FTC Retains Children’s Online Privacy Protection (COPPA) Rule Without Changes
The Federal Trade Commission today announced its decision to retain, without changes, the Children’s Online Privacy Protection (COPPA) Rule, which implements the Children’s Online Privacy Protection Act. In a Federal Register notice to be published soon, the Commission will present its findings retaining the Rule’s sliding scale approach to obtaining parental consent to the online collection of personal information from children, which takes into account how such information can be used.
The COPPA Rule Review
As required by COPPA, the Commission began reviewing the Rule within five years of its effective date. As part of this review, the FTC sought public comment on its implementation of COPPA. The Rule imposes certain requirements on Web site or online service operators whose services are directed at children under 13 years old, as well as operators who have ‘actual knowledge’ that they are collecting personal information from children under 13. In its review, the Commission sought comments on the costs and benefits of the Rule, and on whether it should be modified. The FTC also sought information on three specific issues Congress directed the agency to study: 1) the Rule’s effect on practices related to the collection and disclosure of information related to children; 2) the Rule’s effect on children’s ability to access information of their choice online; and 3) the Rule’s effect on the availability of Web sites directed to children.
The comments received uniformly stated that COPPA has succeeded in providing greater protection to children’s personal information online, that there is a continuing need for the Rule, and that the Rule should be retained. Specifically, many commenters emphasized that the Rule provides Web site operators with a clear set of standards to follow and that operators have received few, if any, complaints from parents about the standards and how they are implemented.
Responding to the three statutorily mandated issues, commenters said that operators’ primary response to the Rule has been to limit the personal information they collect from children, and that the Rule’s requirements have struck an appropriate balance between protecting children’s personal information online and preserving children’s ability to access content. They also said that operators have been successful in maintaining popular and viable Web sites in the five years since the Rule was implemented. In the near future, the FTC will submit to the Congress a comprehensive assessment of COPPA’s implementation, including a discussion of these three issues.
Finally, the Commission sought comments on each of the Rule’s specific provisions, as well as on issues that have arisen since its effective date. Commenters generally agreed that the Rule’s provisions are clear and have been effective. In particular, most stated that the terms “website or online service directed to children” and “actual knowledge” are sufficiently clear. They also did not find that screening for visitors’ age on general audience Web sites has become a problem, and they supported the FTC’s continued approval of using a credit card with a transaction as a method of obtaining verifiable parental consent to the collection of children’s personal information. As discussed below in greater detail, most commenters also supported the continued use of the Rule’s sliding scale approach to verifiable parental consent. Accordingly, the FTC determined that no changes were needed to the Rule’s substantive provisions, including the sliding scale approach to obtaining verifiable parental consent.
The Sliding Scale Approach
The FTC adopted a sliding scale approach for parental consent when it issued the COPPA Rule in 1999. Under this approach, the measures required to obtain verifiable parental consent depend on how the operator of a Web site intends to use the information that it collects. Specifically, if the operator intends to disclose information collected from children to the public or a third party, then it must use more reliable methods for obtaining verifiable parental consent. In contrast, if the operator intends to use information from children for its internal use only, then it also can obtain verifiable parental consent by an e-mail from the parent if it also confirms the consent by sending a message to the parent by delayed e-mail, fax, or telephone.
The Commission originally set 2002 as the expiration date for the sliding scale approach. In 2002, the FTC extended the sliding scale approach until April 21, 2005, due to the continued lack of affordable and more reliable means of obtaining parental consent. In January 2005, the Commission sought public comment on whether to sunset the sliding scale as scheduled in April 2005. Based on the public comments received, the FTC decided to seek additional comments on the approach in the context of the larger rule review process, and subsequently extended the use of the sliding scale.
Based on the comments received and its own experience in implementing the Rule, the FTC determined that the risk to children’s privacy from an operator collecting personal information for internal use only remains relatively low. The Commission also determined that more secure technologies that might be used to obtain parental consent for information collection and internal operator use are not yet widely available at a reasonable cost. It further determined that the sliding scale approach has worked well, and that its continued use may foster the (COPPA FRN - 3/8/06) development of children’s online content. Based on this evaluation, the FTC decided to retain the sliding scale approach indefinitely while it continues to monitor technological developments.
The Commission vote approving issuance of the Federal Register notice was 5-0.
Copies of the Federal Register notice are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.htm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Office of Public Affairs
Karen M. Muoio
Bureau of Consumer Protection