Children's Online Privacy Protection Rule (COPPA) of 1999 (Pages 71-80)



Description of the steps the agency has taken to minimize the significant economic impact on small entities, consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final Rule and why each of the other significant alternatives to the Rule considered by the agency which affect the impact on small entities was rejected

The Rule incorporates the many performance standards set forth in the statute.348 Thus, operators are free to choose among a number of compliance methods based upon their individual business models and needs. Although the Rule's provisions impose some costs, the requirements of notice, verifiable parental consent, access, and security are mandated by the COPPA itself. The Commission has sought to minimize the burden on all businesses, including small entities, by adopting flexible standards;349 however, it does not have the discretion to create exemptions from the Act based on an operator's size. Likewise, while the Rule attempts to clarify, consolidate, and simplify the statutory requirements for all entities,350 the Commission has little discretion, if any, to mandate different methods or schedules for small entities that would undermine compliance with the Act.351

Nevertheless, throughout the rulemaking proceeding, the Commission has sought to gather information regarding the economic impact of the COPPA's requirements on all operators, including small entities. The NPR, for example, included a number of questions for public comment regarding the costs and benefits associated with notice and consent.352 Similarly, the subsequent IRFA notice invited public comment specifically on the issue of small business impact.353 In addition, the agenda for the public workshop on verifiable parental consent included topics designed to elicit economic impact information. In connection with the workshop, the Commission invited additional public comment.

The Commission has carefully considered responsive comments that suggested a variety of alternatives in developing the final Rule. The discussion below reviews some of the significant alternatives considered and the basis for the Commission's decisions with regard to certain notice, parental consent, access, security, and safe harbor requirements.

1. New Notice and Request for Consent

Many commenters contended that requiring operators to undertake new notice and consent under sections 312.4(c) and 312.5 for any use not covered by a parent's previous consent was burdensome and unnecessary.354 The Commission is sensitive to the objections raised, particularly with respect to mergers, which occur often in this industry and which would trigger new notice and consent requirements even where there was no significant change in the operator's information practices. Eliminating this requirement altogether, however, would prevent parents from receiving material information that could affect their decisions regarding their child's online activities.355 In response to comments, including those of small businesses,356 the Commission has modified the Rule to require new notice and consent only if there will be a material change in how the operator collects, uses, or discloses personal information from children.357 This modification should substantially reduce the costs of compliance.

2. Verifiable Parental Consent

Throughout the rulemaking, the Commission has sought input on what mechanisms may be used to satisfy the COPPA's verifiable parental consent requirement. As described more fully in Section II.D. above, the Commission has temporarily adopted a "sliding scale" approach that depends upon the use of the child's personal information. This approach was recommended by many industry members seeking to preserve flexibility for operators while achieving the objectives of the Act.358 To minimize burdens until more reliable electronic methods become more available and affordable, it allows use of e-mail for internal uses of personal information, as long as additional steps are taken to verify a parent's identity.

Some commenters had contended that use of e-mail alone should be an acceptable method of consent under section 312.5 of the Rule.359 Commenters also criticized methods such as print-and-send, credit card, toll-free numbers, and digital signatures for the costs and burdens they might impose.360 Based on the comments and workshop discussion, the Commission does not believe that use of e-mail alone adequately satisfies the statutory requirement that operators make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology.361 According to many commenters, e-mail is easily subject to circumvention by children.362 In particular, where a child and parent share the same e-mail account, as is often the case, a child may easily pretend to be a parent and provide consent for himself.363

The Commission does not expect that declining to permit use of e-mail alone will impose significant costs in terms of foregone activities. Websites will be able to engage in many activities that do not trigger any prior consent requirements pursuant to the exceptions to parental consent set forth in section 312.5(c).364 According to a workshop participant, these exceptions cover some of the most popular and common online activities, including newsletters, contests, and online magazine subscriptions.365

Moreover, where e-mail mechanisms are employed for internal uses under the sliding scale, the additional steps required under section 312.5 (such as sending a confirmatory e-mail to the parent following receipt of consent) should not be especially onerous given the availability and ease of automated technology.366 Thus, the additional steps required should have no deterrent effect on operators (or parents).

Only for activities that entail "disclosure" of a child's personal information, as defined in the Rule, such as chat rooms, message boards, pen-pal services, and personal home pages, will the higher method of consent be triggered.367 The comments and public workshop discussion provide considerable support for the principle that such activities warrant a higher level of protection, given the heightened safety concerns.368 In order to ensure maximum flexibility within this upper tier of the sliding scale, a range of mechanisms will be acceptable under the Rule, including postal mail, facsimile, credit card in connection with a transaction, toll-free numbers, and digital signatures.369 To minimize costs, once a parent has provided consent through one of these methods and obtained a PIN or password, an operator may subsequently obtain consent through an e-mail accompanied by such PIN or password.
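The consent logic described in the two preceding paragraphs can be modelled in code. The following Python sketch is an illustration added to this page by the editor; it is not part of the Commission's Rule or commentary, and the Rule prescribes none of its implementation details. It assumes hypothetical names (`ConsentRecord`, `Use`, `record_consent`), treats "e-mail plus additional steps" as acceptable only for internal uses, requires one of the listed higher-tier mechanisms before a PIN or password is issued, and then accepts e-mail accompanied by that PIN for later consents. Storing only a salted PBKDF2 hash of the PIN and comparing it in constant time are the editor's choices, not requirements of the Rule; they address the shared-account circumvention concern noted above, since a bare e-mail is never accepted.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


# The two rungs of the sliding scale: internal uses of a child's personal
# information versus uses that entail "disclosure" as defined in the Rule.
class Use(Enum):
    INTERNAL = "internal"
    DISCLOSURE = "disclosure"


# Mechanisms the text lists as acceptable for the upper tier (section 312.5(b)).
HIGHER_TIER_METHODS = {
    "postal_mail",
    "facsimile",
    "credit_card_transaction",
    "toll_free_number",
    "digital_signature",
}
# E-mail plus additional verification steps (e.g. a confirmatory e-mail);
# acceptable only for internal uses under the sliding scale.
EMAIL_PLUS_STEPS = "email_plus_steps"
# E-mail accompanied by a PIN/password issued after higher-tier consent.
EMAIL_WITH_PIN = "email_with_pin"

PBKDF2_ROUNDS = 200_000  # assumed work factor; the Rule prescribes none


@dataclass
class ConsentRecord:
    """Per-parent consent state kept by the operator (hypothetical structure)."""
    parent_email: str
    consented_uses: Set[Use] = field(default_factory=set)
    higher_tier_verified: bool = False
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None


def acceptable_methods(record: ConsentRecord, use: Use) -> Set[str]:
    """Mechanisms that satisfy the sliding scale for the requested use."""
    methods = set(HIGHER_TIER_METHODS)
    if use is Use.INTERNAL:
        methods.add(EMAIL_PLUS_STEPS)
    if record.pin_hash is not None:
        # Once a PIN/password exists, e-mail carrying it is acceptable for any use.
        methods.add(EMAIL_WITH_PIN)
    return methods


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def issue_pin(record: ConsentRecord) -> str:
    """Issue a random password after higher-tier consent; store only a salted hash."""
    if not record.higher_tier_verified:
        raise PermissionError("PIN may only be issued after higher-tier consent")
    pin = secrets.token_urlsafe(12)
    record.pin_salt = secrets.token_bytes(16)
    record.pin_hash = _hash_pin(pin, record.pin_salt)
    return pin  # delivered to the parent out of band; never stored in clear


def _pin_matches(record: ConsentRecord, pin: Optional[str]) -> bool:
    if pin is None or record.pin_hash is None or record.pin_salt is None:
        return False
    # Constant-time comparison so a wrong PIN is not distinguishable by timing.
    return hmac.compare_digest(_hash_pin(pin, record.pin_salt), record.pin_hash)


def record_consent(record: ConsentRecord, use: Use, method: str,
                   pin: Optional[str] = None) -> bool:
    """Accept or reject a consent submission; returns True if consent is recorded."""
    if method not in acceptable_methods(record, use):
        return False  # e.g. bare e-mail, or e-mail-plus-steps for a disclosure use
    if method == EMAIL_WITH_PIN and not _pin_matches(record, pin):
        return False
    if method in HIGHER_TIER_METHODS:
        record.higher_tier_verified = True
    record.consented_uses.add(use)
    return True
```

A bare `"email"` method is absent from every tier, so `record_consent` rejects it regardless of use; the only way e-mail reaches the disclosure tier is with a PIN that was issued after a postal, fax, credit-card, toll-free or digital-signature consent.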

In adopting the sliding scale for a two-year period following the Rule's effective date, the Commission has sought to minimize any burdens of compliance until advancements in technology provide more reliable electronic methods at low cost. Based on reports from industry members, the Commission expects that this will occur soon.370 To assess whether such developments have in fact occurred as expected, the Commission will undertake a review, using notice and comment, approximately eighteen months after the Rule's effective date. All businesses, including small entities, will be given the opportunity to comment on economic impact issues at that time.

If technology progresses as expected, operators should have a wide variety of reasonable and effective options for providing verifiable parental consent. Therefore, phasing out the sliding scale should not impose undue burdens on operators seeking to comply with the Rule. Moreover, the Commission's amendment to the Rule requiring new notice and consent only in the case of "material changes" to an operator's information practices should further reduce operators' burdens.

3. Parental Access to Information

In implementing the COPPA's parental access requirement,371 the Commission has adopted flexible standards and sought to eliminate any unnecessary provisions in the Rule. For example, section 312.6(a)(3) requires that operators provide a means of review that ensures that the requestor is a parent, taking into account available technology, and that is not unduly burdensome to the parent. In response to comments that the proposed Rule's right to change information went beyond the statute and was onerous, the Commission has omitted that provision from the Rule. To eliminate unnecessary costs, the Rule also no longer requires parental verification for access to the types or categories of personal information collected from the child under section 312.6(a)(1). However, consistent with the COPPA, which recognized the safety concerns inherent in granting access to the child's specific information, proper parental verification will be required for access to that information under section 312.6(a)(3). As with verifiable parental consent, operators may choose from among a variety of verification methods, including both online and offline methods.372

4. Confidentiality, Security, and Integrity of Information

As required under the Act, the Rule seeks to ensure a baseline level of protection for children's personal information.373 The Commission recognizes that certain security procedures may be more costly for smaller entities than larger entities.374 Accordingly, section 312.8 allows operators flexibility in selecting reasonable procedures in accordance with their business models.375

5. Safe Harbors

The safe harbor provisions also utilize performance standards in order to minimize burdens and provide incentives for industry self-regulation, as required by the COPPA.376 In response to concerns that the proposed Rule appeared inflexible, the Commission has clarified in section 312.10(b)(1) that promulgators of self-regulatory guidelines may comply with the safe harbor provisions by requiring subject operators to implement "substantially similar requirements that provide the same or greater protections for children" as those contained in the Rule. The Commission also has adopted performance standards for the assessment mechanisms and compliance incentives in sections 312.10(b)(2) and (b)(3). In addition to the examples listed in the Rule, these performance standards may be satisfied by other equally effective means. In order to maximize efficiency, the Rule further provides that only material changes in approved guidelines will be subject to the public notice and comment required under this section.

Final Rule

List of Subjects in 16 CFR Part 312

Children, Children's online privacy protection, Communications, Computer technology, Consumer protection, Data protection, Electronic mail, E-mail, Information practices, Internet, Online service, Privacy, Record retention, Safety, Trade practices, Website, Youth.

Accordingly, the Federal Trade Commission amends 16 CFR chapter I by adding a new Part 312 to read as follows:

PART 312 -- CHILDREN'S ONLINE PRIVACY PROTECTION RULE

Sec.
312.1 Scope of regulations in this part.
312.2 Definitions.
312.3 Unfair or deceptive acts or practices.
312.4 Notice to parents.
312.5 Parental consent.
312.6 Right of parent to review personal information provided by a child.
312.7 Prohibition against conditioning a child's participation on collection of personal information.
312.8 Confidentiality, security, and integrity.
312.9 Enforcement.
312.10 Safe harbors.
312.11 Rulemaking review.
Authority: Secs. 15 U.S.C. 6501 et seq.

§ 312.1 Scope of regulations in this part.

This Rule implements the Children's Online Privacy Protection Act of 1998, to be codified at 15 U.S.C. 6501, et seq., which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. The effective date of the Rule is April 21, 2000.

§ 312.2 Definitions.

Child means an individual under the age of 13.

Collects or collection means the gathering of any personal information from a child by any means, including but not limited to:

  1. requesting that children submit personal information online;
  2. enabling children to make personal information publicly available through a chat room, message board, or other means, except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator's records; or
  3. the passive tracking or use of any identifying code linked to an individual, such as a cookie.

Commission means the Federal Trade Commission.

Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

Disclosure means, with respect to personal information:

  (a) the release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose. For purposes of this subparagraph:

    1. release of personal information means the sharing, selling, renting, or any other means of providing personal information to any third party, and
    2. support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service, or to fulfill a request of a child as permitted by §§ 312.5(c)(2) and (3); or

  (b) making personal information collected from a child by an operator publicly available in identifiable form, by any means, including by a public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room.

Federal agency means an agency, as that term is defined in Section 551(1) of title 5, United States Code.

Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission.

Online contact information means an e-mail address or any other substantially similar identifier that permits direct contact with a person online.

Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce:

  (a) among the several States or with 1 or more foreign nations;
  (b) in any territory of the United States or in the District of Columbia, or between any such territory and
    1. another such territory, or
    2. any State or foreign nation; or
  (c) between the District of Columbia and any State, territory, or foreign nation.

This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

Parent includes a legal guardian.

Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.

Personal information means individually identifiable information about an individual collected online, including:

  1. a first and last name;
  2. a home or other physical address including street name and name of a city or town;
  3. an e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual's e-mail address;
  4. a telephone number;
  5. a Social Security number;
  6. a persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or
  7. information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this paragraph.

Third party means any person who is not (1) an operator with respect to the collection or maintenance of personal information on the website or online service or (2) a person who provides support for the internal operations of the website or online service and who does not use or disclose information protected under this Rule for any other purpose.

Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

  1. receives notice of the operator's personal information collection, use, and disclosure practices; and
  2. authorizes any collection, use, and/or disclosure of the personal information.

Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children. Provided, however, that a commercial website or online service, or a portion thereof, shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial website or online service, or a portion thereof, is targeted to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives.

§ 312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

General requirements. It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this Rule. Generally, under this Rule, an operator must:

  1. provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§ 312.4(b));
  2. obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§ 312.5);
  3. provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§ 312.6);
  4. not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§ 312.7); and
  5. establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§ 312.8).



FOOTNOTES

348 See, e.g., sections 312.4(c), 312.5.

349 See 5 U.S.C. 603(c)(3). The notice requirements, for example, have been designed to minimize the burdens on operators in a variety of ways. Section 312.4(b) of the Rule permits operators to post "links" to the required notices, rather than state the complete text. Similarly, in response to industry concerns about technical feasibility, the Commission has eliminated the requirement that the link must be seen without having to scroll down from the initial viewing screen. See Section II.C.2, supra.

350 See 5 U.S.C. 603(c)(2).

351 For example, the COPPA requires the online posting of privacy policies by websites and online services. A waiver for small entities of that prior notice requirement (e.g., by permitting notice after the fact) would be inconsistent with the statutory mandate. See 15 U.S.C. 6502(b)(1)(A)(i).

352 64 FR at 22761-63.

353 64 FR 40525.

354 See supra note 143.

355 For example, an operator might initially use a child's information only for internal marketing purposes and then later undertake a new use involving disclosures to third parties. Such a change would likely be important to the parent's consent decision.

356 See KidsOnLine.com (IRFA Comment 02) at 1.

357 See also Section II.C.3.a, supra (discussing section 312.4(b)(2)(i) (content of notice)).

358 See supra note 203 and accompanying text.

359 See supra note 197 and accompanying text.

360 See supra notes 187-195 and accompanying text.

361 See 15 U.S.C. 6501(9).

362 See supra note 196 and accompanying text.

363 See supra note 178 and accompanying text.

364 See Section II.D.3, supra. Prior parental consent is not required pursuant to these exceptions. However, in some instances, operators must provide parents with notice and an opportunity to opt out. See section 312.5(c)(3).

365 See supra note 226.

366 A number of commenters recognized that taking additional steps would increase the likelihood that it is the parent who is providing consent, and some websites already undertake such measures. See supra notes 198-203 and accompanying text.

367 To minimize burdens on general audience sites, the Commission has revised the Rule so that if a chat room monitor strips any posting of individually identifiable information before it is made public, the operator will not be deemed to have "collected" the child's personal information for purposes of the Rule. See Section II.A.2, supra (discussing section 312.2's definition of "collects or collection"). Moreover, because the individually identifiable information has been deleted, the operator will not have "disclosed" that information under the Rule.

368 See supra note 205 and accompanying text.

369 See section 312.5(b).

370 See Section II.D.2 and note 186, supra.

371 See 15 U.S.C. 6502(b)(1)(B)(iii).

372 The Commission will continue to monitor technological advances that might play a useful role in identifying parents for purposes of granting access. The Commission agrees with comments that it is currently premature to mandate the use of certain mechanisms still under development or not yet widely available. See CBBB (Comment 91) at 24.

373 See 15 U.S.C. 6502(b)(1)(D).

374 See KidsOnLine.com (IRFA Comment 02) at 1.

375 See note 284, supra.

376 See 15 U.S.C. 6503.

