Download:
pdf |
pdfFederal Trade Commission
Supporting Statement for Final Amendments
to the Children’s Online Privacy Protection Rule
16 C.F.R. Part 312
(OMB Control No. 3084-0117)
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. § 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection and use
of personally identifiable information from and about children1 on the Internet. The Federal
Trade Commission (“FTC” or “Commission”) amends the Children’s Online Privacy Protection
Rule (“COPPA Rule” or “Rule”), 16 C.F.R. Part 312, consistent with the requirements of the
Act, to clarify the scope of the Rule and strengthen its protections for children’s personal
information, given changes in online technology since the Rule went into effect in April 2000.
The final amended Rule includes modifications to the definitions of operator, personal
information, and website or online service directed to children. The amended Rule also updates
the requirements set forth in the notice, parental consent, confidentiality and security, and safe
harbor provisions, and adds a new provision addressing data retention and deletion.
Upon publication of the 2011 Notice of Proposed Rulemaking (“2011 NPRM”)2 and the
2012 Supplemental Notice of Proposed Rulemaking (“2012 SNPRM”)3, the FTC submitted
associated clearance requests with Supporting Statements to OMB. In response, OMB filed
comments (dated October 27, 2011 and August 10, 2012, respectively) stating that it was
withholding approval pending the Commission’s examination of the public comments to the
2011 NPRM and 2012 SNPRM. This document and the final rule Statement of Basis and
Purpose presents a revised PRA analysis, factoring in relevant public comments and the
Commission’s resulting or self-initiated changes to the Rule.
(1) & (2) Necessity for and Use of the Collecting the Information
The underlying goals of the Act are to: (1) enhance parental involvement in children’s
online activities in order to protect the privacy of children in the online environment; (2) limit
the collection of personal information from children without parental consent; (3) help protect
the safety of children in online fora such as chat rooms, home pages, and pen-pal services in
which children may make public postings of identifying information; and (4) maintain the
security of children’s personal information collected online. See 144 Cong. Rec. S11657 (Oct. 7,
1998) (statement of Sen. Bryan).
The COPPA Rule, imposes requirements on operators of websites or online services
directed to children under 13 years of age or that have actual knowledge that they are collecting
personal information online from children of such age. Among other things, the Rule:
1
A “child” is defined under the Act as an individual under 13 years of age. 15 U.S.C. § 6501(2).
2
76 Fed. Reg. 59,804 (Sept. 27, 2011).
3
77 Fed. Reg. 46,643 (Aug. 6, 2012).
�•
requires operators to provide notice to parents of the specific types of personal
information sought to be collected from children and their uses (Section 312.3);
•
specifies the placement and content of the required online notice and describes the
contents of the direct notice to parents (Section 312.4);
•
requires operators to obtain “verifiable parental consent” prior to collecting, using, or
disclosing children’s personal information (Section 312.5);
•
requires operators to provide reasonable means to enable a parent to review the
information (Section 312.6);
•
requires operators to establish procedures that protect the confidentiality, security, and
integrity of personal information collected from children (Section 312.8).
In addition to the disclosure requirements imposed on covered operators, the Rule
contains reporting requirements for entities voluntarily seeking approval as a COPPA safe
harbor self-regulatory program (Section 312.11).
(1)
Amendments to the Disclosure Requirements
The final Rule amendments to Section 312.4(c) more clearly articulate the specific
information that operators’ direct notices to parents must include about their information
collection and use practices. The succinct, “just-in-time” notices will present key information to
parents to better enable them to determine whether to: permit their children to provide personal
information online, seek access from a website or online service operator to review their
children’s personal information, and object to any further collection, maintenance, or use of such
information. The final Rule amendments to the definitions of operator and website or online
service directed to children in Section 312.2 will better ensure that parents are provided notice
when a child-directed site or service chooses to integrate into its property other services that
collect visitors’ personal information. For example, the final Rule amendment to the definition
of operator clarifies that child-directed websites that do not collect personal information from
users, but that employ downloadable software plug-ins or permit other entities, such as
advertising networks, to collect personal information directly from their users, are covered
operators with responsibility for providing parental notice and obtaining consent. Additionally,
the changes to the definition of website or online service directed to children, among other
things, will clarify that the Rule covers a plug-in or ad network where it has actual knowledge
that it is collecting personal information directly from users of a child-directed website or online
service.
To avoid obscuring the most meaningful, material information for consumers, however,
the Commission removed a previously proposed requirement, set forth in the 2011 NPRM, that
all operators collecting, using, or disclosing information on a website or online service must
provide contact information. The Commission retained the existing Rule’s proviso that such
operators could designate one operator to serve as the point of contact. For the same reason, the
2
�Commission has streamlined the Rule’s online notice requirement to require a simple statement
of: (1) what information the operator collects from children, including whether the website or
online service enables a child to make personal information publicly available; (2) how the
operator uses such information; and (3) the operator’s disclosure practices for such information.
As a part of this revision, the Commission also removed the required statement that the operator
may not condition a child’s participation in an activity on the child’s disclosure of more personal
information than is reasonably necessary to participate in such activity.
(2)
Amendments to the Reporting Requirements
As stated above, the Commission believes that there is great value in receiving annual
reports from its approved safe harbor programs. Obtaining this information (in addition to the
Commission’s right to access program records) will better ensure that all safe harbor programs
keep sufficient records and that the Commission is routinely apprised of key information about
the safe harbors’ programs and membership oversight. Further, requiring annual reports to
include a description of any safe harbor approvals of new parental consent mechanisms will
inform the Commission of the emergence of new feasible parental consent mechanisms for
operators. Additionally, the final Rule amendments impose more stringent requirements for safe
harbor applicants’ submissions to the Commission to better ensure that applicants are capable of
administering effective safe harbor programs.
(3) Consideration to Use Improved Information Technology to Reduce Burden
By their terms and the very nature of the regulated industry, the Rule’s notice
requirements make use of improved information technology (i.e., electronic communications
over the Internet) to reduce the burdens imposed by the Rule, consistent with the aims of the
Government Paperwork Elimination Act, 44 U.S.C. § 3504 note. In particular, Section 312.4(d)
of the Rule requires that notices be posted online on the operators’ website or online service, and
Section 312.4(b) expressly contemplates that operators shall “tak[e] into account available
technology” in ensuring that parents receive direct notice of their information practices. Section
312.5(b)(1) requires operators to “make reasonable efforts to obtain verifiable parental consent,
taking into consideration available technology” in designing consent mechanisms. Section
312.5(b)(2) of the revised Rule, which contains a non-exclusive list of acceptable methods for
obtaining consent, has been amended to identify additional new methods for obtaining consent
that take advantage of new technologies. The notice provisions in Sections 312.5(c)(2),
312.5(c)(4), and 312.5(c)(5) also require consideration of available technology. Thus, the Rule
provides operators with the flexibility to employ appropriate, reasonable information
technologies to comply with the notice and consent requirements.
(4) Efforts to Identify Duplication
The notice requirements of the Rule do not duplicate any other requirements of the
Commission or, to its knowledge, the requirements of other federal or state government
agencies.
3
�(5) Efforts to Minimize Burden on Small Businesses
The Commission has designed the amendments to minimize the compliance burden of
these requirements as much as possible. Several provisions of the Rule amendments will ease
the burden on operators: the list of mechanisms to obtain parental consent has been expanded,
and operators can now use a voluntary, public process to seek Commission approval of new
forms of obtaining parental consent. Operators can also request that the Commission consider
on an expedited basis that additional internal activities involving the collection of persistent
identifiers be exempt from the Rule. In addition, the Rule amendments allow operators to
provide interactive communities without obtaining parental consent, so long as operators take
reasonable measures to delete all or virtually all children’s personal information before content
is made public. Moreover, the Commission determined not to adopt certain proposed
amendments that commenters believed would impose significant burdens on businesses,
including small businesses. See the discussion under item (8)(b)(1) for further elaboration.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate the express statutory language and intent of
the COPPA. The statute requires both that notice be given online and that separate notice
regarding the operator’s information practices be given to parents.4 Parental notice under the
amended Rule works in tandem with the statute’s mandated parental consent requirement.5
Thus, the Rule amendments do not require notices any more frequently than necessary for
operators to comply with the statute and to enable parents to make an informed decision about an
operator’s collection, maintenance, use, or disclosure of their children’s personal information.
(7) Special Circumstances Requiring Collection Inconsistent With Guidelines
The “collection of information” under the final amendments is consistent with all
applicable OMB PRA guidelines under 5 C.F.R. § 1320.11.
(8) Consultation Outside the Agency
As noted above, the Commission published both a 2011 NPRM and 2012 SNPRM to
amend the Rule. Details on the 2011 NPRM and the comments received regarding the FTC
burden estimates were discussed at length in the FTC’s “Supplemental NPRM Supporting
4
See 15 U.S.C. § 6502(b)(1)(A) (requiring website notice), (B) (notice to parents upon request). These
requirements are reflected in the Rule at Sections 312.3(a) (online notice), 312.4 (c) (content of direct notice to
parent), and 312.6(a) (notice to parents upon their request).
5
See 15 U.S.C. § 6502(b)(1)(A)(ii) (requiring verifiable parental consent), § 6501(9) (defining “verifiable
parental consent” to mean, in relevant part, any reasonable efforts, taking into consideration available
technology, to ensure parental notice of the operator’s personal information collection, use, and disclosure
practices). These requirements are reflected in the Commission’s Rule at Sections 312.4 (content of notices)
and 312.5 (parental consent and exceptions).
4
�Statement” submitted to OMB on August 10, 2102, under ICR Ref. No. 201208-3084-001.
The instant discussion begins from where that left off, addressing PRA-related comments
to the 2012 SNPRM.
a. Comments Regarding the Estimated Number of Operators/FTC Disposition
Given the public comments received, the Commission estimates, as detailed further
below, that the final Rule amendments will cover 2,910 existing operators of websites or online
services and 280 new operators per year; of the latter estimate, 100 new operators have already
been accounted for through prior FTC estimates and OMB clearance6; thus, the net incremental
tally beyond existing clearance is 180 new operators. These groups of covered operators would
generally consist of certain traditional website operators, mobile app developers, plug-in
developers, and advertising networks.
(1) Existing Operators
The Commission received several comments directed to its estimates of the number of
existing operators, all of which assert that the Commission significantly underestimated these
numbers.7 The Association for Competitive Technology (“ACT”) cited data showing that as of
September 2012, there were approximately 74,000 “education” apps in the iTunes App Store,
and 30,000 in the Android market.8 Based on its review of “top” apps, ACT calculated a ratio of
1.54 apps per developer of “education” apps in the iTunes App Store,9 and that approximately
60% of apps in this category were directed to children under 13.10 Based on this information,
ACT calculated that approximately 28,800 app developers would be “potentially affected” by the
6
Under the existing OMB clearance for the pre-amended Rule the FTC had already accounted for an
estimated 100 new operators each requiring approximately 60 hours to comply with the Rule. See 76 Fed.
Reg. 7211, 7212 (Feb. 9, 2011); 76 Fed. Reg. 31,334, 31,335 (May 31, 2011). Thus, to avoid double-counting
what has already been submitted to OMB and cleared, the ensuing calculations for new operators’ disclosure
burden account strictly for the difference between the revised population estimate (280) and the currently
cleared estimate (100), i.e., 180 additional new operators.
7
Association for Competitive Technology (comment 7, 2012 SNPRM), at 2-3; S. Weiner (comment 97, 2012
SNPRM), at 1-2; J. Garrett (comment 38, 2012 SNPRM), at 1; see also Direct Marketing Association
(comment 28, 2012 SNPRM), at 17.
8
Association for Competitive Technology (comment 7, 2012 SNPRM), at 2.
9
Id. (“Unlike the game sector, where one developer may have several applications in the top 100, Educational
Apps tended to be much closer to a one-to-one ratio between app and creator at 1.54 apps per developer.”).
10
Id. ACT’s comment does not describe the methodology it used to categorize apps as being directed to
children under 13.
5
�proposed modifications to the Rule set forth in the 2011 NPRM and 2012 SNPRM.11 One
commenter, the moderator of an online group called “Parents With Apps,” stated that the group
has more than 1,400 small developers of family-friendly apps as members.12 Another
commenter stated that the Silicon Valley Apps for Kids Meetup group had “well over 500
members” as of September 2012, and that “the kids app market is incredibly vibrant with
thousands of developers, over 500 of which” are group members.13
Per the industry information source cited by ACT, the Commission believes that as of
November 2012, there were approximately 75,000 education apps in the iTunes App Store and
approximately 33,000 education apps in the Android market.14 ACT’s comment appears to
suggest that it would be reasonable for the Commission to base its PRA estimate of the number
of existing operators subject to the final Rule amendments on the number of “Education” app
developers. The Commission agrees that developer activity in the “Education” category, to the
extent it can be discerned through publicly available information, is a useful starting point for
estimating the number of mobile app developers whose activities may bring them within
coverage of the final Rule amendments. As discussed below, the Commission also looks to
information about “Education” apps in the Google Play store, and apps in the game and
entertainment categories in both the iTunes App Store and Google Play, as a basis for its
estimates for this PRA analysis.15
Similar to what appears to have been ACT’s methodology, Commission staff reviewed a
list, generated using the desktop version of iTunes, of the Top 200 Paid and Top 200 Free
“Education” apps in the iTunes App Store as of early November 2012. Based on the titles and a
prima facie review of the apps’ descriptions, staff believes that approximately 56% of them may
be directed to children under 13.16 Averaging this figure and ACT’s 60% calculation, FTC staff
11
Id. at 2-3.
12
S. Weiner (comment 97, 2012 SNPRM), at 1-2.
13
J. Garrett (comment 38, 2012 SNPRM), at 1.
14
“App Store Metrics,” 148Apps.biz (accessed Nov. 14, 2012), available at http://148apps.biz/app-storemetrics; “Android Statistic Top Categories,” AppBrain (accessed Nov. 15, 2012), available at
http://www.appbrain.com/stats/android-market-app-categories.
15
Although there are other mobile app platforms and distribution channels, the Commission believes that the
education, games, and entertainment categories in the iTunes App Store and the Google Play store adequately
approximate the relevant universe of unique mobile app developers whose apps may be directed to children
under 13.
16
In estimating this percentage (and similar percentages throughout this section) for purposes of the PRA
analysis, the Commission’s staff attempted to err on the side of inclusion to count any apps that were likely to
be used by children, whether independently or with parents’ assistance. To ensure a generous accounting of
operators potentially subject to the Rule, this estimate included, for example, even toddler apps unlikely to be
used by children themselves without direct parental assistance.
6
�estimates that 58% of “Education” Apps in the iTunes App Store may be directed to children
under 13, meaning that 43,500 of those 75,000 “Education” apps may be directed to children
under 13. To determine a ratio for the Education apps for the Android platform, Commission
staff reviewed listings of the Top 216 Paid and Top 216 Free “Education” apps in the Google
Play store as of mid-November 2012. Staff believes that approximately 42% of them may be
directed to children under 13; 42% of 33,000 apps yields 13,860 apps that may be directed to
children under 13. Adding these projected totals together yields 57,360 such apps for both
platforms, combined.
It is unreasonable to assume, however, that all apps directed to children under 13 collect
personal information from children, and that no developers only collect persistent identifiers in
support for their internal operations. Data from the recent Commission staff report, Mobile Apps
for Kids: Disclosures Still Not Making the Grade, indicates that about 59% of the surveyed apps
transmit device identification or other persistent identifiers, to their developers.17 However, it is
not clear how many of those app developers would be using those persistent identifiers in a way
that would fall within the final Rule’s amended definition of personal information. Indeed, the
Commission believes, based on the comments received, that many developers would use such
persistent identifiers to support internal operations as defined in the final Rule amendments and
not for other purposes, such as behavioral advertising directed to children.18 Furthermore, the
Commission believes that some mobile app developers, like some other operators of websites or
online services, will adjust their information collection practices so that they will not be
collecting personal information from children. The data in the staff report do suggest, however,
that approximately 3.5% of apps directed to children under 13 could be collecting location
information or a device’s phone number, thus making their developers more likely to be covered
by the final Rule amendments.19 The Commission believes it is reasonable to assume that an
additional 1.5% of those apps could be collecting other personal information, including
transmitting persistent identifiers to developers (or their partners) to use in ways that implicate
COPPA. This results in an estimate of 5% of apps that may be directed to children under 13, i.e.,
approximately 2,870 apps, that operate in ways that implicate the final Rule amendments.
To estimate the number of developers responsible for these apps,20 Commission staff
17
See FTC Staff, Mobile Apps for Kids: Disclosures Still Not Making the Grade, at 9-10 (Dec. 2012),
available at http://www.ftc.gov/os/2012/12/121210mobilekidsappreport.pdf (hereinafter “Mobile Apps for
Kids II Report”).
18
See L. Akemann (comment 2, 2012 SNPRM), at 1; Direct Marketing Association (comment 37, 2011
NPRM), at 7, 14; Scholastic (comment 144, 2011 NPRM), at 13-14; TRUSTe (comment 164, 2011 NPRM), at
5.
19
See Mobile Apps for Kids II Report, at 5-6, 10 (14 of 400 apps tested transmitted the mobile device’s
geolocation or phone number). These apps also transmitted device identification.
20
The Commission believes it is reasonable to assume, as ACT appears to, that developers responsible for
multiple apps directed to children under 13 will typically have a single set of privacy practices, a single
(continued...)
7
�used the “Browse” function in iTunes, to generate a list of 6,000 apps in the “Education”
category. Sorting that list by “Genre” generates a list of approximately 3,300 apps for which
“Education” was listed as the “Genre.” Approximately 1,800 developers were listed in
connection with these apps. Dividing 3,300 apps by 1,800 developers yields an iTunes
education-apps-per-developer ratio of approximately 1.83,21 and the Commission assumes this
ratio would apply for Android apps, as well. Assuming a 1.83 education-apps-to-developer
ratio, it appears that approximately 1,570 developers (2,870 ÷ 1.83) are responsible for apps
directed to children under 13 that operate in ways likely to implicate the final Rule amendments.
At least one more adjustment to this total of approximately 1,570 potentially affected
developers is warranted, however. Commission staff’s research for its two Mobile Apps for
Kids reports indicate that approximately 2.2% of developers of apps that may be directed to
children under 13 develop apps for both iOS and Android.22 To avoid double-counting
developers that develop for both platforms, the Commission subtracts 18 developers from the
total (i.e., 1,570 x 2.2% = 34.54; 35 ÷ 2 = 17.5), leaving approximately 1,552 potentially affected
developers of iOS and Android education apps that may be directed to children under 13.
The Commission believes it is also reasonable to add to this total existing developers of
game and entertainment apps directed to children under 13. Commission staff reviewed a list,
generated using the desktop version of iTunes, of the Top 200 Paid and Top 200 Free “Game”
apps in the iTunes App Store as of mid November 2012. Staff believes that approximately 7%
of them may be directed to children under 13. Publicly available industry data show that
approximately 131,000 game apps were available in the iTunes App Store as of mid-November
2012;23 thus, approximately 9,170 of those apps may be directed to children under 13. Assuming
5% of those apps operate in ways that bring their developers within the ambit of the final Rule
20
(...continued)
privacy policy to describe them, and will develop a single method of disclosing the information required by
the final Rule amendments. Any marginal increase in developer burdens addressed in this PRA analysis
arising from developers publishing additional apps is therefore not likely to be significant.
21
This appears to be a larger universe of data than ACT consulted in generating its education-apps-todeveloper ratio of 1.54. See Association for Competitive Technology (comment 7, 2012 SNPRM), at 2. Data
from the industry source ACT cites indicates a more general apps-to-developer ratio of approximately 3.8 apps
per developer of iTunes App Store apps. See “App Store Metrics,” 148Apps.biz (accessed Nov. 14, 2012),
available at http://148apps.bix/app-store-metrics (727,938 Total Active Apps; 191,366 Active Publishers in
the U.S. App Store).
22
See Mobile Apps for Kids II Report, at II-6 (approximately 1.6% of developers of apps studied developed
apps for both Android and iOS); FTC Staff, Mobile Apps for Kids: Current Privacy Disclosures are
Disappointing, at 8-9 (Feb. 2012), available at http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf
(approximately 2.7% of developers of apps studied developed apps for both Android and iOS). Averaging
these two percentages indicates developer overlap of approximately 2.2%.
23
“App Store Metrics,” 148Apps.biz (accessed Nov. 14, 2012), available at http://148apps.bix/app-storemetrics.
8
�amendments, at a general app-to-developer ratio of 3.8 apps per developer,24 this yields
approximately 120 developers (9,170 x .05 = 458.5; 458.5 ÷ 3.8 = 120.66). Commission staff
observed that approximately 35% of developers of games that may be directed to children under
the age of 13 also develop similar education apps. Thus, of the aforementioned 120 developers,
65% would not already have been counted in the previous tally of educational app developers.
This calculation yields an estimate of approximately 78 additional developers of iTunes games
apps primarily directed to children under 13 that likely are covered by the final Rule
amendments.
Performing a similar calculation for iTunes “Entertainment” app developers yields few
additional existing developers that are likely to be covered. Commission staff reviewed a list,
generated using the desktop version of iTunes, of the Top 200 Paid and Top 200 Free
“Entertainment” apps in the iTunes App Store as of mid-November 2012. Staff believes that
approximately 2.5% of them may be directed to children under 13. Publicly available industry
data show that approximately 67,600 “Entertainment” apps were available in the iTunes App
Store as of mid-November 2012;25 thus, approximately 1,690 of those apps may be directed to
children under 13. Assuming 5% of those apps operate in ways that bring their developers
within the ambit of the final Rule amendments, at a general app-to-developer ratio of 3.8 apps
per developer, this yields approximately 22 developers (1,690 x .05 = 84.5; 84.5 ÷ 3.8 = 22.24).
Commission staff observed that approximately 84% of developers of “Entertainment” apps that
may be directed to children under the age of 13 also develop similar education and game apps.
Thus, of the aforementioned 22 developers, 16% would not already have been counted in the
previous tally of educational and games app developers. This calculation yields an estimate of
approximately 4 additional developers of iTunes entertainment apps primarily directed to
children under 13 that likely are covered by the final Rule amendments.
To account for Android “Games” apps, Commission staff reviewed listings of the Top
216 Paid and Top 216 Free “Games” apps in the Google Play store as of mid-November 2012.
Staff believes that approximately 3% of them may be directed to children under 13. Three
percent of 75,000 apps26 yields about 2,250 Android “Games” apps that may be directed to
children under 13. Assuming 5% of those apps operate in ways that bring their developers
within the ambit of the final Rule amendments, at a general app-to-developer ratio of 3.8 apps
per developer, this yields approximately 30 developers (2,250 x .05 = 112.5; 112.5 ÷ 3.8 = 29.6).
Assuming that, as Commission staff observed in the iTunes App Store, approximately 35% of
developers of games that may be directed to children under the age of 13 also develop similar
education apps, 65% of the aforementioned 30 developers would not already have been counted
24
See supra note 21.
25
“App Store Metrics,” 148Apps.biz (accessed Nov. 14, 2012), available at http://148apps.bix/app-storemetrics.
26
“Android Statistic Top Categories,” AppBrain (accessed Nov. 15, 2012), available at
http://www.appbrain.com/stats/android-market-app-categories (total calculated by adding the number of apps
in each “Games” subcategory).
9
�in the previous tally of educational app developers. This calculation yields an estimate of
approximately 19 additional developers of Android games apps primarily directed to children
under 13 that likely are covered by the final Rule amendments.
Similarly, for Android “Entertainment” apps, Commission staff reviewed listings of the
Top 216 Paid and Top 216 Free “Entertainment” apps in the Google Play store as of midNovember 2012. Staff believes that approximately 2% of them may be directed to children
under 13. Two percent of 67,000 apps27 yields about 1,340 Android “Entertainment” apps that
may be directed to children under 13. Assuming 5% of those apps operate in ways that bring
their developers within the ambit of the final Rule amendments, at a general app-to-developer
ratio of 3.8 apps per developer, this yields approximately 18 developers (1,340 x .05 = 67; 67 ÷
3.8 = 17.63). Assuming that, as Commission staff observed with regard to the iTunes App Store,
approximately 84% of developers of entertainment apps that may be directed to children under
the age of 13 also develop similar education and game apps, 16% of the aforementioned 18
developers would not already have been counted in the prior tally of educational and game app
developers. This calculation yields an estimate of approximately 3 additional developers of
Android entertainment apps primarily directed to children under 13 that likely are covered by the
final Rule amendments.
Thus, the FTC estimates that approximately 1,660 mobile app developers (1,552 for
iTunes and Android education apps + 78 for iTunes games apps + 4 for iTunes entertainment
apps + 19 for Android games apps + 3 for Android entertainment apps = 1,656) are existing
operators of websites or online services that will be covered by the final Rule amendments. The
FTC’s 2011 NPRM PRA estimate of 2,000 existing operators already covered by the Rule and
its 2012 SNPRM PRA estimate of 500 newly covered existing operators,28 however, already
partially accounted for these mobile app developers because these estimates covered all types of
operators subject to COPPA, including mobile app developers. As discussed above, comments
on the FTC staff’s estimate of the number of existing operators focused almost entirely on an
asserted understatement of the number of mobile app developers that would be covered by the
final Rule amendments. The estimate otherwise was not contested. Thus, the total numbers of
mobile app developers set forth herein must be substituted for the total (unspecified) number of
mobile app developers subsumed within the 2011 NPRM and 2012 SNPRM PRA estimates.
The Commission believes it is reasonable to substitute the above-noted estimate of 1,660
mobile app developers for half, i.e., 1,250, of the 2,500 existing operators previously estimated
to be “covered” and “newly covered” by the 2011 NPRM and 2012 SNPRM PRA estimates.
Based on its experience, the Commission believes that half – if not more – of the existing
operators currently covered by the Rule already develop or publish mobile apps. The remaining
1,250 operators would account for traditional website and other online service providers that are
not mobile app developers, as well as plug-in developers and advertising networks that could be
27
Id.
28
See 2011 NPRM, 76 Fed. Reg. at 59,812, 59,813; 2012 SNPRM, 77 Fed. Reg. at 46,649.
10
�covered by the “actual knowledge” standard.29 Thus, combining these totals (1,660 + 1,250)
yields a total of 2,910 operators of existing websites or online services that would likely be
covered by the final Rule amendments.
(2) New Operators
The Commission received one comment asserting that the Commission significantly
underestimated the number of new operators per year that will be covered by the proposed Rule
amendments. One commenter, the moderator of an online group called “Parents With Apps,”
stated that this group of more than 1,400 small developers of family-friendly apps grows by at
least 100 new developers every six months.30 This would constitute an annual growth rate of
nearly 15% (200 new developers per year divided by 1,400 developers in the group = 0.1429).
Although the Commission believes this rate of increase is due, at least in part, to increased
awareness among developers of the group’s existence rather than growth in the number of new
developers, the Commission concludes it is reasonable to incorporate this information into its
revised estimate. Assuming a base number of 1,660 existing mobile app developers estimated to
be covered by the final Rule amendments, a 15% growth rate would yield, year-over-year after
three years, an additional 864 new developers, or approximately 290 per year averaged over a
prospective three-year clearance (1,660 x 1.15 = 1,909; 1,909 x 1.15 = 2,195; 2,195 x 1.15 =
2,524; 2,524 - 1,660 = 864; 864 ÷ 3 = 288).31
Bureau of Labor Statistics (“BLS”) projections suggest a much more modest rate of
growth. BLS has projected that employment of software application developers will increase
28% between 2010 and 2020.32 Assuming 10% of that total 28% growth would occur each year
of the ten-year period, and a base number of 1,660 existing mobile app developers, one can
derive an increase of approximately 46 (1,660 x 0.028 = 46.48) new mobile app developers per
year on average that will be covered by the final Rule amendments. Combining the average
based on the annual growth rate of Parents With Apps and that based on the BLS software
application developer growth projection yields an increase of approximately 168 (290 + 46 =
29
Disclosure burdens do not increase when taking into account plug-in developers and advertising networks
with actual knowledge because the burden will fall on either the primary-content site or the plug-in, but need
not fall on both. They can choose to allocate the burden between them. The Commission has chosen to
account for the burden via the primary-content site or service because it would generally be the party in the
best position to give notice and obtain consent from parents.
30
S. Weiner (comment 97, 2012 SNPRM), at 1-2.
31
See also Association for Competitive Technology (comment 5, 2011 SNPRM), at 2 (“total unique apps
across all platforms continue to grow beyond the one million mark” since Apple’s 2008 launch of its App
Store; “[t]he mobile app marketplace has grown to a five billion dollar industry from scratch in less than four
years.”).
32
Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2012-13 Edition,
Software Developers, http://www.bls.gov/ooh/computer-and-information-technology/software-developers.htm
(visited November 16, 2012).
11
�336; 336 ÷ 2 = 168) new mobile app developers per year on average that will be covered by the
proposed Rule amendments.
As with its previous estimates of existing developers, mobile app developers were
already included in the Commission’s 2011 NPRM PRA estimate of 100 new operators and the
Commission’s 2012 SNPRM PRA estimate of 125 additional new operators per year. As noted
above, the Commission’s 2011 NPRM and 2012 SNPRM PRA estimates of new operators were
contested only as they relate to their estimation of new mobile app developers. Thus, the total
number of new mobile app developers set forth herein should replace the total (unspecified)
number of new mobile app developers subsumed within the 2011 NPRM and 2012 SNPRM
PRA estimates.
The Commission believes it is reasonable to substitute the above-noted estimate of 168
mobile app developers for half, i.e., 113, of the 225 new operators previously estimated to be
covered by the 2011 NPRM and 2012 SNPRM PRA estimates. The remainder of the prior
estimates would account for new website and other online service providers other than new
mobile app developers, as well as new plug-in developers and advertising networks that could be
covered by the “actual knowledge” standard. Thus, combining these totals (168 + 113 = 281)
yields a total of approximately 280 new operators per year (over a prospective three-year
clearance) of websites or online services that would likely be covered by the final Rule
amendments. Under the existing OMB clearance for the pre-amended Rule, however, the FTC
had already accounted for an estimated 100 new operators each requiring approximately 60
hours to comply with the Rule. See 76 Fed. Reg. 7211, 7212 (Feb. 9, 2011); 76 Fed. Reg.
31,334, 31,335 (May 31, 2011). Thus, to avoid double-counting what has already been
submitted to OMB and cleared, the ensuing calculations for new operators’ disclosure burden
account strictly for the difference between the revised population estimate (280) and the
currently cleared estimate (100), i.e., 180 additional new operators.
b. Comments Regarding Estimated Disclosure Hours/FTC Disposition
(1) New Operators’ Disclosure Burden
Under the existing OMB clearance for the Rule, the FTC has estimated that new
operators will each spend approximately 60 hours to craft a privacy policy, design mechanisms
to provide the required online privacy notice and, where applicable, direct notice to parents in
order to obtain verifiable consent. Several commenters noted that this 60-hour estimate failed to
take into account accurate costs of compliance with the Rule, but they did not provide the
Commission with empirical data or specific evidence on the number of hours such activities
12
�require.33 The Toy Industry Association (“TIA”)34 asserts that the Commission underestimated
the number of hours shown in the 2011 NPRM and 2012 SNPRM PRA calculations,35 and that
“[d]epending on the FTC’s final revisions to the COPPA Rule, the time it takes to implement
technological changes could more than triple the Commission’s 60-hour estimate.”36 These
assertions appear to be based primarily on TIA’s concern that the FTC’s estimate did not include
costs “of ‘ensuring’ security procedures of third parties, securing deletion, managing parental
consents, or updating policies to disclose changes in ‘operators.’ In addition, the FTC seems to
reference only top level domains and, as such, its estimates for implementation of new verifiable
parental consent requirements are very low.”37 TIA states that “the additional processes and
procedures mandated under the revised proposed Rule will potentially include privacy policy
and operational changes, with related resource-intensive measures, such as organizational
management and employee training.”38 Moreover, TIA suggests that changes proposed in the
2011 NPRM to the treatment of screen or user names would entail “enormous” costs that the
FTC did not quantify.39
Substantially all of TIA’s concerns about understated burden estimates relate to proposed
requirements that the Commission has ultimately determined not to adopt. For example, the
final Rule amendments to Section 312.8 do not require operators to “ensure” that third-parties
secure information, but that they “take reasonable steps” to release children’s information only
to third parties capable of maintaining it securely and provide assurances that they will do so.
The Commission is not eliminating the “single operator designee” proviso of the Rule’s online
notice requirement. It is not eliminating email plus as an acceptable consent method for
33
See N. Savitt (comment 142, 2011 NPRM), at 1; National Cable and Telecommunications Association
(comment 113, 2011 NPRM), at 23-24.
34
TIA contends that in the 2012 SNPRM, the Commission “disregarded the empirical economic input”
regarding compliance costs that TIA had submitted in response to the 2011 NPRM, including hour and labor
cost estimates. Toy Industry Association (comment 89, 2012 SNPRM), at 16. Although the Commission did
not discuss TIA’s 2011 comments in the SNPRM – which focused on the potential incremental compliance
cost changes that the Commission anticipated would flow from certain newly proposed Rule amendments – it
has considered TIA’s 2011 and 2012 comments on compliance costs as discussed herein.
35
Toy Industry Association (comment 89, 2012 SNPRM), at 16-17; Toy Industry Association (comment 163,
2011 NPRM), at 17-18; see also Direct Marketing Association (comment 28, 2012 SNPRM), at 17.
36
Toy Industry Association (comment 163, 2011 NPRM), at 18.
37
Id. at 17. Also with specific regard to potential costs associated with obtaining and verifying parental
consent, TIA estimates that dedicating employees specifically to this task would, if the FTC were to require a
“scanned form type of control regime,” require additional salary and benefit costs. Id. at 18.
38
Id. at 17.
39
Id. at 18.
13
�operators collecting personal information only for internal use.40 The Commission determined to
treat screen names as personal information only in those instances in which a screen or user
name rises to the level of online contact information.41 Thus, in the Commission’s view, TIA’s
suggested increase to the above-noted estimate of 60 hours for compliance is not warranted.42
Applying, then, the 60 hours estimate to the portion of new operators not accounted for in
the FTC’s previously cleared burden totals yields a cumulative total of 10,800 hours (180 new
operators x 60 hours each).
(2) Existing Operators’ Disclosure Burden
The final Rule amendments will not impose ongoing incremental disclosure time per
entity, but, as noted above, would result in an estimated 2,910 existing operators covered by the
Rule. These entities will have a one-time burden to re-design their existing privacy policies and
direct notice procedures that would not carry over to the second and third years of a prospective
three-year OMB clearance under the PRA. Commission staff believes that an existing operator’s
time to make these changes would be no more than that for a new entrant crafting its online and
direct notices for the first time, i.e., 60 hours. Annualized over three years of a prospective
clearance,43 this amounts to 20 hours ((60 hours + 0 + 0) ÷ 3) per year. Aggregated for the
estimated 2,910 existing operators that would be subject to the Rule, annualized disclosure
burden would be 58,200 hours per year.
c. Reporting Burden
The Commission received no comments on its analysis of and estimates for reporting
burden.
40
Furthermore, the requirement to obtain parental consent is not a collection of information under the PRA.
41
This change also appears to moot the National Cable and Telecommunications Association’s concern that
operators would be faced with substantial costs if “forced to redesign” websites to eliminate the use of unique
screen or user names. National Cable and Telecommunications Association (comment 113, 2011 NPRM), at
23 n.69.
42
TIA cites, for example, the potential cost of needing to “develop communication tools and respond to
complaints from parents who may mistakenly believe that companies are altering data collection practices. . .
.” Toy Industry Association (comment 163, 2011 NPRM), at 18. This speculative cost does not relate to any
“information collection requirement” in the final Rule amendments.
43
TIA states that this first-year cost associated with compliance should not be “amortized” over three years.
Toy Industry Association (comment 89, 2012 SNPRM), at 17. But, TIA fails to recognize that agencies
routinely seek up to three years of clearance from OMB, 44 U.S.C. § 3507(g), and are to present an estimate of
annual burden thereby warranting such averaging or “amortizing” reflective of the term of requested
clearance. See 5 C.F.R. § 1320.5(a)(1)(iv)(B).
14
�d. Comments Regarding Estimated Labor Costs44/FTC Disposition
The Commission assumes that the time spent on compliance for new operators and
existing operators covered by the final Rule amendments would be apportioned five to one
between legal (lawyers or similar professionals) and technical (e.g., computer programmers,
software developers, and information security analysts) personnel.45 In the 2012 SNPRM, based
on BLS compiled data, FTC staff assumed for compliance cost estimates a mean hourly rate of
$180 for legal assistance and $42 for technical labor support.46 These estimates were challenged
in the comments.
TIA asserts that the Commission underestimates the labor rate for lawyers used in the
Commission’s 2011 NPRM and 2012 SNPRM compliance cost calculations.47 Given the
comments received, the Commission believes it appropriate to increase the estimated mean
hourly rate of $180 for legal assistance used in certain of the Commission’s 2011 NPRM and
2012 SNPRM compliance cost calculations. TIA stated in its 2011 comment that the “average
rates” of “specialized attorneys who understand children’s privacy and data security laws” with
whom its members typically consult are “2-3 times the Commission’s estimates” of $150 per
hour set forth in the 2011 NPRM.48 TIA reiterated this information in its 2012 comment49 and
added: “According to The National Law Journal’s 2011 annual billing survey, the average
hourly firm-wide billing rate (which combines partner and associate rates) ranges from $236 to
44
The comments on labor costs relate solely to the requirements associated with notice.
45
See 76 Fed. Reg. 7211, 7212-7213 (Feb. 9, 2011); 76 Fed. Reg. 31,334, 31,335 n. 1 (May 31, 2011) (FTC
notices for renewing OMB clearance for the COPPA Rule).
46
As explained in the 2012 SNPRM, “[t]he estimated rate of $180 is roughly midway between [BLS] mean
hourly wages for lawyers ($62.74) in the most recent annual compilation available online [as of August 2012]
and what Commission staff believes more generally reflects hourly attorney costs ($300) associated with
Commission information collection activities.” 77 Fed. Reg. at 46,651, n.54. This estimated rate was an
upward revision of the Commission’s estimate of $150 per hour used in the 2011 NPRM. See 76 Fed. Reg. at
59,827 n.204 and accompanying text. The estimated mean hourly wages for technical labor support ($42) is
based on an average of the salaries for computer programmers, software developers, information security
analysts, and web developers as reported by the BLS. See National Occupational and Wages - May 2011,
available at http://www.bls.gov/news.release/archives/ocwage_03272012.pdf.
47
Toy Industry Association (comment 89, 2012 SNPRM), at 16; Toy Industry Association (comment 163,
2011 NPRM), at 17.
48
Toy Industry Association (comment 163, 2011 NPRM), at 17. See also National Cable and
Telecommunications Association (comment 113, 2011 NPRM), at 23 n.70 (“NCTA members typically consult
with attorneys who specialize in data privacy and security laws and whose average rates are 2-3 times the
Commission’s [2011 NPRM] estimates [of $150 per hour].”).
49
Toy Industry Association (comment 89, 2012 SNPRM), at 18.
15
�$633, not taking into account any area of specialization.”50 While the Commission believes
TIA’s information provides useful reference points, it does not provide an adequate basis for
estimating an hourly rate for lawyers for compliance cost calculation purposes.
As an initial matter, the Commission notes that TIA has cited a range of average hourly
rates that its members pay for counsel, not a single average hourly rate, and it did not submit the
underlying data upon which those average rate calculations were based. The range of average
hourly rates TIA stated that its members typically pay (i.e., $300-$450 per hour) may include
some unusually high or low billing rates that have too much influence on the arithmetic means
for those averages to be representative of the rates operators are likely to have to pay.51 Without
more information about the distribution of the underlying rates factored into each average, or the
distribution of the averages within the cited range, TIA’s information is of limited value.
Likewise, as TIA’s comments appear to implicitly recognize, routine COPPA compliance
counseling would likely be performed by a mix of attorneys billed at a range of hourly rates.
Unfortunately, the information submitted in TIA’s comments does not indicate how that
workload is typically apportioned as between “high-level partner[s]” whose “support” is required
for “complex” COPPA compliance matters and other, less senior, attorneys at a law firm. The
National Law Journal survey the TIA cites is also a useful reference point, but it is a nonscientific survey of the nation’s 250 largest law firms52 that are located predominantly in major
metropolitan areas.53 Beyond the range of average hourly firm-wide billing rates that TIA cites,
the survey states that the average firm-wide billing rate (partners and associates) in 2011 was
$403, the average partner rate was $482, and the average associate rate was $303.
The Commission believes it reasonable to assume that the workload among law firm
partners and associates for COPPA compliance questions could be competently addressed and
efficiently distributed among attorneys at varying levels of seniority, but would be weighted
most heavily to more junior attorneys. Thus, assuming an apportionment of two-thirds of such
work is done by associates, and one-third by partners, a weighted average tied to the average
50
Id., at 10 (citation omitted).
51
See Federal Judicial Center, Reference Manual on Scientific Evidence (3rd Ed.), David H. Kay and David A.
Freedman, Reference Guide on Statistics at 238 (“[t]he mean takes account of all the data – it involves the
total of all the numbers; however, particularly with small datasets, a few unusually large or small observations
may have too much influence on the mean.”).
52
Toy Industry Association (comment 89, 2012 SNPRM), at 19. Fifty-one law firms supplied the average
rate information used in the survey’s tabulation, “A nationwide sampling of law firm billing rates,” to which
the TIA appears to refer.
53
The Commission recognizes that many attorneys who specialize in COPPA compliance and data security
law often work at large law firms located in major metropolitan areas. However, just as the nature of online
technology and the mobile marketplace allow operators to live almost anywhere, see Association for
Competitive Technology (comment 5, 2011 NPRM), at 2 (the “nature of this industry allows developers to
live almost anywhere”), it also allows them to seek the counsel of competent lawyers practicing anywhere in
the United States.
16
�firm-wide associate and average firm-wide partner rates, respectively, in the National Law
Journal 2011 survey would be about $365 per hour. The Commission believes that this rate –
which is very near the mean of TIA’s stated range of purported hourly rates that its members
typically pay to engage counsel for COPPA compliance questions – is an appropriate measure to
calculate the cost of legal assistance for operators to comply with the final Rule amendments.54
TIA also states that the 2012 SNPRM estimate of $42 per hour for technical support is
too low, and that engaging expert technical personnel can, on average, involve hourly costs that
range from $72 to $108.55 Similar to TIA’s hours estimate, discussed above, the Commission
believes that TIA’s estimate may have been based on implementing requirements that,
ultimately, the Commission has determined not to adopt. For example, technical personnel will
not need to “ensure” the security procedures of third parties; operators that have been eligible to
use email plus for parental consents will not be required to implement new systems to replace it.
It is unclear whether TIA’s estimate for technical support is based on the types of disclosurerelated tasks that the final Rule amendments would actually require, other tasks that the final
Rule amendments would not require, or non-disclosure tasks not covered by the PRA.
Moreover, unlike its estimate for lawyer assistance, TIA’s estimates for technical labor are not
accompanied by an adequate explanation of why estimates for technical support drawn from
BLS statistics are not an appropriate basis for the FTC’s PRA analysis. Accordingly, the
Commission believes it is reasonable to retain the 2012 SNPRM estimate of $42 per hour for
technical assistance based on BLS data.
(9) Payments or Gifts to Respondents
Not applicable.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission is seeking OMB approval do not involve
collection or disclosure of confidential information but, rather, notice of information practices by
website and online service operators to the public and specifically to parents of children from
whom personal information is sought to be collected.
54
Cf. Civil Division of the United States Attorney’s Office for the District of Columbia, United States
Attorney’s Office, District of Columbia, Laffey Matrix – 2003-2013, available at
http://www.justice.gov/usao/dc/divisions/Laffey_Matrix_2003-2013.pdf (updated “Laffey Matrix” for
calculating “reasonable” attorneys fees in suits in which fee shifting is authorized can be evidence of
prevailing market rates for litigation counsel in the Washington, DC area; rates in table range from $245 per
hour for most junior associates to $505 per hour for most senior partners).
55
Toy Industry Association (comment 89, 2012 SNPRM), at 18.
17
�(12) Estimated Annual Hours Burden and Associated Labor Cost56
a. Annual Hours Burden: 69,720 hours
Estimating PRA burden of the final Rule amendments’ requirements depends on various
factors, including the number of entities operating websites or online services directed to
children or having actual knowledge that they are collecting or maintaining personal information
from children, and the number of such firms that collect persistent identifiers for something
other than support for the internal operations of their websites or online services.
(1) Number of Affected Entities
Existing operators:
New Operators:
Safe harbors:
2,910 (per item #8 above)
180 (net of existing clearance)
5 existing; 1 new applicant per clearance cycle
(2) Recordkeeping Requirements: 0 hours
The amendments to the Rule’s definitions do not impose any incremental recordkeeping
costs on operators, nor do they affect the Rule’s existing recordkeeping requirements for safe
harbors. Moreover, FTC staff believes that most of the records listed in the Rule’s pre-existing
safe harbor recordkeeping provisions consist of documentation that such parties have kept in the
ordinary course of business irrespective of the Rule.57 Any incremental burden, such as that for
maintaining the results of independent assessments under section 312.11(d), would be, in staff’s
view, marginal.
(3) Disclosure Requirements: 69,000 hours
(i) New Operators
Under the existing OMB clearance for the Rule, the Commission has already accounted
for the time that new operators will spend to craft a privacy policy (approximately 60 hours per
operator), design mechanisms to provide the required online privacy notice and, where
applicable, direct notice to parents in order to obtain verifiable consent. The modifications to the
Rule’s definitions should not add to the burden for new operators, individually. Applying,
56
This discussion and the associated PRA burden estimates focus strictly on the effects of the Rule
amendments, incremental to the FTC’s current OMB clearance for the pre-amended Rule under Control No.
3084-0117.
57
Under 5 C.F.R. § 1320.3(b)(2), OMB excludes from the definition of PRA “burden” the time and financial
resources needed to comply with agency-imposed recordkeeping, disclosure, or reporting requirements that
customarily would be undertaken independently in the normal course of business. Thus, on further reflection,
the FTC has determined not to include recordkeeping costs for safe harbors as it did in the 2011 NPRM PRA
analysis.
18
�however, the portion of new operators not accounted for in the FTC’s previously cleared burden
totals, 180, to the continuing estimate of 60 hours per year yields an increment of 10,800 hours.
(ii) Existing Operators
The final Rule amendments will not impose ongoing incremental disclosure time per
entity, but, as noted above, would result in an estimated 2,910 existing operators covered by the
Rule. These entities will have a one-time burden to re-design their existing privacy policies and
direct notice procedures that would not carry over to the second and third years of a prospective
three-year OMB clearance under the PRA. Commission staff believes that an existing operator’s
time to make these changes would be no more than that for a new entrant crafting its online and
direct notices for the first time, i.e., 60 hours. Annualized over three years of a prospective
clearance, this amounts to 20 hours ((60 hours + 0 + 0) ÷ 3) per year. Aggregated for the
estimated 2,910 existing operators that would be subject to the Rule, annualized disclosure
burden would be 58,200 hours per year.
(4) Reporting Requirements: 720 hours
(i) One-time: 120 hours, annualized
The final Rule amendments do not impose reporting requirements on operators; they do,
however, for safe harbor programs. Under the FTC’s already cleared estimates,
pre-amendments, staff projected that each new safe harbor program applicant would require 265
hours to prepare and submit its safe harbor proposal. The final Rule amendments, however,
require a safe harbor applicant to submit a more detailed proposal than what the Rule, prior to
such amendments, mandated. Existing safe harbor programs will thus need to submit a revised
application and new safe harbor applicants will have to provide greater detail than they would
have under the original Rule. The FTC estimates this added information will entail
approximately 60 additional hours for each new, and each existing, safe harbor to prepare.
Accordingly, for this added one-time preparation, the aggregate incremental burden is 60 hours
for the projected one new safe harbor program per three-year clearance cycle and 300 hours,
cumulatively, for the five existing safe harbor programs. Annualized for an average single year
per three-year clearance, this amounts to 20 hours for one new safe harbor program, and 100
hours for the existing five safe harbor programs; thus, cumulatively, the burden is 120 hours.
(ii) Recurring: 600 hours per year
The final Rule amendments require safe harbor programs to audit their members at least
annually and to submit annual reports to the Commission on the aggregate results of these
member audits. As such, this will increase currently cleared burden estimates pertaining to safe
harbor applicants. The burden for conducting member audits and preparing these reports likely
will vary for each safe harbor program depending on the number of members. Commission staff
estimates that conducting audits and preparing reports will require approximately 100 hours per
program per year. Aggregated for one new safe harbor (100 hours) and five existing (500 hours)
safe harbor programs, this amounts to an increased disclosure burden of 600 hours per year.
19
�b. Associated Labor Costs: $21,508,900
(1) Disclosure-related
For the 180 new operators per year not previously accounted for under the FTC’s
currently cleared estimates, 10,800 cumulative disclosure hours would be composed of 9,000
hours of legal assistance and 1,800 hours of technical support. Applied to hourly rates of $365
and $42, respectively, associated labor costs for the 180 new operators potentially subject to the
Rule amendments would be $3,360,600 (i.e., $3,285,000 for legal support plus $75,600 for
technical support).
Similarly, for the estimated 2,910 existing operators covered by the final Rule
amendments, 58,200 cumulative disclosure hours would consist of 48,500 hours of legal
assistance and 9,700 hours for technical support. Applied at hourly rates of $365 and $42,
respectively, associated labor costs would total $18,109,900 (i.e., $17,702,500 for legal support
plus $407,400 for technical support). Cumulatively, estimated labor costs for new and existing
operators subject to the final Rule amendments is $21,470,500.
(2) Reporting-related
The Commission staff assumes that the tasks to prepare augmented safe harbor program
applications occasioned by the final Rule amendments will be performed primarily by lawyers,
at a mean labor rate of $180 an hour.58 Thus, applied to an assumed industry total of 120 hours
per year for this task, incremental associated annualized labor costs would total $21,600.
The Commission staff assumes annual reports will be prepared by compliance officers, at
a labor rate of $28 per hour.59 Applied to an assumed industry total of 600 hours per year for this
task, associated yearly labor costs would be $16,800.
58
Based on Commission staff’s experience with previously approved safe harbor programs, staff anticipates
that most of the legal tasks associated with safe harbor programs will be performed by in-house counsel. Cf.
Toy Industry Association (comment 89, 2012 SNPRM), at 19 (regional BLS statistics for lawyer wages can
support estimates of the level of in-house legal support likely to be required on an ongoing basis). Moreover,
no comments were received in response to the February 9, 2011 and May 31, 2011 Federal Register notices
(76 Fed. Reg. 7211 and 76 Fed. Reg. 31,334, respectively, available at
http://www.gpo.gov/fdsys/pkg/FR-2011-02-09/pdf/2011-2904.pdf and
http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13357.pdf) which assumed a labor rate of $150 per
hour for lawyers or similar professionals to prepare and submit a new safe harbor application. Nor was that
challenged in the comments responding to the 2011 NPRM.
59
See Bureau of Labor Statistics National Compensation Survey: Occupational Earnings in the United States,
2010, at Table 3, available at http://www.bls.gov/ncs/ocs/sp/nctb1477.pdf. This rate has not been contested.
20
�(13) Estimated Capital/Other Non-Labor Costs Burden
Because both operators and safe harbor programs will already be equipped with the
computer equipment and software necessary to comply with the Rule’s new notice requirements,
the final Rule amendments should not impose any additional capital or other non-labor costs.60
(14) Cost to the Federal Government
The Commission anticipates that the amendments’ definitional changes will cover
additional existing operators and new operators. More FTC staff will be necessary for
educational and enforcement activities as a consequence. The amendments also create new
voluntary Commission approval processes for parental consent methods not currently
enumerated in Section 312.5(b), and for additional activities to be included within the definition
of support for internal operations. The Commission will be required to seek public comment on
these requests for approval and issue written determinations thereon. Because use of this
approval process is voluntary, however, staff expects that few entities will file requests. The
amendments also require existing safe harbor programs to provide additional information in
annual reports to the Commission that FTC staff will be required to evaluate. Staff estimates
that the incremental cost to the FTC to administer the final Rule amendments, collectively, will
consist of approximately 2 attorney/investigator work years at roughly $275,000 per year. This
cost is incremental to the FTC’s most recently cleared estimates of costs to the agency to
implement the Rule ($425,000). As before, clerical and other support services are included in
the cost estimate.
(15) Program Changes or Adjustments
The changes to the definitions of “operator” and “website or online service directed to
children” will potentially increase the number of operators subject to the Rule. The changes to
the definition of “personal information” would expand the definition to encompass additional
types of information and thereby potentially increase the number of operators subject to the
Rule. The Rule amendments require a safe harbor applicant to submit a more detailed proposal
than what the current Rule mandates. Existing safe harbor programs will thus need to submit a
revised application and new safe harbor applicants will have to provide greater detail than they
would under the current Rule.
The cumulative estimated incremental burden, annualized, for the above-noted Rule
60
The National Cable and Telecommunications Association commented that the Commission failed to
consider costs “related to redeveloping child-directed websites” that operators would be “forced” to incur as a
result of the proposed Rule amendments, including for “new equipment and software required by the
expanded regulatory regime.” National Cable and Telecommunications Association (comment 113, 2011
NPRM), at 23. Similarly, TIA commented that the proposed Rule amendments would entail “increased
monetary costs with respect to technology acquisition and implementation. . . .” Toy Industry Association
(comment 163, 2011 NPRM), at 17. These comments, however, do not specify projected costs, or which
Rule amendments would entail the asserted costs.
21
�amendments, including increased estimates of the number of operators affected, is 69,720 hours
and $21,508,900 in associated labor costs.
(16) Plans for Tabulation and Publication
Not applicable.
17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.
22
�
| File Type | application/pdf |
| File Title | H:\COPPA 2011-2012 rulemaking\COPPA Final Rule Suppl. Supptg Stmt_mtd.wpd |
| Author | ggreenfield |
| File Modified | 2012-12-21 |
| File Created | 2012-12-21 |