COPPA '08 SS.FIN_mtd

Supporting Statement for
Information Collection Provisions of
The Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
(1) Necessity for Collecting the Information
The Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. § 6501 et seq.,
prohibits unfair and deceptive acts and practices in connection with the collection and use of
personally identifiable information from and about children1 on the Internet. The underlying
goals of the Act are: (1) to enhance parental involvement in children’s online activities in order
to protect the privacy of children in the online environment; (2) to help protect the safety of
children in online fora such as chat rooms, home pages, and pen-pal services in which children
may make public postings of identifying information; (3) to maintain the security of children’s
personal information collected online; and (4) to limit the collection of personal information
from children without parental consent. See 144 Cong. Rec. S11657 (Oct. 7, 1998) (statement of
Sen. Bryan).
The COPPA Rule (“Rule”), 16 C.F.R. Part 312, imposes requirements on operators of
websites or online services directed to children under 13 years of age or that have actual
knowledge that they are collecting personal information online from children under 13 years of
age. Among other things, the Rule:
(1)
(2)
(3)
(4)
(5)

requires operators to provide notice to parents of the specific types of personal
information sought to be collected from children and their uses (section 312.3);
specifies the placement and content of the required online notice and describes the
contents of the direct notice to parents (section 312.4);
requires operators to obtain “verifiable parental consent” prior to collecting, using, or
disclosing children’s personal information (section 312.5);
requires operators to establish procedures that protect the confidentiality, security, and
integrity of personal information collected from children (section 312.8); and
requires operators to provide reasonable means for the parent to review the information
(section 312.6).

The Rule’s requirements are necessary because: (a) they are expressly mandated by the
Act; and (b) the requirements ensure that parents and others know what specific kinds of
information are being collected from their children, how that information is used, and how it
may be disclosed to others.
The Rule additionally contains reporting and recordkeeping requirements for operators
seeking safe harbors. Section 312.10(c) requires that applicants for safe harbor status submit to
the Federal Trade Commission (“Commission”) certain specific documents and information,
including, among other things, a copy of the guidelines for which approval is sought and a
1

A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. 6501(2).

statement explaining how the guidelines and related assessment mechanism meet the Rule’s
requirements. Section 312.10(d) requires these applicants to keep for 3 years records of
consumer complaints (alleging violations of the guidelines), disciplinary actions taken against
subject operators, and results of independent assessments of the operators’ compliance with the
guidelines.
(2) Use of the Information
Providing the online disclosure information described above enables parents to determine
whether to seek access from a website or online service operator to review their children’s
personal information and whether to object to any further collection, maintenance, or use of such
information.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burden of such requirements, thereby consistent with the aims of
the Government Paperwork Elimination Act, P.L. 105-277, Title XVII, 112 Stat. 2681-749. In
particular, section 312.3 of the Rule requires that notices be posted online on the operators’
website or online service, and section 312.4 expressly contemplates that operators’ shall “tak[e]
into account available technology” in ensuring that parents receive notice of the operators’
information practices. Notice under section 312.5(c) incorporates by reference the notice
requirement of section 312.4, and nothing in the remaining notice requirement, section 312.6,
prohibits regulated entities from providing such notice using the least burdensome information
technology to reduce compliance burdens.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government
agencies. The Commission’s Rule review proceeding conducted in 2005 sought public
comments on these requirements, including the extent to which they may be unnecessary or
duplicative. 70 Fed. Reg. 21,104 (Apr. 22, 2005). Comments received for the Rule review
indicate that neither operators nor parents have found the Rule’s standards to be overly
burdensome and that operators have been able to use the COPPA standards successfully in
providing online content for children. See Implementing the Children's Online Privacy
Protection Act: A Federal Trade Commission Report to Congress (February 2007), at
http://www.ftc.gov/opa/2007/02/copparpt.shtm.

2

(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the Rule to minimize the compliance burden of these
requirements as much as possible. The notice requirements are expressly mandated by the
COPPA, as described above. The Commission’s Rule implements these requirements by
providing guidance on the contents of such notices while allowing small businesses (and all
other regulated businesses) to determine the most cost-effective means of disseminating such
notices.
Specifically, the notice that the COPPA requires to be posted online has been interpreted
under the Commission’s Rule in the least burdensome manner possible, i.e., by permitting a
hyperlink to such notice, rather than the complete text of such notice, on the home page of the
website and other web page(s) or other online location(s) where personal information is collected
from children. See section 312.4(b). The requirements for parental notice are even more
flexible and open-ended, requiring simply that the operator make “reasonable efforts, taking into
account available technology, to ensure” that notice reaches parents. See section 312.4(c). Thus,
the Commission’s adoption of these “performance” standards allows regulated entities to meet
the Rule’s requirements in a way suited to their particular businesses, and is therefore inherently
less burdensome than any precisely mandated format and method of notice.
At the same time, the Rule reduces compliance burdens by giving regulated parties clear
and detailed guidance on the required contents of the notices. This guidance thus helps eliminate
much of the administrative and legal costs that might be incurred by a small or other business
trying to determine what needs to be included in a notice in order to comply with the Rule.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of
the COPPA. The statute requires both that notice be given online and that separate notice
regarding the operator’s information practices be given to parents.2 Parental notice under the
Rule is also mandated in part by the statute’s parental consent requirement.3 Thus, the Rule does
not require notices any more frequently than is necessary for operators to comply with the statute
and for parents to make an informed decision about an operator’s collection, maintenance, or use
of their children’s personal information. Moreover, section 310.12 safe harbor applications are
filed solely upon the initiative of the filer.

2

See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Commission’s Rule at sections 312.3(a) (online notice), 312.4 (form and
content of online and parental notices), and 312.6(a) (notice to parents upon their request), as discussed earlier.

3

See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at sections 312.4 (form and contents of
notices) and 312.5 (parental consent and exceptions), as discussed earlier.

3

(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The proposed “collection” is consistent with all applicable OMB PRA guidelines under
5 C.F.R. § 1320.5. No collection inconsistent with such guidelines is being proposed.
(8) Consultation Outside the Agency
The Commission sought public comment on its proposed rulemaking and its associated
PRA burden analysis. 64 Fed. Reg. 27,751, 22,261. No comments were received that
necessitated modifying burden estimates. In addition, when crafting the Rule, staff informally
consulted with members of the website and online service industry and also met with federal,
state, and local law enforcement agencies. Staff balanced the need for requiring compliance in
accordance with the express terms of the statute against the need to minimize the burden
associated with such compliance.
The Commission again sought public comment on PRA aspects of the Rule, as required
by 5 C.F.R. 1320.8(d). 73 Fed. Reg. 16,015 (Mar. 26, 2008). No comments were received. The
FTC is providing another opportunity for public comment while seeking OMB approval to
extend the existing paperwork clearance for the Rule.
(9) Payments or Gifts to Respondents
Not applicable. The Commission makes no payments or gifts to respondents in
connection with the proposed requirements.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice (i.e., disclosure) of
information practices by website and online service operators to the public and, in particular,
parents of children from whom personal information is collected.4
(12) Hours Burden
Estimated annual hours burden: 1,900 hours
Disclosure Requirements: 1,800 hours

4

Although not applicable to the “information collection” requirements for which the Commission is seeking
OMB approval, the COPPA and the Rule do contain strict provisions to ensure the confidentiality, security,
and integrity of personal information collected from children by website and online service operators. See 15
U.S.C. § 6502(b)(1)(D); 16 C.F.R. § 312.8 (confidentiality, security, and integrity).

4

The FTC staff retains its estimate that roughly 30 new web entrants each year will fall
within the Rule’s coverage and that, on average, new entrants will spend approximately 60 hours
crafting a privacy policy, designing mechanisms to provide the required online privacy notice
and, where applicable, the direct notice to parents.5 Accordingly, staff estimates that complying
with the Rule’s disclosure requirements will require approximately 1,800 hours (30 new web
entrants x 60 hours per entrant). Consistent with prior estimates, FTC staff estimates that the
time spent on compliance would be apportioned five to one between legal (lawyers or similar
professionals) and technical (computer programmers) personnel. Staff therefore estimates that
lawyers or similar professionals who craft privacy policies will account for 1,500 of the 1,800
hours required. Computer programmers responsible for posting privacy policies and
implementing direct notices and parental consent mechanisms will account for the remaining
300 hours.
Website operators that have previously created or adjusted their sites to comply with the
Rule will incur no further burden associated with the Rule, unless they opt to change their
policies and information collection in ways that will further invoke the Rule’s provisions.
Moreover, staff believes that existing COPPA-compliant operators who introduce additional
sites beyond those they already have created will incur minimal, if any, incremental PRA
burden. This is because such operators already have been through the start-up phase and can
carry over the results of that to the new sites they create.
Reporting Requirements for Safe Harbor Applicants: 100 hours
Operators can comply with the Rule by meeting the terms of industry self-regulatory
guidelines that the Commission approves after notice and comment.6 While the submission of
industry self-regulatory guidelines to the agency is voluntary, the Rule includes specific
reporting requirements that all safe harbor applicants must provide to receive Commission
approval. Staff retains its estimate that it would require, on average, 265 hours per new safe
harbor program applicant to prepare and submit its safe harbor proposal in accordance with
Section 312.10(c) of the Rule. Industry sources have confirmed that this estimate is reasonable
and advised that all of this time would be attributable to the efforts of lawyers. Given that
several safe harbor programs are already available to website operators, FTC staff believes that it
is unlikely that more than one additional safe harbor applicant will submit a request within the
next three years of PRA clearance sought. Thus, annualized burden attributable to this
requirement would be approximately 85 hours per year (265 hours ÷ 3 years) or, roughly, 100
hours. Staff believes that most of the records submitted with a safe harbor request would be

5

Although staff cannot determine with any degree of certainty the number of new entrants potentially subject
to the Rule, it believes its estimate is reasonable. The Commission received no comments challenging staff’s
prior PRA analyses in its prior requests for renewed clearance for the Rule or when it most recently sought
comment on the Rule itself (70 FR 21107, 21109, April 22, 2005). Accordingly, staff retains those estimates
for the instant PRA analysis. For the same reasons, staff retains its prior estimate of 60 hours per new entrant.
6

See Section 312.10(c). Approved self-regulatory guidelines can be found on the FTC’s website at
http://www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.

5

those that these entities have kept in the ordinary course of business, and that any incremental
effort associated with maintaining the results of independent assessments or other records under
Section 312.10(d)(3) also would be in the normal course of business. In accordance with the
regulations implementing the PRA, the burden estimate excludes effort expended for these
activities. 5 CFR 1320.3(b)(2).
Accordingly, FTC staff estimates that total burden per year for disclosure requirements
affecting new web entrants and reporting requirements for safe harbor applications would be
approximately 2,000 hours, rounded to the nearest thousand.
Labor costs: $250,000
Labor costs are derived by applying appropriate hourly cost figures to the burden hours
described above. Staff conservatively assumes hourly rates of $150 and $35, respectively, for
lawyers or similar professionals and computer programmers.7 Based on these inputs, staff
further estimates that associated annual labor costs for new entrants would be $235,000 [(1,500
hours x $150 per hour for legal) + (300 hours x $35 per hour for computer programmers)] and
$15,000 for safe harbor applicants (100 hours per year x $150 per hour), for a total labor cost of
$250,000.
(13) Estimated Capital/Other Non-Labor Costs Burden
Because websites will already be equipped with the computer equipment and software
necessary to comply with the Rule’s notice requirements, the sole costs incurred by the websites
are the aforementioned estimated labor costs. Similarly, industry members should already have
in place the means to retain and store the records that must be maintained under the Rule’s safe
harbor recordkeeping provisions, because they are likely to have been keeping these records
independent of the Rule.
(14) Cost to the Federal Government
Enforcing and monitoring compliance with the notice requirement of the COPPA will
require approximately 1.5 attorney/investigator work years at an annualized approximate cost of
$210,000 per year. In addition, travel costs or other expenses associated with enforcing and
administering the Rule will be approximately $3,000. Thus, the approximate total cost to the
Commission in connection with enforcing and monitoring compliance with the COPPA will be
$213,000. Clerical and other support services are included in these estimates.

7

FTC staff estimates average legal costs at $150 per hour, which is roughly midway between Bureau of Labor
Statistics (BLS) mean hourly wages shown for attorneys (approximately $55) in the most recent whole-year
data available online (2006) and what staff believes may more generally reflect hourly attorney costs ($250)
associated with Commission information collection activities. The $35 estimate for computer programmers is
also conservatively based on the most recent whole-year data available online from the BLS (2006 National
Compensation Survey and 2006 Occupational Employment and Wage Statistics).

6

(15) Program Changes or Adjustments
There are no program changes. The only adjustments reflect the minor difference
between prior rounding to the nearest thousand for burden hours (2,000), pre-ROCIS, and the
estimated burden hours stated herein (1,900), and an increased estimate of hourly legal costs.
(16) Statistical Use of Information
There are no plans to publish information associated with the proposed requirements for
statistical use.
(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.

7