Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 1 of 31

IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
Case No.: 1:19-cv-02642

FEDERAL TRADE COMMISSION,
and
PEOPLE OF THE STATE OF NEW
YORK, by LETITIA JAMES,
Attorney General of the State of New York,

STIPULATED
ORDER
FOR
PERMANENT INJUNCTION AND
CIVIL PENALTY JUDGMENT

Plaintiffs,
vs.
GOOGLE LLC,
a Delaware limited liability company,
and
YOUTUBE, LLC,
a Delaware limited liability company,
Defendants.
Plaintiffs, the Federal Trade Commission (“FTC” or “Commission”) and The People of
the State of New York (“State of New York”) (collectively, “Plaintiffs”) filed their Complaint
for Permanent Injunction, Civil Penalties, and Other Relief (“Complaint”) in this matter,
pursuant to Sections 13(b) and 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15
U.S.C. §§ 53(b) and 56(a)(1), the Children’s Online Privacy Protection Act (“COPPA”), 15
U.S.C. §§ 6502(c), 6504(a)(1), and 6505(d), and the Commission’s Children’s Online Privacy
Protection Rule (“Rule” or “COPPA Rule”), 16 C.F.R. Part 312. Defendants have waived
service of the summons and the Complaint. Plaintiffs and Defendants stipulate to the entry of
this Stipulated Order for Permanent Injunction and Civil Penalty Judgment (“Order”) to resolve
all matters in dispute in this action between them.
THEREFORE, IT IS ORDERED as follows:

1

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 2 of 31

FINDINGS
1.

This Court has jurisdiction over this matter.

2.

The Complaint charges that Defendants violated the COPPA Rule and Section 5

of the FTC Act, 15 U.S.C. § 45, by failing to post a privacy policy on their online service
providing clear, understandable, and complete notice of their information practices with respect
to the Collection of Personal Information from Children, failing to provide direct notice to
Parents of such information practices, and failing to Obtain Verifiable Parental Consent prior to
Collecting, using, or Disclosing Personal Information from Children.
3.

Defendants neither admit nor deny any of the allegations in the Complaint, except

as specifically stated in this Order. Only for purposes of this action, Defendants admit the facts
necessary to establish jurisdiction.
4.

Defendants waive any claim that they may have under the Equal Access to Justice

Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order,
and agree to bear their own costs and attorney fees.
5.

Defendants and Plaintiffs waive all rights to appeal or otherwise challenge or

contest the validity of this Order.
DEFINITIONS
For the purpose of this Order, the following definitions apply:
A.

“Channel Owner” means individuals or entities who upload videos onto the

YouTube Service.
B.

“Child” or “Children” means an individual or individuals under the age of 13.

2

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 3 of 31

C.

“Clear and Conspicuous” means that a required disclosure is difficult to miss

(i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the
following ways:
1.

In any communication that is solely visual or solely audible, the disclosure

must be made through the same means through which the communication is
presented. In any communication made through both visual and audible means,
such as a television advertisement, the disclosure must be presented
simultaneously in both the visual and audible portions of the communication even
if the representation requiring the disclosure is made in only one means.
2.

A visual disclosure, by its size, contrast, location, the length of time it

appears, and other characteristics, must stand out from any accompanying text or
other visual elements so that it is easily noticed, read, and understood.
3.

An audible disclosure, including by telephone or streaming video, must be

delivered in a volume, speed, and cadence sufficient for ordinary consumers to
easily hear and understand it.
4.

In any communication using an interactive electronic medium, such as the

Internet or software, the disclosure must be unavoidable.
5.

The disclosure must use diction and syntax understandable to ordinary

consumers and must appear in each language in which the representation that
requires the disclosure appears.
6.

The disclosure must comply with these requirements in each medium

through which it is received, including all electronic devices and face-to-face
communications.

3

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 4 of 31

7.

The disclosure must not be contradicted or mitigated by, or inconsistent

with, anything else in the communication.
8.

When the representation or sales practice targets a specific audience, such

as Children, the elderly, or the terminally ill, “ordinary consumers” includes
reasonable members of that group.
D.

“Collects” or “Collection” means the gathering of any Personal Information from

a Child by any means, including but not limited to:
1.

Requesting, prompting, or encouraging a Child to submit Personal

Information online;
2.

Enabling a Child to make Personal Information publicly available in

identifiable form. An Operator shall not be considered to have Collected Personal
Information if it takes reasonable measures to Delete all or virtually all Personal
Information from a Child’s postings before they are made public and also to
Delete such Personal Information from its records; or
3.

Passive tracking of a Child online.

E.

“Compliance Date” means four months after entry of this Order.

F.

“Content” means any video or channel page found on the YouTube Service.

G.

“Defendants” means Google LLC, a Delaware limited liability company, and

YouTube, LLC, a Delaware limited liability company, and their successors and assigns.
H.

“Delete” means to remove Personal Information such that it is not maintained in

retrievable form and cannot be retrieved in the normal course of business.
I.

“Disclose” or “Disclosure” means, with respect to Personal Information:

4

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 5 of 31

1.

The Release of Personal Information Collected by an Operator from a

Child in identifiable form for any purpose, except where an Operator provides
such information to a Person who provides Support for the Internal Operations of
the Website or Online Service; and
2.

Making Personal Information Collected by an Operator from a Child

publicly available in identifiable form by any means, including but not limited to
a public posting through the Internet, or through a personal home page or screen
posted on a website or online service; a pen pal service; an electronic mail
service; a message board; or a chat room.
J.

“Internet” means collectively the myriad of computer and telecommunications

facilities, including equipment and operating software, which comprise the interconnected worldwide network of networks that employ the Transmission Control Protocol/Internet Protocol, or
any predecessor or successor protocols to such protocol, to communicate information of all kinds
by wire, radio, or other methods of transmission.
K.

“Obtaining Verifiable Parental Consent” means making any reasonable effort

(taking into consideration available technology) to ensure that before Personal Information is
Collected from a Child, a Parent of the Child:
1.

Receives notice of the Operator’s Personal Information Collection, use,

and Disclosure practices; and
2.

Authorizes any Collection, use, and/or Disclosure of the Personal

Information, using a method reasonably calculated, in light of available
technology, to ensure that the Person providing consent is the Child’s Parent.

5

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 6 of 31

L.

“Online Contact Information” means an email address or any other substantially

similar identifier that permits direct contact with a Person online, including but not limited to, an
instant messaging user identifier, a voice over internet protocol (VOIP) identifier, or a video chat
user identifier.
M.

“Operator” means any Person who operates a website located on the Internet or

an online service and who Collects or maintains Personal Information from or about the users of
or visitors to such website or online service, or on whose behalf such information is Collected or
maintained, or offers products or services for sale through that website or online service, where
such website or online service is operated for commercial purposes involving commerce among
the several States or with one or more foreign nations; in any territory of the United States or in
the District of Columbia, or between any such territory and another such territory or any State or
foreign nation; or between the District of Columbia and any State, territory, or foreign nation.
This definition does not include any nonprofit entity that would otherwise be exempt from
coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45). Personal
Information is Collected or maintained on behalf of an Operator when:
1.

It is Collected or maintained by an agent or service provider of the

Operator; or
2.

The Operator benefits by allowing another Person to Collect Personal

Information directly from users of such website or online service.
N.

“Parent” includes a legal guardian.

O.

“Person” means any individual, partnership, corporation, trust, estate,

cooperative, association, or other entity.

6

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 7 of 31

P.

“Personal Information” means individually identifiable information about an

individual Collected online, including:
1.

A first and last name;

2.

A home or other physical address including street name and name of a city

or town;
3.

Online Contact Information;

4.

A screen or user name where it functions in the same manner as Online

Contact Information;
5.

A telephone number;

6.

A Social Security number;

7.

A persistent identifier that can be used to recognize a user over time and

across different websites or online services, where such persistent identifier is
used for functions other than or in addition to Support for the Internal Operations
of the Website or Online Service. Such persistent identifier includes, but is not
limited to, a customer number held in a cookie, an Internet Protocol (IP) address,
a processor or device serial number, or unique device identifier;
8.

A photograph, video, or audio file where such file contains a Child’s

image or voice;
9.

Geolocation information sufficient to identify street name and name of a

city or town; or
10.

Information concerning the Child or the Parents of that Child that the

Operator Collects online from the Child and combines with an identifier described
in this definition.

7

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 8 of 31

Q.

“Release of Personal Information” means the sharing, selling, renting, or

transfer of Personal Information to any Third Party.
R.

“Support for the Internal Operations of the Website or Online Service”

means
1.

Those activities necessary to:
a)

Maintain or analyze the functioning of the website or online
service;

b)

Perform network communications;

c)

Authenticate users of, or personalize the content on, the
website or online service;

d)

Serve contextual advertising on the website or online service or
cap the frequency of advertising;

e)

Protect the security or integrity of the user, website, or online
service;

f)

Ensure legal or regulatory compliance; or

g)

Fulfill a request of a Child as permitted by Section 312.5(c)(3) and
(4) of the COPPA Rule (attached as Appendix A);

2.

So long as the information Collected for these activities listed in 1(a) – (g)

is not used or Disclosed to contact a specific individual, including through
behavioral advertising, to amass a profile on a specific individual, or for any other
purpose.
S.

“Third Party” means any Person who is not:

8

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 9 of 31

1.

An Operator with respect to the Collection or maintenance of Personal

Information on the website or online service; or
2.

A Person who provides Support for the Internal Operations of the Website

or Online Service and who does not use or Disclose information protected under
the COPPA Rule (attached as Appendix A).
T.

“Website or Online Service Directed to Children” means a commercial website

or online service, or portion thereof, that is targeted to Children.
1.

In determining whether a website or online service, or a portion thereof, is

directed to Children, the Commission will consider its subject matter, visual
content, use of animated characters or child-oriented activities and incentives,
music or other audio content, age of models, presence of child celebrities or
celebrities who appeal to Children, language or other characteristics of the
website or online service, as well as whether advertising promoting or appearing
on the website or online service is directed to Children. The Commission will
also consider competent and reliable empirical evidence regarding audience
composition, and evidence regarding the intended audience.
2.

A website or online service shall be deemed directed to Children when it

has actual knowledge that it is Collecting Personal Information directly from
users of another Website or Online Service Directed to Children.
3.

A website or online service that is directed to Children under the criteria

set forth in paragraph (1) of this definition, but that does not target Children as its
primary audience, shall not be deemed directed to Children if it:

9

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 10 of 31

a)

Does not Collect Personal Information from any visitor prior to
Collecting age information; and

b)

Prevents the Collection, use, or Disclosure of Personal Information
from visitors who identify themselves as under age 13 without first
complying with the notice and parental consent provisions of the
COPPA Rule (attached as Appendix A).

4.

A website or online service shall not be deemed directed to Children

solely because it refers or links to a commercial Website or Online Service
Directed to Children by using information location tools, including a directory,
index, reference, pointer, or hypertext link.
U.

“YouTube Service” means the general audience YouTube user-generated video-

sharing platform(s), currently at www.youtube.com and on YouTube mobile application(s), on
which, among other things, consumers can view videos or upload videos to share.
ORDER
I.

INJUNCTION CONCERNING DESIGNATING CONTENT ON THE YOUTUBE
SERVICE AS DIRECTED TO CHILDREN
IT IS ORDERED that, no later than the Compliance Date, Defendants and Defendants’

officers, agents, employees, and attorneys, and all other Persons in active concert or participation
with any of them, who receive actual notice of this Order, whether acting directly or indirectly,
in connection with operating the YouTube Service, are permanently restrained and enjoined
from:
A.

Failing to develop, implement, and maintain a system for Channel Owners to

designate whether their Content on the YouTube Service is directed to Children. Such system

10

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 11 of 31

shall include a Clear and Conspicuous notice that Content made available on the YouTube
Service that is directed to Children may be subject to the Children’s Online Privacy Protection
Rule, 16 C.F.R. Part 312 (attached as Appendix A) and that Channel Owners are obligated to
designate such Content as directed to Children; and
B.

Failing to provide annual training regarding complying with the Children’s Online

Privacy Protection Rule, 16 C.F.R. Part 312 (attached as Appendix A), for each Person
responsible for managing Defendants’ relationships with Channel Owners on the YouTube
Service.
II.

INJUNCTION CONCERNING COLLECTION OF PERSONAL INFORMATION
FROM CHILDREN
IT IS ORDERED that, no later than the Compliance Date, Defendants and Defendants’

officers, agents, employees, and attorneys, and all other persons in active concert or participation
with any of them, who receive actual notice of this Order, whether acting directly or indirectly,
in connection with operating a Website or Online Service Directed to Children on the YouTube
Service are hereby permanently restrained and enjoined from:
A.

Failing to make reasonable efforts, taking into account available technology, to

ensure that a Parent of a Child receives direct notice of Defendants’ practices with regard to the
Collection, use, or Disclosure of Personal Information from Children, including notice of any
material change in the Collection, use, or Disclosure practices to which the Parent has
previously consented, unless the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312
(attached as Appendix A), provides an exception to providing such notice;
B.

Failing to post a prominent and clearly labeled link to an online notice of its

information practices with regard to Children on the home or landing page or screen of its

11

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 12 of 31

website or online service, and at each area of the website or online service where Personal
Information is Collected from Children, unless the Children’s Online Privacy Protection Rule, 16
C.F.R. Part 312 (attached as Appendix A), provides an exception to providing such notice;
C.

Failing to Obtain Verifiable Parental Consent before any Collection, use, or

Disclosure of Personal Information from Children, including consent to any material change in
the Collection, use, or Disclosure practices to which the Parent has previously consented, unless
the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312 (attached as Appendix A),
provides an exception to Obtaining Verifiable Parental Consent; and
D.

Violating the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312

(attached as Appendix A).
III.

INJUNCTION CONCERNING USE OF PREVIOUSLY
COLLECTED PERSONAL INFORMATION

IT IS FURTHER ORDERED that Defendants, Defendants’ officers, agents, employees,
and attorneys, and all other Persons in active concert or participation with any of them, who
receive actual notice of this Order, are ordered to refrain, within ninety (90) days of the
Compliance Date, from Disclosing, using, or benefitting from Personal Information previously
Collected from users of Content that is designated as directed to Children by a Channel Owner
under the system required under Section I.A. above, as long as such designation occurs within
sixty (60) days of the Compliance Date. Provided, however, that such Personal Information may
be Disclosed to the extent requested by a government agency or required by law, regulation, or
court order.

12

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 13 of 31

IV.

CIVIL PENALTY AND OTHER MONETARY RELIEF

IT IS FURTHER ORDERED that:
A.

Judgment in the amount of one hundred and thirty six million dollars

($136,000,000) is entered in favor of Plaintiff FTC against Defendants, jointly and severally, as a
civil penalty.
B.

Defendants are ordered to pay to Plaintiff FTC one hundred thirty six million

dollars ($136,000,000), which, as Defendants stipulate, their undersigned counsel holds in
escrow for no purpose other than payment to the Commission. Such payment must be made
within thirty (30) days of entry of this Order by electronic fund transfer in accordance with
instructions previously provided by a representative of the Commission.
C.

Judgment in the amount of thirty four million dollars ($34,000,000) is entered in

favor of Plaintiff State of New York against Defendants, jointly and severally, as damages,
restitution, or other compensation to its residents.
D.

Defendants are ordered to pay to Plaintiff State of New York, by making payment

to State of New York Department of Law, thirty four million dollars ($34,000,000). Such
payment must be made within thirty (30) days of entry of this Order by wire transfer in
accordance with instructions provided by a representative of Plaintiff State of New York.
V.

ADDITIONAL MONETARY PROVISIONS

IT IS FURTHER ORDERED that:
A.

Defendants relinquish dominion and all legal and equitable right, title, and interest

in all assets transferred pursuant to this Order and may not seek the return of any assets.

13

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 14 of 31

B.

The facts alleged in the Complaint will be taken as true, without further proof, in

any subsequent civil litigation by or on behalf of the Commission or the State of New York in a
proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.
C.

The facts alleged in the Complaint establish all elements necessary to sustain an

action by the Commission or the State of New York pursuant to Section 523(a)(2)(A) of the
Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect
for such purposes.
D.

Defendants acknowledge that their Taxpayer Identification Numbers, which

Defendants must submit to the Commission, may be used for collecting and reporting on any
delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.
VI.

ORDER ACKNOWLEDGMENTS

IT IS FURTHER ORDERED that Defendants obtain acknowledgments of receipt of this
Order:
A.

Each Defendant, within seven (7) days of entry of this Order, must submit to the

Commission and the State of New York an acknowledgment of receipt of this Order sworn under
penalty of perjury.
B.

For five (5) years after entry of this Order, each Defendant must deliver a copy of

this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all
employees, agents, and representatives who have supervisory responsibilities relating to the
subject matter of Sections I and II of this Order; and (3) any business entity resulting from any
change in structure as set forth in the Section titled Compliance Reporting. Delivery must occur
within seven (7) days of entry of this Order for current personnel. For all others, delivery must
occur before they assume their responsibilities.

14

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 15 of 31

C.

From each individual or entity to which a Defendant delivered a copy of this

Order, that Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment
of receipt of this Order.
VII.

COMPLIANCE REPORTING

IT IS FURTHER ORDERED that Defendants make timely submissions to the
Commission and the State of New York:
A.

One year after the Compliance Date, each Defendant must submit a compliance

report, sworn under penalty of perjury. In such report, each Defendant must:
1.

Identify the primary physical, postal, and email address and telephone

number, as designated points of contact, which representatives of the Commission
and the State of New York may use to communicate with that Defendant;
2.

Identify all of Defendant’s businesses involved in operating the YouTube

Service or in Collecting, using, or Disclosing Personal Information from Children
on or from the YouTube Service by all of their names, telephone numbers, and
physical, postal, email, and Internet addresses;
3.

Describe the activities of each such business directly involved with

operating the YouTube Service, including the goods and services offered and the
means of advertising, marketing, and sales;
4.

Describe in detail whether and how Defendants are in compliance with

each Section of this Order;
5.

Provide a copy of each materially different version of any privacy notice

posted on or otherwise applicable to the YouTube Service or sent to users of the
YouTube Service;

15

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 16 of 31

6.

Describe in detail the methods used, if any, to track Child users of the

YouTube Service (including methods used for passive tracking and means for
users to control or opt out of tracking), and the measures taken to avoid tracking
Children;
7.

Describe in detail the methods used to Obtain Verifiable Parental Consent

prior to any Collection, use, and/or Disclosure of Personal Information from
Children through the YouTube Service;
8.

Describe in detail the means provided for Parents to review the Personal

Information Collected from their Children through the YouTube Service and to
refuse to permit its further use or maintenance; and
9.

Provide a copy of each Order Acknowledgment obtained pursuant to this

Order, unless previously submitted to the Commission.
B.

For ten (10) years after entry of this Order, each Defendant must submit a

compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in:
(1) any designated point of contact; or (2) the structure of that Defendant or any entity that
Defendant has any ownership interest in or controls directly or indirectly that may affect
compliance obligations arising under this Order, including: creation, merger, sale, or dissolution
of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to
this Order.
C.

Each Defendant must submit to the Commission and the State of New York

notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by
or against such Defendant within fourteen (14) days of its filing.

16

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 17 of 31

D.

Any submission to the Commission and the State of New York required by this

Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C.
§ 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United
States of America that the foregoing is true and correct. Executed on: _____” and supplying the
date, signatory’s full name, title (if applicable), and signature.
E.

Unless otherwise directed by a Commission representative in writing, all

submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or
sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement,
Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580. The subject line must begin: FTC v. Google LLC and YouTube, LLC,
FTC File No. 1723083.
F.

Unless otherwise directed by a State of New York representative in writing, all

submissions to the State of New York pursuant to this Order must be emailed to
ifraud@ag.ny.gov and sent by overnight courier (not the U.S. Postal Service) to: Bureau Chief,
Bureau of Internet and Technology, New York State Attorney General’s Office, 28 Liberty
Street, New York, New York 10005. The subject line must begin: FTC v. Google LLC and
YouTube, LLC, FTC File No. 1723083.
VIII. RECORDKEEPING
IT IS FURTHER ORDERED that Defendants must create certain records for ten (10)
years after entry of the Order, and retain each such record for five (5) years. Specifically, each
Defendant in connection with operating the YouTube Service must create and retain the
following records:
A.

Accounting records showing the revenues of all goods and services sold;

17

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 18 of 31

B.

Personnel records showing, for each Person providing services, whether as an

employee or otherwise, that Person’s: name; addresses; telephone numbers; job title or position;
dates of service; and (if applicable) the reason for termination;
C.

All records necessary to demonstrate full compliance with each provision of this

Order, including all submissions to the Commission and the State of New York;
D.

Records of all consumer complaints relating to the unauthorized Collection, use or

Disclosure of Personal Information of Children interacting with the YouTube Service, and any
response;
E.

A copy of each materially different form, page, or screen created, maintained, or

otherwise provided by each Defendant through which Personal Information of Children is
Collected through the YouTube Service, and a copy of each materially different document
containing any representation regarding Collection, use, and Disclosure practices pertaining to
Personal Information from Children Collected through the YouTube Service. Each webpage
copy shall be accompanied by the URL of the webpage where the material was posted online.
Electronic copies shall include all text and graphics files, audio scripts, and other computer files
used in presenting information on the Internet; and
F.

A copy of each unique advertisement, other marketing material, telemarketing

script, or other representation related to the Collection of Personal Information of Children that is
made in connection with promoting or offering for sale the YouTube Service.
IX.

COMPLIANCE MONITORING

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendants’ compliance
with this Order:

18

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 19 of 31

A.

Within fourteen (14) days of receipt of a written request from a representative of

the Commission or the State of New York, each Defendant must: submit additional compliance
reports or other requested information, which must be sworn under penalty of perjury; appear for
depositions; and produce documents for inspection and copying. The Commission and the State
of New York are also authorized to obtain discovery, without further leave of court, using any of
the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic
depositions), 31, 33, 34, 36, 45, and 69.
B.

For matters concerning this Order, the Commission and the State of New York

are authorized to communicate directly with each Defendant. Each Defendant must permit
representatives of the Commission and the State of New York to interview any employee or
other Person affiliated with Defendant who has agreed to such an interview. The Person
interviewed may have counsel present.
C.

The Commission and the State of New York may use all other lawful means,

including posing, through its representatives as consumers, suppliers, or other individuals or
entities, to Defendants or any individual or entity affiliated with Defendants, without the
necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful
use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b1.

19

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 20 of 31

X.

RETENTION OF JURISDICTION

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of
construction, modification, and enforcement of this Order.

SO ORDERED this

day of

_______________________________
UNITED STATES DISTRICT JUDGE

20

, 2019.

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 21 of 31

SO STIPULATED AND AGREED:
FOR PLAINTIFFS
FEDERAL TRADE COMMISSION:

v/r/�a. 1ll111Ja1 Itu;

I
MANEESHA MITHAL
Associate Director
Division of Privacy and Identity Protection

I
MARK EICHORN
Assistant Director
Divisi'ri?>f� ivacy and Identity Protection
~
- KIDS TIN KRAUSE COHEN (D.C. Bar No. 485946)
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Ave., NW
Washington, DC 20580
(202) 326-2276 (voice)
(202) 326-3062 (fax)
Email: kcohen@ftc.gov

�

RL
P�
7:JFlt'�GEE
(D.C. Bar No. 444750)
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
(202) 326-3538 (voice)
(202) 326-3062 (fax)
Email: pmagee@ftc.gov
l

fdi(W.,f

t,liXA(._
I jJJ:_
61.V.

TIFF¼NY·GEORGE
Bar No. 4023248)
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
(202) 326-3040 (voice)
(202) 326-3062 (fax)
Email: tgeorge@ftc.gov

21

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 22 of 31

FOR THE PEOPLE OF THE STATE OF NEW YORK:
LETITIA JAMES
Attorney General of the State ofNew York

By ~

aL

CLA ~RWELL (New York Bar No. 2848323)
Deputy Bureau Chief
JORDAN S. ADLER (New York Bar No. 4605556)
Assistant Attorney General
Bureau of Internet and Technology
Office of the New York State Attorney General
28 Liberty St.
New York, NY 10005
(212) 416-8433 (voice)
(212) 416-8369 (fax)
Email: clark.russell@ag.ny.gov
Email: jordan.adler@ag.ny.gov

22

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 23 of 31

FOR DEFENDANTS:

C

1234567856
 

Date: - - - -

L"":

Libby J. Weingarten, Esq.
Wilson Sonsini Goodrich & Rosati
1700 K Street, NW
5th Floor
Washington, DC 20006
(202) 973-8800
(202) 973-8899
col en@wsgr.com
Iwein garten@w gr.com
COUNSEL for GOOGLE LLC and YOUTUBE, LLC

DEFENDANT: GOOGLELLC

012345678569
 

Date: - - - -

Name: Kent Walker
Title: Senior Vice President, Global Affairs & Chief Legal Officer
DEFENDANT: YOUTUBE,LLC
By: Google LLC, its Managing Member

lfJM!L

12345678569 

Date: - - - -

Name: Kent Walker
Title: Senior Vice President, Global Affairs & Chief Legal Officer

23

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 24 of 31

APPENDIX A

Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 25 of 31
4008

Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

List of Subjects in 16 CFR Part 312
Children, Communications, Consumer
protection, Electronic mail, Email,
Internet, Online service, Privacy, Record
retention, Safety, science and
technology, Trade practices, Web site,
Youth.
Accordingly, for the reasons stated
above, the Federal Trade Commission
revises part 312 of Title 16 of the Code
of Federal Regulations to read as
follows:

■

PART 312—CHILDREN’S ONLINE
PRIVACY PROTECTION RULE
Sec.
312.1 Scope of regulations in this part.
312.2 Definitions.
312.3 Regulation of unfair or deceptive acts
or practices in connection with the
collection, use, and/or disclosure of
personal information from and about
children on the Internet.
312.4 Notice.
312.5 Parental consent.
312.6 Right of parent to review personal
information provided by a child.
312.7 Prohibition against conditioning a
child’s participation on collection of
personal information.

Appendix A

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 26 of 31
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
312.8 Confidentiality, security, and
integrity of personal information
collected from children.
312.9 Enforcement.
312.10 Data retention and deletion
requirements.
312.11 Safe harbor programs.
312.12 Voluntary Commission Approval
Processes.
312.13 Severability.
Authority: 15 U.S.C. 6501–6508.
§ 312.1

Scope of regulations in this part.

This part implements the Children’s
Online Privacy Protection Act of 1998,
(15 U.S.C. 6501, et seq.,) which
prohibits unfair or deceptive acts or
practices in connection with the
collection, use, and/or disclosure of
personal information from and about
children on the Internet.
§ 312.2

Definitions.

Child means an individual under the
age of 13.
Collects or collection means the
gathering of any personal information
from a child by any means, including
but not limited to:
(1) Requesting, prompting, or
encouraging a child to submit personal
information online;
(2) Enabling a child to make personal
information publicly available in
identifiable form. An operator shall not
be considered to have collected personal
information under this paragraph if it
takes reasonable measures to delete all
or virtually all personal information
from a child’s postings before they are
made public and also to delete such
information from its records; or
(3) Passive tracking of a child online.
Commission means the Federal Trade
Commission.
Delete means to remove personal
information such that it is not
maintained in retrievable form and
cannot be retrieved in the normal course
of business.
Disclose or disclosure means, with
respect to personal information:
(1) The release of personal
information collected by an operator
from a child in identifiable form for any
purpose, except where an operator
provides such information to a person
who provides support for the internal
operations of the Web site or online
service; and
(2) Making personal information
collected by an operator from a child
publicly available in identifiable form
by any means, including but not limited
to a public posting through the Internet,
or through a personal home page or
screen posted on a Web site or online
service; a pen pal service; an electronic
mail service; a message board; or a chat
room.

Federal agency means an agency, as
that term is defined in Section 551(1) of
title 5, United States Code.
Internet means collectively the
myriad of computer and
telecommunications facilities, including
equipment and operating software,
which comprise the interconnected
world-wide network of networks that
employ the Transmission Control
Protocol/Internet Protocol, or any
predecessor or successor protocols to
such protocol, to communicate
information of all kinds by wire, radio,
or other methods of transmission.
Obtaining verifiable consent means
making any reasonable effort (taking
into consideration available technology)
to ensure that before personal
information is collected from a child, a
parent of the child:
(1) Receives notice of the operator’s
personal information collection, use,
and disclosure practices; and
(2) Authorizes any collection, use,
and/or disclosure of the personal
information.
Online contact information means an
email address or any other substantially
similar identifier that permits direct
contact with a person online, including
but not limited to, an instant messaging
user identifier, a voice over internet
protocol (VOIP) identifier, or a video
chat user identifier.
Operator means any person who
operates a Web site located on the
Internet or an online service and who
collects or maintains personal
information from or about the users of
or visitors to such Web site or online
service, or on whose behalf such
information is collected or maintained,
or offers products or services for sale
through that Web site or online service,
where such Web site or online service
is operated for commercial purposes
involving commerce among the several
States or with 1 or more foreign nations;
in any territory of the United States or
in the District of Columbia, or between
any such territory and another such
territory or any State or foreign nation;
or between the District of Columbia and
any State, territory, or foreign nation.
This definition does not include any
nonprofit entity that would otherwise be
exempt from coverage under Section 5
of the Federal Trade Commission Act
(15 U.S.C. 45). Personal information is
collected or maintained on behalf of an
operator when:
(1) It is collected or maintained by an
agent or service provider of the operator;
or
(2) The operator benefits by allowing
another person to collect personal
information directly from users of such
Web site or online service.

4009

Parent includes a legal guardian.
Person means any individual,
partnership, corporation, trust, estate,
cooperative, association, or other entity.
Personal information means
individually identifiable information
about an individual collected online,
including:
(1) A first and last name;
(2) A home or other physical address
including street name and name of a
city or town;
(3) Online contact information as
defined in this section;
(4) A screen or user name where it
functions in the same manner as online
contact information, as defined in this
section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be
used to recognize a user over time and
across different Web sites or online
services. Such persistent identifier
includes, but is not limited to, a
customer number held in a cookie, an
Internet Protocol (IP) address, a
processor or device serial number, or
unique device identifier;
(8) A photograph, video, or audio file
where such file contains a child’s image
or voice;
(9) Geolocation information sufficient
to identify street name and name of a
city or town; or
(10) Information concerning the child
or the parents of that child that the
operator collects online from the child
and combines with an identifier
described in this definition.
Release of personal information
means the sharing, selling, renting, or
transfer of personal information to any
third party.
Support for the internal operations of
the Web site or online service means:
(1) Those activities necessary to:
(i) Maintain or analyze the
functioning of the Web site or online
service;
(ii) Perform network communications;
(iii) Authenticate users of, or
personalize the content on, the Web site
or online service;
(iv) Serve contextual advertising on
the Web site or online service or cap the
frequency of advertising;
(v) Protect the security or integrity of
the user, Web site, or online service;
(vi) Ensure legal or regulatory
compliance; or
(vii) Fulfill a request of a child as
permitted by § 312.5(c)(3) and (4);
(2) So long as The information
collected for the activities listed in
paragraphs (1)(i)–(vii) of this definition
is not used or disclosed to contact a
specific individual, including through
behavioral advertising, to amass a

Appendix A

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 27 of 31
4010

Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

profile on a specific individual, or for
any other purpose.
Third party means any person who is
not:
(1) An operator with respect to the
collection or maintenance of personal
information on the Web site or online
service; or
(2) A person who provides support for
the internal operations of the Web site
or online service and who does not use
or disclose information protected under
this part for any other purpose.
Web site or online service directed to
children means a commercial Web site
or online service, or portion thereof, that
is targeted to children.
(1) In determining whether a Web site
or online service, or a portion thereof,
is directed to children, the Commission
will consider its subject matter, visual
content, use of animated characters or
child-oriented activities and incentives,
music or other audio content, age of
models, presence of child celebrities or
celebrities who appeal to children,
language or other characteristics of the
Web site or online service, as well as
whether advertising promoting or
appearing on the Web site or online
service is directed to children. The
Commission will also consider
competent and reliable empirical
evidence regarding audience
composition, and evidence regarding
the intended audience.
(2) A Web site or online service shall
be deemed directed to children when it
has actual knowledge that it is
collecting personal information directly
from users of another Web site or online
service directed to children.
(3) A Web site or online service that
is directed to children under the criteria
set forth in paragraph (1) of this
definition, but that does not target
children as its primary audience, shall
not be deemed directed to children if it:
(i) Does not collect personal
information from any visitor prior to
collecting age information; and
(ii) Prevents the collection, use, or
disclosure of personal information from
visitors who identify themselves as
under age 13 without first complying
with the notice and parental consent
provisions of this part.
(4) A Web site or online service shall
not be deemed directed to children
solely because it refers or links to a
commercial Web site or online service
directed to children by using
information location tools, including a
directory, index, reference, pointer, or
hypertext link.

§ 312.3 Regulation of unfair or deceptive
acts or practices in connection with the
collection, use, and/or disclosure of
personal information from and about
children on the Internet.

General requirements. It shall be
unlawful for any operator of a Web site
or online service directed to children, or
any operator that has actual knowledge
that it is collecting or maintaining
personal information from a child, to
collect personal information from a
child in a manner that violates the
regulations prescribed under this part.
Generally, under this part, an operator
must:
(a) Provide notice on the Web site or
online service of what information it
collects from children, how it uses such
information, and its disclosure practices
for such information (§ 312.4(b));
(b) Obtain verifiable parental consent
prior to any collection, use, and/or
disclosure of personal information from
children (§ 312.5);
(c) Provide a reasonable means for a
parent to review the personal
information collected from a child and
to refuse to permit its further use or
maintenance (§ 312.6);
(d) Not condition a child’s
participation in a game, the offering of
a prize, or another activity on the child
disclosing more personal information
than is reasonably necessary to
participate in such activity (§ 312.7);
and
(e) Establish and maintain reasonable
procedures to protect the
confidentiality, security, and integrity of
personal information collected from
children (§ 312.8).
§ 312.4

Notice.

(a) General principles of notice. It
shall be the obligation of the operator to
provide notice and obtain verifiable
parental consent prior to collecting,
using, or disclosing personal
information from children. Such notice
must be clearly and understandably
written, complete, and must contain no
unrelated, confusing, or contradictory
materials.
(b) Direct notice to the parent. An
operator must make reasonable efforts,
taking into account available
technology, to ensure that a parent of a
child receives direct notice of the
operator’s practices with regard to the
collection, use, or disclosure of personal
information from children, including
notice of any material change in the
collection, use, or disclosure practices
to which the parent has previously
consented.
(c) Content of the direct notice to the
parent—(1) Content of the direct notice
to the parent under § 312.5(c)(1) (Notice

to Obtain Parent’s Affirmative Consent
to the Collection, Use, or Disclosure of
a Child’s Personal Information). This
direct notice shall set forth:
(i) That the operator has collected the
parent’s online contact information from
the child, and, if such is the case, the
name of the child or the parent, in order
to obtain the parent’s consent;
(ii) That the parent’s consent is
required for the collection, use, or
disclosure of such information, and that
the operator will not collect, use, or
disclose any personal information from
the child if the parent does not provide
such consent;
(iii) The additional items of personal
information the operator intends to
collect from the child, or the potential
opportunities for the disclosure of
personal information, should the parent
provide consent;
(iv) A hyperlink to the operator’s
online notice of its information
practices required under paragraph (d)
of this section;
(v) The means by which the parent
can provide verifiable consent to the
collection, use, and disclosure of the
information; and
(vi) That if the parent does not
provide consent within a reasonable
time from the date the direct notice was
sent, the operator will delete the
parent’s online contact information from
its records.
(2) Content of the direct notice to the
parent under § 312.5(c)(2) (Voluntary
Notice to Parent of a Child’s Online
Activities Not Involving the Collection,
Use or Disclosure of Personal
Information). Where an operator
chooses to notify a parent of a child’s
participation in a Web site or online
service, and where such site or service
does not collect any personal
information other than the parent’s
online contact information, the direct
notice shall set forth:
(i) That the operator has collected the
parent’s online contact information from
the child in order to provide notice to,
and subsequently update the parent
about, a child’s participation in a Web
site or online service that does not
otherwise collect, use, or disclose
children’s personal information;
(ii) That the parent’s online contact
information will not be used or
disclosed for any other purpose;
(iii) That the parent may refuse to
permit the child’s participation in the
Web site or online service and may
require the deletion of the parent’s
online contact information, and how the
parent can do so; and
(iv) A hyperlink to the operator’s
online notice of its information

Appendix A

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 28 of 31
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
practices required under paragraph (d)
of this section.
(3) Content of the direct notice to the
parent under § 312.5(c)(4) (Notice to a
Parent of Operator’s Intent to
Communicate with the Child Multiple
Times). This direct notice shall set forth:
(i) That the operator has collected the
child’s online contact information from
the child in order to provide multiple
online communications to the child;
(ii) That the operator has collected the
parent’s online contact information from
the child in order to notify the parent
that the child has registered to receive
multiple online communications from
the operator;
(iii) That the online contact
information collected from the child
will not be used for any other purpose,
disclosed, or combined with any other
information collected from the child;
(iv) That the parent may refuse to
permit further contact with the child
and require the deletion of the parent’s
and child’s online contact information,
and how the parent can do so;
(v) That if the parent fails to respond
to this direct notice, the operator may
use the online contact information
collected from the child for the purpose
stated in the direct notice; and
(vi) A hyperlink to the operator’s
online notice of its information
practices required under paragraph (d)
of this section.
(4) Content of the direct notice to the
parent required under § 312.5(c)(5)
(Notice to a Parent In Order to Protect
a Child’s Safety). This direct notice shall
set forth:
(i) That the operator has collected the
name and the online contact
information of the child and the parent
in order to protect the safety of a child;
(ii) That the information will not be
used or disclosed for any purpose
unrelated to the child’s safety;
(iii) That the parent may refuse to
permit the use, and require the deletion,
of the information collected, and how
the parent can do so;
(iv) That if the parent fails to respond
to this direct notice, the operator may
use the information for the purpose
stated in the direct notice; and
(v) A hyperlink to the operator’s
online notice of its information
practices required under paragraph (d)
of this section.
(d) Notice on the Web site or online
service. In addition to the direct notice
to the parent, an operator must post a
prominent and clearly labeled link to an
online notice of its information
practices with regard to children on the
home or landing page or screen of its
Web site or online service, and, at each
area of the Web site or online service

where personal information is collected
from children. The link must be in close
proximity to the requests for
information in each such area. An
operator of a general audience Web site
or online service that has a separate
children’s area must post a link to a
notice of its information practices with
regard to children on the home or
landing page or screen of the children’s
area. To be complete, the online notice
of the Web site or online service’s
information practices must state the
following:
(1) The name, address, telephone
number, and email address of all
operators collecting or maintaining
personal information from children
through the Web site or online service.
Provided that: The operators of a Web
site or online service may list the name,
address, phone number, and email
address of one operator who will
respond to all inquiries from parents
concerning the operators’ privacy
policies and use of children’s
information, as long as the names of all
the operators collecting or maintaining
personal information from children
through the Web site or online service
are also listed in the notice;
(2) A description of what information
the operator collects from children,
including whether the Web site or
online service enables a child to make
personal information publicly available;
how the operator uses such information;
and, the operator’s disclosure practices
for such information; and
(3) That the parent can review or have
deleted the child’s personal
information, and refuse to permit
further collection or use of the child’s
information, and state the procedures
for doing so.
§ 312.5

Parental consent.

(a) General requirements. (1) An
operator is required to obtain verifiable
parental consent before any collection,
use, or disclosure of personal
information from children, including
consent to any material change in the
collection, use, or disclosure practices
to which the parent has previously
consented.
(2) An operator must give the parent
the option to consent to the collection
and use of the child’s personal
information without consenting to
disclosure of his or her personal
information to third parties.
(b) Methods for verifiable parental
consent. (1) An operator must make
reasonable efforts to obtain verifiable
parental consent, taking into
consideration available technology. Any
method to obtain verifiable parental
consent must be reasonably calculated,

4011

in light of available technology, to
ensure that the person providing
consent is the child’s parent. (2)
Existing methods to obtain verifiable
parental consent that satisfy the
requirements of this paragraph include:
(i) Providing a consent form to be
signed by the parent and returned to the
operator by postal mail, facsimile, or
electronic scan;
(ii) Requiring a parent, in connection
with a monetary transaction, to use a
credit card, debit card, or other online
payment system that provides
notification of each discrete transaction
to the primary account holder;
(iii) Having a parent call a toll-free
telephone number staffed by trained
personnel;
(iv) Having a parent connect to
trained personnel via video-conference;
(v) Verifying a parent’s identity by
checking a form of government-issued
identification against databases of such
information, where the parent’s
identification is deleted by the operator
from its records promptly after such
verification is complete; or
(vi) Provided that, an operator that
does not ‘‘disclose’’ (as defined by
§ 312.2) children’s personal information,
may use an email coupled with
additional steps to provide assurances
that the person providing the consent is
the parent. Such additional steps
include: Sending a confirmatory email
to the parent following receipt of
consent, or obtaining a postal address or
telephone number from the parent and
confirming the parent’s consent by letter
or telephone call. An operator that uses
this method must provide notice that
the parent can revoke any consent given
in response to the earlier email.
(3) Safe harbor approval of parental
consent methods. A safe harbor program
approved by the Commission under
§ 312.11 may approve its member
operators’ use of a parental consent
method not currently enumerated in
paragraph (b)(2) of this section where
the safe harbor program determines that
such parental consent method meets the
requirements of paragraph (b)(1) of this
section.
(c) Exceptions to prior parental
consent. Verifiable parental consent is
required prior to any collection, use, or
disclosure of personal information from
a child except as set forth in this
paragraph:
(1) Where the sole purpose of
collecting the name or online contact
information of the parent or child is to
provide notice and obtain parental
consent under § 312.4(c)(1). If the
operator has not obtained parental
consent after a reasonable time from the
date of the information collection, the

Appendix A

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 29 of 31
4012

Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

operator must delete such information
from its records;
(2) Where the purpose of collecting a
parent’s online contact information is to
provide voluntary notice to, and
subsequently update the parent about,
the child’s participation in a Web site or
online service that does not otherwise
collect, use, or disclose children’s
personal information. In such cases, the
parent’s online contact information may
not be used or disclosed for any other
purpose. In such cases, the operator
must make reasonable efforts, taking
into consideration available technology,
to ensure that the parent receives notice
as described in § 312.4(c)(2);
(3) Where the sole purpose of
collecting online contact information
from a child is to respond directly on a
one-time basis to a specific request from
the child, and where such information
is not used to re-contact the child or for
any other purpose, is not disclosed, and
is deleted by the operator from its
records promptly after responding to the
child’s request;
(4) Where the purpose of collecting a
child’s and a parent’s online contact
information is to respond directly more
than once to the child’s specific request,
and where such information is not used
for any other purpose, disclosed, or
combined with any other information
collected from the child. In such cases,
the operator must make reasonable
efforts, taking into consideration
available technology, to ensure that the
parent receives notice as described in
§ 312.4(c)(3). An operator will not be
deemed to have made reasonable efforts
to ensure that a parent receives notice
where the notice to the parent was
unable to be delivered;
(5) Where the purpose of collecting a
child’s and a parent’s name and online
contact information, is to protect the
safety of a child, and where such
information is not used or disclosed for
any purpose unrelated to the child’s
safety. In such cases, the operator must
make reasonable efforts, taking into
consideration available technology, to
provide a parent with notice as
described in § 312.4(c)(4);
(6) Where the purpose of collecting a
child’s name and online contact
information is to:
(i) Protect the security or integrity of
its Web site or online service;
(ii) Take precautions against liability;
(iii) Respond to judicial process; or
(iv) To the extent permitted under
other provisions of law, to provide
information to law enforcement
agencies or for an investigation on a
matter related to public safety; and
where such information is not be used
for any other purpose;

(7) Where an operator collects a
persistent identifier and no other
personal information and such identifier
is used for the sole purpose of providing
support for the internal operations of
the Web site or online service. In such
case, there also shall be no obligation to
provide notice under § 312.4; or
(8) Where an operator covered under
paragraph (2) of the definition of Web
site or online service directed to
children in § 312.2 collects a persistent
identifier and no other personal
information from a user who
affirmatively interacts with the operator
and whose previous registration with
that operator indicates that such user is
not a child. In such case, there also shall
be no obligation to provide notice under
§ 312.4.
§ 312.6 Right of parent to review personal
information provided by a child.

(a) Upon request of a parent whose
child has provided personal information
to a Web site or online service, the
operator of that Web site or online
service is required to provide to that
parent the following:
(1) A description of the specific types
or categories of personal information
collected from children by the operator,
such as name, address, telephone
number, email address, hobbies, and
extracurricular activities;
(2) The opportunity at any time to
refuse to permit the operator’s further
use or future online collection of
personal information from that child,
and to direct the operator to delete the
child’s personal information; and
(3) Notwithstanding any other
provision of law, a means of reviewing
any personal information collected from
the child. The means employed by the
operator to carry out this provision
must:
(i) Ensure that the requestor is a
parent of that child, taking into account
available technology; and
(ii) Not be unduly burdensome to the
parent.
(b) Neither an operator nor the
operator’s agent shall be held liable
under any Federal or State law for any
disclosure made in good faith and
following reasonable procedures in
responding to a request for disclosure of
personal information under this section.
(c) Subject to the limitations set forth
in § 312.7, an operator may terminate
any service provided to a child whose
parent has refused, under paragraph
(a)(2) of this section, to permit the
operator’s further use or collection of
personal information from his or her
child or has directed the operator to
delete the child’s personal information.

§ 312.7 Prohibition against conditioning a
child’s participation on collection of
personal information.

An operator is prohibited from
conditioning a child’s participation in a
game, the offering of a prize, or another
activity on the child’s disclosing more
personal information than is reasonably
necessary to participate in such activity.
§ 312.8 Confidentiality, security, and
integrity of personal information collected
from children.

The operator must establish and
maintain reasonable procedures to
protect the confidentiality, security, and
integrity of personal information
collected from children. The operator
must also take reasonable steps to
release children’s personal information
only to service providers and third
parties who are capable of maintaining
the confidentiality, security and
integrity of such information, and who
provide assurances that they will
maintain the information in such a
manner.
§ 312.9

Enforcement.

Subject to sections 6503 and 6505 of
the Children’s Online Privacy Protection
Act of 1998, a violation of a regulation
prescribed under section 6502 (a) of this
Act shall be treated as a violation of a
rule defining an unfair or deceptive act
or practice prescribed under section
18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C.
57a(a)(1)(B)).
§ 312.10 Data retention and deletion
requirements.

An operator of a Web site or online
service shall retain personal information
collected online from a child for only as
long as is reasonably necessary to fulfill
the purpose for which the information
was collected. The operator must delete
such information using reasonable
measures to protect against
unauthorized access to, or use of, the
information in connection with its
deletion.
§ 312.11

Safe harbor programs.

(a) In general. Industry groups or
other persons may apply to the
Commission for approval of selfregulatory program guidelines (‘‘safe
harbor programs’’). The application
shall be filed with the Commission’s
Office of the Secretary. The Commission
will publish in the Federal Register a
document seeking public comment on
the application. The Commission shall
issue a written determination within
180 days of the filing of the application.
(b) Criteria for approval of selfregulatory program guidelines. Proposed
safe harbor programs must demonstrate

Appendix A

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 30 of 31
Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations
that they meet the following
performance standards:
(1) Program requirements that ensure
operators subject to the self-regulatory
program guidelines (‘‘subject
operators’’) provide substantially the
same or greater protections for children
as those contained in §§ 312.2 through
312.8, and 312.10.
(2) An effective, mandatory
mechanism for the independent
assessment of subject operators’
compliance with the self-regulatory
program guidelines. At a minimum, this
mechanism must include a
comprehensive review by the safe
harbor program, to be conducted not
less than annually, of each subject
operator’s information policies,
practices, and representations. The
assessment mechanism required under
this paragraph can be provided by an
independent enforcement program, such
as a seal program.
(3) Disciplinary actions for subject
operators’ non-compliance with selfregulatory program guidelines. This
performance standard may be satisfied
by:
(i) Mandatory, public reporting of any
action taken against subject operators by
the industry group issuing the selfregulatory guidelines;
(ii) Consumer redress;
(iii) Voluntary payments to the United
States Treasury in connection with an
industry-directed program for violators
of the self-regulatory guidelines;
(iv) Referral to the Commission of
operators who engage in a pattern or
practice of violating the self-regulatory
guidelines; or
(v) Any other equally effective action.
(c) Request for Commission approval
of self-regulatory program guidelines. A
proposed safe harbor program’s request
for approval shall be accompanied by
the following:
(1) A detailed explanation of the
applicant’s business model, and the
technological capabilities and
mechanisms that will be used for initial
and continuing assessment of subject
operators’ fitness for membership in the
safe harbor program;
(2) A copy of the full text of the
guidelines for which approval is sought
and any accompanying commentary;
(3) A comparison of each provision of
§§ 312.2 through 312.8, and 312.10 with
the corresponding provisions of the
guidelines; and
(4) A statement explaining:
(i) How the self-regulatory program
guidelines, including the applicable
assessment mechanisms, meet the
requirements of this part; and
(ii) How the assessment mechanisms
and compliance consequences required

under paragraphs (b)(2) and (b)(3)
provide effective enforcement of the
requirements of this part.
(d) Reporting and recordkeeping
requirements. Approved safe harbor
programs shall:
(1) By July 1, 2014, and annually
thereafter, submit a report to the
Commission containing, at a minimum,
an aggregated summary of the results of
the independent assessments conducted
under paragraph (b)(2) of this section, a
description of any disciplinary action
taken against any subject operator under
paragraph (b)(3) of this section, and a
description of any approvals of member
operators’ use of a parental consent
mechanism, pursuant to § 312.5(b)(4);
(2) Promptly respond to Commission
requests for additional information; and
(3) Maintain for a period not less than
three years, and upon request make
available to the Commission for
inspection and copying:
(i) Consumer complaints alleging
violations of the guidelines by subject
operators;
(ii) Records of disciplinary actions
taken against subject operators; and
(iii) Results of the independent
assessments of subject operators’
compliance required under paragraph
(b)(2) of this section.
(e) Post-approval modifications to
self-regulatory program guidelines.
Approved safe harbor programs must
submit proposed changes to their
guidelines for review and approval by
the Commission in the manner required
for initial approval of guidelines under
paragraph (c)(2) of this section. The
statement required under paragraph
(c)(4) of this section must describe how
the proposed changes affect existing
provisions of the guidelines.
(f) Revocation of approval of selfregulatory program guidelines. The
Commission reserves the right to revoke
any approval granted under this section
if at any time it determines that the
approved self-regulatory program
guidelines or their implementation do
not meet the requirements of this part.
Safe harbor programs that were
approved prior to the publication of the
Final Rule amendments must, by March
1, 2013, submit proposed modifications
to their guidelines that would bring
them into compliance with such
amendments, or their approval shall be
revoked.
(g) Operators’ participation in a safe
harbor program. An operator will be
deemed to be in compliance with the
requirements of §§ 312.2 through 312.8,
and 312.10 if that operator complies
with Commission-approved safe harbor
program guidelines. In considering
whether to initiate an investigation or

4013

bring an enforcement action against a
subject operator for violations of this
part, the Commission will take into
account the history of the subject
operator’s participation in the safe
harbor program, whether the subject
operator has taken action to remedy
such non-compliance, and whether the
operator’s non-compliance resulted in
any one of the disciplinary actions set
forth in paragraph (b)(3).
§ 312.12 Voluntary Commission Approval
Processes.

(a) Parental consent methods. An
interested party may file a written
request for Commission approval of
parental consent methods not currently
enumerated in § 312.5(b). To be
considered for approval, a party must
provide a detailed description of the
proposed parental consent methods,
together with an analysis of how the
methods meet § 312.5(b)(1). The request
shall be filed with the Commission’s
Office of the Secretary. The Commission
will publish in the Federal Register a
document seeking public comment on
the request. The Commission shall issue
a written determination within 120 days
of the filing of the request; and
(b) Support for internal operations of
the Web site or online service. An
interested party may file a written
request for Commission approval of
additional activities to be included
within the definition of support for
internal operations. To be considered
for approval, a party must provide a
detailed justification why such activities
should be deemed support for internal
operations, and an analysis of their
potential effects on children’s online
privacy. The request shall be filed with
the Commission’s Office of the
Secretary. The Commission will publish
in the Federal Register a document
seeking public comment on the request.
The Commission shall issue a written
determination within 120 days of the
filing of the request.
§ 312.13

Severability.

The provisions of this part are
separate and severable from one
another. If any provision is stayed or
determined to be invalid, it is the
Commission’s intention that the
remaining provisions shall continue in
effect.

Appendix A

 Case 1:19-cv-02642 Document 2-1 Filed 09/04/19 Page 31 of 31
4014

Federal Register / Vol. 78, No. 12 / Thursday, January 17, 2013 / Rules and Regulations

By direction of the Commission,
Commissioner Rosch abstaining, and
Commissioner Ohlhausen dissenting.
Donald S. Clark,
Secretary.

Dissenting Statement of Commissioner
Maureen K. Ohlhausen
I voted against adopting the amendments
to the Children’s Online Privacy Protection
Act (COPPA) Rule because I believe a core
provision of the amendments exceeds the
scope of the authority granted us by Congress
in COPPA, the statute that underlies and
authorizes the Rule.401 Before I explain my
concerns, I wish to commend the
Commission staff for their careful
consideration of the multitude of issues
raised by the numerous comments in this
proceeding. Much of the language of the
amendments is designed to preserve
flexibility for the industry while striving to
protect children’s privacy, a goal I support
strongly. The final proposed amendments
largely strike the right balance between
protecting children’s privacy online and
avoiding undue burdens on providers of
children’s online content and services. The
staff’s great expertise in the area of children’s
privacy and deep understanding of the values
at stake in this matter have been invaluable
in my consideration of these important
issues.
In COPPA Congress defined who is an
operator and thereby set the outer boundary
for the statute’s and the COPPA Rule’s
reach.402 It is undisputed that COPPA places
obligations on operators of Web sites or
online services directed to children or
operators with actual knowledge that they are
collecting personal information from
401 15

U.S.C. 6501–6506.
15 U.S.C. 6501(2), defines the term
‘‘operator’’ as ‘‘any person who operates a Web site
located on the Internet or an online service and who
collects or maintains personal information from or
about users of or visitors to such Web site or online
service, or on whose behalf such information is
collected and maintained * * *’’ As stated in the
Statement of Basis and Purpose for the original
COPPA Rule, ‘‘The definition of ‘operator’ is of
central importance because it determines who is
covered by the Act and the Rule.’’ Children’s
Online Privacy Protection Rule 64 FR 59888, 59891
(Nov. 3, 1999) (final rule).
402 COPPA,

children. The statute provides, ‘‘It is
unlawful for an operator of a Web site or
online service directed to children, or any
operator that has actual knowledge that it is
collecting personal information from a child,
to collect personal information from a child
in a manner that violates the regulations
prescribed [by the FTC].’’ 403
The Statement of Basis and Purpose for the
amendments (SBP) discusses concerns that
the current COPPA Rule may not cover childdirected Web sites or services that do not
themselves collect children’s personal
information but may incorporate third-party
plug-ins that collect such information 404 for
the plug-ins’ use but do not collect or
maintain the information for, or share it with,
the child-directed site or service. To address
these concerns, the amendments add a new
proviso to the definition of operator in the
COPPA Rule: ‘‘Personal information is
collected or maintained on behalf of an
operator when: (a) it is collected or
maintained by an agent or service provider of
the operator; or (b) the operator benefits by
allowing another person to collect personal
information directly from users of such Web
site or online service.’’ 405
The proposed amendments construe the
term ‘‘on whose behalf such information is
collected and maintained’’ to reach childdirected Web sites or services that merely
derive from a third-party plug-in some kind
of benefit, which may well be unrelated to
the collection and use of children’s
403 15

U.S.C. 6502(a)(1).
the third-party plugs-ins are child-directed
or have actual knowledge that they are collecting
children’s personal information they are already
expressly covered by the COPPA statute. Thus, as
the SBP notes, a behavioral advertising network that
targets children under the age of 13 is already
deemed an operator. The amendment must
therefore be aimed at reaching third-party plug-ins
that are either not child-directed or do not have
actual knowledge that they are collecting children’s
personal information, which raises a question about
what harm this amendment will address. For
example, it appears that this same type of harm
could occur through general audience Web sites
and online services collecting and using visitors’
personal information without knowing whether
some of the data is children’s personal information,
which is a practice that COPPA and the
amendments do not prohibit.
405 16 CFR 312.2 (Definitions).
404 If

information (e.g., content, functionality, or
advertising revenue). I find that this
proviso—which would extend COPPA
obligations to entities that do not collect
personal information from children or have
access to or control of such information
collected by a third-party does not comport
with the plain meaning of the statutory
definition of an operator in COPPA, which
covers only entities ‘‘on whose behalf such
information is collected and maintained.’’ 406
In other words, I do not believe that the fact
that a child-directed site or online service
receives any kind of benefit from using a
plug-in is equivalent to the collection of
personal information by the third-party plugin on behalf of the child-directed site or
online service.
As the Supreme Court has directed, an
agency ‘‘must give effect to the
unambiguously expressed intent of
Congress.’’ 407 Thus, regardless of the policy
justifications offered, I cannot support
expanding the definition of the term
‘‘operator’’ beyond the statutory parameters
set by Congress in COPPA.
I therefore respectfully dissent.
[FR Doc. 2012–31341 Filed 1–16–13; 8:45 am]
BILLING CODE 6750–01–P
406 This expanded definition of operator reverses
the Commission’s previous conclusion that the
appropriate test for determining an entity’s status as
an operator is to ‘‘look at the entity’s relationship
to the data collected,’’ using factors such as ‘‘who
owns and/or controls the information, who pays for
its collection and maintenance, the pre-existing
contractual relationships regarding collection and
maintenance of the information, and the role of the
Web site or online service in collecting and/or
maintaining the information (i.e., whether the site
participates in collection or is merely a conduit
through which the information flows to another
entity.)’’ Children’s Online Privacy Protection Rule
64 FR 59888, 59893, 59891 (Nov. 3, 1999) (final
rule).
407 Chevron v. Natural Resources Defense
Council, Inc., 467 U.S. 837, 842–43 (1984) (‘‘When
a court reviews an agency’s construction of the
statute which it administers, it is confronted with
two questions. First, always, is the question
whether Congress has directly spoken to the precise
question at issue. If the intent of Congress is clear,
that is the end of the matter; for the court, as well
as the agency, must give effect to the
unambiguously expressed intent of Congress.’’).

Appendix A