• Regulatory Advocacy Reports
• Comment Calls
• Comment Letters
• Final Rule Analyses
• NCUA Board Meetings
• Regulatory Advocacy Podcasts
• Additional Resources
• Regulatory Advocacy Home

CUNA Regulatory Comment Call

March 23, 2005

FTC Reviews Rules Under the Children’s Online Privacy Protection Act

EXECUTIVE SUMMARY

• In 1999, the Federal Trade Commission (FTC) issued rules implementing the Children’s Online Privacy Protection Act (COPPA) that prohibit certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet. Click below for CUNA’s Final Rule Analysis for more information about the COPPA rules:
  
  http://www.cuna.org/reg_advocacy/member/analysis/ftc_091901.html
• COPPA requires the FTC to now initiate a review of these rules to evaluate their implementation and to issue the results in a report to Congress. The FTC has issued a request for public comment that is intended to help the FTC in this review.
• At the time the rules were issued, questions were raised as to whether COPPA applied to credit unions based on language that could be interpreted to exempt nonprofit entities. The National Credit Union Administration (NCUA) has reviewed this issue and concluded that COPPA applies to credit unions. NCUA has the enforcement authority for federal credit unions. FTC would have enforcement authority for state-chartered credit unions, but FTC staff has indicated to CUNA in the past that they believe COPPA does not apply to credit unions.
• Comments on this request are due by June 27, 2005. Please submit your comments to CUNA by June 15, 2005. If you provide comments directly to the FTC, please refer to "COPPA Rule Review 2005, Project No. P054505."

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Senior Vice President and Associate General Counsel Mary Dunn at mdunn@cuna.coop and to Senior Assistant General Counsel Jeff Bloch at jbloch@cuna.coop; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the request for comment or you may access it on the Internet at the following address:

http://www.ftc.gov/os/2005/04/050420coppacomments.pdf

DESCRIPTION OF THE REQUEST FOR COMMENT

In 1999, the FTC issued rules implementing COPPA, which prohibits certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet. The rules impose certain requirements on operators of websites or online services directed to children under the age of 13 and on operators of other websites or online services that have actual knowledge that they are collecting personal information from children under the age of 13.

The rules require the following:

• Notice to parents regarding collection of personal information from children under the age of 13.
• That parents provide consent before the information is collected, used, or disclosed. The rules include certain exceptions to this prior consent requirement.
• The ability for parents to review the information that is collected, used, or disclosed.
• The ability for parents to prevent further use of information that has been collected and further collection of additional information.
• That collection of personal information for a child’s participation in a game or activity be limited to information that is reasonably necessary.
• Procedures to protect the confidentiality and security of personal information that is collected.

At the time the rules were issued, the FTC adopted a "sliding scale" approach to the parental consent requirements, in that the measures required for obtaining parental consent vary depending on how a website operator uses the child’s information. To reflect possible changes in technology, this approach was due to expire in 2002 but has been extended since then, and the FTC has now extended the "sliding scale" approach until the FTC reviews the COPPA rules pursuant to this notice.

The FTC has recently requested comments as to whether the "sliding scale" approach should be made permanent. The FTC will consider those comments as part of this review of the COPPA rules in their entirety. Click below for CUNA’s comments that were submitted in response to the earlier request:

http://www.cuna.org/reg_advocacy/comment_letters/cl_021505.html

Also, at the time the rules were issued, questions were raised as to whether COPPA applied to credit unions based on language that could be interpreted to exempt nonprofit entities. NCUA has reviewed this issue and concluded that COPPA applies to credit unions. NCUA has the enforcement authority for federal credit unions. FTC would have enforcement authority for state-chartered credit unions, but FTC staff has indicated to CUNA in the past that they believe COPPA does not apply to credit unions, although this position could change in the future.

COPPA requires the FTC to now initiate a review of the COPPA rules to evaluate the rules’ implementation and to issue the results in a report to Congress. This request for public comment is intended to help the FTC in this review. Although all comments with regard to the rules are welcome, the FTC has specifically requested responses on a number of issues, grouped in the following categories:

A. General Questions for Comment

• Are children's online privacy and safety at greater, lesser, or the same risk as existed before COPPA and the rules?
• Is there a continuing need for the rules as currently promulgated?
• Since the rules were issued, have changes in technology, industry, or economic conditions affected the need for or effectiveness of the rules?
• Do the rules include any provisions, not mandated by COPPA, that are unnecessary?
• What are the aggregate costs and benefits of the rules? Have the costs or benefits of the rules dissipated over time? Do the rules contain provisions, not mandated by COPPA, whose costs outweigh their benefits?
• What effect, if any, have the rules had on children, parents, or other consumers?
• How have the rules benefited children, parents, or other consumers? What have been the costs?
• What changes, if any, should be made to the rules to increase the benefits? What costs would these changes impose?
• What impact, if any, have the rules had on your operations? What have been the benefits and costs, including the costs of compliance?
• How many hours does it take to come into compliance with the rules? How many hours are spent each year to remain in compliance with the rules? How much does it cost to comply with the rules?
• What changes, if any, should be made to the rules to reduce the costs imposed on operators? How would those changes affect the rules’ benefits?
• Are there regulatory alternatives to the rules that might impose fewer costs yet still meet with COPPA's and the rules’ objective of protecting children's online privacy and safety?
• Do the rules overlap or conflict with other federal, state, or local government laws or regulations? If so, which ones, and how do they conflict and how should such conflicts be resolved?
• Are there any gaps where no federal, state, or local government law or regulation has addressed a problematic practice relating to children's online privacy?
• How have the rules affected practices relating to the collection and disclosure of information relating to children online?
• How have the rules affected children's ability to obtain access to information of their choice online?
• How have the rules affected the availability of Web sites or online services directed to children?

B. Definitions

• Do the definitions in the rules accomplish COPPA's goal of protecting children's online privacy and safety? Are they clear and appropriate? How can they be improved?
• Do the rules clearly define the factors to consider in determining whether a website or online service is directed to children? What additional factors should be considered? How should any of the current factors need to be clarified?
• Is the term "actual knowledge'' sufficiently clear? How can the term be clarified further? Does the situation in which children intentionally submit an incorrect age older than 12 on general audience Web sites continue to raise enforcement issues and how can these issues be addressed?
• Are there additional definitions that should be added to the rules? If so, what terms should be defined and how should they be defined?

C. Notice

• The rules require operators to provide notice of their information practices both online and directly to parents. These notices must inform parents about what information operators collect from children, how operators use such information, and their disclosure practices for such information. Have has the notice requirement been effective in protecting children's online privacy and safety?
• Do the benefits of the notice requirement outweigh its costs?
• What changes, if any, should be made to the notice requirement, including modifying the information required to be disclosed? What are the costs and benefits of these changes?

D. Verifiable Parental Consent

• The rules require operators to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including any material change to practices to which the parent previously consented. How has the consent requirement been effective in protecting children's online privacy and safety?
• Do the benefits of the consent requirements outweigh the costs to operators?
• What changes, if any, should be made to the consent requirement? What are the costs and benefits of these changes?
• Is the use of a credit card in combination with a transaction a reasonable means of verifying whether the person providing consent is the child's parent? Is the use of a credit card without a transaction a reasonable means of verifying whether the person providing consent is the child's parent? What about the use of a credit card without a transaction but with an additional step, such as verification of a mailing address or the use of a PIN number, to verify that a parent is providing consent? Does the availability of credit or debit cards to children under 13 years of age affect your opinion?

E. Right of Parent To Review Personal Information Provided by a Child

• The rules require operators to give parents, upon their request: (1) A description of the specific types of personal information collected from children; (2) the opportunity for the parent to refuse to permit the further use or collection of personal information from the child and direct the deletion of the information; and (3) a means of reviewing any personal information collected from the child. How have these requirements been effective in protecting children's online privacy and safety?
• Do the benefits of these requirements outweigh their costs?
• What changes, if any, should be made to these requirements? What are the costs and benefits of these changes?

F. Prohibition Against Conditioning a Child's Participation on Collection of Personal Information

• The rules prohibit operators from conditioning a child's participation in an activity on disclosing more personal information than is reasonably necessary to participate in such activity. How has the prohibition been effective in protecting children's online privacy and safety?
• Do the benefits of the prohibition outweigh its costs?
• What changes, if any, should be made to the prohibition? What are the costs and benefits of these changes?

G. Confidentiality, Security, and Integrity of Personal Information Collected From a Child

• The rules require operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child. How has this requirement been effective in protecting children's online privacy and safety?
• Do the benefits to consumers of this requirement outweigh its costs?
• What changes, if any, should be made to this requirement? What are the costs and benefits of these changes?
• Is the requirement that operators establish and maintain "reasonable procedures'' to protect children's information sufficiently clear? How can it be clarified?

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com Lilly Thomas • Assistant General Counsel • (202) 508-6733 • lthomas@cuna.com Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com