United States of America v. LAI Systems, LLC
Filing
9
AMENDED STIPULATED ORDER FOR PERMANENT INJUNCTION AND CIVIL PENALTY JUDGMENT 7 by Judge Andre Birotte Jr.: IT IS ORDERED that Defendant Lai Systems, LLC and Defendant's officers, agents, employees, and attorneys, and all other persons in activ e concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with being an operator of any website or online service directed to children or of any website or online servic e with actual knowledge that it is collecting or maintaining personal information from a child, are hereby permanently restrained and enjoined from violating the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312, etc. IT IS FURTHER ORDERED that Judgment in the amount of $60,000 is entered in favor of Plaintiff against Defendant as a civil penalty. See document for further details. (gk)
1
2
3
4
5
6
7
8
BENJAMEN C. MIZER
Principal Deputy Assistant Attorney General, Civil Division
JONATHAN F. OLIN
Deputy Assistant Attorney General
MICHAEL S. BLUME
Director, Consumer Protection Branch
ANDREW E. CLARK
Assistant Director, Consumer Protection Branch
Jacqueline Blaesi-Freed
jacqueline.m.blaesi-freed@usdoj.gov
United States Department of Justice
Consumer Protection Branch, Civil Division
P.O. Box 386
Washington, DC 20044
Telephone (202) 353-2809
Facsimile (202) 514-8742
9
10
11
12
Attorneys for Plaintiff
United States of America
IN THE UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
WESTERN DIVISION
13
UNITED STATES OF AMERICA,
No. 2:15-cv-9691
14
Plaintiff,
AMENDED STIPULATED ORDER
FOR PERMANENT INJUNCTION
AND CIVIL PENALTY JUDGMENT
15
v.
16
17
18
LAI SYSTEMS, LLC, a limited
liability company,
Defendant.
19
Plaintiff, the United States of America, acting upon notification and
20
authorization to the Attorney General by the Federal Trade Commission
1
1
(“Commission”), filed its Complaint for Civil Penalties, Permanent Injunction, and
2
Other Equitable Relief (“Complaint”), in this matter, pursuant to Sections 13(b),
3
16(a)(1), and 19, of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§
4
53(b), 56(a)(1), and 57b of the Children’s Online Privacy Protection Act
5
(“COPPA”), 15 U.S.C. §§ 6502(c) and 6505(d), and the Commission’s Children’s
6
Online Privacy Protection Rule (“COPPA Rule”), 16 C.F.R. Part 312. Defendant
7
has waived service of the summons and the Complaint. The parties have been
8
represented by the attorneys whose names appear hereafter. Plaintiff and
9
Defendant stipulate to the entry of this Stipulated Order for Permanent Injunction
10
and Civil Penalty Judgment (“Order”) to resolve all matters in dispute in this action
11
between them. This Order supersedes the Court’s prior order entered on December
12
21, 2015.
13
THEREFORE, IT IS ORDERED as follows:
14
FINDINGS
15
1.
This Court has jurisdiction over this matter.
16
2.
The Complaint charges that Defendant violated COPPA and the FTC Act by
17
failing to provide notice to parents of their information practices and failing to
18
obtain verifiable parental consent prior to allowing a third party to collect, use, or
19
disclose personal information of children on Defendant’s behalf.
20
2
1
3.
2
except as specifically stated in this Order. Only for purposes of this action,
3
Defendant admits the facts necessary to establish jurisdiction.
4
4.
5
Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through
6
the date of this Order, and agrees to bear its own costs and attorney fees.
7
5.
8
contest the validity of this Order.
Defendant neither admits nor denies any of the allegations in the Complaint,
Defendant waives any claim that it may have under the Equal Access to
Defendant and Plaintiff waive all rights to appeal or otherwise challenge or
9
DEFINITIONS
10
For the purpose of this Order, the following definitions apply:
11
A.
“Child” means an individual under the age of 13.
12
B.
“Collects” or “collection” means the gathering of any personal information
13
from a child by any means, including but not limited to:
14
1.
15
information online;
16
2.
17
20
Enabling a child to make personal information publicly available in
identifiable form; or
18
19
Requesting, prompting, or encouraging a child to submit personal
3.
C.
Passive tracking of a child online.
“Defendant” means LAI Systems, LLC, also d/b/a TapBlaze, a limited
liability company, and its successors and assigns.
3
1
D.
“Disclose or disclosure” means, with respect to personal information:
1.
2
The release of personal information collected by an operator from a
3
child in identifiable form for any purpose, except where an operator
4
provides such information to a person who provides support for the
5
internal operations of the website or online service; and
2.
6
Making personal information collected by an operator from a child
7
publicly available in identifiable form by any means, including but not
8
limited to a public posting through the Internet, or through a personal
9
home page or screen posted on a website or online service; a pen pal
10
service; an electronic mail service; a message board; or a chat room.
11
E.
“Internet” means collectively the myriad of computer and
12
telecommunications facilities, including equipment and operating software,
13
which comprise the interconnected world-wide network of networks that
14
employ the Transmission Control Protocol/Internet Protocol, or any
15
predecessor or successor protocols to such protocol, to communicate
16
information of all kinds by wire, radio, or other methods of transmission.
17
F.
“Obtaining verifiable consent” means making any reasonable effort (taking
18
into consideration available technology) to ensure that before personal
19
information is collected from a child, a parent of the child:
20
4
1
1.
2
and disclosure practices; and
3
2.
4
5
Receives notice of the operator’s personal information collection, use,
Authorizes any collection, use, and/or disclosure of the personal
information.
G.
“Online contact information” means an e-mail address or any other
6
substantially similar identifier that permits direct contact with a person
7
online, including but not limited to, an instant messaging user identifier, a
8
voice over internet protocol (VOIP) identifier, or a video chat user identifier.
9
H.
“Operator” means any person who operates a website located on the Internet
10
or an online service and who collects or maintains personal information from
11
or about the users of or visitors to such website or online service, or on
12
whose behalf such information is collected or maintained, or offers products
13
or services for sale through that website or online service, where such
14
website or online service is operated for commercial purposes involving
15
commerce among the several States or with one (1) or more foreign nations;
16
in any territory of the United States or in the District of Columbia, or
17
between any such territory and another such territory or any State or foreign
18
nation; or between the District of Columbia and any State, territory, or
19
foreign nation. Personal information is collected or maintained on behalf of
20
an operator when:
5
1
1.
2
operator; or
3
2.
4
information directly from users of such website or online service.
It is collected or maintained by an agent or service provider of the
The operator benefits by allowing another person to collect personal
5
I.
“Parent” includes a legal guardian.
6
J.
“Person” means any individual, partnership, corporation, trust, estate,
7
8
cooperative, association, or other entity.
K.
“Personal information” means individually identifiable information about an
9
individual collected online, including:
10
1.
A first and last name;
11
2.
A home or other physical address including street name and name of a
12
city or town;
13
3.
Online contact information;
14
4.
A screen or user name where it functions in the same manner as
15
online contact information;
16
5.
A telephone number;
17
6.
A Social Security number;
18
7.
A persistent identifier that can be used to recognize a user over time
19
and across different websites or online services. Such persistent
20
identifier includes, but is not limited to, a customer number held in a
6
1
cookie, an Internet Protocol (IP) address, a processor or device serial
2
number, or unique device identifier;
8.
3
A photograph, video, or audio file where such file contains a child’s
image or voice;
4
9.
5
6
Geolocation information sufficient to identify street name and name
of a city or town; or
10.
7
Information concerning the child or the parents of that child that the
8
operator collects online from the child and combines with an identifier
9
described in this definition.
10
L.
11
12
13
“Release of personal information” means the sharing, selling, renting, or
transfer of personal information to any third party.
M.
“Support for the internal operations of the website or online service” means
1.
Those activities necessary to:
14
a. Maintain or analyze the functioning of the website or online service;
15
b. Perform network communications;
16
c. Authenticate users of, or personalize the content on, the website or
17
18
19
20
online service;
d. Serve contextual advertising on the website or online service or cap
the frequency of advertising;
e. Protect the security or integrity of the user, website, or online service;
7
1
f. Ensure legal or regulatory compliance; or
2
g. Fulfill a request of a child as permitted by Section 312.5(c)(3) and (4)
3
of COPPA;
4
2.
So long as the information collected for these activities listed in 1(a) –
5
(g) is not used or disclosed to contact a specific individual, including
6
through behavioral advertising, to amass a profile on a specific
7
individual, or for any other purpose.
8
N.
9
“Third party” means any person who is not:
1.
10
An operator with respect to the collection or maintenance of personal
information on the website or online service; or
11
2.
A person who provides support for the internal operations of the
12
website or online service and who does not use or disclose information
13
protected under this part for any other purpose.
14
O.
“Website or online service directed to children” means a commercial
15
website or online service, or portion thereof, that is targeted to children.
16
ORDER
17
18
I.
INJUNCTION CONCERNING COLLECTION OF PERSONAL
INFORMATION FROM CHILDREN
19
IT IS ORDERED that Defendant and Defendant’s officers, agents,
20
employees, and attorneys, and all other persons in active concert or participation
8
1
with any of them, who receive actual notice of this Order, whether acting directly
2
or indirectly, in connection with being an operator of any website or online service
3
directed to children or of any website or online service with actual knowledge that
4
it is collecting or maintaining personal information from a child, are hereby
5
permanently restrained and enjoined from violating the Children’s Online Privacy
6
Protection Rule, 16 C.F.R. Part 312, including, but not limited to:
7
A.
8
to ensure that a parent of a child receives direct notice of Defendant’s practices
9
with regard to the collection, use, or disclosure of personal information from
10
children, including notice of any material change in the collection, use, or
11
disclosure practices to which the parent has previously consented;
12
B.
13
information practices with regard to children on the home or landing page or
14
screen of its website or online service, and at each area of the website or online
15
service where personal information is collected from children; and
16
C.
17
disclosure of personal information from children, including consent to any material
18
change in the collection, use, or disclosure practices to which the parent has
19
previously consented.
20
failing to make reasonable efforts, taking into account available technology,
failing to post a prominent and clearly labeled link to an online notice of its
failing to obtain verifiable parental consent before any collection, use, or
A copy of the Children’s Online Privacy Protection Rule is attached hereto as
9
1
Appendix A.
2
II.
MONETARY JUDGMENT FOR CIVIL PENALTY
IT IS FURTHER ORDERED that:
3
4
A.
Judgment in the amount of sixty thousand dollars ($60,000) is entered in
5
favor of Plaintiff against Defendant as a civil penalty.
6
B.
7
of the United States, sixty thousand dollars ($60,000), which, as Defendant
8
stipulates, its undersigned counsel holds in escrow for no purpose other than
9
payment to Plaintiff. Such payment must be made within seven (7) days of entry
10
of this Order by electronic fund transfer in accordance with instructions previously
11
provided by a representative of Plaintiff.
12
C.
13
interest in all assets transferred pursuant to this Order and may not seek the return
14
of any assets.
15
D.
16
proof, in any subsequent civil litigation by or on behalf of the Commission,
17
including in a proceeding to enforce its rights to any payment or monetary
18
judgment pursuant to this Order.
19
E.
20
Defendant must submit to the Commission, may be used for collecting and
Defendant is ordered to pay to Plaintiff, by making payment to the Treasurer
Defendant relinquishes dominion and all legal and equitable right, title, and
The facts alleged in the Complaint will be taken as true, without further
Defendant acknowledges that its Taxpayer Identification Number, which
10
1
reporting on any delinquent amount arising out of this Order, in accordance with
2
31 U.S.C. § 7701.
3
III.
ORDER ACKNOWLEDGMENTS
IT IS FURTHER ORDERED that Defendant obtain acknowledgments of
4
5
receipt of this Order:
6
A.
7
Commission an acknowledgment of receipt of this Order sworn under penalty of
8
perjury.
9
B.
10
of this Order to: (1) all principals, officers, directors, and managers; (2) all
11
employees, agents, and representatives having supervisory responsibilities relating
12
to the collection, retention, storage, or security of personal information, and to the
13
operation of any of Defendant’s websites or online services; and (3) any business
14
entity resulting from any change in structure as set forth in the Section titled
15
Compliance Reporting. Delivery must occur within seven (7) days of entry of this
16
Order for current personnel. To all others, delivery must occur before they assume
17
their responsibilities.
18
C.
19
Order, Defendant must obtain, within thirty (30) days, a signed and dated
20
acknowledgment of receipt of this Order.
Defendant, within seven (7) days of entry of this Order, must submit to the
For three (3) years after entry of this Order, Defendant must deliver a copy
From each individual or entity to which Defendant delivered a copy of this
11
1
IV.
2
COMPLIANCE REPORTING
IT IS FURTHER ORDERED that Defendant make timely submissions to
3
the Commission:
4
A.
5
report, sworn under penalty of perjury. In such report, Defendant must:
6
One year after entry of this Order, Defendant must submit a compliance
1.
identify the primary physical, postal, and email address and telephone
7
number, as designated points of contact, which representatives of the Commission
8
and Plaintiff may use to communicate with Defendant;
9
10
11
12
13
14
15
2.
identify all of Defendant’s businesses by all of their names, telephone
numbers, and physical, postal, email, and Internet addresses;
3.
describe the activities of each business, including the goods and
services offered, the means of advertising, marketing, and sales;
4.
describe in detail whether and how Defendant is in compliance with
each Section of this Order;
5.
provide a copy of each different version of any privacy notice posted
16
on each website or online service operated by Defendant or sent to parents of
17
children that register on each website or online service;
18
6.
provide a statement setting forth in detail the methods used to obtain
19
verifiable parental consent prior to any collection, use, and/or disclosure of
20
personal information from children;
12
1
7.
provide a statement setting forth in detail the means provided for
2
parents to review the personal information collected from their children and to
3
refuse to permit its further use or maintenance; and
4
8.
provide a copy of each Order Acknowledgment obtained pursuant to
5
this Order, unless previously submitted to the Commission.
6
B.
7
compliance notice, sworn under penalty of perjury, within fourteen (14) days of
8
any change in: (a) any designated point of contact; or (b) the structure of
9
Defendant or any entity that Defendant has any ownership interest in or controls
10
directly or indirectly that may affect compliance obligations arising under this
11
Order, including: creation, merger, sale, or dissolution of the entity or any
12
subsidiary, parent, or affiliate that engages in any acts or practices subject to this
13
Order.
14
C.
15
bankruptcy petition, insolvency proceeding, or similar proceeding by or against
16
Defendant within fourteen (14) days of its filing.
17
D.
18
penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746,
19
such as by concluding: “I declare under penalty of perjury under the laws of the
20
United States of America that the foregoing is true and correct. Executed on:
For ten (10) years after entry of this Order, Defendant must submit a
Defendant must submit to the Commission notice of the filing of any
Any submission to the Commission required by this Order to be sworn under
13
1
_____” and supplying the date, signatory’s full name, title (if applicable), and
2
signature.
3
E.
4
submissions to the Commission pursuant to this Order must be emailed to
5
DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:
6
Associate Director for Enforcement, Bureau of Consumer Protection, Federal
7
Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The
8
subject line must begin: United States v. LAI Systems, LLC.
9
Unless otherwise directed by a Commission representative in writing, all
V.
RECORDKEEPING
IT IS FURTHER ORDERED that Defendant must create certain records for
10
11
ten (10) years after entry of the Order, and retain each such record for five (5)
12
years. Specifically, Defendant must create and retain the following records:
13
A.
14
this Order, including all submissions to the Commission;
15
B.
16
personal information whether received directly or indirectly, such as through a
17
third party, and any response; and
18
C.
19
or otherwise provided by Defendant through which personal information is
20
collected, and a copy of each materially different document containing any
all records necessary to demonstrate full compliance with each provision of
copies of all consumer complaints relating to Defendant’s collection of
a copy of each materially different form, page, or screen created, maintained,
14
1
representation made directly or indirectly by Defendant regarding collection, use,
2
and disclosure practices pertaining to personal information. Each webpage copy
3
shall be accompanied by the URL of the webpage where the material was posted
4
online. Electronic copies shall include all text and graphics files, audio scripts, and
5
other computer files used in presenting information on the Internet. Provided,
6
however, that for purposes of this subsection V.C, Defendant shall not be required
7
to retain any document for longer than two (2) years after the document was
8
created, or to retain a print or electronic copy of any amended webpage or screen
9
to the extent that the amendment does not affect Defendant’s compliance
10
obligations under this Order.
11
VI.
COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring
12
13
Defendant’s compliance with this Order:
14
A.
15
representative of the Commission or Plaintiff, Defendant must: submit additional
16
compliance reports or other requested information, which must be sworn under
17
penalty of perjury; appear for depositions; and produce documents for inspection
18
and copying. The Commission and Plaintiff are also authorized to obtain
19
discovery, without further leave of court, using any of the procedures prescribed by
Within fourteen (14) days of receipt of a written request from a
20
15
1
Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33,
2
34, 36, 45, and 69.
3
B.
4
authorized to communicate directly with Defendant. Defendant must permit
5
representatives of the Commission and Plaintiff to interview any employee or other
6
person affiliated with Defendant who has agreed to such an interview. The person
7
interviewed may have counsel present.
8
C.
9
posing, through its representatives as consumers, suppliers, or other individuals or
10
entities, to Defendant or any individual or entity affiliated with Defendant, without
11
the necessity of identification or prior notice. Nothing in this Order limits the
12
Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of
13
the FTC Act, 15 U.S.C. §§ 49, 57b-1.
For matters concerning this Order, the Commission and Plaintiff are
The Commission and Plaintiff may use all other lawful means, including
14
VII. RETENTION OF JURISDICTION
15
IT IS FURTHER ORDERED that this Court retains jurisdiction of this
16
matter for purposes of construction, modification, and enforcement of this Order.
17
SO ORDERED this 23rd of December
day
, 2015.
18
19
20
________________________________
HONRABLE ANDR BIROTTE JR.
UNITED STATES DISTRICT JUDGE
16
1
SO STIPULATED AND AGREED:
2
FOR PLAINTIFF UNITED STATES OF AMERICA
3
4
BENJAMEN C. MIZER
Principal Deputy Assistant Attorney General
Civil Division
5
6
7
8
9
JONATHAN F. OLIN
Deputy Assistant Attorney General
MICHAEL S. BLUME
Director
Consumer Protection Branch
ANDREW E. CLARK
Assistant Director
10
11
12
13
14
15
/s/ Jacqueline Blaesi-Freed_________
Jacqueline Blaesi-Freed
Trial Attorney, Kansas Bar No. 25455
Consumer Protection Branch
U.S. Department of Justice
P.O. Box 386
Washington, DC 20044
(202) 353-2809
(202) 514-8742
16
17
18
19
20
17
1
FOR THE FEDERAL TRADE COMMISSION
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
18
1
FOR DEFENDANT:
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
19
4008
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
List of Subjects in 16 CFR Part 312
Children, Communications, Consumer
protection, Electronic mail, Email,
Internet, Online service, Privacy, Record
retention, Safety, science and
technology, Trade practices, Web site,
Youth.
Accordingly, for the reasons stated
above, the Federal Trade Commission
revises part 312 of Title 16 of the Code
of Federal Regulations to read as
follows:
■
PART 312—CHILDREN’S ONLINE
PRIVACY PROTECTION RULE
Sec.
312.1 Scope of regulations in this part.
312.2 Definitions.
312.3 Regulation of unfair or deceptive acts
or practices in connection with the
collection, use, and/or disclosure of
personal information from and about
children on the Internet.
312.4 Notice.
312.5 Parental consent.
312.6 Right of parent to review personal
information provided by a child.
312.7 Prohibition against conditioning a
child’s participation on collection of
personal information.
Appendix A
19
4009
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
312.8 Confidentiality, security, and
integrity of personal information
collected from children.
312.9 Enforcement.
312.10 Data retention and deletion
requirements.
312.11 Safe harbor programs.
312.12 Voluntary Commission Approval
Processes.
312.13 Severability.
Authority: 15 U.S.C. 6501–6508.
§ 312.1
Scope of regulations in this part.
This part implements the Children’s
Online Privacy Protection Act of 1998,
(15 U.S.C. 6501, et seq.,) which
prohibits unfair or deceptive acts or
practices in connection with the
collection, use, and/or disclosure of
personal information from and about
children on the Internet.
§ 312.2
Definitions.
Child means an individual under the
age of 13.
Collects or collection means the
gathering of any personal information
from a child by any means, including
but not limited to:
(1) Requesting, prompting, or
encouraging a child to submit personal
information online;
(2) Enabling a child to make personal
information publicly available in
identifiable form. An operator shall not
be considered to have collected personal
information under this paragraph if it
takes reasonable measures to delete all
or virtually all personal information
from a child’s postings before they are
made public and also to delete such
information from its records; or
(3) Passive tracking of a child online.
Commission means the Federal Trade
Commission.
Delete means to remove personal
information such that it is not
maintained in retrievable form and
cannot be retrieved in the normal course
of business.
Disclose or disclosure means, with
respect to personal information:
(1) The release of personal
information collected by an operator
from a child in identifiable form for any
purpose, except where an operator
provides such information to a person
who provides support for the internal
operations of the Web site or online
service; and
(2) Making personal information
collected by an operator from a child
publicly available in identifiable form
by any means, including but not limited
to a public posting through the Internet,
or through a personal home page or
screen posted on a Web site or online
service; a pen pal service; an electronic
mail service; a message board; or a chat
room.
Federal agency means an agency, as
that term is defined in Section 551(1) of
title 5, United States Code.
Internet means collectively the
myriad of computer and
telecommunications facilities, including
equipment and operating software,
which comprise the interconnected
world-wide network of networks that
employ the Transmission Control
Protocol/Internet Protocol, or any
predecessor or successor protocols to
such protocol, to communicate
information of all kinds by wire, radio,
or other methods of transmission.
Obtaining verifiable consent means
making any reasonable effort (taking
into consideration available technology)
to ensure that before personal
information is collected from a child, a
parent of the child:
(1) Receives notice of the operator’s
personal information collection, use,
and disclosure practices; and
(2) Authorizes any collection, use,
and/or disclosure of the personal
information.
Online contact information means an
email address or any other substantially
similar identifier that permits direct
contact with a person online, including
but not limited to, an instant messaging
user identifier, a voice over internet
protocol (VOIP) identifier, or a video
chat user identifier.
Operator means any person who
operates a Web site located on the
Internet or an online service and who
collects or maintains personal
information from or about the users of
or visitors to such Web site or online
service, or on whose behalf such
information is collected or maintained,
or offers products or services for sale
through that Web site or online service,
where such Web site or online service
is operated for commercial purposes
involving commerce among the several
States or with 1 or more foreign nations;
in any territory of the United States or
in the District of Columbia, or between
any such territory and another such
territory or any State or foreign nation;
or between the District of Columbia and
any State, territory, or foreign nation.
This definition does not include any
nonprofit entity that would otherwise be
exempt from coverage under Section 5
of the Federal Trade Commission Act
(15 U.S.C. 45). Personal information is
collected or maintained on behalf of an
operator when:
(1) It is collected or maintained by an
agent or service provider of the operator;
or
(2) The operator benefits by allowing
another person to collect personal
information directly from users of such
Web site or online service.
Parent includes a legal guardian.
Person means any individual,
partnership, corporation, trust, estate,
cooperative, association, or other entity.
Personal information means
individually identifiable information
about an individual collected online,
including:
(1) A first and last name;
(2) A home or other physical address
including street name and name of a
city or town;
(3) Online contact information as
defined in this section;
(4) A screen or user name where it
functions in the same manner as online
contact information, as defined in this
section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be
used to recognize a user over time and
across different Web sites or online
services. Such persistent identifier
includes, but is not limited to, a
customer number held in a cookie, an
Internet Protocol (IP) address, a
processor or device serial number, or
unique device identifier;
(8) A photograph, video, or audio file
where such file contains a child’s image
or voice;
(9) Geolocation information sufficient
to identify street name and name of a
city or town; or
(10) Information concerning the child
or the parents of that child that the
operator collects online from the child
and combines with an identifier
described in this definition.
Release of personal information
means the sharing, selling, renting, or
transfer of personal information to any
third party.
Support for the internal operations of
the Web site or online service means:
(1) Those activities necessary to:
(i) Maintain or analyze the
functioning of the Web site or online
service;
(ii) Perform network communications;
(iii) Authenticate users of, or
personalize the content on, the Web site
or online service;
(iv) Serve contextual advertising on
the Web site or online service or cap the
frequency of advertising;
(v) Protect the security or integrity of
the user, Web site, or online service;
(vi) Ensure legal or regulatory
compliance; or
(vii) Fulfill a request of a child as
permitted by § 312.5(c)(3) and (4);
(2) So long as The information
collected for the activities listed in
paragraphs (1)(i)–(vii) of this definition
is not used or disclosed to contact a
specific individual, including through
behavioral advertising, to amass a
Appendix A
20
4010
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
profile on a specific individual, or for
any other purpose.
Third party means any person who is
not:
(1) An operator with respect to the
collection or maintenance of personal
information on the Web site or online
service; or
(2) A person who provides support for
the internal operations of the Web site
or online service and who does not use
or disclose information protected under
this part for any other purpose.
Web site or online service directed to
children means a commercial Web site
or online service, or portion thereof, that
is targeted to children.
(1) In determining whether a Web site
or online service, or a portion thereof,
is directed to children, the Commission
will consider its subject matter, visual
content, use of animated characters or
child-oriented activities and incentives,
music or other audio content, age of
models, presence of child celebrities or
celebrities who appeal to children,
language or other characteristics of the
Web site or online service, as well as
whether advertising promoting or
appearing on the Web site or online
service is directed to children. The
Commission will also consider
competent and reliable empirical
evidence regarding audience
composition, and evidence regarding
the intended audience.
(2) A Web site or online service shall
be deemed directed to children when it
has actual knowledge that it is
collecting personal information directly
from users of another Web site or online
service directed to children.
(3) A Web site or online service that
is directed to children under the criteria
set forth in paragraph (1) of this
definition, but that does not target
children as its primary audience, shall
not be deemed directed to children if it:
(i) Does not collect personal
information from any visitor prior to
collecting age information; and
(ii) Prevents the collection, use, or
disclosure of personal information from
visitors who identify themselves as
under age 13 without first complying
with the notice and parental consent
provisions of this part.
(4) A Web site or online service shall
not be deemed directed to children
solely because it refers or links to a
commercial Web site or online service
directed to children by using
information location tools, including a
directory, index, reference, pointer, or
hypertext link.
§ 312.3 Regulation of unfair or deceptive
acts or practices in connection with the
collection, use, and/or disclosure of
personal information from and about
children on the Internet.
General requirements. It shall be
unlawful for any operator of a Web site
or online service directed to children, or
any operator that has actual knowledge
that it is collecting or maintaining
personal information from a child, to
collect personal information from a
child in a manner that violates the
regulations prescribed under this part.
Generally, under this part, an operator
must:
(a) Provide notice on the Web site or
online service of what information it
collects from children, how it uses such
information, and its disclosure practices
for such information (§ 312.4(b));
(b) Obtain verifiable parental consent
prior to any collection, use, and/or
disclosure of personal information from
children (§ 312.5);
(c) Provide a reasonable means for a
parent to review the personal
information collected from a child and
to refuse to permit its further use or
maintenance (§ 312.6);
(d) Not condition a child’s
participation in a game, the offering of
a prize, or another activity on the child
disclosing more personal information
than is reasonably necessary to
participate in such activity (§ 312.7);
and
(e) Establish and maintain reasonable
procedures to protect the
confidentiality, security, and integrity of
personal information collected from
children (§ 312.8).
§ 312.4
Notice.
(a) General principles of notice. It
shall be the obligation of the operator to
provide notice and obtain verifiable
parental consent prior to collecting,
using, or disclosing personal
information from children. Such notice
must be clearly and understandably
written, complete, and must contain no
unrelated, confusing, or contradictory
materials.
(b) Direct notice to the parent. An
operator must make reasonable efforts,
taking into account available
technology, to ensure that a parent of a
child receives direct notice of the
operator’s practices with regard to the
collection, use, or disclosure of personal
information from children, including
notice of any material change in the
collection, use, or disclosure practices
to which the parent has previously
consented.
(c) Content of the direct notice to the
parent—(1) Content of the direct notice
to the parent under § 312.5(c)(1) (Notice
to Obtain Parent’s Affirmative Consent
to the Collection, Use, or Disclosure of
a Child’s Personal Information). This
direct notice shall set forth:
(i) That the operator has collected the
parent’s online contact information from
the child, and, if such is the case, the
name of the child or the parent, in order
to obtain the parent’s consent;
(ii) That the parent’s consent is
required for the collection, use, or
disclosure of such information, and that
the operator will not collect, use, or
disclose any personal information from
the child if the parent does not provide
such consent;
(iii) The additional items of personal
information the operator intends to
collect from the child, or the potential
opportunities for the disclosure of
personal information, should the parent
provide consent;
(iv) A hyperlink to the operator’s
online notice of its information
practices required under paragraph (d)
of this section;
(v) The means by which the parent
can provide verifiable consent to the
collection, use, and disclosure of the
information; and
(vi) That if the parent does not
provide consent within a reasonable
time from the date the direct notice was
sent, the operator will delete the
parent’s online contact information from
its records.
(2) Content of the direct notice to the
parent under § 312.5(c)(2) (Voluntary
Notice to Parent of a Child’s Online
Activities Not Involving the Collection,
Use or Disclosure of Personal
Information). Where an operator
chooses to notify a parent of a child’s
participation in a Web site or online
service, and where such site or service
does not collect any personal
information other than the parent’s
online contact information, the direct
notice shall set forth:
(i) That the operator has collected the
parent’s online contact information from
the child in order to provide notice to,
and subsequently update the parent
about, a child’s participation in a Web
site or online service that does not
otherwise collect, use, or disclose
children’s personal information;
(ii) That the parent’s online contact
information will not be used or
disclosed for any other purpose;
(iii) That the parent may refuse to
permit the child’s participation in the
Web site or online service and may
require the deletion of the parent’s
online contact information, and how the
parent can do so; and
(iv) A hyperlink to the operator’s
online notice of its information
Appendix A
21
4011
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
practices required under paragraph (d)
of this section.
(3) Content of the direct notice to the
parent under § 312.5(c)(4) (Notice to a
Parent of Operator’s Intent to
Communicate with the Child Multiple
Times). This direct notice shall set forth:
(i) That the operator has collected the
child’s online contact information from
the child in order to provide multiple
online communications to the child;
(ii) That the operator has collected the
parent’s online contact information from
the child in order to notify the parent
that the child has registered to receive
multiple online communications from
the operator;
(iii) That the online contact
information collected from the child
will not be used for any other purpose,
disclosed, or combined with any other
information collected from the child;
(iv) That the parent may refuse to
permit further contact with the child
and require the deletion of the parent’s
and child’s online contact information,
and how the parent can do so;
(v) That if the parent fails to respond
to this direct notice, the operator may
use the online contact information
collected from the child for the purpose
stated in the direct notice; and
(vi) A hyperlink to the operator’s
online notice of its information
practices required under paragraph (d)
of this section.
(4) Content of the direct notice to the
parent required under § 312.5(c)(5)
(Notice to a Parent In Order to Protect
a Child’s Safety). This direct notice shall
set forth:
(i) That the operator has collected the
name and the online contact
information of the child and the parent
in order to protect the safety of a child;
(ii) That the information will not be
used or disclosed for any purpose
unrelated to the child’s safety;
(iii) That the parent may refuse to
permit the use, and require the deletion,
of the information collected, and how
the parent can do so;
(iv) That if the parent fails to respond
to this direct notice, the operator may
use the information for the purpose
stated in the direct notice; and
(v) A hyperlink to the operator’s
online notice of its information
practices required under paragraph (d)
of this section.
(d) Notice on the Web site or online
service. In addition to the direct notice
to the parent, an operator must post a
prominent and clearly labeled link to an
online notice of its information
practices with regard to children on the
home or landing page or screen of its
Web site or online service, and, at each
area of the Web site or online service
where personal information is collected
from children. The link must be in close
proximity to the requests for
information in each such area. An
operator of a general audience Web site
or online service that has a separate
children’s area must post a link to a
notice of its information practices with
regard to children on the home or
landing page or screen of the children’s
area. To be complete, the online notice
of the Web site or online service’s
information practices must state the
following:
(1) The name, address, telephone
number, and email address of all
operators collecting or maintaining
personal information from children
through the Web site or online service.
Provided that: The operators of a Web
site or online service may list the name,
address, phone number, and email
address of one operator who will
respond to all inquiries from parents
concerning the operators’ privacy
policies and use of children’s
information, as long as the names of all
the operators collecting or maintaining
personal information from children
through the Web site or online service
are also listed in the notice;
(2) A description of what information
the operator collects from children,
including whether the Web site or
online service enables a child to make
personal information publicly available;
how the operator uses such information;
and, the operator’s disclosure practices
for such information; and
(3) That the parent can review or have
deleted the child’s personal
information, and refuse to permit
further collection or use of the child’s
information, and state the procedures
for doing so.
§ 312.5
Parental consent.
(a) General requirements. (1) An
operator is required to obtain verifiable
parental consent before any collection,
use, or disclosure of personal
information from children, including
consent to any material change in the
collection, use, or disclosure practices
to which the parent has previously
consented.
(2) An operator must give the parent
the option to consent to the collection
and use of the child’s personal
information without consenting to
disclosure of his or her personal
information to third parties.
(b) Methods for verifiable parental
consent. (1) An operator must make
reasonable efforts to obtain verifiable
parental consent, taking into
consideration available technology. Any
method to obtain verifiable parental
consent must be reasonably calculated,
in light of available technology, to
ensure that the person providing
consent is the child’s parent. (2)
Existing methods to obtain verifiable
parental consent that satisfy the
requirements of this paragraph include:
(i) Providing a consent form to be
signed by the parent and returned to the
operator by postal mail, facsimile, or
electronic scan;
(ii) Requiring a parent, in connection
with a monetary transaction, to use a
credit card, debit card, or other online
payment system that provides
notification of each discrete transaction
to the primary account holder;
(iii) Having a parent call a toll-free
telephone number staffed by trained
personnel;
(iv) Having a parent connect to
trained personnel via video-conference;
(v) Verifying a parent’s identity by
checking a form of government-issued
identification against databases of such
information, where the parent’s
identification is deleted by the operator
from its records promptly after such
verification is complete; or
(vi) Provided that, an operator that
does not ‘‘disclose’’ (as defined by
§ 312.2) children’s personal information,
may use an email coupled with
additional steps to provide assurances
that the person providing the consent is
the parent. Such additional steps
include: Sending a confirmatory email
to the parent following receipt of
consent, or obtaining a postal address or
telephone number from the parent and
confirming the parent’s consent by letter
or telephone call. An operator that uses
this method must provide notice that
the parent can revoke any consent given
in response to the earlier email.
(3) Safe harbor approval of parental
consent methods. A safe harbor program
approved by the Commission under
§ 312.11 may approve its member
operators’ use of a parental consent
method not currently enumerated in
paragraph (b)(2) of this section where
the safe harbor program determines that
such parental consent method meets the
requirements of paragraph (b)(1) of this
section.
(c) Exceptions to prior parental
consent. Verifiable parental consent is
required prior to any collection, use, or
disclosure of personal information from
a child except as set forth in this
paragraph:
(1) Where the sole purpose of
collecting the name or online contact
information of the parent or child is to
provide notice and obtain parental
consent under § 312.4(c)(1). If the
operator has not obtained parental
consent after a reasonable time from the
date of the information collection, the
Appendix A
22
4012
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
operator must delete such information
from its records;
(2) Where the purpose of collecting a
parent’s online contact information is to
provide voluntary notice to, and
subsequently update the parent about,
the child’s participation in a Web site or
online service that does not otherwise
collect, use, or disclose children’s
personal information. In such cases, the
parent’s online contact information may
not be used or disclosed for any other
purpose. In such cases, the operator
must make reasonable efforts, taking
into consideration available technology,
to ensure that the parent receives notice
as described in § 312.4(c)(2);
(3) Where the sole purpose of
collecting online contact information
from a child is to respond directly on a
one-time basis to a specific request from
the child, and where such information
is not used to re-contact the child or for
any other purpose, is not disclosed, and
is deleted by the operator from its
records promptly after responding to the
child’s request;
(4) Where the purpose of collecting a
child’s and a parent’s online contact
information is to respond directly more
than once to the child’s specific request,
and where such information is not used
for any other purpose, disclosed, or
combined with any other information
collected from the child. In such cases,
the operator must make reasonable
efforts, taking into consideration
available technology, to ensure that the
parent receives notice as described in
§ 312.4(c)(3). An operator will not be
deemed to have made reasonable efforts
to ensure that a parent receives notice
where the notice to the parent was
unable to be delivered;
(5) Where the purpose of collecting a
child’s and a parent’s name and online
contact information, is to protect the
safety of a child, and where such
information is not used or disclosed for
any purpose unrelated to the child’s
safety. In such cases, the operator must
make reasonable efforts, taking into
consideration available technology, to
provide a parent with notice as
described in § 312.4(c)(4);
(6) Where the purpose of collecting a
child’s name and online contact
information is to:
(i) Protect the security or integrity of
its Web site or online service;
(ii) Take precautions against liability;
(iii) Respond to judicial process; or
(iv) To the extent permitted under
other provisions of law, to provide
information to law enforcement
agencies or for an investigation on a
matter related to public safety; and
where such information is not be used
for any other purpose;
(7) Where an operator collects a
persistent identifier and no other
personal information and such identifier
is used for the sole purpose of providing
support for the internal operations of
the Web site or online service. In such
case, there also shall be no obligation to
provide notice under § 312.4; or
(8) Where an operator covered under
paragraph (2) of the definition of Web
site or online service directed to
children in § 312.2 collects a persistent
identifier and no other personal
information from a user who
affirmatively interacts with the operator
and whose previous registration with
that operator indicates that such user is
not a child. In such case, there also shall
be no obligation to provide notice under
§ 312.4.
§ 312.6 Right of parent to review personal
information provided by a child.
(a) Upon request of a parent whose
child has provided personal information
to a Web site or online service, the
operator of that Web site or online
service is required to provide to that
parent the following:
(1) A description of the specific types
or categories of personal information
collected from children by the operator,
such as name, address, telephone
number, email address, hobbies, and
extracurricular activities;
(2) The opportunity at any time to
refuse to permit the operator’s further
use or future online collection of
personal information from that child,
and to direct the operator to delete the
child’s personal information; and
(3) Notwithstanding any other
provision of law, a means of reviewing
any personal information collected from
the child. The means employed by the
operator to carry out this provision
must:
(i) Ensure that the requestor is a
parent of that child, taking into account
available technology; and
(ii) Not be unduly burdensome to the
parent.
(b) Neither an operator nor the
operator’s agent shall be held liable
under any Federal or State law for any
disclosure made in good faith and
following reasonable procedures in
responding to a request for disclosure of
personal information under this section.
(c) Subject to the limitations set forth
in § 312.7, an operator may terminate
any service provided to a child whose
parent has refused, under paragraph
(a)(2) of this section, to permit the
operator’s further use or collection of
personal information from his or her
child or has directed the operator to
delete the child’s personal information.
§ 312.7 Prohibition against conditioning a
child’s participation on collection of
personal information.
An operator is prohibited from
conditioning a child’s participation in a
game, the offering of a prize, or another
activity on the child’s disclosing more
personal information than is reasonably
necessary to participate in such activity.
§ 312.8 Confidentiality, security, and
integrity of personal information collected
from children.
The operator must establish and
maintain reasonable procedures to
protect the confidentiality, security, and
integrity of personal information
collected from children. The operator
must also take reasonable steps to
release children’s personal information
only to service providers and third
parties who are capable of maintaining
the confidentiality, security and
integrity of such information, and who
provide assurances that they will
maintain the information in such a
manner.
§ 312.9
Enforcement.
Subject to sections 6503 and 6505 of
the Children’s Online Privacy Protection
Act of 1998, a violation of a regulation
prescribed under section 6502 (a) of this
Act shall be treated as a violation of a
rule defining an unfair or deceptive act
or practice prescribed under section
18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C.
57a(a)(1)(B)).
§ 312.10 Data retention and deletion
requirements.
An operator of a Web site or online
service shall retain personal information
collected online from a child for only as
long as is reasonably necessary to fulfill
the purpose for which the information
was collected. The operator must delete
such information using reasonable
measures to protect against
unauthorized access to, or use of, the
information in connection with its
deletion.
§ 312.11
Safe harbor programs.
(a) In general. Industry groups or
other persons may apply to the
Commission for approval of selfregulatory program guidelines (‘‘safe
harbor programs’’). The application
shall be filed with the Commission’s
Office of the Secretary. The Commission
will publish in the Federal Register a
document seeking public comment on
the application. The Commission shall
issue a written determination within
180 days of the filing of the application.
(b) Criteria for approval of selfregulatory program guidelines. Proposed
safe harbor programs must demonstrate
Appendix A
23
4013
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
that they meet the following
performance standards:
(1) Program requirements that ensure
operators subject to the self-regulatory
program guidelines (‘‘subject
operators’’) provide substantially the
same or greater protections for children
as those contained in §§ 312.2 through
312.8, and 312.10.
(2) An effective, mandatory
mechanism for the independent
assessment of subject operators’
compliance with the self-regulatory
program guidelines. At a minimum, this
mechanism must include a
comprehensive review by the safe
harbor program, to be conducted not
less than annually, of each subject
operator’s information policies,
practices, and representations. The
assessment mechanism required under
this paragraph can be provided by an
independent enforcement program, such
as a seal program.
(3) Disciplinary actions for subject
operators’ non-compliance with selfregulatory program guidelines. This
performance standard may be satisfied
by:
(i) Mandatory, public reporting of any
action taken against subject operators by
the industry group issuing the selfregulatory guidelines;
(ii) Consumer redress;
(iii) Voluntary payments to the United
States Treasury in connection with an
industry-directed program for violators
of the self-regulatory guidelines;
(iv) Referral to the Commission of
operators who engage in a pattern or
practice of violating the self-regulatory
guidelines; or
(v) Any other equally effective action.
(c) Request for Commission approval
of self-regulatory program guidelines. A
proposed safe harbor program’s request
for approval shall be accompanied by
the following:
(1) A detailed explanation of the
applicant’s business model, and the
technological capabilities and
mechanisms that will be used for initial
and continuing assessment of subject
operators’ fitness for membership in the
safe harbor program;
(2) A copy of the full text of the
guidelines for which approval is sought
and any accompanying commentary;
(3) A comparison of each provision of
§§ 312.2 through 312.8, and 312.10 with
the corresponding provisions of the
guidelines; and
(4) A statement explaining:
(i) How the self-regulatory program
guidelines, including the applicable
assessment mechanisms, meet the
requirements of this part; and
(ii) How the assessment mechanisms
and compliance consequences required
under paragraphs (b)(2) and (b)(3)
provide effective enforcement of the
requirements of this part.
(d) Reporting and recordkeeping
requirements. Approved safe harbor
programs shall:
(1) By July 1, 2014, and annually
thereafter, submit a report to the
Commission containing, at a minimum,
an aggregated summary of the results of
the independent assessments conducted
under paragraph (b)(2) of this section, a
description of any disciplinary action
taken against any subject operator under
paragraph (b)(3) of this section, and a
description of any approvals of member
operators’ use of a parental consent
mechanism, pursuant to § 312.5(b)(4);
(2) Promptly respond to Commission
requests for additional information; and
(3) Maintain for a period not less than
three years, and upon request make
available to the Commission for
inspection and copying:
(i) Consumer complaints alleging
violations of the guidelines by subject
operators;
(ii) Records of disciplinary actions
taken against subject operators; and
(iii) Results of the independent
assessments of subject operators’
compliance required under paragraph
(b)(2) of this section.
(e) Post-approval modifications to
self-regulatory program guidelines.
Approved safe harbor programs must
submit proposed changes to their
guidelines for review and approval by
the Commission in the manner required
for initial approval of guidelines under
paragraph (c)(2) of this section. The
statement required under paragraph
(c)(4) of this section must describe how
the proposed changes affect existing
provisions of the guidelines.
(f) Revocation of approval of selfregulatory program guidelines. The
Commission reserves the right to revoke
any approval granted under this section
if at any time it determines that the
approved self-regulatory program
guidelines or their implementation do
not meet the requirements of this part.
Safe harbor programs that were
approved prior to the publication of the
Final Rule amendments must, by March
1, 2013, submit proposed modifications
to their guidelines that would bring
them into compliance with such
amendments, or their approval shall be
revoked.
(g) Operators’ participation in a safe
harbor program. An operator will be
deemed to be in compliance with the
requirements of §§ 312.2 through 312.8,
and 312.10 if that operator complies
with Commission-approved safe harbor
program guidelines. In considering
whether to initiate an investigation or
bring an enforcement action against a
subject operator for violations of this
part, the Commission will take into
account the history of the subject
operator’s participation in the safe
harbor program, whether the subject
operator has taken action to remedy
such non-compliance, and whether the
operator’s non-compliance resulted in
any one of the disciplinary actions set
forth in paragraph (b)(3).
§ 312.12 Voluntary Commission Approval
Processes.
(a) Parental consent methods. An
interested party may file a written
request for Commission approval of
parental consent methods not currently
enumerated in § 312.5(b). To be
considered for approval, a party must
provide a detailed description of the
proposed parental consent methods,
together with an analysis of how the
methods meet § 312.5(b)(1). The request
shall be filed with the Commission’s
Office of the Secretary. The Commission
will publish in the Federal Register a
document seeking public comment on
the request. The Commission shall issue
a written determination within 120 days
of the filing of the request; and
(b) Support for internal operations of
the Web site or online service. An
interested party may file a written
request for Commission approval of
additional activities to be included
within the definition of support for
internal operations. To be considered
for approval, a party must provide a
detailed justification why such activities
should be deemed support for internal
operations, and an analysis of their
potential effects on children’s online
privacy. The request shall be filed with
the Commission’s Office of the
Secretary. The Commission will publish
in the Federal Register a document
seeking public comment on the request.
The Commission shall issue a written
determination within 120 days of the
filing of the request.
§ 312.13
Severability.
The provisions of this part are
separate and severable from one
another. If any provision is stayed or
determined to be invalid, it is the
Commission’s intention that the
remaining provisions shall continue in
effect.
Appendix A
24
4014
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
By direction of the Commission,
Commissioner Rosch abstaining, and
Commissioner Ohlhausen dissenting.
Donald S. Clark,
Secretary.
Dissenting Statement of Commissioner
Maureen K. Ohlhausen
I voted against adopting the amendments
to the Children’s Online Privacy Protection
Act (COPPA) Rule because I believe a core
provision of the amendments exceeds the
scope of the authority granted us by Congress
in COPPA, the statute that underlies and
authorizes the Rule.401 Before I explain my
concerns, I wish to commend the
Commission staff for their careful
consideration of the multitude of issues
raised by the numerous comments in this
proceeding. Much of the language of the
amendments is designed to preserve
flexibility for the industry while striving to
protect children’s privacy, a goal I support
strongly. The final proposed amendments
largely strike the right balance between
protecting children’s privacy online and
avoiding undue burdens on providers of
children’s online content and services. The
staff’s great expertise in the area of children’s
privacy and deep understanding of the values
at stake in this matter have been invaluable
in my consideration of these important
issues.
In COPPA Congress defined who is an
operator and thereby set the outer boundary
for the statute’s and the COPPA Rule’s
reach.402 It is undisputed that COPPA places
obligations on operators of Web sites or
online services directed to children or
operators with actual knowledge that they are
collecting personal information from
401 15
U.S.C. 6501–6506.
15 U.S.C. 6501(2), defines the term
‘‘operator’’ as ‘‘any person who operates a Web site
located on the Internet or an online service and who
collects or maintains personal information from or
about users of or visitors to such Web site or online
service, or on whose behalf such information is
collected and maintained * * *’’ As stated in the
Statement of Basis and Purpose for the original
COPPA Rule, ‘‘The definition of ‘operator’ is of
central importance because it determines who is
covered by the Act and the Rule.’’ Children’s
Online Privacy Protection Rule 64 FR 59888, 59891
(Nov. 3, 1999) (final rule).
402 COPPA,
children. The statute provides, ‘‘It is
unlawful for an operator of a Web site or
online service directed to children, or any
operator that has actual knowledge that it is
collecting personal information from a child,
to collect personal information from a child
in a manner that violates the regulations
prescribed [by the FTC].’’ 403
The Statement of Basis and Purpose for the
amendments (SBP) discusses concerns that
the current COPPA Rule may not cover childdirected Web sites or services that do not
themselves collect children’s personal
information but may incorporate third-party
plug-ins that collect such information 404 for
the plug-ins’ use but do not collect or
maintain the information for, or share it with,
the child-directed site or service. To address
these concerns, the amendments add a new
proviso to the definition of operator in the
COPPA Rule: ‘‘Personal information is
collected or maintained on behalf of an
operator when: (a) it is collected or
maintained by an agent or service provider of
the operator; or (b) the operator benefits by
allowing another person to collect personal
information directly from users of such Web
site or online service.’’ 405
The proposed amendments construe the
term ‘‘on whose behalf such information is
collected and maintained’’ to reach childdirected Web sites or services that merely
derive from a third-party plug-in some kind
of benefit, which may well be unrelated to
the collection and use of children’s
403 15
U.S.C. 6502(a)(1).
the third-party plugs-ins are child-directed
or have actual knowledge that they are collecting
children’s personal information they are already
expressly covered by the COPPA statute. Thus, as
the SBP notes, a behavioral advertising network that
targets children under the age of 13 is already
deemed an operator. The amendment must
therefore be aimed at reaching third-party plug-ins
that are either not child-directed or do not have
actual knowledge that they are collecting children’s
personal information, which raises a question about
what harm this amendment will address. For
example, it appears that this same type of harm
could occur through general audience Web sites
and online services collecting and using visitors’
personal information without knowing whether
some of the data is children’s personal information,
which is a practice that COPPA and the
amendments do not prohibit.
405 16 CFR 312.2 (Definitions).
404 If
information (e.g., content, functionality, or
advertising revenue). I find that this
proviso—which would extend COPPA
obligations to entities that do not collect
personal information from children or have
access to or control of such information
collected by a third-party does not comport
with the plain meaning of the statutory
definition of an operator in COPPA, which
covers only entities ‘‘on whose behalf such
information is collected and maintained.’’ 406
In other words, I do not believe that the fact
that a child-directed site or online service
receives any kind of benefit from using a
plug-in is equivalent to the collection of
personal information by the third-party plugin on behalf of the child-directed site or
online service.
As the Supreme Court has directed, an
agency ‘‘must give effect to the
unambiguously expressed intent of
Congress.’’ 407 Thus, regardless of the policy
justifications offered, I cannot support
expanding the definition of the term
‘‘operator’’ beyond the statutory parameters
set by Congress in COPPA.
I therefore respectfully dissent.
[FR Doc. 2012–31341 Filed 1–16–13; 8:45 am]
BILLING CODE 6750–01–P
406 This expanded definition of operator reverses
the Commission’s previous conclusion that the
appropriate test for determining an entity’s status as
an operator is to ‘‘look at the entity’s relationship
to the data collected,’’ using factors such as ‘‘who
owns and/or controls the information, who pays for
its collection and maintenance, the pre-existing
contractual relationships regarding collection and
maintenance of the information, and the role of the
Web site or online service in collecting and/or
maintaining the information (i.e., whether the site
participates in collection or is merely a conduit
through which the information flows to another
entity.)’’ Children’s Online Privacy Protection Rule
64 FR 59888, 59893, 59891 (Nov. 3, 1999) (final
rule).
407 Chevron v. Natural Resources Defense
Council, Inc., 467 U.S. 837, 842–43 (1984) (‘‘When
a court reviews an agency’s construction of the
statute which it administers, it is confronted with
two questions. First, always, is the question
whether Congress has directly spoken to the precise
question at issue. If the intent of Congress is clear,
that is the end of the matter; for the court, as well
as the agency, must give effect to the
unambiguously expressed intent of Congress.’’).
Appendix A
25
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?