June 11, 1999
The Walt Disney Company
Ronald L. Plesser
I. INTRODUCTION AND SUMMARY
The Walt Disney Company ("TWDC") and Infoseek Corporation welcome the opportunity to comment on the Federal Trade Commissions proposed rules to implement the Childrens Online Privacy Protection Act of 1998 ("COPPA" or the "Act").
The Internet is like a large city: there are playgrounds, museums, and activities appropriate for families and "red light" districts offering uncensored adult-oriented content and activities. TWDCs online business unit, Buena Vista Internet Group, and Infoseek Corporations GO Network have been at the forefront of promoting parental involvement in childrens online experiences, providing a family-friendly environment that encourages intelligent use of the Internet. The GO Network affiliated web sites (the "GO Sites") offer great family and child-oriented content with strong, clear parental controls particularly focused on our community applications. The GO Sites have established a clear registration pathway for users, further described below, that differentiates between children, teens, and adults.
We emphasize two principles in commenting on the proposed regulations. First, we believe that, consistent with congressional intent in adopting COPPA, the Commission should promulgate rules that protect children without interfering with childrens interactive experiences on the Internet.
Second, the final rules should not place unreasonable hurdles in the way of families and children seeking to find safe, child-friendly online environments. Making it harder for children to participate in environments that are specially designed and appropriate for them would have the perverse, unintended result of driving young users to other sites that are not child-friendly and do not have appropriate content for children, and in some cases may put children in psychological or physical jeopardy. This would be an odd way of implementing COPPA, and certainly would be at odds with the Acts child protection goals.
Finally, TWDC encourages the Commission both to follow through on its tentative conclusion to hold a workshop and to accept reply comments on the important, often complex issues raised in this rule making.
II. CREATING A FAMILY-FRIENDLY ONLINE ENVIRONMENT
TWDC has made major efforts to create family-friendly online environments in which children can learn and explore. After describing these efforts in some detail, we set forth specific comments regarding three major issues raised by the proposed COPPA regulations: (1) their failure thus far to specifically accept e-mail-based mechanisms without digital signatures for obtaining parental consent; (2) their specification of where a childrens privacy notice must be placed; and (3) their proposal to apply the Rules regulatory obligations retroactively to data collected prior to COPPAs effective date.
This section explains how the GO Sites operate and some of the reasons why we believe GOs current policies fulfill the intent of the Act. We offer a number of services on the GO Sites, including e-mail, chat rooms, instant messaging, bulletin boards, multi-player games, and a family-friendly online subscription product known as "Disneys Club Blast," which provides a wide array of games, stories, and activities for kids to enjoy.
A. Our Data Collection Practices
We believe that users should not be allowed to participate in certain activities on the GO Sites without establishing an account that provides a means to trace, and potentially hold responsible, a users online activity. In addition, some activities, such as online contests and creation of home pages, require the provision of minimal information for users to participate in the activity. When guests register on GO Sites to participate in interactive activities or contests, we divide the users into the following categories: ages 18 and over (adults), ages 13-17 (teens) and under 13 (children). When adults and teens register, a verification e-mail is sent to the guest confirming the information submitted and allowing the guest to remove his or her registration if he or she wishes (see attachment 1). For teens, a notification message is also sent to the parent, which identifies the information supplied at registration and allows the parent to participate in the members online experience (see attachment 2).
For children, we collect information to enhance the interactive experience while taking precautions to protect any personal information provided. When children register, they are asked to provide non-intrusive information including: name, user name, password, e-mail address, birthday, gender (optional), parents e-mail address, and zip code (see attachment 3). We collect this information for specific reasons related to improving the childs experience at our site. For example, we collect a name to personalize verification e-mails and to cooperate with law enforcement officials when necessary. We ask users to establish a user name that can be used to signify their presence when participating in our online activities. Passwords are created to protect users accounts and the information that the GO Sites collect and retain. We collect the users birth date to validate the users age bracket and to track the user into content that is specifically appropriate for his or her age and to customize the GO home page. The parents e-mail account is collected to send a verification e-mail. Zip codes are collected so users can receive local content on the GO home page, such as local weather. We never use the parents e-mail account for any purpose other than validating the childs registration.
When a child registers, the parent or guardian receives an e-mail communicating that registration and a verification request (see attachment 4). Without verification, the child cannot register/participate in certain interactive features that require registration, such as chat. If a registered child wins a contest, notification and prizes are sent to the parent or guardian. Currently, for Disney.com registrations, we receive a verification for only 38% of child registrations and significantly less for child registrants on our other sites. Making registration more difficult will further reduce our user base and may make the entire age verification system undesirable.
Generally, users have the ability to change information that they supply. However, once a user has entered a birth date that indicates the user is under 13, the user cannot modify the account; only a person responding to the parental e-mail notification has that option.
A cookie is placed on the computer of any child who registers with GO. Until the account is validated, the child is blocked from using any interactive application such as chat, bulletin boards, or creation of home pages. The cookie identifies the childs age status for the interactive applications offered on the GO Sites. Children are restricted to certain chat areas and are prevented from accessing private chat rooms, unmoderated public chat rooms, or adult-oriented chats. In addition, GOguardian , described below, automatically filters out adult-related content in web searches performed anywhere on the GO Sites.
B. Our Children Online Privacy and Safety Practices
Both TWDC and Infoseek are committed to self-regulation and to providing consumers with appropriate protections for the collection of information. Indeed, TWDC is one of the founding members of the Online Privacy Alliance and sits on the board of the Better Business Bureaus Childrens Advertising Review Unit (CARU). TWDCs sites were some of the first to adopt the TRUSTe seal program, and the GO Sites are currently TRUSTe 3 certified and are in the process of obtaining TRUSTe 4.4 certification.
In addition, the GO Sites offer children, or adult users who elect to turn it on, GOguardianÔ , a filtered Internet search engine that screens out inappropriate adult content. If an adult search query is entered when GOguardianÔ is turned off, an intermediate screen appears to warn users that they have requested adult material and that the search results may show sites that are offensive. This screen also affords users the opportunity to discontinue the search (see attachment 6). GOguardian is being improved so that it allows parents to set a password so that children cannot turn off the filtering. In addition, the Infoseek Ultraseek search technology contains a number of technical safeguards to ensure that search results accurately reflect a query.
We believe these efforts and others that we take address the concerns of COPPA and fulfill the mandates of the Act: we obtain parental verification, we have prominently displayed privacy notices that comply with the TRUSTe seal program, and we make serious attempts to block childrens access to inappropriate, adult-oriented material.
III. SPECIFIC COMMENTS ON THE PROPOSED COPPA RULES
As noted above, our comments focus on the Commissions proposals:
A. The Rules Should Explicitly Approve Continued Use of E-Mail for Parental Consent
TWDC has filed joint comments with a number of other childrens content providers in response to Question 13s inquiry regarding methods of consent. We address e-mail consent here because of its fundamental importance to our business model of family-friendly content.
As explained above, TWDC relies extensively on e-mail-based mechanisms to secure parental approval for accounts opened by children. Without e-mail verification, a child cannot participate in our interactive activities. This system works well to empower parents to control their childrens online activities. Only 38% of parents validate child registrations at Disney.com under this system. However, we believe that the overall response rate indicates that the system works well as means for parents to express their choices with minimal effort.
The NPRM, however, does not provide TWDC and similarly situated operators with clear guidance that this approachor any other existing e-mail-based approachwill satisfy the COPPA rules. COPPA explicitly provides that verifiable parental consent means "any reasonable effort (taking into consideration available technology)" to obtain such consent. 15 U.S.C. § 6501(9) (emphasis added). Moreover, COPPAs legislative history indicates that Congress specifically intended that the statutes consent requirement "be interpreted flexibly, encompassing reasonable effort and taking into consideration available technology" 144 Cong. Rec. S11657 (Oct. 7, 1998) (emphases added). Mechanisms, such as e-mail consent, that have been adopted and accepted in the marketplace by operators and parents alike under current technological conditions should be considered reasonable under this standard.
Furthermore, Congress contemplated that at least some existing e-mail-based consent mechanisms would satisfy the Act until digital signatures become more commercially available. Indeed, in expressly creating an exception for the collection of "online contact information" in order to obtain parental consent, see 15 U.S.C. § 6502(b)(2)(B), Congress clearly envisioned that e-mail would play an important role in the statutory consent process. See also 144 Cong. Rec. S11657 ("Available technology can encompass other online and electronic methods of obtaining parental consent.") (emphases added).
E-mail-based mechanisms are the most cost-effective, least disruptive means of obtaining parental consent. They enable operators to elicit verification of a childs registration without the significant costs of operating toll-free fax or telephone numbers, staffing a data input center, and paying credit card verification charges. E-mail-based mechanisms enable children to participate in our protected areas within hours, not days, of registration. Furthermore, they satisfy the strong preference of Internet users to respond to inquiries regarding online activities conveniently over the Internet, without demanding disclosure of sensitive financial information such as credit card numbers, which nearly 75% of Internet users are very reluctant to disclose online. In short, taking into consideration available technology, e-mail consent is less expensive to implement, less likely to interfere with the online experience, and more likely to facilitate parental consent on a timely basis than any other consent mechanisms.
As with most other consent mechanisms, e-mail-based mechanisms are not foolproof in ensuring that the person providing consent is the childs parent. However, there are a number of reliable ways to augment the assurance provided by e-mail verification until technology developments enable operators to use digital signatures and other online consent methods. For example, a delayed e-mail approachwhereby a childs registration would not be accepted until an e-mail, sent after a time delay (e.g., at night time), is received from a parentwould help ensure authenticity. Furthermore, an operator could send a confirming e-mail over the weekend following receipt of e-mail consent to give the parent an opportunity to respond if the consent was not supplied by a parent.
At a minimum, the Commission should allow e-mail consent for sites and online services that do not disclose childrens information (as Question 14 suggests) and should exercise its discretion under the statutes consent standard and safe harbor to allow e-mail consent for child-friendly sites, such as TWDCs, that provide strong child safety protections.
There is ample room for the Commission to apply a more relaxed consent standard in these circumstances. As discussed above, COPPAs verifiable consent standard is extremely flexible. In addition, the safe harbor process set forth in 15 U.S.C. § 6503 gives the Commission additional discretion to tailor safe harbor approval to individual companies or groups of companies based upon their specific collection, use and disclosure practices. Furthermore, protecting child safety online is one of the primary purposes of the statute. Bryan Statement at S11657. Congressional intent would be turned on its head if the final rule created major obstacles to the sort of child safety system TWDC has established, which relies precisely upon collecting the age of child visitors to its sites in order better to protect their safety.
B. The NPRMs Notice Requirements Should Be Simplified
COPPA requires affected web site operators to post privacy notices at their sites describing their practices in collecting, using, and disclosing personally identifiable information. 15 U.S.C. § 6502(b)(1)(A)(i). To implement this requirement, the Commission proposes enormously detailed regulations with an explanation that spans three single-spaced pages of the Federal Register. See 64 Fed. Reg. 22753-56. The Commission should shorten and simplify these regulations significantly. The proposed rules currently under consideration are overly proscriptive, contrary to sound established practices, and present practical problems in their application.
First, as Question 8 of the NPRM appears to recognize, these rules are overly proscriptive in part because web site notices play a largely duplicative function under the Act. Parents receive notice directlynot through the operators web sitebefore providing consent, and in all but one of the exceptions to parental consent. See § 312.4(c) and 312.5(c)(1)-(4). Therefore, the Commission need not specify the placement of the notice. The privacy notice is primarily intended to educate parents about the practices at the site. It should be sufficient for a privacy notice to be posted in a prominent manner that is easy for an adult to find. 64 Fed. Reg. 22754 ("it is essential that such notices be prominent and easy to find").
Finally, operators do not have complete control over where their privacy notice actually appears on an end users computer screen. Sites may look different when accessed through different browsers or different versions of the same browser. In addition, operators have no control over the browser settings that end users select for their browsers. These settings, which include font size, tool bar display, and other options, greatly affect the portion of a web site that can be viewed without scrolling. Furthermore, where a site is framed (with or without authorization of the originating operator), it occupies a smaller portion of the end users screen. By regulating in this area, the Commission would impose serious legal uncertainty and substantial compliance costs that are wholly unnecessary to protect childrens privacy or to fulfill the requirements of the statute.
Therefore, the final rules should clarify that prominently placing the link to the privacy notice at the bottom of a web page is sufficient to protect privacy interests protected by COPPA.
C. The Final Rules Should Not Apply to Data Collected Prior to COPPAs Effective Date
The NPRM indicates that the Commission will apply the rules to any use or disclosure of personally identifiable information collected prior to COPPAs effective date. See 64 Fed. Reg. 22751. TWDC opposes the retroactive application of notice and consent obligations to information collected prior to COPPAs promulgation.
The rationale for retroactive application is that the proposed regulation "applies to the use or disclosure . . . not just collection" of information. Id. Yet, the statutory prohibition that provides the sole basis for the Commissions rulemaking authority is aimed exclusively at sites that "collect personal information from a child." 15 U.S.C. § 6502(a). The NPRM posits a strained reading of the statute, which runs afoul of the presumption against retroactive application of legislation.
As the Supreme Court held in Landgraf v. USI Film Products, 114 S. Ct. 1483 (1994), a statute has retroactive effect if "it would impair rights a party possessed when he acted, increase a partys liability for past conduct, or impose new duties with respect to transactions already completed." Id. at 1505. The proposed rule would impair operators rights to use and disclose information which they possessed at the time of collection, and would impose new duties with respect to collection transactions that have already occurred (duties that can only be fulfilled if operators separate out data collected online from children and obtain parental contact information up front). In such circumstances, Congress must expressly state its intent that the statute apply retroactively. It has not done so.
The proposal also underestimates the severe difficulties associated with requiring consent for information already collected. A requirement to re-contact and verify old accounts and the likelihood of success would be costly and ineffective. We also believe that since TWDC has had an appropriate registration pathway for children for many years, this would be unnecessary.
At a minimum, to address the serious burden to well-intentioned operators that would caused by lack of fair warning of the requirements of the rule, personal information collected prior to COPPAs effective date by operators in compliance with an existing self-regulatory regimesuch as CARU or the OPA Guidelinesshould be grandfathered and those operators exempted from obtaining verifiable consent from parents for this data.
For the foregoing reasons, TWDC asks the Commission to: (1) expressly provide that e-mail-based consent methods that do not include digital signatures satisfy the verifiable parental consent requirement under the rules; (2) clarify that hyperlinks to privacy notices may be placed in any prominent location on the site; and (3) provide that the requirements of the rule do not apply to information collected before the effective date.