Children's Online Privacy Protection Rule - Comment, P994504
Ms. Toby Levin
Friday, June 11, 1999
COMMENTS FROM ICANBUY.COM RE 16 CFR 312 PROPOSED RULE QUESTION 1 REGARDING OVERALL COMMENT ON THE PROVISIONS OF THE PROPOSED RULE
Overall, the Proposed Rule is implementable in its current form. There are also alternative means of implementation to optimize the balance between off-line and on-line verification. The benefits, costs, and alternatives are outlined below to each of the key stakeholders.
As an example, iCanBuy.com's technology and systems provide a safe, secure and private system and standard to administer permissions that are suggested by the Proposed Rule. These permissions, which are set by the parent for each individual child, regulate on-line actions and transactions -- including whether or not a child can participate, to what extent, and to which third parties they can connect. iCanBuy's technology and processes are beneficial for Parents, Children and other OnLine Providers to Children.
Benefits: Increased comfort and confidence regarding security of their children on-line. Full knowledge and approval of their children's activities. Costs: Increased burden on parent to monitor activities of their children. Burdensome processes may require use of external facilities in order to fax signatures. It may also be exclusionary to those who do not have access to fax machines. Multiple sites would require multiple approvals. Alternatives: The use of a credit-card verification system, or another system where parents have already verified their identification (including with a credit card as approved by the Supreme Court). For example, iCanBuy's safe, secure and private system enables parental choice regarding their children's on-line actions. Parents can choose how they would like to set each individual child's permission. Identity is verified with a parental credit card; and followed up by iCanBuy as part of the security process. This alternative is beneficial as it already exists, and is in successful use by some on-line parents today; this alternative's costs are limited to signing up for the service once so that permissions can be used by multiple sites.
CHILDREN UNDER 13
Benefits: Increased protection from predators and misleading behaviors by on-line providers. Costs: Increased burden of asking parents prior to using sites that require personal information. Possible decreased use of valuable sites that require this information. Alternatives: The use of a permissions-based system that enables the approval of an individual site, or categories of sites. For example, iCanBuy provides such a system today that is set by the parent, and is approved in conjunction with how much they trust their children to make the appropriate choices. This alternative's benefits include familiarity with the trusted brand, the use of one standard system across all sites for permissions, and limited burden on parents to pursue yet another unique process for registering their children. This alternative's costs are waiting for the parent to approve their access, which could be much longer with the off-line systems.
ON LINE PROVIDERS TO CHILDREN
Benefits: Increased confidence that parents have approved children's participation in their site. Limited liability for potentially hazardous behavior by abusers of the site. Costs: Potentially costly processes that require labor-intensive verification (phone calls, faxes, paper mail) of parents. Possible uncertainty regarding the true identity of the source. Alternatives: The use of, or integration with, an electronic system that has already verified parents, and/or has the capabilities of granting permissions to on-line activities, including access to sites, information or financial transactions on those sites, and other actions on-line. For example, iCanBuy provides such a system for on-line providers to children that integrate with their existing systems. This alternative's benefits include adopting an already-established standard for managing permissions between parents and children on-line, is an on-line process (which would save costs), has secure and safe procedures for verification, and can easily and quickly be integrated into their business. This alternative's costs are limited to integrating their site technically into the established standard, such as iCanBuy.
QUESTION 5 REGARDING SECTION 312.4 (b)
Finally, outside entities like TRUSTe do follow-up verifications and are a trusted source for privacy verification.
Privacy links can be more informative for parents and children by displaying them in a more visual sense. For example, bullet pointed items that highlight what DO's and DON'Ts are, and how information WILL and WILL NOT be used. In addition, having a standard checklist across sites (with checkboxes for compliance) would help consumers of information quickly understand who is keeping their information private.
QUESTION 7 REGARDING SECTION 312.4-B-2-IV
Operators should be required to at least hot-link to the privacy polices of third parties with which it conducts business. In addition, a checklist (as described above) that highlights the use of information and how third parties may use it differently should be available for parents and children.
QUESTION 9 REGARDING SECTION 312.4-C
Equally effective methods for parents being alerted include a standard permissions system that can be conducted on-line. For example, iCanBuy.com hosts a system whereby parents sign up once and can then issue permissions on an on-going basis, either manually or automatically. This network makes it extremely flexible for the parent to interact as it can be accessed from any browser. In addition, there is a feature which enables new transactions (such as parental approval) to be administered through a central activity screen for parents. This would enable all permissions requests to queue in one system and then be granted or denied. The benefits of a standard system, like iCanBuy's permissions, are simplifying the process for users, establishing a common way of managing permission, and a safe, secure, private network for issuing permission.
QUESTION 13 REGARDING 312.5-B
The methods listed in the commentary are all implementable. However, many of the labor-intensive approaches can be quite costly without the use of a standard system. New systems, processes, policies, and security procedures will be required for most web sites dealing with children. The costs of this approach may exceed the benefits for many of the valuable sites out there for children. However, there is the opportunity for a standard permissions-management system that integrates across all providers serving the children's market. An example of a solution like this is iCanBuy's parental permissions, in use today by many parents and children. This system enables parental permissions to be managed from a central computer, with standardized processes, and tight security procedures. This approach can be integrated with on-line providers so they can outsource the new privacy verification processes.
QUESTION 17 REGARDING 312.5-C-1
A reasonable time period is 30 days from the initial collection if done by each individual site. This timeframe could be 7-14 days if there were a central system that parents would use to manage permissions. ICanBuy's experience is that 7-14 days is reasonable for a site where parental permissions are used regularly. This accommodates parent's busy lives with work, children's school and extracurricular activities, as well as time off for vacations and holidays. However a longer period would be required for sites not customarily thought of for parental permissions.
"Do-not-contact" lists should be maintained for those parents who are protective of their children. They should have a 'refresh' date to ensure that circumstances of parental permission have not changed, such as when the child matures. Again, the benefit of a standard system that avoids multiple do-not-contact responses would be extremely helpful to parents, while keeping a standard approach, and allowing the capability to designate which specific requests would be acceptable and which would not.
QUESTION 24 REGARDING SECTION 312.8
There are many security procedures, especially dealing with customer-specific data, that can be used to protect privacy. These practices are fairly well known among security consultants and financial services firms. The cost of implementing these is usually in extra time to respond to the customer or management regarding customer-specific questions or transactions. The extra monetary cost can be significant, if specialty hardware, software and encryption are required.
For example, iCanBuy.com has implemented very secure and safe procedures to ensure the highest levels of privacy protection. These include limited access by staff to customer information (including username, passwords, address, and customized selections of permissions); multiple alphanumeric usernames and passwords to access that data; locked safes of printed information; regular changing of usernames and passwords; encryption of customer data and financial information; use of secure networks and protocols for transferring data; and when customer requires information, they must volunteer at least five separate pieces of unique information to the Company via voice. In addition, if the Company's systems come under attack, high-security software and hardware shut down the system, repel the attacker, seek the source of the attack, and encrypt the database as it shuts down.