Comments on COPPA Rule Review, 16 CFR Part 312, Project No. P195404

Ms. April Tabor

Acting Secretary
Federal Trade Commission Office of the Secretary
Constitution Center 400 7th Street, SW
5th Floor, Suite 5610 (Annex B)
Washington, DC 20024

Re: COPPA Rule Review, 16 CFR Part 312, Project No. P195404

Ms. Tabor:

The U.S. Chamber of Commerce (“Chamber”) respectfully submits these comments to the Federal Trade Commission (“FTC” or “Commission”) in response to its request for comment in connection with its Children’s Online Privacy Protection Act (“COPPA”) Rule Review. The Chamber recognizes that the 2013 COPPA Rule generally strikes the right balance between protecting children’s privacy and ensuring availability and access to high-quality online content and services. The Chamber recognizes the critical importance of protecting children’s personal privacy. The COPPA Rule should provide certainty to children, parents, and companies that provide valuable services.

Question 1 through 3

• Is there a continuing need for the Rule as currently promulgated?
• What effect, if any, has the Rule had on children, parents, or other consumers?
• What impact, if any, has the Rule had on operators?

The COPPA Rule has led to greater protections for children but has also had costs. The FTC should understand and carefully balance these costs and benefits and consider tradeoffs with other policy goals such as the quality of content, competition, and safety. It is important that the Commission not overlook the benefits from services, content and other technologies for families, which rely on data collecting and processing to operate.

The Commission should take a broad view of the ecosystem of entities impacted by the COPPA Rule, specifically content creators, app developers, platform providers, and businesses of all sizes and types.

Uncertainty around COPPA—especially with novel interpretations—coupled with the high cost of potential noncompliance is a significant hurdle that discourages investment in innovative children’s content or services. Companies governed by COPPA have to invest a considerable amount in compliance resources and the FTC should recognize the impact of any material alterations to these Rules.

Question 5: Does the Rule overlap or conflict with any other federal, state, or local government laws or regulations?

The COPPA Rule should not create inconsistencies or overlapping obligations with other applicable laws such as the Federal Education Rights and Privacy Act (“FERPA”). Additionally, the Rule should not create conflicts with state laws such as the new California Consumer Privacy

Act (“CCPA”) or California’s Student Online Personal Information Privacy Act (“SOPIPA”).

One example where harmonization should occur is the issue of children’s health information. In considering potential future changes to the COPPA Rule, we ask the Commission to examine the interaction of the standards with state laws governing when children may obtain health care services without parental consent and potentially related restrictions about communicating with those children’s parents. For example, where minors can generally consent to mental health care without involvement of their parents and the state restricts subsequent disclosure to parents, there could be difficulty communicating electronically with the minor without parental consent. The Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule requires that a health plan or provider to accommodate reasonable requests to receive communications of Personal Health Information (“PHI”) by alternative means. Certain state laws have analogous protections for individuals.

In addition, the ways in which health care services are delivered are evolving as new technology becomes available. It is entirely possible at some point in the future that a child under age 13 may access health services governed by COPPA but the operator would be limited under state law from first obtaining parental consent and prohibited from disclosing any information to the parent. While these situations may be rare, we ask that the FTC consider how they might be resolved through appropriate safe harbors in the COPPA Rules.

Question 12-13

• Has the revision of the definition of “Personal Information” (“PI”) to include a “persistent identifier that can be used to recognize a user over time and across different websites or online services” resulted in stronger privacy protection for children?
• Should the Commission consider further revision to the definition of “Personal Information”?

There current definition of PI is already broad^[1] and there is no need to expand the definition to include information such as inferred information. COPPA sufficiently regulates the use of PI. To the extent that an operator is making use of aggregate data that does not relate to a specific, identifiable user, such users are clearly outside the scope of COPPA. A specific inclusion of inferred personal information would create more uncertainty and ambiguity around the scope of the Rule that could impede the development of new services.

Question 14: Should the Definition of “Support for the internal operators of the website or online service” be modified?

It is critical that the Commission maintain the internal operations exception. Under the COPPA Rule, information provided for support for the internal operations of a website is not considered a disclosure.^[2] The exception should not be construed as narrowly as it is now and provide additional examples of permissible personalization, which is crucial for providing users with age appropriate content and their expected user experience. For example, providing content recommendations based on different activities across a service can help ensure children have an age appropriate experience.

The exception should also expressly permit critical advertising-related uses of information that are necessary for maintaining and analyzing the service, such as clickconversion tracking, and advertising modelling. Advertising modelling allows advertisers to provide users with more meaningful and appropriate contextual advertisements without using a specific user’s historical activity data to behaviorally target them.

The Chamber further recommends that the Commission add service improvement to the definition of “internal operations. For example, the Commission should modify language to “support for the internal operations of the website or online services means: (1) those activities necessary to: (i) Maintain, improve, or analyze the functioning of the Web site or online service.”

Question 15: Does Section 312.2 correctly articulate the factors to consider in determining whether a website or online service directed to children?...Should the definition be amended, consistent with statute, to better address websites and online services that do not include traditionally child-oriented activities but have large numbers of child users?

The Chamber opposes expanding the definition of content directed to children to include “websites and online services that do not include traditionally child-oriented, but that have large numbers of child users.” There is no statutory authority for such an approach, and it is therefore, not permissible. The COPPA statute defines “Website or online service directed to children.” Unlike the definition of “personal information,”^[3] the FTC does not have authority to expand this definition. The statutory standard is whether the service (or portion of the service) is “targeted” to children^[4][5]—which requires some degree of design or designation for the target audience. Consequently, evidence of audience composition alone is insufficient. It is also unnecessary as the COPPA Rule already considers whether there is “competent and reliable empirical evidence regarding audience composition”⁵ as one of the many child-directed factors.

Expanding the definition from a practical perspective would also create uncertainty. The FTC should balance protections for children with other audiences and policy goals. If “child directed” is defined too broadly, experiences for general audience could be negatively impacted, undermining adults’ access to key product features including content about general-audience content like sports and musical performances. Adult users often use and benefit from features available on content that may be considered child directed, especially if the scope of this were to be expanded. An example would be teachers creating playlists for classroom use in which there would be a range of content included.

The operationalization of inferring age of a user from content is highly challenging and an identity-based approach which relies on the declared age of a user—meeting the expectations of that user based on their declared age—is the most sustainable approach.

Question 16: Has the 2013 addition, found in part (3) of the definition of “website or online service directed to children,” which permits those sites that do not target children as their primary audience to age screen users, resulted in stronger protections for children’s privacy? Should the Rule be more specific about the appropriate methods for determining the age of users?

The Chamber asserts that the Rule should remain adaptable amid an evolving technological landscape. It should be noted that appropriate measures are often context-specific and will vary depending on the type of service.

Guidance should be flexible and apply to new technology and platforms. It is important to rely on a multifactor test that takes into account a comprehensive set of criteria, that includes and balances both content and context based factors. For example, the current definition already contemplates “competent and reliable empirical evidence regarding audience composition,” which should be taken as one factor among many in determining the application of COPPA. There exists a need for improved guidance on how the test is applied for clear distinction between child-directed and general audience services.

The Commission should retain the mixed audience exception, which appropriate recognizes that it is reasonable to treat users as adults who have been neutrally age screened to be adults. The Chamber supports current guidance on neutral age screening.^[6] Any attempt to change age verification based on privacy or user experiences concerns should be done through the legislative and not the regulatory process.

Question 18: Are the requirements of Section 312.4, setting out rules for content and delivery of operators’ notices of informational practices related to children, of the Rules clear and appropriate or can they be improved?

The Chamber at this time does not recommend including additional information in the privacy notice to parents, which already covers key categories. Research supports the concept that exists the phenomenon of notice fatigue.^[7][8] The notice requirements in the regulation already require that operator provide information describing their disclosure and use practices, which has led providers to include categories of third parties where appropriate. In light of that, an additional requirement to this effect would be redundant.

Newer technologies such as smart phones and IoT devices can mean more limited space to disclose relevant information. Taking issues like technological changes and notice fatigue, “more” information is not always better. Guidance should focus on effective ways to provide the most pertinent and relevant information to consumers.

Question 20: Should changes be made to how Parental Consent is given?

Section 312.5 of the COPPA rules requires operators to obtain verifiable parental consent before any collection, use or disclosure of personal information from children. The current COPPA Rule strikes the right balance between allowing for the development of new and innovative consent mechanisms while providing guidance to companies through the approval of certain methods. The Commission could consider streamlining the process for obtaining additional guidance on proposed alternative methods for verifiable parental consent. The current 120-day feedback cycle in Section 312.12 could be shortened to encourage companies to check in with/solicit feedback from the FTC more generally.

Question 24: Should there be an exception for Transiently-Held Voice Data?

The Rule includes photographs, videos or audio files containing a child’s image or voice in the definition of “personal information” covered by COPPA.⁸ Voice-enabled technology is an incredibly beneficial resource for children unable to read or those who are disabled. The Chamber supports an exception for the brief collection of audio files, reflecting the standard the FTC established in its 2017 enforcement policy statement. Developers and their partners that deploy these services rely on the current guidance. Currently, the guidance limits enforcement in the case of a voice recording being used a replacement for written words.^[9] The exception should permit companies to retain the audio files if they have been deidentified, encouraging use of less identifying data. To address current and evolving technologies, this broader framing will be better than “replacement for written words.” Voice activated commands are not necessarily a

“replacement” for written words.

Technology is rapidly evolving and it is important for the rules to recognize new channels for the potential collection of information about children under age 13. In particular, the development of voice-activated digital assistants pose challenges that were not anticipated when COPPA was first enacted.

According to a survey conducted by the Pew Research Center, 46% of adults have used voice-activated technology. While the majority of such uses were in connection with a smart phone (42%), other uses of voice-activated devices include computers or tablets (14%) and stand-alone devices (8%).^[10] The types of personal data collected through voice-activated digital assistants includes tracking health and fitness, ordering purchases, and requests for information on a variety of topics.

Unlike “traditional” web-based applications, it may be difficult to track consents where the individual interacting with the digital assistant is under age 13. While access to the digital assistant – a computer/tablet, smart phone or stand-alone device – can be established by a parent, the business or other entity providing a software application (‘app”) which may be accessed through a virtual assistant may not be aware if a child accessing the device is under age 13. This is particularly true for stand-alone devices intended for home-use, whose primary functionality is their ability to be utilized by anyone within a certain spatial proximity. Access to most apps downloaded onto a home-use digital assistant is unfettered and anonymous, merely by speaking the device’s activation word – typically the device’s name. It is virtually impossible to discern the speaker’s identity - let alone their age – when accessing an app through a so-called “smart speaker” or home-use digital assistant.

In addition, the requirements related to record retention should be considered in the context of voice-activated digital assistants. Currently, the COPPA rules require operators to provide parents, “a means of reviewing any personal information collected from the child.”¹¹ FTC guidance permits operators to delete audio files in limited circumstances, notably “when a covered operator collects an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request, but only maintains the file for the brief time necessary for that purpose . . . .”^[11]In the case of voice-activated digital assistants, the operator may not be aware of the identity or age of the speaker on the recording and whether a child who may be accessing the device has the permission of a parent to do so. Given the operational challenges operators of such devices should be permitted to delete such files rather than having to retain the recordings and make them available on request.

Question 25: Should the COPPA Rule be updated to incentive general audience platforms to “identify and police child-directed content uploaded by others”? Should such platforms be able to rebut the presumption that all users of the child-directed, third-party content are children?

The Chamber has concerns with requiring platforms to “identify and police” child-directed, third-party content. Developers and creators know their content better than anyone and are best situated to make a “child directed” designation. Moving away from “actual knowledge”^[12]to “constructive knowledge” would hold platforms to an unreasonable level of accountability, increasing cost/burden to comply and could chill investments in child/family-directed content, service and platforms.

Services that have age screened adult users should be permitted to rebut the presumption that any user interacting with child-directed content is a child under the age of 13. The rebuttable presumption should be allowed if a service takes reasonable steps to ensure users interacting with the child-directed content is 13 or older. Reasonable steps should not be prescriptive but follow an adaptable standards-based approach.

The Chamber thanks you for your consideration and stands ready to work with you to ensure that COPPA continues to protect children while encouraging the creation of innovative services like education technology and other child-focused content.

Sincerely,

Tim Day

Senior Vice President

[1] See 16 C.F.R. 312.2.

[2] Id.

[3] See 15 U.S.C. § 6501(8)(F).

[4] Id. at 10(i)-(ii).

[5] C.F.R. 312.2 Definition of Web site or online service directed to children.

[6] See Federal Trade Commission, “Children’s Online Privacy Protection Act: A Six-Step Compliance Plan for Your Business,” available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacyprotection-rule-six-step-compliance; Federal Trade Commission, “Complying with COPPA: Frequently Asked Questions” (Mar. 20, 2015) available athttps://www.ftc.gov/tips-advice/business-center/guidance/complyingcoppa-frequently-asked-questions.

[7] See Brunswick Research and C_TEC, “The Public’s View on Technology and Data” at 34 (July 10, 2019) available at https://americaninnovators.com/wp-content/uploads/2019/07/C_TEC-Data-Privacy-Regulation-ofTech-Companies_Comprehensive-Report-10-June.pdf.

[8] C.F.R. 312.2 Definition of Personal Information (8).

[9] Federal Trade Commission, Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the

Collection and Use of Voice Recordings, 82 FR 58076 (Dec. 8, 2017) at p. 2 availability at https://www.ftc.gov/system/files/documents/public_statements/1266473/coppa_policy_statement_audiorecordings.pdf.

[10] Pew Research Center, FactTank, Nearly half of Americans use digital voice assistants, mostly on their smartphones (December 17, 2017) accessed at: https://www.pewresearch.org/fact-tank/2017/12/12/nearly-half-ofamericans-use-digital-voice-assistants-mostly-on-their-smartphones/​ ¹¹15 CFR §312.6(a)(3).

[11]​ Seesupra note 9.

[12] See 16 C.F.R. 312.2 Definition of Web site or online service directed to children (2) (“A Web site or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.”) (emphasis added).