|TO: Federal Trade Commission
FROM: MLG Internet, Inc.
Date: June 11, 1999
RE: Childrens Online Privacy Protection RuleComment, P994504
MLG Internet, Inc. ("MLGI") operates a retail electronic commerce site selling to consumers. MLGI is concerned that the proposed regulations for the Childrens Online Privacy Protection Act (the "Act") are overbroad--in particular over whether a given Web site operator is within the scope of the regulations in the first place.
1. The Proposed Rule Should Be Modified To Clearly Designate Which Web Sites Are Subject To The Rule.
A Web site that does not target children should not be forced to deal with the elaborate mechanisms and risks the Rule creates. The primary operative section of the Rule, Section 312.3, obligates a Web site operator to enter into the massive undertaking of compliance when either of two conditions is true: either be a Website or Online Service Directed to Children, or have actual knowledge that a child has put information on the Web site. The definition of a Website or Online Service Directed to Children (Section 312.2) is too broad, and subject to too much discretion by the Commission, to permit an operator to determine whether or not it is within the scope of the Rule. Nor does the definition give an operator clear instruction on how to avoid being inside the scope of the regulation. Further, actual knowledge of just a single child using ones Web site, even if the Web site is doing nothing to attract that child in particular, is sufficient to require the Web sites operator to comply with the maze of regulations over the entire Web site. See proposed Rule Section 312.3, which requires only the receipt of personal information from "a child" to trigger the entire panoply of requirements. To resolve this problem, the proposed Rule should provide clear guidance to Web site operators to help them steer clear of children on the Internet and thus properly avoid the onerous obligations of the Rule.
To illustrate this issue, consider the Federal Trade Commissions own Web site. The FTC has solicited comments on the proposed Rule by providing an email address for the submission of comments (Kidsrule@ftc.gov). A review of the comments submitted to date (<www.ftc.gov/privacy/comments/index.html>) shows that the FTC is "collecting" and "disclosing" both "personal information" and "online contact information" to the public, including the persons name, email address, state and city of residence.
The proposed Rule would apply to the FTCs Web site if the FTC has "actual knowledge that it is collecting personal information from a child." See Section 312.3 (emphasis added). In at least one case, Russ (Comment number 47), provided the FTC with his age (17). If Russ had disclosed in his email message that he was 12 years old, then under the proposed Rule, the FTC arguably would have "actual knowledge" that it had collected personal information about a child, and none of the exceptions listed at Section 312.5(c) would apply. Thus, the FTC would be required for its entire Web site to have the mechanisms necessary to provide the notice, consent, and access protections required by the proposed Rule--certainly not the intent of the Act.
As another example of unintended consequences, the Commissions use of the e-mail address "KidsRule" could be cited as a factor of language that might have the Commissions site be deemed a Website or Online Service Directed to Children. "Kids Rule" is a popular phrase used by children, and many internet search engines would find the Commissions Web site as a "hit" if a child did a search on that phrase. Would the Commissions own site be deemed a Website or Online Service Directed to Children because of factors such as this? That is certainly not the intent of the Rule, but an operator is justifiably uncertain when faced with Rules such as this one.
This problem could be remedied several different ways. First, the FTC should change the Rules definition of Website or online service directed to children so that an operator has a clearer sense of what Web site features will lead to the conclusion that the Web site is targeted to children. This change would also have the benefit of giving less discretion to the Commission in its determinations of whether a Web site is targeted to children.
One particular class of Web site operators who should be concerned about this issue are "e-commerce" Web sites that sell normal consumer goods to the public via their Internet Web sites. The purpose of such Web sites is to sell goods. For many sites, a sale cannot occur unless the person has a credit card. Given that children under the age of 13 should not be expected to have credit cards (the Commission and Congress have both found that credit card use is proof of being of age), such a site should be clearly classified under the definition of a Website or online service directed to children as falling outside the scope of the Rule. Yet, the current rule would offer no such comfort.
Second, the FTC should clarify the interplay between definition of Website or online service directed to children and the "actual knowledge" provisions of Section 312.3. Ideally, it should be clear that the Rule, or at least its panoply of mechanisms and standards, apply only to Web site operators who seek personal information from a child because of that persons status as a child. The costs of providing the mechanisms provided by the Rule clearly outweigh the minimal protection to be provided to the small number of children who may provide personal information to an unwitting Web site operator who did not want the information. For an operator who has actual human knowledge that it has collected information about a child or that it has placed a "cookie" on a childs computer, the Rule should allow the operator to simply delete that information without becoming subject to the Rules requirements.
Furthermore, the term "actual knowledge" should be defined to include actual "human" knowledge. A great number of Web site operators rely upon automated systems to manage their message boards and email response systems without any human intervention. It is just this type of efficiency that makes many Web-based businesses feasible. If a Web site operator can be deemed to have "actual knowledge" that a child has submitted information because the operators database contains some disclosure by a child of his or her age, then Web site operators may not be able to rely upon these automated systems. This then could lead to significant costs for Web site operators, or as more likely, would prevent some Web based businesses from opening.
Third, the FTC should amend the Safe Harbor section of the Rule to permit self-regulatory organizations to set and maintain rules which meet the stated goals of the Act, while still permitting the self-regulatory organizations to improvise and change with technology and the particular needs of their membership. For example, a self-regulatory organization could specialize in members who choose not to deal with children, and create self-regulations that will guide its members on how to avoid dealings with children. That organizations rules would deal little if at all with the notice, consent, or access provisions, since they would be irrelevant to its members, but could concentrate on how to avoid being a Website or online service directed to children in the first place.
The proposed safe harbor is of little comfort and does not meet the intent of the Act, since it requires, at a minimum, full compliance with the final Rule issued by the Commission--which a Web site operator could already rely upon without being involved in any self-regulatory group. Section 1304(b)(2) of the Act, suggests that full compliance with the FTC Rule will be an absolute guaranty of approval by the Commission--not that full compliance was a floor. However, the proposed Rule, at Section 312.10(b)(1), states that no self-regulation guidelines are acceptable unless they "implement the protections afforded children under this Rule" thus setting the regulations as a floor--and effectively eviscerating any safe harbor for self regulation. The Rule should allow for self-regulatory guidelines that are capable of change, reflection of particular group needs, while still seeking to achieve the purposes set forth by Congress.
2. The Rule Is Too Dependent Upon Current Technology.
Although providing specific examples in the Rule makes it easier to follow, this practice necessarily entails the use of current industry terms or reference to existing technologies. This in turn places too much emphasis on the present state of the Internet, and does not recognize the incredibly fast changes in the technologies.
For example, despite the availability of IP addressing technology to track users of the Internet, the Rule does not mention it. On the other hand, "cookies" are mentioned. The natural inference is that the collection of IP Addresses (as well as many other methods of tracking Web browsers) does not run afoul of the Rule. Further, a new technology that is similar to "cookies" but with a different name would also fall outside the scope of the rule.
The FTC should modify the Rule either to remove all references to existing technology and clarify this issue by defining goals without reference to particular technologies. Otherwise, the Rule will be obsolete before their time or lead to unnecessary confusion.
3. The FTC Should Hold the Proposed July 20, 1999 Workshop.
Because these Rule may impose significant burdens on Web site operators who do not intend to collect information from children, the FTC should hold the proposed July 20, 1999 Workshop.