BILLING CODE: 6750-01-P
FEDERAL TRADE COMMISSION
16 CFR PART 312
Children's Online Privacy Protection Rule
AGENCY: Federal Trade Commission
ACTION: Initial Regulatory Flexibility Analysis
SUMMARY: The Commission is publishing this initial regulatory flexibility analysis to aid the public in commenting upon the small business impact of its proposed rule implementing the Children's Online Privacy Protection Act ("COPPA" or "the Act").
DATES: Written comments must be submitted on or before August 6, 1999.
ADDRESSES: Written comments should be submitted to Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The Commission requests that commenters submit the original plus five copies, if feasible. To enable prompt review and public access, comments also should be submitted, if possible, in electronic form, on either a 5-1/4 or a 3-1/2 inch computer disk, with a disk label stating the name of the commenter and the name and version of the word processing program used to create the document. (Programs based on DOS or Windows are preferred. Files from other operating systems should be submitted in ASCII text format.) Alternatively, the Commission will accept comments submitted to the following e-mail address <firstname.lastname@example.org>. Individual members of the public filing comments need not submit multiple copies or comments in electronic form. All submissions should be captioned: "Children's Online Privacy Protection Rule- IRFA Comment, P994504." Comments will be posted on the Commission's Web site: <http://www.ftc.gov>.
FOR FURTHER INFORMATION CONTACT: Toby Milgrom Levin, (202) 326-3156, Loren G. Thompson, (202) 326-2049, or Jill Samuels, (202) 326-2066, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 601 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: This notice supplements the Commission's initial notice of proposed rulemaking, 64 FR 22750 (Apr. 27, 1999), for a Children's Online Privacy Protection Rule, 16 CFR Part 312, to implement the requirements of the Children's Online Privacy Protection Act of 1998 ("the Act"), Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999, Pub. L. 105-277, 1112 Stat. 2681, ___ (Oct. 21, 1998). The Commission's notice of proposed rulemaking did not include an initial regulatory flexibility analysis pursuant to the Regulatory Flexibility Act (5 U.S.C. 603) based on a certification that the proposed rule will not have a significant economic impact on a substantial number of small entities (5 U.S.C. 605). See 64 FR at 22761.
In the Notice of Proposed Rulemaking, the Commission concluded that the proposed rule's requirements are expressly mandated by the COPPA. In the Commission's view, the Act's requirements account for most, if not, all of the economic impact of the proposed rule, and the Commission's proposal adds little, if any, additional independent compliance burden to the statutory requirements. For example, as reiterated below, the proposed rule consistently incorporates the overall "performance" standards set forth in the statute rather than mandating any particular compliance method or approach. See 5 U.S.C. 603(c)(3). Moreover, certain provisions of the rule (e.g., definitions taken directly from the statute, enforceability of rule by the Commission and the states, severability of the rule's provisions) would appear to have no material effect on the costs or burdens of compliance under the rule for regulated entities, regardless of size. Thus, the marginal cost, if any, that would be imposed by the rule on regulated entities, including small entities, would not be substantial. Since the Regulatory Flexibility Act does not require an initial (or final) regulatory flexibility analysis when a "rule" will not have a significant economic impact on a substantial number of small entities (5 U.S.C. 605), such an analysis did not accompany the proposed rule. Nonetheless, in its Notice of Proposed Rulemaking to implement the COPPA, the Commission expressly invited public comment on the proposed rule's effect on the costs, profitability, competitiveness of, and employment in small entities to ensure that no significant economic impact on a substantial number of small entities would be overlooked. See 64 FR at 22761.
In response, the Commission received comments suggesting, among other things, that the Commission publish an initial regulatory flexibility analysis under the Regulatory Flexibility Act.(1) While the Commission continues to believe that such an analysis is not technically required, the Commission has decided to publish the following analysis to provide further information and opportunity for public comment on the small business impact, if any, of the rule. The Commission notes that it has already afforded a period of public comment on the proposed rule for such comments, and will be conducting a public workshop on July 20, 1999, on the issue of obtaining parental consent under the rule. See 64 FR 34595 (June 28, 1999). The workshop will provide an additional opportunity for public comment on how compliance with that particular requirement might be achieved, while minimizing the potential impact of the requirement on regulated entities, including small entities, to the extent the Commission has any discretion on that issue. The July 30th deadline for comments in response to the initial regulatory flexibility analysis set forth below is scheduled to coincide with the close of the comment period that will follow the public workshop described earlier.
Description of the reasons that action by the agency is being considered. The COPPA requires the Commission to promulgate this rule not later than one year after the date of enactment of the Act. COPPA § 1303(b)(1).
Succinct statement of the objectives of, and legal basis for, the proposed rule. To prohibit unfair and deceptive acts and practices in connection with commercial websites' and online services' collection and use of personal information from and about children by: (1) enhancing parental involvement in a child's online activities in order to protect the privacy of children in the online environment; (2) helping to protect the safety of children in online fora such as chat rooms, home pages, and pen-pal services in which children may make public postings of identifying information; (3) maintaining the security of children's personal information collected online; and (4) limiting the collection of personal information without parental consent. The legal basis for the proposed rule is the COPPA.
Description of and, where feasible, an estimate of the number of small entities to which the proposed rule will apply. In general, the rule will apply to any commercial operator of an online service or Internet website directed to children or a commercial operator of an online service or Internet website who has actual knowledge that he or she is collecting personal information from a child. See proposed Rule § 312.3 (general requirements). The rule does not apply to nonprofit entities. See proposed Rule § 312.2 (defining "operator"). A precise estimate of the number of small entities that fall within the rule is not currently feasible because the definition of a website directed to children turns on a number of factors that will require a factual analysis on a case-by-case basis.(2) The Commission seeks any information or comment on these issues, as noted below.
Description of the projected reporting, recordkeeping and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record. The statute and proposed rule do not directly impose any "reporting" or "recordkeeping" requirements within the meaning of the Paperwork Reduction Act, but would require that operators make certain third-party disclosures to the public, i.e., provide parents with notice of their privacy policies. See proposed rule §§ 312.3 (a) (notice on website or online service), 312.4(a), (b), & (c) (format and contents of notice), 312.5(c)(3) & (4) (parental notification to obtain consent), 312.6(a)(1) (parental notification of information being collected on children). The Commission is seeking clearance from the Office of Management & Budget (OMB) for these requirements and the Commission's Supporting Statement submitted as part of that process is being made available on the public record of this rulemaking.
The statute and proposed rule also contain a number of compliance requirements not subject to the Paperwork Reduction Act, including but not limited to obtaining verifiable parental consent to collect personal information from children, § 312.5(b); allowing parents to have the opportunity to review and make changes to information provided by their children, § 312.6; and developing and implementing methods for maintaining the confidentiality, security, and integrity of personal information collected from children, § 312.8. These statutorily mandated obligations do not require operators to file reports or maintain records within the meaning of the Paperwork Reduction Act, although the Commission recognizes that there are potential compliance costs associated with these requirements. As noted above, the only class of small entities that would be subject to the above-described compliance requirements would be commercial operators of websites or online services directed to children or those commercial operators who have actual knowledge that they are collecting information from children, as discussed earlier.
Certain of the statute's and rule's other non-Paperwork Reduction Act requirements may require some clerical or computer programmer time for compliance. For example, an employee may be required to review parental responses to the operator's requests for consent. Depending on the method chosen by the operator to seek parental consent, some employee training may be required, e.g., training an employee manning a toll-free telephone number to recognize whether a child or adult is on the line. Similar skills would be required of employees responsible for handling requests from parents who want to review the information provided by their children. Finally, computer programming and security expertise will be required to ensure that the operator maintains the confidentiality, security, and integrity of the data collected from children. Because the Commission currently has no basis on which to determine the number of hours required to conduct such tasks and as these requirements are not subject to the Paperwork Reduction Act, the Commission has not attempted here to provide an estimate in terms of burden hours, but is instead seeking reliable information and comment on costs and burdens for small entities.
Identification, to the extent practicable, of all relevant Federal rules that may duplicate, overlap or conflict with the proposed rule. The Commission is unaware of any duplicative, overlapping, or conflicting Federal rules. As noted below, the Commission seeks comments and information about any such rules, as well as any other state, local, or industry rules or policies that require website operators and online services to implement business practices (e.g., notification, parental consent, security measures, etc.) that would comply with the requirements of the Commission's proposed rule.
Description of any significant alternatives to the proposed rule that accomplish the stated objectives of applicable statutes and that minimize any significant economic impact of the proposed rule on small entities, including alternatives considered, such as: (1) establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) use of performance rather than design standards; (4) any exemption from coverage of the rule, or any part thereof, for such small entities. Under the proposed rule, subject operators will be free to choose one or more methods to achieve the goals of the rule based on their individual business models and needs. In many instances the proposed rule utilizes a performance standard to permit as much flexibility as possible for website operators to comply with the rule. For example, proposed Rule § 3.12.4(b) minimizes the burden on website operators and online service providers by permitting the notice to be posted by providing "links" to notices, rather than requiring complete texts of the notice, on each "page" or other location(s) where personal information is collected from children. Likewise, the requirements for parental notice (proposed Rule § 312.4(c)) are flexible and open-ended for all entities, not just small entities, requiring simply that the operator make "reasonable efforts, taking into account available technology, to ensure" that notice reaches parents. See also proposed Rule § 312.5 regarding parental consent.
Although these rules impose some costs, it is important to recognize that the requirements of notice, consent, access and security are mandated by the COPPA itself. Although the Commission has sought to minimize the burden on all businesses, including small entities, by incorporating the statute's flexible "performance" standards, the Commission does not have the discretion to provide for exemptions from the COPPA based on size of the operator. Likewise, the proposed rule attempts to clarify, consolidate, and simplify the statutory requirements for all entities, including small entities, but the Commission has little discretion, if any, to mandate different compliance methods or schedules for small entities that might "take into account the resources available to small entities" but not comply with the statutory requirements. For example, the COPPA requires the posting of privacy policies by websites and online services before information is collected from children and a waiver for small entities of that prior notice requirement (e.g., by permitting notice after the fact) would be inconsistent with the statutory mandate. See COPPA, Pub. L. No. 105-277, § 1303(b)(1)(A)(i) and (ii).
Nevertheless, the Commission is seeking to address the variability of online businesses and to devise performance standards to allow for flexibility and innovation to achieve compliance with the mandated COPPA protections. Throughout the rulemaking proceeding, the Commission has made every effort to gather information regarding the economic impact of the COPPA's parental notice and consent requirements on all operators, including small entities. Thus, the FEDERAL REGISTER notice announcing the proposed rule included a number of questions for public comment regarding the costs and benefits associated with these key requirements with respect to small entities.
In addition, the agenda for the July 20th public workshop includes topics designed to elicit economic impact information, particularly as it would affect small businesses. The workshop will examine a wide range of mechanisms to implement parental consent so as to obtain a rich record of how operators, including small entities, can comply with the statutory requirement.
QUESTIONS FOR COMMENT TO ASSIST REGULATORY FLEXIBILITY ANALYSIS:
1. Please provide comment on any or all of the provisions in the proposed rule with regard to (a) the impact of the provision(s) (including any benefits and costs), if any, and (b) what alternatives, if any, the Commission should consider, as well as the costs and benefits of those alternatives, paying specific attention to the effect of the rule on small entities in light of the above analysis. In particular, please provide the above information with regard to the following sections of the proposed rule:
Costs to "implement and comply" with the rule include expenditures of time and money for: any employee training; attorney, computer programmer, or other professional time; preparing relevant materials; processing materials, including, for example, processing parental consent materials or requests for access to information; and recordkeeping.
2. Please describe ways in which the rule could be modified to reduce any costs or burdens for small entities consistent with the COPPA's mandated requirements.
3. Please describe whether and how technological developments (such as the development and implementation of digital signatures) could reduce the costs of implementing and complying with the rule for small entities or other operators.
4. Please provide any information quantifying the economic benefits to website operators of collecting personal information from or about children, including any information showing: advertising revenues based in part upon the number of children registered at a site; revenue derived from the sale or rental of children's personal or aggregate information to others; efficiencies resulting from marketing to a targeted audience; or revenue resulting from designing a customized and appealing site.
5. Please identify all relevant Federal, state or local rules that may duplicate, overlap or conflict with the proposed rule. In addition, please identify any industry rules or policies that require website operators and online services to implement business practices (e.g., notification, parental consent, security measures, etc.) that would already comply with the requirements of the Commission's proposed rule.
By direction of the Commission.
Donald S. Clark
1. See Comment No. 74 submitted by the Honorable George W. Gekas and James M. Talent of the House of Representatives and Comment No. 91 submitted by Jere W. Glover, Jennifer A. Smith, and Eric E. Menge, Office of Advocacy, U.S. Small Business Administration.
2. The proposed Rule (§ 312.2) states that