In a similar vein, some commenters believed that the particular assessment mechanisms and compliance incentives listed as options in sections 312.10(b)(2) and 312.10(b)(3), respectively, of the proposed Rule were, in fact, mandatory practices.302 In the NPR, the Commission sought to clarify that these sections set out performance standards and that the listed methods were only suggested means for meeting these standards.303 In light of the confusion evidenced by the comments, the Commission has amended these sections to make this express.304
Thus, section 312.10(b)(2) of the Rule makes explicit that its requirement that guidelines include an effective, mandatory mechanism for the independent assessment of subject operators' compliance is a performance standard. Similarly, section 312.10(b)(3) of the Rule states that its requirement that guidelines include effective incentives for subject operators' compliance is a performance standard. Both section 312.10(b)(2) and 312.10(b)(3) of the Rule include suggested means of meeting their respective performance standards and provide that those performance standards may be satisfied by other means if their effectiveness equals that of the listed alternatives. The Commission believes that the Rule therefore provides the flexibility sought by the commenters.
In the NPR, the Commission stated that operators could not rely solely on self-assessment mechanisms to comply with section 312.10(b)(2).305 Commenters were divided on the issue of whether the Commission should permit self-assessment as a means of measuring operators' compliance with self-regulatory guidelines. Some believed that self-assessment, without more, is not an adequate means of measuring compliance.306 Others believed that the Commission should not impose an independent assessment requirement on operators that choose not to join third-party compliance programs, as long as their information practices satisfy the COPPA.307
On balance, the Commission believes that a performance standard that incorporates independent assessment is appropriate and necessary. Under the safe harbor provision, the Commission looks to the promulgators of guidelines, in the first instance, to ensure that those guidelines are effectively implemented. The Commission believes that independent assessment is the best way to ensure that operators are complying with the guidelines.308 The Commission notes, however, that the Rule does not prohibit the use of self-assessment as one part of an organization's efforts under section 312.10(b)(2) to measure subject operators' compliance with the Rule, nor does it preclude individual operators who have not joined third-party programs from assessing their own compliance. The Rule does, however, prohibit the use of self-assessment as the only means of measuring compliance with self-regulatory guidelines.
Several commenters suggested that the Commission require that self-regulatory guidelines include an array of specific practices not listed in the proposed Rule. Such practices include, for example: comprehensive information practice reviews as a condition of membership in self-regulatory programs,309 annual compliance affidavits to be submitted by subject operators to self-regulatory organizations,310 quarterly monitoring of operators' information practices by self-regulatory groups,311 public reporting of disciplinary actions taken by trade groups against subject operators in publications other than trade publications,312 and referral to the Commission of all violations of approved guidelines 313 or all failures to comply with a self-regulatory group's disciplinary dictates.314 Many of these ideas have merit, and self-regulatory groups may wish to include some or all of them in their proposed guidelines. The Commission does not, however, believe that it should require adoption of any specific practice or practices as a prerequisite to certification under the Rule. Self-regulatory groups or other promulgators of guidelines are best suited to determine the appropriateness of such measures, in light of the Rule's requirements. The Commission will review the adequacy of the proposed enforcement programs in considering specific safe harbor requests.
3. Request for Commission approval of self-regulatory guidelines
Section 312.10(c)(1)(iii) of the proposed Rule required that persons seeking approval of guidelines submit a statement to the Commission demonstrating that their proposed guidelines, including assessment mechanisms and compliance incentives, comply with the proposed Rule.315 One commenter suggested that the Commission eliminate this requirement.316 The Commission believes that the burden of demonstrating compliance properly rests on proponents of Commission approval and that the guideline approval process will benefit from proponents' explanations of their rationale for approval. Therefore, the Commission has retained this requirement in the Rule.
Section 312.10 of the proposed Rule did not include a provision governing approval of changes in previously approved self-regulatory guidelines. Several commenters suggested that the Commission amend the proposed Rule to include such a provision.317 Therefore, section 312.10(c)(3) of the Rule now provides that promulgators of approved self-regulatory guidelines must submit proposed changes and all supporting documentation for review and approval by the Commission. The Commission recognizes, however, the need for efficiency in reviewing proposed changes to approved guidelines. Only changes in approved guidelines will be subject to public notice and comment, not the unaffected portions of the guidelines.318 Section 312.10(c)(3) of the Rule also requires that proponents of changes in approved guidelines submit a statement describing how the proposed changes comply with the Rule and how they affect existing guideline provisions.
Other comments suggested that the Commission should shorten the 180-day period for Commission action on submissions,319 specify a time period for public comment (e.g., 30-45 days),320 "toll" (rather than restart, as proposed in the NPR) the 180-day period for Commission action in the event of an incomplete submission of supporting documents,321 and make guidelines effective upon publication of the Commission's decision, rather than 45 days from publication in the Federal Register as stated in the NPR.322 After considering the comments, the Commission agrees that the guidelines should become effective upon publication of Commission approval.323 However, it declines to adopt a single, specific time period for public comment, as the appropriate period may well vary with the complexity and novelty of the guidelines submitted. Further, the Commission does not believe the 180-day time period should be shortened or tolled during the comment period, but notes that it intends to complete its review within the statutory period.
4. Records
Section 312.10(d)(1) of the proposed Rule required that industry groups or other persons seeking safe harbor treatment maintain consumer complaints for a period not to exceed three years.324 As one commenter noted, however, the proposed Rule did not specify the length of time required for maintaining the other documents specified in this section, e.g., records of disciplinary actions against subject operators and records of independent assessments of subject operators' compliance.325 The Commission agrees that this inconsistency is unnecessarily confusing. Therefore, the Rule now clarifies that industry groups or other persons seeking safe harbor treatment must maintain all documents required by this section for a period of three years.
J. Section 312.11: Rulemaking Review
Section 312.11 of the proposed Rule retained the Act's requirement that the Commission initiate a review proceeding to evaluate the Rule's implementation no later than five years after the effective date of the Rule and report its results to Congress.326 The Commission stated in the NPR that the review will address the Rule's effect on: practices relating to the collection and disclosure of children's information; children's ability to access information of their choice online; and the availability of websites directed to children. In addition, eighteen months after the effective date of the Rule, the Commission will conduct a review of available mechanisms for obtaining verifiable parental consent, as discussed above in Section II.D.
K. Paperwork Reduction Act
Pursuant to the Paperwork Reduction Act (as amended 44 U.S.C. 3507(d)), the Commission submitted the proposed Rule to the Office of Management and Budget (OMB) for review.327 The OMB has approved the Rule's information collection requirements.328 The Commission did not receive any comments that necessitate modifying its cost estimates for the Rule's notice requirements.329
L. Final Regulatory Flexibility Analysis
The NPR did not include an initial regulatory flexibility analysis (IRFA) under the Regulatory Flexibility Act 330 based on a certification that the proposed Rule would not have a significant economic impact on a substantial number of small entities. Nonetheless, the Commission invited public comment on the proposed Rule's effect on small entities to ensure that no significant impact would be overlooked.331 The Commission received two responsive comments suggesting that it publish an IRFA.332 While the Commission believed that such an analysis was not technically required, it issued an IRFA to provide further information and opportunity for public comment on the small business impact, if any, of the Rule.333
This final regulatory flexibility analysis (FRFA) incorporates the Commission's initial findings, as set forth in the NPR; addresses the comments submitted in response to the IRFA notice; and describes the steps the agency has taken in the final Rule to minimize the impact on small entities consistent with the objectives of the COPPA.
Succinct statement of the need for, and objectives of, the Rule
The Rule prohibits unfair or deceptive acts or practices in connection with commercial websites' and online services' collection and use of personal information from and about children by: (1) enhancing parental involvement in a child's online activities in order to protect the privacy of children in the online environment; (2) helping to protect the safety of children in online fora such as chat rooms, home pages, and pen-pal services in which children may make public postings of identifying information; (3) maintaining the security of children's personal information collected online; and (4) limiting the collection and disclosures of personal information without parental consent. The Commission was required by the COPPA to issue implementing regulations.334
Summary of the significant issues raised by the public comments in response to the IRFA; summary of the assessment of the agency of such issues; and statement of any changes made in the Rule as a result of such comments
In the IRFA, the Commission sought comment regarding the impact of the proposed Rule and any alternatives the Commission should consider, with a specific focus on the effect of the Rule on small entities.335 The Commission received five comments, which discussed issues also addressed in the Statement of Basis and Purpose, above, including notice, verifiable parental consent, security, and safe harbors.
1. New Notice and Request for Consent
One commenter contended that the requirement for new notice and consent for different uses of a child's personal information under the notice and consent sections of the proposed Rule threatened smaller operators that rely on mergers and marketing alliances to help build their business.336 The commenter recommended that new notice and consent should be required only when there is a material change in intended uses or practices.337 As explained in Section II.C.4 and II.D.1, above, the Commission has modified its position to require new notice and consent only if there is a material change in the collection, use, or disclosure of personal information from children.
2. Verifiable Parental Consent
Another commenter expressed concern that the proposed Rule's consent requirement would result in high compliance costs and a substantial reduction in traffic to small sites.338 According to the commenter, a child's use of collaborative educational tools on the Internet should be treated differently from the collection and use of personal contact information by marketers. The commenter, who called for parental notification and opt-out for such collaborative uses, was especially concerned about the loss of business from schools.
The Commission does not have discretion under the statute to waive the requirement of verifiable parental consent.339 As noted above in Section II.D.4, the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parent's agent in the process. Thus, the Rule should not hinder businesses that provide services to schools.
The Commission is sensitive to commenters' concerns about increased costs and reduced traffic to sites. Accordingly, the Commission has temporarily adopted a sliding scale approach to verifiable parental consent to minimize burdens and costs for operators while still providing for parental control of children's personal information. As more fully described in Section II.D, inexpensive e-mail mechanisms may be used to obtain parental consent for the collection of information for internal uses, such as an operator's marketing to a child based on information collected about the child's preferences. Only where information is subject to "disclosure" under section 312.2 of the Rule will the other methods of consent be required and, even then, operators will have a range of mechanisms from which to choose. Further, even after the sliding scale is phased out two years from the Rule's effective date, operators will be able to choose from a number of consent methods, many of which are expected to be less costly and more widely available at that time.340 Finally, for certain uses of children's personal information, no consent will be required at all under the exceptions to prior parental consent set forth in section 312.5(c) of the Rule.
3. Confidentiality, Security, and Integrity of Information
One commenter found the security methods identified in section 312.8 of the proposed Rule to be effective, but suggested that small entities should not be held to the same standards as larger entities when evaluating adequate protection under the Rule.341 As noted earlier, the Rule allows operators flexibility in selecting security procedures in accordance with their particular needs.
4. Safe Harbors
A commenter suggested that section 312.10 of the proposed Rule should more clearly recognize the role automation can play in assessing an operator's compliance with privacy seal programs.342 As explained above in Section II.I.2, section 312.10(b)(2) includes a performance standard requiring only that assessment mechanisms be effective, mandatory, and independent. In addition to the examples listed in the Rule, that performance standard may be satisfied by other equally effective means. Thus, the Rule does not preclude the use of automated assessment tools that meet the performance standard.
Description and estimate of the number of small entities to which the Rule will apply or an explanation of why no such estimate is available
The Rule applies to any commercial operator of an online service or website directed to children or any commercial operator that has actual knowledge that it is collecting personal information from a child.343 A precise estimate of the number of small entities that fall within the Rule is not currently feasible, in part, because the definition of a website directed to children turns on a number of factors that will require a factual analysis on a case-by-case basis.344 In connection with the NPR, IRFA, and the public workshop on verifiable parental consent, the Commission has not received any comments providing an estimate of the number of small entities to which the Rule will apply.
Description of the projected reporting, recordkeeping and other compliance requirements of the Rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record
The Commission incorporates by reference its description of the projected reporting, recordkeeping and other compliance requirements of the Rule, as set forth in the IRFA.345 The Office of Management and Budget has approved the information collection of the Rule 346 based on the Commission's earlier submission for clearance, which has been made available on the public record of this rulemaking.347 The Commission has not received any comments that necessitate modifying its previous description of projected compliance requirements.
302 DMA (Comment 89) at 28; PrivacyBot.com (Comment 32) (unpaginated). One commenter expressed the view that by requiring self-regulatory groups affirmatively to monitor their members' compliance, rather than take action only in response to consumer complaints, the proposed Rule in effect deputizes industry organizations to police their members on the Commission's behalf. DMA (Comment 89) at 28. However, the Commission believes that, to the contrary, the Rule's safe harbor provisions allow industry to craft effective alternatives to Commission enforcement.
303 64 FR at 22759.
304 One commenter was concerned that section 312.10(b)(2) could be read to require "manual," but not "automated" means of independently assessing subject operators' compliance with self-regulatory guidelines. PrivacyBot.com (Comment 32) (unpaginated) and (IRFA comment 03) at 2.
305 64 FR at 22759.
306 CME/CFA et al. (Comment 80) at 37; CBBB (Comment 91) at 31.
307 McGraw-Hill (Comment 104) at 9. See also Mars (Comment 86) at 15 (stating that the Commission should permit self-assessment).
308 One commenter suggested that the Commission award safe harbor status only to non-profit self-regulatory programs or for-profit groups whose self-regulatory decisions are insulated from owner or investor control. CBBB (Comment 91) at 33-34. The Commission believes it is unnecessary to so limit eligibility for safe harbor status and further believes that the test for eligibility should be the substance of self-regulatory guidelines, rather than the corporate structure of their promulgators.
309 CBBB (Comment 91) at 29-30.
310 Id. at 32.
311 E.A. Bonnett (Comment 126) at 6.
312 CME/CFA et al. (Comment 80) at 37.
313 Id.
314 CBBB (Comment 91) at 32.
315 64 FR at 22759-60. One commenter requested that the Commission clarify the status under the Freedom of Information Act of proprietary information submitted to the Commission under this section. CBBB (Comment 91) at 37. The Commission believes this is unnecessary, as such information would be protected from disclosure under section 6(f) of the Federal Trade Commission Act and Exemption 4 of the Freedom of Information Act, to the extent that it constitutes "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential." FTCA Section 6(f), 15 U.S.C. 46(f); FOIA Exemption 4, 5 U.S.C. 552(b)(4).
316 CBBB (Comment 91) at 36.
317 ANA (Comment 93) at 3; Mars (Comment 86) at 17; and MLG Internet (Comment 119) at 2.
318 64 FR at 22760.
319 CBBB (Comment 91) at 36. This commenter suggested a 90-day review period.
320 Id.
321 Id.; Mars (Comment 86) at 17.
322 CBBB (Comment 91) at 36.
323 One commenter requested that the Commission maintain a list of parties interested in being contacted by the Commission when proposed guidelines are published in the Federal Register and on the Commission's website. EPIC (Comment 115) at 7. The Commission believes that publication of proposed guidelines is, as a general matter, sufficient notice of their submission for approval.
324 64 FR at 22760.
325 CBBB (Comment 91) at 37.
326 15 U.S.C. 6506. Two commenters called for conducting the review in three years rather than five. CME/CFA et al. (Comment 80) at 17; CDT (Comment 81) at 31. The Commission believes that the COPPA's five year requirement is appropriate, but will consider undertaking a review sooner if warranted.
327 The Commission's Supporting Statement submitted to OMB as part of the clearance process has been made available on the public record of this rulemaking. See Supporting Statement for Information Collection Provisions at http://www.ftc.gov/os/1999/9906/childprivsup.htm.
328 The assigned OMB clearance number is 3084-0117.
329 See 64 FR at 22761 (estimating total burden of 18,000 hours for first year, and 1800 hours for subsequent years).
330 5 U.S.C. 603.
331 See 64 FR at 22761.
332 Hons. George Gekas and James Talent, U.S. House of Representatives (Comment 74) at 4; U.S. Small Business Administration (Comment 128) at 4-5.
333 64 FR 40525.
334 15 U.S.C. 6502.
335 64 FR at 40527-28.
336 KidsOnLine.com (IRFA Comment 02) at 1.
337 Id.
338 Zeeks.com (IRFA Comment 05) at 2.
339 See 15 U.S.C. 6502; section 312.3 of the Rule. Another commenter suggested that operators be permitted to collect some personal information to establish a relationship with the child in exchange for limited access to the site (such as games) without obtaining consent. KidsOnLine.com (IRFA Comment 02) at 2.
340 See supra note 1868. As described more fully above, the Commission will undertake a review eighteen months after the effective date of the Rule to determine through public comment whether technology has progressed as expected. The impact on small businesses will again be carefully considered.
341 KidsOnLine.com (IRFA Comment 02) at 1.
342 PrivacyBot.com (IRFA Comment 03) at 2. This commenter noted that the examples listed in the NPR appeared to call for manual assessment mechanisms.
343 Section 312.3. The Rule does not apply to nonprofit entities. Section 312.2 (definition of "operator").
344 Under section 312.2, in determining whether a commercial website or online service is directed to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children.
345 See 64 FR at 40526-27.
346 The OMB clearance number is 3084-0117.
347 See Supporting Statement for Information Collection Provisions at http://www.ftc.gov/os/1999/9906/childprivsup.htm.