UNITED STATES OF AMERICA In the Matter of FTC File No. P994504 Children’s Online Privacy Protection Rule COMMENTS OF MAMAMEDIA, INC. ON THE FTC’S PROPOSED CHILDREN’S ONLINE PRIVACY PROTECTION RULE MaMaMedia, Inc. through its undersigned counsel, respectfully submits these comments in response to the Commission's request for comments on the proposed Children’s Online Privacy Protection Rule ("Rule"). We look forward to participating in any follow-up workshop scheduled by the Commission. With submission of these comments, MaMaMedia requests to participate in any such workshop. By way of background, MaMaMedia operates a free Web site (www.mamamedia.com) that contains safe and dynamic educational activities for kids, and that is dedicated to advancing the technological fluency of kids through playful learning. Designed and developed by a team of Harvard and MIT-trained educators (who are also parents), MaMaMedia offers kids unique tools and technology to fuel their creativity and curiosity. Not only are kids encouraged to explore the Web, but also to express themselves by creating their own stories, games, artwork, and characters. Moreover, kids are encouraged to safely (i.e., anonymously) exchange their ideas with MaMaMedia characters and employees to foster important communication skills in MaMaMedia’s digital sandbox. In providing kids with these important educational opportunities, MaMaMedia shares the Commission’s concern for kids' safety as they explore the Web and develop online learning skills. To that end, MaMaMedia goes to great lengths to safeguard children and protect their privacy. Thus, MaMaMedia respects the goals and guidelines established by the Children's Advertising Review Unit of the Council of Better Business Bureaus, the Center for Media Education, and other organizations concerned with children's online privacy and safety. MaMaMedia’s online offering provides a database of Web sites operated by third parties, which MaMaMedia pre-screens for quality kid’s content. MaMaMedia links to only the best and most age-appropriate sites for children; the database is highly selective rather than comprehensive. A team of educators and trained editors carefully screens, selects, and approves sites for the database, which currently includes links to over 2,000 Web sites. MaMaMedia calls this constructive filtering, rather than blocking. MaMaMedia’s comments on the proposed Rule focus on three distinct issues. First, the issue of requiring Web sites that collect personal information from children to obtain verifiable "parental" consent. Specifically, MaMaMedia requests that the Commission also permit educationally-oriented Web sites, such as mamamedia.com, to obtain verifiable "educators’" consent as a proxy for the consent of a parent or legal guardian. This "safe harbor" will allow forward-thinking educators to incorporate educationally-oriented Web sites into their curriculum without first having to seek and obtain verifiable "parental" consent from each child in the classroom. Second, MaMaMedia requests that the Commission explicitly acknowledge that passive tracking of information through the use of "cookies" technology does not always involve obtaining personal information. Thus, in every instance, using cookies does not fall within conduct regulated by the Rule. Finally, MaMaMedia requests that the Commission confirm, in the Statement of Basis and Purpose that will be issued concurrently with the Rule, that linking to a third party’s Web site, by itself, does not provide a basis for liability under the Rule. Based upon informal conversations with FTC staff in charge of implementing the Rule, MaMaMedia understands this to be the Commission’s view. II. COMMENTS
The Children’s Online Privacy Protection Act permits the Commission to establish safe harbors for Commission-approved activities that maintain the protections afforded to children under the Rule to be implemented. 15 U.S.C. § 6503. MaMaMedia recommends that one such safe harbor should be created for Web site operators who receive verifiable "educators’" consent to collect personal information from their students. This verifiable "educators’" consent would be a proxy for obtaining verifiable "parental" consent. For example, obtaining verifiable "educators’" consent could involve an educator providing a letter to a Web site operator consenting to the Web site’s activities with respect to collection and use of personal information from that educator’s students. The consent could be required to be on the letterhead of the educational institution that includes identifiable information about the educator, such as his/her name and e-mail address, and a list of the e-mail addresses and screen names of the children who will be participating in the Web site’s activities. Permitting educators to serve as proxies for parents under the Rule obviates the unduly burdensome need for educators to obtain the verifiable "parental" consent of each and every student prior to participation of the entire class in online activities. In this scenario as described, children’s online privacy would remain protected, as the online activities would be supervised and monitored by a qualified educator, who already has been given responsibility by the children’s parents or guardians for educating and supervising the educational activities of the students in their classroom. This safe harbor is consistent with the evolving trend of using computers and the Internet to supplement traditional classroom teaching methods. The Commission’s Rule, as enacted, should not inhibit the use of these innovative teaching methods or the development of these important activities.
As currently written, the Rule is not clear whether the use of cookies is always an activity that comes within the Rule. Section 312.2 of the Rule defines "collects or collection" as:
Moreover, "personal information" is defined as:
Taken together, it is not clear from these definitions whether the use of cookies technology that does not link an identifying code to an individual is conduct that comes within the Rule. In fact, MaMaMedia uses cookies to obtain aggregate information about users of its Web site, which information does not contain any identifying codes linked to an individual. For example, when a person visits MaMaMedia’s Web site, MaMaMedia uses cookies technology to learn whether that person visited the Web site from a MaMaMedia banner advertisement placed on another Web site. From the use of that cookie, MaMaMedia obtains no personal information about that visitor. Even if MaMaMedia obtains a processor serial number of the computer that the visitor used to enter mamamedia.com, MaMaMedia has no way of further identifying any personal information about that visitor from the cookie. MaMaMedia seeks confirmation that, in such cases, the Rule would not apply. In particular, MaMaMedia suggests the Commission modify the definition of "collect" or "collection" to make clear that use of cookies without obtaining personal information is not covered by the Rule. We propose that the definition be modified as follows:
As noted above, an integral part of MaMaMedia’s Web site offering is its database of over 2,000 pre-screened, "kid friendly," Web sites operated by third parties. In creating and maintaining this list, MaMaMedia screens the sites in its database regularly, adding new sites with useful and appropriate content for kids, and deleting those that fall short of MaMaMedia’s standards. While every effort is made to ensure that sites in MaMaMedia’s database do not contain inappropriate material, the ever-changing nature of the Internet makes it possible that a site can alter its policies regarding advertising, data collection, or commerce, or create links to sites that have material that is not kid-appropriate, without MaMaMedia’s knowledge. MaMaMedia encourages users to recommend good sites it may have missed, and warn against those that may not be appropriate. MaMaMedia recommends that the Commission make clear in the Statement of Basis and Purpose issued concurrently with the final Rule, that merely linking to a third party’s Web site does not create liability under the Rule. Otherwise, it would not be feasible, in practice, for sites such as mamamedia.com to link to third parties’ Web sites. MaMaMedia would be required to monitor all 2,000 sites in its database continually in order to limit its liability for a Rule violation. Thus, with respect to liability for linking to third party sites, MaMaMedia suggests that where a Web site operator has no actual knowledge of a Rule violation, then such Web site operator should not be held liable for that violation. Counsel for MaMaMedia sought and received informal confirmation of this understanding from an FTC staff member responsible for implementation of the Rule. MaMaMedia now seeks a definitive statement from the Commission that linking, by itself, to a third party’s Web site that violates the Rule, would not be a basis for liability under the Rule. III. CONCLUSION In conclusion, MaMaMedia respectfully requests that the Commission permit educators to consent to Web sites’ personal information collection activities that affect their students. In so doing, the Commission will foster, rather than impede, the emergence of this important educational tool. In addition, MaMaMedia requests that the Commission confirm that use of cookies in every instance does not always come within the Rule. Finally, MaMaMedia asks the Commission to affirm that merely linking to a third party’s Web site does not create liability under the Rule. We look forward to working with the Commission on issues that pertain to children’s online privacy. Respectfully submitted, Dated: June 11, 1999 Idit Harel, Chief Executive Officer _______________________________ |