Before the Comments of June 11, 1999 Richard Bates Eric Aledort The Walt Disney Company Ronald L. Plesser I. INTRODUCTION AND SUMMARY The Walt Disney Company ("TWDC") and Infoseek Corporation welcome the opportunity to comment on the Federal Trade Commission’s proposed rules to implement the Children’s Online Privacy Protection Act of 1998 ("COPPA" or the "Act"). The Internet is like a large city: there are playgrounds, museums, and activities appropriate for families and "red light" districts offering uncensored adult-oriented content and activities. TWDC’s online business unit, Buena Vista Internet Group, and Infoseek Corporation’s GO Network have been at the forefront of promoting parental involvement in children’s online experiences, providing a family-friendly environment that encourages intelligent use of the Internet. The GO Network affiliated web sites (the "GO Sites") offer great family and child-oriented content with strong, clear parental controls particularly focused on our community applications. The GO Sites have established a clear registration pathway for users, further described below, that differentiates between children, teens, and adults. We emphasize two principles in commenting on the proposed regulations. First, we believe that, consistent with congressional intent in adopting COPPA, the Commission should promulgate rules that protect children without interfering with children’s interactive experiences on the Internet. Second, the final rules should not place unreasonable hurdles in the way of families and children seeking to find safe, child-friendly online environments. Making it harder for children to participate in environments that are specially designed and appropriate for them would have the perverse, unintended result of driving young users to other sites that are not child-friendly and do not have appropriate content for children, and in some cases may put children in psychological or physical jeopardy. This would be an odd way of implementing COPPA, and certainly would be at odds with the Act’s child protection goals. Finally, TWDC encourages the Commission both to follow through on its tentative conclusion to hold a workshop and to accept reply comments on the important, often complex issues raised in this rule making. II. CREATING A FAMILY-FRIENDLY ONLINE ENVIRONMENT TWDC has made major efforts to create family-friendly online environments in which children can learn and explore. After describing these efforts in some detail, we set forth specific comments regarding three major issues raised by the proposed COPPA regulations: (1) their failure thus far to specifically accept e-mail-based mechanisms without digital signatures for obtaining parental consent; (2) their specification of where a children’s privacy notice must be placed; and (3) their proposal to apply the Rules’ regulatory obligations retroactively to data collected prior to COPPA’s effective date. This section explains how the GO Sites operate and some of the reasons why we believe GO’s current policies fulfill the intent of the Act. We offer a number of services on the GO Sites, including e-mail, chat rooms, instant messaging, bulletin boards, multi-player games, and a family-friendly online subscription product known as "Disney’s Club Blast," which provides a wide array of games, stories, and activities for kids to enjoy. A. Our Data Collection Practices We believe that users should not be allowed to participate in certain activities on the GO Sites without establishing an account that provides a means to trace, and potentially hold responsible, a user’s online activity. In addition, some activities, such as online contests and creation of home pages, require the provision of minimal information for users to participate in the activity. When guests register on GO Sites to participate in interactive activities or contests, we divide the users into the following categories: ages 18 and over (adults), ages 13-17 (teens) and under 13 (children). When adults and teens register, a verification e-mail is sent to the guest confirming the information submitted and allowing the guest to remove his or her registration if he or she wishes (see attachment 1). For teens, a notification message is also sent to the parent, which identifies the information supplied at registration and allows the parent to participate in the member’s online experience (see attachment 2). For children, we collect information to enhance the interactive experience while taking precautions to protect any personal information provided. When children register, they are asked to provide non-intrusive information including: name, user name, password, e-mail address, birthday, gender (optional), parent’s e-mail address, and zip code (see attachment 3). We collect this information for specific reasons related to improving the child’s experience at our site. For example, we collect a name to personalize verification e-mails and to cooperate with law enforcement officials when necessary. We ask users to establish a user name that can be used to signify their presence when participating in our online activities. Passwords are created to protect users’ accounts and the information that the GO Sites collect and retain. We collect the user’s birth date to validate the user’s age bracket and to track the user into content that is specifically appropriate for his or her age and to customize the GO home page. The parent’s e-mail account is collected to send a verification e-mail. Zip codes are collected so users can receive local content on the GO home page, such as local weather. We never use the parent’s e-mail account for any purpose other than validating the child’s registration. When a child registers, the parent or guardian receives an e-mail communicating that registration and a verification request (see attachment 4). Without verification, the child cannot register/participate in certain interactive features that require registration, such as chat. If a registered child wins a contest, notification and prizes are sent to the parent or guardian. Currently, for Disney.com registrations, we receive a verification for only 38% of child registrations and significantly less for child registrants on our other sites. Making registration more difficult will further reduce our user base and may make the entire age verification system undesirable. Generally, users have the ability to change information that they supply. However, once a user has entered a birth date that indicates the user is under 13, the user cannot modify the account; only a person responding to the parental e-mail notification has that option. A cookie is placed on the computer of any child who registers with GO. Until the account is validated, the child is blocked from using any interactive application such as chat, bulletin boards, or creation of home pages. The cookie identifies the child’s age status for the interactive applications offered on the GO Sites. Children are restricted to certain chat areas and are prevented from accessing private chat rooms, unmoderated public chat rooms, or adult-oriented chats. In addition, GOguardian™ , described below, automatically filters out adult-related content in web searches performed anywhere on the GO Sites. B. Our Children Online Privacy and Safety Practices Both TWDC and Infoseek are committed to self-regulation and to providing consumers with appropriate protections for the collection of information. Indeed, TWDC is one of the founding members of the Online Privacy Alliance and sits on the board of the Better Business Bureau’s Children’s Advertising Review Unit (CARU). TWDC’s sites were some of the first to adopt the TRUSTe seal program, and the GO Sites are currently TRUSTe 3 certified and are in the process of obtaining TRUSTe 4.4 certification. We have taken a number of steps to help protect children while they are online. Since the Internet Summit: Focus on Children in December 1997, we have implemented a public awareness campaign on Internet safety. As part of that campaign, TWDC has created a series of CyberNetiquette Comics that instruct families on Internet safety. We provide prominent links to our Privacy Policy (see attachment 5) on all main pages of the GO Sites and to filtering technologies. As part of our privacy policy, no marketing material is ever sent to a child, and we do not share children’s information with third parties. As a further precaution, children are never listed in any member directory on any of the GO Sites. We are currently in the process of instituting a version of the "one click" program that will provide tools and information about online safety on all main pages of our GO Sites. In addition, the GO Sites offer children, or adult users who elect to turn it on, GOguardianÔ , a filtered Internet search engine that screens out inappropriate adult content. If an adult search query is entered when GOguardianÔ is turned off, an intermediate screen appears to warn users that they have requested adult material and that the search results may show sites that are offensive. This screen also affords users the opportunity to discontinue the search (see attachment 6). GOguardian is being improved so that it allows parents to set a password so that children cannot turn off the filtering. In addition, the Infoseek Ultraseek search technology contains a number of technical safeguards to ensure that search results accurately reflect a query. We believe these efforts and others that we take address the concerns of COPPA and fulfill the mandates of the Act: we obtain parental verification, we have prominently displayed privacy notices that comply with the TRUSTe seal program, and we make serious attempts to block children’s access to inappropriate, adult-oriented material. III. SPECIFIC COMMENTS ON THE PROPOSED COPPA RULES As noted above, our comments focus on the Commission’s proposals:
A. The Rules Should Explicitly Approve Continued Use of E-Mail for Parental Consent TWDC has filed joint comments with a number of other children’s content providers in response to Question 13’s inquiry regarding methods of consent. We address e-mail consent here because of its fundamental importance to our business model of family-friendly content. As explained above, TWDC relies extensively on e-mail-based mechanisms to secure parental approval for accounts opened by children. Without e-mail verification, a child cannot participate in our interactive activities. This system works well to empower parents to control their children’s online activities. Only 38% of parents validate child registrations at Disney.com under this system. However, we believe that the overall response rate indicates that the system works well as means for parents to express their choices with minimal effort. The NPRM, however, does not provide TWDC and similarly situated operators with clear guidance that this approach—or any other existing e-mail-based approach—will satisfy the COPPA rules. COPPA explicitly provides that verifiable parental consent means "any reasonable effort (taking into consideration available technology)" to obtain such consent. 15 U.S.C. § 6501(9) (emphasis added). Moreover, COPPA’s legislative history indicates that Congress specifically intended that the statute’s consent requirement "be interpreted flexibly, encompassing ‘reasonable effort’ and ‘taking into consideration available technology’" 144 Cong. Rec. S11657 (Oct. 7, 1998) (emphases added). Mechanisms, such as e-mail consent, that have been adopted and accepted in the marketplace by operators and parents alike under current technological conditions should be considered reasonable under this standard. Furthermore, Congress contemplated that at least some existing e-mail-based consent mechanisms would satisfy the Act until digital signatures become more commercially available. Indeed, in expressly creating an exception for the collection of "online contact information" in order to obtain parental consent, see 15 U.S.C. § 6502(b)(2)(B), Congress clearly envisioned that e-mail would play an important role in the statutory consent process. See also 144 Cong. Rec. S11657 ("‘Available technology’ can encompass other online and electronic methods of obtaining parental consent.") (emphases added). E-mail-based mechanisms are the most cost-effective, least disruptive means of obtaining parental consent. They enable operators to elicit verification of a child’s registration without the significant costs of operating toll-free fax or telephone numbers, staffing a data input center, and paying credit card verification charges. E-mail-based mechanisms enable children to participate in our protected areas within hours, not days, of registration. Furthermore, they satisfy the strong preference of Internet users to respond to inquiries regarding online activities conveniently over the Internet, without demanding disclosure of sensitive financial information such as credit card numbers, which nearly 75% of Internet users are very reluctant to disclose online. In short, taking into consideration available technology, e-mail consent is less expensive to implement, less likely to interfere with the online experience, and more likely to facilitate parental consent on a timely basis than any other consent mechanisms. As with most other consent mechanisms, e-mail-based mechanisms are not foolproof in ensuring that the person providing consent is the child’s parent. However, there are a number of reliable ways to augment the assurance provided by e-mail verification until technology developments enable operators to use digital signatures and other online consent methods. For example, a delayed e-mail approach—whereby a child’s registration would not be accepted until an e-mail, sent after a time delay (e.g., at night time), is received from a parent—would help ensure authenticity. Furthermore, an operator could send a confirming e-mail over the weekend following receipt of e-mail consent to give the parent an opportunity to respond if the consent was not supplied by a parent. At a minimum, the Commission should allow e-mail consent for sites and online services that do not disclose children’s information (as Question 14 suggests) and should exercise its discretion under the statute’s consent standard and safe harbor to allow e-mail consent for child-friendly sites, such as TWDC’s, that provide strong child safety protections. There is ample room for the Commission to apply a more relaxed consent standard in these circumstances. As discussed above, COPPA’s verifiable consent standard is extremely flexible. In addition, the safe harbor process set forth in 15 U.S.C. § 6503 gives the Commission additional discretion to tailor safe harbor approval to individual companies or groups of companies based upon their specific collection, use and disclosure practices. Furthermore, protecting child safety online is one of the primary purposes of the statute. Bryan Statement at S11657. Congressional intent would be turned on its head if the final rule created major obstacles to the sort of child safety system TWDC has established, which relies precisely upon collecting the age of child visitors to its sites in order better to protect their safety. B. The NPRM’s Notice Requirements Should Be Simplified COPPA requires affected web site operators to post privacy notices at their sites describing their practices in collecting, using, and disclosing personally identifiable information. 15 U.S.C. § 6502(b)(1)(A)(i). To implement this requirement, the Commission proposes enormously detailed regulations with an explanation that spans three single-spaced pages of the Federal Register. See 64 Fed. Reg. 22753-56. The Commission should shorten and simplify these regulations significantly. The proposed rules currently under consideration are overly proscriptive, contrary to sound established practices, and present practical problems in their application. First, as Question 8 of the NPRM appears to recognize, these rules are overly proscriptive in part because web site notices play a largely duplicative function under the Act. Parents receive notice directly—not through the operator’s web site—before providing consent, and in all but one of the exceptions to parental consent. See § 312.4(c) and 312.5(c)(1)-(4). Therefore, the Commission need not specify the placement of the notice. The privacy notice is primarily intended to educate parents about the practices at the site. It should be sufficient for a privacy notice to be posted in a prominent manner that is easy for an adult to find. 64 Fed. Reg. 22754 ("it is essential that such notices be prominent and easy to find"). TWDC is particularly concerned about proposed rule § 312.4(b)(ii) and (iii)’s highly intrusive requirement that both the home page and each page of collection display a link to privacy notice "without having to scroll down." This requirement is contrary to the established practice in the Internet industry of placing the link to the privacy notice prominently at the bottom of the page, along with copyright notices or links to other notices. This is where parents and other consumers have grown accustomed to look for it. At the very least, the link is made prominent by underlining the term "Privacy Policy" or contrasting it in a different color from other text. Others make it prominent by making it part of a seal (e.g., TRUSTe or BBBOnLine) or an icon (e.g., the-dma.org). CARU, TRUSTe, and BBBOnLine have all endorsed this approach. Finally, operators do not have complete control over where their privacy notice actually appears on an end user’s computer screen. Sites may look different when accessed through different browsers or different versions of the same browser. In addition, operators have no control over the browser settings that end users select for their browsers. These settings, which include font size, tool bar display, and other options, greatly affect the portion of a web site that can be viewed without scrolling. Furthermore, where a site is framed (with or without authorization of the originating operator), it occupies a smaller portion of the end user’s screen. By regulating in this area, the Commission would impose serious legal uncertainty and substantial compliance costs that are wholly unnecessary to protect children’s privacy or to fulfill the requirements of the statute. Therefore, the final rules should clarify that prominently placing the link to the privacy notice at the bottom of a web page is sufficient to protect privacy interests protected by COPPA. C. The Final Rules Should Not Apply to Data Collected Prior to COPPA’s Effective Date The NPRM indicates that the Commission will apply the rules to any use or disclosure of personally identifiable information collected prior to COPPA’s effective date. See 64 Fed. Reg. 22751. TWDC opposes the retroactive application of notice and consent obligations to information collected prior to COPPA’s promulgation. The rationale for retroactive application is that the proposed regulation "applies to the use or disclosure . . . not just collection" of information. Id. Yet, the statutory prohibition that provides the sole basis for the Commission’s rulemaking authority is aimed exclusively at sites that "collect personal information from a child." 15 U.S.C. § 6502(a). The NPRM posits a strained reading of the statute, which runs afoul of the presumption against retroactive application of legislation. As the Supreme Court held in Landgraf v. USI Film Products, 114 S. Ct. 1483 (1994), a statute has retroactive effect if "it would impair rights a party possessed when he acted, increase a party’s liability for past conduct, or impose new duties with respect to transactions already completed." Id. at 1505. The proposed rule would impair operators’ rights to use and disclose information which they possessed at the time of collection, and would impose new duties with respect to collection transactions that have already occurred (duties that can only be fulfilled if operators separate out data collected online from children and obtain parental contact information up front). In such circumstances, Congress must expressly state its intent that the statute apply retroactively. It has not done so. The proposal also underestimates the severe difficulties associated with requiring consent for information already collected. A requirement to re-contact and verify old accounts and the likelihood of success would be costly and ineffective. We also believe that since TWDC has had an appropriate registration pathway for children for many years, this would be unnecessary. At a minimum, to address the serious burden to well-intentioned operators that would caused by lack of fair warning of the requirements of the rule, personal information collected prior to COPPA’s effective date by operators in compliance with an existing self-regulatory regime—such as CARU or the OPA Guidelines—should be grandfathered and those operators exempted from obtaining verifiable consent from parents for this data. IV. CONCLUSION For the foregoing reasons, TWDC asks the Commission to: (1) expressly provide that e-mail-based consent methods that do not include digital signatures satisfy the verifiable parental consent requirement under the rules; (2) clarify that hyperlinks to privacy notices may be placed in any prominent location on the site; and (3) provide that the requirements of the rule do not apply to information collected before the effective date. |