Supplemental NPRM Supporting Statement

Federal Trade Commission
Supporting Statement for Proposed Amendments
in Supplemental Notice of Proposed Rulemaking to
the Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
(1) Necessity for Collecting the Information
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. § 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection and use
of personally identifiable information from and about children1 on the Internet. The underlying
goals of the Act are to: (1) enhance parental involvement in children’s online activities in order
to protect the privacy of children in the online environment; (2) limit the collection of personal
information from children without parental consent; (3) help protect the safety of children in
online fora such as chat rooms, home pages, and pen-pal services in which children may make
public postings of identifying information; and (4) maintain the security of children’s personal
information collected online. See 144 Cong. Rec. S11657 (Oct. 7, 1998) (statement of Sen.
Bryan).
The COPPA Rule (“Rule”), 16 C.F.R. Part 312, imposes requirements on operators of
websites or online services directed to children under 13 years of age or that have actual
knowledge that they are collecting personal information online from children of such age.
Among other things, the Rule:
(1)
(2)
(3)
(4)
(5)

requires operators to provide notice to parents of the specific types of personal
information sought to be collected from children and their uses (Section 312.3);
specifies the placement and content of the required online notice and describes the
contents of the direct notice to parents (Section 312.4);
requires operators to obtain “verifiable parental consent” prior to collecting, using, or
disclosing children’s personal information (Section 312.5);
requires operators to provide reasonable means to enable a parent to review the
information (Section 312.6);
requires operators to establish procedures that protect the confidentiality, security, and
integrity of personal information collected from children (Section 312.8).

In addition to the disclosure requirements imposed on covered operators, the Rule
contains reporting requirements for entities voluntarily seeking approval as a COPPA safe
harbor self-regulatory program (Section 312.10).
The Rule’s requirements are necessary because they expressly implement the Act’s
requirements and goals.

1

A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. 6501(2).

The amendments proposed in the Commission’s Supplemental Notice of Proposed
Rulemaking (“supplemental NPRM”)2 would, among other things:
(1)
(2)

(3)

modify the definitions of “operator” and “website or online service directed to children,”
potentially increasing the number of operators subject to the Rule;
modify the definitions of “personal information” and “support for internal operations,”
potentially offsetting the burdens imposed by the proposed definitions of “operator” and
“website or online service directed to children,” by decreasing certain operators’
recordkeeping, reporting, disclosure or other compliance requirements; and,
modify the definition of “screen or user name” to cover situations where a screen or user
name functions in the same manner as online contact information.

The objectives of the proposed amendments are to modernize the Rule to ensure that
children’s online privacy continues to be protected, as directed by Congress, as new online
technologies evolve, and to clarify existing obligations for operators under the Rule. COPPA
provides the authority for the amendments proposed.
(2) Use of the Information
The proposed amendments to the definitions of “operator” and “website or online service
directed to children” in Section 312.2 would better insure that parents are provided notice of
when a website or service wants to collect children’s personal information in instances where a
child-directed site or service chooses to integrate into its property other services that collect
visitors’ personal information. For example, the proposed change to the definition of “operator”
would clarify that child-directed websites that do not collect personal information from users,
but employ downloadable software plug-ins or permit third-parties, such as advertising
networks, to collect personal information from their sites, are covered operators with
responsibility for providing parental notice and obtaining consent. Additionally, the proposed
changes to website or online service definition, among other things, will clarify that a plug-in or
ad network is covered by the Rule where it knows or has reason to know that it is collecting
personal information through a child-directed website or online service.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burdens imposed by the Rule, consistent with the aims of the
Government Paperwork Elimination Act, 44 U.S.C. § 3504 note. In particular, Section 312.4(b)
of the Rule requires that notices be posted online on the operators’ website or online service, and
Section 312.4(c) expressly contemplates that operators shall “tak[e] into account available
technology” in ensuring that parents receive direct notice of their information practices. Notice
under Section 312.4(c) incorporates by reference the requirement of Section 312.5(b) that

2

77 Fed. Reg. 46,643 (August 6, 2012).

2

operators obtain a parent’s consent through methods “reasonably calculated, in light of available
technology, to ensure that the person providing consent is the child’s parent.” Thus, the Rule
provides operators with the flexibility to employ appropriate, reasonable information
technologies to comply with the notice and consent requirements.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government
agencies.
(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the amendments proposed in the supplemental NPRM to
minimize the compliance burden of these requirements as much as possible. See item (8) for
more information.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of
the COPPA. The statute requires both that notice be given online and that separate notice
regarding the operator’s information practices be given to parents.3 Parental notice under the
proposed amended Rule works in tandem with the statute’s mandated parental consent
requirement.4 Thus, the proposed Rule amendments do not require notices any more frequently
than necessary for operators to comply with the statute and to enable parents to make an
informed decision about an operator’s collection, maintenance, use, or disclosure of their
children’s personal information.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The proposed “collection” is consistent with all applicable OMB PRA guidelines under
5 C.F.R. § 1320.11. No collection inconsistent with such guidelines is being proposed.

3

See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Commission’s Rule at Sections 312.3(a) (online notice), proposed 312.4(b)
and (c) (form and content of online and direct to parent notices), and 312.6(a) (notice to parents upon their
request).

4

See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at Sections 312.4 (form and contents of
notices) and 312.5 (parental consent and exceptions).

3

(8) Consultation Outside the Agency
Last year, the Commission sought public comment on PRA aspects of the Rule, as
required by 5 C.F.R. 1320.8(d). See 76 Fed. Reg. 31,334 (May 31, 2011). No comments were
received. On July 18, 2011, OMB approved the Rule’s existing information collection
requirements through July 31, 2014.
On September 27, 2011, the Commission published a Notice of Proposed Rulemaking
(“NPRM”) to amend the Rule, consistent with the requirements of the Act, to respond to changes
in online technology, including in the mobile marketplace, and, where appropriate, to streamline
the Rule. See 76 Fed. Reg. 59,804 (September 27, 2011). The Commission received over 350
comments, of which three related to PRA burden estimates.5
After reviewing these comments, and based upon its experience in enforcing and
administering the Rule, the Commission issued its supplemental NPRM to clarify the scope of
the Rule and strengthen its protections for children’s personal information. As before, the
Commission seeks public comment on its PRA burden analysis in addition to comment on the
underlying proposed Rule amendments to which the analysis relates.
Under the existing OMB clearance for the Rule, the FTC has estimated that new
operators will each spend approximately 60 hours to craft a privacy policy, design mechanisms
to provide the required online privacy notice and, where applicable, direct notice to parents in
order to obtain verifiable consent. At least a few commenters noted that this 60-hour estimate
failed to take into account accurate costs of compliance with the Rule.6 None of these
commenters, however, provided the Commission with empirical data or specific evidence on the
number of hours such activities require. Thus, the Commission does not have sufficient
information at present to revise its earlier hours estimate.
In drafting the proposed modifications to the Rule’s definitions, the Commission has
attempted to avoid unduly burdensome requirements for entities. The Commission believes that
the proposed modifications will advance the goal of children’s online privacy in accordance with
COPPA. For each of the proposed modifications, the Commission has taken into account the
concerns evidenced by the record to date. On balance, the Commission believes that the benefits
to children and their parents outweigh the costs of implementation to industry.
The Commission has considered, but has decided not to propose, an exemption for small
businesses. The primary purpose of COPPA is to protect children’s online privacy by requiring
verifiable parental consent before an operator collects personal information. The record and the

5

See Nancy Savitt (comment 142) at p. 1; NCTA (comment 113), at pp. 23-24; and MPAA (comment 109) at
pp. 15-16. These and the remaining comments can be found at
http://www.ftc.gov/os/comments/copparulereview2011/.

6

See id.

4

Commission’s enforcement experience have shown that the threats to children’s privacy are just
as great, if not greater, from small businesses or even individuals than from large businesses.7
Accordingly, an exemption for small businesses would undermine the very purpose of the statute
and Rule. Still, the Commission’s supplemental NPRM also seeks comments on ways in which
the Rule could be modified to reduce any costs or burdens for small entities.
(9) Payments or Gifts to Respondents
Not applicable. The Commission makes no payments or gifts to respondents in
connection with the proposed requirements.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice (i.e., disclosure) of
information practices by website and online service operators to the public and specifically to
parents of children from whom personal information is sought to be collected.
(12) Hours Burden8
Number of Respondents: 625
There are an estimated 500 existing operators that will newly be covered by the
modifications proposed in the supplemental NPRM plus 125 new operators per year to be
covered by Rule through the proposed modifications (the 125 new operators are an incremental
addition to the previously cleared FTC estimate of 100 new operators per year9 for a prospective
three-year PRA clearance period).
The proposed changes to the definitions of “operator” and “website or online service
directed to children” will potentially increase the number of operators subject to the Rule. The
Commission believes, however, that the number of operators subject to the Rule’s requirements
7

See, e.g.,United States v. RockYou, Inc., No. 3:12-cv-01487-SI (N.D. Cal., entered Mar. 27, 2012); United
States v. Godwin , No. 1:11-cv-03846-JOF (N.D. Ga., entered Feb. 1, 2012); United States v. W3 Innovations,
LLC, No. CV-11-03958 (N.D. Cal., filed Aug. 12, 2011); United States v. Industrious Kid, Inc., No. CV-080639 (N.D. Cal., filed Jan. 28, 2008); United States v. Xanga.com, Inc., No. 06-CIV-6853 (S.D.N.Y., entered
Sept. 11, 2006); United States v. Bonzi Software, Inc., No. CV-04-1048 (C.D. Cal., filed Feb. 17, 2004);
United States v. Looksmart, Ltd., Civil Action No. 01-605-A (E.D. Va., filed Apr. 18, 2001); United States v.
Bigmailbox.Com, Inc., Civil Action No. 01-606-B (E.D. Va., filed Apr. 18, 2001).
8

This discussion tracks the PRA focus of the Commission’s supplemental NPRM. It is incremental to the
PRA burden estimates previously posited for the September 27, 2011 NPRM. The combined estimated PRA
burden effects, however, are summarized in item #15 of the instant Supporting Statement.
9

See Agency Information Collection Activities; Submission for OMB Review; Comment Request; Extension,
76 Fed. Reg. 31,334 (May 31, 2011).

5

should be offset by the clarification of the definition of support for internal operations and the
carve out from the definition of website or online service directed to children of family friendly
sites and services that take measures to identify and provide COPPA protections to child visitors.
Some operators of child-directed properties will also likely adjust their information collection
practices so as not to be covered by the Rule.
Estimated annual hours burden: 17,500 hours
(a)

Recordkeeping Requirements: 0 hours

The proposed modifications to the Rule’s definitions do not impose any incremental
recordkeeping costs on operators.
(b)

Disclosure Requirements: 17,500 hours
(1)

New Operators

Under the existing OMB clearance for the Rule, the Commission has already accounted
for the time that new operators will spend to craft a privacy policy (approximately 60 hours per
operator), design mechanisms to provide the required online privacy notice and, where
applicable, direct notice to parents in order to obtain verifiable consent. The proposed
modifications to the Rule’s definitions should not add to the burden for new operators.
However, the Commission estimates an incremental increase of 125 new operators per year
covered by the Rule given the proposed modifications. Aggregated for the estimated 125
operators per year that would be newly subject to the Rule, annualized disclosure burden would
be 7,500 hours.
(2)

Existing Operators

The proposed modifications will not impose incremental disclosure time per existing
operator, but, as noted above, would result in an estimated additional 500 existing operators that
would hence be covered by the Rule. These entities will have a one-time burden to re-design
their existing privacy policies and direct notice procedures that would not carry over to the
second and third years of prospective PRA clearance. The Commission estimates that an
existing operator’s time to make these changes would be no more than that for a new entrant
crafting a privacy policy for the first time, i.e., 60 hours. Aggregated for the estimated 500
existing operators that would be newly subject to the Rule, this non-recurring adjustment,
annualized over a three-year OMB clearance, would total 10,000 hours.
Estimated annual labor cost burden: $2,747,454
(a)

Recordkeeping

The proposed modifications to the Rule’s definitions do not impose any incremental
recordkeeping costs on operators.
6

(b)

Disclosure

The Commission assumes that the time spent on compliance for new and existing
operators would be apportioned five to one between legal (lawyers or similar professionals) and
technical (e.g., computer programmers, software developers, and information security analysts)
personnel.10 As noted above, the Commission estimates a total of 17,500 hours of incremental
disclosure burden from the proposed modifications to the definitions, annualized, for 625
additional operators (125 new operators + 500 existing operators that would be covered by the
Rule). Thus, apportioned five to one, this amounts to, rounded, 14,583 hours of legal, and 2,917
hours of technical, assistance. Applying hourly rates of $180 and $42, respectively, for these
personnel categories,11 associated labor costs would total approximately $2,747,454.
(c)

Reporting

The proposed modifications to the Rule’s definitions do not impose any incremental
reporting costs on operators.
(13) Estimated Capital/Other Non-Labor Costs Burden
Capital and start-up costs associated with the Rule are minimal. Because websites will
already be substantially equipped with the computer equipment and software necessary to
comply with the Rule’s proposed notice requirements, the primary costs incurred by the websites
are the estimated labor costs [discussed in item (12)].
(14) Cost to the Federal Government
Because Commission staff anticipates that the incremental cost to the FTC to administer
the proposed amendments will be de minimis, it retains the FTC’s most recently cleared
estimates of costs to the agency to implement the Rule: $425,000. This consists of
approximately 3 attorney/investigator work years at approximately $415,000 per year and travel
costs or other expenses associated with enforcing and administering the Rule of approximately
$10,000. Clerical and other support services are included in these estimates.
(15) Program Changes or Adjustments
The proposed changes to the definitions of “operator” and “website or online service
10

See FTC COPPA PRA Extension, 76 Fed. Reg. at 31,335 n. 1.

11

The estimated rate of $180 per hour is roughly midway between Bureau of Labor Statistics (BLS) mean
hourly wages for lawyers (approximately $62.74) in the most recent annual compilation available online and
what Commission staff believes more generally reflects hourly attorney costs ($300) associated with
Commission information collection activities. The $42 estimate of mean hourly wages for computer
programmers, software developers, information security analysts, and web developers is based on an average
of the salaries as reported by the BLS, National Occupational and Wages - May 2011.

7

directed to children” will potentially increase the number of operators subject to the Rule. The
proposed changes to the definition of “personal information” would expand the definition to
encompass additional types of information and thereby potentially increase the number of
operators subject to the Rule. The proposed amendment to eliminate the sliding scale “email
plus” method for obtaining parental consent may increase the burden for the limited category of
operators whose information collection practices to date have enabled them to use this relatively
low cost method of obtaining parental consent. Existing operators that currently use the email
plus method would incur burden in the first year of implementation to convert to a more reliable
method of obtaining verifiable parental consent. The proposed Rule amendments require a safe
harbor applicant to submit a more detailed proposal than what the current Rule mandates.
Existing safe harbor programs will thus need to submit a revised application and new safe harbor
applicants will have to provide greater detail than they would under the current Rule.
The cumulative estimated incremental burden, annualized, for the above-noted proposed
modifications, is 58,270 hours (40,770 hours regarding the September 27, 2011 NPRM;12 17,500
additional hours regarding the August 6, 2012 supplemental NPRM).
(16) Statistical Use of Information
There are no plans to publish information associated with the proposed requirements for
statistical use.
(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.

12

Details underlying this estimate are presented in the September 27, 2011 NPRM and in the associated PRA
Supporting Statement under ROCIS ICR Ref. No. 201108-3084-004.

8