The Magazine Publishers of America (MPA) is pleased to comment on the Notice of Proposed Rulemaking to implement the Children’s Online Privacy Protection Act of 1998. MPA is the principal trade association of the consumer magazine industry, representing more than 200 publishers of more than 1250 of the most-recognized magazines in the Unites States, including many titles – classic and new – that provide news, information, literature and commentary in a child-friendly format. Many of these titles also provide educational and fun web sites for children.

MPA appreciates the Commission’s extensive analysis and exploration of key issues raised by the Children’s Online Privacy Protection Act and its efforts to balance privacy protection needs with the opportunity for children to have fun and educational interactive experiences at a variety of child-oriented web sites. However, we are concerned that some of the requirements proposed in the NPRM go beyond the provisions and intent of the Act and could have the unintentional effect of discouraging children from participating in the valuable activities offered by child-oriented web sites. Creating obstacles to children’s participation may not only deprive children of interesting and educational opportunities but may cause children to visit less appropriate sites not subject to these rules.

In addition to our comments on specific sections of the proposed rules contained below, we endorse the extensive comments submitted by the Direct Marketing Association, an association with extensive interest in the online environment. In addition to its traditional membership, DMA includes the Internet Alliance and the Association for Interactive Media.

Section 312.3. General Requirements.

Web sites directed to children - In defining a web site directed to children, the Commission lists factors that it would consider in making a determination whether a site, or portion thereof, is targeted to children. Some of the factors identified are useful indicators of the site’s orientation, for example "competent and reliable empirical evidence regarding audience composition" and "evidence regarding the intended audience." The commentary to the Rule additionally mentions consideration of whether the site is designated as a children’s area.

Some of the other factors identified in the Rule, however, may be too broad to capture only sites directed to children. For example, the rule mentions "visual or audio content" and "age of models." Sites directed to parents may utilize children as models and feature products or services that are child-oriented. Depiction of such products is not intended to attract children to the site, rather to show parents how they might use such products or services. Samples of child-oriented visual or audio content may be displayed. Another factor mentioned is whether a site uses "animated characters." Use of animated characters is not necessarily an indicator of a site directed to children. Adult-oriented sites may use animated characters that appeal to adults as well as children. The overall nature of the site, as well as its self- definition for editorial and advertising purposes, should be considered rather than individual components or elements of the site.

Definition of information collection - In describing the collection of personal information that is covered by the Rule, the Commission includes "any online request for personal information by the operator regardless of how that personal information is transmitted to the operator." This definition is overly broad and clearly not consistent with the scope and intent of the Act, which applies only to information collected online, not information requested online. Furthermore, broadening the definition in this way would impose a tremendous tracking and record-keeping burden on web site operators who may receive information offline from a variety of sources and may not be able to track information requested online separately. The applicability of the Rule should be limited to information collected online.

Notice regarding third parties - In describing the very lengthy and detailed nature of the notice required to be provided to parents, the Rule requires the notice to disclose "whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used." The commentary goes on to describe the need to provide a "brief statement of the types of business in which the third parties are engaged, e.g. list brokering, advertising, magazine publishing, or retailing…."

This requirement has the potential to lead to excessively long and confusing notices, especially for web sites that have both children’s and adult portions. Many third parties are large conglomerates with multiple operations. Would the operator have to list all divisions of the companies it deals with? Further, would the operator be expected to provide a check off box for each third party, so that the parent could specify that it liked banks or magazine publishers, for example, but didn’t like advertisers or retailers? This level of detail could lead to parental confusion and frustration as well as create an administrative nightmare for operators to keep the information in the notice precisely accurate and up-to-date. What if the operator drops one type of third party. Would the notice have to be changed constantly?

Information practices of third parties – The proposed Rule requires operators to inform parents whether third parties to whom they may disclose personal information "have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator." This requirement exceeds the scope and intent of the Act, which requires operators to describe their own information practices only. As the Act states, operators are required "to provide notice on the web site of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information." This additional requirement to describe the information practices of third parties would create a tremendous burden on web site operators. How often would they be required to verify the policies of third parties? It would also potentially create a liability for the web site operator if the third party intentionally or unintentionally violated its own privacy policy.

Partial consent – The proposed Rule also requires that the notice state that "the parent has the option to consent to the collection and use of their child’s personal information without consenting to the disclosure of that information to third parties." This requirement is inconsistent with the Act, which does not specify a requirement to allow partial consent and, in a comparable situation, explicitly allows an operator to terminate service if a parent opts out of further use, maintenance or collection of data. Web site operators should be allowed to deny service if accommodating partial consent elections interferes with the general administration of the web site and causes an excessive administrative burden.

The Commission also asks a question as to whether parents should be given the option to refuse to consent to different internal uses of the child’s personal information by the operator. As with partial consent for collection and use of data but not disclosure, it is likely that allowing parents to consent to different internal uses of the child’s personal information would impose an undue administrative burden and lead to confusion and possible unintentional violations of the parental election.

Placement of the notice – The proposed Rule requires that a link to a notice of the site’s children’s information practices or privacy policies be placed in a prominent place on the home page of the web site "such that a typical visitor to the home page can see the link without having to scroll down." There would also have to be prominent links to the notice at each place on the web site where children directly provide personal information, again visible without having to scroll down.

The requirement that a visitor not have to scroll down is impractical and overly burdensome, as is the requirement for a notice on the home page if only a portion of the web site is directed to children.

Web site visitors are by now used to the common and well-accepted practice of placing links to other portions of a web site at the bottom of individual web pages. This is a place where visitors know to look. Furthermore, there is variation is how pages are displayed to individuals using different service providers, browsers, or computers. What does not require scrolling for one visitor may require scrolling for another. As long as there is not an excessive break between the body of text and graphics on the web page and the link button, visitors should not have trouble finding the link.

For sites where only a portion of the site is directed to children, the main home page may not be a suitable place for a hyperlink dealing with information practices relating to children. It should be sufficient in such a case for the link(s) to be located in the children’s section of the web site and on web pages where data is collected from children.

Retroactive consent - The general requirements of this section include an obligation for an operator to obtain verifiable parental consent "before any collection, use and/or disclosure of personal information collected from children, including any collection, use and/or disclosure to which the parent has not previously consented." The commentary explains that this is meant to require verifiable parental consent prior to using or disclosing "any information already in its possession as of the effective date of the proposed Rule." This requirement for retroactive consent for use or disclosure of previously collected information is not specified in the Act, is contrary to usual and customary statutory precedents, would impose a tremendous burden on web site operators, and could prove to be unworkable.

Web site operators may not know what information in their files was obtained online before the Rule’s effective date. Web site operators frequently combine data from multiple sources and do not keep a record of the original source. Furthermore, they may not know how to obtain the parental contact information needed to obtain parental consent. The correct time to seek parental consent is when data is collected. Systems to track parental notification and consent cannot be set up retroactively.

Verifiable parental consent mechanisms - This section discusses mechanisms for obtaining verifiable parental consent and the commentary to the proposed Rule identifies some examples of ways in which consent may be obtained. We agree that web site operators should have latitude in choosing an appropriate mechanism for implementing parental consent. We urge the Commission to encourage electronic verification methods so as not to break the interactivity link between children and the web sites, to control costs, and to allow for technological innovation.

Some of the methods identified in the Rule, such as hard copy return of a consent form by postal mail or facsimile, while reluctantly used by web site operators currently, are not a satisfactory long-term solution. Such methods can cause a substantial delay before a child can participate in a web site’s activities and involve a substantial paperwork burden for web site operators. They may also depress consent rates, due to lack of fax machines, postage, and convenience.

Two other methods provided as examples in the proposed rule are expensive to implement. Toll-free numbers are too expensive for many web sites to operate as they involve significant telephone charges, labor expenses for a dedicated telephone operator, and capital and storage expenses for creating a tape verification system. Using credit card verification at a free site is also expensive, with a substantial charge for each verification and no revenue for operators to offset these verification charges from credit card companies.

Electronic verification is more promising. This can currently be accomplished effectively as long as parents have a separate e-mail address or password that has not been provided to the child. The use of digital signatures is an emerging technology that will also allow verifiable consent. The Commission also discusses the possibility of third parties or online service providers offering parental consent services. A related consideration is the use of filtering technology to provide consent. This emerging technology will allow parents to match their privacy preferences with the information practices of web sites their children may visit. Children would then be able to visit only those sites where the parent has implicitly provided parental consent. There should be no need for additional verification of parental consent with such privacy preference platforms.

Identification of parents – The proposed Rule provides parents with the right to review and make changes to personal information collected from their child. The proposed Rule places web site operators in a difficult position – requiring them to "ensure that the requestor is a parent of that child" while not making the process of seeking review "unduly burdensome to the parent". The commentary lists several possibilities for verifying parental identity, such as requiring a copy of the parent’s driver’s license or a previously assigned password.

One method to discourage requests from non-parents would be to require all requests in writing, with confirmation sent to the home address. There is however, another consideration not addressed in the proposed Rule. There may be situations in which a child provides information that the child does not want the parent to know about - or when a child seeks guidance about problems with the parent. In such situations, it would be potentially dangerous to the child to allow the parent to review such information. The Rule should allow exceptions in such situations.

Changing personal information – The proposed rule requires web site operators to allow parents an opportunity for "making changes to any personal information collected from the child." This requirement is inconsistent with, and much more extensive than the requirements specified in the Act. There is no mention in the Act of changing the data collected from the child. The Act only requires operators to provide "a description of the specific types of personal information collected….the opportunity to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information….and…a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child."

The right to alter data not only goes beyond the statutory mandate but could jeopardize web site operators’ ability to protect the confidentiality, security, and integrity of personal information collected from children. Furthermore, this requirement does not seem to be limited to corrections of errors and would appear to allow parents to make any changes to personal information, even if inaccurate. Given parents ability to refuse further use or maintenance of the data, the excessively broad right to alter data should be deleted.

* * * * * * *

Thank you for consideration of our comments. We would be happy to provide additional information if needed.

Rita D. Cohen
Senior Vice President
Legislative and Regulatory Policy