Secretary, Federal Trade Commission
600 Pennsylvania Avenue, NW, Room H-159
Washington, DC 20580.
Children's Online Privacy Protection Rule -- Comment, P994504.
The Electronic Privacy Information Center (hereinafter "EPIC") respectfully submits these comments pursuant to the Federal Trade Commission's ("FTC" or "Commission") proposed Rule implementing the Children's Online Privacy Protection Act ("COPPA" or "the Act"). Notice of Proposed Rulemaking to Implement the Children's Online Privacy Protection Act of 1998, and Proposed Rule, 64 Fed. Reg. 80 (April 27, 1999) ("NPRM").
The Electronic Privacy Information Center is a project of the Fund for Constitutional Government, a non-profit charitable organization established in 1974 to protect civil liberties and constitutional rights. EPIC has played a leading role in the effort to establish enforceable Fair Information Practices in the United States. EPIC testified before the House Judiciary Committee, Subcommittee on Crime, on September 16, 1996 in support of legislation to protect the privacy rights of children.
COPPA establishes legal rights regarding the collection and use of personal information on young children. Self-regulation is simply not well suited to privacy protection where kids are involved. Young people cannot assess risks as adults can, cannot exercise complicated "opt-out" procedures, and should not be expected to monitor compliance with posted privacy policies. Legislation such as COPPA is necessary to establish sensible codes and clear standards for privacy protection of children's information in the digital medium. Earlier legislation, such as the Family Educational Right to Privacy Act of 1974 ("FERPA"), has recognized the need for such standards regarding young people's information.
Because EPIC believes that these principles are the foundation for effective privacy protection, this discussion will focus on the ways in which the proposed Rule embodies or undermines them.
For each provision commented on please describe (a) the impact of the provision(s) (including any benefits and costs), if any, and (b) what alternatives, if any, the Commission should consider, as well as the costs and benefits of those alternatives.
The proposed Rule requires notice of types or categories of personal information collected from children. Although the Commission's commentary is instructive with regard to what sorts of categories are expected, a rule that would allow operators to list broad descriptions such as "contact information" is insufficient. Such descriptions would violate the principles of openness and disclosure underlying COPPA. Consequently, EPIC recommends that the FTC require explicit disclosure of collection of the following information types: name, mailing address, electronic mail address, telephone number, Social Security number.
The proposed Rule allows operators to categorically describe their uses of children's personal information. This approach does not adequately inform parents of the potential effects of their consent and weakens privacy protection.
For instance, the Commission's sample use description -- "we use this information to provide information on toys to your child" -- includes activities as innocuous as loading a particular banner ad when the child visits the operator's website. However, it also seems to encompass direct mailings, both physical and electronic. Because adequate disclosure is crucial to meaningful consent, use descriptions must be more detailed. Thus the above description should be expanded to include how the information will be provided, how often the operator will provide it, and how long the child's personal information will be archived.
This degree of specificity is required by several of the principles underlying Fair Information Practices: purpose specification, collection limitation (consent is meaningless if parents do not know what activities they are authorizing), use limitation (detailed descriptions make clear what uses and purposes have been consented to), and accountability (enforcement is easier when the policy lists specific practices).
EPIC opposes the exceptions enumerated in subsections (1), (3), and (4) of this section. Regarding (1), it is unclear why an operator would need to collect a child's contact information for the purposes of obtaining consent from the parent. The operator need only know the parent's contact information, and the child's first name (so that parents will know which child is involved).
Similarly, a child's request for repeated future contacts from the operator, such as a notification when a website is updated, can be complied with by collecting only the parent's information and obtaining consent prior to the first transmission. Because the initial response may not immediately follow the child's request, the child's personal information may sit for some time on an operator's machine without any parental screening of that operator's privacy practices. This situation presents a threat to the child's privacy.
Finally, the safety of a child is best protected by collecting the parent's contact information. This makes the exception in (4) unnecessary.
EPIC recognizes the need for parental access to a young child's personal information files. Parental involvement is generally consistent with the individual participation aspect of Fair Information Practices in the case of a young child who may not be able to fully exercise rights in the collection and use of personal information. Congress has previously recognized the importance of allowing parents to exercise information control rights on behalf of their children--FERPA creates a parental interest in inspecting and challenging children's records. COPPA creates a similar interest in personal information held by an operator.
In light of this interest, the two-tiered approach described in the commentary to this section seems unnecessarily cumbersome. A single, effective identity check should suffice for parents to gain access to their children's information. Burdening parents with multiple identity checks of varying strengths discourages the participation which COPPA envisions.
Regarding the methods of verifying identity, EPIC believes that requiring parents to provide photocopies of driver's license information is unnecessarily invasive. A password system, while not perfect, provides a high level of protection without compromising the parents' rights. Along with the security requirements of §312.8, a password system should be effective in preventing unauthorized access to children's personal information.
EPIC supports limiting collection of personal information to what is reasonably necessary to participate in a particular activity. However, the Commission's example under §312.6(c) of collecting e-mail addresses from chat room participants in order to contact them in case of misbehavior is troubling. The "reasonably necessary" standard should be narrowly construed. In the chat room example, the existence of regulatory options which preserve user anonymity suggests that collection of a chat room user's e-mail address is not reasonably necessary to keep things civil in the chat room. For example, in the self-regulated IRC chat community, individual users can be temporarily kicked off or banned from particular channels. This regulation is implemented using only the user's nickname -- no personal information is required. Being removed or locked out of a channel in this way sends as strong a message to the user as a personally directed e-mail note would, without the invasion of privacy. Operators should be encouraged to set up chat rooms and other community resources in ways which facilitate anonymous use.
EPIC supports the public review of self-regulatory guidelines submitted under this section. The Commission should create and maintain a list of organizations interested in being contacted when such guidelines are published for public comment. Such a measure would allow interested groups to be actively involved in the review of these safe harbor proposals.
5. Section 312.4(b) lists an operator's obligations with respect to the online placement of the notice of its information practices.
The Commission should require that an operator's privacy page be accessible by searching for the word "privacy" on the home page. This simple measure will ensure uniformity and allow parents to efficiently access privacy information. This approach has the added benefit of requiring a text-based link, which will load quickly (increasing the likelihood that an individual sees it before impatiently moving on).
The FTC should also require placement of the link such that a typical visitor to the operator's website can see the link without having to scroll at all. The purpose of this restriction is to prevent clever webmasters from concealing privacy links far to the right or far above places where the Rule requires placement.
Furthermore, the FTC should encourage operators to put their privacy policies on dedicated pages. This highlights the importance of privacy protection and allows parents to easily "bookmark" the privacy page for future reference. In the alternative, the Rule should explicitly include the Commission's recommendation that the required links point at the policy itself, not at the top of a general page of legal notices.
As noted above, the word "privacy" should be included in the links. A parenthetical description such as "what we do with your information" may be an appropriate supplement.
7. Section 312.4(b)(2)(iv) requires an operator to state whether the third parties to whom it discloses personal information have agreed to maintain the confidentiality, security, and integrity of that information. How much detail should an operator be required to disclose about third parties' information practices?
The disclosure standard for third party practices should be equivalent to the standard proposed above for operators. Anything less than full disclosure regarding third party information practices would fatally undermine the purposes of COPPA. There is nothing inherent in being a third party which reduces one's potential for misuse of personal information. Consequently, an informed parental decision regarding disclosure to third parties will require much more than the third party's "type of business" and the "general purposes for which [a child's] personal information is used." The same principles noted, supra, in the context of specific operator use descriptions apply here. EPIC urges the Commission to impose a high disclosure standard on third party practices.
Regarding confidentiality and security of information disclosed to third parties, parents must be warned if a third party has weaker standards than the operator. EPIC recommends that the FTC should modify the proposed Rule accordingly.
8. Section 312.4(b)(2)(vi) requires an operator's notice to state that the parent has the right to review personal information provided by his or her child and to make changes to and/or have that information deleted, and to describe how the parent can do so. Is this information needed in the notice on the website or online service, or should it be included only in the notice provided directly to the parent under Section 312.4(c)?
12. Section 312.5(a)(2) requires operators to give the parent the opportunity to consent to the collection and use of the child's personal information without consenting to the disclosure of that information to third parties. Should the rule also require that the parent be given the option to refuse to consent to different internal uses of the child's personal information by the operator?
A parent's ability to refuse particular uses is fundamental to the protection of children's privacy. This power is complementary to the detailed use descriptions discussed above. The same key principles -- limiting collection and use to specified purposes -- are implicated by both issues. A parent must know about an operator's specific information uses so that she can approve the ones she considers appropriate for her child and refuse the rest. An "all-or-nothing" approach places parents in a quandary: if an operator has only a few unacceptable practices, parents must either withhold permission altogether (potentially cutting the child off from beneficial information or services) or grant consent despite their misgivings (undermining the reason for requiring consent in the first place). To avoid these problems, parents should be given the option to specify which particular uses of a child's information they approve.
13. The commentary on Section 312.5(b) identifies a number of methods an operator might use to obtain verifiable parental consent.
(b) What are the costs and benefits of using the methods listed?
Any methods that require parents to provide credit card information as part of the consent process may be unduly burdensome. Such practices invade parental privacy and discourage consent, even if the operator's uses and practices are otherwise unobjectionable. The other methods provide excellent means of obtaining parental consent.
EPIC urges that the Commission modify its proposed Rule in accordance with the principles of Fair Information Practices and the comments presented above.
Marc Rotenberg, Executive Director