TMCnet News
Children's Online Privacy Protection RuleAug 06, 2012 (Federal Trade Commission Documents and Publications/ContentWorks via COMTEX) -- SUMMARY: The Commission is proposing to further modify the proposed definitions of personal information, support for internal operations, and Web site or online service directed to children, that the FTC has proposed previously under its Rule implementing the Children's Online Privacy Protection Act ("COPPA Rule"), and further proposes to revise the Rule's definition of operator. These proposed revisions, which are based on the FTC's review of public comments and its enforcement experience, are intended to clarify the scope of the Rule and strengthen its protections for children's personal information. The Commission is not adopting any final amendments to the COPPA Rule at this time and continues to consider comments submitted in response to its Notice of Proposed Rulemaking issued in September 2011. EFFECTIVE DATE: Written comments must be received on or before September 10, 2012. ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write "COPPA Rule Review, 16 CFR Part 312, Project No. P104503" on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/2012copparulereview, by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex E), 600 Pennsylvania Avenue NW., Washington, DC 20580. FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, Attorneys, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326-2854 or (202) 326-2070. SUPPLEMENTARY INFORMATION: In September 2011, the FTC issued a Notice of Proposed Rulemaking setting forth proposed changes to the Commission's COPPA Rule. Among other things, the Commission proposed modifying the Rule's definition of personal information to include persistent identifiers and screen or user names other than where they are used to support internal operations, and Web site or online service directed to children to include additional indicia that a site or service may be targeted to children. /1/ The Commission received over 350 comments, a number of which addressed the proposed changes to these two definitions. /2/ After reviewing these comments, and based upon its experience in enforcing and administering the Rule, the Commission now proposes to modify the definition of operator, and proposes additional modifications to the definitions of Web site or online service directed to children, personal information, and support for internal operations. FOOTNOTE 1 Id. END FOOTNOTE FOOTNOTE 2 Public comments in response to the Commission's September 27, 2011, Federal Register document are located at http://www.ftc.gov/os/comments/copparulereview2011/. Comments have been numbered based upon alphabetical order. Comments are cited herein by commenter name, comment number, and, where applicable, page number. END FOOTNOTE The Commission proposes modifying the definition of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable software kits ("plug-ins"), collect information from users through child-directed sites and services. As described below, previous Commission statements suggested that the responsibility for providing notice to parents and obtaining verifiable parental consent to the collection of personal information from children rested entirely with the information collection entity and not with the child-directed site operator. The Commission now believes that the most effective way to implement the intent of Congress is to hold both the child-directed site or service and the information-collecting site or service responsible as covered co-operators. Sites and services whose content is directed to children, and who permit others to collect personal information from their child visitors, benefit from that collection and thus should be responsible under COPPA for providing notice to and obtaining consent from parents. Conversely, online services whose business models entail the collection of personal information and that know or have reason to know that such information is collected through child-directed properties should provide COPPA's protections. In addition, the Commission proposes to modify the previously proposed revised definition of Web site or online service directed to children to permit Web sites or online services that are designed for both children and a broader audience to comply with COPPA without treating all users as children. The Commission also proposes modifying the definition of screen or user name to cover only those situations where a screen or user name functions in the same manner as online contact information. Finally, the Commission proposes to modify the revised definition of support for internal operations and to modify the Rule's coverage of persistent identifiers as personal information. II. Proposed Modifications to the Rule's Definitions (16 CFR 312.2) A. Definition of Operator Public comments /3/ and the Commission's own enforcement experience /4/ highlight the need for the Commission to clarify the responsibilities of child-directed properties that integrate independent social networking or other types of "plug-ins" into their sites or services. These plug-ins often collect personal information directly from users of child-directed sites and services. Although the child-directed site or service benefits by incorporating the social networking or other information collection features of the plug-in, it generally has no ownership, control, or access to the personal information collected by the plug-in. In many ways, the plug-in scenario mirrors the current situation with child-directed Web sites and advertising networks: the site determines the child-directed nature of the content, but the third-party advertising network collects persistent identifiers for tracking purposes, which could be considered personal information under the proposed revised Rule. FOOTNOTE 3 See, e.g., AT&T (comment 8), at 3-4; CDT (comment 17), at 3-6; CTIA (comment 32), at 16; Direct Marketing Association (comment 37), at 7; Future of Privacy Forum (comment 55), at 3; Information Technology Industry Council (comment 70), at 3-4; Interactive Advertising Bureau (comment 73), at 7; and, Tech Freedom (comment 159), at 12. END FOOTNOTE FOOTNOTE 4 See FTC staff closing letter to OpenFeint ("OpenFeint Letter"), available at http://www.ftc.gov/os/closings/120831openfeintclosingletter.pdf. END FOOTNOTE COPPA defines operator in pertinent part, as (A) Any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes, including any person offering products or services for sale through that Web site or online service, involving commerce * * *. /5/ FOOTNOTE 5 15 U.S.C. 6501(2). The Rule's definition of operator reflects the statutory language. See 16 CFR 312.2. END FOOTNOTE In both the 1999 Notice of Proposed Rulemaking and the 1999 Statement of Basis and Purpose, the Commission suggested that some retention of ownership, control, or access to the personal information collected was required to make a party an operator. The Commission stated that it would look to a variety of factors--ownership, control, financial and contractual arrangements, and the role of the site or service in data collection or maintenance--to establish whether an entity was covered by or subject to COPPA's regulatory obligations. /6/ The Commission also asserted that "[w]here the Web site or online service merely acts as the conduit through which the personal information collected flows to another person or to another's Web site or online service, and the Web site or online service does not have access to the information, then it is not an operator under the proposed Rule." /7/ FOOTNOTE 6 1999 Notice of Proposed Rulemaking and Request for Public Comment, 64 FR 22750, 22752 (Apr. 27, 1999), available at http://www.ftc.gov/os/fedreg/1999/april/990427childrensonlineprivacy.pdf ("In determining who is the operator for purposes of the proposed Rule, the Commission will consider such factors as who owns the information, who controls the information, who pays for the collection or maintenance of the information, the pre-existing contractual relationships surrounding the collection or maintenance of the information, and the role of the Web site or online service in collecting and/or maintaining the information"). END FOOTNOTE FOOTNOTE 7 Id. The Commission reiterated this view in the 1999 Statement of Basis and Purpose to the COPPA Rule ("1999 Statement of Basis and Purpose"), 64 FR 59888, 59891 (Nov. 3, 1999), available at http://www.ftc.gov/os/1999/10/64Fr59888.pdf. END FOOTNOTE --This is a summary of a Federal Register article originally published on the page number listed below-- Supplemental notice of proposed rulemaking; request for comment. CFR Part: "16 CFR Part 312" RIN Number: "RIN 3084-AB20" Citation: "77 FR 46643" Federal Register Page Number: "46643" "Proposed Rules" |