16 CFR Part 312, Children’s Online Privacy Protection Rule, Supplemental Notice of Proposed Rulemaking, Project No. P104503
The proposed changes to how FTC enforces COPPA appear to be troublingly vague. "...Know or have reason to know..." appears to be impossible to interpret meaningfully. The proposed requirements forcing third-party providers of tracking and analytics scripts--and all other components comprising any suitably complex website--are quite breathtaking. Few if any providers of such components will have any means (reasonable or unreasonable) of determining whether their code is interacting with a human, much less a web browser or other application directed by a human of a given age. The same applies to any website operator.

Conforming to the proposed new regulation would require affirmative means of permanently, uniquely, and invasively identifying all users of web services, such as via state-issued ID, and would vastly increase the amount of personally-identifying information available to be compromised any time a website's security is penetrated, which has happened as a matter of routine over the last decade or so. Even if FTC accepts the tremendous invasion of privacy, and exposure to "identity theft," of American users of the Internet, it should be aware that any age-related access controls, even those mandating state ID, can and will be bypassed by any suitably persistent attacker.

FTC appears to have little to no knowledge of the technologies it proposes to enforce unreasonable new regulations on. I would urge FTC to retain or engage with experienced web developers, security engineers, and other technical professionals who can explain in detail why the proposed new regulation will be both impossible to enforce, and nightmarish for the citizens it purports to protect.