17 April 2002 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ------------------------------------------------------------------------- [Federal Register: April 17, 2002 (Volume 67, Number 74)] [Rules and Regulations] [Page 18818-18821] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr17ap02-9] ======================================================================= ----------------------------------------------------------------------- FEDERAL TRADE COMMISSION 16 CFR Part 312 Children's Online Privacy Protection Rule AGENCY: Federal Trade Commission. ACTION: Final rule amendment. ----------------------------------------------------------------------- SUMMARY: The Federal Trade Commission (``the Commission'') issues a final amendment to the Children's Online Privacy Protection Rule (``the Rule'') to extend, until April 21, 2005, the time period during which website operators may use an e-mail message from the parent, coupled with additional steps, to obtain verifiable parental consent for the collection of personal information from children for internal use by the website operator. EFFECTIVE DATE: April 21, 2002. ADDRESSES: Requests for copies of the amended Rule and the Statement of Basis and Purpose should be sent to: Public Reference Branch, Federal Trade Commission, Room H-130, 600 Pennsylvania Avenue NW, Washington, DC 20580. FOR FURTHER INFORMATION CONTACT: Elizabeth Delaney, (202) 326-2903, Rona Kelner, (202) 326-2752, or Mamie Kresses, (202) 326-2070, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580. Statement of Basis and Purpose I. Introduction As part of the effort to protect children's online privacy, Congress enacted the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq. (``COPPA''), to prohibit unfair or [[Page 18819]] deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from children on the Internet. On October 20, 1999, the Commission issued its final Rule implementing COPPA, which became effective on April 21, 2000.\1\ The Rule imposes certain requirements on operators of websites or online services directed to children under 13 years of age, or other websites or online services that have actual knowledge that they have collected information from a child under 13 years of age. Among other things, the Rule requires that website operators obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. --------------------------------------------------------------------------- \1\ 64 FR 59888 (1999). --------------------------------------------------------------------------- The Rule provides that, ``[a]ny method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.''\2\ In order to allow time for reliable electronic methods of verification to become widely available and affordable, the Rule sets forth a sliding scale approach to obtaining verifiable parental consent.\3\ For uses of personal information that will involve disclosing the information to the public or third parties, the Rule requires that website operators use the more reliable methods of obtaining verifiable parental consent. These methods include: using a print-and-send form that can be faxed or mailed back to the website operator; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the above methods.\4\ --------------------------------------------------------------------------- \2\ 16 CFR 312.5(b)(1). \3\ In a Notice of Proposed Rulemaking and Request for Public Comment published in April 1999, the Commission provided examples of methods of obtaining verifiable parental consent that might satisfy the standard required by COPPA, and sought public comment on the feasibility, costs and benefits of these suggested methods. 64 FR 22750 (1999). In addition, in July 1999, the Commission held a workshop devoted entirely to the verifiable parental consent issue. 64 FR 34595 (1999) (announcement of the public workshop). \4\ 16 CFR 312.5(b)(2). --------------------------------------------------------------------------- In contrast, if the website operator is collecting personal information for its internal use only, the Rule allows verifiable parental consent to be obtained through the use of an e-mail message from the parent, coupled with additional steps. Such additional steps are designed to provide assurances that the person providing the consent is the parent and include: sending a confirmatory e-mail to the parent after receiving consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call.\5\ --------------------------------------------------------------------------- \5\ Id. --------------------------------------------------------------------------- At the time it issued the final Rule, the Commission anticipated that the sliding scale was necessary only in the short term because the more reliable methods of obtaining verifiable parental consent would soon be widely available and affordable.\6\ Accordingly, the sliding scale was set to expire on April 21, 2002, at which time website operators were to obtain verifiable parental consent using the more reliable methods for all uses of personal information.\7\ However, when the expected progress in available technology did not occur, the Commission published a Notice of Proposed Rulemaking and Request for Public Comment (``NPR'') in the Federal Register on October 31, 2001, proposing to amend the Rule to extend the sliding scale mechanism for an additional two years to April 21, 2004.\8\ The Commission requested public comment on the proposed extension of time as well as several questions regarding the current and anticipated availability and affordability of secure electronic mechanisms and/or infomediaries for obtaining parental consent. The 30-day comment period closed on November 30, 2001. The Commission received 21 comments from an array of interested parties, all of which were extremely informative and which the Commission has considered in crafting the final amended Rule. Those submitting comments included: the FTC-approved COPPA safe harbor programs; companies operating Internet sites or businesses; marketing and advertising trade groups; publishing groups; and educational organizations.\9\ --------------------------------------------------------------------------- \6\ 64 FR 59902 (1999). \7\ 16 CFR 312.5(b)(2). \8\ 66 FR 54963 (2001). \9\ The comments are discussed below. In addition, a complete list of the commenters and their comments appear on the FTC's website at http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.ftc.gov">http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.ftc.gov . --------------------------------------------------------------------------- II. The Amended Rule In the October 2001 NPR, the Commission proposed a two-year extension of the sliding scale mechanism because it appeared that the expected progress in technology had not occurred to the extent necessary to phase out the sliding scale mechanism and require the most reliable methods of parental consent for all uses of personal information collected from children by websites. After careful consideration, the Commission has decided to extend the sliding scale mechanism for three years, from April 21, 2002 until April 21, 2005. The Rule provides that, ``[a]ny method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.''\10\ In making its initial determination to adopt the sliding scale mechanism in the final rulemaking in November 1999, the Commission balanced the costs imposed by the method of obtaining parental consent and the risks associated with the intended uses of information.\11\ Because of the limited availability and affordability of the more reliable methods of obtaining consent--including electronic methods of verification--the Commission found that these methods should only be required when obtaining consent for uses of information that posed the greatest risks to children.\12\ Accordingly, the Commission implemented the sliding scale, noting that it would ``provide[] operators with cost-effective options until more reliable electronic methods became available and affordable, while providing parents with the means to protect their children.''\13\ The Commission anticipated that reliable electronic methods of verification would soon become widely available and affordable and, accordingly, determined that a two-year sliding scale mechanism would be adequate.\14\ --------------------------------------------------------------------------- \10\ 16 CFR 312.5(b)(1). \11\ 64 FR 59901, 59902 (1999). \12\ Id. \13\ Id. at 59902. \14\ Id. --------------------------------------------------------------------------- Having reviewed the rulemaking record, the Commission concludes that secure electronic mechanisms and/or infomediary services for obtaining verifiable parental consent are not yet widely available at a reasonable cost.\15\ [[Page 18820]] In addition, the Commission finds that support for an extension of the sliding scale mechanism is widespread.\16\ The record indicates that the sliding scale mechanism to date has been an effective method for obtaining parental consent.\17\ At the same time, the Commission finds that the safety risk to children of a website collecting personal information for its internal use only remains low.\18\ Websites that use an e-mail message from the parent, coupled with additional steps, to obtain parental consent may only use the personal information collected from the child for the internal use of the website, and cannot share or disclose this information to third parties or the public. If a website wishes to share or disclose personal information collected from a child, or allow a child a mechanism to make personal information publicly available (for example, through an email account, message board or chat room), the website must use the more reliable methods of obtaining consent. Indeed, the relatively lower cost of seeking permission for internal use of children's information may well be part of the reason why more websites do not seek permission to disclose information to third parties. --------------------------------------------------------------------------- \15\ The overwhelming majority of commenters noted that secure electronic mechanisms and/or infomediary services have not yet developed to the point where they are widely available and affordable. Aftab & Savitt (Comment 1) at 1-2; America Online et al. (``AOL'') (Comment 2) at 1-2; Association of American Publishers (``AAP'') (Comment 4) at 1-2; Romain Carrere (Comment 6); Children's Advertising Review Unit (``CARU'') (Comment 7) at 2; Direct Marketing Association et al. (``DMA'') (Comment 9) at 2; Entertainment Software Rating Board (``ESRB'') (Comment 10) at 1-2; Gardner, Carton & Douglas (``Gardner'') (Comment 11) at 1; Leo Burnett Worldwide, Inc. (Comment 12); Magazine Publishers of America (``MPA'') (Comment 13); National Cable & Telecommunications Association (``NCTA'') (Comment 15) at 1-2; Online Privacy Alliance (``OPA'') (Comment 16) at 2; Privo (Comment 17) at 2-3; Promotion Marketing Association, Inc. (``PMA'') (Comment 18) at 2; Software & Information Industry Association (``SIIA'') (Comment 19) at 2-3; and TRUSTe (Comment 21). However, one commenter noted that many children's websites had made the necessary adjustments and investments within the original timeframe provided by the Rule. Circle 1 Network (Comment 8). Another commenter said that digital signature technology is available from at least one company and should be implemented on a mandatory basis in cases where personal information is shared with third parties. Jennifer Melendez et al. (Comment 14). Three commenters did not address the issue of whether secure electronic mechanisms and/or infomediary services are widely available and affordable. Aristotle (Comment 3); Association of Educational Publishers (``AEP'') (Comment 5); and Office of Attorney General, State of Connecticut (Comment 20). \16\ Of the 21 comments received by the Commission, 20 addressed the issue of whether the sliding scale mechanism should be extended, and 19 of those commenters agreed that an extension was warranted. Only one commenter favored collapsing the sliding scale as originally scheduled. Circle 1 Network (Comment 8). Two other commenters supported extending the sliding scale mechanism for periods of time less than two years. Romain Carrere (Comment 6) and Privo (Comment 17) at 1 & 5. Six commenters supported the two-year extension as set out in the NPR. Aftab & Savitt (Comment 1); AAP (Comment 4) at 2; CARU (Comment 7) at 2; ESRB (Comment 10); Gardner (Comment 11); and Leo Burnett Worldwide, Inc. (Comment 12). An additional commenter supported the two-year extension, but only if the ``additional steps'' taken with e-mail plus were limited to telephone and postal mail follow-up, rather than a confirmatory e- mail. TRUSTe (Comment 21). One commenter suggested a 10-year extension, DMA (Comment 9) at 3, while eight commenters supported an indefinite or permanent extension. AOL et al. (Comment 2) at 1; AEP (Comment 5); MPA (Comment 13); Melendez et al. (Comment 14); NCTA (Comment 15) at 1-2; OPA (Comment 16) at 2; PMA (Comment 18) at 2; and SIIA (Comment 19) at 3. One commenter argued specifically against extending the sliding scale indefinitely, Office of Attorney General, State of Connecticut (Comment 20), while five other commenters noted the value of a finite extension. Aftab & Savitt (Comment 1) at 2; CARU (Comment 7) at 2; Gardner (Comment 11) at 1; Privo (Comment 17) at 5; and TRUSTe (Comment 21). \17\ AOL (Comment 2) at 2-3 (no ``complaints or other record evidence that the sliding scale mechanism is inadequate''); DMA (Comment 9) at 3 (``not aware of any harm from the use of e-mail plus consent''); Leo Burnett Worldwide, Inc. (Comment 12) (``sliding scale mechanism has been very effective''); NCTA (Comment 15) at 2 (``not aware of any complaints against member companies for infringement of children's on-line privacy''); and SIIA (Comment 19) at 3 (``present approach has worked well''). Although none of the commenters articulated specific examples of misuse of the sliding scale mechanism, three commenters found the email plus method of obtaining parental consent to be ineffective and unreliable. Romain Carrere (Comment 6) (children can impersonate their parents); Privo (Comment 17) at 2-3 (``e-mail plus may not and often does not result in reliable verification'' and ``[i]t is commonplace for children to have the requisite knowledge to falsify their age or fabricate a spurious e-mail message that is allegedly from the parent or guardian''); and TRUSTe (Comment 21) (``it would be unwise to extend the lessened protection of `email plus' rule two additional years, unless the rule is modified, so that a delayed email to the parent's email address is not considered sufficient verifiable parental consent''). \18\ Aftab & Savitt (Comment 1) at 1 (``Parents appreciate the convenience of the e-mail plus consent process, particularly as it is coupled with low-risk privacy concerns where information will not be disclosed.''); AEP (Comment 5) (``We believe the current `sliding scale' approach--allowing Web operators who collect information for internal use only to pursue this less stringent form of consent--has proved an effective way to balance parental involvement with children's freedom to pursue educational experiences online.''); CARU (Comment 7) at 1 (``In adopting the sliding scale the Commission wisely acknowledged that the risks involved where an operator uses a child's personal information solely for its internal use, with no disclosure, were minimal.''); DMA (Comment 9) at 2-3 (``the e-mail plus consent mechanism for internal uses of information is successfully protecting children's privacy as intended by the Act.''); Gardner (Comment 11) at 2 (noting that sites that collect parental consent by e-mail plus may not share that information with third parties); MPA (Comment 13) (``e-mail based consent mechanism...effectively protects children's personal information''); NCTA (Comment 15) at 2 (noting that companies using e-mail plus can only use the data collected for internal purposes); PMA (Comment 18) at 1-2 (risk of harm to children from improper disclosure of their information is ``significantly lower when the child's information will not be released to any third parties''); and SIIA (Comment 19) at 3 (``sliding scale that provides for different methods between data gathered only for internal use and that which will be disclosed to third parties is `appropriate to the circumstances'''). --------------------------------------------------------------------------- The Commission finds that the record also shows that the anticipated date for the development and deployment of secure electronic mechanisms and/or infomediary services on a widespread and affordable basis does not appear to be able to be predicted with any reasonable certainty at this point in time.\19\ In light of the delayed development and deployment of secure electronic mechanisms and/or infomediary services for obtaining verifiable parental consent, the unpredictability of estimating when such technology will be widely available and affordable, and the effectiveness of the present sliding scale mechanism, the Commission has determined that an extension of the sliding scale mechanism is appropriate. Accordingly, the Commission will re-examine this issue when it conducts its statutorily mandated review of the Rule, no later than April 21, 2005.\20\ --------------------------------------------------------------------------- \19\ MPA (Comment13) at 2 (``New technologies have not yet developed to facilitate verifiable parental consent at a reasonable cost, and no widely and economically feasible verification technology even appears to be on the near horizon.''); OPA (Comment 16) at 2 (``no clear signals that the anticipated verification technology is likely to be economically and widely available in the consumer market in the forseeable future''); PMA (Comment 18) at 2 (``it is difficult, if not impossible, to predict accurately when such technologies will be both available and adopted by a significant percentage of consumers''); and SIIA (Comment 19) at 3 (``In reviewing developments over the last two years, there are no clear signals that the anticipated verification technology-- technology that must be low-cost, widely deployed and acceptable to consumer end users--is likely to be economically and widely available in the consumer market in the foreseeable future.''). \20\ 16 CFR 312.11. --------------------------------------------------------------------------- III. Regulatory Flexibility Act The Regulatory Flexibility Act, 5 U.S.C. 601-612, requires agencies to prepare and make available to the public regulatory flexibility analyses at the proposed and final stages of a rulemaking proceeding, except in cases where the agency certifies that the Rule will not have a significant economic impact on a substantial number of small entities. 5 U.S.C. 605. In its notice of proposed rulemaking, the Commission certified that its proposed rule amendment to extend by two years the time period during which Web site operators could continue to obtain verifiable parental consent under a ``sliding scale'' of compliance options would not have a significant economic impact on a substantial number of small entities. 66 FR at 54964. Nonetheless, to ensure that no significant economic impact on a substantial number of small entities is overlooked, the Commission requested public comment on the effect of the proposed amendment to the Rule on the costs, profitability, and competitiveness of, and employment in, small entities. Id. The Commission did not receive any comments directly addressing the [[Page 18821]] impact of the proposed amendment on small entities. To the extent, however, that any small entities are affected by the Rule, the Commission believes the public comments support its determination that the adoption of the rule amendment will not impose more significant or costly compliance methods on Web site operators than the Rule would otherwise impose if it were not amended. By adopting a final rule amendment that leaves currently effective compliance options in place for an additional three years, the Commission is preserving the status quo for all Web site operators, including any small entities. Thus, the change, if any, in the economic impact of the Rule resulting from the final rule amendment, will be less than if the Commission did not amend the Rule and the more burdensome requirements of the Rule as originally promulgated were allowed to take effect. Accordingly, for these reasons, the Commission certifies under the Regulatory Flexibility Act that the final rule amendment will not have a significant economic impact on a substantial number of small entities. 5 U.S.C. 605. This notice also serves as the required certification and statement of the Commission's determination to the Small Business Administration. IV. Paperwork Reduction Act This amendment does not amend any information collection requirements that have previously been reviewed and approved by the Office of Management and Budget pursuant to the Paperwork Reduction Act, as amended, 44 U.S.C. 3501 et seq. Final Rule List of Subjects in 16 CFR Part 312 Children, Communications, Consumer protection, Electronic mail, E- mail, Internet, Online service, Privacy, Record retention, Safety, Science and technology, Trade practices, Website, Youth. Accordingly, the Federal Trade Commission amends 16 CFR Part 312 as follows: PART 312--CHILDREN'S ONLINE PRIVACY PROTECTION RULE 1. The authority citation for this part continues to read as follows: Authority: 15 U.S.C. 6501 et seq. 2. Amend Sec. 312.5 by revising the second sentence of paragraph (b)(2) to read as follows: Sec. 312.5 Parental consent. * * * * * (b) * * * (2) * * * Provided that: For the period until April 21, 2005, methods to obtain verifiable parental consent for uses of information other than the ``disclosures'' defined by Sec. 312.2 may also include use of e-mail coupled with additional steps to provide assurances that the person providing the consent is the parent. * * * * * * * * By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 02-9272 Filed 4-16-02; 8:45 am] BILLING CODE 6750-01-P