www.ftc.gov os fedreg 2013-01-130117coppa

Upload: bennet-kelley

Post on 03-Apr-2018


    Vol. 78, No. 12, Thursday, January 17, 2013

    Part II

    Federal Trade Commission

    16 CFR Part 312

    Children's Online Privacy Protection Rule; Final Rule


    3972 Federal Register / Vol. 78, No. 12/ Thursday, January 17, 2013 / Rules and Regulations

    1 2011 NPRM, 76 FR 59804, available at http://ftc.gov/os/2011/09/110915coppa.pdf.

    2 2012 SNPRM, 77 FR 46643, available at http://ftc.gov/os/2012/08/120801copparule.pdf.

    3 See 16 CFR 312.3.

    4 See 16 CFR 312.7 and 312.8.

    5 See 16 CFR 312.10.

    6 See Request for Public Comment on the Federal Trade Commission's Implementation of the Children's Online Privacy Protection Rule ("2010 FRN"), 75 FR 17089 (Apr. 5, 2010).

    7 Id.

    8 Information about the June 2010 public roundtable is located at http://www.ftc.gov/bcp/workshops/coppa/index.shtml.

    FEDERAL TRADE COMMISSION

    16 CFR Part 312

    RIN 3084-AB20

    Children's Online Privacy Protection Rule

    AGENCY: Federal Trade Commission ("FTC" or "Commission").

    ACTION: Final rule amendments.

    SUMMARY: The Commission amends the Children's Online Privacy Protection Rule ("COPPA Rule" or "Rule"), consistent with the requirements of the Children's Online Privacy Protection Act, to clarify the scope of the Rule and strengthen its protections for children's personal information, in light of changes in online technology since the Rule went into effect in April 2000. The final amended Rule includes modifications to the definitions of operator, personal information, and Web site or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion.

    DATES: The amended Rule will become effective on July 1, 2013.

    ADDRESSES: The complete public record of this proceeding will be available at www.ftc.gov. Requests for paper copies of this amended Rule and Statement of Basis and Purpose ("SBP") should be sent to: Public Reference Branch, Federal Trade Commission, 600 Pennsylvania Avenue NW., Room 130, Washington, DC 20580.

    FOR FURTHER INFORMATION CONTACT: Phyllis H. Marcus or Mamie Kresses, Attorneys, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326-2854 or (202) 326-2070.

    SUPPLEMENTARY INFORMATION:

    Statement of Basis and Purpose

    I. Overview and Background

    A. Overview

    This document states the basis and purpose for the Commission's decision to adopt certain amendments to the COPPA Rule that were proposed and published for public comment on September 27, 2011 ("2011 NPRM"), 1 and supplemental amendments that were proposed and published for public comment on August 6, 2012 ("2012 SNPRM"). 2 After careful review and consideration of the entire rulemaking record, including public comments submitted by interested parties, and based upon its experience in enforcing and administering the Rule, the Commission has determined to adopt amendments to the COPPA Rule. These amendments to the final Rule will help to ensure that COPPA continues to meet its originally stated goals to minimize the collection of personal information from children and create a safer, more secure online experience for them, even as online technologies, and children's uses of such technologies, evolve.

    The final Rule amendments modify the definitions of operator to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors; Web site or online service directed to children to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service; Web site or online service directed to children to allow a subset of child-directed sites and services to differentiate among users, and requiring such properties to provide notice and obtain parental consent only for users who self-identify as under age 13; personal information to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services; and support for internal operations to expand the list of defined activities.

    The Rule amendments also streamline and clarify the direct notice requirements to ensure that key information is presented to parents in a succinct just-in-time notice; expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent; create three new exceptions to the Rule's notice and consent requirements; strengthen data security protections by requiring operators to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information; require reasonable data retention and deletion procedures; strengthen the Commission's oversight of self-regulatory safe harbor programs; and institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.

    B. Background

    The COPPA Rule, 16 CFR part 312, issued pursuant to the Children's Online Privacy Protection Act ("COPPA" or "COPPA statute"), 15 U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age, and on operators of other Web sites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, "operators"). Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. 3 The Rule also requires operators to keep secure the information they collect from children, and prohibits them from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. 4 The Rule contains a safe harbor provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule's protections. 5

    The Commission initiated review of the COPPA Rule in April 2010 when it published a document in the Federal Register seeking public comment on whether the rapid-fire pace of technological changes to the online environment over the preceding five years warranted any changes to the Rule. 6 The Commission's request for public comment examined each aspect of the COPPA Rule, posing 28 questions for the public's consideration. 7 The Commission also held a public roundtable to discuss in detail several of the areas where public comment was sought. 8

    The Commission received 70 comments from industry representatives, advocacy groups, academics, technologists, and


    9 Public comments in response to the Commission's 2010 FRN are located at http://www.ftc.gov/os/comments/copparulerev2010/index.shtm. Comments cited herein to the Federal Register Notice are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.

    10 See supra note 1.

    11 Public comments in response to the 2011 NPRM are located at http://www.ftc.gov/os/comments/copparulereview2011/. Comments cited herein to the 2011 NPRM are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.

    12 Public comments in response to the 2012 SNPRM are available online at http://ftc.gov/os/comments/copparulereview2012/index.shtm. Comments cited herein to the SNPRM are designated as such, and are identified by commenter name, comment number, and, where applicable, page number.

    13 One commenter, Go Daddy, expressed concern that the definition of collects or collection is silent as to personal information acquired from children offline that is uploaded, stored, or distributed to third parties by operators. Go Daddy (comment 59, 2011 NPRM), at 2. However, Congress limited the scope of COPPA to information that an operator collects online from a child; COPPA does not govern information collected by an operator offline. See 15 U.S.C. 6501(8) (defining the personal information as "individually identifiable information about an individual collected online * * *."); 144 Cong. Rec. S11657 (Oct. 7, 1998) (Statement of Sen. Bryan) ("This is an online children's privacy bill, and its reach is limited to information collected online from a child.").

    14 See Institute for Public Representation (comment 71, 2011 NPRM), at 19; kidSAFE Seal Program (comment 81, 2011 NPRM), at 5; Alexandra Lang (comment 87, 2011 NPRM), at 1.

    15 NCTA (comment 113, 2011 NPRM), at 17-18.

    16 Id.

    17 See 16 CFR 312.2: Collects or collection means the gathering of any personal information from a child by any means, including but not limited to * * *

    18 Several other commenters raised concern that the language prompting, or encouraging could make sites or services that post third-party "Like" or "Tweet This" buttons subject to COPPA. See Association for Competitive Technology (comment 5, 2011 NPRM), at 6; Direct Marketing Association ("DMA") (comment 37, 2011 NPRM), at 6; see also American Association of Advertising Agencies (comment 2, 2011 NPRM), at 23; Interactive Advertising Bureau ("IAB") (comment 73, 2011 NPRM), at 12. The collection of personal information by plug-ins on child-directed sites is addressed fully in the discussion regarding changes to the definition of operator. See Part II.A.4.a., infra.

    19 Under the Rule, operators who offered services such as social networking, chat, and bulletin boards and who did not pre-strip (i.e., completely delete) such information were deemed to have disclosed personal information under COPPA's definition of disclosure. See 16 CFR 312.2.

    20 See P. Marcus, Remarks from COPPA's Exceptions to Parental Consent Panel at the Federal Trade Commission's Roundtable: Protecting Kids' Privacy Online 310 (June 2, 2010), available at http://www.ftc.gov/bcp/workshops/coppa/COPPARuleReview_Transcript.pdf.

    individual members of the public in response to the April 5, 2010 request for public comment. 9 After reviewing the comments, the Commission issued the 2011 NPRM, which set forth several proposed changes to the COPPA Rule. 10 The Commission received over 350 comments in response to the 2011 NPRM. 11 After reviewing these comments, and based upon its experience in enforcing and administering the Rule, in the 2012 SNPRM, the Commission sought additional public comment on a second set of proposed modifications to the Rule.

    The 2012 SNPRM proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable software kits ("plug-ins"), collect information from users through child-directed sites and services. In addition, the 2012 SNPRM proposed to further modify the definition of Web site or online service directed to children to permit Web sites or online services that are directed both to children and to a broader audience to comply with COPPA without treating all users as children. The Commission also proposed modifying the definition of screen or user name to cover only those situations where a screen or user name functions in the same manner as online contact information. Finally, the Commission proposed to further modify the revised definitions of support for internal operations and persistent identifiers. The Commission received 99 comments in response to the 2012 SNPRM. 12 After reviewing these additional comments, the Commission now announces this final amended COPPA Rule.

    II. Modifications to the Rule

    A. Section 312.2: Definitions

    1. Definition of Collects or Collection

    a. Collects or Collection, Paragraph (1)

    In the 2011 NPRM, the Commission proposed amending paragraph (1) to change the phrase "requesting that children submit personal information online" to "requesting, prompting, or encouraging a child to submit personal information online." The proposal was to clarify that the Rule covers the online collection of personal information both when an operator requires it to participate in an online activity, and when an operator merely prompts or encourages a child to provide such information. 13 The comments received divided roughly equally between support of and opposition to the proposed change to paragraph (1). Those in favor cited the increased clarity of the revised language as compared to the existing language. 14

    Several commenters opposed the revised language of paragraph (1). For example, the National Cable and Telecommunications Association ("NCTA") expressed concern that the revised language suggests that COPPA obligations are triggered even without the actual or intended collection of personal information. 15 NCTA asked the Commission to clarify that prompting or encouraging does not trigger COPPA unless an operator actually collects personal information from a child. 16

    The Rule defines collection as the gathering of any personal information from a child by any means, and the terms prompting and encouraging are merely exemplars of the means by which an operator gathers personal information from a child. 17 This change to the definition of collects or collection is intended to clarify the longstanding Commission position that an operator that provides a field or open forum for a child to enter personal information will not be shielded from liability merely because entry of personal information is not mandatory to participate in the activity. It recognizes the reality that such an operator must have in place a system to provide notice to and obtain consent from parents to deal with the moment when the information is gathered. 18 Otherwise, once the child posts the personal information, it will be too late to obtain parental consent.

    After reviewing the comments, the Commission has decided to modify paragraph (1) of the definition of collects or collection as proposed in the 2011 NPRM.

    b. Collects or Collection, Paragraph (2)

    Section 312.2(b) of the Rule defines collects or collection to cover enabling children to publicly post personal information (e.g., on social networking sites or on blogs), except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator's records. 19 This exception, often referred to as the 100% deletion standard, was designed to enable sites and services to make interactive content available to children, without providing parental notice and obtaining consent, provided that all personal information was deleted prior to posting. 20

    The 2010 FRN sought comment on whether to change the 100% deletion standard, whether automated systems used to review and post child content could meet this standard, and whether


    21 See 75 FR at 17090, Question 9.

    22 See Entertainment Software Association ("ESA") (comment 20, 2010 FRN), at 13-14; R. Newton (comment 46, 2010 FRN), at 4; Privo, Inc. (comment 50, 2010 FRN), at 5; B. Szoka (comment 59, 2010 FRN), at 19; see also Wired Safety (comment 68, 2010 FRN), at 15.

    23 See 76 FR at 59808.

    24 See Institute for Public Representation (comment 71, 2011 NPRM), at 19.

    25 See NCTA (comment 113, 2011 NPRM), at 8.

    26 DMA (comment 37, 2011 NPRM), at 7.

    27 See DMA id.; Institute for Public Representation (comment 71, 2011 NPRM), at 3; kidSAFE Seal Program (comment 81, 2011 NPRM), at 5; NCTA (comment 113, 2011 NPRM), at 8; Toy Industry Association (comment 163, 2011 NPRM), at 8.

    28 See TechFreedom (comment 159, 2011 NPRM), at 6.

    29 76 FR at 59808.

    30 Privacy Rights Clearinghouse indicated its belief that this change would give operators added incentive to notify parents of their information collection practices, particularly with regard to online tracking and behavioral advertising. See Privacy Rights Clearinghouse (comment 131, 2011 NPRM), at 2; see also Consumers Union (comment 29, 2011 NPRM), at 2; kidSAFE Seal Program (comment 81, 2011 NPRM), at 6.

    31 See DMA (comment 37, 2011 NPRM), at 9-10; IAB (comment 73, 2011 NPRM), at 12; NCTA (comment 113, 2011 NPRM), at 17-18; National Retail Federation (comment 114, 2011 NPRM), at 23; TechAmerica (comment 157, 2011 NPRM), at 56.

    32 See Part II.C.10.g., infra.

    33 See 2011 NPRM, 76 FR at 59809.

    34 The Commission intended this change to clarify what was meant by the terms release of personal information and support for the internal operations of the Web site or online service, where those terms are referenced elsewhere in the Rule and are not directly connected with the terms disclose or disclosure.

    35 See kidSAFE Seal Program (comment 81, 2011 NPRM), at 8 ("[P]aragraph (b) under the definition of disclose or disclosure should have the following opening clause: Subject to paragraph (b) under the definition of collects or collection, making personal information collected by an operator from a child publicly available * * *.").

    the Commission had provided sufficient guidance on the deletion of personal information. 21 In response, several commenters urged a new standard, arguing that the 100% deletion standard, while well-intentioned, was an impediment to operators' implementation of sophisticated automated filtering technologies that may actually aid in the detection and removal of personal information. 22

    In the 2011 NPRM, the Commission stated that the 100% deletion standard set an unrealistic hurdle to operators' implementation of automated filtering systems that could promote engaging and appropriate online content for children, while ensuring strong privacy protections by design. To address this, the Commission proposed replacing the 100% deletion standard with a reasonable measures standard. Under this approach, an operator would not be deemed to have collected personal information if it takes reasonable measures to delete all or virtually all personal information from a child's postings before they are made public, and also to delete such information from its records. 23

    Although the Institute for Public Representation raised concerns about the effectiveness of automated filtering techniques, 24 most comments were resoundingly in favor of the reasonable measures standard. For example, one commenter stated that the revised language would enable the use of automated procedures that could provide increased consistency and more effective monitoring than human monitors, 25 while another noted that it would open the door to cost-efficient and reliable means of monitoring children's communications. 26 Several commenters noted that the proposed reasonable measures standard would likely encourage the creation of more rich, interactive online content for children. 27 Another commenter noted that the revised provision, by offering greater flexibility for technological solutions, should help minimize the burden of COPPA on children's free expression. 28

    The Commission is persuaded that the 100% deletion standard should be replaced with a reasonable measures standard. The reasonable measures standard strikes the right balance in ensuring that operators have effective, comprehensive measures in place to prevent public online disclosure of children's personal information and ensure its deletion from their records, while also retaining the flexibility operators need to innovate and improve their mechanisms for detecting and deleting such information. Therefore, the final Rule amends paragraph (2) of the definition of collects or collection to adopt the reasonable measures standard proposed in the 2011 NPRM.

    c. Collects or Collection, Paragraph (3)

    In the 2011 NPRM, the Commission proposed to modify paragraph (3) of the Rule's definition of collects or collection to clarify that it includes all means of passively collecting personal information from children online, irrespective of the technology used. The Commission sought to accomplish this by removing from the original definition the language or use of any identifying code linked to an individual, such as a cookie. 29

    The Commission received several comments supporting, 30 and several comments opposing, 31 this proposed change. Those opposing the change generally believed that this change somehow expanded the definition of personal information. As support for their argument, these commenters also referenced the Commission's proposal to include persistent identifiers within the definition of personal information.

    The Commission believes that paragraph (3), as proposed in the 2011 NPRM, is sufficiently understandable. The paragraph does nothing to alter the fact that the Rule covers only the collection of personal information. Moreover, the final Rule's exception for the limited use of persistent identifiers to support internal operations, 312.5(c)(7), clearly articulates the specific criteria under which an operator will be exempt from the Rule's notice and consent requirements in connection with the passive collection of a persistent identifier. 32 Accordingly, the Commission adopts the definition of collects or collection as proposed in the 2011 NPRM.

    2. Definition of Disclose or Disclosure

    In the 2011 NPRM, the Commission proposed making several minor modifications to Section 312.2 of the Rule's definition of disclosure, including broadening the title of the definition to disclose or disclosure to clarify that in every instance in which the Rule refers to instances where an operator disclose[s] information, the definition of disclosure shall apply. 33 In addition, the Commission proposed moving the definitions of release of personal information and support for the internal operations of the Web site or online service contained within the definition of disclosure to make them stand-alone definitions within Section 312.2 of the Rule. 34

    One commenter asked the Commission to modify paragraph (2) of the proposed definition by adding an opening clause linking it to the definition of collects or collection. 35 While this commenter did not state its reasons for the proposed change, the Commission believes that the language of paragraph (2) is sufficiently clear so as not to warrant making the change suggested. Therefore, the Commission modifies the definition of disclosure or disclosure as proposed in the 2011 NPRM.

    3. Definition of Online Contact Information

    Section 312.2 of the Rule defines online contact information as an email address or any other substantially similar identifier that permits direct contact with a person online. The 2011 NPRM proposed clarifications to the definition to flag that the term broadly covers all identifiers that permit direct


    36 The Rule's definition of personal information included the sub-category an email address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual's email address. The 2011 NPRM proposed replacing that sub-category of personal information with online contact information.

    37 76 FR at 59810.

    38 See DMA (comment 37, 2011 NPRM), at 11.

    39 kidSAFE Seal Program (comment 81, 2011 NPRM), at 7. Acknowledging the Commission's position that cell phone numbers are outside of the statutory definition of online contact information, kidSAFE advocates for a statutory change, if needed, to enable mobile app operators, in particular, to reach parents using contact information relevant to their ecosystem.

    40 At the same time, the Commission believes it may be impractical to expect children to correctly distinguish between mobile and land-line phones when asked for their parents' mobile numbers.

    41 Moreover, given that the final Rule's definition of online contact information encompasses a broad, non-exhaustive list of online identifiers, operators will not be unduly burdened by the Commission's determination that cell phone numbers are not online contact information.

    42 2012 SNPRM, 77 FR at 46644. The Commission acknowledged that this decision reversed a previous policy choice to place the burden of notice and consent entirely upon the information collection entity.

    43 In so doing, the Commission noted that it believed it could hold the information collection entity strictly liable for such collection because, when operating on child-directed properties, that portion of an otherwise general audience service could be deemed directed to children. 2012 SNPRM, 77 FR at 46644-46645.

    44 See, e.g., Facebook (comment 33, 2012 SNPRM), at 34.

    45 See Microsoft (comment 66, 2012 SNPRM), at 6; IAB (comment 49, 2012 SNPRM), at 5; DMA (comment 28, 2012 SNPRM), at 5.

    46 See, e.g., Institute for Public Representation (comment 52, 2012 SNPRM), at 20; Common Sense Media (comment 20, 2012 SNPRM), at 6.

    contact with a person online and to ensure consistency between the definition of online contact information and the use of that term within the definition of personal information. 36 The proposed revised definition identified commonly used online identifiers, including email addresses, instant messaging ("IM") user identifiers, voice over Internet protocol ("VOIP") identifiers, and video chat user identifiers, while also clarifying that the list of identifiers was non-exhaustive and would encompass other substantially similar identifiers that permit direct contact with a person online. 37 The Commission received few comments addressing this proposed change.

    One commenter opposed the modification, asserting that IM, VOIP, and video chat user identifiers do not function in the same way as email addresses. The commenter's rationale for this argument was that not all IM identifiers reveal the IM system in use, which information is needed to directly contact a user. 38 The Commission does not find this argument persuasive. While an IM address may not reveal the IM program provider in every instance, it very often does. Moreover, several IM programs allow users of different messenger programs to communicate across different messaging platforms. Like email, instant messaging is a communications tool that allows people to communicate one-to-one or in groups, sometimes in a faster, more real-time fashion than through email. The Commission finds, therefore, that IM identifiers provide a potent means to contact a child directly.

    Another commenter asked the Commission to expand the definition of online contact information to include mobile phone numbers. The commenter noted that, given the Rule's coverage of mobile apps and web-based text messaging programs, operators would benefit greatly from collecting a parent's mobile phone number (instead of an email address) in order to initiate contact for notice and consent. 39 The Commission recognizes that including mobile phone numbers within the definition of online contact information could provide operators with a useful tool for initiating the parental notice process through either SMS text or a phone call. It also recognizes that there may be advantages to parents for an operator to initiate contact via SMS text, among them that parents generally have their mobile phones with them and that SMS text is simple and convenient. 40 However, the statute did not contemplate mobile phone numbers as a form of online contact information, and the Commission therefore has determined not to include mobile phone numbers within the definition. 41 Thus, the final Rule adopts the definition of online contact information as proposed in the 2012 SNPRM.

    4. Definitions of Operator and Web Site or Online Service Directed to Children

    In the 2012 SNPRM, the Commission proposed modifying the definitions of both operator and Web site or online service directed to children to allocate and clarify the responsibilities under COPPA when independent entities or third parties, e.g., advertising networks or downloadable plug-ins, collect information from users through child-directed sites and services. Under the proposed revisions, the child-directed content provider would be strictly liable for personal information collected by third parties through its site. The Commission reasoned that, although the child-directed site or service may not own, control, or have access to the personal information collected, such information is collected on its behalf due to the benefits it receives by adding more attractive content, functionality, or advertising revenue. The Commission also noted that the primary-content provider is in the best position to know that its site or service is directed to children, and is appropriately positioned to give notice and obtain consent. 42 By contrast, if the Commission failed to impose obligations on the content providers, there would be no incentive for child-directed content providers to police their sites or services, and personal information would be collected from young children, thereby undermining congressional intent. The Commission also proposed imputing the child-directed nature of the content site to the entity collecting the personal information only if that entity knew or had reason to know that it was collecting personal information through a child-directed site. 43

    Most of the comments opposed the Commission's proposed modifications. Industry comments challenged the Commission's statutory authority for both changes and the breadth of the language, and warned of the potential for adverse consequences. In essence, many industry comments argued that the Commission may not apply COPPA where independent third parties collect personal information through child-directed sites, 44 and that even if the Commission had some authority, exercising it would be impractical because of the structure of the online ecosystem. 45 Many privacy and children's advocates agreed with the 2012 SNPRM proposal to hold child-directed content providers strictly liable, but some expressed concern about holding plug-ins and advertising networks to a lesser standard. 46

    For the reasons discussed below, the Commission, with some modifications to the proposed Rule language, will retain the strict liability standard for child-directed content providers that allow other online services to collect personal information through their sites. The Commission will deem a plug-in or other service to be a covered co-operator only where it has actual knowledge that it is collecting information through a child-directed site.

    a. Strict Liability for Child-Directed Content Sites: Definition of Operator

    Implementing strict liability as described above requires modifying the current definition of operator. The Rule, which mirrors the statutory language, defines operator in pertinent part, as


    47 15 U.S.C. 6501(2). The Rule's definition of operator reflects the statutory language. See 16 CFR 312.2.

    48 See, e.g., Application Developers Alliance (comment 5, 2012 SNPRM), at 34; Association of Competitive Technology (comment 7, 2012 SNPRM), at 45; IAB (comment 49, 2012 SNPRM), at 56; Online Publishers Association (comment 72, 2012 SNPRM), at 1011; Magazine Publishers of America (comment 61, 2012 SNPRM), at 35; The Walt Disney Co. (comment 96, 2012 SNPRM), at 45; S. Weiner (comment 97, 2012 SNPRM), at 12; WiredSafety (comment 98, 2012 SNPRM), at 3.

    49 See DMA (comment 28, 2012 SNPRM), at 12; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 5; TechAmerica (comment 87, 2012 SNPRM), at 23.

    50 See, e.g., Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 79; Facebook (comment 33, 2012 SNPRM), at 6 (entities acting primarily for their own benefit not considered to be acting on behalf of another party).

    51 See, e.g., Business Software Alliance (comment 12, 2012 SNPRM), at 24; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 5; see also, e.g., IAB (comment 49, 2012 SNPRM), at 5; DMA (comment 28, 2012 SNPRM), at 6; Online Publishers Association (comment 72, 2012 SNPRM), at 1011; The Walt Disney Co. (comment 96, 2012 SNPRM), at 35.

    52 See Center for Democracy & Technology (CDT) (comment 15, 2012 SNPRM), at 45; DMA (comment 28, 2012 SNPRM), at 5; Google (comment 41, 2012 SNPRM), at 34; Lynette Mattke (comment 63, 2012 SNPRM).

    53 See Google (comment 41, 2012 SNPRM), at 3; Application Developers Alliance (comment 5, 2012 SNPRM), at 5; Association for Competitive Technology (comment 6, 2012 SNPRM), at 5; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4; ConnectSafely (comment 21, 2012 SNPRM), at 2.

    54 See Application Developers Alliance (comment 5, 2012 SNPRM), at 3; Online Publishers Association (comment 72, 2012 SNPRM), at 11; The Walt Disney Co. (comment 96, 2012 SNPRM), at 4; DMA (comment 28, 2012 SNPRM), at 4.

    55 See, e.g., Online Publishers Association (comment 72, 2012 SNPRM), at 11 (publisher should be entitled to rely on third party's representations about its information practices); The Walt Disney Co. (comment 96, 2012 SNPRM), at 5 (operator of a site directed to children should be permitted to rely on the representations made by third parties regarding their personal information collection practices, as long as the operator has undertaken reasonable efforts to limit any unauthorized data collection); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 6 (the Commission should state that operators whose sites or services are targeted to children should bind third party operators whom they know are collecting personal information through their sites or services to comply with COPPA with regard to that information collection).

    56 See Institute for Public Representation (comment 52, 2012 SNPRM), at 1819; Common Sense Media (comment 20, 2012 SNPRM), at 46; EPIC (comment 31, 2012 SNPRM), at 56; Catholic Bishops (comment 92, 2012 SNPRM), at 3; CDT (comment 15, 2012 SNPRM), at 3.

    57 See Institute for Public Representation (comment 52, 2012 SNPRM), at 19; Common Sense Media (comment 20, 2012 SNPRM), at 5.

    58 See CDT (comment 15, 2012 SNPRM), at 5; Apple (comment 4, 2012 SNPRM), at 34; Assert ID (comment 6, 2012 SNPRM), at 5.

    59 Although this issue is framed in terms of child-directed content providers integrating plug-ins or other online services into their sites because that is by far the most likely scenario, the same strict liability standard would apply to a general audience content provider that allows a plug-in to collect personal information from a specific user when the provider has actual knowledge the user is a child.

    60 National Organization for Marriage v. Daluz, 654 F.3d 115, 121 (1st Cir. 2011) (statute requiring expenditure reports by independent PAC to the treasurer of the candidate on whose behalf the expenditure was made meant to the candidate who stands to benefit from the independent expenditure's advocacy); accord American Postal Workers Union v. United States Postal Serv., 595 F. Supp 1352 (D.D.C. 1984) (Postal Union's activities held to be "on behalf of" a political campaign where evidence showed union was highly politicized, with goal of electing a particular candidate); Sedwick Claims Mgmt. Servs. v. Barrett Business Servs., Inc., 2007 WL 1053303 (D. Or. 2007) (noting that 9th Circuit has interpreted the phrase "on behalf of" to include both "to the benefit of" and "in a representative capacity"); United States v. Dish Network, LLC, 2010 U.S. Dist. LEXIS 8957, 10 (C.D. Ill. Feb. 3, 2010) (reiterating the court's previous opinion that the plain meaning of the phrases "on whose behalf" or "on behalf of" is an act by a representative of, or an act for the benefit of, another).

    any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes, including any person offering products or services for sale through that Web site or online service, involving commerce * * * 47

    In the 2012 SNPRM, the Commission proposed adding a proviso to that definition stating that personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.

    Industry, particularly online content publishers, including app developers, criticized this proposed change. 48 Industry comments argued that the phrase "on whose behalf" in the statute applies only to agents and service providers, 49 and that the Commission lacks the authority to interpret the phrase more broadly to include any incidental benefit that results when two parties enter a commercial transaction. 50 Many commenters pointed to an operator's post-collection responsibilities under COPPA, e.g., mandated data security and affording parents deletion rights, as evidence that Congress intended to cover only those entities that control or have access to the personal information. 51

    Commenters also raised a number of policy objections. Many argued that child-directed properties, particularly small app developers, would face unreasonable compliance costs and that the proposed revisions might choke off their monetization opportunities, 52 thus decreasing the incentive for developers to create engaging and educational content for children. 53 They also argued that a strict liability standard is impractical given the current online ecosystem, which does not rely on close working relationships and communication between content providers and third parties that help monetize that content. 54 Some commenters urged the Commission to consider a safe harbor for content providers that exercise some form of due diligence regarding the information collection practices of plug-ins present on their site. 55

    Privacy organizations generally supported imposing strict liability on content providers. They agreed with the Commission's statement in the 2012 SNPRM that the first-party content provider is in a position to control which plug-ins and software downloads it integrates into its site and that it benefits by allowing information collection by such third parties. 56 They also noted how unreasonable it would be for parents to try to decipher which entity might actually be collecting data through the child-directed property. 57

    Finally, many commenters expressed concern that the language describing "on whose behalf" reaches so broadly as to cover not only child-directed content sites, but also marketplace platforms such as Apple's iTunes App Store and Google's Android market (now Google Play) if they offered child-directed apps on their platforms. 58 These commenters urged the Commission to revise the language of the Rule to exclude such platforms.

    After considering the comments, the Commission retains a strict liability standard for child-directed sites and services that allow other online services to collect personal information through their sites. 59 The Commission disagrees with the views of commenters that this is contrary to Congressional intent or the Commission's statutory authority. The Commission does not believe Congress intended the loophole advocated by many in industry: Personal information being collected from children through child-directed properties with no one responsible for such collection.

    Nor is the Commission persuaded by comments arguing that the phrase "on whose behalf" must be read extremely narrowly, encompassing only an agency relationship. Case law supports a broader interpretation of that phrase. 60 Even some commenters opposed to the Commission's interpretation have


    61 Application Developers Alliance (comment 5, 2012 SNPRM), at 2; see also Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 7.

    62 Application Developers Alliance (comment 5, 2012 SNPRM), at 4.

    63 Id.; see also Association for Competitive Technology (comment 7, 2012 SNPRM), at 5; see generally DMA (comment 28, 2012 SNPRM), at 5; Facebook (comment 33, 2012 SNPRM), at 3; Online Publishers Association (comment 72, 2012 SNPRM), at 11.

    64 Id.

    65 See Part II.A.5.b., infra (discussion of persistent identifiers and support of internal operations).

    66 The type of due diligence advocated ranged from essentially relying on a plug-in or advertising network's privacy policy to requiring an affirmative contract. See, e.g., The Walt Disney Co. (comment 96, 2012 SNPRM), at 5 (operator should be able to rely on third party's representations about its information collection practices, if operator makes reasonable efforts to limit unauthorized data collection); Gibson, Dunn & Crutcher (comment 39, 2012 SNPRM), at 2324 (provide a safe harbor for operators that certify they do not receive, own, or control any personal information collected by third parties; alternatively, grant a safe harbor for operators that also certify they do not receive a specific benefit from the collection, or that obtain third party's certification of COPPA compliance); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 67 (provide a safe harbor for operators whose policies prohibit third party collection on their sites).

    67 See Common Sense Media (comment 20, 2012 SNPRM), at 45; EPIC (comment 31, 2012 SNPRM), at 6; Institute for Public Representation (comment 52, 2012 SNPRM), at 1819.

    68 Some commenters, although not conceding the need to impose strict liability on any party, noted that if the burden needed to fall on either the primary content provider or the plug-in, it was better to place it on the party that controlled the child-directed nature of the content. See, e.g., CTIA (comment 24, 2012 SNPRM), at 89; CDT (comment 15, 2012 SNPRM), at 45. Not surprisingly, industry members primarily in the business of providing content did not share this view. See, e.g., Association for Competitive Technology (comment 7, 2012 SNPRM), at 45; Business Software Alliance (comment 12, 2012 SNPRM), at 24; Entertainment Software Association (comment 32, 2012 SNPRM), at 9; Online Publishers Association (comment 72, 2012 SNPRM), at 1011; The Walt Disney Co. (comment 96, 2012 SNPRM), at 6.

    69 This clarification to the term "on behalf of" is intended only to address platforms in instances where they function as a conduit to someone else's content. Platforms may well wear multiple hats and are still responsible for complying with COPPA if they themselves collect personal information directly from children.

    70 See Business Software Alliance (comment 12, 2012 SNPRM), at 45; Digital Advertising Alliance (comment 27, 2012 SNPRM), at 2; Google (comment 41, 2012 SNPRM), at 4; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 7; Magazine Publishers of America (comment 61, 2012

    acknowledged that the Commission's proposal is based on an accurate recognition that online content monetization is accomplished through a complex web of inter-related activities by many parties, and have noted that to act on behalf of another is to do what that person would ordinarily do herself if she could. 61 That appears to be precisely the reason many first-party content providers integrate these services. As one commenter pointed out, content providers have chosen to devote their resources to develop great content, and to let partners help them monetize that content. In part, these app developers and publishers have made this choice because collecting and handling children's data internally would require them to take on liability risk and spend compliance resources that they do not have. 62 Moreover, content-providing sites and services often outsource the monetization of those sites to partners because they do not have the desire to handle it themselves. 63

    In many cases, child-directed properties integrate plug-ins to enhance the functionality or content of their properties or gain greater publicity through social media in an effort to drive more traffic to their sites and services. Child-directed properties also may obtain direct compensation or increased revenue from advertising networks or other plug-ins. These benefits to child-directed properties are not merely incidental; as the comments point out, the benefits may be crucial to their continued viability. 64

    The Commission recognizes the potential burden that strict liability places on child-directed content providers, particularly small app developers. The Commission also appreciates the potential for discouraging dynamic child-directed content. Nevertheless, when it enacted COPPA, Congress imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information; those requirements cannot be avoided through outsourcing offerings to other operators in the online ecosystem. The Commission believes that the potential burden on child-directed sites discussed by the commenters in response to the 2012 SNPRM will be eased by the more limited definition of persistent identifiers, the more expansive definition of support for internal operations adopted in the Final Rule, and the newly-created exception to the Rule's notice and parental consent requirements that applies when an operator collects only a persistent identifier and only to support the operator's internal operations. 65

    The Commission considered including the due-diligence safe harbor for child-directed content providers that many of the comments proposed. 66 Nevertheless, as many other comments pointed out, it cannot be the responsibility of parents to try to pierce the complex infrastructure of entities that may be collecting their children's personal information through any one site. 67 For child-directed properties, one entity, at least, must be strictly responsible for providing parents notice and obtaining consent when personal information is collected through that site. The Commission believes that the primary-content site or service is in the best position to know which plug-ins it integrates into its site, and is also in the best position to give notice and obtain consent from parents. 68 Although the Commission, in applying its prosecutorial discretion, will consider the level of due diligence a primary-content site exercises, the Commission will not provide a safe harbor from liability.

    When it issued the 2012 SNPRM, the Commission never intended the language describing "on whose behalf" to encompass platforms, such as Google Play or the App Store, when such stores merely offer the public access to someone else's child-directed content. In these instances, the Commission meant the language to cover only those entities that designed and controlled the content, i.e., the app developer or site owner. Accordingly, the Commission has revised the language proposed in the 2012 SNPRM to clarify that personal information will be deemed to be collected on behalf of an operator where it benefits by allowing another person to collect personal information directly from users of such operator's site or service, thereby limiting the provision's coverage to operators that design or control the child-directed content. 69 Accordingly, the Final Rule shall state that personal information is collected or maintained on behalf of an operator when it is collected or maintained by an agent or service provider of the operator; or the operator benefits by allowing another person to collect personal information directly from users of such operator's Web site or online service.

    b. Operators Collecting Personal Information Through Child-Directed Sites and Online Services: Moving to an Actual Knowledge Standard

    In the 2012 SNPRM, the Commission proposed holding responsible as a co-operator any site or online service that knows or has reason to know it is collecting personal information through a host Web site or online service directed to children. Many commenters criticized this standard. Industry comments contended that such a standard is contrary to the statutory mandate that general audience services be liable only if they have actual knowledge they are collecting information from a child. 70 They further


    SNPRM), at 8; Toy Industry Association (comment 89, 2012 SNPRM), at 1011; see also ACLU (comment 3, 2012 SNPRM), at 23; TechAmerica (comment 87, 2012 SNPRM), at 3.

    71 See CDT (comment 15, 2012 SNPRM), at 2; CTIA (comment 24, 2012 SNPRM), at 10; Entertainment Software Association (comment 32, 2012 SNPRM), at 9; Marketing Research Association (comment 62, 2012 SNPRM), at 2; Tangman (comment 85, 2012 SNPRM).

    72 See DMA (comment 28, 2012 SNPRM), at 9; Magazine Publishers of America (comment 61, 2012 SNPRM), at 8; Menessec (comment 65, 2012 SNPRM); Privo (comment 76, 2012 SNPRM), at 8.

    73 See Common Sense Media (comment 20, 2012 SNPRM), at 6; Institute for Public Representation (comment 52, 2012 SNPRM), at 2022.

    74 See Digital Advertising Alliance (comment 27, 2012 SNPRM), at 2; DMA (comment 28, 2012 SNPRM), at 89; Entertainment Software Association (comment 32, 2012 SNPRM), at 1314.

    75 Similarly, when a behavioral advertising network offers age-based advertising segments that target children under 13, that portion of its service becomes an online service directed to children. Contra DMA (comment 28, 2012 SNPRM), at 12. The Commission also believes that narrowing the definition of persistent identifiers and further revisions to the definition of Web site or online service directed to children ease (although not entirely eliminate) many of the concerns expressed in industry comments. See, e.g., CDT (comment 15, 2012 SNPRM), at 3; Digital Advertising Alliance (comment 27, 2012 SNPRM), at 2; Entertainment Software Association (comment 32, 2012 SNPRM), at 14 (combination of reason to know standard and expanded definition of persistent identifiers creates an unworkable result).

    76 See Microsoft (comment 66, 2012 SNPRM), at 2; TRUSTe (comment 90, 2012 SNPRM), at 4; see also Association for Competitive Technology (comment 7, 2012 SNPRM), at 34; Google (comment 41, 2012 SNPRM), at 4; DMA (comment 28, 2012 SNPRM), at 7; Viacom (comment 95, 2012 SNPRM), at 89.

    77 See 16 CFR 312.2 (paragraph (n), definition of personal information).

    78 2011 NPRM, 76 FR at 59810.

    79 Id.

    80 See DMA (comment 37, 2011 NPRM), at 1516; ESA (comment 47, 2011 NPRM), at 9; NCTA (comment 113, 2011 NPRM), at 12; Scholastic (comment 144, 2011 NPRM), at 12; A. Thierer (comment 162, 2011 NPRM), at 6; TRUSTe (comment 164, 2011 NPRM), at 3; The Walt Disney Co. (comment 170, 2011 NPRM), at 21.

    81 See 2011 NPRM, 76 FR at 59810 (proposed definition of online contact information).

    82 See Common Sense Media (comment 20, 2012 SNPRM), at 7; Information Technology Industry Council (comment 51, 2012 SNPRM), at 2; Marketing Research Association (comment 62, 2012 SNPRM), at 3; Promotion Marketing Association (comment 77, 2012 SNPRM), at 8; TechAmerica (comment 87, 2012 SNPRM), at 56.

    83 See, e.g., Promotion Marketing Association, id.

    84 See DMA (comment 28, 2012 SNPRM), at 16; ESA (comment 32, 2012 SNPRM), at 5; kidSAFE Seal Program (comment 56, 2012 SNPRM), at 5; NCTA (comment 69, 2012 SNPRM), at 45; Online

    argued that the standard is vague because it is impossible to determine what type of notification would provide a reason to know. Thus, the commenters argued that the standard triggers a duty to inquire. 71 In addition, commenters stated that even after inquiring, it might be impossible to determine which sites are truly directed to children (particularly in light of the Commission's revised definition of Web site directed to children to include those sites that are likely to attract a disproportionate percentage of children under 13). 72 Conversely, many privacy advocates believed it is necessary to impose some duty of inquiry, or even strict liability, on the entity collecting the personal information. 73

    After considering the comments, the Commission has decided that while it is appropriate to hold an entity liable under COPPA for collecting personal information on Web sites or online services directed to children, it is reasonable to hold such entity liable only where it has actual knowledge that it is collecting personal information directly from users of a child-directed site or service. In striking this balance by moving to an actual knowledge standard, the Commission recognizes that this is still contrary to the position advocated by many industry comments: That a plug-in or advertising network that collects personal information from users of both general audience and child-directed sites must be treated monolithically as a general audience service, liable only if it has actual knowledge that it is collecting personal information from a specific child. 74 However, the COPPA statute also defines Web site or online service directed to children to include that portion of a commercial Web site or online service that is targeted to children. Where an operator of an otherwise general audience site or online service has actual knowledge it is collecting personal information directly from users of a child-directed site, and continues to collect that information, then, for purposes of the statute, it has effectively adopted that child-directed content as its own and that portion of its service may appropriately be deemed to be directed to children. 75

    Commenters urged that, whatever standard the Commission ultimately adopts, it provide guidance as to when a plug-in or advertising network would be deemed to have knowledge that it is collecting information through a child-directed site or service. 76 Knowledge, by its very nature, is a highly fact-specific inquiry. The Commission believes that the actual knowledge standard it is adopting will likely be met in most cases when: (1) A child-directed content provider (who will be strictly liable for any collection) directly communicates the child-directed nature of its content to the other online service; or (2) a representative of the online service recognizes the child-directed nature of the content. The Commission does not rule out that an accumulation of other facts would be sufficient to establish actual knowledge, but those facts would need to be analyzed carefully on a case-by-case basis.

    5. Definition of Personal Information

    a. Screen or User Names

    The Rule defines personal information as including a screen name that reveals an individual's email address. 77 In the 2011 NPRM, the Commission proposed to modify this definition to include a screen or user name where such screen or user name is used for functions other than or in addition to support for the internal operations of the Web site or online service. 78 The Commission intended this change to address scenarios in which a screen or user name could be used by a child as a single credential to access multiple online properties, thereby permitting him or her to be directly contacted online, regardless of whether the screen or user name contained an email address. 79

    Some commenters expressed concern that the Commission's screen-name proposal would unnecessarily inhibit functions that are important to the operation of child-directed Web sites and online services. 80 In response to this concern, the 2012 SNPRM proposed covering screen names as personal information only in those instances in which a screen or user name rises to the level of online contact information. In such cases, the Commission reasoned, a screen or user name functions much like an email address, an instant messaging identifier, or any other substantially similar identifier that permits direct contact with a person online. 81

    The Commission received a number of comments in support of this change from industry associations and advocacy groups. 82 Commenters recognized the change as providing operators with the flexibility to use screen or user names both for internal administrative purposes and across affiliated sites, services, or platforms without requiring prior parental notification or verifiable parental consent. 83

    A number of commenters, however, despite clear language otherwise in the 2012 SNPRM, continued to express concern that the Commission's proposed revision would limit operators' use of anonymized screen names in place of children's real names in filtered chat, moderated interactive forums, or as log-in credentials providing users with seamless access to content across multiple platforms and devices. 84 Some of these commenters


    Publishers Association (comment 72, 2012 SNPRM), at 12; Toy Industry Association (comment 89, 2012 SNPRM), at 13; TRUSTe (comment 90, 2012 SNPRM), at 56.

    85 See Online Publishers Association (comment 72, 2012 SNPRM), at 12; TRUSTe (comment 90, 2012 SNPRM), at 56.

    86 See kidSAFE Seal Program (comment 56, 2012 SNPRM), at 5.

    87 See ESA (comment 32, 2012 SNPRM), at 5.

    88 See Common Sense Media (comment 20, 2012 SNPRM), at 7.

    89 See 16 CFR 312.2 of the existing Rule (paragraph (f), definition of personal information).

    90 See 2011 NPRM, 76 FR at 59812 (proposed definition of personal information, paragraphs (g) and (h)).

    91 Those comments are discussed in the 2012 SNPRM, 77 FR at 46647.

    92 Id.

    93 The proposed definition of support for internal operations was published at 77 FR 46648.

    94 Contextual advertising is the delivery of advertisements based upon a consumer's current visit to a Web page or a single search query, without the collection and retention of data about the consumer's online activities over time. See Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, (Dec. 2010), at 55 n.134, available at http://ftc.gov/os/2010/12/101201privacyreport.pdf. Such advertising is more transparent and presents fewer privacy concerns as compared to the aggregation and use of data across sites and over time for marketing purposes. See id.

    95 For example, the term personalize the content on the Web site or online service was intended to permit operators to maintain user-driven preferences, such as game scores, or character choices in virtual worlds.

    96 Id.

    97 15 U.S.C. 6501(8)(F) defines personal information to include any other identifier that the Commission determines permits the physical or online contacting of a specific individual. See, e.g., Gibson Dunn & Crutcher (comment 39, 2012 SNPRM), at 20 (This expansion of the definition of personal information is inconsistent with the text of COPPA, which limits personal information to categories of information that by themselves can be used to identify and contact a specific individual. Every category of information that COPPA enumerates - name, physical address, email address, telephone number, and Social Security number - as well as the catch-all for any other identifier that the Commission determines permits the physical or online contacting of a specific individual, 15 U.S.C. 6501(8)(A)(F) is information that makes it possible to identify and contact a specific individual); see also Business Software Alliance (comment 12, 2012 SNPRM), at 56; CTIA (comment 24, 2012 SNPRM), at 1417; Chappell (comment 18, 2012 SNPRM), at 1; DMA (comment 28, 2012 SNPRM), at 10; Facebook (comment 33, 2012 SNPRM), at 9; Information Technology Industry Council (comment 51, 2012 SNPRM), at 2; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 1113; Microsoft (comment 66, 2012 SNPRM), at 3; NetChoice (comment 70, 2012 SNPRM), at 7; TechFreedom (comment 88, 2012 SNPRM), at 56.

    98 See Application Developers Alliance (comment 5, 2012 SNPRM), at 6; Business Software Alliance (comment 12, 2012 SNPRM), at 6; Information Technology and Innovation Foundation (comment 50, 2012 SNPRM), at 67; NetChoice (comment 70, 2012 SNPRM), at 6.

    99 Facebook (comment 33, 2012 SNPRM), at 910; Google (comment 41, 2012 SNPRM), at 5; J. Holmes (comment 47, 2012 SNPRM).

    urged the Commission to refine the definition further, for example, by explicitly recognizing that the use of screen names for activities such as moderated chat will not be deemed as permitting direct contact with a child online and therefore will not require an operator using anonymous screen names to notify parents or obtain their consent. 85 Others suggested a return to the Commission's original definition of screen or user names, i.e., only those that reveal an individual's online contact information (as newly defined). 86 Yet others hoped to see the Commission carve out from the definition of screen or user name uses to support an operator's internal operations (such as using screen or user names to enable moderated or filtered chat and multiplayer game modes). 87

    The Commission sees no need to qualify further the proposed description of screen or user name. The description identifies precisely the form of direct, private, user-to-user contact the Commission intends the Rule to cover, i.e., online contact [that] can now be achieved via several methods besides electronic mail. 88 The Commission believes the description permits operators to use anonymous screen and user names in place of individually identifiable information, including use for content personalization, filtered chat, for public display on a Web site or online service, or for operator-to-user communication via the screen or user name. Moreover, the definition does not reach single log-in identifiers that permit children to transition between devices or access related properties across multiple platforms. For these reasons, the Commission modifies the definition of personal information, as proposed in the 2012 SNPRM, to include a screen or user name where it functions in the same manner as online contact information, as defined in this Section.

    b. Persistent Identifiers and Support for Internal Operations

    Persistent identifiers have long been covered by the COPPA Rule, but only where they are associated with individually identifiable information. 89 In the 2011 NPRM, and again in the 2012 SNPRM, the Commission proposed broader Rule coverage of persistent identifiers.

    First, in the 2011 NPRM, the Commission proposed covering persistent identifiers in two scenarios: (1) where they are used for functions other than or in addition to support for the internal operations of the Web site or online service, and (2) where they link the activities of a child across different Web sites or online services. 90 After receiving numerous comments on the proposed inclusion of persistent identifiers within the definition of personal information, 91 the Commission refined its proposal in the 2012 SNPRM.

    In the Commission's refined proposal in the 2012 SNPRM, the definition of personal information would include a persistent identifier that can be used to recognize a user over time, or across different Web sites or online services, where such persistent identifier is used for functions other than or in addition to support for the internal operations of the Web site or online service. 92 The Commission also proposed to set forth with greater specificity the types of permissible activities that would constitute support for internal operations. 93 The proposed revision to this latter definition was intended to accomplish three goals: (1) To incorporate into the Rule text many of the types of activities (user authentication, maintaining user preferences, serving contextual advertisements, 94 and protecting against fraud or theft) that the Commission initially discussed as permissible in the 2011 NPRM; (2) to specifically permit the collection of persistent identifiers for functions related to site maintenance and analysis, and to perform network communications that many commenters viewed as crucial to their ongoing operations; 95 and (3) to make clear that none of the information collected may be used or disclosed to contact a specific individual, including through the use of behavioral advertising. 96

    Most of the commenters who responded to the 2012 SNPRM opposed the Commission's refinement. Many continued to argue, as they had done in response to the 2011 NPRM, that because persistent identifiers only permit contact with a device, not a specific individual, the Commission was exceeding its statutory authority by defining them as personal information. 97 Others argued strenuously for the benefits to children, parents, operators, and commerce of collecting anonymous information on, and delivering advertisements to, unknown or unnamed users. 98 Some commenters maintained that, to comply with COPPA's notice and consent requirements in the context of persistent identifiers, sites would be forced to collect more personal information on their users, contrary to COPPA's goals of data minimization. 99

    Because the proposed definition of persistent identifiers ran hand-in-hand with the proposed carve-out for


    100 Association for Competitive Technology (comment 7, 2012 SNPRM), at 5; Business Software Alliance (comment 12, 2012 SNPRM), at 67; CTIA (comment 24, 2012 SNPRM), at 1718; DMA (comment 28, 2012 SNPRM), at 1012; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 12; Microsoft (comment 66, 2012 SNPRM), at 35; NetChoice (comment 70, 2012 SNPRM), at 89.

    101 See DMA (comment 28, 2012 SNPRM), at 11 (warning that an exhaustive list is likely to have unintended consequences if companies are not afforded flexibility as technologies evolve); Digital Advertising Alliance (comment 27, 2012 SNPRM), at 3; Internet Commerce Coalition (comment 53, 2012 SNPRM), at 34, 12 ("[T]he definition of support for the internal operations of a Web site is too narrow. * * * This list of exempt collections is incomplete and risks quickly becoming outmoded."); Magazine Publishers of America (comment 61, 2012 SNPRM), at 11; Online Publishers Association (comment 72, 2012 SNPRM), at 8; Promotion Marketing Association (comment 77, 2012 SNPRM), at 7; Computer and Communications Industry Association (comment 27, 2011 NPRM), at 4 (the exceptions are narrow and immobile short of another rulemaking).

    102 See, e.g., Association for Competitive Technology (comment 7, 2012 SNPRM), at 5; IAB (comment 49, 2012 SNPRM), at 4; TechFreedom (comment 88, 2012 SNPRM), at 11; Toy Industry Association (comment 89, 2012 SNPRM), at 15; Viacom Inc. (comment 95, 2012 SNPRM), at 13.

    103 CDT (comment 15, 2012 SNPRM), at 67; Google (comment 41, 2012 SNPRM), at 5; Toy Industry Association (comment 89, 2012 SNPRM), at 14.

    104 Institute for Public Representation (comment 52, 2012 SNPRM), at 13.

    105 See CDT (comment 15, 2012 SNPRM), at 6 (We do, however, agree with the Commission that behavioral targeting of children using unique identifiers should trigger COPPA compliance obligations); Internet Commerce Coalition (comment 53, 2012 SNPRM), at 12; see also AT&T (comment 8, 2011 NPRM), at 7; Future of Privacy Forum (comment 55, 2011 NPRM), at 2; WiredTrust (comment 177, 2011 NPRM), at 9; Visa Inc. (comment 168, 2011 NPRM), at 2.

    106 See 2011 NPRM, 76 FR at 59811.

    107 See J. Bowman, Real-time Bidding - How It Works and How To Use It, Warc Exclusive (Feb. 2011), available at http://www.improvedigital.com/en/wp-content/uploads/2011/09/Warc-RTB-Feb11.pdf (With real-time bidding, advertisers can decide to put a specific ad in front of a specific individual web user on a given site, bid for that impression and, if they win the bid, serve the ad, all in the time it takes for a page to load on the target consumer's computer.); L. Fisher, eMarketer's Guide to the Digital Advertising Ecosystem: Mapping the Display Advertising Purchase Paths and Ad Serving Process (Oct. 2012), available at http://www.emarketer.com/Corporate/reports (media buyers can deliver personalized, impression-by-impression, ads based on what is known about individual viewer attributes, behaviors, and site context).

    108 15 U.S.C. 6501(8).

    109 See Toy Industry Association (comment 89, 2012 SNPRM), at 14; see also ESA (comment 32, 2012 SNPRM), at 8; NetChoice (comment 70, 2012 SNPRM), at 78.

    110 This interpretation of affiliate relationships is consistent with prior Commission articulations. See FTC Report, Protecting Consumer Privacy in an Era of Rapid Change (March 2012), at 4142, available at http://ftc.gov/os/2012/03/120326privacyreport.pdf (The Commission maintains the view that affiliates are third parties, and a consumer choice mechanism is necessary unless the affiliate relationship is clear to consumers); see also kidSAFE Seal Program (comment 56, 2012 SNPRM), at 5 (asking the Commission to clarify what is meant by the phrase across different Web sites or online services in the context of persistent identifiers).

    permissible activities, most commenters also opined on the proposed scope of the definition of support for internal operations. 100 Unsurprisingly, these commenters urged the Commission to broaden the definition either to make the list of permissible activities non-exhaustive, 101 or to clarify that activities such as ensuring legal and regulatory compliance, intellectual property protection, payment and delivery functions, spam protection, statistical reporting, optimization, frequency capping, de-bugging, market research, and advertising and marketing more generally would not require parental notification and consent on COPPA-covered sites or services. 102 Other commenters expressed confusion about which entities operating on or through a property could take advantage of the support for internal operations exemption. 103 Children's advocacy groups, by contrast, expressed fear that the proposed definition was already so broad that it could exempt the collection of many persistent identifiers used to facilitate targeted marketing. 104

    Several commenters supported the Commission's premise that the collection of certain persistent identifiers permits the physical or online contacting of a specific individual, but asked the Commission to take a different tack to regulating such identifiers. Rather than cover all persistent identifiers and then carve out permissible uses, these commenters suggested a simpler approach: the Commission should apply the Rule only to those persistent identifiers used for the purposes of contacting a specific child, including through online behavioral advertising. 105

    The Commission continues to believe that persistent identifiers permit the online contacting of a specific individual. As the Commission stated in the 2011 NPRM, it is not persuaded by arguments that persistent identifiers only permit the contacting of a device. 106 This interpretation ignores the reality that, at any given moment, a specific individual is using that device. Indeed, the whole premise underlying behavioral advertising is to serve an advertisement based on the perceived preferences of the individual user. 107

    Nor is the Commission swayed by arguments noting that multiple individuals could be using the same device. Multiple people often share the same phone number, the same home address, and the same email address, yet Congress still classified these, standing alone, as individually identifiable information about an individual. 108 For these reasons, and the reasons stated in the 2011 NPRM, the Commission will retain persistent identifiers within the definition of personal information.

    However, the Commission recognizes that persistent identifiers are also used for a host of functions that have little or nothing to do with contacting a specific individual, and that these uses are fundamental to the smooth functioning of the Internet, the quality of the site or service, and the individual user's experience. It was for these reasons that the Commission proposed to expand the definition of support for internal operations in the 2012 SNPRM.

    The Commission has determined to retain the approach suggested in the 2011 NPRM and refined in the 2012 SNPRM, with certain revisions. First, the final Rule modifies the proposed definition of persistent identifier to cover a persistent identifier that can be used to recognize a user over time and across different Web sites or online services. This modification takes into account concerns several commenters raised that using a persistent identifier within a site or service over time serves an important function in conducting site performance assessments and supporting intra-site preferences. 109 However, in this context, not every Web site or service with a tangential relationship will be exempt; the term "different" means either sites or services that are unrelated to each other, or sites or services where the affiliate relationship is not clear to the user. 110

    Second, the Commission has determined that the carve-out for use of a persistent identifier to provide support for the internal operations of a Web site or online service is better articulated as a separate exception to the Rule's requirements. For this reason, it has amended Section 312.5(c) (Exceptions to prior parental consent) to add a new exception providing that where an operator collects only a persistent identifier for the sole purpose of providing support for its internal operations, the operator will have no notice or consent obligations under the Rule. This is a change in organization, rather than a substantive change, from the Commission's earlier proposals.

    In addition, in response to the arguments made in a number of comments, the Commission has further modified the 2012 SNPRM proposed definition of support for internal operations to add frequency capping of advertising and legal or regulatory compliance to the permissible uses


    111 See, e.g., Digital Advertising Alliance (comment 27, 2012 SNPRM), at 3; DMA (comment 28, 2012 SNPRM), at 11; IAB (comment 73, 2011 NPRM), at 1011; Magazine Publishers of America (comment 61, 2012 SNPRM), at 11; Microsoft (comment 66, 2012 SNPRM), at 5; Online Publishers Association (comment 123, 2011 NPRM), at 45; Viacom Inc. (comment 95, 2012 SNPRM), at 14.

    112 See EPIC (comment 31, 2012 SNPRM), at 9. The Commission disagrees with the contention by certain commenters that the word necessary is confusing and unduly restrictive. See Online Publishers Association (comment 72, 2012 SNPRM), at 9. In this context, the term means that an operator may collect a covered persistent identifier if it uses it for the purposes listed in the definition of support for internal operations. The operator need not demonstrate that collection of the identifier was the only means to perform the activity.

    113 144 Cong. Rec. S8482 (Statement of Sen. Bryan (1998)).

    114 See, e.g., Association for Competitive Technology (comment 7, 2012 SNPRM), at 5; IAB (comment 73, 2011 NPRM), at 11.

    115 See 2011 NPRM, 76 FR at 59813.

    116 Id.

    117 Institute for Public Representation (comment 71, 2011 NPRM), at 33; Privacy Rights Clearinghouse (comment 131, 2011 NPRM), at 2.

    118 See DMA (comment 37, 2011 NPRM), at 17; Promotion Marketing Association (comment 133, 2011 NPRM), at 12; NCTA (comment 113, 2011 NPRM), at 16. Certain commenters interpreted the Commission's proposal as inapplicable to user-generated content, but applicable to an operator's own use of children's images or voices. See CTIA (comment 32, 2011 NPRM), at 12; National Retail Federation (comment 114, 2011 NPRM), at 4; F. Page (comment 124, 2011 NPRM).

    119 See American Association of Advertising Agencies (comment 2, 2011 NPRM), at 4; Internet Commerce Coalition (comment 74, 2011 NPRM), at 5; Promotion Marketing Association (comment 133, 2011 NPRM), at 12; see also DMA (comment 37, 2011 NPRM), at 17.

    120 See Intel Corp. (comment 72, 2011 NPRM), at 67; Motion Picture Association of America (MPAA) (comment 109, 2011 NPRM), at 13.

    121 See Privo (comment 76, 2012 SNPRM), at 7; DMA (comment 37, 2011 NPRM), at 1718; Promotion Marketing Association (comment 133, 2011 NPRM), at 12; WiredSafety (comment 177, 2011 NPRM), at 10.

    enumerated therein. 111 The Commission declines to add certain other language proposed by commenters, such as intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, or de-bugging, because it believes that these functions are sufficiently covered by the definitional language permitting activities that maintain or analyze the functions of the Web site or service, or protect the security or integrity of the site or service. Under this revised definition, most of the activities that commenters cite to as important to permitting the smooth and optimal operation of Web sites and online services will be exempt from COPPA coverage.

    The Commission also is cognizant that future technical innovation may result in additional activities that Web sites or online services find necessary to support their internal operations. Therefore, the Commission has created a voluntary process (new Section 312.12(b)) whereby parties may request Commission approval of additional activities to be included within the definition of support for internal operations. Any such request will be placed on the public record for notice and comment, and the Commission will act on it within 120 days.

    The final amended language makes clear that operators may only engage in activities necessary to support the covered functions. The Commission agrees with commenter EPIC that "[t]he presence of the word necessary [in the statute] * * * indicates that the use of persistent identifiers is to be limited to the above activities, and that these activities are to be narrowly construed." 112 Moreover, operators may not use persistent identifiers that fall within the Rule's definition of personal information for any purposes other than those listed within the definition of support for internal operations. Accordingly, the Rule will require operators to obtain parental consent for the collection of persistent identifiers where used to track children over time and across sites or services. Without parental consent, operators may not gather persistent identifiers for the purpose of behaviorally targeting advertising to a specific child. They also may not use persistent identifiers to amass a profile on an individual child user based on the collection of such identifiers over time and across different Web sites in order to make decisions or draw insights about that child, whether that information is used at the time of collection or later. 113

    Several commenters sought clarification of whether a party's status as a first party or a third party would affect its ability to rely upon the support for internal operations definition. 114 To the extent that a child-directed content site or service engages service providers to perform functions encompassed by the definition of support for internal operations, those functions will be covered as support for the content-provider's internal operations. If a third party collecting persistent identifiers is deemed an operator under the Rule (e.g., because it has actual knowledge it is collecting personal information from users of a child-directed site or service, or it has actual knowledge it is collecting personal information from a child through a general audience site or service), that operator may rely on the Rule's support for internal operations definition when it uses persistent identifier information for functions that fall within it.

    c. Photographs, Videos, and Audio Files

    The Rule's existing definition of personal information includes photographs only when they are combined with other information such that the combination permits physical or online contacting. Given the prevalence and popularity of posting photos, videos, and audio files online, in the 2011 NPRM, the Commission reevaluated the privacy and safety implications of such practices as they pertain to children. The Commission determined that the inherently personal nature of photographs, and the fact that they may contain information such as embedded geolocation data, or can be paired with facial recognition technology, makes them identifiers that permit the physical or online contacting of a specific individual. 115 The Commission found the same risks attendant with the online uploading of video and audio files. 116 Accordingly, the Commission proposed creating a new category within the definition of personal information covering a photograph, video, or audio file where such file contains a child's image or voice.

    Some commenters supported this proposal. For example, the Institute for Public Representation, on behalf of a group of children's privacy advocates, stated that "[b]ecause photographs, videos, and audio files can convey large amounts of information about children that can make them more vulnerable to behavioral advertising, and possibly put their personal safety at risk as well, these types of information should be included in the definition of personal information." 117

    Several commenters criticized the Commission's proposal, claiming that the effect would limit children's participation in online activities involving user-generated content. 118 Several commenters issued blanket statements that photos, videos, and audio files, in and of themselves, do not permit operators to locate or contact a child. 119 Other commenters stated that the Commission's proposal is premature, arguing that facial recognition technologies are only in their nascent stages. 120 Finally, several commenters argued that the Commission should narrow the scope of its proposal, exempting from coverage photos, videos, or audio files that have been prescreened to remove any metadata or other individually identifiable information. 121 Others asked the Commission to carve out from coverage photos or videos where used to


    122 ESA (comment 47, 2011 NPRM), at 14 n.21; kidSAFE Seal Program (comment 81, 2011 NPRM), at 11.

    123 See WiredSafety (comment 177, 2011 NPRM), at 10 (the risk of using a preteen's clear image in still photos or in video formats is obvious); see also Intel (comment 72, 2011 NPRM), at 7 (we propose limiting the Commission's new definition to a photograph, video or audio file where such file contains a child's image or voice which may reasonably allow identification of the child). The Commission believes that operators who choose to blur photographic images of children prior to posting such images would not be in violation of the Rule.

    124 15 U.S.C. 6501(8)(F) (italics added).

    125 Privacy Rights Clearinghouse (comment 131, 2011 NPRM), at 2; see also TRUSTe (comment 164, 2011 NPRM), at 7 (biometrics such as those provided in a photo, video or audio recording are personal information and greater protections need to be provided).

    126 The Commission notes that this amendment would not apply to uploading photos or videos on general audience sites such as Facebook or YouTube, absent actual knowledge that the person uploading such files is a child.

    127 76 FR at 59813.

    128 Id. Adding new paragraph (10) to the definition of personal information in 16 CFR 312.2.

    129 See AT&T (comment 8, 2011 NPRM), at 5; see also American Association of Advertising Agencies (comment 2, 2011 NPRM), at 4; CTIA (comment 32, 2011 NPRM), at 9; DMA (comment 37, 2011 NPRM), at 17; Promotion Marketing Association (comment 133, 2011 NPRM), at 13; Software & Information Industry Association (SIIA) (comment 150, 2011 NPRM), at 8; Verizon (comment 167, 2011 NPRM), at 6.

    130 See Internet Commerce Coalition (comment 74, 2011 NPRM), at 5; see also AT&T (comment 8, 2011 NPRM), at 56.

    131 See, e.g., CTIA (comment 32, 2011 NPRM), at 9; Future of Privacy Forum (comment 55, 2011 NPRM), at 5; Verizon (comment 167, 2011 NPRM), at 6 (Consistent with Congressional intent, geolocation information should be treated as personal information only when the data is tied to a specific individual.).

    132 15 U.S.C. 6501(8)(B).

    133 For this reason, the Commission finds those comments focusing on the potential to capture a large geographic area to be inapposite. See IAB (comment 73, 2011 NPRM), at 6 (without an address or other additional data to identify a household or individual, a street name and city could encompass a large geographic area and as many as 1,000 households. For example, Sepulveda Boulevard, in the Los Angeles area, is over 40 miles long).

    134 See Consumers Union (comment 29, 2011 NPRM), at 3; see also EPIC (comment 41, 2011 NPRM), at 89 (As with IP addresses and user names, geolocation information can be used to track a particular device, which is usually linked to a particular individual.).

    135 See American Association of Advertising Agencies (comment 2, 2011 NPRM), at 4; AT&T (comment 8, 2011 NPRM), at 6; DMA (comment 37, 2011 NPRM), at 17; Promotion Marketing Association (comment 133, 2011 NPRM), at 13; Verizon (comment 167, 2011 NPRM), at 6.

    136 CTIA (comment 32, 2011 NPRM), at 9.

    137 kidSAFE Seal Program (comment 81, 2011 NPRM), at 11.

    138 TRUSTe (comment 164, 2011 NPRM), at 3.

    support internal operations of a site or service. 122 Commenter WiredSafety urged the Commission to adopt a standard that would permit operators to blur images of children before uploading them, thereby reducing the risks of exposure. 123

    The Commission does not dispute that uploading photos, videos, and audio files can be entertaining for children. Yet, it is precisely the very personal nature of children's photographic images, videos, and voice recordings that leads the Commission to determine that such files meet the standard for personal information set forth by Congress in the COPPA statute. That is, in and of themselves, such files permit the physical or online contacting of a specific individual. 124 As the Privacy Rights Clearinghouse stated, [a]s fac