9 (further
adding that the Commission should not consider costs and benefits
unrelated to privacy (e.g., exposure to age-inappropriate content)
as such concerns fall outside COPPA's statutory focus). But see
SuperAwesome, at 29 (recommending the Commission consider costs and
benefits unrelated to privacy, noting that allowing a rebuttal
``will significantly increase the risk of exposing children to
inappropriate content, including inappropriate advertising, and
potentially dangerous user-generated content'').
---------------------------------------------------------------------------
After reviewing the submitted comments, the Commission does not
propose modifying the Rule to permit general audience platforms to
rebut the presumption that all users of child-directed content are
children. The Commission finds persuasive the concerns raised in the
comments about the practicality of allowing operators of such platforms
to rebut this presumption. In particular, the Commission believes that
the reality of parents and children sharing devices, along with account
holders remaining perpetually logged into their accounts, could make it
difficult for an operator to distinguish reliably between those users
who are children and those who are not.
The Commission recognizes that allowing platforms to rebut the
presumption would permit additional forms of monetization and, in some
instances, provide additional functionality and convenience for adults
interacting with child-directed content. Such benefits, however, simply
do not outweigh the important goal of protecting children's privacy.
Moreover, as set forth in the Commission's 2019 Rule Review Initiation,
the reason for considering whether to allow platforms to rebut the
audience presumption was to create an incentive for them to ``identify
and police child-directed content uploaded by others.'' \73\ Many
commenters supporting the addition of this rebuttal expressed strong
opposition to such a duty, thereby undercutting the rationale for
modifying the Rule.
---------------------------------------------------------------------------
\73\ 84 FR 35842 at 35846.
---------------------------------------------------------------------------
Finally, through its recognition of the ``mixed audience'' category
of websites and online services, the Commission essentially allows
operators to rebut the presumption as to the users of a subset of
child-directed sites and services that do not target children as their
primary audience. For example, where third-party content on a platform
is child-directed under the Rule's multi-factor test but the platform
does not target children as its primary audience, the operator can
request age information and provide COPPA protections only to those
users who are under 13. The Commission believes the mixed audience
category affords operators an appropriate degree of flexibility.\74\
---------------------------------------------------------------------------
\74\ While it is possible that the sharing of devices between
parents and children can lead to complexities in determining the
``mixed audience'' nature of a website or online service, the
Commission believes on balance that there is value in continuing to
allow for a mixed audience designation.
---------------------------------------------------------------------------
IV. Proposed Modifications to the Rule
As discussed in Part I, comments reflect overall support for COPPA
and a recognition that it is an important and helpful tool for
protecting children's online privacy. Additionally, many comments
indicate support for the 2013 Amendments.\75\
---------------------------------------------------------------------------
\75\ See, e.g., SuperAwesome; PRIVO; ESA; Electronic Privacy
Information Center (``EPIC''); and Joint Consumer Groups. But see,
e.g., Skyship Entertainment; J. Johnston (J House Vlogs); H. and S.
Jho (Sockeye Media LLC); and ICLE. These commenters, many of whom
are content creators on YouTube, opposed the Rule changes and/or the
FTC's 2019 enforcement action against Google LLC and its subsidiary
YouTube, LLC (``YouTube Case''), Federal Trade Commission & People
of the State of New York v. Google LLC & YouTube, LLC, Case No.
1:19-cv-2642 (D.D.C. 2019), available at <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3083-google-llc-youtube-llc">https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3083-google-llc-youtube-llc</a>.
These commenters asserted that the 2013 Amendments and the YouTube
Case have affected the availability of children's content on YouTube
due to creators' inability to monetize through personalized
advertisements. Additional commenters criticized the 2013 Amendments
for other reasons, such as purported negative consequences to
industry or beliefs that the 2013 Amendments strayed from the
purpose of the COPPA statute. See, e.g., Committee for Justice;
TechFreedom; and Competitive Enterprise Institute.
---------------------------------------------------------------------------
[[Page 2040]]
Despite this overall support, the Commission believes it is
appropriate to modify a number of the Rule's provisions in light of the
record developed through the 2019 Rule Review Initiation--including the
COPPA Workshop and the large number of public comments received--as
well as the FTC's two decades of experience enforcing the Rule. The
Commission intends these modifications to update certain aspects of the
Rule, taking into account technological and other relevant
developments, and to provide additional clarity to operators on the
Rule's existing requirements. Specifically, the Commission proposes
modifying most provisions of the Rule, namely the following areas:
Definitions; Notice; Parental Consent; Parental Right to Review;
Confidentiality, Security, and Integrity of Children's Personal
Information; Data Retention and Deletion; and Safe Harbor Programs. In
addition, the Commission proposes minor modifications to the sections
on Scope of Regulations and Voluntary Commission Approval Processes to
address technical corrections.
Additionally, the Commission proposes some revisions to the Rule to
address spelling, grammatical, and punctuation issues. For example, as
noted above, the Commission proposes to modify Sec. 312.1 regarding
the scope of regulations, specifically to change the location of
commas. Similarly, the Commission proposes amending the Rule to change
the term ``Web site'' to ``website'' throughout the Rule, including in
various definitions that use this term. This construction aligns with
the COPPA statute's use of the term, as well as how that term is
currently used in today's marketplace. This NPRM incorporates this
proposed change in all instances in which the term ``Web site'' is
used. The Commission does not intend for these proposed modifications
to alter existing obligations or create new obligations under the Rule.
A. Definitions (16 CFR 312.2)
The Commission proposes to modify a number of the Rule's
definitions in order to update the Rule's coverage and functionality
and, in certain areas, to provide greater clarity regarding the Rule's
intended application. The Commission proposes modifications to the
definitions of ``online contact information'' and ``personal
information.'' The Commission also proposes modifications to the
definition of ``website or online service directed to children,''
including by adding a stand-alone definition for ``mixed audience
website or online service.'' Additionally, the Commission proposes
adding definitions for ``school'' and ``school-authorized education
purpose.'' These two new definitions relate to the Rule's proposed new
parental consent exception--a codification of longstanding Commission
guidance by which operators rely on school authorization to collect
personal information in limited circumstances rather than on parental
consent. Finally, the Commission proposes modifications to the second
paragraph of the definition of ``support for the internal operations of
the website or online service.''
1. Online Contact Information
Section 312.2 of the Rule defines ``online contact information'' as
``an email address or any other substantially similar identifier that
permits direct contact with a person online, including but not limited
to, an instant messaging user identifier, a voice over internet
protocol (VOIP) identifier, or a video chat user identifier.'' Online
contact information is considered ``personal information'' under the
Rule. Under certain parental consent exceptions, the Rule permits
operators to collect online contact information from a child for
certain purposes, such as initiating the process of obtaining
verifiable parental consent, without first obtaining verifiable
parental consent.
To improve the Rule's functionality, the Commission proposes
amending this definition by adding ``an identifier such as a mobile
telephone number provided the operator uses it only to send a text
message'' to the non-exhaustive list of identifiers that constitute
``online contact information.'' As discussed later in this Part, this
modification would allow operators to collect and use a parent's or
child's mobile phone number in certain circumstances, including in
connection with obtaining parental consent through a text message.
Although the Commission did not raise the issue of adding mobile
telephone numbers to the online contact information definition in its
2019 Rule Review Initiation, some commenters supported such a
modification in discussing the Rule's parental consent requirement.\76\
One commenter noted that parents increasingly rely on telephone and
cloud-based text messaging services,\77\ and another similarly noted
that permitting parents to utilize text messages to provide consent
would be more in sync with current technology and parental
expectations.\78\ Commenters also stated that mobile communication
mechanisms are more likely to result in operators reaching parents for
the desired purpose of providing notice and obtaining consent, and that
sending a text message may be one of the most direct and easily
verifiable methods of contacting a parent.\79\ Further, one commenter
posited that the chance of a child submitting his or her own mobile
number in order to circumvent a valid consent mechanism is no greater
than, for instance, a child submitting his or her own email
address.\80\
---------------------------------------------------------------------------
\76\ See, e.g., kidSAFE, at 3-4. More generally, several other
commenters recommended modifying the Rule to allow the use of text
messaging in connection with obtaining parental consent. See The Toy
Association, at 4; ESA, at 24-26; ANA, at 12; Entertainment Software
Rating Board (``ESRB''), at 8.
\77\ kidSAFE, at 4.
\78\ ESA, at 24-25.
\79\ kidSAFE, at 3-4; ANA, at 12.
\80\ kidSAFE, at 4.
---------------------------------------------------------------------------
The Commission agrees that permitting parents to provide consent
via text message would offer them significant convenience and utility.
The Commission also recognizes that consumers are likely accustomed to
using mobile telephone numbers for account creation or log-in purposes.
For these reasons, the Commission is persuaded that operators should be
able to collect parents' mobile telephone numbers as a method to obtain
consent from the parent. Therefore, the Commission proposes adding
mobile telephone numbers to the definition of ``online contact
information.''
Modifying the definition in this way, however, will also enable
operators to collect and use a child's mobile telephone number to
communicate with the child, including--under various parental consent
exceptions--prior to the operator obtaining parental consent.\81\ The
Commission does not seek to allow operators to use children's mobile
telephone numbers to call them prior to the operator obtaining parental
consent. Therefore, the Commission proposes including the qualifier
``provided the operator uses it only to send a text message'' to ensure
that operators cannot call the child using the mobile telephone number,
unless and until the operator seeks and obtains a parent's verifiable
parental consent to do so.\82\
---------------------------------------------------------------------------
\81\ 16 CFR 312.5(c)(1), (3), (4), (5), and (6).
\82\ Because various parental consent exceptions allow operators
to collect a child's ``online contact information'' without first
obtaining verifiable parental consent, the Commission proposes
limiting operators from using such information to call a child.
However, this proposal does not prevent an operator from making
telephone calls after the operator has obtained consent. Indeed, the
definition of ``personal information'' includes a telephone number
under COPPA and the COPPA Rule, and neither the statute nor the Rule
includes a prohibition on using that information to make telephone
calls.
---------------------------------------------------------------------------
[[Page 2041]]
This proposed modification is a departure from the position the
Commission previously took when it declined to include mobile telephone
numbers within the definition of ``online contact information.'' In
discussing the 2013 Amendments, the Commission stated that the COPPA
statute did not contemplate adding mobile telephone numbers as a form
of online contact information, and therefore it determined not to
include mobile telephone numbers within the definition.\83\ However,
the Commission also stated at that time that the list of identifiers
constituting online contact information was non-exhaustive and would
encompass other substantially similar identifiers that permit direct
contact with a person online.\84\ As part of the 2013 Amendments, the
Commission revised the definition to include examples of such
identifiers, and the Commission now believes that adding mobile
telephone numbers to this list is appropriate.
---------------------------------------------------------------------------
\83\ See 78 FR 3972 at 3975. At that time, the Commission also
questioned whether adding mobile telephone numbers would result in
greater convenience for parents in providing consent, noting that
children might have difficulty distinguishing between a parent's
mobile number and a landline number. See 78 FR 3972 at 3975. This
concern seems less significant today given that many more consumers
now rely exclusively on their mobile phone.
\84\ 78 FR 3972 at 3975, citing 76 FR 59804 at 59810.
---------------------------------------------------------------------------
Specifically, consumers today widely use over-the-top messaging
platforms, which are platforms that utilize the internet instead of a
carrier's mobile network to exchange messages. These platforms include
Wi-Fi messaging applications, voice over internet protocol applications
that have messaging features, and other messaging applications. Because
a consumer's mobile telephone number is often used as the unique
identifier through which a consumer can exchange messages through these
over-the- top platforms, mobile telephone numbers permit direct contact
with a person online, thereby meeting the statutory requirements for
this definition.\85\
---------------------------------------------------------------------------
\85\ 15 U.S.C. 6501(12) (providing that ``the term `online
contact information' means an email address or another substantially
similar identifier that permits direct contact with a person
online'' (emphasis added)).
---------------------------------------------------------------------------
When the Commission enacted the 2013 Amendments, the use of over-
the-top messaging platforms was more nascent and growing in adoption.
Today, the prevalent and widespread adoption of such messaging
platforms allows consumers to use these platforms as their primary form
of text messaging. Therefore, the Commission finds it appropriate to
propose amending the definition of ``online contact information'' to
include ``an identifier such as a mobile telephone number provided the
operator uses it only to send a text message.'' The Commission welcomes
comment on this proposed modification. In particular, the Commission is
interested in understanding whether allowing operators to contact
parents through a text message to obtain verifiable parental consent
presents security risks to the recipient of the text message,
especially if the parent would need to click on a link provided in the
text message.
2. Personal Information
The COPPA statute defines ``personal information'' as individually
identifiable information about an individual collected online,
including, for example, a first and last name, an email address, or a
Social Security number.\86\ The COPPA statute also includes within the
definition ``any other identifier that the Commission determines
permits the physical or online contacting of a specific individual.''
\87\
---------------------------------------------------------------------------
\86\ See 15 U.S.C. 6501(8).
\87\ 15 U.S.C. 6501(8)(F). As part of the 2013 Amendments, the
Commission used this statutory authority to add several new
identifiers to the COPPA Rule's definition of ``personal
information.'' See 78 FR 3972 at 3978-83. For example, the
Commission added a photograph, video, or audio file containing a
child's image or voice, and it also included geolocation information
sufficient to identify street name and name of a city or town.
Additionally, the Commission added persistent identifiers that can
be used to recognize a user over time and across different websites
or online services, which the Rule had previously only covered when
associated with individually identifiable information. See 64 FR
59888 at 59912.
---------------------------------------------------------------------------
a. Biometric Data
The Commission proposes using its statutory authority to expand the
Rule's coverage by modifying the Rule's definition of ``personal
information'' to include ``[a] biometric identifier that can be used
for the automated or semi-automated recognition of an individual,
including fingerprints or handprints; retina and iris patterns; genetic
data, including a DNA sequence; or data derived from voice data, gait
data, or facial data.'' \88\ The Commission believes this proposed
modification is necessary to ensure that the Rule is keeping pace with
technological developments that facilitate increasingly sophisticated
means of identification.
---------------------------------------------------------------------------
\88\ Given that the Rule's definition of ``personal
information'' currently includes ``a photograph, video, or audio
file where such file contains a child's image or voice,'' the
Commission believes facial features, voice, and gait are already
covered under the Rule. 16 CFR 312.2, definition of ``personal
information,'' paragraph 8. However, in light of the inherently
personal and sensitive nature of data derived from voice data, gait
data, and facial data, the Commission proposes to cover this data
within the proposed list of biometric identifiers.
---------------------------------------------------------------------------
The majority of comments addressing the question of whether to
expand the Rule's definition of ``personal information'' supported the
addition of biometric data.\89\ These commenters asserted that
different types of biometric data can be used to contact specific
individuals. For example, a coalition of consumer groups recommended
adding biometric data, including genetic data, fingerprints, and
retinal patterns, to the Rule's enumerated list of ``personal
information.'' \90\ These commenters cited consumer products' current
use of biometrics to identify and authenticate users through such
mechanisms as fingerprints and face scans.\91\ They also noted that
while some types of personal information may be altered to protect
privacy, biometric data collected today may be used to identify and
contact specific children for the rest of their lives.\92\ Several
other commenters also argued that the permanent and unalterable nature
of biometric data makes it particularly sensitive.\93\ Additional
commenters noted that many states have expanded the definition of
personally identifiable information to include biometric data as have
other federal laws and regulations, such as the Department of
Education's Family Educational Rights and Privacy Act (``FERPA'')
Regulations, 34 CFR 99.3.\94\
---------------------------------------------------------------------------
\89\ See, e.g., Attorney General of Arizona, at 2; Joint
Attorneys General, at 7; Consumer Reports, at 14; SuperAwesome, at
12; CARU, at 3-5; ESRB, at 5; and kidSAFE, at 6.
\90\ Joint Consumer Groups, at 52-53.
\91\ Id. at 53 (citing Heather Kelly, Fingerprints and Face
Scans Are the Future of Smartphones. These Holdouts Refuse to Use
Them, Wash. Post (Nov. 15, 2019)).
\92\ Joint Consumer Groups, at 53.
\93\ CARU, at 4; H. Adams, at 3; Joint Attorneys General, at 7,
11-12.
\94\ Future of Privacy Forum (``FPF''), at 4-5; D. Derigiotis
Burns Wilcox, at 1-2.
---------------------------------------------------------------------------
A small number of commenters urged the Commission to proceed
cautiously with respect to adding biometric data to the Rule's personal
information definition. These commenters suggested that such an
expansion could stifle innovation \95\ or questioned whether biometric
data allows the physical or online contacting of a specific
individual.\96\ Some commenters also
[[Page 2042]]
recommended that, if the Commission does define biometric data as
personal information, it should consider appropriate exceptions, for
example, where the data enhances the security of a child-directed
service \97\ or the operator promptly deletes the data.\98\
---------------------------------------------------------------------------
\95\ The App Association (``ACT''), at 4.
\96\ CCIA, at 4; The Toy Association, at 3, 17.
\97\ The Toy Association, at 3, 17.
\98\ kidSAFE, at 6.
---------------------------------------------------------------------------
The Commission believes that, as with a photograph, video, or audio
file containing a child's image or voice, biometric data is inherently
personal in nature. Indeed, the Commission agrees with the many
commenters \99\ who argued that the personal, permanent, and unique
nature of biometric data makes it sensitive, and the Commission
believes that the privacy interest in protecting such data is a strong
one.
---------------------------------------------------------------------------
\99\ See, e.g., Joint Consumer Groups, at 53; CARU, at 3-5; H.
Adams, at 3; Joint Attorneys General, at 11-12.
---------------------------------------------------------------------------
And, as with some facial and voice recognition technologies, the
Commission believes that biometric recognition systems are sufficiently
sophisticated to permit the use of identifiers such as fingerprints and
handprints; retina and iris patterns; genetic data, including a DNA
sequence; and data derived from voice data, gait data, or facial data
to identify and contact a specific individual either physically or
online.
The Commission notes that the specific biometric identifiers that
it proposes adding to the Rule's personal information definition are
examples and not an exhaustive list. The Commission welcomes further
comment on this proposed modification, including whether it should
consider additional biometric identifier examples and whether there are
appropriate exceptions to any of the Rule's requirements that it should
consider applying to biometric data, such as exceptions for biometric
data that has been promptly deleted.
b. Inferred and Other Data
In addition to biometric data, the Commission also asked for
comment on whether it should expand the Rule's definition of ``personal
information'' to include data that is inferred about, but not directly
collected from, children, or other data that serves as a proxy for
``personal information.'' Several commenters recommended such an
expansion.\100\ For example, one commenter stated that inferred data,
including predictive behavior, is often incredibly sensitive and that
even when it is supplied in the aggregate, can be easily re-
identified.\101\ The commenter also noted that certain State laws
include inferred data in their definitions of personally identifiable
information.\102\ Another pointed to the ability of analysts to infer
personal information that the Rule covers, such as an individual's
geolocation, from data that currently falls outside the Rule's
scope.\103\
---------------------------------------------------------------------------
\100\ See, e.g., Joint Consumer Groups, at 53-54 (supporting the
inclusion of inferred data); London School of Economics, at 1, 9
(supporting the inclusion of inferred data from profiling and other
data analytics); SuperAwesome, at 18 (supporting the inclusion of
inferred data, health and activity information derived from fitness
trackers, and household viewing data from automated content
recognition systems in televisions and video streaming devices); C.
Frascella, at 2-3 (supporting the inclusion of personal information
collected from children through digital reproduction technology);
Parent Coalition for Student Privacy, at 5-8 (supporting, among
other things, the inclusion of inferred data and proxy data, such as
the language spoken at home and the length of time the child has
lived in the United States); UnidosUS (``Unidos''), at 5 (urging the
Commission to study the use of ``cultural cues'' as personal
information). See also, e.g., National Center on Sexual
Exploitation, at 2 (expressing general support for expanding the
definition of ``personal information'' to protect children).
\101\ Parent Coalition for Student Privacy, at 5.
\102\ Id. (citing Colorado's Student Data Transparency and
Security Act and California's Consumer Privacy Act).
\103\ Joint Consumer Groups, at 54 (``For example, non-
geolocation ambient data collected by a mobile device operating
system does not constitute an independently enumerated category of
personal information under the current iteration of the COPPA Rule.
But a savvy analyst could use data collected by a mobile device to
infer specific geolocation or other details that clearly would fall
under the COPPA Rule definition of personal information'') (emphasis
in original).
---------------------------------------------------------------------------
Commenters opposed to including inferred data stated that such an
expansion would not be in accordance with the COPPA statute, which
covers data collected ``from'' a child.\104\ Some commenters opposed to
the inclusion of inferred data argued that inferred data does not
permit the physical or online contacting of the child.\105\ Some
commenters also expressed concern that adding inferred data would
create ambiguity and hamper companies' abilities to provide websites
and online services to children, would stifle new products and
services, and may prohibit the practice of contextual advertising.\106\
---------------------------------------------------------------------------
\104\ See, e.g., IAB, at 4; NCTA--The internet and Television
Association (``NCTA''), at 5-7; U.S. Chamber of Commerce, at 3. See
also CCIA, at 4 (asserting that the COPPA Rule already covers the
processing of personal information to derive inferences about a
specific user and that the use of aggregated data that does not
relate to a specific user is outside the scope of the COPPA
statute's definition of ``personal information'').
\105\ See, e.g., IAB, at 4; The Toy Association, at 16-17.
\106\ See CIPL, at 2; U.S. Chamber of Commerce, at 3; IAB, at 4;
internet Association, at 5-6; PRIVO, at 8.
---------------------------------------------------------------------------
The Commission has decided not to propose including inferred data
or data that may serve as a proxy for ``personal information'' within
the definition. As several commenters correctly note, the COPPA statute
expressly pertains to the collection of personal information from a
child.\107\ Therefore, to the extent data is collected from a source
other than the child, such information is outside the scope of the
COPPA statute and such an expansion would exceed the Commission's
authority. Inferred data or data that may serve as a proxy for
``personal information'' could fall within COPPA's scope, however, if
it is combined with additional data that would meet the Rule's current
definition of ``personal information.'' In such a case, the existing
``catch-all'' provision of that definition would apply.\108\
---------------------------------------------------------------------------
\107\ 15 U.S.C. 6502(a)(1).
\108\ See 16 CFR 312.2, definition of ``personal information,''
paragraph 10 (defining ``personal information'' to include
``[i]nformation concerning the child or the parents of that child
that the operator collects online from the child and combines with
an identifier described in this definition'').
---------------------------------------------------------------------------
c. Persistent Identifiers
In 2013, the Commission used its authority under 15 U.S.C.
6501(8)(F) to modify the Rule's definition of ``personal information''
to include persistent identifiers that can be used to recognize a user
over time and across different websites or online services. Prior to
that change, the Rule covered persistent identifiers only when they
were combined with certain types of identifying information.\109\ As
part of the 2019 Rule Review Initiation, the Commission asked for
comment on whether this modification has resulted in stronger privacy
protections for children. The Commission also asked whether the
modification has had any negative consequences.
---------------------------------------------------------------------------
\109\ See 64 FR 59888 at 59912.
---------------------------------------------------------------------------
A number of commenters, citing a variety of reasons, argued that
the amendment to include ``stand-alone'' persistent identifiers as
personal information was incorrect or had caused harm. Several
commenters claimed that persistent identifiers alone do not allow for
the physical or online contacting of a child, and thus should not be
included unless linked to other forms of personal information.\110\
Commenters also argued
[[Page 2043]]
that the persistent identifier modification harmed both operators and
children. Specifically, some commenters pointed to operators' lost
revenue from targeted advertising, which requires collection of
persistent identifiers, and the resulting reduction of available child-
appropriate content online due to operators' inability to monetize such
content.\111\ One commenter stated that while the 2013 modification
``served the widely held goal of excluding children from interest-based
advertising,'' it created uncertainty for operators' use of data for
internal operations.\112\ The commenter suggested that the Commission
consider exempting persistent identifiers used for internal operations
from the Rule's deletion requirements.\113\
---------------------------------------------------------------------------
\110\ See, e.g., TechFreedom, at 8 (``[P]ersistent identifiers
on their own can only identify a device, not a `specific person' as
the COPPA statute requires''); Competitive Enterprise Institute, at
2 (``[P]ersistent online identifiers do not `permit[] the physical
or online contacting of a specific individual' in the sense that
Congress contemplated when it enacted COPPA in 1998''); ICLE, at 6
(``Neither IP addresses nor device identifiers alone `permit the
physical or online contacting of a specific individual' as required
by 15 U.S.C. 6501(8)(F)''); NetChoice, at 3 (``Persistent
identifiers, like cookies, only identify devices--not a person'').
\111\ See, e.g., ICLE, at 7-12. These commenters also included
content creators on YouTube. See, e.g., Skyship Entertainment; J.
Johnston (J House Vlogs); H. and S. Jho (Sockeye Media LLC). See
also CARU, at 1 (noting that ``[t]he addition of `persistent
identifier' to the definition of `Personal Information' has resulted
in improved privacy protections for children but has had negative
consequences for industry, specifically the lack of robust and
creative child-directed content''); IAB, at 4 (noting that this
modification may have had the unintended effect of reducing the
availability of children's online content).
\112\ CCIA, at 3.
\113\ Id.
---------------------------------------------------------------------------
In contrast, other commenters expressed strong support for the 2013
persistent identifier modification. For example, while acknowledging
that it took time for the digital advertising industry to adapt to the
new definition, one commenter described the 2013 modification as
``wholly positive.'' \114\ The commenter also noted that the change
recognized that unique technical identifiers might be just as personal
as traditional identifiers such as name or address when used to
contact, track, or profile users.\115\ The commenter stated that this
change ``laid the groundwork for many countries adopting this expanded
definition of personal information in their updated privacy laws.''
\116\
---------------------------------------------------------------------------
\114\ SuperAwesome, at 18.
\115\ Id. See also Princeton University Center for Information
Technology Policy (``Princeton University''), at 4 (``In the most
recent COPPA Rule revision, the FTC recognized that `persistent
identifiers' are a form of `personal information,' because they
enable singling out a specific user through their device for
contact. This makes sense; we see no basis in computer science for
treating persistent identifiers any differently from other means of
directing communications, such as telephone numbers or email
addresses. While the technical details differ, the use of the
information is the same'').
\116\ SuperAwesome, at 18. This commenter also recommended that
the Commission expand the ``personal information'' definition's non-
exhaustive list of persistent identifiers to include ``device ID,
[a]dvertising ID or similar'' IDs and a ``user agent or other device
information which, when combined, can be used to create a unique
fingerprint of the device.'' SuperAwesome, at 17. Because the Rule
provides examples of persistent identifiers rather than an
exhaustive list, the Commission does not find it necessary to
include these elements within the definition.
---------------------------------------------------------------------------
After reviewing the comments relevant to this issue, the Commission
has decided to retain the 2013 modification including stand-alone
persistent identifiers as ``personal information.'' The Commission is
not persuaded by the argument that persistent identifiers must be
associated with other individually identifiable information to permit
the physical or online contacting of a specific individual. The
Commission specifically addressed, and rejected, this argument during
its discussion of the 2013 Amendments. There, the Commission rejected
the claim that persistent identifiers only permit contact with a
device. Instead, the Commission pointed to the reality that at any
given moment a specific individual is using that device, noting that
this reality underlies the very premise behind behavioral
advertising.\117\ The Commission also reasoned that while multiple
people in a single home often use the same phone number, home address,
and email address, Congress nevertheless defined these identifiers as
``individually identifiable information'' in the COPPA statute.\118\
The adoption of similar approaches in other legal regimes enacted since
the 2013 Amendments further supports the Commission's position.\119\
---------------------------------------------------------------------------
\117\ 78 FR 3972 at 3980.
\118\ Id. (citing 15 U.S.C. 6501(8)).
\119\ See The European Union's General Data Protection
Regulation (``GDPR''), which defines ``personal data'' as ``any
information relating to an identified or identifiable natural person
. . . [A]n identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier
such as . . . an online identifier.'' GDPR, Article 4, available at
<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434</a>. Recital 30 of
the GDPR notes that ``natural persons may be associated with online
identifiers provided by their devices, applications, tools and
protocols, such as [I]nternet [P]rotocol addresses, cookie
identifiers or other identifiers such as radio frequency
identification tags.'' Recital 30, available at <a href="https://eur-lex.europa.eu/eli/reg/2016/679">https://eur-lex.europa.eu/eli/reg/2016/679</a>. The California Privacy Rights Act
similarly defines ``personal information'' as ``information that
identifies, relates to, describes, is reasonably capable of being
associated with, or could reasonably be linked, directly or
indirectly, with a particular consumer or household,'' and includes
identifiers such as online identifiers. Section 3, Title 1.81.5 of
the CCPA, added to Part 4 of Division 3 of the California Civil Code
Sec. 1798.140(v). This approach is also consistent with the FTC's
own precedent. See Protecting Consumer Privacy in an Era of Rapid
Change, Federal Trade Commission (March 2012), available at <a href="https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326bprivacybreport.pdf">https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326bprivacybreport.pdf</a>; FTC Staff Report: Self-
Regulatory Principles For Online Behavioral Advertising (February
2009), available at <a href="https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/p085400behavadreport.pdf">https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/p085400behavadreport.pdf</a>.
---------------------------------------------------------------------------
Nor does the Commission find compelling the argument that the 2013
persistent identifier modification has caused harm by hindering the
ability of operators to monetize online content through targeted
advertising. One of the stated goals of including persistent
identifiers within the definition of ``personal information'' was to
prevent the collection of personal information from children for
behavioral advertising without parental consent.\120\ After reviewing
the comments, the Commission has determined that the privacy benefits
of such an approach outweigh the potential harm, including the
purported harm created by requiring operators to provide notice and
seek verifiable parental consent in order to contact children through
targeted advertising.\121\
---------------------------------------------------------------------------
\120\ 78 FR 3972 at 3979-3981.
\121\ The Commission received comments from content creators who
indicated that the 2013 Amendments resulted in the loss of the
ability to monetize content through targeted advertising. See
Skyship Entertainment; J. Johnston (J House Vlogs); H. and S. Jho
(Sockeye Media LLC). As discussed in Part IV.A.2.c., the 2013
Amendments permit monetization through other avenues, such as
contextual advertising, or through providing notice and seeking
parental consent for the use of personal information for targeted
advertising.
---------------------------------------------------------------------------
Moreover, it bears noting, as the Commission did in 2013, that the
expansion of the personal information definition was coupled with a
newly created exception that allows operators to collect persistent
identifiers from children to provide support for the internal
operations of the website or online service without providing notice or
obtaining parental consent. One of these purposes is serving contextual
advertising, which provides operators another avenue for monetizing
online content. The Commission continues to believe that it struck the
proper balance in 2013 when it expanded the personal information
definition while also creating a new exception to the Rule's
requirements.
3. School and School-Authorized Education Purpose
As discussed in Part IV.C.3.a., the Commission proposes codifying
current guidance on ed tech \122\ by adding an
[[Page 2044]]
exception for parental consent in certain, limited situations in which
a school authorizes an operator to collect personal information from a
child. The Commission also proposes adding definitions for ``school''
and ``school-authorized education purpose,'' terms that are
incorporated into the functioning of the proposed exception and
necessary to cabin its scope. Part IV.C.3.a. provides further
discussion about these definitions.
---------------------------------------------------------------------------
\122\ Policy Statement of the Federal Trade Commission on
Education Technology and the Children's Online Privacy Protection
Act, Federal Trade Commission (May 19, 2022), available at <a href="https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-education-technology-childrens-online-privacy-protection">https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-education-technology-childrens-online-privacy-protection</a>;ComplyingwithCOPPA:FrequentlyAskedQuestions (``COPPA
FAQs''), FAQ Section N, available at <a href="https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions">https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions</a>.
---------------------------------------------------------------------------
4. Support for the Internal Operations of the Website or Online Service
As discussed in Part IV.A.2.c., the 2013 Amendments expanded the
definition of ``personal information'' to include stand-alone
persistent identifiers ``that can be used to recognize a user over time
and across different websites or online services.'' \123\ The 2013
Amendments balanced this expansion by creating an exception to the
Rule's notice and consent requirements for operators that collect a
persistent identifier for the ``sole purpose of providing support for
the internal operations of the website or online service.'' \124\ The
Rule defines ``support for the internal operations of the website or
online service'' to include a number of specified activities and
provides that the information collected to perform those activities
cannot be used or disclosed ``to contact a specific individual,
including through behavioral advertising, to amass a profile on a
specific individual, or for any other purpose.'' \125\
---------------------------------------------------------------------------
\123\ 16 CFR 312.2, definition of ``personal information,''
paragraph 7.
\124\ 16 CFR 312.5(c)(7).
\125\ 16 CFR 312.2, definition of ``support for the internal
operations of the website or online service.'' The definition
includes activities such as those necessary to maintain or analyze
the functioning of a site or service; personalize content; serve
contextual advertising or cap the frequency of advertising; and
protect the security or integrity of the user, site, or service.
---------------------------------------------------------------------------
A variety of commenters recommended modifying the definition of
``support for the internal operations of the website or online
service.'' Multiple consumer and privacy advocates, academics, and one
advertising platform called for the Commission to define ``support for
the internal operations'' narrowly and thereby restrict the exception's
use.\126\ For example, a coalition of consumer groups argued that the
current definition is overly broad, too vague, and allows operators to
avoid or minimize their COPPA obligations.\127\ These commenters cited
the lack of clarity between data collection for permissible content
personalization versus collection for impermissible behavioral
advertising.\128\ To prevent operators from applying the exception too
broadly, the coalition recommended a number of modifications to the
definition, including limiting ``personalization'' to user-driven
actions and to exclude methods designed to maximize user
engagement.\129\
---------------------------------------------------------------------------
\126\ Joint Consumer Groups, at 48-52; S. Egelman, at 5-6
(stating that, from a technical standpoint, persistent identifiers
are not needed to carry out the activities listed in the support for
the internal operations of the website or online service
definition); Princeton University, at 5-7 (expressing reservations
about the scope of the internal operations exception); SuperAwesome,
at 5-7 and 19-20 (noting that the industry-standard persistent
identifiers are not needed for most internal operations and that the
support for the internal operations exception should be
significantly narrowed, if not eliminated).
\127\ Joint Consumer Groups, at 48-52.
\128\ Id. at 48-49.
\129\ Id. at 50-52.
---------------------------------------------------------------------------
Several commenters specifically recommended that the Commission
exclude the practice of ``ad attribution''--which allows the advertiser
to associate a consumer's action with a particular ad--from the support
for the internal operations definition.\130\ A group of State Attorneys
General argued that ad attribution is unrelated to the activities
enumerated in the definition and that the practice ``necessarily
involves `recogniz[ing] a user over time and across different
[websites] or online services.' '' \131\ Another commenter argued that
companies should not be able to track children across online services
to determine which ads are effective because the harm to privacy
outweighs the practice's negligible benefit.\132\
---------------------------------------------------------------------------
\130\ Joint Attorneys General, at 8; Joint Consumer Groups, at
51-52; Consumer Reports, at 14-15.
\131\ Joint Attorneys General, at 8.
\132\ Consumer Reports, at 14-15 (noting that it is unclear
whether companies are following COPPA's existing restraints on
operators' use of the support for the internal operations
exception).
---------------------------------------------------------------------------
In contrast, many industry commenters recommended that the
Commission expand the list of activities that fall under the support
for the internal operations definition. With respect to ad attribution,
these commenters generally cited the practical need of websites and
online services that monetize through advertising to evaluate the
effectiveness of ad campaigns or to measure conversion in order to
calculate compensation for advertising partners.\133\ Some commenters
characterized the practice as common and expected, and they argued that
reducing the ability to monetize would result in the development of
fewer apps and online experiences for children.\134\
---------------------------------------------------------------------------
\133\ ESA, at 17-18; CARU, at 5; The Toy Association, at 14-15;
NCTA, at 10. See also Committee for Justice, at 4.
\134\ See, e.g., kidSAFE, at 6.
---------------------------------------------------------------------------
Several commenters stated that ad attribution already falls within
the definition but supported a Rule modification to make this
clear.\135\ One argued that the definition's prohibition on the
collection of persistent identifiers for behavioral advertising
``serves as a safeguard to assure that [attribution] is appropriately
limited.'' \136\
---------------------------------------------------------------------------
\135\ See, e.g., The Toy Association, at 14-15; NCTA, at 10;
ESA, at 18; CARU, at 5. See also PRIVO, at 8 (noting that ``the
Commission should make clear whether attribution and remarketing can
be claimed to be support for internal operations'').
\136\ The Toy Association, at 15.
---------------------------------------------------------------------------
Commenters also recommended that a number of other practices should
fall within the definition of ``support for the internal operations of
the website or online service.'' These include additional ad measuring
techniques,\137\ different types of personalization activities,\138\
product improvement,\139\ and fraud detection.\140\
---------------------------------------------------------------------------
\137\ See, e.g., ANA, at 11 (recommending including click/
conversion tracking, ad modeling, and A/B testing, practices that
provide operators with information about the value of their ads,
reduce the need for behavioral targeted ads, and allow operators to
determine the most ``user-friendly'' version of a site); Google, at
17 (recommending adding conversion tracking and ad modeling, which
allow measuring the relevance and appropriateness of ads); IAB, at 3
(recommending including conversion tracking and advertising modeling
because they ``are fundamental activities that improve the customer
and business experience without creating additional privacy risks to
children''); internet Association, at 6-7 (recommending including
click/conversion tracking and ad modeling support because they
``support child-centered content creation and, in each case, can be
undertaken without focusing on a specific child's behavior over time
for targeting purposes'').
\138\ See, e.g., NCTA, at 9-10 (recommending including user-
driven and user-engagement personalization to allow, for example,
``activities to tailor users' experiences based on their prior
interactions with a site or service (whether derived from predictive
analytics, real-time behaviors, or both)''); Viacom, at 3
(requesting the Commission clarify that the definition includes
``enhanced personalization techniques based on operator-driven
first-party metrics and inferences about user interaction''); CCIA,
at 5-6 (recommending including personalization to a user, such as
``the recommendation of content based on prior activity on the
website or online service'').
\139\ See, e.g., ANA, at 11; kidSAFE, at 7; Khan Academy, at 2-3
(noting that it is important to preserve the operator's ability to
use data for educational research, product development, and to
analyze the functioning of a product).
\140\ See, e.g., SIIA, at 5 (recommending amending (1)(v) of the
definition to ``[p]rotect the security or integrity of the user,
[website], or online service of the operator or its service
providers''). See also kidSAFE, at 7 (recommending expanding the
definition to include customer or technical support, market research
and user surveys, demographic analysis, ``or any other function that
helps operate internal features and activities offered by a site or
app'').
---------------------------------------------------------------------------
[[Page 2045]]
By expanding the definition of ``personal information'' to include
stand-alone persistent identifiers, while at the same time creating an
exception that allowed operators to collect such identifiers without
providing notice and obtaining consent for a set of prescribed internal
operations, the Commission struck an important balance between privacy
and practicality in the 2013 Amendments.\141\ After careful
consideration of the comments that addressed the Rule's support for the
internal operations definition, the Commission does not believe that
significant modifications to either narrow or expand the definition are
necessary.
---------------------------------------------------------------------------
\141\ See 78 FR 3972 at 3980 (noting that ``the Commission
recognizes that persistent identifiers are also used for a host of
functions that have little or nothing to do with contacting a
specific individual, and that these uses are fundamental to the
smooth functioning of the internet, the quality of the site or
service, and the individual user's experience'').
---------------------------------------------------------------------------
With respect to ad attribution, which generated significant
commentary, the Commission believes the practice currently falls within
the support for the internal operations definition. When it amended the
definition in 2013, the Commission declined to enumerate certain
categories of uses, including payment and delivery functions,
optimization, and statistical reporting, in the Rule, stating that the
definitional language sufficiently covered such functions as activities
necessary to `` `maintain or analyze' the functions'' of the website or
service.\142\ The Commission believes that ad attribution, where a
persistent identifier is used to determine whether a particular
advertisement led a user to take a particular action, falls within
various categories, such as the concept of ``payment and delivery
functions'' and ``optimization and statistical reporting.'' When used
as a tool against click fraud, ad attribution also falls within the
category of ``protecting against fraud or theft,'' an activity that
served as a basis for the Commission's creation of the support for the
internal operations exception.\143\ That said, as the definition makes
clear, the Commission would not treat ad attribution as support for the
internal operations of the website or online service if the information
collected to perform the activity is used or disclosed ``to contact a
specific individual, including through behavioral advertising, to amass
a profile on a specific individual, or for any other purpose.'' \144\
---------------------------------------------------------------------------
\142\ Id. at 3981.
\143\ 76 FR 59804 at 59812; 77 FR 46643 at 46647-46648.
\144\ 16 CFR 312.2, definition of ``support for the internal
operations of the website or online service,'' paragraph 2. This
restriction applies to each of the activities enumerated in the
definition.
---------------------------------------------------------------------------
The definition's use restriction is an important safeguard to help
ensure that operators do not misuse the exception that allows them to
collect a persistent identifier in order to provide support for the
internal operations without providing notice and obtaining
consent.\145\ The Commission appreciates the concerns expressed by some
commenters that there is a lack of clarity in how operators implement
the support for the internal operations exception and that certain
operators may not comply with the use restriction. To increase
transparency and to help ensure that operators follow the use
restriction, the Commission proposes modifying the online notice
requirements in Sec. 312.4(d) to require any operator using the
support for the internal operations exception to specifically identify
the practices for which the operator has collected a persistent
identifier and the means the operator uses to comply with the
definition's use restriction.\146\
---------------------------------------------------------------------------
\145\ 16 CFR 312.5(c)(7).
\146\ See Part IV.B.3. for further discussion of these proposed
changes.
---------------------------------------------------------------------------
With respect to the other proposed additions, the Commission does
not believe additional enumerated activities are necessary. Other
proposed additions--such as personalization, product improvement, and
fraud prevention--are already covered.\147\ As the Commission noted in
developing the 2013 Amendments, the Commission is cognizant that future
technical innovation may result in additional activities that websites
or online services find necessary to support their internal
operations.\148\ Therefore, the Commission reminds interested parties
that they may utilize the process permitted under Sec. 312.12(b) of
the Rule, which allows parties to request Commission approval of
additional activities to be included within the support for the
internal operations definition based on a detailed justification and an
analysis of the activities' potential effects on children's online
privacy.
---------------------------------------------------------------------------
\147\ See, e.g., 77 FR 46643 at 46647 (noting that ``[b]y
carving out exceptions for support for internal operations, the
Commission stated it intended to exempt from COPPA's coverage the
collection and use of identifiers for authenticating users,
improving site navigation, maintaining user preferences, serving
contextual advertisements, protecting against fraud or theft, or
otherwise personalizing, improving upon, or securing a [website] or
online service'').
\148\ 78 FR 3972 at 3981.
---------------------------------------------------------------------------
Although the Commission does not find it necessary to modify the
definition's enumerated activities, it does propose modifications to
the definition's use restriction. Currently, the use restriction
applies to each of the seven enumerated activities in the definition,
and it states that information collected for those enumerated
activities may not be used or disclosed to contact a specific
individual, including through behavioral advertising, to amass a
profile on a specific individual, or for any other purpose.\149\
However, certain of these activities likely necessarily require an
operator to contact an individual, for example in order to ``[f]ulfill
a request of a child as permitted by Sec. Sec. 312.5(c)(3) and (4).''
\150\ Therefore, the Commission proposes clarifying language to
indicate that the information collected for these enumerated activities
may be used or disclosed to carry out the activities permitted under
the support for the internal operations exception.
---------------------------------------------------------------------------
\149\ 16 CFR 312.2, definition of ``support for the internal
operations of the website or online service,'' paragraph 2.
\150\ 16 CFR 312.2, definition of ``support for the internal
operations of the website or online service,'' paragraph (1)(vii).
For example, Sec. 312.5(c)(3) allows an operator to ``respond
directly on a one-time basis to a specific request from the child.''
The Commission notes that the exceptions set forth in Sec. Sec.
312.5(c)(3) and (4) are limited to responding to a child's specific
request. Such a response would not include contacting an individual
for another purpose, including through behavioral advertising,
amassing a profile on a specific individual, or for any other
purpose.
---------------------------------------------------------------------------
In addition, the Commission proposes expanding its non-exhaustive
list of use restrictions. The Commission agrees with commenters who
argued that the support for the internal operations exception should
not be used to allow operators to maximize children's engagement
without verifiable parental consent. Therefore, the Commission proposes
prohibiting operators that use this exception from using or disclosing
personal information in connection with processes, including machine
learning processes, that encourage or prompt use of a website or online
service. This proposed addition prohibits operators from using or
disclosing persistent identifiers to optimize user attention or
maximize user engagement with the website or online service, including
by sending notifications to prompt the child to engage with the site or
service, without verifiable parental consent.
The Commission welcomes comment on whether there are other
engagement
[[Page 2046]]
techniques the Rule should address. The Commission also welcomes
comment on whether and how the Rule should differentiate between
techniques used solely to promote a child's engagement with the website
or online service and those techniques that provide other functions,
such as to personalize the child's experience on the website or online
service.
5. Website or Online Service Directed to Children
The Commission proposes a number of changes to the definition of
``website or online service directed to children.'' Overall, the
Commission does not intend these proposed changes to alter the
definition substantively; rather, the changes will provide additional
insight into and clarity regarding how the Commission currently
interprets and applies the definition.
a. Multi-Factor Test
The first paragraph of the definition sets forth a list of factors
the Commission will consider in determining whether a particular
website or online service is child-directed. The Commission received a
significant number of comments regarding the Rule's multi-factor test.
Several industry commenters encouraged the FTC to continue relying on a
multi-factor test to determine whether a site or service is directed to
children, balancing both context (e.g., intent to target children,
promoted to children, and empirical evidence of audience) and content
(e.g., subject matter, animation, and child-oriented activities)
factors.\151\ These commenters discouraged the FTC from relying on a
single factor taken alone, arguing that a multi-factor evaluation
allows flexibility and takes into account that some factors may be more
or less indicative than others.\152\
---------------------------------------------------------------------------
\151\ See, e.g., Google, at 15 (``By equally balancing both
content and context factors in applying the multi-factor test,
operators--including creators, developers and platforms--are less
likely to be over- or under-inclusive in making determinations about
child-directed services, particularly when decisions are being made
at the margins. We are concerned that pulling out a single factor as
a litmus test for child-directedness can lead to bad outcomes,
resulting in the application of COPPA obligations to general
audience content where it doesn't make sense to apply the same
protections we'd apply to children's services''); internet
Association, at 9 (``The Commission should continue to consider
these factors holistically, with no single factor taking precedence
over others. Reliance on a comprehensive multi-factor test that
includes audience composition as one of many factors balances both
content and context inputs and provides the flexibility needed to
apply the Rule in the context of new technology and evolving
platforms such as interactive media'').
\152\ See, e.g., internet Association, at 9; CIPL, at 3-4;
Google, at 15-16; Pok[eacute]mon Company International, Inc.
(``Pok[eacute]mon''), at 1-2; ESA, at 3-8. See also TechFreedom, at
19 (``The FTC should reinforce its prior decision to apply a
`totality of circumstances' test in determining whether content is
child-directed'').
---------------------------------------------------------------------------
At the same time, commenters also recommended that the Commission
reevaluate the test's existing factors, claiming that some are outdated
and no longer seem indicative of child-directed websites or online
services. For example, several industry members noted that content
styles such as animation are not necessarily determinative of whether a
service is child-directed.\153\ In addition, several industry members
recommended that the FTC consider giving more weight to particular
factors when determining whether a website or online service is
directed to children or that it create a sliding scale for existing
factors to provide more guidance for operators.\154\ For example, a
number of commenters recommended that the Commission weigh more heavily
operators' intended audience as opposed to empirical evidence of
audience composition.\155\
---------------------------------------------------------------------------
\153\ See, e.g., ANA, at 8 (noting that animated content is
often adult-oriented rather than child-oriented); Pok[eacute]mon, at
2 (noting that popular adult animated content such as ``Family Guy''
or ``South Park'' illustrates that the use of animation is no longer
a clear indicator that the use of animated characters is targeted to
children); ESA, at 6 (asserting that the use of animated characters
should not be given weight in video game and similar media contexts
because video games are computer-generated media and therefore
inherently utilize animated characters).
\154\ See, e.g., Pok[eacute]mon, at 2 (suggesting ``weighting''
the factors); TRUSTe, LLC (``TRUSTe''), at 2 (noting that, while not
dispositive, audience composition and target market factors will
have a higher likelihood of determining that the service is child-
directed); SuperAwesome, at 11 (suggesting the establishment of a
roadmap for the Rule's scope to evolve from ``content-based'' to
``user-based'' factors, noting that ``[t]oday, the best (and highly
imperfect) method for determining whether a user is a child is by
categori[z]ing the content being accessed, e.g. is it child-directed
or not. In the near future, new technologies will make it possible
to identify whether a user is a child on any website or app, and
without collecting more personal information to verify age'').
\155\ See, e.g., ANA, at 8; J. Johnston (J House Vlogs), at 14;
The Toy Association, at 10. See also generally Screen Actors Guild-
American Federation of Television and Radio Artists (``SAG-AFTRA''),
at 4-5 (asserting that, when applying the COPPA Rule to content
creators who distribute their content on general audience platforms,
the Commission should consider the content creators' knowledge and
intent).
---------------------------------------------------------------------------
Several FTC-approved COPPA Safe Harbor programs suggested adding
new factors to the Rule to help guide operators, including by adding an
operator's self-categorization to third parties. One such program, for
example, recommended considering marketing materials directed to third-
party partners or advertisers, claiming that such materials can provide
insights on the operator's target and users.\156\ Another supported
consideration of ``whether an operator self-categorizes its website or
online service as child-directed on third[-]party platforms.'' \157\ A
third FTC-approved COPPA Safe Harbor program recommended requiring
operators to periodically analyze the demographics of their audience or
users and to consider consumer inquiries and complaints.\158\
---------------------------------------------------------------------------
\156\ TRUSTe, at 1-2.
\157\ kidSAFE, at 7 (also recommending the addition of ``video
content'' to the existing factor of ``music or other audio
content'').
\158\ CARU, at 6-7 (suggesting that such factors would be
particularly relevant to sites or services that were not originally
directed to children, but where the audience has reached a threshold
level such that COPPA protections should apply).
---------------------------------------------------------------------------
Some commenters cautioned against relying on an operator's internal
rating system or a third party's rating system as a factor.\159\ One
such commenter argued that relying on operators' internal rating
systems would potentially punish those that engage in good faith,
responsible review activities and might violate section 230 of the
Communications Decency Act.\160\ The commenter also argued that a third
party's ratings do not constitute competent and empirical evidence
regarding audience composition or evidence regarding the intended
audience, and further argued that relying on such ratings increases an
operator's risk of unexpected liability, particularly if the rating
system may have been developed for a purpose unrelated to the COPPA
Rule's factors.\161\
---------------------------------------------------------------------------
\159\ See, e.g., ANA, at 8; ESRB, at 7.
\160\ ANA, at 8 (stating that ``Section 230 of the
Communications Decency Act explicitly states that no provider of an
interactive computer service shall be held liable for `any action
voluntarily taken in good faith to restrict access to or
availability of material that the provider or user considers to be
obscene, lewd, lascivious, filthy, excessively violent, harassing,
or otherwise objectionable.' As such, considering content moderation
actions taken by companies to oversee content on their platforms as
a basis for liability may be impermissible pursuant to the
Communications Decency Act'').
\161\ ANA, at 8-9.
---------------------------------------------------------------------------
The Commission continues to believe that the Rule's multi-factor
test, which applies a ``totality of the circumstances'' standard, is
the most practical and effective means for determining whether a
website or online service is directed to children. The determination of
whether a given site or service is child-directed is necessarily fact-
based and requires flexibility as individual factors may be more or
less relevant depending on the context. Moreover, a requirement that
the Commission, in all cases, weigh more heavily certain factors could
unduly hamper the Commission's law enforcement efforts. For example, it
is
[[Page 2047]]
not hard to envision operators circumventing the Rule by claiming an
``intended'' adult audience despite the attributes and overall look and
feel of the site or service appearing to be directed to children.\162\
Additionally, a rigid approach that prioritizes specific factors is
unlikely to be nimble enough to address a site or service that changes
its characteristics over time.
---------------------------------------------------------------------------
\162\ Indeed, the Commission has previously acknowledged that a
website or online service with the attributes, look, and feel of a
property targeted to children would be deemed directed to children
even if an operator claims that was not the intent. 78 FR 3972 at
3983.
---------------------------------------------------------------------------
The Commission does not propose eliminating any of the existing
factors or modifying how it applies the multi-factor test.\163\
However, the Commission proposes modifications to clarify the evidence
the Commission will consider regarding audience composition and
intended audience.
---------------------------------------------------------------------------
\163\ With respect to animation as a factor, the Commission
recognizes that a variety of adult content uses animated characters.
By the same token, animation can be an important characteristic of
child-directed sites and services. Accordingly, as with the other
enumerated factors, animation continues to be one of several
potentially relevant considerations the Commission will take into
account in determining whether a specific site or service is
directed to children.
---------------------------------------------------------------------------
Specifically, the Commission proposes adding a non-exhaustive list
of examples of evidence the Commission will consider in analyzing
audience composition and intended audience. The Commission agrees with
those commenters that argued that an operator's marketing materials and
own representations about the nature of its site or service are
relevant. Such materials and representations can provide insight into
the operator's understanding of its intended or actual audience and are
thus relevant to the Commission's analysis. Additionally, the
Commission believes that other factors can help elucidate the intended
or actual audience of a site or service, including user or third-party
reviews and the age of users on similar websites or services.
Therefore, the Commission proposes adding ``marketing or promotional
materials or plans, representations to consumers or to third parties,
reviews by users or third parties, and the age of users on similar
websites or services'' as examples of evidence the Commission will
consider. Because many of these examples can provide evidence as to
both audience composition and intended audience, the Commission also
proposes a technical fix to remove the comma between ``competent and
reliable empirical evidence regarding audience composition'' and
``evidence regarding the intended audience.''
b. Operators Collecting Personal Information From Other Websites and
Online Services Directed to Children
The second paragraph of the definition of ``website or online
service directed to children'' states ``[a] website or online service
shall be deemed directed to children when it has actual knowledge that
it is collecting personal information directly from users of another
website or online service directed to children.'' \164\ The Commission
added this language in 2013, along with parallel changes to the
definition of ``operator,'' in order ``to allocate and clarify the
responsibilities under COPPA'' of third parties that collect
information from users of child-directed sites and services.\165\ The
changes clarified that the child-directed content provider is strictly
liable when a third party collects personal information through its
site or service, while the third party is liable only if it had actual
knowledge that the site or service from which it was collecting
personal information was child-directed.\166\
---------------------------------------------------------------------------
\164\ 16 CFR 312.2, definition of ``website or online service
directed to children,'' paragraph 2.
\165\ 78 FR 3972 at 3975. The 2013 Amendments added a proviso to
the definition of ``operator'' discussing the circumstances under
which personal information is collected or maintained on behalf of
an operator. See 16 CFR 312.2, definition of ``operator.''
\166\ The Commission stated that ``for purposes of the [COPPA]
statute'' the third party ``has effectively adopted that child-
directed content as its own and that portion of its service may
appropriately be deemed to be directed to children.'' 78 FR 3972 at
3978.
---------------------------------------------------------------------------
Because the second paragraph of this definition specifies that the
operator must have actual knowledge that it is collecting personal
information ``directly'' from users of another site or service, the
Commission is concerned that entities with actual knowledge that they
receive large amounts of children's data from another site or service
that is directed to children, without collecting it directly from the
users of such site or service, may avoid COPPA's requirements. For
example, the online advertising ecosystem involves ad exchanges that
receive data from an ad network that has collected information from
users of a child-directed site or service. In the same spirit of
avoiding a loophole that led the Commission to amend the Rule in 2013,
the Commission proposes modifying the current language by deleting the
word ``directly.'' The Commission did not seek comment in the 2019 Rule
Review Initiation on this aspect of the Rule's definition of ``website
or online service directed to children'' and therefore welcomes comment
on this proposed modification.
c. Mixed Audience
The 2013 Amendments established a distinction between child-
directed sites and services that target children as a ``primary
audience'' and those for which children are one of multiple audiences--
so called ``mixed audience'' sites or services. Specifically, the Rule
provides that a website or online service that meets the multi-factor
test for being child-directed ``but that does not target children as
its primary audience, shall not be deemed directed to children'' so
long as the operator first collects age information and then prevents
the collection, use, or disclosure of information from users who
identify as younger than 13 before providing notice and obtaining
verifiable parental consent.\167\ This allows operators of mixed
audience sites or services to use an age-screen and apply COPPA
protections only to those users who are under 13.
---------------------------------------------------------------------------
\167\ 16 CFR 312.2, definition of ``website or online service
directed to children,'' paragraph 3.
---------------------------------------------------------------------------
Although there appears to be general support for the mixed audience
classification, a number of commenters cited confusion regarding its
application and called on the Commission to provide additional clarity
on where to draw the line between general audience, primarily child-
directed, and mixed audience categories of sites and services.\168\ One
commenter noted that the mixed audience definition is confusing and the
language ``shall not be deemed directed to children''
[[Page 2048]]
suggests that such sites or services are not within the definition of
child-directed websites or online services.\169\ Others recommended the
Commission use a specific threshold for making the determination or
provide additional guidance based on the Rule's multi-factor test.\170\
---------------------------------------------------------------------------
\168\ See, e.g., ANA, at 9 (``Although the ability to age screen
users has helped businesses ascertain those users to which COPPA
applies, children could benefit from the FTC providing additional
guidance on the threshold for determining whether a website or
online service is primarily directed to children''); Google, at 13
(``We support the retention of the mixed audience category, which
appropriately recognizes that it is reasonable to treat age screened
users as adults when the underlying child-directed content is also
directed to adult audiences . . . At the same time, we believe that
the definition of mixed audience as currently drafted requires
significant clarification, especially with respect to its
distinction from primarily child-directed and general audience
content''); Lego, at 7 (``[F]urther clarity on how content for mixed
audience and adults could be interpreted by regulatory and self-
regulatory authorities would increase our ability to provide clearer
direction internally on content development''); The Toy Association,
at 9 (suggesting the Commission amend the Rule ``to establish that a
mixed audience site or service, including apps or platforms, is one
that offers content directed to children, but whose target audience
likely includes a significant number of tweens, teens or adults'')
(bold typeface omitted); Internet Association, at 7 (``While it can
be fairly straightforward to identify sites and services that are
directed primarily to children, the concept of mixed audience sites
is not clearly defined and the implications of this concept are
unclear and unpredictable'').
\169\ kidSAFE, at 7-8 (``How can a site or service be `directed
to children' for purposes of the factors' test, yet not be `deemed
directed to children' for purposes of compliance?'').
\170\ See, e.g., The Toy Association, at 9 (``[The Toy
Association] suggests that the FTC consider revising the Rule to
establish that a mixed audience site or service, including apps or
platforms, is one that offers content directed to children, but
whose target audience likely includes a significant number of
tweens, teens or adults, even if segments other than children do not
comprise 50% or more of the audience'') (bold typeface omitted);
CIPL, at 3-4 (``In its application of the COPPA Rule, the Commission
has increasingly blurred the lines between services that are
`primarily directed to children,' services that target children as
one but not the primary audience (`mixed audience'), and general
audience sites that don't target children as an audience. The FTC
should issue guidance based upon the multi-factor test in COPPA to
ensure that content creators, app developers and platforms
understand how the rules apply to their products and services'');
SIIA, at 4 (``As the way people consume content online continues to
evolve, additional guidance is needed on the line between child-
directed and mixed audience services''); ESRB, at 6-7 (recommending
the Commission provide clarity on the ``directed to children''
analysis through rulemaking or guidance); and J. Johnston (J House
Vlogs), at 16 (requesting an ``[e]mergency [e]nforcement [s]tatement
from the FTC providing . . . [c]larity on the lines between child-
directed, mixed-audience, and general audience content'').
---------------------------------------------------------------------------
Commenters also questioned the effectiveness of age screening, with
some arguing that children have been conditioned to lie about their age
in order to circumvent age gates.\171\ Others expressed support for the
current approach,\172\ and some warned against specifying proscriptive
methods for age screening, as it could prevent companies from
innovating new methods.\173\
---------------------------------------------------------------------------
\171\ See, e.g., SuperAwesome, at 21; PRIVO, at 7-8; Joint
Attorneys General, at 9; CARU, at 8.
\172\ See, e.g., CCIA, at 7-8; U.S. Chamber of Commerce, at 4-5;
ANA, at 9; Internet Association, at 9.
\173\ See, e.g., CCIA, at 8; ANA, at 9.
---------------------------------------------------------------------------
Through the 2013 Amendments, the Commission intended mixed audience
sites and services to be a subset of the ``child-directed'' category of
websites or online services to which COPPA applies. A website or online
service falls under the mixed audience designation if it: (1) meets the
Rule's multi-factor test for being child-directed; and (2) does not
target children as its primary audience. Unlike other child-directed
sites and services, mixed audience sites and services may collect age
information and need only apply COPPA's protections to those users who
identify as under 13. An operator falling under this mixed audience
designation may not collect personal information from any visitor until
it collects age information from the visitor. To the extent the visitor
identifies themselves as under age 13, the operator must provide notice
and obtain verifiable parental consent before collecting, using, and
disclosing personal information from the visitor.\174\
---------------------------------------------------------------------------
\174\ 16 CFR 312.2, definition of ``website or online service
directed to children,'' paragraph 3.
---------------------------------------------------------------------------
To make its position clearer, the Commission proposes adding to the
Rule a separate, stand-alone definition for ``mixed audience website or
online service.'' This definition provides that a mixed audience site
or service is one that meets the criteria of the Rule's multi-factor
test but does not target children as the primary audience.\175\
---------------------------------------------------------------------------
\175\ Current staff guidance notes that operators should
carefully analyze the intended audience, actual audience, and, in
many instances, the likely audience for the website or online
service in determining whether children are the primary audience or
not. COPPA FAQs, FAQ D.5.
---------------------------------------------------------------------------
The proposed definition also provides additional clarity on the
means by which an operator of a mixed audience site or service can
determine whether a user is a child. First, the Commission agrees with
the comments that recommend it allow operators flexibility in
determining whether a user is a child. To that end, the proposed
definition allows operators to collect age information or use ``another
means that is reasonably calculated, in light of available technology,
to determine whether the visitor is a child,'' reflecting a standard
used elsewhere in the Rule.\176\ Although currently collecting age
information may be the most practical means for determining that a user
is a child, the proposed definition allows operators to innovate and
develop additional mechanisms that do not rely on a user's self-
declaration.\177\
---------------------------------------------------------------------------
\176\ Compare proposed definition of ``mixed audience website or
online service'' (as quoted in the text accompanying this footnote)
with 16 CFR 312.5(b)(1) (``Any method to obtain verifiable parental
consent must be reasonably calculated, in light of available
technology, to ensure that the person providing consent is the
child's parent.'').
\177\ Indeed, the Commission supports the development of other
means and mechanisms to determine whether the user is a child. Other
jurisdictions, such as the United Kingdom, have conducted research
that indicates that mechanisms other than self-declaration may be a
more effective means of age assurance. Specifically, the research
states that parents found the self-declaration method ``easy to
circumvent,'' with many parents ``open about themselves and their
children lying about their ages.'' Families' attitudes towards age
assurance, Research commissioned by the United Kingdom's Information
Commissioner's Office and Ofcom (Oct. 11, 2022), at 19, available at
<a href="https://www.gov.uk/government/publications/families-attitudes-towards-age-assurance-research-commissioned-by-the-ico-and-ofcom">https://www.gov.uk/government/publications/families-attitudes-towards-age-assurance-research-commissioned-by-the-ico-and-ofcom</a>.
---------------------------------------------------------------------------
Additionally, consistent with long-standing staff guidance,\178\
the proposed mixed audience definition specifically requires that the
means used for determining whether a visitor is a child ``be done in a
neutral manner that does not default to a set age or encourage visitors
to falsify age information.'' This, for instance, would prevent
operators from suggesting to users that certain features will not be
available for users who identify as younger than 13.
---------------------------------------------------------------------------
\178\ COPPA FAQs, FAQ D.7.
---------------------------------------------------------------------------
To further clarify the obligations of an operator of a mixed
audience site or service, the Commission also proposes amending
paragraph (3) of the definition of ``website or online service directed
to children'' by stating that such operators shall not be deemed
directed to children with regard to any visitor not identified as under
13.
B. Notice (16 CFR 312.4)
The Commission proposes a number of modifications to the Rule's
direct notice and online notice provisions.
1. Direct Notice to the Parent (Paragraph (b))
Section 312.4(b) requires operators to make reasonable efforts to
ensure that parents receive direct notice of an operator's practices
with respect to the collection, use, or disclosure of children's
information. The Commission proposes adding references to ``school'' in
Sec. 312.4(b) to cover the situation in which an operator relies on
authorization from a school to collect information from a child and
provides the direct notice to the school rather than to the child's
parent. As discussed in Part IV.C.3.a., the Commission is proposing to
add an exception to the Rule's parental consent requirement where an
operator, in limited contexts, obtains authorization from a school to
collect a child's personal information. For purposes of authorization,
``school'' includes individual schools as well as local educational
agencies and State educational agencies, as those terms are defined
under Federal law.\179\
---------------------------------------------------------------------------
\179\ See Part IV.C.3.a. for further discussion on the proposed
school authorization exception. This proposed definition is intended
to preserve the ability of local and State educational agencies to
contract on behalf of multiple schools and school districts. This
definition aligns with current staff guidance providing that ``[a]s
a best practice, we recommend that schools or school districts
decide whether a particular site's or service's information
practices are appropriate, rather than delegating that decision to
the teacher.'' COPPA FAQs, FAQ N.3.
---------------------------------------------------------------------------
Just as notice is necessary for a parent to provide informed and
meaningful consent, a school must also obtain information about an
operator's data
[[Page 2049]]
collection and use practices before authorizing collection. Therefore,
as part of the proposed school authorization exception, an operator
must make reasonable efforts to ensure that the school receives the
notice that the operator would otherwise provide to a child's parent.
2. Content of the Direct Notice (Paragraph (c))
Section 312.4(c) details the content of the direct notice required
where an operator avails itself of one of the Rule's exceptions to
prior parental consent set forth in Sec. 312.5(c)(1)-(8). The
Commission proposes several modifications to Sec. 312.4(c). The first
is to delete the reference to ``parent'' in the Sec. 312.4(c) heading.
This modification is to accommodate the proposed new Sec. 312.4(c)(5),
which specifies the content of the direct notice where an operator
relies on school authorization to collect personal information.
Next, the Commission proposes modifying language in Sec.
312.4(c)(1) and a number of its paragraphs. As currently drafted, this
section sets forth the required content of direct notice when an
operator collects personal information in order to initiate parental
consent under the parental consent exception listed in Sec.
312.5(c)(1). The Commission proposes revising the heading of Sec.
312.4(c)(1) by adding the phrase ``for purposes of obtaining consent,
including . . .'' after ``[c]ontent of the direct notice to the
parent'' and before ``under Sec. 312.5(c)(1).'' This change would
clarify that this direct notice requirement applies to all instances in
which the operator provides direct notice to a parent for the purposes
of obtaining consent, including under Sec. 312.5(c)(1).
In its current form, Sec. 312.4(c)(1) presumes that an operator
has collected a parent's online contact information and, potentially,
the name of the child or parent. However, operators are free to use
other means to initiate parental consent, including those that do not
require collecting online contact information. For example, an operator
could use an in-app pop-up message that directs the child to hand a
device to the parent and then instructs a parent to call a toll-free
number. The modification is intended to clarify that even where the
operator does not collect personal information to initiate consent
under Sec. 312.5(c)(1), it still must provide the relevant aspects of
the Sec. 312.4(c)(1) direct notice to the parent.
Because the Commission's proposed changes to Sec. 312.4(c)(1)
would expand the scope of when an operator must provide this direct
notice, the Commission proposes modifications to indicate that
Sec. Sec. 312.4(c)(1)(i) and newly-numbered 312.4(c)(1)(vii) may not
be applicable in all instances.\180\ Additionally, because Sec. Sec.
312.4(c)(1)(i) and newly-numbered 312.4(c)(1)(vii) apply to scenarios
in which an operator is obtaining parental consent under the parental
consent exception provided in Sec. 312.5(c)(1), the Commission
proposes making minor modifications to those sections to align language
with that exception. Specifically, that exception permits operators to
collect a child's name or online contact information prior to obtaining
parental consent, and the proposed notice would require the operator to
indicate when it has collected a child's name or online contact
information.
---------------------------------------------------------------------------
\180\ As discussed in Part IV.B.2., the Commission proposes
expanding Sec. 312.4(c)(1) to include instances in which operators
collect information other than online contact information to obtain
consent. The modifications to Sec. Sec. 312.4(c)(1)(i) and newly-
numbered 312.4(c)(1)(vii) address those instances in which an
operator may not have collected a parent's or child's online contact
information to obtain consent.
---------------------------------------------------------------------------
The Commission also proposes adding a new paragraph (iv) to require
that operators sharing personal information with third parties identify
the third parties as well as the purposes for such sharing, should the
parent provide consent. This new paragraph (iv) will also require the
operator to state that the parent can consent to the collection and use
of the child's information without consenting to the disclosure of such
information, except where such disclosure is integral to the nature of
the website or online service.\181\ For example, such disclosure could
be integral if the website or online service is an online messaging
forum through which children necessarily have to disclose their
personal information, such as online contact information, to other
users on that forum. The Commission believes that this information will
enhance parents' ability to make an informed decision about whether to
consent to the collection of their child's personal information. In
order to minimize the burden on operators, and to maintain the goal of
providing parents with a clear and concise direct notice, the proposed
modification allows operators to disclose the categories of third
parties with which the operator shares data rather than identifying
each individual entity. The Commission welcomes further comment on
whether information regarding the identities or categories of third
parties with which an operator shares information is most appropriately
placed in the direct notice to parents required under Sec. 312.4(c) or
in the online notice required under Sec. 312.4(d).
---------------------------------------------------------------------------
\181\ This proposed modification effectuates current
requirements under the Rule, namely Sec. 312.5(a)(2), which states
that ``[a]n operator must give the parent the option to consent to
the collection and use of the child's personal information without
consenting to disclosure of his or her personal information to third
parties.''
---------------------------------------------------------------------------
Additionally, the Commission proposes a number of clarifying
changes. First, the Commission proposes clarifying that the information
at issue in the first clause of Sec. 312.4(c)(1)(ii) is ``personal
information.'' \182\ Second, in Sec. 312.4(c)(1)(iii), the Commission
proposes clarifying that the direct notice must include how the
operator intends to use the personal information collected from the
child. For example, to the extent an operator uses personal information
collected from a child to encourage or prompt use of the operator's
website or online service such as through a push notification, such use
must be explicitly stated in the direct notice. Additionally, the
Commission further proposes to change the current use of ``or'' to
``and'' to indicate that the operator must provide all information
listed in Sec. 312.4(c)(1)(iii). Lastly, the Commission also proposes
removing the term ``additional'' from Sec. 312.4(c)(1)(iii) because
this paragraph no longer applies solely to instances in which the
operator collects the parent's or child's name or online contact
information.
---------------------------------------------------------------------------
\182\ This clause currently uses the term ``such information.''
16 CFR 312.4(c)(1)(ii).
---------------------------------------------------------------------------
In addition to the proposed modifications to Sec. 312.4(c)(1), the
Commission proposes adding Sec. 312.4(c)(5) to identify the content of
the direct notice an operator must provide when seeking to obtain
school authorization to collect personal information.\183\ While
tailored to the school context, the requirements in this new provision
generally track the proposed modifications to Sec. 312.4(c)(1).\184\
---------------------------------------------------------------------------
\183\ The Commission is aware that ed tech operators may enter
into standard contracts with schools, school districts, and other
education organizations across the country. This direct notice
requirement is not meant to interfere with such contractual
arrangements. Operators may employ various methods to meet the
proposed direct notice requirement without interfering with the
standard contract, such as by appending the direct notice to the
contract. See Part IV.C.3.a. for further discussion of the direct
notice required under this exception.
\184\ For instance, proposed Sec. 312.4(c)(5)(iii) requires the
operator to provide the information collected from the child, how
the operator intends to use such information, and the potential
opportunities for disclosure. Similarly, to the extent the operator
discloses information to third parties, proposed Sec.
312.4(c)(5)(iv) requires the operator to provide the identities or
specific categories of such third parties and the purposes for such
disclosures.
---------------------------------------------------------------------------
[[Page 2050]]
3. Notice on the Website or Online Service (Paragraph (d))
The Commission proposes two additions to the Rule's online notice
requirement. These additions pertain to an operator's use of the
exception for prior parental consent set forth in Sec. 312.5(c)(7) and
the proposed exception set forth in new proposed Sec.
312.5(c)(9).\185\ The Commission also proposes certain modifications to
the Rule's existing online notice requirements.
---------------------------------------------------------------------------
\185\ Given that these proposed disclosures may be longer and
somewhat technical in nature, the Commission believes their
appropriate location is in the operator's online notice rather than
the direct notice.
---------------------------------------------------------------------------
First, the Commission proposes adding a new paragraph, Sec.
312.4(d)(3), which would require operators that collect a persistent
identifier under the support for the internal operations exception in
Sec. 312.5(c)(7) to specify the particular internal operation(s) for
which the operator has collected the persistent identifier and describe
the means it uses to ensure that it does not use or disclose the
persistent identifier to contact a specific individual, including
through behavioral advertising, to amass a profile on a specific
individual, in connection with processes that encourage or prompt use
of a website or online service, or for any other purpose, except as
permitted by the support for the internal operations exception.\186\
---------------------------------------------------------------------------
\186\ The Commission also proposes requiring operators to
implement a data retention policy as part of the requirements for
Sec. 312.10. See Part IV.G. for a discussion of this proposed
change.
---------------------------------------------------------------------------
Currently, an operator that collects a persistent identifier
pursuant to Sec. 312.5(c)(7) is not required to provide notice of the
collection. The Commission finds merit in the concerns expressed by
some commenters about a lack of transparency in how operators implement
the support for the internal operations exception and the extent to
which they comply with the exception's restrictions.\187\ The
Commission believes that the proposed disclosure requirements will
provide additional clarity into the use of Sec. 312.5(c)(7), will
enhance operator accountability, and will function as an important tool
for monitoring COPPA compliance.
---------------------------------------------------------------------------
\187\ See Part IV.A.4. for a discussion of these concerns.
---------------------------------------------------------------------------
Second, as discussed in Part IV.C.3.b., the Commission proposes a
new parental consent exception, codifying its law enforcement policy
statement regarding the collection of audio files.\188\ Consistent with
this codification, the Commission also proposes a new Sec. 312.4(d)(4)
requiring that an operator that collects audio files pursuant to the
new Sec. 312.5(c)(9) exception describe how the operator uses the
audio files and to represent that it deletes such files immediately
after responding to the request for which the files were collected.
---------------------------------------------------------------------------
\188\ See Part IV.C.3.b.
---------------------------------------------------------------------------
The Commission also proposes a number of other modifications to the
Rule's online notice requirements. Specifically, the Commission
proposes modifying Sec. 312.4(d)(2) to require additional information
regarding operators' disclosure practices and operators' retention
policies.\189\ As discussed earlier, the Commission believes that this
information will enhance parents' ability to make an informed decision
about whether to consent to the collection of their child's personal
information. The Commission notes that the COPPA Rule's online notice
provision requires that operators describe how they use personal
information collected from children.\190\ For example, to the extent an
operator uses personal information collected from a child to encourage
or prompt use of the operator's website or online service such as
through a push notification, such use must be explicitly stated in the
online notice. The Commission also proposes adding ``if applicable'' to
current Sec. 312.4(d)(3) (which would be redesignated as Sec.
312.4(d)(5)) in order to acknowledge that there may be situations in
which a parent cannot review or delete the child's personal
information.\191\
---------------------------------------------------------------------------
\189\ The Commission proposes requiring operators to implement a
data retention policy as part of the requirements for Sec. 312.10.
See Part IV.G. for a discussion of this proposed change.
\190\ 16 CFR 312.4(d)(2).
\191\ As discussed in Part IV.D., operators utilizing the school
authorization exception would not be required to provide parents the
rights afforded under Sec. 312.6(a) for information collected under
that exception.
---------------------------------------------------------------------------
Lastly, the Commission proposes to delete the reference to
``parent'' in the Sec. 312.4(d) introductory text. This proposal is to
align with the Commission's new proposed direct notice requirement to
accommodate the proposed new school authorization exception found in
Sec. 312.5(c)(10).
4. Additional Notice on the Website or Online Service Where an Operator
Has Collected Personal Information Under Sec. 312.5(c)(10) (New
Paragraph Sec. 312.4(e))
The Commission also proposes adding a separate online notice
provision applicable to operators that obtain school authorization to
collect personal information from children pursuant to the proposed
exception set forth in Sec. 312.5(c)(10). These disclosures are in
addition to the requirements of Sec. 312.4(d). The Commission believes
these proposed disclosures will convey important information to parents
regarding the limitations on an operator's use and disclosure of
personal information collected under the school authorization
exception, and the school's ability to review that information and
request the deletion of such information.\192\
---------------------------------------------------------------------------
\192\ The school's ability to review information and request the
deletion of such information are addressed in Part IV.D. in
connection with the proposed modification to Sec. 312.6.
---------------------------------------------------------------------------
C. Parental Consent (16 CFR 312.5)
The verifiable parental consent requirement, in combination with
the notice provisions, is a fundamental component of the COPPA Rule's
ability to protect children's privacy. The Rule requires operators to
obtain verifiable parental consent before they collect, use, or
disclose a child's personal information.\193\ Operators must make
``reasonable efforts to obtain verifiable parental consent'' and any
parental consent method ``must be reasonably calculated, in light of
available technology, to ensure that the person providing consent is
the child's parent.'' \194\ Although the Rule sets forth a non-
exhaustive list of methods that the Commission has recognized as
meeting this standard, the Commission encourages operators to develop
their own consent mechanisms provided they meet the ``reasonably
calculated standard'' required by Sec. 312.5(b)(1). In addition to the
enumerated consent mechanisms listed in Sec. 312.5(b)(2), Sec.
312.5(c) provides several exceptions pursuant to which an operator may
collect limited personal information without first obtaining parental
consent and, in some cases, without providing notice.
---------------------------------------------------------------------------
\193\ Operators must also obtain such consent for ``any material
change in the collection, use, or disclosure practices to which the
parent has previously consented.'' 16 CFR 312.5(a)(1).
\194\ 16 CFR 312.5(b)(1).
---------------------------------------------------------------------------
The Commission requested comment in its 2019 Rule Review Initiation
on the efficacy of the Rule's consent requirements, including whether
the Commission should add to the list of approved methods and whether
there are ways to encourage the development of new consent methods. The
Commission also requested comment on whether the Commission should
consider additional exceptions to the consent requirement, including
with respect to the collection of audio files
[[Page 2051]]
containing a child's voice and in the educational context where a
school authorizes the operator to collect personal information.
The Commission proposes modifying the Rule's consent requirements
in a number of ways. First, the Commission proposes requiring the
operator to obtain separate verifiable parental consent before
disclosing personal information collected from a child. The Commission
also proposes modifying the consent method set forth in Sec.
312.5(b)(2)(ii) and incorporating into the Rule two previously approved
consent mechanisms submitted through the Sec. 312.12(a) voluntary
process. Lastly, the Commission proposes modifying the parental consent
exceptions set forth in Sec. 312.5(c)(4), (6), and (7) and adding
exceptions for where an operator relies on school authorization and for
the collection of audio files that contain a child's voice.
1. General Requirements (Paragraph (a))
Section 312.5(a)(1) provides that an operator must obtain
verifiable parental consent before collecting, using, or disclosing
personal information from a child. While the Commission does not
propose modifications to this paragraph, it seeks to make a
clarification. This requirement applies to any feature on a website or
online service through which an operator collects personal information
from a child. For example, if an operator institutes a feature that
prompts or enables a child to communicate with a chatbot or other
similar computer program that simulates conversation, the operator must
obtain verifiable parental consent before collecting any personal
information from a child through that feature. While the Commission is
not proposing modifications to this paragraph, it welcomes comment on
it.
Section 312.5(a)(2) currently states that ``[a]n operator must give
the parent the option to consent to the collection and use of the
child's information without consenting to disclosure of his or her
personal information to third parties.'' The Commission proposes
bolstering this requirement by adding that operators must obtain
separate verifiable parental consent for disclosures of a child's
personal information, unless such disclosures are integral to the
nature of the website or online service.\195\ Under the proposed
language, operators required to obtain separate verifiable parental
consent for disclosures may not condition access to the website or
online service on such consent.
---------------------------------------------------------------------------
\195\ This exception aligns with previous staff guidance, in
which FTC staff has stated that operators are not required to
provide parents with a separate option to consent to the disclosure
of the child's personal information where such disclosures are
integral to the site or service. The guidance requires the operators
to make clear when such disclosures are integral. See COPPA FAQs,
FAQ A.1. For example, such disclosure could be integral if the
website or online service is an online messaging forum through which
children necessarily have to disclose their personal information,
such as online contact information, to other users on that forum.
---------------------------------------------------------------------------
In the preamble of the 1999 initial COPPA Rule, the Commission
noted that ``disclosures to third parties are among the most sensitive
and potentially risky uses of children's personal information. This is
especially true in light of the fact that children lose even the
protections of [COPPA] once their information is disclosed to third
parties.'' \196\ The Commission remains concerned about the disclosure
of personal information collected from children. Indeed, one commenter
noted that ``[c]hildren today face surveillance unlike any other
generation--their every movement online and off can be tracked by
potentially dozens of different companies and organizations.'' \197\
---------------------------------------------------------------------------
\196\ 64 FR 59888 at 59899.
\197\ Common Sense Media, at 3.
---------------------------------------------------------------------------
The Commission believes that information sharing is a pervasive
practice. Therefore, the Commission finds it appropriate to provide
parents with greater control over the disclosure of their children's
information by clarifying that Sec. 312.5(a)(2) requires operators to
obtain separate verifiable parental consent for disclosures. This
includes disclosure of persistent identifiers for targeted advertising
purposes, as well as disclosure of other personal information for
marketing or other purposes. The Commission did not seek comment on
this particular aspect of the Rule's verifiable parental consent
requirements in the 2019 Rule Review Initiation and welcomes comment on
this proposed modification.
2. Methods for Verifiable Parental Consent (Paragraph (b))
The Commission received numerous comments related to the methods by
which operators can obtain parental consent. Many commenters criticized
particular approved parental consent methods. Some characterized the
methods as outdated or counterintuitive.\198\ Others complained that
the methods failed to serve unbanked or low-income families who may
lack access to the means to provide consent, such as a credit
card.\199\ Some commenters suggested that the use of credit card data
and government-issued IDs are too privacy-invasive,\200\ while one
advocate claimed that the current methods are better indicators of
adulthood than parenthood.\201\
---------------------------------------------------------------------------
\198\ See, e.g., FOSI, at 4-5 (describing current method of
requiring submission by facsimile as outdated, staffing a toll-free
number as expensive, and requiring a credit card number for a
service that should be free as counter-intuitive); ESA, at 24 (``For
example, the collection of a driver's license or credit card in
connection with a transaction may appear particularly cumbersome in
the context of a free mobile app that does not require registration
and that collects and uses only limited types of information within
the app'').
\199\ See, e.g., internet Association, at 13; CIPL, at 5; Net
Safety Collaborative, at 2; Connected Camps, at 2.
\200\ See, e.g., P. Aftab, at 12-13; see also ESRB, at 8 (noting
that parents may be disinclined to provide credit card information
unless the operator is a name the parents know and trust).
\201\ P. Aftab, at 13.
---------------------------------------------------------------------------
Commenters also expressed concern that the current methods include
too much friction, resulting in significant drop-off during the consent
process. Commenters noted that this friction discourages operators from
creating services that target children or creates an incentive to limit
their collection of personal information to avoid triggering
COPPA.\202\ Consistent with this view, the Network Advertising
Initiative stated that ``[r]ecognizing that verifiable parental consent
mechanisms are challenging and expensive to implement, and result in
considerable drop-off, the practical reality is that most ad-tech
companies simply seek to avoid advertising to children altogether.''
\203\ Other commenters warned that cumbersome consent methods can drive
children to general audience sites, which may have fewer digital safety
and privacy protections in place.\204\
---------------------------------------------------------------------------
\202\ See, e.g., ESRB, at 8; CIPL, at 4-5; Internet Association,
at 13; Connected Camps, at 2-3.
\203\ See NAI, at 2; see also Attorney General of Arizona, at 2
(noting that ``. . . the cost of obtaining verifiable parental
consent can be unduly burdensome on small businesses, and the
consent process can be frustrating for both businesses and parents
alike'').
\204\ See, e.g., Lego, at 4-5; Net Safety Collaborative, at 2.
---------------------------------------------------------------------------
Some commenters suggested modifying existing consent methods or
adding new ones. For example, several recommended that the Commission
eliminate the need for a monetary transaction when an operator obtains
consent through a credit or debit card or an online payment system
where the system provides notification of transactions that do not
involve a charge.\205\ Some recommended
[[Page 2052]]
modifying the Rule to allow for the use of text messages to obtain
consent. Those commenters noted that text messages are a common
alternative to email for verification purposes and argued that text
message-based consent is no weaker than consent initiated through the
collection of an email address.\206\
---------------------------------------------------------------------------
\205\ See, e.g., ANA, at 12 (``. . . companies should be able to
obtain verifiable parental consent by requesting a valid credit card
from a parent even if the consent is not obtained in connection with
a monetary transaction''); kidSAFE, at 10 (``The FTC should consider
eliminating the need for a `monetary' transaction when consent is
obtained using a credit card, debit card, or other online payment
system that provides notification of each discreet [sic]
transaction'').
\206\ See ANA, at 12; The Toy Association, at 4; kidSAFE, at 11.
---------------------------------------------------------------------------
Other commenters called for the Commission to add to the list of
approved consent methods. They recommended allowing the use of
fingerprint or facial recognition technologies that already exist in
parents' mobile devices,\207\ voice recognition technology currently
used in the online banking context,\208\ and a variety of other
technologies and tools.\209\
---------------------------------------------------------------------------
\207\ See ESRB, at 8.
\208\ See Net Safety Collaborative, at 2.
\209\ See, e.g., Net Choice, at 12 (recommending the use of a
digital certificate that uses public key technology coupled with
additional steps to demonstrate that consent is from the parent);
Internet Association, at 14 (recommending that the Commission add a
mechanism whereby parents log into a preexisting parental account);
CTIA, at 2-3 (recommending obtaining consent through the set-up
process for services, such as wearables, that collect personal
information from children at parents' direction); Yoti, at 12
(recommending the use of age estimation and age verification tools
instead of parental consent).
---------------------------------------------------------------------------
Several commenters recommended that the Commission encourage
platforms to participate in the parental consent process.\210\ One
suggested that platforms could provide notifications to the consenting
parent about the intended collection, use, or disclosure of the child's
personal information.\211\ Another suggested that parents would be more
likely to engage with platforms than to provide consent on a service-
by-service basis.\212\
---------------------------------------------------------------------------
\210\ See, e.g., Princeton University, at 9 (noting that mobile
operating systems offer linked parent and child accounts and could
provide an interface for child accounts to submit consent permission
requests to parent accounts).
\211\ See ACT: The App Association, at 4-5.
\212\ See ESRB, at 8.
---------------------------------------------------------------------------
Commenters also recommended different procedural steps the
Commission could undertake. These include such things as the Commission
using its authority to conduct studies on the costs and benefits of
different consent methods,\213\ streamlining the Rule's current 120-day
comment period on applications for new parental consent methods,\214\
and convening stakeholder meetings to explore effective solutions.\215\
---------------------------------------------------------------------------
\213\ See Pok[eacute]mon, at 3.
\214\ See CCIA, at 10; SIIA, at 3-4.
\215\ See Lego, at 5; The Toy Association, at 20; Yoti, at 13.
---------------------------------------------------------------------------
After reviewing these comments, the Commission continues to believe
that the Rule's current approach to verifiable parental consent is
appropriate and sound. With respect to the more general concerns that
COPPA's consent methods create ``friction,'' the Commission stresses
that COPPA requires a balance between facilitating consent mechanisms
that are not prohibitively difficult for operators or parents, while
also ensuring that it is a parent granting informed consent, rather
than a child circumventing the process. In response to commenters
indicating that this friction has discouraged operators from creating
services or caused operators to change their practices, the Commission
welcomes the development of methods that prove less cumbersome for
operators while still meeting COPPA's statutory requirements.
As to the more specific criticisms of the approved consent
mechanisms set forth in the Rule, the Commission notes that operators
are not obligated to use any of those methods.\216\ Rather, operators
are free to develop and use any method that meets the standard
contained in Sec. 312.5(b)(1) and to tailor their approach to their
own individual situation.
---------------------------------------------------------------------------
\216\ Indeed, the Commission is aware that many operators will
choose not to utilize certain enumerated methods. However, the
Commission retains these methods in the Rule in case any operator
would like to use these methods.
---------------------------------------------------------------------------
While it is possible that some of the suggested methods could meet
the Sec. 312.5(b)(1) requirement, the Commission does not believe the
comments contain sufficient detail or context for it to propose adding
these additional consent methods at this time. The Commission welcomes
further explanation detailing the necessity and practicality of any
recommended new consent method, including how it would satisfy the
Rule's requirements. This could come in the form of additional comments
or through the voluntary approval process provided in Sec. 312.12(a)
of the Rule.
At the same time, the Commission agrees that platforms could play
an important role in the consent process, and the Commission has long
recognized the potential of a platform-based common consent
mechanism.\217\ The Commission would also welcome further information
on the role that platforms could play in facilitating the obtaining of
parental consent. In particular, the Commission would be interested in
any potential benefits platform-based consent mechanisms would create
for operators and parents and what specific steps the Commission could
take to encourage development of such mechanisms.
---------------------------------------------------------------------------
\217\ 78 FR 3972 at 3989-90 (noting that platform-based common
consent mechanism could simplify operators' and parents' abilities
to protect children's privacy).
---------------------------------------------------------------------------
The Commission also agrees with the recommendation that it modify
the Rule to eliminate the monetary transaction requirement when an
operator obtains consent through a parent's use of a credit card, debit
card, or an online payment system. As one commenter noted, many of
these payment mechanisms provide a means for the account holder to
receive notification of every transaction, even those that cost no
money, such as a free mobile app download.\218\ In addition, many
operators offer their apps or other online services at no charge.
Requiring such operators to charge the parent a fee when seeking
consent undercuts their ability to offer the service at no cost.
Further, the Commission understands that some consumers might be
hesitant to complete consent processes when they will incur even a
nominal monetary charge.
---------------------------------------------------------------------------
\218\ kidSAFE, at 10.
---------------------------------------------------------------------------
In proposing this modification, the Commission notes that it had
previously determined that a monetary transaction was necessary for
this form of consent.\219\ At that time, the Commission reasoned that
requiring a monetary transaction would increase the method's
reliability because the parent would receive a record of the
transaction. This would provide the parent notice of purported consent,
which, if improperly given, the parent could then withdraw. Because
Sec. 312.5(b)(2)(ii), as proposed to be modified, would still require
notice of a discrete transaction, even where there is no monetary
charge, the Commission believes this indicia of reliability is
preserved. Where a payment system cannot provide notice absent a
monetary charge, an operator will not be able to obtain consent through
this method.
---------------------------------------------------------------------------
\219\ See 76 FR 59804 at 59819; see also 78 FR 3972 at 3987.
---------------------------------------------------------------------------
The Commission also agrees with the recommendation to modify the
Rule to allow the use of text messages to obtain consent. As discussed
in Part IV.A.1., the Commission believes this is achieved through its
proposed modification to the ``online contact information''
definition.\220\ Therefore, the Commission does not propose
[[Page 2053]]
modifying Sec. 312.5(b)(2)(ii) to address this recommendation.
---------------------------------------------------------------------------
\220\ See Part IV.A.1.
---------------------------------------------------------------------------
In addition to the modification to Sec. 312.5(b)(2)(ii), the
Commission also proposes adding two parental consent methods to Sec.
312.5(b). These methods are knowledge-based authentication and the use
of facial recognition technology. The Commission approved both methods
pursuant to the Sec. 312.12(a) process created from the 2013
Amendments.\221\
---------------------------------------------------------------------------
\221\ See Letter to Imperium, LLC (Dec. 23, 2013) (approval of
knowledge-based authentication), available at <a href="https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf">https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-grants-approval-new-coppa-verifiable-parental-consent-method/131223imperiumcoppa-app.pdf</a>; Letter to Jest8 Limited (Trading as Riyo) (Nov. 18, 2015)
(approval of facial recognition technology), available at <a href="https://www.ftc.gov/system/files/documents/public_statements/881633/151119riyocoppaletter.pdf">https://www.ftc.gov/system/files/documents/public_statements/881633/151119riyocoppaletter.pdf</a>.
---------------------------------------------------------------------------
3. Exceptions to Prior Parental Consent (Paragraph (c))
The Commission also received numerous comments regarding possible
additional exceptions to the Rule's parental consent requirement. The
majority of the commenters addressing this issue focused on whether the
Commission should allow schools to authorize data collection, use, and
disclosure in certain circumstances rather than requiring ed tech
operators to obtain parental consent. A smaller number of commenters
addressed whether the Commission should codify in the Rule its existing
enforcement policy statement regarding the collection of audio files.
In addition, several commenters recommended that the Commission expand
the Rule's current one-time use exception.
The Commission proposes creating exceptions for where an operator
relies on school authorization and for the collection of audio files
that contain a child's voice. The Commission also proposes a
modification to Sec. 312.5(c)(7), which relates to the support for the
internal operations exception, to align with proposed new
requirements.\222\ Additionally, Commission proposes a modification to
Sec. 312.5(c)(4) to exclude from this exception the use of push
notifications to encourage or prompt use of a website or online
service. Finally, the Commission proposes technical modifications to
Sec. 312.5(c)(6). At this time, the Commission does not propose
expanding the Rule's current one-time use exception.
---------------------------------------------------------------------------
\222\ See Part IV.B.3. for discussion of the Commission's
proposed notice requirement under 16 CFR 312.4(d)(3).
---------------------------------------------------------------------------
a. School Authorization Exception
In response to the Commission's initial proposed COPPA Rule in
1999, stakeholders expressed concern about how the Rule would apply to
the use of websites and online services in schools. Some of these
commenters claimed that requiring parental consent to collect students'
information could interfere with classroom activities.\223\ In
response, the Commission noted in the final Rule's preamble ``that the
Rule does not preclude schools from acting as intermediaries between
operators and parents in the notice and consent process, or from
serving as the parents' agent in the process.'' \224\ It further
stated, ``where an operator is authorized by a school to collect
personal information from children, after providing notice to the
school of the operator's collection, use, and disclosure practices, the
operator can presume that the school's authorization is based on the
school's having obtained the parent's consent.'' \225\ Since that time,
Commission staff has provided additional guidance on this issue through
its ``Complying with COPPA: Frequently Asked Questions'' document
(``COPPA FAQs''), which specifies that an operator may rely on school
consent when it collects a child's personal information provided the
operator uses the information for an educational purpose and for ``no
other commercial purpose.'' \226\ The Commission has since issued a
policy statement on COPPA's application to ed tech providers, similarly
noting that operators of ed tech that collect personal information
pursuant to school authorization are prohibited from using such
information for any commercial purpose, including marketing,
advertising, or other commercial purposes unrelated to the provision of
the school-requested online service.\227\
---------------------------------------------------------------------------
\223\ See 64 FR 59888 at 59903.
\224\ Id.
\225\ Id.
\226\ COPPA FAQs, FAQ N.1.
\227\ Policy Statement of the Federal Trade Commission on
Education Technology and the Children's Online Privacy Protection
Act, Federal Trade Commission (May 19, 2022), available at <a href="https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-education-technology-childrens-online-privacy-protection">https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-education-technology-childrens-online-privacy-protection</a>.
---------------------------------------------------------------------------
In recent years there has been a significant expansion of ed tech
used in both classrooms and in the home.\228\ This expansion, in the
form of students' increased access to school-issued computers and
online learning curricula, raised questions about ed tech providers'
compliance with the Rule as well as calls for additional guidance on
how COPPA applies in the school context. Stakeholders also questioned
how COPPA obligations relate to those operators subject to FERPA, the
federal law that protects the privacy of ``education records,'' and its
implementing regulations.\229\
---------------------------------------------------------------------------
\228\ The closure of schools and in-person learning due to the
global COVID-19 pandemic added to this expansion as students shifted
to remote education.
\229\ FERPA applies to all schools receiving funds from any
applicable program of the Department of Education. 34 CFR 99.1. In
general, unless an exception applies, parents (or students over 18
years of age) must provide consent for the disclosure of personal
information from an education record. 34 CFR 99.30. FERPA provides
an exception to its parental consent requirement for ``school
officials.'' 34 CFR 99.31. Under this exception, schools do not need
to obtain consent to disclose personal information where there is a
``legitimate educational interest.'' In addition, the school must
maintain direct control over the information.
---------------------------------------------------------------------------
In 2017, the FTC and the Department of Education hosted a workshop
on student privacy and ed tech to explore these questions.\230\ Through
the discussions at the workshop, the Commission gathered information
that helped inform the questions posed in the 2019 Rule Review
Initiation regarding the application of the COPPA Rule to the education
context. The Commission asked whether it should modify the Rule to add
an exception to the parental consent requirement where the school
provides authorization and, if so, whether the exception should mirror
the requirements of FERPA's ``school official exception.'' \231\ The
Commission also asked for comment on various aspects of a school
authorization exception, including how student data could be used, who
at the school should be able to provide consent, and notice to
parents.\232\
---------------------------------------------------------------------------
\230\ Student Privacy and Ed Tech (Dec. 1, 2017), available at
<a href="https://www.ftc.gov/news-events/events/2017/12/student-privacy-ed-tech">https://www.ftc.gov/news-events/events/2017/12/student-privacy-ed-tech</a>.
\231\ The FERPA school official exception allows schools to
outsource institutional services or functions that involve the
disclosure of education records to contractors, consultants,
volunteers, or other third parties, provided that the outside party:
``(1) Performs an institutional service or function for which the
agency or institution would otherwise use employees; (2) Is under
the direct control of the agency or institution with respect to the
use and maintenance of education records; (3) Is subject to the
requirements in 34 CFR 99.33(a) that the personally identifiable
information (PII) from education records may be used only for the
purposes for which the disclosure was made, e.g., to promote school
safety and the physical security of students, and governing the
redisclosure of PII from education records; and (4) Meets the
criteria specified in the school or local educational agency's
(LEA's) annual notification of FERPA rights for being a school
official with a legitimate educational interest in the education
records.'' Who is a ``School Official'' Under FERPA?, Department of
Education, available at <a href="https://studentprivacy.ed.gov/faq/who-%E2%80%9Cschool-official%E2%80%9D-under-ferpa">https://studentprivacy.ed.gov/faq/who-%E2%80%9Cschool-official%E2%80%9D-under-ferpa</a>.
\232\ The Commission also asked for comment on deletion rights
in the educational context. The issue of the deletion of information
collected when a school has provided authorization is discussed in
Part IV.D.
---------------------------------------------------------------------------
[[Page 2054]]
i. Whether To Include a School Authorization Exception in the Rule
Numerous commenters representing industry and schools, along with
some consumer groups, expressed support for codifying a school
authorization exception in the Rule so long as such exception is
consistent with FERPA and its implementing regulations. That is, where
there is a legitimate educational interest to collect the child's data,
the school maintains direct control of the data, and the operator uses
the data only as permitted by the school and complies with disclosure
limits.\233\
---------------------------------------------------------------------------
\233\ See, e.g., CIPL, at 6; Net Safety Collaborative, at 3;
Illinois Council of School Attorneys, at 1-2; Association of
American Publishers, at 5; CCIA, at 11; internet Association, at 14-
17; SIIA, at 3; Joint comment of the Consortium for School
Networking, Knowledge Alliance, National Association of State Boards
of Education, and the State Educational Technology Directors
Association (``CoSN''), at 2; National School Boards Association, at
4-5; National Parent Teacher Association, at 2; Joint comment of the
AASA, the School Superintendents Association, and the Association of
Education Service Agencies, at 1-3; CDT, at 5; Khan Academy, at 2;
Google, at 18; Future of Privacy Forum, at 10-12; Lego, at 5-6. Some
commenters supported the Commission implementing a school
authorization exception within the Rule but did not call for
alignment with FERPA's school official exception. See, e.g., ANA, at
13-14; Lightspeed, at 1-2; The Toy Association, at 5, 19-20;
5Rights, at 6.
---------------------------------------------------------------------------
In supporting such an exception, several of these commenters raised
concerns that requiring schools to obtain consent from parents would be
burdensome and costly for schools.\234\ These commenters claimed that
the burden would include obtaining parental consent as well as
providing curriculum to students whose parents did not consent to the
use of the ed tech program.\235\
---------------------------------------------------------------------------
\234\ See CDT, at 4 (noting that ``[s]ome schools do not have
the resources or the time to ask for consent from parents every time
they rely on an educational technology product''); CCIA, at 11
(noting that ``[a]s Ed Tech becomes increasingly prevalent in the
classroom, requiring parental consent for every online service used
in the classroom would quickly become administratively and
practically unwieldy for parents and schools alike, with the
resulting consent fatigue decreasing the availability of beneficial
technologies and services to all students''); Lightspeed, at 2
(``Seeking explicit, written parental approval for every single use
of technology by a student at present is impracticable. Requiring
parents to affirmatively approve each student's use of every
application would lead to an avalanche of paperwork for parents and
school administrators, one that would push schools to shy away from
utilizing EdTech solutions in the classroom''); National PTA, at 3
(noting that ``[w]hen student data is collected in support of core
curricular functions, National PTA believes that schools should be
able to act as parents' agents and consent on parents' behalf.
However, not all student data collection meets that standard.
Schools use education technology for a broad range of
extracurricular, non-essential or optional activities . . . We ask
that the FTC clarify when schools may act on behalf of parents,
differentiating between technology used in support of schools'
essential academic and administrative needs and other, optional
uses''); Net Safety, at 3 (urging the Commission to ensure that
schools' burden and cost of obtaining parental consent under COPPA
not be increased); Illinois Council of School Attorneys, at 2
(noting that ``requiring school districts to obtain verifiable
parental consent from all parents/guardians for potentially hundreds
of education applications in use in a district would be an enormous
and unworkable administrative burden, even for those districts that
have more resources available to them'').
\235\ See, e.g., National School Boards Association, at 3 (``If
school districts are required to get actual parent consent, many
districts would be unable to deliver the curriculum to students
whose parents have not responded, creating inequities in addition to
administrative burdens''); CIPL, at 5 (noting that ``[i]t could also
result in administrative burden and classroom disruption for
teachers to manage different lesson plans for students whose parents
have provided consent and those whose parents have not'').
---------------------------------------------------------------------------
Commenters also raised concerns about requiring ed tech providers
to obtain verifiable parental consent from parents. For example,
commenters expressed concern that requiring operators to obtain
parental consent would require operators to collect additional personal
information from parents, much of which is not necessary to provide the
educational service, which contradicts data minimization
principles.\236\ One commenter argued that requiring parents to consent
would lead to ``consent fatigue,'' \237\ while another commenter
explained that operators often do not have a direct touchpoint with
parents that could facilitate the consent process.\238\
---------------------------------------------------------------------------
\236\ See CIPL, at 5; ANA, at 14; CCIA, at 11.
\237\ CCIA, at 11.
\238\ ANA, at 13.
---------------------------------------------------------------------------
The Illinois Council of School Attorneys argued that schools are
often in a better position than parents to evaluate ed tech
products.\239\ They also pointed to privacy protections in the FERPA
school official exception including the requirement that the school
maintain direct control of the data and the operator use the data for
only limited, authorized purposes.\240\ Finally, in supporting a school
authorization exception, some commenters stated that numerous operators
have built up their consent process in reliance on the Commission's
existing guidance indicating that COPPA permits schools to provide
consent for educational purposes.\241\
---------------------------------------------------------------------------
\239\ Illinois Council of School Attorneys, at 1.
\240\ The organization also noted that schools consenting on
behalf of parents is consistent with their in loco parentis role.
Illinois Council of School Attorneys, at 1-2.
\241\ See ANA, at 13; Association of American Publishers, at 3.
---------------------------------------------------------------------------
However, not all commenters supported a school authorization
exception, with several consumer groups, parent organizations, and
government representatives raising various concerns.\242\ For example,
a coalition of consumer groups argued that a COPPA exception aligned
with FERPA would not adequately protect children because FERPA fails to
provide a clear standard for when a party has a ``legitimate
educational interest'' as required by the school official exception.
The coalition also claimed that schools fail to adequately inform
parents about the use of FERPA's school official exception and that
most schools are ill-equipped to properly vet the privacy and security
practices of ed tech services.\243\ Another advocacy organization cited
statistics purportedly showing that schools do not comply with the
school official exception.\244\
---------------------------------------------------------------------------
\242\ See, e.g., EPIC, at 8-9 (asserting that ``[i]nstead of
putting the burden on schools to obtain and provide consent on
behalf of parents, which they are unauthorized to do under the Act,
the burden should be shifted to operators, who are in a better
position to do so given advancements in technology and greater
availability of resources, to obtain verifiable parental consent'');
Joint Consumer Groups, at 20-30; Unidos, at 6 (noting that ``cash-
strapped districts could be preyed upon by bad actors targeting
these districts by offering free or low-cost programs to gain a
foothold in schools and start collecting children's data. Many of
these companies have opaque privacy policies. Inadequately funded
school administrators and/or teachers will not likely have the
resources to advocate for better protections or do a sufficient
review to understand policies, especially in an environment where
schools are using countless apps and programs''); Illinois Families
for Public Schools, at 2 (noting that ``[p]arental consent is
especially important in the case of extremely sensitive student data
regarding children's behavior, biometrics, geolocation,
disabilities, or health conditions. As such, we disagree firmly with
the idea of amending COPPA rules to have a Family Educational Rights
and Privacy Act (FERPA)-type exception for school officials to grant
consent for the collection and use of a child's data in an
educational setting in place of a parent. The school-official
exception in FERPA has weakened its protections
[…truncated; see source link]Indexed from Federal Register on January 11, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.