Parry Aftab, Esq.
June 11, 1999
RE: Children's Online Privacy Protection Rule -- Comment, P9945904
As a parents' and online safety advocate and author of the book, A Parents' Guide to the Internet . . . and how to protect your children in cyberspace (as well as the new book, The Parents' Guide to Protecting Children in Cyberspace, to be released by McGraw-Hill this October for parents and teachers), I submit these comments regarding the Federal Trade Commission's Notice of Proposed Rulemaking to implement the Children's Online Privacy Protection Act of 1998.
While many advocacy groups and child advocates have been very concerned about online safety and inappropriate content, many have been slower to recognize the issue of online privacy. I recognized the seriousness of online privacy and advertising practices in late 1996. From my weekly speaking engagements to parents around the country, I have heard first hand how many see this as the most significant issue we face with children online. Parents are very concerned with privacy issues. Recent studies conducted by Jupiter Communications disclose that parents are more concerned about privacy and advertising practices than anything else when their children=s Internet access is concerned. This survey is confirmed by the thousands of e-mails and other correspondence I receive from parents each week.
Yet, while privacy and safety are paramount, parents also want their children to have an easy surfing experience, without having to wait the time involved with the collection of offline snail mail consent. They want to be able to use e-mail to correspond with a site and to provide consent for their child. They also understand that children have been forging parental notes since the beginning of time. They don=t see the problem with permitting online consent to be given.
Thus, the rules should be as comprehensive as possible under COPPA to ensure that the policies behind the Act and the Rule are fully implemented, yet flexible enough to permit online consent. While I join in the comments submitted by Aftab & Savitt, P.C. (my cyberlaw firm), I have additional comments in my role as a parent and child online safety advocate. Accordingly, please note the following comments:
Response to Question 1 -- General Question
DEFINITION SECTION -- 312.1
Definition (c) under Acollects or collection@ is limited to the use of any identifying code linked to an Aindividual.@
SECTION 312.4 -- NOTICE
(This is also in response to Question 5(b), re the content of online notices). Section 312.4(a) states that all notices must be Aclearly and understandably written.@ Since children are going to be the first people to see the online notices in many instances, it makes sense for the Rule to require that at least some parts of the notice be written clearly and understandably for children, not just for adults. Differing age-appropriate disclosures should be considered as well, so that twelve year olds don=t have to be limited to the level of disclosure appropriate for a seven year old.
(This is also in response to Question 5, re the placement of online notices). Section 312.4(b) states that online notices must be placed Aon the home page of its website@ and further requires that it be placed Asuch that a typical visitor to the home page can see the link without having to scroll down.@ There is no definition of Atypical@ and no definition of Ahome page.@ The Rule should define home page as the first page of the website. The Rule can then define the size of the minimum screen monitor that a Atypical@ visitor would be using. (Internet device technology, such as WebTV, as well as 14 inch monitors in a world of 24 inch monitors creates a problem in this regard.) Some sites are designed using actual sizes of images, rather than percentages of the screen. This may create design problems for many webmasters. Perhaps simply requiring that the link be placed in the top __ inches (or top X%) of the shot of the first page of the site and prominently at each place within the site where personal information is collected would suffice.
SECTION 312.5 -- PARENTAL CONSENT
(This is also in response to Question 11, re the requirement that new notices be sent to parents in certain circumstances). 312.5(a)(1) requires that, consistent with the statutory directive, new notice and consent are required for personal information not covered by a previous consent. The Rule should provide that an operator may give parents the option to execute a clear, blanket approval for all specified collection, use or disclosure. This would be desirable, since it would be burdensome for new consent forms to be transmitted, for example, whenever there is Aa merger or other corporate combination involving existing operators or third parties,@ as mentioned in the commentary to Rule 312.4(c), or other changes in the collection, use or disclosure of personal information. Thus, the Rule should clearly give parents the option of providing a broad consent, provided that they have received adequate disclosure therefor. Parents want to be asked about how their children=s information will be used, but need not approve every minor change. If they are required to approve all such changes, they would like to use an online consent mechanism. They are very interested in confirming their e-mail address in any mandated offline consent, so all subsequent consents and notices can be provided online using such e-mail. Many parents have suggested that they provide AOL or other service which uses a master account with certain information which can be used to verify them as the parents of the children in question, and their designated e-mail address for the purposes of providing online (rather than offline) consent.
As schools begin to add new programs, many are contracting with websites and online services on behalf of their students. Class-wide participation that also permits a child to access the program from home or community access centers, such as libraries or tech centers creates a special problem. These programs often require registration, and personally identifiable information. Do they have to comply with parental notices and parental consents if they are working with schools? Can the school obtain a blanket consent form the parent in connection with these programs which would exempt them from the individual consent/notice requirement?
The Notice to Parents requirements are confusing to parents. Most parents do not appear concerned about the sites contacting their children directly using e-mail. They believe that the delay in obtaining their reply may be frustrating to their children. In any event, they want a streamlined process that permits an online reply.
Under COPPA and the Rule, operators are not permitted to maintain names and online contact information Ain retrievable form@ without consent. Practically, what should the website operator do if the child sends a second request for certain information within that time frame? For example, at a homework helper section of the site a child submits a question. The site responds with the answer, and notice is sent to the parent. The child then submits either a follow-up question or a new one. Should the website ignore the child? Should they tell the child that they can=t respond until the parent has had a chance to reply? If so, they have broken the one-e-mail rule by sending such notice. And what about collecting the child=s e-mail in a database for the purposes of preventing the second e-mail from being sent? Does that violate the collection and use rules?
(This is also in response to Question 19, re the exception from consent when a child's safety is at issue). 312.5(c)(4) permits an operator to collect certain personal information from a child Ato the extent reasonably necessary to protect the safety of a child participant.@ This language is consistent with the statute, and serves the broad purpose of protecting children. But what happens when a child alleges abuse by a parent at a site? Is this covered by the exception, or does that site send notice to the very person who is alleged to have abused the child?
Response to Question 17(b)
This question proposes that operators be required to maintain a Ado-not-contact@ list. We note that in order to implement this proposal, a parent would have to consent to be included on such a list: Under COPPA and the Rule, operators are not permitted to maintain names and online contact information Ain retrievable form@ without consent. Thus, any such list would almost surely be incomplete. Operators should be permitted to maintain such a list at their option and only after obtaining parental consent, but the maintenance of such a list should not be a requirement given the Act's prohibition and the resulting incomplete nature of any such list.
Response to Question 18
This question asks, AAre there circumstances that would necessitate the collection of the child's online contact information rather than the parent's?@ Parents may not have online contact information. A child's sole access to the Internet could be through a school, library or community group. Even if the child has Internet access at home, the parent may not have set up an e-mail account for him- or herself. Thus, operators must be permitted to obtain a child's online contact information. This also applies when allegations of abuse are made, and the site needs to be able to reach the child directly.
Essentially, parents aren=t happy about the offline consent requirement, unless their children have community rather than home access and the parent is not online. Otherwise they see it as an unnecessary measure. They frequently recount stories of children forging notes and pretending to be their parents on the phone. They see this as no different.
This issue of quick and easy access to sites when the parent approves is a key issue for parents. They see offline consent as delaying the quick access the Internet permits. Perhaps using innovations of existing technology, by linking school programs with parents to verify parental online identity for both access to their children=s personal information files and for consent purposes is the answer. The National PTA and other school/parent groups can work to design a simple system that gives parents and their children a matched pair of digital signatures, which are confirmed by the schools, and when activated used to embed fixed blanket consents and access information. I have envisioned such a system for the past few years, and would be happy to assist in its creation.
Parents have also complimented the FTC on its informative site, but want more information, generally, about this issue in plain terms that non-techies can understand. They also want offline information for parents who do not have Internet access, and in Spanish for those who do not speak English as a primary language.
I remain, as always, anxious to work with you in helping develop online rules that work and meet parents', children's and the Internet industry=s concerns.
Very truly yours,