United States: FTC Retains Children’s Online Privacy Rule without Modification

On March 15, 2006, the Federal Trade Commission (Commission or FTC) published its decision to retain its Children’s Online Privacy Protection Rule (Rule)¹ in its current form.² This decision followed a review of the Rule in which the public was invited to comment.

The Rule implements the Children’s Online Privacy Protection Act of 1998 (COPPA or Act)³ and imposes requirements on operators of web sites and online services directed to children under 13 years of age. The Rule also applies to operators of general audience web sites who have "actual knowledge" that they are collecting personal information online from children under 13 years old. Among other things, the Rule requires operators to provide notice to parents of their sites’ information practices and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children. Pursuant to the Rule, the means required to obtain parental consent depends upon the intended use of the collected information; the FTC adopted a "sliding scale" that determines the method operators must use to obtain verifiable parental consent.

The Act required the Commission to review this Rule within five years of its effective date.⁴ The Commission commenced its review in January 2005 by issuing a Notice of Proposed Rulemaking (NPRM) to seek comment on the "sliding scale."⁵ This was followed by a second NPRM in April 2005 requesting additional comments on the sliding scale and on the costs and benefits of the Rule and whether the Rule should be changed, modified, or eliminated.⁶ The Commission also sought comment on COPPA-mandated issues (see below).⁷

The Commission received 25 comments in response to the April NPRM and 91 in response to the January NPRM. Comments were submitted by trade associations, web site operators, privacy and education organizations, COPPA safe harbor programs, and consumers. In general, the commenters favored retaining the Rule without modification and cited the Rule’s success in promoting children’s online safety while not imposing overly burdensome costs on web site operators. Commenters also recognized the Rule’s effect on the market for children’s online content—with clear standards, businesses enjoy a more predictable environment. This builds confidence in the market, allows long-term planning, and attracts investment, all of which play a role in the creation of innovative and interactive online services for children.

The Commission was required to review the Rule’s effect on: (1) information practices relating to children; (2) children’s ability to obtain online access to information of their choice; and (3) availability of web sites directed to children. In general, the feedback demonstrated that the Rule is successful in protecting children’s online privacy while not adversely affecting their online experience. Commenters stated that the Rule has affected information collection practices, but operators have struck a balance between collection limitations and providing innovative and interactive online experience for children. A few commenters reported that the exceptions to obtaining verifiable parental consent prior to collecting personal information are useful to this balance. Specifically, allowing operators, in this limited context, to collect children’s online contact information (i.e., e-mail addresses) to respond to a specific request (e.g., homework question) or to respond more than once to a child’s specific request (e.g., subscribe to an electronic newsletter), without first obtaining parental consent, allows operators to provide a valuable online experience for children.⁸

As to the second COPPA-mandated issue, most commenters responded that the Rule effectively balances protecting children’s personal information and providing access to online content. As to the third matter, commenters provided no empirical evidence that the Rule affects the viability of web sites directed to children or leads to the failure of smaller sites. As a result, the Commission determined that no modification to its Rule was necessary.⁹

Most commenters agreed with the Commission’s determination that the definition of a "website or online service directed to children"¹⁰ is sufficiently clear and does not require further clarification. The definition currently provides several factors (e.g., subject matter; visual and audio content; age of models; language or other characteristics; advertising appearing on or promoting the site or service; competent and reliable empirical evidence of audience composition; evidence regarding the intended audience; and whether the site uses animated characters or child-oriented actives or incentives) that the Commission uses to determine whether a site is directed at children. The Commission declined to supplement its list, finding that the current Rule sufficiently addresses all of the suggestions made by commenters.¹¹

In addition to applying to web sites or online services directed at children, the requirements of COPPA are triggered for those operators of web sites or online services of general audience web sites—sites not directed to children—who have "actual knowledge" that they are collecting personal information online from children. According to the Rule’s Statement of Basis and Purpose, a web site operator possesses "actual knowledge" if it "learns of a child’s age or grade from the child’s registration or a concerned parent…," or learns of such information from other age-identifying questions.¹² Pursuant to subsequent guidance that the FTC posts on its web site, an operator does not have "actual knowledge" when a child posts personal information on a general audience web site but excludes his or her age, or if an operator is unaware and is not alerted that a child posted his or her age in a chat room on the site.¹³

With respect to age-screening practices, although not a requirement of COPPA, the FTC has published guidance in the form of best practices on how to ask age in such a way as to not invite falsification and to prevent children from back-clicking to change their age once they realize that parental consent is required to access an activity. These practices include asking age in a neutral manner (e.g., with an open field, rather than a drop-down menu that begins with age 13) and employing session cookies to prevent children from back-clicking. Little information was provided by commenters in response to the Commission’s request for evidence that children were falsifying age information in response to age-screening on general web sites. One commenter said that it is unrealistic to try to stop such behavior. Many commenters stated that following the staff’s guidance is reasonably effective, and that the Rule does not require modification. Thus, the Commission retained its Rule in its current form.¹⁴

In response to commenters’ requests for clarification as to whether affiliate sharing is an internal use or a disclosure, the Commission cited the Rule’s Statement of Basis and Purpose, which states that "determining whether an operator’s sharing of information with another entity is an internal use or a disclosure depends on the receiving entity’s relationship to the information. Sharing information with another entity can constitute an internal use of the information only if it is solely to facilitate internal support services for the operator and the entity does not use the information for any other purpose. Sharing for any other use, whether or not the other entity is a corporate affiliate, constitutes a disclosure."¹⁵

The Commission, in response to comments, reiterated that both web sites directed at children and general audience sites that have separate children’s areas or sites must post links to notices concerning their children’s information practices. However, the Commission does not otherwise require general audience sites to post such notices, even if they have actual knowledge that they have collected personal information from children.¹⁶

The Commission decided to maintain its Rule that the use of credit cards in connection with a transaction is a reasonable means of verifying that the person providing consent is the child’s parent. Currently, the Rule allows web sites to obtain consent for disclosures of information to third parties (e.g., children’s e-mail accounts, chat rooms, message boards) through the use of credit cards in connection with a transaction. The FTC sought review of this rule because of the growing practice of issuing credit cards to children, who may be able to use these cards to circumvent the parental consent requirement. In addition, the FTC notes that some web site operators merely verify that a given credit card is valid, rather than using the card to conduct an actual transaction, which would undermine the reliability that the person giving the consent is the parent.¹⁷

Most commenters on this issue stated that, despite the limited practice of issuing of cards to minors, the practice of "using a credit card with a transaction is a reasonable and trustworthy method to obtain verifiable parental consent." A few commenters explained that the method remains effective because a minor’s use of credit cards is linked to the parent’s account and would still serve as an opportunity to obtain parental consent. The Commission decided to retain the requirement that a credit card be used in connection with a transaction because it creates a record (i.e., billing statement) that increases the likelihood that the parent is aware of the child’s online activity.¹⁸

The Commission chose to maintain its safe harbor program, under which an operator is deemed to be in compliance with the Rule if the operator complies with Commission-approved self-regulatory guidelines. To date, the programs of four organizations (Privo, Inc., TRUSTe, the Children’s Advertising Review Unit of the Council of Better Business Bureaus (CARU), and the Entertainment Software Rating Board (ESRB)) have been approved as COPPA safe harbors. Web site operators in Commission-approved programs are first subject to the disciplinary procedures of the safe harbor in lieu of FTC enforcement. The FTC sought comment on the effectiveness of the safe harbor approach, and asked what changes, if any, should be made to this approach.¹⁹

After its review, the Commission chose to maintain the program in its current form and declined to adopt a recommendation to amend the Rule. A commenter had suggested that to provide an incentive to join a program, the Commission should recognize that "membership in good standing in a Commission-approved safe harbor program is an affirmative defense to an enforcement action" under COPPA. The Commission stated that it already considers whether an operator is participating in a safe harbor program when it evaluates whether to bring an enforcement action, and that no evidence was provided to demonstrate that an incentive is needed to encourage participation.²⁰

As noted above, in January 2005, the Commission requested comments on whether its "sliding scale" approach to parental consent should sunset as scheduled in April 2005 or be made permanent. During that comment period, which ended in February, the Commission received 91 comments. In its April NPRM, the Commission again requested comment on the sliding scale.²¹

The requirements for obtaining consent under the sliding scale vary based on the way the operator intends to use the child’s personal information. For instance, if the operator discloses the information to others—or enables the child to disclose information to others via an e-mail account, chat room, message board, or other means—then a very reliable method of consent is required because the situation potentially presents danger to children. Methods of obtaining parental consent that satisfy this "very reliable" standard include getting a signed form from the parent via postal mail or fax; accepting and verifying a credit card number; taking calls from parents through a toll-free number staffed by trained personnel; and receiving an e-mail that is accompanied by a digital signature.

If, on the other hand, the personal information collected from the child will be used only by the operator for internal purposes, then a less rigorous method of consent is required (e.g., through an initial e-mail followed by a delayed confirmation, the so-called "e-mail plus" mechanism).

The sliding scale had been adopted as a cost-effective option to obtain parental consent until a more reliable electronic method becomes available.²² Among the issues considered, the Commission noted that it received no examples of children’s privacy having been violated by use of the e-mail plus mechanism; in addition, commenters noted that internal use presents a low risk to children. Through the comments, it also is clear that the availability of electronic verification technology has not progressed to the point where it has rendered the scale unnecessary. Therefore, the Commission decided to continue to monitor this issue until digital verification technology is reliable and widely available. Until then, given the lack of technological advances in this area and the benefit of regulatory certainty, the Commission indefinitely extended the use of the sliding scale in its current form.²³

* * *

As expected, the Commission made no changes to the Rule. This review served as a means for the Commission to gather information regarding the Rule’s effectiveness for its required report to Congress on children’s privacy issues and the effectiveness of COPPA. For web site operators and other online services, the Commission’s decision provides regulatory stability in the marketplace and instills confidence that the regulatory environment will not change in the foreseeable future.

Footnotes

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.