Children's Online Privacy Protection Rule
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Federal Trade Commission amends the Children's Online Privacy Protection Rule (the "Rule"), consistent with the requirements of the Children's Online Privacy Protection Act. The amendments to the Rule, which are based on the FTC's review of public comments and its enforcement experience, include one new definition and modifications to several others, as well as updates to key provisions to respond to changes in technology and online practices. The amendments are intended to strengthen protection of personal information collected from children, and, where appropriate, to clarify and streamline the Rule since it was last amended in January 2013.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 76 (Tuesday, April 22, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 76 (Tuesday, April 22, 2025)]
[Rules and Regulations]
[Pages 16918-16983]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-05904]
[[Page 16917]]
Part II
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Part 312
Children's Online Privacy Protection Rule; Final Rule
[[Page 16918]]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 312
RIN 3084-AB20
Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission.
ACTION: Final rule amendments.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission amends the Children's Online
Privacy Protection Rule (the ``Rule''), consistent with the
requirements of the Children's Online Privacy Protection Act. The
amendments to the Rule, which are based on the FTC's review of public
comments and its enforcement experience, include one new definition and
modifications to several others, as well as updates to key provisions
to respond to changes in technology and online practices. The
amendments are intended to strengthen protection of personal
information collected from children, and, where appropriate, to clarify
and streamline the Rule since it was last amended in January 2013.
DATES:
Effective date: The amended Rule is effective June 23, 2025.
Compliance date: Except with respect to Sec. 312.11(d)(1), (d)(4),
and (g), regulated entities have until April 22, 2026 to comply.
ADDRESSES: The complete public record of this proceeding will be
available at <a href="http://www.ftc.gov">www.ftc.gov</a>.
FOR FURTHER INFORMATION CONTACT: James Trilling, Attorney, (202)
326-3497; Manmeet Dhindsa, Attorney, (202) 326-2877; Elizabeth Averill,
Attorney, (202) 326-2993; Andy Hasty, Attorney, (202) 326-2861; or
Genevieve Bonan, Attorney, (202) 326-3139, Division of Privacy and
Identity Protection, Bureau of Consumer Protection, Federal Trade
Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
Statement of Basis and Purpose
I. Overview and Background
A. Overview
This document states the basis and purpose for the Federal Trade
Commission's (``Commission'' or ``FTC'') decision to adopt certain
amendments to the Children's Online Privacy Protection Rule that were
proposed and published for public comment on January 11, 2024, in a
notice of proposed rulemaking (``2024 NPRM'').\1\ After careful review
and consideration of the entire rulemaking record, including public
comments submitted by interested parties, and based upon its
enforcement experience, the Commission has determined to adopt
amendments to the Children's Online Privacy Protection Rule, 16 CFR 312
(``COPPA Rule'' or ``Rule''). These amendments will update and clarify
the COPPA Rule, consistent with the requirements of the Children's
Online Privacy Protection Act (``COPPA'' or ``COPPA statute''), 15
U.S.C. 6501 et seq., to protect children's personal information and
give parents control over their children's personal information.
---------------------------------------------------------------------------
\1\ Children's Online Privacy Protection Rule, Notice of
Proposed Rulemaking, 89 FR 2034 (Jan. 11, 2024), available at
<a href="https://www.govinfo.gov/content/pkg/FR-2024-01-11/pdf/2023-28569.pdf">https://www.govinfo.gov/content/pkg/FR-2024-01-11/pdf/2023-28569.pdf</a>.
---------------------------------------------------------------------------
The final amendments to the COPPA Rule include a new definition for
Mixed audience website or online service that is intended to provide
greater clarity regarding an existing sub-category of child-directed
websites and online services under the Rule. The final amendments also
modify the definitions of Online contact information to include mobile
telephone numbers; Personal information to include government-issued
identifiers and biometric identifiers that can be used for the
automated or semi-automated recognition of an individual; Support for
the internal operations of the website or online service to clarify
that information collected for the enumerated activities in the
definition may be used or disclosed to carry out those activities; and
Website or online service directed to children to provide some examples
of evidence the Commission may consider in analyzing audience
composition and intended audience, and to adjust the third paragraph to
align with the new definition of Mixed audience website or online
service. In addition, the Commission is modifying operators'
obligations with respect to direct and online notices; information
security, deletion, and retention protocols; and FTC-approved COPPA
Safe Harbor programs' annual assessment, disclosure, and reporting
requirements. The Commission is also adopting amendments related to
parental consent requirements, methods of obtaining verifiable parental
consent, and exceptions to the parental consent requirement. The
Commission is replacing the term ``web site'' with ``website''
throughout the Rule and making other minor stylistic or grammatical
changes to the Rule that the Commission proposed in the 2024 NPRM.
In the 2024 NPRM, the Commission proposed a number of Rule
modifications relating to educational technology (``ed tech''),
including new definitions of School and School-authorized education
purpose,\2\ as well as provisions governing collection of information
from children in schools,\3\ and codifying a school authorization
exception to obtaining verifiable parental consent.\4\ In Fall 2024,
the United States Department of Education (``DOE'') affirmed its
intention to propose amendments to the Family Educational Rights and
Privacy Act (``FERPA'') regulations, 34 CFR 99, ``to update, clarify,
and improve the current regulations by addressing outstanding policy
issues, . . . and clarify[ ] provisions governing non-consensual
disclosures of personally identifiable information from education
records to third parties.'' \5\ These changes may be relevant to
provisions of the COPPA Rule related to ed tech and school
authorization that the Commission proposed in the 2024 NPRM. To avoid
making amendments to the COPPA Rule that may conflict with potential
amendments to DOE's FERPA regulations, the Commission is not finalizing
the proposed amendments to the Rule related to ed tech and the role of
schools at this time.\6\ The Commission will continue to enforce COPPA
in the ed tech context consistent with its existing guidance.\7\
---------------------------------------------------------------------------
\2\ 89 FR 2034 at 2043-2044.
\3\ Id. at 2053-2058, 2059.
\4\ Id. The Commission also asked a question about what types of
services should be considered to have an educational purpose. Id. at
2071 (Question 16).
\5\ Department of Education Fall 2024 Unified Agenda, RIN:
1875-AA15, available at <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202410&RIN=1875-AA15">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202410&RIN=1875-AA15</a>.
\6\ This approach is consistent with that taken in a prior
Commission rulemaking. See Energy Labeling Rule, Final rule, 87 FR
61465, 61466 (Oct. 12, 2022), available at <a href="https://www.federalregister.gov/documents/2022/10/12/2022-22036/energy-labeling-rule">https://www.federalregister.gov/documents/2022/10/12/2022-22036/energy-labeling-rule</a> (``In response to comments, the Commission will wait
to update television ranges until [the Department of Energy]
completes proposed test procedure changes for those products.'').
\7\ See Complying with COPPA: Frequently Asked Questions
(``COPPA FAQs''), FAQ Section N, available at <a href="https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions">https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions</a>; FTC, Policy Statement of the Federal Trade Commission on
Education Technology and the Children's Online Privacy Protection
Act (May 19, 2022), available at <a href="https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-education-technology-childrens-online-privacy-protection">https://www.ftc.gov/legal-library/browse/policy-statement-federal-trade-commission-education-technology-childrens-online-privacy-protection</a>. The Commission will
monitor and weigh future developments with respect to DOE's
potential FERPA regulation amendments in deciding whether to pursue
COPPA Rule amendments related to ed tech.
---------------------------------------------------------------------------
[[Page 16919]]
B. Background
Congress enacted COPPA in 1998. On November 3, 1999, the Commission
issued the COPPA Rule, which became effective on April 21, 2000.\8\ The
COPPA Rule imposes certain requirements on operators of websites \9\ or
online services directed to, or with actual knowledge of the collection
of personal information from, children under 13 years of age
(collectively, ``operators''). The Rule requires that operators provide
direct and online notice to parents and obtain verifiable parental
consent before collecting, using, or disclosing personal information
from children under 13 years of age.\10\ Additionally, the Rule
requires operators to provide parents the opportunity to review the
types of personal information collected from their child, delete the
collected information, and prevent further use or future collection of
personal information from their child.\11\ The Rule requires operators
to keep personal information they collect from children secure and to
maintain effective data retention and deletion protocols for that
information.\12\ The Rule prohibits operators from conditioning
children's participation in activities on the collection of more
personal information than is reasonably necessary to participate in
such activities.\13\ The Rule also includes a ``safe harbor'' provision
that allows industry groups or others to submit to the Commission for
approval self-regulatory guidelines that implement the Rule's
protections.\14\
---------------------------------------------------------------------------
\8\ Children's Online Privacy Protection Rule, Final rule, 64 FR
59888 (Nov. 3, 1999), available at <a href="https://www.federalregister.gov/documents/1999/11/03/99-27740/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/1999/11/03/99-27740/childrens-online-privacy-protection-rule</a>.
\9\ See 89 FR 2034 at 2040 for discussion of the Commission's
change from using the term ``Web site'' to ``website'' throughout the
Rule.
\10\ 16 CFR 312.3, 312.4, and 312.5.
\11\ 16 CFR 312.3 and 312.6.
\12\ 16 CFR 312.8 and 312.10.
\13\ 16 CFR 312.7.
\14\ 16 CFR 312.11.
---------------------------------------------------------------------------
In 2013, the Commission adopted changes to the COPPA Rule,
consistent with the COPPA statute, in light of changing technology and
business practices (``2013 Amendments'').\15\ Subsequent changes in how
children utilize online services led the Commission to propose in
January 2024, and now to finalize, further additional revisions to the
COPPA Rule to enable COPPA to continue to meet its goal of protecting
children online.
---------------------------------------------------------------------------
\15\ See Children's Online Privacy Protection Rule, Final Rule
Amendments, 78 FR 3972 (Jan. 17, 2013), available at <a href="https://www.federalregister.gov/documents/2013/01/17/2012-31341/childrens-online-privacy-protection-rule">https://www.federalregister.gov/documents/2013/01/17/2012-31341/childrens-online-privacy-protection-rule</a>.
---------------------------------------------------------------------------
The Commission initiated the underlying review of the COPPA Rule in
July 2019 when it published a document in the Federal Register seeking
public comment about the Rule's application to the ed tech sector,
voice-enabled connected devices, and general audience platforms that
host third-party child-directed content (``2019 Rule Review
Initiation'').\16\ In response to the 2019 Rule Review Initiation, the
Commission received more than 175,000 comments from a variety of
stakeholders, including industry representatives, content creators,
consumer advocacy groups, academics, technologists, FTC-approved COPPA
Safe Harbor programs, members of Congress, and other individual members
of the public.
---------------------------------------------------------------------------
\16\ See Request for Public Comment on the Federal Trade
Commission's Implementation of the Children's Online Privacy
Protection Rule, 84 FR 35842 (July 25, 2019), available at <a href="https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online">https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online</a>.
---------------------------------------------------------------------------
Following consideration of these comments and other feedback
received, the Commission issued the 2024 NPRM in the Federal Register
on January 11, 2024.\17\ The Commission received 279 unique responsive
comments.\18\ After carefully reviewing these additional comments, the
Commission now announces this final amended COPPA Rule.
---------------------------------------------------------------------------
\17\ 89 FR 2034.
\18\ Public comments filed in response to the 2024 NPRM are
available at <a href="https://www.regulations.gov/docket/FTC-2024-0003/comments">https://www.regulations.gov/docket/FTC-2024-0003/comments</a>.
---------------------------------------------------------------------------
II. Modifications to the Rule
A. Stylistic, Grammatical, and Punctuation Changes
In the 2024 NPRM, the Commission proposed minor revisions to the
Rule to address various stylistic, grammatical, and punctuation issues.
The Commission proposed amending the Rule to change the term ``Web
site'' to ``website'' throughout the Rule, noting that this better
aligns with the COPPA statute's use of the term, as well as how the
term is used in the marketplace.\19\ The Commission also proposed
amending Sec. 312.1 of the Rule to adjust the location of a comma.\20\
The Commission proposed two technical fixes to Sec. 312.5(c)(6) that
included adjusting Sec. 312.5(c)(6)(i) to ``protect the security or
integrity of the website or online service'' and removing the word
``be'' in Sec. 312.5(c)(6)(iv) to fix a typographical error in the
current Rule.\21\ The Commission additionally proposed making a few
edits in Sec. 312.12(b) to ensure that each reference to the support
for the internal operations of the website or online service is
consistent with the COPPA statute's use of the phrase ``support for the
internal operations of the [website] or online service.'' \22\ The
Commission did not receive any feedback from commenters regarding these
minor changes and adopts them in the final Rule.\23\
---------------------------------------------------------------------------
\19\ 89 FR 2034 at 2040. The Statement of Basis and Purpose
incorporates this change in all instances in which the current Rule
uses the term ``Web site.''
\20\ Id. at 2040.
\21\ Id. at 2059 (emphasis added).
\22\ Id. at 2064, 2076.
\23\ Additionally, the final Rule will include in Sec.
312.5(b)(viii), after ``Provided that,'' a comma that appears in the
current Rule but was inadvertently omitted from the proposed Rule
text in the 2024 NPRM. The final Rule will also include in Sec.
312.5(d)(4), before the phrase ``for each such operator,'' a comma
that was inadvertently omitted from the proposed Rule text in the
2024 NPRM. In addition, after consultation with the Office of the
Federal Register, stylistic adjustments are being made in the final
Rule that remove the phrase ``general requirements'' from the
introductory text of Sec. 312.3 and add the phrase ``of this
section'' in Sec. 312.11(c)(ii) to clarify that paragraphs (b)(2)
and (b)(3) refer to Sec. 312.11(b)(2) and (3).
---------------------------------------------------------------------------
B. Sec. 312.2: Definitions
1. Definition of ``Mixed Audience Website or Online Service''
a. The Commission's Proposal Regarding ``Mixed Audience Website or
Online Service''
The Commission proposed a new stand-alone definition for ``mixed
audience website or online service'' as ``a website or online service
that is directed to children under the criteria set forth in paragraph
(1) of the definition of website or online service directed to
children, but that does not target children as its primary audience,
and does not collect personal information from any visitor prior to
collecting age information or using another means that is reasonably
calculated, in light of available technology, to determine whether the
visitor is a child.'' \24\ The proposed definition further requires
that ``[a]ny collection of age information, or other means of
determining whether a visitor is a child, must be done in a neutral
manner that does not default to a set age or encourage visitors to
falsify age information.'' \25\ The Commission explained in the 2024
NPRM that this proposed stand-alone definition is intended to make
clearer in the Rule the existing category for ``mixed audience''
websites and online services under the Rule and to provide greater
clarity about
[[Page 16920]]
the means by which operators of mixed audience sites and services can
determine whether a user is a child.\26\
---------------------------------------------------------------------------
\24\ 89 FR 2034 at 2071.
\25\ Id.
\26\ Id. at 2048.
---------------------------------------------------------------------------
Since the Commission established the ``mixed audience'' category in
the 2013 Amendments, the Commission has viewed ``mixed audience'' sites
and services as a subset of the ``child-directed'' category of websites
or online services.\27\ Under both the current and the proposed amended
Rule, a website or online service can fall under the mixed audience
designation if it is: (1) ``child-directed'' under the Rule's multi-
factor test, and (2) does not target children as its primary
audience.\28\ The new definition does not change the established two-
step analysis used to determine whether a website or online service is
mixed audience.\29\ The threshold inquiry under the existing Rule and
the proposed new definition for ``mixed audience website or online
service'' is whether a website or online service is directed to
children, based on an evaluation of the factors set forth in the first
paragraph of the definition of ``website or online service directed to
children.'' If a website or online service is directed to children
under that analysis, then the second step in the determination of
whether a website or online service is ``mixed audience'' is to ask
whether it targets children as its primary audience. Both steps of the
analysis require consideration of a totality of the circumstances and
the factors set forth in the first paragraph of the definition of
``website or online service directed to children.''
---------------------------------------------------------------------------
\27\ 78 FR 3972 at 3983-84. Staff guidance has also addressed
this category. See COPPA FAQs, FAQ Section D.4.
\28\ When codifying this approach in 2013, the Commission noted
that it would first apply the ``totality of the circumstances''
standard set forth in paragraph (1) of the definition of website or
online service directed to children to determine whether the site or
service is directed to children, and then the Commission would
determine whether children are the primary audience for the site or
service. 78 FR 3972 at 3984.
\29\ Many commenters responding to the 2024 NPRM asked the
Commission to clarify whether the determination of whether a site or
service is mixed audience remains a two-step process or whether the
Commission is changing that process with the new definition and
related changes to the definition of ``website or online service
directed to children.'' See, e.g., U.S. Chamber of Commerce
(``Chamber''), at 7; Entertainment Software Association (``ESA''),
at 7; Interactive Advertising Bureau (``IAB''), at 12-13. The
Commission has carefully considered alternative definitions
proffered by these and other commenters, but believes the proposed
definition is sufficiently clear about the relevant two-step
analysis for identifying mixed audience websites and online
services. The Commission reiterates its earlier guidance related to
the second step of the analysis, that it ``intends the word
`primary' to have its common meaning, i.e., something that stands
first in rank, importance, or value,'' and that this will be
determined by considering the totality of the circumstances and not
through a precise audience threshold. See 78 FR 3972 at 3984 n.162.
---------------------------------------------------------------------------
Unlike other child-directed sites and services, those that do not
target children as their primary audience may decide to age screen
visitors in order to apply COPPA's protections only to visitors who
identify as under 13. Under both the current Rule and proposed stand-
alone definition for ``mixed audience website or online service,'' an
operator of a mixed audience website or online service may not collect
personal information from any visitor until it collects age information
from the visitor or uses another means that is reasonably calculated,
in light of available technology, to determine whether the visitor is
under 13. To the extent that a visitor identifies as under 13, the
operator may not collect, use, or disclose the child's personal
information without first complying with the Rule's notice and parental
consent provisions.
b. Public Comments Received in Response to the Commission's Proposal
Regarding ``Mixed Audience Website or Online Service''
The proposed stand-alone definition of ``mixed audience website or
online service'' received general support from many commenters, but
also generated many requests for clarification.\30\ For example, some
commenters asked whether the new definition is intended to expand the
scope of child-directed websites and online services.\31\ It is not.
The Commission reiterates that mixed audience websites and online
services are a subset of child-directed websites and online services,
and the proposed definition of ``mixed audience website or online
service'' does not change which websites or online services are
directed to children under the Rule.
---------------------------------------------------------------------------
\30\ See, e.g., Children and Screens: Institute of Digital Media
and Child Development (``Children and Screens''), at 6; Google, at
3; Information Technology Industry Council (``ITIC''), at 4-5;
kidSAFE Seal Program (``kidSAFE''), at 7.
\31\ See, e.g., ITIC, at 4-5; ACT | The App Association,
at 5.
---------------------------------------------------------------------------
A number of commenters asked for additional guidance about when
websites and online services will be considered general audience,
primarily child-directed, or mixed audience.\32\ The Commission directs
these commenters to earlier staff guidance, which explains that
operators should analyze who their intended audience is, who their
actual audience is, and the likely audience of their website or online
service and consider the multiple factors identified in the first
paragraph of the Rule's definition of ``website or online service
directed to children.'' \33\
---------------------------------------------------------------------------
\32\ Google, at 3 (supporting adding a stand-alone definition
for mixed audience website or online service, but stating that
``further clarity is needed on the distinction between a general
audience service or mixed audience service that `does not target
children as its primary audience' and a primarily child-directed
service''); The Toy Association, Inc. (``The Toy Association''), at
4-5 (contending that distinction between ``primarily'' and
``secondarily'' directed to children is not clear).
\33\ See COPPA FAQs, FAQ Sections D.1, D.3, and D.5.
---------------------------------------------------------------------------
Other commenters expressed concern that the new definition prevents
mixed audience websites and online services from utilizing the
exceptions to the COPPA Rule's verifiable parental consent requirement
set forth in Sec. 312.5(c).\34\ In response, the Commission clarifies
that operators of mixed audience websites and online services may
utilize the exceptions to the verifiable parental consent requirement
set forth in Sec. 312.5(c) of the Rule, as is true for operators of
child-directed websites and online services targeting children as their
primary audience. The Commission is also adding language to the
definition of ``mixed audience website or online service'' to clarify
this issue by stating that operators of such websites and online
services may not ``collect personal information from any visitor, other
than for the limited purposes set forth in Sec. 312.5(c), prior to
collecting age information or using another means . . . to determine
whether the visitor is a child.''
---------------------------------------------------------------------------
\34\ See, e.g., ESA, at 7; IAB, at 12-13.
---------------------------------------------------------------------------
One commenter urged the Commission to state that general audience
and mixed audience websites and online services containing ``kid-
friendly portions'' of content or services are not primarily child-
directed.\35\ This request for clarification is somewhat unclear, as it
is not apparent to the Commission what the commenter means by ``kid-
friendly portions.'' If a portion of a general audience website or
online service is directed to children, then the operator must treat
all visitors to that portion of the website or online service as
children.\36\ If a portion of a general
[[Page 16921]]
audience website or online service is directed to children but does not
target children as its primary audience, the operator can choose to age
screen visitors to that portion and must comply with COPPA obligations
with respect to visitors identified as under 13. Another industry
commenter contended that a general audience website or online service
``should not become a mixed audience property just because the property
does not include mature content and is presented as appropriate for
children.'' \37\ In response, the Commission notes that it agrees that
a general audience website or online service, or portion thereof, is
not necessarily child-directed merely because it includes content that
is appropriate for children and reiterates that categorization is
determined by evaluating the totality of the circumstances and the
multiple factors set forth in the definition of ``website or online
service directed to children.''
---------------------------------------------------------------------------
\35\ See Google, at 3. The commenter further suggested
``[a]bsent clear guidance on this issue, companies may choose not to
offer kid-friendly experiences or content on their service due to
the risk of the entire service being deemed primarily child-
directed.'' Id. Somewhat similarly, another industry commenter asked
the Commission to clarify that general audience websites and online
services will not be deemed to be mixed audience just because they
``host pockets of child-directed content'' and that such guidance is
essential to ``forestall general audience services from making a
Hobson's choice between age gating all users or removing children's
content from among their offerings.'' NCTA--The Internet and
Television Association (``NCTA''), at 10-11.
\36\ The statutory definition of ``website or online service
directed to children'' includes ``that portion of a commercial
website or online service that is targeted to children.'' 15 U.S.C.
6501(10)(A)(ii). The definition of ``website or online service
directed to children'' in the Rule also clearly establishes that a
portion of a website or online service may be child-directed. 16 CFR
312.2.
\37\ Privacy for America, at 7.
---------------------------------------------------------------------------
Another commenter suggested amending the definition of ``mixed
audience website or online service'' to mean ``a website or online
service that does not target children as its primary audience but where
a portion of the website or online service would satisfy the criteria
set forth in paragraph (1) of the definition of website or online
service directed to children.'' \38\ However, a portion of a website or
online service may be primarily directed to children even if the
website or online service as a whole is not. The Commission thus
declines to amend the definition of ``mixed audience website or online
service'' in response to this comment.
---------------------------------------------------------------------------
\38\ Centre for Information Policy Leadership (``CIPL''), at 8.
The Commission declines to adjust the proposed definition in this
way and believes that it would result in confusion.
---------------------------------------------------------------------------
The proposed definition of ``mixed audience website or online
service'' also included language to provide additional clarity about
how an operator of a mixed audience website or online service can
determine whether a user is a child. The Commission received a variety
of comments about this aspect of the proposed definition. Some
commenters expressed support for the flexibility built into the
Commission's proposal to permit operators of mixed audience websites or
online services to collect age information or use other reasonably
calculated means to determine whether a visitor is a child.\39\
---------------------------------------------------------------------------
\39\ See, e.g., kidSAFE, at 7 (expressing support for inclusion
of language allowing for other methods of age gating to provide
clarity and spur innovation); Google, at 3 (expressing support for
flexibility and suggesting the proposed change ``will allow
companies to leverage new and emerging age verification
mechanisms''). In the 2024 NPRM, the Commission observed that the
proposed language ``allows operators to innovate and develop
additional mechanisms that do not rely on a user's self-
declaration.'' 89 FR 2034 at 2048.
---------------------------------------------------------------------------
Other commenters raised concerns related to this aspect of the
proposed definition of ``mixed audience website or online service.''
For example, one commenter opposed references to the ``collection of
age information'' on the ground that ``collection'' implies retention
of information, which the commenter indicated should not be necessary
to achieve the goal of determining users' ages; the commenter favored
alternative age verification strategies that avoid retention of age
information.\40\ In response, the Commission notes that it disagrees
that collection of age information necessarily requires retention of
the exact age of a visitor or user,\41\ or that operators' retention of
information that a user is 12 years old, or 40 years old, would violate
the Rule. Another commenter argued the Commission should require the
use of ``privacy-protected age estimation methods to determine the
likely age of users'' rather than including an age verification
requirement that would require additional personal data collection and
management.\42\ Other commenters suggested the Rule should require
additional methods of verification when operators of mixed audience
websites or online services are relying on self-declarations to
determine whether the visitor is a child.\43\ The Commission does not
have adequate evidence from the record to assess potential benefits and
burdens associated with these alternative proposals and declines to
amend the definition to impose additional verification obligations on
operators at this time.
---------------------------------------------------------------------------
\40\ Internet Safety Labs, at 6-7.
\41\ For example, one commenter suggested operators could retain
a Boolean of ``user age under 13: Y/N.'' Internet Safety Labs, at 7.
\42\ See Electronic Privacy Information Center (``EPIC''), at 5.
\43\ See, e.g., Motley Rice, at 13 (suggesting Commission should
require COPPA-compliant measures to corroborate self-declarations of
age because of falsification risks).
---------------------------------------------------------------------------
Other commenters requested clarification about whether the proposed
definition of ``mixed audience website or online service'' permits
collection of information without first obtaining parental consent for
the purpose of determining whether a user is a child.\44\ In response,
the Commission notes that most of these commenters do not specify the
type of information they contemplate operators collecting to determine
age or what identifiers such information might be combined with.
However, one industry commenter requested that the Commission consider
an exception in the Rule allowing operators to collect personal
information such as photographs to estimate a visitor's age as
``another means'' to determine age under the proposed definition of
``mixed audience website or online service'' without triggering COPPA
compliance obligations.\45\ The Commission did not propose such an
exception to the COPPA Rule's verifiable parental consent requirement
in the 2024 NPRM and did not intend to propose one when adding the
provision for ``another means that is reasonably calculated in light of
available technology'' to the definition of ``mixed audience website or
online service.'' The Commission reiterates that the COPPA Rule applies
to ``personal information'' collected online from children.\46\ To the
extent operators collect information to determine whether a visitor is
a child from sources other than a child, such as from a reliable third-
party platform, this would not be considered collection of ``personal
information'' under the Rule.
---------------------------------------------------------------------------
\44\ See, e.g., ITIC, at 4-5; ACT | The App Association,
at 5; Consumer Technology Association, at 2. See also Google, at 3-4
(requesting exception from COPPA obligations when personal
information is collected solely to verify a user's age using
alternative age verification methods); Network Advertising
Initiative (``NAI''), at 7 (same).
\45\ Google, at 4 (``[W]e believe additional protections are
needed for companies that use alternative methods to age-screen
users. Under the existing Rule, date of birth is not considered
`personal information.' This allows companies to collect date of
birth from users in order to age-screen those users without
triggering compliance obligations under the Rule. We believe the
same protection should apply to other categories of information that
may be collected to age-screen users under the revised Rule. For
example, using selfies for age verification to estimate a user's age
(in a privacy-preserving manner, and without identifying them) may
become a more reliable age verification method than asking users to
provide their age. Under the current Rule, however, this would be
unworkable, as photos containing a child's image constitute
`personal information,' and collecting a selfie from a user under 13
would thus trigger compliance obligations.'').
\46\ See 16 CFR 312.3.
---------------------------------------------------------------------------
Another commenter suggested that the neutrality requirement for age
screening in the proposed definition ``presents considerable
challenges'' because age assurance methodologies present different
levels of accuracy and some require the collection of personal
[[Page 16922]]
information for age assurance while others do not.\47\ The commenter
further suggested the Rule should require operators to select an age
assurance methodology based on the risks and benefits of different
methods, as well as whether the privacy impact of a specific
methodology is proportionate to the level of harm being addressed or
avoided by the methodology.\48\ The Commission believes the proposed
definition provides sufficient guidance and flexibility for operators
to select from age assurance methodologies and declines to incorporate
the suggested harm-based calculation into the Rule. The Commission
agrees with commenters expressing the view that it is important to
allow operators to innovate and develop alternative, improved
mechanisms to determine age that do not rely on a visitor's self-
declaration and finds that the proposed language best accomplishes
this.
---------------------------------------------------------------------------
\47\ See CIPL, at 8-9. In response, the Commission notes that it
did not intend for the requirement that collection or other means of
determining whether a visitor is a child ``must be done in a neutral
manner'' to require that the means used must be neutral with respect
to associated risks and benefits. Instead, the Commission included
this provision to make clear that collection or other means employed
to age screen visitors must not guide visitors to a particular age
or encourage them to indicate they are over the age of 12 through
design choices, nudges, communications or site content, or in other
ways. Staff guidance has previously addressed this concern. See
COPPA FAQs, FAQ Section D.7.
\48\ See CIPL, at 8-9.
---------------------------------------------------------------------------
c. The Commission Adopts Amendments Regarding ``Mixed Audience Website
or Online Service''
After carefully considering the record and comments, and for the
reasons discussed in Part II.B.1.b of this document, the Commission is
adopting an amended version of the proposed definition of ``mixed
audience website or online service'' that includes additional language
clarifying operators of mixed audience websites and online services may
collect personal information for the limited purposes set forth in
Sec. 312.5(c) prior to determining visitor age. The Commission intends
for operators of mixed audience websites and online services to have
the same ability to utilize the exceptions to the verifiable parental
consent requirement set forth in Sec. 312.5(c) as operators of other
child-directed websites and online services.
2. Definition of ``Online Contact Information''
a. The Commission's Proposal Regarding ``Online Contact Information''
In the 2024 NPRM, the Commission proposed amending the definition
of ``online contact information'' in Sec. 312.2 of the Rule by adding
to the non-exhaustive list of identifiers that constitute online
contact information ``an identifier such as a mobile telephone number
provided the operator uses it only to send a text message.'' \49\ The
Commission proposed this amendment to allow operators to collect and
use a parent's or child's mobile phone number in certain circumstances,
including in connection with using a text message to initiate the
process of seeking verifiable parental consent.\50\ The proposed
amendment was intended to give operators another way to initiate the
process of seeking parental consent quickly and effectively.
---------------------------------------------------------------------------
\49\ 89 FR 2034 at 2040.
\50\ In the 2024 NPRM, the Commission explained the basis for
its conclusion that increased use of ``over-the-top'' messaging
platforms, which are platforms that utilize the internet instead of
a carrier's mobile network to exchange messages, means that mobile
telephone numbers now permit direct contact with a person online and
therefore can be treated as online contact information consistently
with the COPPA statute. See 89 FR 2034 at 2041.
---------------------------------------------------------------------------
b. Public Comments Received in Response to the Commission's Proposal
Regarding ``Online Contact Information''
A substantial majority of commenters addressing the proposed
amendment to the definition supported it.\51\ Supporters suggested that
permitting operators to utilize text messages to facilitate the process
of seeking verifiable parental consent is appropriate given the
increased utilization of text messaging and mobile phones in the United
States.\52\ Commenters also suggested that mobile communication
mechanisms are more likely than some other approved consent methods to
result in operators reaching parents for the desired purpose of
providing notice and obtaining consent, and that sending a text message
may be one of the most direct and frictionless methods of contacting a
parent.\53\
---------------------------------------------------------------------------
\51\ See, e.g., Future of Privacy Forum, at 2-3; Computer and
Communications Industry Association (``CCIA''), at 2-3; Association
of National Advertisers (``ANA''), at 15-16; The Toy Association, at
2; Chamber, at 4; EPIC, at 4; kidSAFE, at 2; Epic Games, Inc.
(``Epic Games''), at 4-5; Consumer Technology Association, at 2-3;
Consumer Reports, at 3; Children and Screens, at 3; M. Bleyleben, at
1-2; TechNet, at 3; Software and Information Industry Association
(``SIIA''), at 3. See also, e.g., ITIC, at 2 (supporting permitting
operators to send text messages to parents for the purpose of
initiating verifiable parental consent); Advanced Education Research
and Development Fund, at 8 (same); BBB National Programs/Children's
Advertising Review Unit (``CARU''), at 2-3 (asserting that the
benefits of operators contacting parents via text messages likely
outweigh the security risks).
\52\ See, e.g., CCIA, at 2-3; ANA, at 16; Epic Games, at 4;
SIIA, at 3; Consumer Reports, at 3.
\53\ See, e.g., kidSAFE, at 2 (suggesting proposed change ``will
greatly alleviate the burden of operators initiating a parental
consent flow . . . and increase the chances of the parent actually
receiving and completing the consent request''); CARU, at 2-3
(permitting use of text messages to initiate verifiable parental
consent may improve ease and accessibility); CCIA, at 3 (suggesting
text messages are ``one of the most direct and frictionless
verifiable methods for contacting a parent to provide notice or
obtain consent''); Epic Games, at 4 (asserting proposal will enhance
operators' ability to connect with parents and ``text messaging
appears to be a common and trusted platform among consumers''); M.
Bleyleben, at 1-2 (``Allowing operators to communicate with parents
via mobile messaging will broaden access and reduce friction for
parents to provide parental consent (thereby also reducing
incentives for children to circumvent the age gate).'').
---------------------------------------------------------------------------
While not clearly opposing the proposal, one FTC-approved COPPA
Safe Harbor program, Privacy Vaults Online, Inc. (``PRIVO''), suggested
that the use of text messages to seek parental consent might make it
more difficult for parents to recognize senders, review disclosures,
and contact the operator if they subsequently decide to withdraw
consent.\54\ In response, the Commission notes that these issues can
also be challenges associated with other methods of communication, such
as email. PRIVO further suggested children's provision of parents'
mobile telephone numbers may expose parents to increased data mining
and profiling because, while many adults have multiple email accounts,
they frequently have only one mobile telephone number, thereby enabling
use of the number to profile an individual.\55\ In response, the
Commission notes that Sec. 312.5(c)(1) restricts the purpose for which
online contact information can be collected under that exception to
providing notice and obtaining parental consent.\56\ Although mindful
of the concerns raised by commenters, the Commission finds that
parents' mobile telephone numbers are likely an effective way to reach
parents and believes these concerns are outweighed by the strong
interest in facilitating effective communication between operators and
parents to initiate the process of seeking and obtaining consent.
---------------------------------------------------------------------------
\54\ Privacy Vaults Online, Inc. (``PRIVO''), at 3-4.
\55\ Id. at 2-3. PRIVO did not provide specific evidence to
assess these potential impacts.
\56\ 16 CFR 312.5(c)(1) (``Where the sole purpose of collecting
the name or online contact information of the parent or child is to
provide notice and obtain parental consent under Sec.
312.4(c)(1).'') (emphasis added).
---------------------------------------------------------------------------
A minority of commenters opposed the proposal to amend the
definition of ``online contact information.'' \57\
[[Page 16923]]
Commenters opposing the proposed amendment generally cited possible
security risks for recipients of text messages related to malicious
links and phishing.\58\ However, more commenters addressing this issue
suggested that the use of email messages to initiate the verifiable
parental consent process poses comparable security risks.\59\ A number
of commenters suggested that operators could take steps to reduce such
security risks.\60\ Based on the record, the Commission believes that
the security risks associated with initiating the process of seeking
verifiable parental consent via text message are comparable to the
risks associated with initiating the verifiable parental consent
process via other communication methods, such as email. The Commission
expects that operators will take steps to reduce security risks to
recipients of text messages.
---------------------------------------------------------------------------
\57\ Internet Safety Labs, at 3; Parent Coalition for Student
Privacy, at 11. Commenters also addressed potential security risks
in response to Question Three in the ``Questions for the Proposed
Revisions to the Rule'' section of the 2024 NPRM. See 89 FR 2034 at
2069 (Question 3).
\58\ See, e.g., Parent Coalition for Student Privacy, at 11;
Internet Safety Labs, at 3 (suggesting proposed change would
facilitate phishing). Other commenters that supported, or did not
explicitly oppose, the addition of mobile telephone numbers as a
category of online contact information in order to permit operators
to use text messages to initiate verifiable parental consent noted
some of the same potential security risks. See, e.g., City of New
York Office of Technology and Innovation (``NYC Technology and
Innovation Office''), at 3 (citing increased risk of malicious text
messages or ``smishing''); B. Hills, at 5 (expressing concern about
increased risk of scams with malicious verification links).
\59\ See, e.g., Consumer Reports, at 3 (suggesting risks
associated with the use of text messages are not appreciably
stronger than the risks with existing contact methods such as
email); Future of Privacy Forum, at 2 (suggesting risks associated
with the use of text messages are no greater than with the use of
existing contact methods such as email); Epic Games, at 4
(suggesting security risks associated with use of text messages are
relatively low and not higher or worse than those associated with
the use of email); M. Bleyleben, at 2 (same). One of these
commenters suggested that security risks can be mitigated because
parents can check with their children to determine if they initiated
the process before proceeding. See Future of Privacy Forum, at 2.
\60\ See SIIA, at 14 (suggesting security risk is minimal and
can be ameliorated); Heritage Foundation, at 1 (suggesting risks of
undetected spam from text may be higher than email, but platforms
could employ methods that avoid risks associated with recipients
clicking on links). See also kidSAFE, at 2 (asserting that, if the
Commission approved the use of text messages to obtain verifiable
parental consent, the inputting of a code received in a text message
could mitigate risks associated with clicking on malicious links in
text messages).
---------------------------------------------------------------------------
Some commenters suggested that sending text messages to mobile
telephone numbers without the consent of mobile telephone subscribers
might have the potential to conflict with Federal and State laws
related to text messaging \61\ and warned that operators might rely on
a Commission rule (the potentially amended COPPA Rule) permitting the
collection of mobile telephone numbers without a full appreciation of
other regulatory requirements related to sending text messages.\62\
While not opposing the proposal, one such commenter contended that the
Telephone Consumer Protection Act, the National Do-Not-Call Registry,
and an Oklahoma statute ``all require prior express consent of the
recipient to receive various types of text messages, including
marketing messages.'' \63\ The commenter further indicated there is
some uncertainty about what constitutes a commercial or marketing
message under existing laws, and that it is not clear that children can
legally consent on behalf of a parent to the transmission of a text
message to a parent's mobile phone number.\64\ The Commission agrees
that it is important for operators and others to carefully consider,
and comply with, all applicable State and Federal laws when making
decisions about whether and how to collect and use mobile telephone
numbers.\65\ The analysis of relevant factual considerations and laws
that commenters provided on this issue was limited, but the Commission
believes these comments potentially overstate the degree of conflict
and expects the content of text messages as well as other decisions
related to implementation likely would be important in complying with
legal obligations.
---------------------------------------------------------------------------
\61\ Chamber, at 4 (asking Commission to verify that collection
and use of mobile phone number provided by children to contact
parents to start notice and consent process will not violate
relevant Federal or State laws); The Toy Association, at 2 (alluding
to possible conflict between proposed collection and use of mobile
phone numbers under the Rule and the Telephone Consumer Protection
Act and related State laws).
\62\ PRIVO, at 4.
\63\ Id. at 2. See also The Toy Association, at 2.
\64\ PRIVO, at 2. PRIVO also suggested parents will not
recognize numbers associated with such text messages, which could
lead parents to decide not to provide consent or might make it
difficult for parents to know how to change their consent decision
or request review of their children's data later. Id. at 3.
\65\ The Commission notes that many States have enacted laws
regulating commercial text messages. See, e.g., Conn. Gen. Stat.
sec. 42-288a; Fla. Stat. sec. 501.059; Wash. Rev. Code sec.
19.190.060 et seq.
---------------------------------------------------------------------------
At least one commenter expressed confusion about whether the
Commission intended the proposed Rule amendments to constitute approval
of operators' use of text messages to obtain verifiable parental
consent.\66\ Other commenters encouraged the Commission to approve text
messaging as a mechanism for obtaining verifiable parental consent.\67\
In response, the Commission clarifies that it is amending the
definition of ``online contact information'' and has decided to make a
related amendment to Sec. 312.5(b)(2) of the Rule discussed in Part
II.D.7. That amendment to Sec. 312.5(b)(2) will permit operators to
send text messages to parents to initiate the process of seeking
verifiable parental consent, provide direct notice to the parent, and
obtain verifiable parental consent, in situations where a child's
personal information is not being disclosed, consistent with a new
``text plus'' verifiable parental consent method the Commission is
approving and adding as Sec. 312.5(b)(2)(ix).
---------------------------------------------------------------------------
\66\ See Entertainment Software Rating Board (``ESRB''), at 22-
23.
\67\ See, e.g., Program on Economics & Privacy at Scalia Law
School and Brechner Center for the Advancement of the First
Amendment at University of Florida (``Scalia Law School Program on
Economics & Privacy and University of Florida Brechner Center''), at
2; TechNet, at 3-4; Consumer Technology Association, at 3; Privacy
for America, at 10-11; ANA, at 15-16; ACT | The App
Association, at 7.
---------------------------------------------------------------------------
The Commission is also adjusting the definition of ``online contact
information'' proposed in the 2024 NPRM to limit the use of mobile
telephone numbers, in the absence of verifiable parental consent, to
purposes related to obtaining verifiable parental consent. In the 2024
NPRM, the Commission discussed the importance of avoiding situations
where mobile telephone numbers collected from children would be used to
make voice calls to children without parental consent. After carefully
considering the record and comments, the Commission has adjusted the
proposed language to prevent situations where operators are utilizing
mobile telephone numbers collected from a child for purposes unrelated
to obtaining verifiable parental consent.\68\
---------------------------------------------------------------------------
\68\ At least one commenter requested clarification as to
whether the amendment to the ``online contact information''
definition proposed in the 2024 NPRM was intended to allow operators
to use mobile telephone numbers for other purposes set forth in
Sec. 312.5(c) of the Rule. kidSAFE, at 2. The Commission did not
intend such a result and is therefore modifying the proposed
amendment to the definition. For example, the Commission wants to
avoid situations where operators use mobile telephone numbers to
contact a child multiple times through either text messages or voice
calls without verifiable parental consent.
---------------------------------------------------------------------------
c. The Commission Adopts Amendments Regarding ``Online Contact
Information''
After carefully considering the record and comments, and for the
reasons discussed in Part II.B.2.b of this document, the Commission has
decided to adopt an amended version of the
[[Page 16924]]
proposed addition to the definition of ``online contact information''
to include ``or a mobile telephone number provided the operator uses it
only to send text messages to a parent in connection with obtaining
parental consent.''
3. Definition of ``Personal Information''
The COPPA statute and the COPPA Rule define ``personal
information'' as individually identifiable information about an
individual collected online, including, for example, a first and last
name, an email address, or a Social Security number. The COPPA statute
also authorizes the Commission to include within the COPPA Rule's
definition of personal information ``any other identifier that the
Commission determines permits the physical or online contacting of a
specific individual.'' \69\ Accordingly, as discussed in Part II.B.3.a
and b, the Commission has decided to include biometric identifiers in
the definition of ``personal information''. However, in response to
comments, the Commission is adopting a modified version of the
definition proposed in the 2024 NPRM.
---------------------------------------------------------------------------
\69\ 15 U.S.C. 6501(8)(F).
---------------------------------------------------------------------------
a. The Commission's Proposal Regarding ``Personal Information''
In the 2024 NPRM, the Commission proposed using its statutory
authority to expand the Rule's coverage by amending the definition of
personal information to include ``[a] biometric identifier that can be
used for the automated or semi-automated recognition of an individual,
including fingerprints or handprints; retina and iris patterns; genetic
data, including a DNA sequence; or data derived from voice data, gait
data, or facial data.'' \70\ The Commission explained this proposed
amendment is intended to ensure that the Rule is keeping pace with
technological developments that facilitate increasingly sophisticated
means of identifying individuals.\71\ The Commission has determined
that biometric recognition technologies have rapidly advanced since the
2013 Amendments to the Rule,\72\ and biometric identifiers such as
fingerprints, handprints, retina and iris patterns, and DNA sequences
can be used to identify and contact a specific individual either
physically or online.\73\
---------------------------------------------------------------------------
\70\ See 89 FR 2034 at 2041.
\71\ Id.
\72\ Id. For example, the National Institute of Standards and
Technology (``NIST'') found that, between 2014 and 2018, facial
recognition became 20 times better at finding a matching photograph
from a database. See NIST, Ongoing Face Recognition Vendor Test
(FRVT) Part 2: Identification (2018), at 6, available at <a href="https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8238.pdf">https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8238.pdf</a>. See also U.S.
Government Accountability Office, Biometric Identification
Technologies: Considerations to Address Information Gaps and Other
Stakeholder Concerns (Apr. 2024), at 1, available at <a href="https://www.gao.gov/assets/gao-24-106293.pdf">https://www.gao.gov/assets/gao-24-106293.pdf</a> (observing that use of facial
and iris recognition technologies to conduct and automate
identification has become ``increasingly common in both the public
and private sectors''); NIST, Press Release, NIST Evaluation Shows
Advance in Face Recognition Software's Capabilities (Nov. 30, 2018),
available at <a href="https://www.nist.gov/news-events/news/2018/11/nist-evaluation-shows-advance-face-recognition-softwarescapabilities">https://www.nist.gov/news-events/news/2018/11/nist-evaluation-shows-advance-face-recognition-softwarescapabilities</a>.
\73\ See U.S. Government Accountability Office, Facial
Recognition Technology: Current and Planned Uses by Federal Agencies
(Aug. 2021), at 3, available at <a href="https://www.gao.gov/assets/gao-21-526.pdf">https://www.gao.gov/assets/gao-21-526.pdf</a> (citing biometric technologies used to identify individuals
by measuring and analyzing physical and behavioral characteristics,
including faces, fingerprints, eye irises, voice, and gait). The
Commission notes that law enforcement authorities and agencies are
using a variety of biometric-based technologies to identify and
contact individuals. For example, the FBI has stated that its Next
Generation Identification utilizes fingerprints, palm prints, and
facial recognition to identify individuals of interest in criminal
investigations, and that it is developing a repository of iris
images. See FBI Law Enforcement Resources, available at <a href="https://le.fbi.gov/science-and-lab/biometrics-and-fingerprints/biometrics/next-generation-identification-ngi">https://le.fbi.gov/science-and-lab/biometrics-and-fingerprints/biometrics/next-generation-identification-ngi</a>. See also U.S. Government
Accountability Office, Facial Recognition Technology: Federal Law
Enforcement Agencies Should Better Assess Privacy and Other Risks
(June 2021) (surveying use of facial recognition technology by
twenty Federal agencies). The FBI reported that its Combined DNA
Index System included 20 million DNA profiles in 2021, and it is
used to link crime scene evidence to other cases or to persons
already convicted of or arrested for specific crimes. See FBI
National Press Office, The FBI's Combined DNA Index System (CODIS)
Hits Major Milestone (May 21, 2021), available at
https://www.fbi.gov/news/press-releases/the-fbis-combined-dna-index-system-codis-hits-major-milestone#:~:text=May%2021,%202021.%20The%20FBI%E2%80%99s%20Combined%20DNA%20Index%20System%20(CODIS).
---------------------------------------------------------------------------
b. Public Comments Received in Response to the Commission's Proposal
Regarding ``Personal Information''
Many commenters expressed general support for amending the Rule's
definition of personal information to include biometric
identifiers.\74\ Supportive commenters emphasized the uniquely personal
nature of biometric identifiers and noted that there are particularly
compelling privacy interests in protecting such sensitive data.\75\
Moreover, unlike certain other identifiers, such as email addresses,
telephone numbers, or first and last names, biometric identifiers are
generally immutable.\76\ Commenters also expressed concern about the
fact that the expanded collection of biometric data from children
online \77\ and from wearable devices with sensor technology \78\
increases the risk of abuse and sale of such data. Commenters discussed
the potential for biometric data to be combined with other persistent
identifiers such as IP addresses or device IDs to identify specific
individuals \79\ and also cited concerns about tools utilizing machine
learning or artificial intelligence being used to duplicate and misuse
such data.\80\ A children's advocates coalition
[[Page 16925]]
expressed concern about the ``unreasonable unnecessary collection of
biometric information for mass profiling, neuromarketing, targeted
advertising, advanced behavioral analytics, behavioral advertising . .
. product improvement, and engagement maximization.'' \81\ Commenters
also highlighted harms related to the misuse of biometric data to
impersonate individuals through deepfake technologies,\82\ and the
particularly grave harms associated with child sexual abuse material
generated using such biometric data.\83\ The Commission finds these
concerns compelling. A principal benefit to including biometric
identifiers in the definition of personal information is to protect
children under 13 from the misuse of this immutable and particularly
sensitive information, which can potentially be used to identify a
child for the rest of their life. While it is impossible to quantify,
the Commission considers protecting children under 13 from the
potential misuse of this highly sensitive information to be a
significant benefit of the proposed amendment.
---------------------------------------------------------------------------
\74\ See, e.g., B. Hills, at 4; Common Sense Media, at 13; S.
Winkler, at 1; Children and Screens, at 5; NYC Technology and
Innovation Office, at 1-2; Lawyers' Committee for Civil Rights Under
Law (``Lawyers' Committee''), at 6; EPIC, at 4; Internet Safety
Labs, at 4; Mental Health America, at 4-5; American Civil Liberties
Union (``ACLU''), at 13; Center for AI and Digital Policy, at 5;
IEEE Consortium for Innovation and Collaboration in Learning
Engineering (``IEEE Learning Engineering Consortium''), at 5; Parent
Coalition for Student Privacy, at 12; PRIVO, at 4; Attorneys General
of Oregon, Illinois, Mississippi, Tennessee, Alabama, Alaska,
Arizona, Arkansas, California, Colorado, Connecticut, Delaware,
District of Columbia, Florida, Georgia, Hawaii, Indiana, Kentucky,
Maine, Maryland, Massachusetts, Michigan, Minnesota, Nebraska,
Nevada, New Hampshire, New Jersey, New Mexico, New York, North
Carolina, Ohio, Oklahoma, Pennsylvania, Puerto Rico, Rhode Island,
South Carolina, South Dakota, Utah, Vermont, Virgin Islands,
Virginia, Washington, and Wisconsin (``State Attorneys General
Coalition''), at 2-3; Consortium for School Networking, at 3; Center
for Democracy and Technology (``CDT''), at 5; Google, at 3; Consumer
Reports, at 4; Center for Digital Democracy, Fairplay, American
Academy of Pediatrics, Berkeley Media Studies Group, Children and
Screens: Institute of Digital Media and Child Development, Consumer
Federation of America, Center for Humane Technology, Eating
Disorders Coalition for Research, Policy, & Action, Issue One,
Parents Television and Media Council, and U.S. PIRG (``Children's
Advocates Coalition''), at 58; Data Quality Campaign, at 3.
\75\ See, e.g., Children and Screens, at 5; NYC Technology and
Innovation Office, at 1-2; Lawyers' Committee, at 6; Consortium for
School Networking, at 3; Consumer Reports, at 4-5; ACLU, at 13; Data
Quality Campaign, at 3.
\76\ See, e.g., Mental Health America, at 4 (``Biometric
identifiers are generally immutable and could potentially be used to
identify a child for the rest of their life.''); NYC Technology and
Innovation Office, at 1 (``A person cannot easily alter, if at all,
their fingerprints, ocular scans, facial features, or genetic data.
This makes biometric information particularly sensitive. . .[.]'');
ACLU, at 13 (noting that ``biometrics are inherently personally
identifying and generally immutable''); Data Quality Campaign, at 3
(``The immutable nature of biometrics means improper access or use
can permanently expose children to unwanted risks.'').
\77\ See, e.g., State Attorneys General Coalition, at 3;
Children's Advocates Coalition, at 58-60.
\78\ See, e.g., State Attorneys General Coalition, at 3
(discussing increased use of wearable devices with sensors and
noting that ``[t]he prevalence of the collection and use of this
type of data--from using a fingerprint to unlock a device to
wearable sensors--has resulted in a heightened risk of abuse and
sale of this type of data, data that is often immutable and
permanently tied to the individual''); Children's Advocates
Coalition, at 59 (discussing collection of biometric data by large
platforms and virtual reality products and services).
\79\ See State Attorneys General Coalition, at 3.
\80\ See, e.g., Center for AI and Digital Policy, at 4-5; S.
Winkler, at 1. See also Comment of the Federal Trade Commission In
the matter of: Implications of Artificial Intelligence Technologies
on Protecting Consumers from Unwanted Robocalls and Robotexts, Fed.
Commc'ns Comm'n CG Docket No. 23-362 (July 29, 2024) (describing
some of the FTC's efforts to address the emergence of new
technologies powered by artificial intelligence, particularly those
related to voice cloning), available at <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/FTC-Comment-VoiceCloning.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/FTC-Comment-VoiceCloning.pdf</a>.
\81\ See Children's Advocates Coalition, at 60.
\82\ See, e.g., Center for AI and Digital Policy, at 5; S.
Winkler, at 1. See also DHS Public-Private Analytic Exchange
Program, Increasing Threats of Deepfake Identities, at 9-18, 22-25
(discussing how deepfakes using biometric data are made and their
use in non-consensual pornography and cyberbullying), available at
<a href="https://www.dhs.gov/sites/default/files/publications/increasing_threats_of_deepfake_identities_0.pdf">https://www.dhs.gov/sites/default/files/publications/increasing_threats_of_deepfake_identities_0.pdf</a>.
\83\ See Center for AI and Digital Policy, at 5.
---------------------------------------------------------------------------
A number of commenters that generally supported adding in the
definition of personal information a new provision for biometric data
encouraged the Commission to consider expanding the biometric
identifier provision in the definition of personal information beyond
what the Commission proposed in the 2024 NPRM.\84\ For example, one
commenter encouraged the Commission to consider adding more examples of
biometric identifiers such as electroencephalogram patterns used in
brain-computer interfaces, heart rate patterns, or behavioral
biometrics such as typing patterns or mouse movements.\85\ Some
consumer groups suggested the Commission should expand the provision to
include any information derived from biometric data.\86\ Another
suggestion was that the Commission broaden the provision to make it
consistent with the Commission's definition of the term ``biometric
information'' in a recent Commission policy statement.\87\ A coalition
of State attorneys general urged the Commission to consider language
that would include ``imagery of the iris, retina, fingerprint, face,
hand, palm, vein patterns, and voice recordings (from which an
identifier template such as a faceprint, a minutiae template, or a
voiceprint, can be extracted), genetic data, or other unique
biological, physical, or behavioral patterns or characteristics,
including data generated by any of these data points.'' \88\
---------------------------------------------------------------------------
\84\ In Question Five in the ``Questions for the Proposed
Revisions to the Rule'' section of the 2024 NPRM, the Commission
asked commenters to address whether it should consider including any
additional biometric identifier examples beyond those listed in the
proposed definition. 89 FR 2034 at 2070 (Question 5).
\85\ IEEE Learning Engineering Consortium, at 5. See also Parent
Coalition for Student Privacy, at 12 (recommending expanding the
proposed list of biometric identifiers to include keystroke
dynamics); B. Hills, at 4 (recommending adding vein recognition);
Internet Safety Labs, at 4 (recommending adding typing cadence);
State Attorneys General Coalition, at 2-3. Some commenters proposed
adding sensitive categories of information such as student
behavioral data, health data, and geolocation data to the definition
of personal information. See, e.g., K. Blankinship, at 1; State
Attorneys General Coalition, at 3. The Commission notes that at
least some forms of student behavioral data and health data
currently receive protection under the United States Department of
Education's Family Educational Rights and Privacy Act Regulations,
34 CFR part 99, and the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191. Moreover, the
definition of personal information already includes geolocation data
that is sufficient to identify street name and name of a city or
town, which is the geolocation data that is most likely to permit
identifying and contacting a specific child. See 78 FR 3972 at 3982-
3983 (discussing personal information definition's coverage of
geolocation data).
\86\ See, e.g., Children's Advocates Coalition, at 58; Mental
Health America, at 4.
\87\ Center for AI and Digital Policy, at 5 (discussing Policy
Statement of the Federal Trade Commission on Biometric Information
and section 5 of the Federal Trade Commission Act).
\88\ State Attorneys General Coalition, at 2.
---------------------------------------------------------------------------
For a variety of reasons, a significant number of industry group
and other commenters opposed the biometric identifier provision
proposed in the 2024 NPRM.\89\ Commenters argued the proposal exceeds
the Commission's statutory authority because the Commission has not
established that the biometric identifiers enumerated in the 2024 NPRM
proposal enable the physical or online contacting of a specific
child.\90\ The Commission disagrees. As explained in this Part, 15
U.S.C. 6501(8)(F) provides that ``[t]he term `personal information'
means individually identifiable information about an individual
collected online, including . . . any . . . identifier that the
Commission determines permits the physical or online contacting of a
specific individual,'' and for several reasons, the Commission has
determined that biometric information permits the physical or online
contacting of a specific individual.
---------------------------------------------------------------------------
\89\ See, e.g., R Street Institute, at 1-2; ITIC, at 2; CIPL, at
4-5; ESA, at 9-11; SIIA, at 4, 15; ACT | The App Association,
at 4-5; Chamber, at 3; IAB, at 2-5; NCTA, at 5-6; NetChoice, at 3-4;
Information Technology and Innovation Foundation (``ITIF''), at 3;
CCIA, at 3-4; ANA, at 10; Privacy for America, at 14-15; Epic Games,
at 7-8.
\90\ See, e.g., ESA, at 9-11; NCTA, at 5; CCIA, at 3. See also
NetChoice, at 3-4 (suggesting the Commission has not demonstrated
that biometric data is being misused in ways that allow contact with
children).
---------------------------------------------------------------------------
The Commission notes that the proposed expansion of the definition
of personal information to include biometric identifiers appropriately
responds to marketplace developments such as the increasingly common
use of technologies relying on facial recognition, retina or iris
imagery, or fingerprints to allow individuals to unlock mobile devices
and to access accounts or facilities,\91\ and that enable companies to
identify and contact a specific individual. Genetic data, particularly
when combined with other personal information, can also be used to
identify and, in some circumstances,
[[Page 16926]]
contact a specific individual.\92\ Gait \93\ and other movement
patterns \94\ can also be used to identify and contact specific
individuals and are an increasing concern with the growth of virtual
reality products and services. The Commission also expects that
biometric identifiers, particularly when combined with increasingly
sophisticated methods of consumer profiling, potentially could be used
to track and deliver targeted advertisements to specific children
online, which would constitute online contact.\95\ Accordingly,
biometric identifiers are appropriately included in the definition of
``personal information.''
---------------------------------------------------------------------------
\91\ See ACT | The App Association, at 4 (noting that
many new apps collect biomarkers such as voice, facial features, and
fingerprints in some form). See also R.L. German & K.S. Barber,
Current Biometric Adoption and Trends (November 2016), at 2-13
(analyzing adoption of biometric authentication between 2004 and
2016 and concluding that rapid expansion of biometric technologies
has led to similar explosion in biometric services and
applications), available at <a href="https://identity.utexas.edu/sites/default/files/2020-09/Current%20Biometric%20Adoption%20and%20Trends.pdf">https://identity.utexas.edu/sites/default/files/2020-09/Current%20Biometric%20Adoption%20and%20Trends.pdf</a>; H. Kelly,
Fingerprints and Face Scans Are the Future of Smartphones. These
Holdouts Refuse to Use Them, Washington Post (Nov. 15, 2019),
available at <a href="https://www.washingtonpost.com/technology/2019/11/15/fingerprints-face-scans-are-future-smartphones-these-holdouts-refuse-use-them/">https://www.washingtonpost.com/technology/2019/11/15/fingerprints-face-scans-are-future-smartphones-these-holdouts-refuse-use-them/</a>; National Retail Federation, 2023 National Retail
Survey (Sept. 26, 2023), at 18 (stating that 40% of retail survey
respondents were researching, piloting, or implementing either
facial recognition or feature-matching technologies to address loss
prevention and other security concerns), available at <a href="https://nrf.com/research/national-retail-security-survey-2023">https://nrf.com/research/national-retail-security-survey-2023</a>.
\92\ See, e.g., S.Y. Rojahn, Study Highlights the Risk of
Handing Over Your Genome: Researchers found they could tie people's
identities to supposedly anonymous genetic data by cross referencing
it with information available online, MIT Technology Review (Jan.
17, 2013), available at <a href="https://www.technologyreview.com/2013/01/17/180448/study-highlights-the-risk-of-handing-over-your-genome/">https://www.technologyreview.com/2013/01/17/180448/study-highlights-the-risk-of-handing-over-your-genome/</a>;
Natalie Ram, America's Hidden National DNA Database, 100 Texas Law
Review, Issue 7 (July 2022) (discussing growth of investigative
genetic genealogy searches using private platforms and surveying
State law policies related to potential law enforcement access to
newborn genetic screening samples), available at <a href="https://texaslawreview.org/americas-hidden-national-dna-database/">https://texaslawreview.org/americas-hidden-national-dna-database/</a>.
\93\ L. Topham et al., Gait Identification Using Limb Joint
Movement and Deep Machine Learning, IEEE Access (Sept. 19, 2022),
available at <a href="https://ieeexplore.ieee.org/document/9895247">https://ieeexplore.ieee.org/document/9895247</a>; D. Kang,
Chinese `gait recognition' tech IDs people by how they walk,
Associated Press (Nov. 6, 2018), available at <a href="https://apnews.com/article/bf75dd1c26c947b7826d270a16e2658a">https://apnews.com/article/bf75dd1c26c947b7826d270a16e2658a</a>.
\94\ See V. Nair et al., Unique Identification of 50,000+
Virtual Reality Users from Head & Hand Motion Data (Feb. 17, 2023),
at 1 (reporting results showing virtual reality users can be
uniquely and reliably identified out of a pool of over 50,000
candidates with 94.33% accuracy based on 100 seconds of head and
hand motion data), available at <a href="https://arxiv.org/pdf/2302.08927">https://arxiv.org/pdf/2302.08927</a>.
\95\ The plain meaning of ``contact'' is broader than just an
email or other communication, and the legislative history of the
COPPA statute also supports a broad interpretation of the term. At
the time of adoption, Senator Bryan noted that the term ``is not
limited to email, but also includes any other attempts to
communicate directly with a specific, identifiable individual.'' See
144 Cong. Rec. S12741-04, S12787 (1998) (statement of Senator
Bryan).
---------------------------------------------------------------------------
Other commenters objecting to the proposed biometric identifier
provision argued that it is inconsistent with the COPPA statute because
the enumerated biometric identifiers do not necessarily identify a
specific individual.\96\ In response, the Commission notes that the
Rule's definition of personal information is consistent with the COPPA
statute because it remains expressly limited to ``individually
identifiable information about an individual,'' and the proposed
provision for ``biometric identifier'' only includes ``a biometric
identifier that can be used for the automated or semi-automated
recognition of an individual.'' Further, the Commission finds that the
biometric identifiers listed as examples in the proposed definition can
be used to identify specific individuals.\97\
---------------------------------------------------------------------------
\96\ See, e.g., ITIF, at 3. Some generally supportive commenters
also emphasized the importance of ensuring that the definition only
includes biometric identifiers that can be used to identify and
contact a specific child. See, e.g., Common Sense Media, at 13; The
Toy Association, at 3.
\97\ For example, a recent GAO Report found that ``a wide range
of technologies [ ] can be used to verify a person's identity by
measuring and analyzing biological and behavioral characteristics''
and specifically mentioned facial data, fingerprints, iris, voice,
hand geometry, and gait. See U.S. Government Accountability Office,
Biometric Identification Technologies: Considerations to Address
Information Gaps and Other Stakeholder Concerns (April 2024), at 4-
5, available at <a href="https://www.gao.gov/assets/gao-24-106293.pdf">https://www.gao.gov/assets/gao-24-106293.pdf</a>. See
also A.K. Jain et al., 50 years of biometric research:
Accomplishments, challenges, and opportunities, Pattern Recognition
Letters, Volume 79 (Aug. 2016), at 80-83, available at <a href="https://www.sciencedirect.com/science/article/abs/pii/S0167865515004365">https://www.sciencedirect.com/science/article/abs/pii/S0167865515004365</a>.
---------------------------------------------------------------------------
Commenters also encouraged the Commission to consider the costs and
benefits of constraining the collection and use of biometric
identifiers,\98\ including considering the impact the proposed
biometric identifier provision would have on innovation and on
beneficial uses such as security and authentication features.\99\ In
response, the Commission notes that the commenters raising these and
similar concerns did not provide information or evidence quantifying
the potential costs and impacts associated with adding the new
biometric identifier provision to the personal information definition.
The amendment does not impact the collection or use of biometric
identifiers from users over the age of 12. Because the proposed
biometric identifier provision only requires that covered operators
provide appropriate notice and obtain verifiable parental consent
before collecting, using, or disclosing this sensitive data from
children, it is not clear that the proposed provision would
significantly interfere with innovation or beneficial uses of biometric
identifiers. However, in consideration of these and other comments, the
Commission has decided to adopt a modified version of the biometric
identifier provision proposed in the 2024 NPRM.
---------------------------------------------------------------------------
\98\ See, e.g., ITIC, at 2 (suggesting expansion of personal
information to include biometric data requires a detailed assessment
of costs and benefits, including impacts on innovation, and that
additional work is required to ensure that any inclusion of
biometric data is narrowly tailored to clear, evidenced harms); IEEE
Learning Engineering Consortium, at 5 (recommending that the
Commission periodically review the list of biometric identifiers in
the definition to make sure it remains comprehensive and relevant
and consider the context in which biometric identifiers are being
collected and used).
\99\ See, e.g., kidSAFE, at 4 (discussing use of biometric data
for security purposes); ACT | The App Association, at 4
(expressing general concern about the provision's impact on
innovation); ITIF, at 2 (same).
---------------------------------------------------------------------------
Some commenters urged the Commission to consider adjusting the
language proposed in the 2024 NPRM to reduce perceived inconsistencies
between the proposed biometric identifier provision and various State
laws and industry standards.\100\ For example, one industry commenter
indicated the term ``biometric identifier'' is not commonly used in
other laws and regulations and recommended instead using the term
``biometric data'' to align with other laws and industry standards to
reduce confusion and help operators fulfill their compliance
obligations.\101\ Another commenter suggested the proposed provision is
inconsistent with
[[Page 16927]]
State laws related to biometric information that exclude audio
recordings, videos, and photos from their definitions.\102\ In
response, the Commission notes that the COPPA Rule applies to personal
information collected from children online by operators of child-
directed websites and online services and operators of general audience
websites or online services that have actual knowledge they are
collecting personal information from children. State laws' approaches
to biometric data may be different, in part, because of the different
obligations those laws impose on businesses or because those laws apply
to data collected from a large population of users.\103\
---------------------------------------------------------------------------
\100\ See, e.g., M. Bleyleben, at 2 (suggesting that it is
critical that the Commission's approach to defining and scoping the
use of biometric technologies is coordinated with State-level
biometric laws such as the Biometric Information Privacy Act in
Illinois); CIPL, at 4-5 (suggesting the term biometric identifier is
not aligned with the International Organization for Standardization
and other laws and regulations); ESA, at 10-11 (discussing State
laws that exclude audio recordings, videos, and photos from
definitions of biometric information); SIIA, at 4 (opposing
biometric identifier provision and suggesting it creates
inconsistencies with State privacy laws); IAB, at 3-4 (discussing
differences between proposed biometric identifier provision and
biometric definitions in various State privacy laws); Chamber, at 3
(encouraging the Commission to harmonize proposed biometric
identifier provision with other laws modeled on Consensus State
Privacy Approach, and citing the definition of biometric data in the
Virginia Consumer Data Protection Act); NCTA, at 6 (arguing
Commission's proposal conflicts with State biometric laws, which
consider derived data to be biometric data only where it is used or
intended to be used to identify a specific individual); ITIF, at 3
(stating that many States have enacted privacy legislation to
protect biometric data and have limited their definitions to
biometric data that identifies a specific individual). On the other
hand, at least one supportive commenter suggested the proposed
biometric identifier provision would better align the Rule's
personal information definition with FERPA. See Data Quality
Campaign, at 3.
\101\ CIPL, at 4. In response, the Commission notes that it is
using the term biometric identifier rather than the term biometric
data to align with the definition of personal information in the
COPPA statute. There is some variation in the defined terms
different State privacy and biometric laws use, but Texas, Illinois,
and Washington State laws use the term biometric identifier. The
Illinois Biometric Information Privacy Act defines that term to mean
``a retina or iris scan, fingerprint, voiceprint, or scan of hand or
face geometry'' and excludes a variety of other types of information
such as written signatures, photographs, or human biological samples
used for scientific testing or screening. See 740 Ill. Comp. Stat.
14/10. Washington's biometric privacy law defines that term to mean
``data generated by automatic measurements of an individual's
biological characteristics, such as a fingerprint, voiceprint, eye
retinas, irises, or other unique biological patterns or
characteristics that is used to identify a specific individual.''
Wash. Rev. Code 19.375.010.
\102\ See, e.g., ESA, at 10-11; IAB, at 3-4. It is not clear why
the proposed new provision for biometric identifiers generates
concerns for industry commenters about inconsistencies related to
the treatment of photographs, videos, or audio files under State law
when paragraph 8 of the COPPA Rule's personal information definition
currently has a separate provision for such data when they contain a
child's image or voice. See 16 CFR 312.2.
\103\ The Commission also notes that use of the term biometric
identifier comports with language in the definition of personal
information in the COPPA statute. See 15 U.S.C. 6501(8)(F).
---------------------------------------------------------------------------
Other commenters urged the Commission to consider limiting the
proposed biometric identifier provision to biometric identifiers that
are used or intended to be used to recognize or identify an individual,
to better align with State laws and to simplify operators' compliance
obligations.\104\ While recognizing there is some variability in
defined terms among State privacy laws and also between those laws and
the biometric identifier provision in the proposed definition of
personal information, industry commenters raising these concerns have
not explained how those variations will complicate business practices
or create irreconcilable compliance obligations.\105\ The Commission is
therefore not persuaded that the proposed amended definition of
personal information should be changed to align with specific State
laws, particularly when there is variation among such laws.
---------------------------------------------------------------------------
\104\ See, e.g., Privacy for America, at 15 (citing Connecticut
statute's definition of biometric data as ``data generated by
automatic measurements of an individual's biological
characteristics, such as a fingerprint, a voiceprint, eye retinas,
irises or other unique biological patterns or characteristics that
are used to identify a specific individual''); NCTA, at 6
(suggesting the NPRM proposal conflicts with State biometric laws,
which consider derived data to be biometric data only where it is
used or intended to be used to identify a specific individual); ANA,
at 10 (suggesting biometric identifier provision should be limited
to instances where biometric information is used or intended to be
used to recognize or identify a child rather than data that can
theoretically be used for that purpose but is not used in that way
and further arguing this approach better aligns with the definitions
of similar terms in the majority of State privacy laws and
regulations) (citing Cal. Civ. Code 1798.140(c); 4 CCR 904-3, Rule
2.02; Va. Code Ann. 59.1-575); CIPL, at 4-5.
\105\ See, e.g., ITIF, at 3 (contending that a materially
different definition of biometric identifiers in the COPPA Rule
would complicate an already complex regulatory environment in the
United States and would create consumer confusion, increase
compliance costs on businesses, and adversely impact the digital
economy); Chamber, at 3.
---------------------------------------------------------------------------
Other commenters suggested the proposed biometric identifier
provision should be similarly narrowed for different reasons. For
example, several industry commenters suggested adjusting the provision
from biometric identifiers that ``can be used'' for automated or semi-
automated recognition to a biometric identifier that ``is used'' for
automated recognition of an individual, to, in their view, be more
consistent with the definition of personal information in the COPPA
statute and to avoid vagueness concerns.\106\ Other commenters
suggested the provision should only include biometric identifiers that
are intended to be used for identification, or suggested that there
should be an exception when biometric identifiers are used to provide a
service without identifying the user.\107\ Still others urged the
Commission to narrow the biometric identifier provision to a specific
list of biometric identifiers and to limit coverage to situations where
the biometric identifier is used to contact a child.\108\
---------------------------------------------------------------------------
\106\ See, e.g., Chamber, at 3 (arguing that the Commission
should revise the definition to include biometric identifiers only
when they are used for the automated recognition of an individual
rather than when they could be used for such purposes to avoid
vagueness concerns); ACT | The App Association, at 4-5
(suggesting definition must be limited to when a biometric
identifier is used to identify or reasonably identify a child to
comport with the COPPA statute); Privacy for America, at 15
(contending the provision should be limited to biometric identifiers
used to identify a child in order to contact them); The Toy
Association, at 3 (contending an actual use element needs to be
included in the definition to comport with the COPPA statute). See
also CIPL, at 4-5.
\107\ See, e.g., CIPL, at 5 (suggesting there should be an
intent component included in the provision); ITIC, at 2 (contending
that the Commission should clarify that any use of biometric data
that does not involve identifying a unique individual and that does
not allow physical or online contact with a specific individual is
exempt).
\108\ See NCTA, at 6.
---------------------------------------------------------------------------
In response, the Commission notes that it disagrees with these
commenters' assertions that such adjustments are necessary to comport
with the COPPA statute. The phrase ``can be used'' is consistent with
the COPPA statute, which defines personal information to mean
``individually identifiable information about an individual collected
online'' rather than an alternative such as information used to
identify an individual.\109\ Further, the Commission believes the
proposed language is consistent with the statutory language in 15
U.S.C. 6501(8)(F), which permits the addition of ``any other identifier
the Commission determines permits the physical or online contacting of
a specific individual'' rather than alternative language such as
``identifiers when used to contact a specific individual physically or
online.'' Additionally, the other identifiers listed in the definition
in the COPPA statute qualify as personal information regardless of how
an operator uses them. The Commission also believes that adjusting the
proposed language from ``can be used for the automated or semi-
automated recognition of an individual'' to language requiring actual
use of biometric identifiers to identify individuals may increase
opportunities for operators to collect and retain sensitive data for
future use and would also present enforcement challenges.
---------------------------------------------------------------------------
\109\ 15 U.S.C. 6501(8).
---------------------------------------------------------------------------
Numerous commenters were particularly critical of the Commission's
proposal to include the words ``data derived from voice data, gait
data, or facial data'' in the biometric identifier provision the
Commission proposed in the 2024 NPRM.\110\ Many commenters suggested
this language is overbroad or vague.\111\ Some commenters also argued
such data is not necessarily individually identifying and cannot be
used to contact a specific child, and therefore falls outside the scope
of personal information protected by the COPPA statute.\112\ Commenters
contended this aspect of the biometric provision may stifle innovation
\113\ and interfere with uses of biometric information such as
[[Page 16928]]
virtual reality applications, educational technology products,
connected toys, or speech-enabled apps used by children or individuals
with disabilities.\114\ Others suggested that treating such derived
data as personal information would constrain desirable use cases such
as security features.\115\ Still other commenters opposing the proposal
argued that it conflicts with relevant State laws and the 2024 NPRM's
proposal to except from the COPPA Rule's verifiable parental consent
requirement operators' collection of certain audio files that contain a
child's voice.\116\ To reduce the potential burdens and impacts these
and other commenters mentioned, the Commission has decided not to
include this language in the biometric identifier provision as proposed
in the 2024 NPRM.
---------------------------------------------------------------------------
\110\ See, e.g., ANA, at 10; Chamber, at 3; kidSAFE, at 3-4;
Epic Games, at 7-8; NCTA, at 5-6.
\111\ See, e.g., CARU, at 3 (suggesting it is unclear whether data
from an avatar based on the user or data from an accelerometer in a
connected toy would be included in data derived from voice data,
gait data, or facial data); kidSAFE, at 3-4 (suggesting breadth of
proposed language may cover unintended data and requesting that the
Commission provide clarifying examples and indicate whether it
intends to include data tracking the motion of a child in a virtual
reality game, analysis of a child's ability to pronounce certain
words or sounds, or the text transcript of a child's audio
conversation with a connected toy device); ESA, at 10; Chamber, at
10; ANA, at 10. Others suggested that including data derived from
voice data in the proposed definition of personal information is
potentially inconsistent with the approach adopted in the
Commission's Enforcement Policy Statement Regarding the
Applicability of the COPPA Rule to the Collection and Use of Voice
Recordings. See, e.g., ESA, at 10.
\112\ See, e.g., ESA, at 9-10; Epic Games, at 7-8.
\113\ See, e.g., CARU, at 3.
\114\ See, e.g., SIIA, at 4 (suggesting proposed language would
potentially apply to skills assessments, time spent, and other usage
information that is derived from voice data and used in literacy
products with a recording feature); ACT | The App
Association, at 4 (suggesting many apps collect voice, fingerprints,
and facial features for beneficial uses and mentioning apps
assisting autistic children with speech); CARU, at 3 (suggesting
``data derived from voice data, gait data, or facial data'' is
integral to virtual reality products, connected toys, and metaverse
experiences); kidSAFE, at 3-4 (suggesting derived data language is
overbroad and could apply to the collection of non-identifying data
in virtual reality games, phonics instructional tools, and connected
toy devices); R Street Institute, at 1-2 (discussing beneficial use
cases such as voice-activated digital assistants with parental
controls, educational products, and products assisting children with
disabilities).
\115\ See, e.g., ConnectSafely, at 1 (emphasizing all users
should have access to biometric security tools); IEEE Learning
Engineering Consortium, at 5 (encouraging the Commission to consider
beneficial uses such as security when determining which biometric
identifiers to include in the definition).
\116\ See, e.g., NCTA, at 6 (``This definition conflicts with
State biometric laws, which consider derived data to be biometric
information only where it is used or intended to be used to identify
a specific individual.''); CCIA, at 3 (discussing conflict with
approach to voice recordings in the 2024 NPRM).
---------------------------------------------------------------------------
After carefully considering the record and comments, the Commission
has decided to adopt an amended version of the biometric identifier
provision the Commission proposed in the 2024 NPRM. The Commission
previously explained that the proposed provision included a non-
exhaustive list of examples of covered biometric identifiers that can
be used for the automated or semi-automated recognition of an
individual.\117\ In response to the comments, the Commission has
decided to change the word ``including'' in the proposed provision to
the phrase ``such as'' in the final Rule.\118\ The comments received
have also persuaded the Commission not to include the proposed language
of ``data derived from voice data, gait data, or facial data'' in the
final Rule because it may be overly broad and include some data that
cannot currently be used to identify and contact a specific individual.
The Commission's original intent in proposing ``data derived from voice
data, gait data, or facial data'' was to cover situations such as where
imagery of a biometric characteristic (e.g., a fingerprint or a
photograph) is converted into templates or numeric representations such
as fingerprint templates or facial templates that can be used to
identify and contact a specific individual.\119\ The Commission still
intends for the modified provision to apply to such biometric
identifiers. To make this clearer, and to exclude derived data that
cannot be used to identify an individual, the Commission has decided to
remove the originally proposed language at the end of the biometric
identifier provision but to include additional examples of some covered
biometric identifiers that can be used to identify a specific
individual such as voiceprints, facial templates, faceprints, and gait
patterns.
---------------------------------------------------------------------------
\117\ 89 FR 2034 at 2042.
\118\ At least one commenter suggested adjusting the
definitional language to clarify the intended scope of the
provision. See CIPL, at 5 (suggesting the Commission replace the term
``including'' with the phrase ``includes but is not limited to'').
The Commission has concluded that an alternative approach of
enumerating a complete list of covered biometric identifiers in the
Rule would not provide the flexibility necessary to respond to the
rapid pace of technological development in biometric recognition.
\119\ See NIST, The Organization of Scientific Area Committees
for Forensic Science, OSAC Lexicon (defining the term template in
facial identification as a set of biometric measurement data
prepared by a facial recognition system from a facial image) (citing
ANSI/ASTM Standard Terminology for Digital and Multimedia Evidence
Examination), available at <a href="https://www.nist.gov/glossary/osac-lexicon?k=&name=template&committee=All&standard=&items_per_page=50#top">https://www.nist.gov/glossary/osac-lexicon?k=&name=template&committee=All&standard=&items_per_page=50#top</a>.
---------------------------------------------------------------------------
The Commission has carefully considered input from commenters
emphasizing that biometric identifiers are important for uses such as
identity authentication, security, age assurance, and virtual reality,
and that expanding the definition of personal information to include
biometric identifiers will make it more burdensome for operators to
collect and use such data from children because they will need to
notify parents and obtain verifiable parental consent. However, the
Commission is persuaded that enabling parents to make decisions about
whether operators are collecting and using their children's biometric
identifiers for any purpose and the other benefits commenters
identified associated with restricting the collection of children's
biometric identifiers without parental consent outweigh the attendant
burdens imposed on operators.\120\
---------------------------------------------------------------------------
\120\ See Consumer Reports, at 5 (arguing parents should know
and have a choice when operators want to collect or process data
about their child's most personal attributes, even if such
activities are ephemeral). Importantly, the provision advances two
of the goals for the COPPA statute identified in relevant
legislative history: (1) enhancing parental involvement in a child's
online activity to protect the privacy of children in the online
environment, and (2) protecting children's privacy by limiting the
collection of personal information from children without parental
consent. 144 Cong. Rec. S12741-04, S12787 (1998) (statement of
Senator Bryan).
---------------------------------------------------------------------------
c. NPRM Questions Related to ``Personal Information''
i. Potential Exceptions Related to Biometric Data
The Commission also solicited comments about whether it should
consider establishing any exceptions to Rule requirements with regard
to biometric data, such as when such data is promptly deleted.\121\ In
the event that the Commission decided to add biometric identifiers to
the definition of personal information, some industry commenters
expressed support for adding an exception when there is prompt deletion
of biometric data.\122\ These commenters suggested this would
facilitate beneficial uses such as permitting use of biometric
identifiers for identity verification or age assurance purposes.\123\
---------------------------------------------------------------------------
\121\ 89 FR 2034 at 2070 (Question 5).
\122\ See, e.g., The Toy Association, at 3; Google, at 3; ITIC,
at 2; Chamber, at 9; CCIA, at 3. For example, one industry commenter
opposed including derived data in any definition related to
biometric information and suggested a carveout for biometric data
when an identifier is not used to identify a specific individual and
is deleted promptly after collection. Epic Games, at 7. Another
commenter that opposed the Commission's proposed inclusion of a
biometric identifier provision in the definition of personal
information also expressed support for a prompt deletion exception
permitting use of biometric identifiers for purposes such as fraud
and abuse prevention, complying with legal or regulatory
requirements, service continuity, and ensuring the safety and age-
appropriateness of the service. SIIA, at 15.
\123\ See, e.g., Google, at 3; Yoti, at 4-5; SIIA, at 15. See
also Epic Games, at 8 (recommending adoption of a carveout that
would preserve operators' ability to offer features such as motion
capture that rely on limited biometric data to translate users'
movements to animate non-realistic, in-game avatars).
---------------------------------------------------------------------------
Other commenters opposed creating any exceptions tied to prompt
deletion of biometric identifiers.\124\ One consumer group commenter
expressed concerns about operators ``implementing narrow deletion
practices, while retaining the ability to
[[Page 16929]]
use and disclose biometric information for secondary purposes.'' \125\
Another commenter opposing the idea of a deletion exception emphasized
the difficulty in verifying operators' compliance with their deletion
obligations and suggested that some operators would be incentivized to
retain biometric identifiers for their business models.\126\ A
coalition of State attorneys general suggested that the ``mere fact
that the data is collected and temporarily held makes it vulnerable to
potential cybersecurity attacks or misuse.'' \127\ A public advocacy
group commenter also contended it would be premature to adopt a new
exception for biometric data based on the limited factual record in
this rulemaking proceeding and suggested the Commission should instead
consider adding to Sec. 312.12 of the Rule a new voluntary approval
process for biometric-related exception requests.\128\
---------------------------------------------------------------------------
\124\ See, e.g., Children's Advocates Coalition, at 58; State
Attorneys General Coalition, at 3; Consumer Reports, at 4-5.
\125\ Children's Advocates Coalition, at 65.
\126\ Internet Safety Labs, at 4. The Commission's enforcement
experience suggests that these concerns are well-founded. See, e.g.,
Complaint, In re Everalbum, Inc., Dkt. No. C-4743, available at
<a href="https://www.ftc.gov/system/files/documents/cases/1923172_-_everalbum_complaint_final.pdf">https://www.ftc.gov/system/files/documents/cases/1923172_-_everalbum_complaint_final.pdf</a>; Complaint, United States v.
Amazon.com, Inc. et al., Case No. 2:23-cv-00811 (W.D. Wash. May 31,
2023), available at <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Amazon-Complaint-%28Dkt.1%29.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/Amazon-Complaint-%28Dkt.1%29.pdf</a>.
\127\ State Attorneys General Coalition, at 3.
\128\ ACLU, at 15 (``Creating exceptions to the Rule's
protections for biometrics should be done on a case-by-case basis
with a robust factual record; it is thus better suited for the
voluntary approval process rather than ordinary rulemaking.'').
---------------------------------------------------------------------------
A number of commenters suggested the Commission should consider
exceptions for biometric identifiers that are based on specific use
cases, such as when fingerprints or facial data are used for security
or authentication purposes.\129\ One FTC-approved COPPA Safe Harbor
program supported excepting the collection and use of biometric data
for security purposes or for a limited purpose such as the temporary
use of facial images for age verification or obtaining verifiable
parental consent, followed by the data's prompt deletion.\130\
---------------------------------------------------------------------------
\129\ See, e.g., ConnectSafely, at 1 (``We strongly believe that
biometric tools such as fingerprint and facial recognition should be
available for all users to make sure that children and teens, as
well as adults, are able to access services in the most secure way
possible.''); M. Bleyleben, at 2 (``The decision whether or not to
make an exception for biometric data that has been promptly deleted
should be based on the use case, not solely on whether it has been
deleted. For example, using biometrics for platform-based
authentication (such as iPhone's face ID) is a positive use case
that should be covered under any exception.''); IEEE Learning
Engineering Consortium, at 5 (suggesting the Commission consider the
context in which biometric data is collected and used and that use
for security purposes might be treated differently under the COPPA
Rule than biometric data used for tracking or monitoring behavior).
Another commenter that generally opposed the Commission's proposed
biometric identifier provision expressed support for a prompt
deletion exception permitting the use of biometric identifiers for
compliance purposes such as to facilitate ``fraud and abuse
prevention, complying with legal or regulatory requirements, service
continuity, and ensuring the safety and age-appropriateness of the
service.'' SIIA, at 15.
\130\ kidSAFE, at 4.
---------------------------------------------------------------------------
After carefully considering the record and comments related to this
question, the Commission has decided not to add any additional
exceptions to COPPA Rule requirements related to biometric data at this
time, other than the exception to prior parental consent set forth in
proposed Sec. 312.5(c)(9) in the 2024 NPRM for the collection of audio
files containing a child's voice. The Commission has carefully
considered the input from commenters emphasizing that biometric
identifiers are important for uses such as identity authentication and
security purposes, age assurance, and virtual reality, and that
expanding the definition of personal information to include biometric
identifiers will make it more burdensome for operators to collect and
use such data from children.\131\ While technologies utilizing
biometrics are developing rapidly, they still vary in terms of efficacy
across use cases and across providers. Based on the current record, and
in light of the uniquely personal and immutable nature of biometric
identifiers and potential privacy and other harms when such data is
misused, the Commission has concluded at this time that the impact on
such uses and the burden placed on operators to obtain verifiable
parental consent are outweighed by the benefit of providing greater
protection for this sensitive data and enhancing control for parents.
Further, as some commenters noted, storage of sensitive biometric
identifiers for even limited periods of time increases the risk that
such data will be compromised in a data security incident.
---------------------------------------------------------------------------
\131\ The Commission notes that COPPA's requirements relating to
biometric identifiers apply only to operators of child-directed
websites or online services--including those that have actual
knowledge they are collecting personal information from users of
another child-directed site or service--and operators that have
actual knowledge they are collecting personal information from a
child.
---------------------------------------------------------------------------
ii. Government-Issued Identifiers
The Commission also requested comment on whether it should revise
the definition of ``personal information'' to specifically list
government-issued identifiers beyond Social Security numbers that are
currently included in the definition.\132\ The Commission received
relatively few comments addressing this proposal, and all of them
supported listing additional government-issued identifiers in the
definition of ``personal information.'' \133\
---------------------------------------------------------------------------
\132\ 89 FR 2034 at 2070 (Question 7).
\133\ See State Attorneys General Coalition, at 4 (recommending
inclusion of passport and passport card numbers, Alien Registration
numbers or other identifiers from United States Citizenship and
Immigration Services, birth certificate numbers, identifiers used
for public benefits, State ID card numbers, and student ID numbers);
Consumer Reports, at 5-6 (suggesting inclusion of passport, birth
certificate, and DMV-issued Child ID cards); EPIC, at 4 (expressing
general support for including government-issued identifiers); Common
Sense Media, at 7 (same); AASA, The School Superintendents
Association, at 8 (same).
---------------------------------------------------------------------------
One commenter noted such identifiers are likely already covered
under the existing definition of personal information, but suggested
that adding an explicit provision for government-issued identifiers
would provide greater clarity.\134\ A coalition of State attorneys
general expressed the view that parents should have the right to
review and to have discussions with their children before these highly
sensitive identifiers are shared.\135\ Based on the comments and its
enforcement experience, the Commission is persuaded that government-
issued identifiers can be used to identify and permit the physical or
online contacting of a specific child and has concluded that it would
be beneficial to expressly incorporate additional government
identifiers in the definition of personal information in order to
provide greater clarity. Therefore, paragraph 6 of the current
definition of ``personal information'' which is ``a Social Security
number'' will be amended to: ``[a] government-issued identifier, such
as a Social Security, state identification card, birth certificate, or
passport number.'' The Commission notes that the list of examples of
specific government identifiers is not intended to be exhaustive.
---------------------------------------------------------------------------
\134\ Consumer Reports, at 6.
\135\ State Attorneys General Coalition, at 4.
---------------------------------------------------------------------------
iii. Screen and User Names
Since the 2013 Amendments to the Rule, the definition of personal
information has included screen or user names to the extent that these
identifiers function in the same manner as ``online contact
information.'' In the 2024 NPRM, the Commission sought comment on
whether screen or user names should also be treated as online contact
information or personal information if the screen or user names do not
allow one user to contact another user through the operator's website
or online service, but could enable one user to contact another by
assuming that
[[Page 16930]]
the user to be contacted is using the same screen or user name on
another site or service.\136\
---------------------------------------------------------------------------
\136\ 89 FR 2034 at 2070 (Question 4.a).
---------------------------------------------------------------------------
A minority of commenters expressed support for this
suggestion.\137\ Some of these commenters suggested there is frequent
reuse of screen and user names across platforms, and that screen and
user names might allow entities to link information collected across
various platforms.\138\ Another commenter cited safety concerns and
suggested screen and user names can facilitate contact with, and the
grooming of, children for sexual exploitation or other harms.\139\
---------------------------------------------------------------------------
\137\ Internet Safety Labs, at 3; AASA, The School
Superintendents Association, at 8; ACLU, at 9-10; Center for AI and
Digital Policy, at 2-3; Consumer Reports, at 3-4.
\138\ See, e.g., Parent Coalition for Student Privacy, at 3, 7;
Consumer Reports, at 3-4; AASA, The School Superintendents
Association, at 8.
\139\ Center for AI and Digital Policy, at 2-3.
---------------------------------------------------------------------------
A majority of commenters opposed this proposal for a variety of
reasons.\140\ Some of these commenters argued that the proposal to
expand the definition is inconsistent with the COPPA statute because a
screen or user name does not necessarily permit the physical or online
contacting of a specific individual.\141\ Opponents also highlighted
practical problems associated with such an expansion. For example,
commenters suggested the proposal would likely result in operators
treating all screen and user names as personal information because of
the difficulty in determining whether a particular child has used the
same screen or user name on other sites or services.\142\ Many
commenters emphasized this result would adversely impact privacy
interests of children and parents because it would require operators of
websites or online services that do not currently collect personal
information from children to do so in order to seek verifiable
parental consent.\143\ Industry commenters also opined that the
suggested expansion of screen and user names constituting personal
information would require significant changes to common business
practices and would impose significant burdens on operators related to
changing such practices and trying to determine whether screen or user
names are being re-used on other sites and services in ways that permit
communication.\144\
---------------------------------------------------------------------------
\140\ See, e.g., Chamber, at 2-3; ESRB, at 23-25; ESA, at 8;
IAB, at 5-6; kidSAFE, at 2-3; M. Bleyleben, at 2; CCIA, at 4; The
Toy Association, at 3-4; Privacy for America, at 15-16; Epic Games,
at 8-9.
\141\ See, e.g., ESA, at 8; CCIA, at 4. At least one industry
commenter contended that it is common for the same screen name or
user name to be used by different children. See The Toy Association,
at 3.
\142\ IAB, at 5; ESA, at 9.
\143\ For example, the U.S. Chamber of Commerce suggested many
operators collect an anonymous username or screen name precisely to
avoid collecting personal information--such as full name or email
address--when such information is not otherwise needed and that a
change to the definition would require operators to collect more
personal information from children and their parents to seek
verifiable parental consent. Chamber, at 2-3. See also ESRB, at 23-24;
ESA, at 8; IAB, at 5-6; The Toy Association, at 3-4; Privacy for
America, at 16; Epic Games, at 8.
\144\ See, e.g., IAB, at 5 (suggesting operators cannot
reasonably determine whether a particular child has used the same
screen or user name across different sites or services); Epic Games,
at 8 (stating that video game companies use anonymous screen and
user names in many ways that do not facilitate the contacting of an
individual in order to protect user privacy and arguing that it
would be burdensome to require operators to monitor use of their
screen names on third-party sites and services).
---------------------------------------------------------------------------
The Commission currently does not have sufficient evidence
concerning either the extent to which children are currently reusing
their screen and user names across platforms or the prevalence of
children being contacted via screen or user names through secondary
platforms to warrant amending the Rule.\145\ Recognizing the
difficulties operators might face in determining whether screen and
user names are being used by specific individuals on other websites and
online services, the Commission is persuaded that amending the Rule now
to require operators to treat screen or user names that do not allow
one user to contact another user through the operator's website or
online service as personal information would likely cause operators to
treat all screen and user names as personal information and have
negative privacy consequences, including increased data collection by
operators that currently do not need to collect personal
information.\146\ After carefully considering the record and comments,
the Commission has therefore concluded that it will not amend the
definitions of personal information or online contact information at
this time to include the suggestion discussed in Question Four of the
``Questions for the Proposed Revisions to the Rule'' section of the
2024 NPRM. The Commission notes that if a screen or user name collected
online from a child is combined with other personal information, then
it is considered personal information under the provision set forth in
paragraph 10 of the Rule's definition of ``personal information.''
---------------------------------------------------------------------------
\145\ See kidSAFE, at 2-3 (stating that it was not aware of any
studies indicating children are using the same exact usernames
across multiple online services, such that knowing a child's
username on one online service would allow for direct communication
on another online service).
\146\ See ESA, at 8 (suggesting that restricting the use of
anonymous screen names and user names would negatively impact the
online experience for children and undermine the data minimization
principles underlying COPPA and stating that many screen and user
names are automatically generated and assigned by the service, and
therefore would be unlikely to allow a user to contact another user
on another website or online service).
---------------------------------------------------------------------------
iv. Avatars
The Commission solicited comments in Question Six of the
``Questions for the Proposed Revisions to the Rule'' section of the
2024 NPRM about whether an avatar generated from a child's image should
constitute personal information under the Rule even if the photograph
of the child is not itself uploaded to the site or service and no other
personal information is collected from the child, and, if so, whether
the current Rule provides sufficient coverage or whether further
modifications to the definition of personal information are necessary
to ensure coverage.\147\
---------------------------------------------------------------------------
\147\ 89 FR 2034 at 2070 (Question 6).
---------------------------------------------------------------------------
A minority of commenters supported treating avatars based on a
child's image as personal information under the circumstances described
in Question Six.\148\ A coalition of State attorneys general cited
concerns about the possibility of reverse engineering from avatars that
are generated using biometric data, and recommended amending the
definition of personal information to include ``an avatar generated on
the child's image and likeness, whether or not a photograph, video or
audio file is provided or stored.'' \149\ Another commenter suggested
that some popular platforms are encouraging the creation of realistic
avatars modelled on users' biometric data and expressed concerns about
the possibility that companies might ``collect data from an avatar to
analyze and influence a child's behavior'' including through targeted
[[Page 16931]]
advertising.\150\ A consumer group contended that a likeness of a child
generated from an image could alone, or when combined with other
sources of information, be used to individually identify a child and
suggested adding ``or likeness of a child'' to existing paragraph 8 of
the COPPA Rule's personal information definition to provide coverage if
the Commission decided not to adopt the NPRM proposal of including
``data derived . . . from facial data'' in the biometric identifier
provision in the personal information definition.\151\
---------------------------------------------------------------------------
\148\ See, e.g., Consumer Reports, at 5; EPIC, at 3-4
(recommending including avatars generated from a child's image);
State Attorneys General Coalition, at 3-4 (same); Common Sense
Media, at 13 (supporting adding avatars that are identifiable and
are able to be contacted outside of a specific service or session);
L. Lu, at 1 (recommending that definition of personal information
include identifiable avatars). At least one commenter recommended
the Commission treat all avatars as personal information, regardless
of whether they are generated from a child's image. See Internet
Safety Labs, at 4.
\149\ State Attorneys General Coalition, at 4 (``If the avatars
are based on the child's photograph or likeness, regardless of
whether the original source is retained, the avatar could be used in
the identification of the child, through many different methods
including reverse image searches, facial recognition tools, or
combining information gleaned from the avatar with other known
elements of personal information.'').
\150\ L. Lu, at 2.
\151\ Consumer Reports, at 5. Paragraph 8 of the COPPA Rule's
personal information definition encompasses ``[a] photograph, video,
or audio file where such file contains a child's image or voice.''
16 CFR 312.2.
---------------------------------------------------------------------------
Another commenter discussed potentially sensitive information that
might be derived from avatars such as ethnicity or disability
information, but suggested more research should precede expansion of
the definition.\152\
---------------------------------------------------------------------------
\152\ Yoti, at 5 (``An avatar could give evidence or clues as to
age, gender, disability, ethnicity. . . If the avatar could be
combined with additional information held by a service provider, to
reasonably identify the avatar's human representative, that could
pose greater risks to a minor. . . .'').
---------------------------------------------------------------------------
For a variety of reasons, a majority of commenters opposed the idea
of treating avatars described in Question Six as personal information
under the Rule.\153\ Some of these commenters emphasized that avatars
are often temporary, changeable, and not linkable to personal
information.\154\ Many commenters raised statutory concerns about
expanding the definition of personal information to include avatars,
arguing that avatars are not individually identifiable and cannot be
used for the physical or online contacting of a child.\155\ Some
commenters suggested that if a photograph used to generate an avatar is
processed locally on a device, the photograph and the avatar would be
outside the scope of the COPPA statute and Rule because the photograph
is not information collected or stored online.\156\ Several commenters
argued the proposal would be inconsistent with existing FTC guidance
permitting operators to blur the facial features in children's photos
before posting the photos online in order to avoid collecting personal
information.\157\ Commenters contended that avatars similarly obscure
individually identifying information and should not be treated as
personal information.\158\
---------------------------------------------------------------------------
\153\ See, e.g., The Toy Association, at 3-4; ITIC, at 2-3; ESA,
at 11-12; ESRB, at 25; Kidentify, at 3-4; Epic Games, at 9-10.
\154\ See ITIC, at 3. See also Kidentify, at 4 (suggesting that
avatars are rarely actually used in practice to identify or contact
an individual in-game due to their frequently changing nature);
CARU, at 7 (suggesting that avatars vary widely, and that many users
do not base avatars on their own images); ACT | The App
Association, at 5 (contending that avatars are temporary and
alterable representations that often do not reflect personal
characteristics of an individual user and do not enable contact).
\155\ See, e.g., ITIC, at 3; SIIA, at 5, 15; IAB, at 7-8;
Chamber, at 2; ACT | The App Association, at 5.
\156\ ESA, at 11-12 (``[I]f the photograph of the child is not
uploaded to the site or service, the photograph is processed locally
on the device to generate the avatar. The FTC has previously
recognized that local processing of a child's personal information
does not trigger COPPA because the statute requires that personal
information must be collected, used, or stored over the
internet.''). See also Chamber, at 2 (suggesting that if an avatar
image does not leave the device, no personal information is
collected under COPPA); IAB, at 7 (same).
\157\ See, e.g., ESA, at 12; NCTA, at 7. These commenters cited
staff guidance in COPPA Frequently Asked Questions, Section F.3, and
previous statements in the 2013 Statement of Basis and Purpose. See
COPPA FAQs, FAQ Section F.3; 78 FR 3972 at 3982 n.123.
\158\ See, e.g., NCTA, at 7 (suggesting that ``avatars, even if
initially generated from a child's image, once altered do not
constitute an identity of the sort that permits physical or online
contacting of a child''); ESA, at 12 (contending that ``once a photo
has been transformed into an avatar, facial recognition technology
no longer is able to identify the specific individual'').
---------------------------------------------------------------------------
Industry commenters also raised practical and policy-related
objections to the idea of requiring operators to treat avatars
generated from a child's image, in situations where the operator has
not itself collected the child's photograph, as personal information.
For example, commenters suggested that expanding coverage for avatars
under the Rule would be burdensome and confusing, and introduce
significant compliance challenges, particularly because operators that
do not collect photographs or videos of users would have difficulty
determining whether an avatar is created from a child's image.\159\
Commenters suggested that such uncertainty would deter online service
providers from offering avatar-based features in games and related
product offerings, and that this would negatively impact users' privacy
and online experiences.\160\ Commenters argued that the use of avatars
as online proxies is privacy-enhancing because they can, like screen
and user names, be used by online services as a substitute for personal
identification.\161\ Several commenters also urged the Commission to
consider that avatars also benefit users by personalizing online
experiences and allowing users to explore self-expression online.\162\
---------------------------------------------------------------------------
\159\ See, e.g., CARU, at 7; ITIC, at 3; Kidentify, at 3.
\160\ See, e.g., Kidentify, at 3-4; CARU, at 7.
\161\ See, e.g., M. Bleyleben, at 3; IAB, at 7-8; The Toy
Association, at 3-4; SIIA, at 5; NCTA, at 6; Chamber, at 2;
SuperAwesome, at 5.
\162\ L. Lu, at 1; The Toy Association, at 3-4; ITIC, at 2-3;
Chamber, at 2-3; SuperAwesome, at 5.
---------------------------------------------------------------------------
After carefully considering the record and comments, the Commission
is persuaded that it would likely be difficult for operators to
determine whether an avatar is generated from a child's image in
situations where they have not collected an image of the child. For
example, with the advent of generative AI, the Commission expects that
it would be possible for a user to create a highly realistic avatar
that might appear to be generated from a child's image. The Commission
also does not currently have sufficient evidence that avatars are
individually identifying. Indeed, a number of the comments received
suggest that avatars are often temporary and may not resemble
users.\163\ However, the Commission notes that an avatar that the
operator collects online from a child and combines with another
identifier included in the definition of personal information is
personal information pursuant to paragraph 10 of the Rule's definition
of personal information.\164\ The Commission further notes that it will
continue to monitor marketplace and technological developments in this
area and may revisit Rule amendments related to avatars in the
future.\165\
---------------------------------------------------------------------------
\163\ See, e.g., M. Bleyleben, at 3; Kidentify, at 4; CARU, at
7; ACT | The App Association, at 5.
\164\ See FTC Press Release, FTC Will Require Microsoft to Pay
$20 million over Charges it Illegally Collected Personal Information
from Children without Their Parents' Consent (June 5, 2023),
available at <a href="https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information">https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information</a> (discussing applicability
of COPPA to avatars generated from a child's image when combined
with other personal information).
\165\ It is possible that if cross-platform use of avatars
becomes common, avatars could be used to identify and contact
specific individuals and track users across domains. See M.
Bleyleben, at 3.
---------------------------------------------------------------------------
v. Information Concerning the Child or the Parents of That Child
The definition of personal information in the current Rule includes
``information concerning the child or the parents of that child that
the operator collects online from the child and combines with an
identifier described in [the Rule's definition of ``personal
information''].'' \166\ This provision includes the same language found
in the COPPA statute's definition of personal information.\167\ In the
2024 NPRM, the Commission solicited comments about whether the phrase
[[Page 16932]]
``concerning the child or the parents of that child'' in the Rule
requires further clarification.\168\ The Commission received relatively
few significant comments.
---------------------------------------------------------------------------
\166\ 16 CFR 312.2.
\167\ 15 U.S.C. 6501(8)(G).
\168\ 89 FR 2034 at 2070 (Question 8).
---------------------------------------------------------------------------
A coalition of State attorneys general suggested the Commission
consider amending this provision to: ``information concerning the child
or the parents of that child that the operator collects online from the
child and combines with an identifier described in [the Rule's
definition of `personal information'], or which may otherwise be linked
or reasonably linkable to personal information of the child.'' \169\ In
response, the Commission observes this provision already provides broad
coverage for information concerning children and parents that the
operator collects online from a child when it is combined with
identifiers included in the Rule's definition of personal information
and declines to expand coverage to the extent proposed by this
commenter.
---------------------------------------------------------------------------
\169\ State Attorneys General Coalition, at 5. See also SIIA, at
9 (suggesting the word ``concerning'' is potentially overbroad and
recommending adding language to the provision to limit coverage to
data that is ``linked or reasonably linkable'' to the child or
parents of that child).
---------------------------------------------------------------------------
A number of commenters asked the Commission to clarify when, or if,
inferred data would be considered personal information under the
provision in paragraph 10 of the Rule's definition of personal
information.\170\ One consumer group stated that it disagreed with the
Commission's earlier conclusion in the 2024 NPRM that inferred data is
outside the scope of the COPPA statute \171\ and urged the Commission
to state specifically that information inferred about a child is
information ``concerning the child.'' \172\ This commenter noted that
inferred data is commonly used to categorize individuals for marketing
purposes and suggested parents should have the right both to be
notified when this information is generated and to delete such
information when the disclosure of a ``business' assumptions about a
child carry the risk for personal embarrassment, social stigmatization,
[or] discrimination, [and] could be used as a basis to make legal or
other similarly significant decisions.'' \173\
---------------------------------------------------------------------------
\170\ See, e.g., CDT, at 5-6; CIPL, at 5; IAB, at 8-9.
\171\ See 89 FR 2034 at 2042 (``The Commission has decided not
to propose including inferred data or data that may serve as a proxy
for `personal information' within the definition. . . . [T]o the
extent data is collected from a source other than the child, such
information is outside the scope of the COPPA statute and such an
expansion would exceed the Commission's authority.'').
\172\ Consumer Reports, at 6.
\173\ Id.
---------------------------------------------------------------------------
Several industry commenters asked the Commission to confirm that
the catch-all provision in paragraph 10 of the definition of personal
information does not extend to inferred data.\174\ Others expressed
concern about potential interference with the support for the internal
operations exception if inferred data not collected from a child and
linked to persistent identifiers were to be covered by the catch-all
provision.\175\ To clarify that inferred information can be combined
with persistent identifiers to support the internal operations of a
site or service without parental consent, some commenters suggested
amending the catch-all provision in the Rule's definition of personal
information to ``information concerning the child or the parents of
that child that the operator collects online from the child and
combines with an identifier described in this definition, except to the
extent such information is combined with a persistent identifier and
used solely to support internal operations.'' \176\
---------------------------------------------------------------------------
\174\ See, e.g., ESA, at 12 (urging Commission to clarify a
statement in the 2024 NPRM suggesting that inferred data could fall
within COPPA's catch-all provision if combined with other
identifiers listed in the definition of personal information and
arguing that inferred data does not fall under the catch-all
provision if it is not collected from a child online); CIPL, at 5
(same); CDT, at 5-6 (asking the Commission to clarify when and how
the catch-all provision applies to inferred data).
\175\ See, e.g., Chamber, at 4; ESA, at 12-13.
\176\ See Epic Games, at 10; ESA, at 12-13.
---------------------------------------------------------------------------
After carefully considering the record and comments related to this
question, the Commission has decided to retain the existing language in
paragraph 10 of the Rule's definition of personal information, which
tracks the definition in the COPPA statute and provides broad coverage
for a wide range of information that is collected from children when
such information is combined with other identifiers set forth in the
definition.\177\ While the Commission agrees that inferred or proxy
data about a child may sometimes include sensitive information
presenting privacy risks, the COPPA statute regulates the collection of
personal information from a child,\178\ and inferred or proxy data that
is derived from information collected from sources other than a child
therefore cannot be treated as personal information under the COPPA
statute.
---------------------------------------------------------------------------
\177\ See 64 FR 59888 at 59892 (definition of personal
information covers ``non-individually identifiable information
(e.g., information about a child's hobbies or toys) that is
associated with an identifier'').
\178\ See 15 U.S.C. 6502(a)(1).
---------------------------------------------------------------------------
d. The Commission Adopts Amendments Regarding ``Personal Information''
As discussed earlier, after carefully considering the record and
comments, the Commission is adopting an amended version of the
biometric provision proposed in the 2024 NPRM to be included in the
definition of personal information. Specifically, the Commission has
decided not to include the language ``data derived from voice data,
gait data, or facial data'' in the provision for the reasons discussed
in Part II.B.3.b. The Commission has also decided to replace the word
``including'' with ``such as'' and to provide additional illustrative
examples of biometric identifiers to provide further clarity concerning
the provision's coverage. The language the Commission is adopting for
the biometric identifier provision in the final Rule's definition of
personal information includes the following: ``A biometric identifier
that can be used for the automated or semi-automated recognition of an
individual, such as fingerprints; handprints; retina patterns; iris
patterns; genetic data, including a DNA sequence; voiceprints; gait
patterns; facial templates; or faceprints[.]'' As discussed in Part
II.B.3.c.ii, the Commission has also decided to amend paragraph 6 of
the definition of personal information to include ``[a] government-
issued identifier, such as a Social Security, [S]tate identification
card, birth certificate, or passport number[.]''
4. Definition of ``Support for the Internal Operations of the Website
or Online Service''
a. The Commission's Proposal Regarding ``Support for the Internal
Operations of the Website or Online Service''
The current Rule defines ``support for the internal operations of
the website or online service'' to include seven enumerated activities
and further provides that the information collected to perform such
activities cannot be used or disclosed to ``contact a specific
individual, including through behavioral advertising, to amass a
profile on a specific individual, or for any other purpose.'' \179\ In
the 2024
[[Page 16933]]
NPRM, the Commission proposed two substantive amendments to the
definition's use restriction. First, the Commission proposed an
amendment clarifying that the information collected for the enumerated
activities in the definition may be used or disclosed to carry out
those activities.\180\ Second, the Commission proposed expanding the
non-exhaustive list of use restrictions in the definition to prohibit
operators relying on the support for the internal operations exception
to the COPPA Rule's verifiable parental consent requirement from using
or disclosing personal information to contact a specific individual
``in connection with processes that encourage or prompt use of a
website or online service.'' \181\ The Commission also solicited
comments about ``whether and how the Rule should differentiate between
techniques used solely to promote a child's engagement with the website
or online service and those techniques that provide other functions,
such as to personalize the child's experience on the website or online
service.'' \182\
---------------------------------------------------------------------------
\179\ 16 CFR 312.2, definition of ``support for the internal
operations of the website or online service.'' In adopting the 2013
Amendments to the Rule, the Commission observed that a number of
functions fall within the scope of the enumerated activities in the
definition of ``support for the internal operations of the website
or online service.'' Specifically, the Commission recognized that
``intellectual property protection, payment and delivery functions,
spam protection, optimization, statistical reporting, or de-
bugging'' are covered by the definitional language permitting
activities that ``maintain or analyze'' the functioning of the
website or online service or those that protect the ``security or
integrity'' of the website or online service. 78 FR 3972 at 3981. In
the 2024 NPRM, the Commission explained its reasons for declining to
expand or narrow the list of activities included in the definition
as suggested by some commenters. 89 FR 2034 at 2044-2045. The
Commission also clarified that ad attribution, personalization,
product improvement, and fraud prevention fall within the scope of
the activities already enumerated in the definition. 89 FR 2034 at
2045.
\180\ 89 FR 2034 at 2050. See also id. at 2045.
\181\ Id. at 2072. See also id. at 2045.
\182\ Id. at 2046, 2070-71 (Question 15). Commenters suggested
various alternatives to the proposed amendment that are responsive
to this question. For example, an FTC-approved COPPA Safe Harbor
program urged the Commission to drop the proposed restriction or
adjust it in a way that distinguishes ``between engagement
techniques that are intrusive, misleading, or unexpected, versus
ones that are reasonable and/or core to the functioning of the
service'' and specifically suggested the alternative language of
``in connection with processes that encourage or prompt continuous
use of a website or online service in a manner not core to the
function of the service or not reasonably expected by the user, or
for any other purpose.'' kidSAFE, at 6 (emphasis in original). An
industry commenter contended that ``engagement techniques falling
outside the Support for Internal Operations exception should be
restricted to practices that have negative consequences for
children, rather than restricting things that simply make a service
more relevant for them, notify them of rewards, or even promote an
age-appropriate experience.'' Chamber, at 5. Another industry
commenter that objected to changing the definition suggested in the
alternative that the Commission ``should clarify that these
restrictions do not apply to techniques used to drive engagement for
purposes that benefit children . . . and personalization that seeks
to make a service more relevant.'' Google, at 10. In response, the
Commission notes that it believes such alternatives would introduce
considerable uncertainty given the variation in possible conclusions
as to whether, for example, a prompt is intrusive or has a negative
consequence and would be difficult for the Commission to enforce for
the same reason.
---------------------------------------------------------------------------
b. Public Comments Received in Response to the Commission's Proposal
Regarding ``Support for the Internal Operations of the Website or
Online Service''
The Commission received at least one comment supporting the first
proposed amendment to the definition of ``support for the internal
operations of the website or online service'' \183\ and did not receive
any comments objecting to it. The Commission received a number of
comments both for and against the proposal to expand the non-exhaustive
list of use restrictions in the definition to include efforts to
contact a specific individual ``with processes that encourage or prompt
use of a website or online service.''
---------------------------------------------------------------------------
\183\ See CIPL, at 6.
---------------------------------------------------------------------------
A number of consumer advocacy groups, school-related groups,
governmental commenters, and other commenters supported the proposal to
restrict the use of persistent identifiers collected under the support
for the internal operations exception to COPPA's verifiable parental
consent requirement to contact a specific individual in order to
encourage or prompt use of a website or online service.\184\ For
example, commenters supporting the additional restriction contended it
is necessary to address the use of engagement techniques that exploit
children's developmental vulnerabilities \185\ and the potential
adverse impacts on mental health associated with children spending
extended periods of time online or engaging with social media
platforms.\186\ At least one commenter suggested that parents should be
given the opportunity to decide whether to consent to the use of their
children's personal information to feed features that encourage
engagement with websites or online services.\187\ Other supportive
commenters contended that using children's personal information to
encourage or prompt use of a website or online service would be
inconsistent with the intended purpose of the support for the internal
operations exception.\188\ Other commenters, while generally supporting
the Commission's proposal, suggested push notifications and prompts
encouraging children to use a website or online service should be
permissible in certain settings, such as ``to promote pedagogical
engagement on edtech platforms.'' \189\
---------------------------------------------------------------------------
\184\ See, e.g., S. Winkler, at 1-2; Children and Screens, at 2;
NYC Technology and Innovation Office, at 2-3; Mental Health America,
at 1-2; ASSA, The School Superintendents Association, at 5;
SuperAwesome, at 4; Motley Rice, at 13; Sandy Hook Promise, at 5;
Children's Advocates Coalition, at 29-31; Family Online Safety
Institute, at 2-3; Data Quality Campaign, at 4; Anonymous, Doc. FTC-
2024-0003-0125, at 1; Anonymous, Doc. FTC-2024-0003-0127, at 1.
\185\ See, e.g., Children's Advocates Coalition, at 29
(``[E]ngagement-maximizing techniques pose particular risks when
used on minors, who are developmentally vulnerable to features and
functions designed to extend their use of a website or service.'').
\186\ See, e.g., S. Winkler, at 1-2; Children and Screens, at 2;
Data Quality Campaign, at 4; Mental Health America, at 1-2.
\187\ S. Winkler, at 1-2.
\188\ See, e.g., Children and Screens, at 2 (suggesting ``[s]uch
uses are an abuse of the exception. . . .''); Children's Advocates
Coalition, at 29 (contending children's ``nascent executive function
skills related to `impulse control, decision-making, attentional
flexibility, planning, self-regulation' . . . make it particularly
difficult for children to resist prompts to return to or stay on a
platform'' and suggesting that ``[u]sing a child's personal data to
exploit these vulnerabilities via notifications or nudges exceeds
the limited practical purposes for which the internal operations
exception is intended'') (internal citation omitted). As part of the
2013 Amendments to the Rule, the Commission explained that the
support for the internal operations exception reflects the agency's
recognition that ``persistent identifiers are [] used for a host of
functions that have little or nothing to do with contacting a
specific individual, and that these uses are fundamental to the
smooth functioning of the internet, the quality of the site or
service, and the individual users' experience.'' 78 FR 3972 at 3980.
\189\ ASSA, The School Superintendents Association, at 5. See
also Advanced Education Research and Development Fund, at 7. Some
commenters opposing the proposal raised similar concerns about the
importance of avoiding amendments to the Rule that would interfere
with beneficial features of ed tech products or services. See, e.g.,
Google, at 10 (discussing ed tech and language learning products and
arguing the proposed change should not apply to ``techniques used to
drive engagement for purposes that benefit children (e.g., sending
them important reminders) and personalization that seeks to make a
service more relevant.''); SIIA, at 6 (contending that ``machine
learning `prompting' or `nudging''' may be beneficial in some
circumstances such as ``algorithmic or machine learning prompts for
the purposes of meeting learning objectives . . . in the context of
education technology (specifically adaptive and/or personalized
learning)'').
---------------------------------------------------------------------------
For a variety of reasons, a majority of commenters that weighed in
on this proposal, representing different types of stakeholders, opposed
amending the definition's use restriction to prohibit operators from
relying on the support for the internal operations exception when
persistent identifiers are being used in connection with processes that
encourage or prompt the use of a website or online service.\190\
Several
[[Page 16934]]
industry group commenters suggested the proposal falls outside the
scope of the objectives that the COPPA statute was intended to address
and exceeds the Commission's statutory authority.\191\
---------------------------------------------------------------------------
\190\ See, e.g., SIIA, at 5-6, 16; Chamber, at 5; ACLU, at 21-
22; ESA, at 16-18; IAB, at 18-20; NCTA, at 13-14; ACT | The
App Association, at 7-8; Scalia Law School Program on Economics &
Privacy and University of Florida Brechner Center, at 5-6; kidSAFE,
at 5-6; ANA, at 14-15; CCIA, at 5; Google, at 9-10; The Toy
Association, at 2-3; Future of Privacy Forum, at 8-9.
\191\ See, e.g., Google, at 9-10 (``None of the objectives that
COPPA was designed to achieve, or harms that COPPA was intended to
prevent, have anything to do with children's engagement with online
content. The FTC's attempt to regulate children's engagement with
content through the COPPA Rule goes beyond its statutory authority
and is the type of value judgment that is appropriately reserved for
Congress.''); Chamber, at 5 (suggesting ``it is not clear that COPPA
confers authority on the FTC to propose this restriction''); ESA, at
18 (``The intent of COPPA was not to regulate how operators design
experiences for children online beyond the specific requirements
related to the processing of children's personal information. The
FTC should not use this rulemaking to implement age-appropriate-
design-code-style features that would overstep its statutory
authority and congressional intent in order to, for example,
restrict the amount of time children spend online.''); IAB, at 19
(``COPPA is intended to protect the privacy and safety of children's
personal information online, not to be a `design code' statute.'');
NCTA, at 14 (arguing that proposal is ``outside the scope of COPPA's
remit, which is to protect privacy of children online'') (emphasis
in original).
---------------------------------------------------------------------------
Several commenters asserted the proposed language is vague or
overbroad and fails to give operators adequate notice of the prohibited
conduct.\192\ Another commenter suggested the proposed language is
``potentially broader than the concerns of maximizing user engagement
and could include something as infrequently as one notification per
day.'' \193\ Other commenters argued the proposed restriction is broad
enough to potentially include any design feature improving the user
experience, because a streamlined or personalized user experience could
be viewed as encouraging or prompting the use of the service.\194\
---------------------------------------------------------------------------
\192\ See, e.g., ESA, at 16 (suggesting language ``does not
clearly indicate the type of functions and features that are
prohibited by the proposed restriction'' and therefore does not
provide adequate notice to operators about what is prohibited);
NCTA, at 14 (contending proposal is vague and unenforceable);
kidSAFE, at 5 (arguing restriction is too broad and may require
operators to obtain verifiable parental consent and increase data
collection ``for prompts that are essential to the core function of
child-directed services and reasonably expected by users of those
services''); IAB, at 18-19 (``[T]he prohibition could be read
expansively as applying to a wide range of design practices that
benefit consumers, including `personalization' and `optimization'
expressly permitted under the support for internal operations
exception.''); ANA, at 15 (arguing ``proposed restriction is vague
and unclear'').
\193\ Future of Privacy Forum, at 9.
\194\ See, e.g., ESA, at 16-17; NCTA, at 14 (``[T]he language
could be interpreted that any design feature that improves user
experience is problematic. . . .'') (emphasis in original); Scalia
Law School Program on Economics & Privacy and University of Florida
Brechner Center, at 6 (suggesting proposal will adversely impact
quality of online services for children because ``[u]nder the
potentially vast and highly subjective standard proposed by the
Commission, taking actions to improve one's service risks being
deemed by the Commission to have `encouraged' use or attention'');
American Association of Advertising Agencies (``4A's''), at 3 (``The
use of persistent identifiers for personalization allows operators
to provide valuable benefits to children including reactive learning
environments, tailored and improved products, and fraud prevention
services. In the longer term, widespread disruption of these
services by way of requiring verifiable parental consent would mean
a significantly downgraded user experience for children as they
engage safely online.''); IAB, at 18-19; ANA, at 15 (``On its face,
this proposal could restrict any feature that makes the offered
services more enjoyable or interesting to kids.'') (emphasis in
original). See also NCTA, at 14 (``Even if the FTC's intention is to
protect children against dark patterns, addictive features, or other
putatively manipulative characteristics and capabilities, the
proposed language sweeps far more broadly and threatens to interfere
with beneficial capabilities that enhance user experience.'').
---------------------------------------------------------------------------
Many commenters emphasized that the proposed restriction could have
unintended consequences, such as preventing operators from using
prompts and notifications that are beneficial for children.\195\ For
example, commenters mentioned features in educational products that
rely on push notifications to help children remain focused on studies
or notifications to children related to taking turns in an online
game.\196\ Another commenter opposing the additional restriction urged
the Commission to consider positive use cases for prompts such as
``reminders about meditation apps, homework assignment reminders, and
notifications about language lessons.'' \197\ Another commenter
criticized the proposal for failing to ``differentiate between features
that are: (1) commercial in nature or enable access to third parties
and/or harmful content, and (2) [those] intended to helpfully
personalize a child's experience.'' \198\
---------------------------------------------------------------------------
\195\ See, e.g., SIIA, at 6, 19-20 (suggesting proposal would
prohibit useful notifications and machine learning-based prompts
reminding students to complete lessons or homework); Chamber, at 5;
IAB, at 18-19; ACT | The App Association, at 7-8; CIPL, at 6
(requesting clarification of the terms used in proposal and
suggesting undefined phrase of `` `encourage or prompt use' . . .
could unwittingly prohibit innovative and beneficial uses for end
users. . .'').
\196\ See, e.g., CCIA, at 5 (``Some educational applications . .
. utilize push notifications to help children remain focused on
their studies, including in conjunction with usage `streaks' and
other methods intended to gamify learning for children's
benefit.''); E. Tabatabai, at 12-13 (stating that ed tech operators
often use ``benign forms of encouragement to make a learning
activity more enjoyable . . . and to increase the learning benefit
for the child by encouraging additional practice''); kidSAFE, at 5-6
(suggesting restriction is overbroad and would apply to beneficial
prompts such as (1) an educational website sending alert to student
that a teacher has assigned new materials or graded an assignment;
(2) a chess game sending an in-app notification that the next move
is ready; (3) a connected toy device displaying an indicator that
the device is ready to be used after software update or completed
battery charge; (4) language learning apps prompting learner to
engage in scheduled practice-based curriculum; (5) notice of friend
request or that friend request has been accepted; and (6) an email
alert informing user to confirm login to account from an
unrecognized device).
\197\ Future of Privacy Forum, at 9.
\198\ ACT | The App Association, at 7-8.
---------------------------------------------------------------------------
Other industry and public interest group commenters argued that the
proposed use restriction unduly restricts legal speech and may violate
First Amendment constitutional protections.\199\ At least one public
interest group commenter urged the Commission to address the misuse of
push notifications through guidance and enforcement rather than with
rulemaking and further suggested that changing the Rule to
categorically prohibit push notifications would, in some circumstances,
be inconsistent with the COPPA statute's requirement that agency
regulations permit operators to respond ``more than once directly to a
specific request from the child'' as long as parents are provided with
notice and an opportunity to opt out.\200\
---------------------------------------------------------------------------
\199\ See, e.g., Chamber, at 5; ACLU, at 21; NCTA, at 13
(stating COPPA statute is not an age appropriate design code and
that ``such efforts at the state level are actively being challenged
on constitutional grounds as impermissible restrictions on
speech''); ACT | The App Association, at 8 (suggesting
regulation of engagement techniques as proposed would restrict
access to legal content online and ``gives rise to First Amendment
concerns''). See also ESA, at 18 (contending an ``overly broad
interpretation of this prohibition could also unconstitutionally
limit adults' ability to access online content by making sites and
services less easy to use (e.g., by limiting personalization)'').
\200\ See ACLU, at 22 (citing 15 U.S.C. 6502(b)(2)(C)).
---------------------------------------------------------------------------
c. The Commission Adopts Amendments Regarding ``Support for the
Internal Operations of the Website or Online Service''
After carefully considering the record and comments, and for the
reasons discussed in Part II.B.4.b of this document, the Commission
adopts the proposed amendment clarifying that persistent identifiers
used for the activities enumerated in paragraphs (1)(i) through (vii)
of the definition of ``support for the internal operations of the
website or online service'' may be used or disclosed in connection with
those activities.\201\
---------------------------------------------------------------------------
\201\ See supra note 179.
---------------------------------------------------------------------------
By contrast, the Commission is persuaded that adding ``in
connection with processes that encourage or prompt use of a website or
online service'' to the use restriction as proposed is overly broad and
would constrain beneficial prompts and notifications, as well as those
that prolong children's engagement with sites and services, in
[[Page 16935]]
ways that may be detrimental. Although the Commission is not making
this proposed change to the Rule, the Commission notes the proposal is
consistent with the goals of the COPPA statute, which include
protecting children's privacy by ``enhancing parental involvement in a
child's online activities'' and ``by limiting the collection of
personal information from children without parental consent.'' \202\
The Commission shares supportive commenters' concerns regarding
practices that operators employ to maximize children's engagement with
online services \203\ and notes that it may pursue enforcement under
section 5 of the FTC Act in appropriate cases to address unfair or
deceptive acts or practices encouraging prolonged use of websites and
online services that increase risks of harm to children.\204\ The
Commission also reiterates that the support for the internal operations
exception restricts the use of persistent identifiers, without parental
consent, to what is ``necessary'' for the activities enumerated in
paragraphs 1(i) through (vii) of the definition of the ``support for
the internal operations of the website or online service.'' \205\
---------------------------------------------------------------------------
\202\ See 144 Cong. Rec. S12787-04, S12787 (1998) (statement of
Senator Bryan).
\203\ See, e.g., FTC Press Release, FTC Announces Virtual
Workshop on the Attention Economy: Monopolizing Kids' Time Online
(Sept. 26, 2024), available at <a href="https://www.ftc.gov/news-events/news/press-releases/2024/09/ftc-announces-virtual-workshop-attention-economy-monopolizing-kids-time-online">https://www.ftc.gov/news-events/news/press-releases/2024/09/ftc-announces-virtual-workshop-attention-economy-monopolizing-kids-time-online</a>.
\204\ There may be circumstances where the collection of
personal information for the purposes of increasing engagement could
violate Sec. 312.7 of the COPPA Rule, where an operator conditions
a child's participation in an activity on the collection of such
information and such information is more than is reasonably
necessary to participate in the activity. See 16 CFR 312.7.
\205\ See 16 CFR 312.2.
---------------------------------------------------------------------------
d. NPRM Question Nine: Personalization and ``Support for the Internal
Operations of the Website or Online Service''
In Question Nine of the ``Questions for the Proposed Revisions to
the Rule'' section of the 2024 NPRM, the Commission noted that some
commenters on the 2019 Rule Review Initiation recommended modifications
to the ``support for the internal operations of the website or online
service'' definition to limit personalization to ``user-driven''
actions and to exclude methods designed to maximize user
engagement.\206\ To follow up on those recommendations, the 2024 NPRM
requested comment as to the circumstances under which personalization
would be considered ``user-driven'' versus ``operator-driven'' and as
to how operators use persistent identifiers, as defined by the COPPA
Rule, to maximize user engagement with a website or online
service.\207\
---------------------------------------------------------------------------
\206\ 89 FR 2034 at 2070.
\207\ Id.
---------------------------------------------------------------------------
Most commenters that responded to Question Nine recommended against
the Commission amending the definition of ``support for the internal
operations of the website or online service'' to differentiate between
user-driven versus operator-driven personalization actions.\208\ Some
such commenters expressed concern that the meaning of ``user-driven''
personalization is not clear.\209\ Some commenters asserted that an
attempt to draw a distinction between user-driven and operator-driven
personalization might violate the First Amendment or exceed the
Commission's authority under the COPPA statute.\210\ Some opined that
such a distinction does not take into account how operator-driven
personalization can benefit children in educational and other
contexts.\211\
---------------------------------------------------------------------------
\208\ See, e.g., ACLU, at 21-22; Privacy for America, at 14;
ANA, at 9; Center for AI and Digital Policy, at 6-7; ESA, at 17;
CCIA, at 4-5; SIIA, at 16; News/Media Alliance, at 3; Chamber, at 5;
kidSAFE, at 6.
\209\ See, e.g., ACLU, at 21-22.
\210\ See, e.g., Chamber, at 5; Privacy for America, at 14.
\211\ See, e.g., ESA, at 17; News/Media Alliance, at 3; ANA, at
9.
---------------------------------------------------------------------------
By contrast, a coalition of State attorneys general recommended
that the Commission amend the definition of ``support for the internal
operations of the website or online service'' to limit
``personalization'' to ``user-driven'' actions.\212\ Specifically, the
coalition proposed that the Commission limit user-driven
personalization to tools that enable users to customize their
experience by, for example, configuring layout, content, or system
functionality, while excluding personalization that is ``based on data
collected from what users search, purchase, and watch.'' \213\ The
Center for Democracy and Technology also expressed general support for
limiting the definition to user-driven rather than operator-driven
personalization.\214\ This commenter suggested that, if a user signs
into his or her account on an app where the user selects an option to
see more of a particular type of content or creator, such action should
be deemed to be user-driven personalization that falls within the
support for the internal operations definition.\215\ A few commenters
recommended that the Commission restrict the use of the support for the
internal operations exception to the COPPA Rule's verifiable parental
consent requirement so that it would not be available for user-driven
or operator-driven personalization.\216\
---------------------------------------------------------------------------
\212\ State Attorneys General Coalition, at 6.
\213\ Id.
\214\ CDT, at 6.
\215\ Id.
\216\ See, e.g., Center for AI and Digital Policy, at 6-7; T.
McGhee, at 10.
---------------------------------------------------------------------------
Some commenters recommended that, if the Commission decides to
exclude some personalization techniques from the support for the
internal operations of the website or online service definition, the
Commission should focus only on personalization that is based upon user
profiling \217\ or permit personalization in educational products that
schools have consented for children to use or that facilitate adaptive
learning.\218\ Relatedly, an individual commenter opined that
operator-driven, profile-based personalization can be beneficial in contexts
such as ``delivering age-appropriate content, restricting display of
adult content, restricting contact by adults, serving content that is
relevant to the user, [and] enriching the functionality for a user.''
\219\
---------------------------------------------------------------------------
\217\ See, e.g., ACLU, at 21-22. See also, e.g., Consumer
Reports, at 7 (opining that the support for the internal operations
exception might properly permit operator-driven personalization for
purposes such as preserving a child's progress within a game but
should not permit operator-driven personalization to create profiles
of children).
\218\ See Advanced Education Research and Development Fund, at
7.
\219\ M. Bleyleben, at 4.
---------------------------------------------------------------------------
Having carefully considered the record and comments regarding the
idea of amending the support for the internal operations of the website
or online service definition to exclude operator-driven
personalization, the Commission finds persuasive the reasons set forth
by commenters that recommended the Commission decline to make such an
amendment. The Commission therefore declines to make such an amendment
to the definition at this time.\220\
---------------------------------------------------------------------------
\220\ The Commission received relatively little specific
response to the portion of Question Nine that asked how operators
use persistent identifiers to maximize user engagement. For the
reasons set forth in Part II.D.5.c, the Commission is not moving
forward with the 2024 NPRM's proposal to prohibit operators from
using the support for the internal operations exception to the COPPA
Rule's verifiable consent requirement in conjunction with processes
that encourage or prompt use of a website or online service.
---------------------------------------------------------------------------
e. NPRM Question Ten: Contextual Advertising
The 2024 NPRM noted that the support for the internal operations
exception to the COPPA Rule's verifiable parental consent requirement
permits operators to collect persistent identifiers for contextual
advertising purposes without parental consent as
[[Page 16936]]
long as they do not also collect other personal information.\221\
Question Ten of the ``Questions for the Proposed Revisions to the
Rule'' section of the NPRM requested comment on whether the Commission
should consider changes to the COPPA Rule's treatment of contextual
advertising due to the current sophistication of contextual
advertising, ``including that personal information collected from users
may be used to enable companies to target contextual advertising to
some extent.'' \222\
---------------------------------------------------------------------------
\221\ 89 FR 2034 at 2043.
\222\ Id. at 2070.
---------------------------------------------------------------------------
Several commenters responded to Question Ten by expressing concerns
with the COPPA Rule's treatment of contextual advertising.\223\ Some
commenters opined generally that contextual advertising closely
resembles targeted advertising by relying upon user-level data and
inferences and the use of artificial intelligence.\224\ One commenter
stated that the COPPA Rule's support for the internal operations
exception to the verifiable parental consent requirement does not need
to include contextual advertising because persistent identifiers are
not needed for contextual advertising, and including within the
exception the use of persistent identifiers for contextual advertising
``simply opens the door to the sharing of personal information with
third parties who do not need it'' and ``invit[es] leakage into the
broader ad ecosystem.'' \225\ Some commenters asserted that contextual
advertising allows entities such as data brokers to create and sell
profiles.\226\ Commenters raising these concerns recommended that the
Commission respond by, for example, providing greater clarity as to the
meaning of ``contextual'' advertising, including by narrowing the
support for the internal operations exception to permit only contextual
advertising that does not vary based on personal information collected
from, or related to, the child or by stating explicitly that operators
should restrict the personal information collected for contextual
advertising to what is strictly necessary to deliver contextual
advertising.\227\
---------------------------------------------------------------------------
\223\ See, e.g., Internet Safety Labs, at 5-6; EPIC, at 6-8; M.
Bleyleben, at 1, 4-5; State Attorneys General Coalition, at 6-8;
Consumer Reports, at 7-8; CDT, at 7; SuperAwesome, at 2-4; T.
McGhee, at 11.
\224\ See, e.g., EPIC, at 6-8; State Attorneys General
Coalition, at 7-8.
\225\ M. Bleyleben, at 1. See also, e.g., T. McGhee, at 11
(questioning what persistent identifiers are needed for ``contextual
advertising'' about the context and content of the web page).
\226\ See, e.g., Internet Safety Labs, at 5-6.
\227\ See, e.g., EPIC, at 6-8; State Attorneys General Coalition,
at 5-6; Consumer Reports, at 7-8. See also, e.g., SuperAwesome, at
3-4 (supporting the COPPA Rule permitting operators to collect
persistent identifiers for contextual advertising purposes without
obtaining parental consent while recommending that the COPPA Rule
provide greater clarity as to the distinction between contextual and
behavioral advertising).
---------------------------------------------------------------------------
By contrast, a large number of commenters recommended that the
Commission maintain the position that the support for the internal
operations exception to the COPPA Rule's verifiable parental consent
requirement permits the use of persistent identifiers for contextual
advertising.\228\ Many such commenters urged that contextual
advertising is critical to maintaining free, high quality content for
children.\229\ Some emphasized that requiring operators to obtain
verifiable parental consent to collect and use persistent identifiers
for contextual advertising would negatively affect startup and small
businesses, in particular.\230\ Some commenters emphasized that
enabling operators to use contextual advertising is important for
ensuring that children do not receive advertising content that is not
appropriate for children.\231\ Some stated that the COPPA Rule should
not require verifiable parental consent for the use of persistent
identifiers to serve contextual advertisements because delivering
contextual advertisements is a ``privacy-centric'' advertising practice
that does not entail ``contacting'' a specific individual or child on a
one-to-one basis.\232\ In addition, a few trade associations asserted
that requiring verifiable parental consent for the use of persistent
identifiers to facilitate contextual advertising could violate the
Constitution.\233\
---------------------------------------------------------------------------
\228\ See, e.g., SIIA, at 6, 17; R Street Institute, at 2-3;
ITIC, at 3; 4A's, at 3-4; NAI, at 5-6; Chamber, at 11; NCTA, at
11-13; kidSAFE, at 6-7; ACT | The App Association, at 7; ITIF,
at 4; CCIA, at 5-6; The Toy Association, at 4; Google, at 11;
Microsoft, at 6; ANA, at 8-10; News/Media Alliance, at 5-6; Privacy
for America, at 3-4; IAB, at 20-21; CIPL, at 6; M. Jones, at 1; S.
Ward, at 1.
\229\ See, e.g., SIIA, at 6, 17; ITIC, at 3; 4A's, at 3-4;
Chamber, at 11; IAB, at 20-21; ITIF, at 4; CCIA, at 5-6; Google, at
11; News/Media Alliance, at 5-6; Privacy for America, at 3-4;
kidSAFE, at 6-7; NAI, at 5-6; ANA, at 8-10; M. Jones, at 1.
\230\ See, e.g., Engine, at 3 (emphasizing that startups rely
upon revenue received from contextual advertising); 4A's, at 3-4
(emphasizing that small publishers and content providers rely upon
revenue received from contextual advertising).
\231\ See, e.g., ITIC, at 3; Microsoft, at 6.
\232\ See, e.g., NCTA, at 12 (arguing that contextual ads are by
their nature not delivered on a one-to-one basis and thus do not
result in ``contacting''); News/Media Alliance, at 5 (``Contextual
advertising is one of the more privacy-centric advertising
practices.''). See also The Toy Association, at 4 (``[B]y its very
nature contextual advertising is targeting the audience based on the
content they are choosing and making common sense inferences about
the audience. For our members['] experience, AI and machine learning
used for contextual advertising only pertains to content analysis of
the programming/show where the ads appear and not information
collected from the viewer.'').
\233\ See, e.g., ACT | The App Association, at 7; NCTA,
at 12.
---------------------------------------------------------------------------
Having carefully considered the record and commenters' responses to
Question Ten, the Commission declines to modify the COPPA Rule's
treatment of contextual advertising. As discussed further in Part
II.C.2, the Commission's addition of new Sec. 312.4(d)(3) will enhance
the Commission's ability to monitor operators' use of the support for
the internal operations exception to the COPPA Rule's verifiable
parental consent requirement for contextual advertising and other
purposes.
5. Definition of ``Website or Online Service Directed to Children''
The Rule's current definition of ``website or online service
directed to children'' includes in its first paragraph a list of
factors that the Commission considers in determining whether a
particular website or online service is child-directed. The second
paragraph states that a website or online service shall be deemed
directed to children when it has actual knowledge that it is collecting
personal information directly from users of another website or online
service directed to children. The third paragraph provides that certain
``mixed audience'' websites and online services that are child-directed
under the multi-factor test set forth in the first paragraph of the
definition will not be deemed directed to children if the website or
online service does not collect personal information from any visitor
prior to collecting age information and prevents the collection, use,
or disclosure of personal information from visitors who identify
themselves as under 13 without first complying with the notice and
parental consent provisions of the Rule. The fourth paragraph provides
that a website or online service will not be deemed child-directed
solely because it refers or links to a commercial website or online
service directed to children.
The Commission proposed a number of amendments to this definition
in the 2024 NPRM that were intended to provide additional insight and
clarity regarding how the Commission currently interprets and applies
the definition and were not intended to substantively change the
Rule.\234\ As explained infra, the Commission adopts amendments to
paragraphs (1) and (3).
[[Page 16937]]
The Commission has decided not to make the proposed amendment to
paragraph (2) and also declines to adopt an exemption.
---------------------------------------------------------------------------
\234\ See 89 FR 2034 at 2046.
---------------------------------------------------------------------------
a. Paragraph (1) of ``Website or Online Service Directed to Children''
i. The Commission's Proposal Regarding Paragraph (1) of ``Website or
Online Service Directed to Children''
The determination of whether a website or online service is
child-directed is fact-based and requires flexibility as individual factors
may be more, or less, relevant depending on the context. In the 2024
NPRM, the Commission preserved the multi-factor test for determining
child-directedness in the Rule,\235\ but proposed amending paragraph
(1) of the definition of ``website or online service directed to
children'' to include a non-exhaustive list of examples of evidence the
Commission may consider in analyzing audience composition and intended
audience. Specifically, the Commission proposed adding to the
definition marketing or promotional materials or plans, representations
to consumers or to third parties, reviews by users or third parties,
and the age of users on similar websites or services.
---------------------------------------------------------------------------
\235\ See id. at 2046. The Commission notes that many commenters
expressed support for continued application of the multi-factor
test. See, e.g., ESA, at 2; IAB, at 9; CDT, at 7; CIPL, at 7.
---------------------------------------------------------------------------
ii. Public Comments Received in Response to the Commission's Proposal
Regarding Paragraph (1) of ``Website or Online Service Directed to
Children''
The Commission received numerous comments in response to this
proposal, with many commenters expressing support for including certain
proposed examples in the definition of ``website or online service
directed to children'' while opposing the inclusion of other proposed
examples.\236\
---------------------------------------------------------------------------
\236\ Certain commenters expressed support for all of the
proposed examples. See, e.g., Common Sense Media, at 3; Consumer
Reports, at 8; Mental Health America, at 5.
---------------------------------------------------------------------------
Regarding the examples of ``marketing or promotional materials or
plans'' and ``representations to consumers or to third parties,'' a
majority of commenters addressing the proposal supported including such
examples.\237\ Some of these commenters emphasized these factors are
within operators' control and appropriately focus on the ways that
operators signal to consumers, advertisers, and others that children
are a targeted audience.\238\ For these reasons, the Commission is
convinced such materials and representations often provide compelling
direct evidence regarding an operator's intended audience and audience
composition and notes that complaints in previous COPPA enforcement
cases have cited such evidence as being relevant in determining whether
a website or online service is directed to children.\239\
---------------------------------------------------------------------------
\237\ See, e.g., CIPL, at 7; T. McGhee, at 4; NAI, at 6-7; ESRB,
at 19; Microsoft, at 8; TechFreedom, at 9-10; News/Media Alliance,
at 4; Common Sense Media, at 3; Consumer Reports, at 8; Mental
Health America, at 5. Other commenters expressed support for one of
these examples. See Chamber, at 6 (expressing support for Commission
considering marketing and promotional materials in determining
child-directedness).
\238\ See Mental Health America, at 5; NAI, at 6.
\239\ See, e.g., Complaint, United States v. Microsoft Corp.,
Case No. 2:23-cv-00836 (W.D. Wash. June 5, 2023), at 7, available at
<a href="https://www.ftc.gov/system/files/ftc_gov/pdf/microsoftcomplaintcivilpenalties.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/microsoftcomplaintcivilpenalties.pdf</a>; Complaint, FTC v. Google LLC
and YouTube, LLC, Case No. 1:19-cv-02642 (D.D.C. Sept. 4, 2019), at
8-9, 11, 15-16, available at <a href="https://www.ftc.gov/system/files/documents/cases/youtube_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/youtube_complaint.pdf</a>.
---------------------------------------------------------------------------
Most of the commenters that opposed the Commission's proposal
primarily raised concerns with the addition of ``reviews by users or
third parties'' and ``the age of users on similar websites or
services'' to paragraph (1) of the definition. Some commenters
contended these examples are not ``competent and reliable empirical
evidence'' of audience composition or intended audience, and are
therefore inconsistent with the standard set forth in the final
sentence of paragraph (1) and should not be considered in the
Commission's assessment of child-directedness.\240\ Many commenters
also asserted that these examples are subjective or vague,\241\ and
unlike other factors identified in paragraph (1) of the definition,
improperly make operators responsible for factors outside of their
knowledge and control.\242\ For example, regarding reviews by users or
third parties, commenters questioned which reviews the Commission would
deem relevant \243\ and noted that not all reviews are reliable or
genuine.\244\ Some commenters also expressed concern that this proposed
amendment would incentivize competitors or others to file false reviews
in an attempt to influence how a website or online service is
categorized.\245\
---------------------------------------------------------------------------
\240\ See, e.g., IAB, at 9-12 (arguing that user reviews and age
demographics of other services are not competent and reliable
indicators of child-directedness); NCTA, at 8-9 (arguing the two
factors do not meet the heightened standard of competent and
reliable empirical evidence); News/Media Alliance, at 4 (``It is our
members' experience that reviews by users and third parties are
often subjective and tend to be imprecise.'').
\241\ See, e.g., Chamber, at 6; ESRB, at 19; ESA, at 2-3; NCTA,
at 8-9.
\242\ See, e.g., CCIA, at 6-7; T. McGhee, at 4; 4A's, at 2;
Chamber, at 6; ESA, at 2-3; IAB, at 5-6; NCTA, at 7-8; ACT |
The App Association, at 5; ANA, at 7-8; International Center for Law
& Economics, at 14-15; Privacy for America, at 5-6; Epic Games, at
11; Google, at 4-5.
\243\ See, e.g., American Consumer Institute, at 2; CCIA, at 7;
Taxpayers Protection Alliance, at 2. At least one commenter
expressed uncertainty about whether the Commission would evaluate
user reviews over time, or whether the assessment would be based on
evaluating reviews at a particular point of time. See, e.g., ESA, at
3.
\244\ See, e.g., CIPL, at 7; ANA, at 7.
\245\ See, e.g., ANA, at 7 (``[L]isting reviews as a factor in
this test incentivizes competitors to file false reviews in an
attempt to influence how a website or online service is
categorized.''); TechFreedom, at 11-12 (``allowing third-party
reviews to color the intent of the website or service provider
almost guarantees the weaponization of this new definition'').
---------------------------------------------------------------------------
Regarding the age of users on similar websites or services,
commenters emphasized that operators would likely not have access to
data about the ages of users of websites or online services controlled
by others,\246\ and that it is not clear what would be considered a
``similar'' website or service.\247\ Many industry commenters also
emphasized that monitoring third-party reviews or gathering available
information about the age of users of ``similar'' websites and online
services would significantly increase operators' compliance
burdens.\248\ Others suggested that inclusion of such evidence in the
definition would be inconsistent with the Commission's position that
operators of general audience properties have no duty to investigate
the ages of visitors to their properties under COPPA \249\ and would
inappropriately import a constructive knowledge standard into the Rule
that is inconsistent with the COPPA statute.\250\
---------------------------------------------------------------------------
\246\ See, e.g., American Consumer Institute, at 2; ANA, at 8;
CCIA, at 7; Google, at 4-5.
\247\ See, e.g., ANA, at 8; CCIA, at 6-7; International Center
for Law & Economics, at 14-15; Privacy for America, at 5-6; Google,
at 4-5; NetChoice, at 4; Taxpayers Protection Alliance, at 2;
News/Media Alliance, at 4-5; ESA, at 3; CIPL, at 7.
\248\ See, e.g., Privacy for America, at 6; CCIA, at 7; 4A's, at
2; ANA, at 7-8. Some such commenters asserted that such monitoring
may be ``entirely infeasible'' for small operators. Privacy for
America, at 6; 4A's, at 2.
\249\ See Privacy for America, at 5-6; ACT | The App
Association, at 5.
\250\ See, e.g., SIIA, at 18; IAB, at 10-11.
---------------------------------------------------------------------------
In response to these comments, the Commission reiterates that the
inquiry in determining child-directedness requires consideration of a
totality of the circumstances. Depending on the facts, reviews or the
age of users on similar websites or online services may receive little
weight in determining audience composition or the intended audience of
a website or online service. For example, the Commission understands
that reviews may not always be representative, accurate, or genuine and
that content ratings or other ratings published by platforms or other
third
[[Page 16938]]
parties are developed for a range of different purposes that are not
necessarily fully aligned with determining whether a website or online
service is directed to children under the COPPA Rule.\251\ The
Commission will take such considerations into account when determining
whether to rely on such evidence in assessing child-directedness. The
Commission also observes that it is common for companies to monitor
reviews related to their websites or online services as well as to
track information about user demographics and the features of
competitors' websites or online services. The addition of these
examples to the definition of ``website or online service directed to
children'' is not intended to impose a burdensome requirement that
operators identify and continuously monitor all such information.
However, there certainly may be circumstances in which operators'
knowledge of reviews or the ages of users on similar websites or
services may be relevant to the Commission's determination, based on
the totality of the circumstances, that a website or service is
directed to children.\252\
---------------------------------------------------------------------------
\251\ See, e.g., ESRB, at 20 (suggesting reviews by third
parties could potentially include content ratings which would be
inappropriate for the Commission to consider because such ratings
are about the appropriateness of content rather than whether a
service is directed to children).
\252\ If an operator is aware of publicly-available information
indicating that children under 13 are using its website or online
service, such information may be relevant to determining that the
website or online service is child-directed. For example, in a
complaint against Epic Games, the Commission alleged the company and
its employees regularly monitored, read, and circulated news
articles and social media posts chronicling Fortnite's popularity
among children, and sometimes incorporated kids' ideas directly into
the game. See Complaint, United States v. Epic Games, Inc., Case No.
5:22-CV-00518 (E.D.N.C. Dec. 19, 2022), at 15, available at <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesComplaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/2223087EpicGamesComplaint.pdf</a>.
In an enforcement case involving a weight-loss app directed to
children, the Commission's complaint highlighted that defendants
featured consumer reviews from young children to market their app in
the Apple App Store. Complaint, United States v. Kurbo, Inc. and WW
International, Inc., Case No. 22-cv-946 (N.D. Cal. Feb. 16, 2022),
at 7, available at <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/filed_complaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/filed_complaint.pdf</a>.
---------------------------------------------------------------------------
iii. The Commission Amends Paragraph (1) of ``Website or Online Service
Directed to Children''
After carefully considering the record and comments, and for the
reasons discussed in Part II.B.5.a.ii of this document, the Commission
has decided to amend paragraph (1) of the definition as proposed.
b. NPRM Question Eleven: Potential Exemption From ``Website or Online
Service Directed to Children''
In Question Eleven of the ``Questions for the Proposed Revisions to
the Rule'' section of the NPRM, the Commission requested comment on
various questions related to whether it should offer an exemption
within the definition of website or online service directed to
children, or other incentive, if an operator of a website or online
service undertakes an analysis of its audience composition and
determines that no more than a specific percentage of its users are
likely to be children under 13.\253\
---------------------------------------------------------------------------
\253\ See 89 FR 2034 at 2070 (Question 11). Question Eleven's
subsidiary questions included what are reliable means by which
operators can determine the likely ages of their sites' or services'
users (Question 11(b)) and whether inclusion of an audience
composition-based exemption within the definition of ``website or
online service directed to children'' would be inconsistent with the
COPPA Rule's multi-factor test for determining whether a website or
online service, or a portion thereof, is directed to children
(Question 11(e)).
---------------------------------------------------------------------------
The Commission received some comments supporting such an
exemption.\254\ One FTC-approved COPPA Safe Harbor program suggested an
exemption would motivate operators to thoroughly investigate their
audiences without fear of collecting evidence that might be used in
government enforcement actions.\255\ An industry commenter suggested an
exemption would allow operators of sites with a small percentage of
users under 13 to avoid unnecessary compliance costs and better tailor
their services to their audience, and provide the FTC with greater
insight into online services' audiences.\256\
---------------------------------------------------------------------------
\254\ See, e.g., CARU, at 2; ITIF, at 4. See also generally
Family Online Safety Institute, at 3-4 (responding to Question
Eleven by expressing the view that age assurance processes can
improve online safety for young users by enabling operators to offer
age appropriate online experiences).
\255\ CARU, at 2. However, another FTC-approved COPPA Safe
Harbor program saw limited value in the proposal. See kidSAFE, at 7-
8.
\256\ ITIF, at 4-5.
---------------------------------------------------------------------------
However, a large majority of commenters addressing Question Eleven
opposed implementing such an exemption.\257\ Commenters opposing or
expressing skepticism about this potenti
[…truncated; see source link]