Children's Online Privacy Protection Rule - Comment, P994504

TO: Federal Trade Commission
RE: Comments on the Commission's Proposed Rule to Implement
DATE: May 19, 1999

I. Introduction.

This comment focuses on the criteria used in Section 312.10(b)(2) for determining whether a privacy seal program has adequate "independent assessment mechanisms" in place to qualify for "safe harbor" treatment. Two examples included in the proposed Rule suggest that to qualify as safe harbors, privacy seal programs may conduct manual assessments of member sites. Because the cost of manual assessments is substantial, the Rule should include other examples of less expensive first-level mechanisms that would also suffice.

We propose that the safe harbor criteria be clarified to recognize that automated independent assessment processes can be used as a first-level assessment mechanism, when reinforced by manual assessments undertaken on a targeted as-needed basis. As discussed below, this two-step mechanism (automated first-level assessment, reinforced as needed by targeted manual assessment) would limit manual assessments to troublesome sites that merit close scrutiny. This approach would largely eliminate compliance costs for the vast majority of web sites, which are mom-and-pop operations. It could also yield greater compliance levels than random manual audits performed on a hit-or-miss basis.

II. Discussion.

These comments address the Commission's proposed criteria in rule 312.10(b)(2) for approving privacy seal programs as "safe harbors" under the Children's Online Privacy Protection Act of 1998. The idea for privately operated, government approved "safe harbors" appears central to the delicate balance struck by Congress between ensuring protection of children's privacy rights, while buffering the impact that direct regulation might otherwise have on the rapidly growing Internet. Safe harbor criteria in Section 312.10(b)(2) are the fulcrum of this balancing act.
These criteria merit careful attention by all web sites since they will be expected to comply with the rules as a condition to obtaining legal protection under safe harbor privacy seal programs.

PrivacyBot.com will soon launch a privacy seal program offering practical Internet-based tools for drafting privacy policies, registering for a privacy seal program and for consumers to file grievances and have them mediated in an online, largely automated dispute resolution procedure. While PrivacyBot will also provide manual assessment services on a targeted basis, our primary goal is to use automated systems to reduce compliance costs for the vast majority of web sites to a nominal amount.

The following addresses questions raised by the Commission; namely: what is the impact of the [safe harbor] provisions (including any benefits and costs) and, what alternatives, if any, should the Commission consider, as well as the costs and benefits of those alternatives? (see Section I: Questions on Prop. Rule No. 1).

1. The Impact of the Safe Harbor Provision (Including Benefits and Costs).

Section 312.10(b)(2) requires that, in order to be approved by the Commission, self-regulatory guidelines include an effective, mandatory mechanism for the "independent assessment" of subject operators' compliance with the guidelines. This emphasis on independent assessment reflects Congress's belief that self assessment has not worked to the level needed to protect overriding privacy interests of children.

Section 312.10(b)(2) indicates that independent assessment may be achieved by comprehensive reviews or by random reviews conducted by the industry group promulgating the guidelines, or by an independent entity, such as a seal program. Our concern with subsection (b)(2) is that, without further refinement, the limited examples contained in the clause may be viewed as imposing an expensive manual audit requirement as a condition for FTC approval of any safe harbor program.
Of course, use of the word "may" in the Rule indicates the examples given are merely illustrative, and authority to use random audits suggests 100 percent compliance is not expected. When the pricing structure of existing privacy seal programs is examined, it is apparent the cost of requiring manual audits, even on a random basis, is quite substantial. In one case, members are required to engage a local CPA and pay for quarterly audits. In other cases, membership dues are calculated as a percentage of a site's annual revenue. When out-of-pocket costs of supporting expensive manual processes are considered, the cost of compliance far exceeds that anticipated by Section G of the proposed Rule ("Paperwork Reduction Act").

One might argue that the proposed Rule has limited economic impact because it would only regulate the subset of children's web sites. But legislation has already been introduced that would extend similar rules to the millions of other sites (see, e.g., Senate Bill 809, introduced April 15, 1999 and referred to Senate Commerce Committee). It is notable that S809 contains "safe harbor" provisions identical to the Children's Act. It is therefore likely that this Rule will set a precedent for implementing future privacy laws regulating all sites.

Expensive manual assessment processes, like audited financial statements, would no doubt achieve a high level of compliance, but at substantial cost to an industry populated by mom-and-pop operations. Manual assessments are not mandated by the statutory language or the legislative history to the Act. Indeed, the procedures referenced in the proposed Rule are illustrative. As the Commission has noted, it is important to consider alternatives, particularly mechanisms that employ business process automation to provide an adequate level of independent assessment at nominal cost.

2. Automated Assessment Mechanisms Should Play a Role in Safe Harbor Programs.
As stated by the Commission, "What other mechanisms exist that would provide similarly effective and independent compliance assessment?" Our proposed alternative borrows from the provisions of Section 312.10(b)(3) that recognize consumer redress and mandatory public reporting of disciplinary action as effective incentives for compliance. We believe such incentives can be incorporated into an automated business process that provides effective first-level independent assessment. The first-level mechanism would still be reinforced by manual assessments, but they would be targeted more carefully at those web sites that are non-compliant.

In layman's terms, we are essentially proposing that carpet bombing and random bombing on a hit-or-miss basis be augmented by an alternative; namely, one that uses automated assessment mechanisms (like radar) backed up by targeted smart bombs aimed at problem sites as they are identified. We believe this approach may actually be more effective than the simple random audits already recognized by the Rules.

At PrivacyBot.com, for example, we have devised an automated system that uses consumer redress and public reporting as a first-level independent assessment mechanism. While the details of our seal program will be fully described in an upcoming request for "safe harbor" status, in summary, PrivacyBot consists of three interrelated subsystems:
A web site having a history of unresolved disputes would then be targeted for manual assessment, including "seeding" of their database to detect misbehavior and possible referral of uncooperative sites to governmental authorities. This two-step process (automated assessment followed, in appropriate cases, by targeted manual assessment) should greatly reduce compliance costs for the great majority of web sites, which are mom-and-pop operations. And, because all sites are subject to first-level assessment, it may actually improve the level of compliance that one might expect from simple random audits implemented on a hit-or-miss basis.

There will undoubtedly be a robust market for premium privacy seal programs. Just as larger firms pay for audited financial statements, larger web sites may conclude that an audited privacy statement provides value that is worth the extra cost. It would be a major policy decision, however, to interpret the Act as imposing an unfunded mandate that all web sites, regardless of size or past history, shoulder the cost of manually audited privacy statements as a condition of joining a safe harbor program.

We believe an automated system of "consumer redress" and "public reporting" of unresolved privacy disputes should be recognized as a viable first-level independent assessment mechanism for safe harbor qualification, when accompanied by back-up manual assessment on a targeted basis. We believe this approach is consistent with Congress's intention to achieve actual compliance at the lowest possible cost to the industry.

3. Suggested Modification to Section 312.10(b)(2).

For the reasons stated, we propose that Section 312.10(b)(2) be modified by adding a new clause (iii) as indicated by the bracketed language below:
III. Conclusion.

A recent survey indicates that online firms deserve considerable credit for making progress during the past year toward posting Internet privacy policies. Much remains to be done, of course, to ensure all web sites post policies meeting standard disclosure requirements and to assess actual compliance with those policies. We believe automated procedures have a role to play in the assessment process and, when properly reinforced by targeted manual audits, could achieve better results at less cost than random audits undertaken on a hit-or-miss basis.

Thank you for your time and consideration in this matter.

[PrivacyBot.com is an upcoming web site produced by the makers of QuickForm Contracts Online, a legal automation specialist in business since 1991 and on the web at http://www.quickforms.com since 1996].