AFTAB & SAVITT, P.C.
A Professional Corporation
Counsellors at Law
The Atrium
East 80 Route 4
Paramus, New Jersey 07652
(201) 845-0100
Fax (201) 845-6688
77 West 55th Street, Suite 5F
New York, New York 10019
(212) 944-0500
Fax (212) 944-0054
Moscow Office:
M. Poluyaroslavsky Per. 3/5
Moscow 107120
70-95-916-1248
E-Mail: parry@aftab.com
Website: http://www.aftab.com
nancy@aftab.com
Reply to: New Jersey
June 11, 1999
Via E-Mail
Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue
Washington, D.C. 20580
RE: Children's Online Privacy Protection Rule -- Comment, P9945904
This firm is a cyberlaw boutique that only represents web
business. Our particular focus is on the children's
web industry. We represent many members of the child Internet industry, which range in
size from some of the largest and most popular sites to some of the smallest as well as
start-ups. As such, we submit these comments regarding the Federal Trade Commission's
Notice of Proposed Rulemaking to implement the Children's Online Privacy Protection Act of
1998 ("COPPA").
While Parry Aftab (a principal of this firm) is in her own right a child safety and
privacy advocate (and author of the book, A Parents'
Guide to the Internet), as well as Executive Director of Cyberangels, this comment is
limited to this firm's concerns, rather than Ms.
Aftab's concerns in other capacities. A separate
comment will be submitted by her, in her various other capacities, to address those
concerns.
Our chief concern is that the rules be as clear as possible so that
websites that are covered by them understand what is covered and what actions they must
take to comply with COPPA. While our clients have the benefit of counsel in these matters,
many children's sites are run by small
organizations that may not have access to cyberlawyers to answer their questions. Thus,
the rules should be intelligible to non-lawyers and non-cyberspace specialists as well.
We believe that regulation of chat room conversations needs to be more
clearly set forth. Since the operators of websites do not control the posting or
dissemination of information children may post in a chat room, it may not be apparent to
website operators that such postings are intended to be covered by the regulations.
In addition, the Rule needs to be clarified to define precisely which
operators are subject to its restrictions. Terms such as "maintenance"
of personal information and "commercial website" require comprehensive definitions so that those
subject to the Rule have clear notice of that fact.
Accordingly, we make the following comments:
Response to Question 1 -- General Question
DEFINITION SECTION -- 312.1
While the Act and the Rule cover the "collection," "use," "maintenance" and "disclosure" of personal information, only "disclosure"
is defined in the Act, and only "collection" and "disclosure"
are defined in the Rule. The Rule should define the other terms as well. (For example, "maintains"
is used in the definition of "operator" and "use" is used in the definition of "verifiable consent".)
The definition of "collects or
collection" should be clarified. In particular,
subsection (b) of the definition uses the defined term within the definition itself,
stating that "collection" means "collection
using a chat room, message board, or other public posting." The use of the defined term in such a manner is
confusing, and, more importantly, does not give clear notice to the websites what
particular action is being described. Assuming that the Commission means to reach the
voluntary posting by a child of personal information, we suggest that this definition
state: "personal information publicly posted in
a chat room, message board, a personal home page posted on a website or online service, or
other public posting of such information, with or without the invitation or request of the
website or online service." We further suggest,
for clarity and completeness, that the Commission state the conditions, if any, under
which participation in a chat room is permissible without parental consent (e.g.,
time-delayed, pre-screened, ephemeral (not retained) chats).
The definition of "disclosure," subsection (b), also relates to chat rooms. As
currently drafted, there seems to be no difference between the "collection"
and the "disclosure" of covered information, since (either under the
current definition or the revised one suggested above), chat room "collection"
is defined as information that is publicly posted, which seems to be identical to the
definition of "disclosure" in this context. If in fact, in this instance, the
collection and the disclosure are one and the same thing, that needs to be made clear. If
there are distinctions -- for example, if the Commission intends to permit time-delayed or
pre-screened chats -- this should be clarified. We also note that this section defines "disclosure"
to include the public posting of personal information through a pen-pal service or an
electronic mail service. The Rule should clarify whether parental consent is required for
participation in such services in all circumstances, or only when the e-mail or pen-pal
communications or identities are publicly posted rather than being limited to their
intended, private, recipients. In either event, the definition of "collection"
needs to be amended to include the activities the Commission intends to reach with respect
to pen-pal and e-mail services.
The definition of "online
contact information" should be expanded to
expressly include screen names in channels, such as ICQ and instant messaging user
identifiers. These are being used more and more frequently as the mechanisms for
communicating online.
(This is also in response to Question 3(a), re: the definition of
operator). The definition of "operator" is not sufficiently clear to provide unambiguous
notice as to who is covered by the Rule, in the following respects:
An operator is defined as one who "maintains" personal information, as distinct from one who "collects"
such information, yet "maintains" is never defined in the Rule. In order to provide
notice to those covered by the Rule, "maintains" must be defined.
The definition of operator is limited to websites and services operated
for "commercial purposes," yet that term is not defined in the Rule. In order
to provide notice to those covered by the Rule, "commercial
purposes" must be defined.
The language immediately following the phrase "commercial purposes"
in the definition begins with "including any
person . . ." By using the word "including,"
the definition may be construed as being less than comprehensive (although it is better
than the alternative "including, without
limitation"). In order to provide notice to
those covered by the Rule, the word "including" should be deleted and/or an expressly comprehensive
definition should be drafted.
The definition of "operator," subsection (c), excludes from its coverage "any nonprofit entity that would otherwise be exempt
from coverage under section 5 of the Federal Trade Commission Act." This exemption must be further defined in the Rule,
so as to give clear notice to nonprofit entities of whether they are subject to the Rule
or not. Many such entities do not have regular counsel to research the law and cases under
the FTC Act, and only know whether they are a 501(c)(3) entity or not. If the exemption is
not co-extensive with the 501(c)(3) designation, many websites may unknowingly subject
themselves to liability. Thus, the Rule should more particularly define the nonprofits
that are excluded from coverage and/or those that are included by reference to something
smaller non-profits may understand.
The definition of "personal
information" in the Rule should not contain the
phrase "collected online." While we are aware that this phrase is taken
directly from the COPPA, it nevertheless creates a circular definition, since the Rule
defines "collection" in terms of what it does with "personal information." Instead, the definition should simply begin, "Personal information means individually identifiable
information about an individual, including:"
(This is also in response to Question 4, re the definition of
personal information). The definition within personal information should expressly
include "online contact information" as defined in the Rule (with the modification
suggested herein above), since that might be different from an e-mail address.
The Rule defines "third party" as a person who is not "an operator with respect to the collection of
personal information." Since an "operator"
is defined as someone who either "collects" or "maintains" personal information, the Rule, in addition to
defining "maintains" as noted above, needs to amend this definition to
state that a "third party" also includes a person who is not an operator with
respect to the "maintenance" of personal information -- or, explain where an
operator with respect to the maintenance of such information falls within the regulatory
scheme.
The definition of "website or
online service directed to children" uses the
language of COPPA in referring to "a commercial
website." The Rule should define "commercial website,"
and clarify whether it is identical to a website or online service operated for commercial
purposes referred to in the definition of "operator" (and defined as suggested above in the discussion of
the definition of "operator").
SECTION 312.4 -- NOTICE
The commentary to section 312.4(b)(2)(ii), together with the provisions of
section 312.6, raise a potential ambiguity in the Rule regarding the definition of
personal information. The commentary notes that operators must list the types of personal
information collected, and gives as examples "hobbies
and investment information." Similarly, section
312.6(a)(1) states that operators must give parents descriptions of the types of personal
information collected, including "hobbies and
extracurricular activities." Our reading of the
Rule is that this information is not personal information unless it falls under subsection
(g) of the definition of personal information, i.e., "information
concerning the child or parents of the child that the operator collects online from the
child and combines with an identifier described in this paragraph." If such information is not combined with a defined
identifier, our understanding is an operator would be free to collect such information for
aggregate purposes or marketing profiles of the website's traffic. Language should be
added to the Rule to resolve this ambiguity and put operators on clear notice of what they
can and cannot collect without prior parental consent.
Rule 312.4(b)(2)(iii) illustrates the need for definitions of "use" and
chat-room related collection as discussed earlier in this submission. Under this
subsection, an operator must give notice concerning how personal information collected
from children "is or may be used by the
operator, including . . . making it publicly available through a chat room or by other
means." This language may lead an operator to
believe that it has to do something affirmative to "use" the information or to "make it"
available, other than just providing the service itself. To avoid any ambiguity, we
suggest that the clearer language from the commentary -- "the operator must clearly state that the operator
permits a child to engage in interactive activities that enable a child to publicly reveal
his or her personal information, e.g., a chat room, message board, e-mail service, instant
message or personal home page" -- be used in the
Rule.
Rule 312.4(b)(2)(iv) needs the addition of the phrase "collected from children" after the words "personal
information." Since the definition of personal
information is not limited to children, this subsection needs to be made to conform with
the remainder of 312.4 and the Rule in its entirety and clearly be limited to "personal information collected from children."
SECTION 312.5 -- PARENTAL CONSENT
(This is also in response to Question 11, re the requirement that
new notices be sent to parents in certain circumstances). 312.5(a)(1) requires
that, consistent with the statutory directive, new notice and consent are required for
personal information not covered by a previous consent. The Rule should provide that an
operator may give parents the option to execute a clear, blanket approval for all
specified collection, use or disclosure. This would be desirable, since it would be
burdensome for new consent forms to be transmitted, for example, whenever there is "a merger or other corporate combination involving
existing operators or third parties," as
mentioned in the commentary to Rule 312.4(c), or other changes in the collection, use or
disclosure of personal information. Thus, the Rule should clearly give operators -- and
parents -- the option of using consent forms that cover future changes in the collection,
use or disclosure of personal information collected from children, providing that they are
clearly intended to give parents an informed consent. For example, "X site cares about your child's privacy and protecting their personal information.
If you consent, we may share your child's name
and address with our advertisers. They would be using this information to send your family
catalogues which contain items of interest to your child. They may also use this
information to provide you with special offers and notices of certain promotions. While
our advertisers may change from time to time, we always use our strict standards to make
sure that they have your child's best interests
at heart." This type of blanket consent should
permit the site to share the information with the generic category of advertisers for the
myriad of reasons disclosed, even if they change from time to time. Material changes in
types of use can be covered by a new consent.
As schools begin to add new programs, many are contracting with websites
and online services on behalf of their students. Class-wide participation that also
permits a child to access the program from home or community access centers, such as
libraries or tech centers creates a special problem. These programs often require
registration, and personally identifiable information. Do they have to comply with
parental notices and parental consents if they are working with schools? Can the school
obtain a blanket consent from the parent in connection with these programs which would
exempt them from the individual consent/notice requirement?
The Notice to Parents requirements may be confusing to an operator, and
parts of the Rule seem to be inconsistent with the limitations on collecting personal
information without parental consent. Specifically, under the Rule, 312.5(c)(1), an
operator may collect from a child prior to obtaining parental consent only the name and
online contact information of a parent or child. Thus, prior to obtaining any such
consent, the operator will have no way to obtain offline contact information. However, the
commentary to 312.4(c), describing the efforts operators may make to ensure that parents
receive the notice, states that reasonable efforts include "sending the notice by postal mail." The text of Rule 312.5(c)(3) brings this
inconsistency to the fore, stating that operators may send parental notice in the
circumstances covered by that section "by postal
mail." How can these methods be acceptable if
the operator is precluded from obtaining the information necessary to transmit the notice
by offline means? This is a problem since, given the number of parents not actively
online, postal notification may be the only way to reach the parent (especially when many
children access the Internet only from a library or other public access).
In addition, under 312.5(c)(3), the operator is prohibited from "sending an e-mail to the child." Since, as the commentary to section 312.5(c) notes, "[i]n many instances the child's e-mail address may be
the same as the parent's," 312.5(c)(3) must be
amended to provide that the prohibition of "sending
an e-mail to the child," does not include
sending an e-mail to the child's e-mail address if that address is also the parent's
e-mail address.
Section 312.5(c)(3) also needs to be clarified regarding when an operator
may make an additional response to a child. Under the Rule, the operator needs to take
reasonable efforts to give the parent notice and the opportunity to deny further contact
before making an additional response to the child. However, operators need to know how
long they must wait after giving notice before they may respond again to the child. This
time limit should be set forth expressly, e.g., "An
operator need not wait longer than ___ days from the sending of the notice before making
an additional response to the child."
Under COPPA and the Rule, operators are not permitted to maintain
names and online contact information "in
retrievable form" without consent. Practically,
what should the website operator do if the child sends a second request for certain
information within that time frame? For example, at a homework helper section of the site
a child submits a question. The site responds with the answer, and notice is sent to the
parent. The child then submits either a follow-up question or a new one. Should the
website ignore the child? Should they tell the child that they can't respond until the parent has had a chance to reply?
If so, they have broken the one-e-mail-rule by sending such notice. And what about
collecting the child's e-mail in a database for
the purposes of preventing the second e-mail from being sent? Does that violate the
collection and use rules?
Response to Question 13(g)
This question asks what other methods can be used to give parents notice.
For those children who have access through a parent's account, that
parent's account can be used to provide verifiable parental consent. ISPs and online
services typically set up a "master account" whenever a person sets up an account, requiring that
person to provide, among other items, credit card information. The operators can verify
with the ISPs that the e-mail address they are using for parental notification is the
master account address, and they will then have assurance that the consent they are
receiving is from the parent's master account.
Another method, which would have to be developed with existing technology,
is the certification of offline entities to verify digital signatures so that schools
could run Internet programs with their students and know the parameters of each student's
parental consent. For example, such an entity could work with a school system to pair
parents and children with offline verification that can use embedded digital signature
technology to pre-clear children when they want to participate in a particular program.
When schools sign on for the program, they would arrange for the parents to sign on, and
get digital signatures for them and the children, and the schools could verify the
identity of each and the ages of the children. Each signature would identify the identity
of the user and the parameters of parental consent (e.g., children's signature would
reveal their age and whether they are permitted to participate in chat rooms, etc.). With
these signatures, operators can verify who the parent is, and the schools would not have
to seek separate consent for each online activity, since they would already have obtained
pre-clearance from the parents, and would have that global information for each child.
This system would have the added benefit of ensuring that "children-only"
chats and other related programs can truly be limited to just children.
Response to Question 17(b)
This question proposes that operators be required to maintain a "do-not-contact"
list. We note that in order to implement this proposal, a parent would have to consent to
be included on such a list: Under COPPA and the Rule, operators are not permitted to
maintain names and online contact information "in
retrievable form" without consent. Thus, any
such list would almost surely be incomplete. Operators should be permitted to maintain
such a list at their option and only after obtaining parental consent, but the maintenance
of such a list should not be a requirement given the Act's prohibition and the resulting
incomplete nature of any such list.
Response to Question 18
This question asks, "Are there
circumstances that would necessitate the collection of the child's online contact
information rather than the parent's?" Parents
may not have online contact information. A child's sole access to the Internet could be
through a school, library or community group. Even if the child has Internet access at
home, the parent may not have set up an e-mail account for him- or herself. Thus,
operators must be permitted to obtain a child's online contact information.
We remain, as always, anxious to work with you in helping develop online
rules that work and meet parents', children's and the Internet industry's concerns.
Very truly yours,
PARRY AFTAB, ESQ.
NANCY L. SAVITT, ESQ.
NLS/es