Childrens Online Privacy Protection Rule
June 11, 1999
Bruce D. Bower
Ronald L. Plesser, Of Counsel
James J. Halpert
ZapMe! Corporation, a pioneer in supplying free high-performance computers and high-speed Internet access to schools across the country, is pleased to respond to the Commission's request for comments regarding its Notice of Proposed Rulemaking ("NPRM") for the Childrens Online Privacy Protection Act of 1998 ("COPPA" or "the Act"). ZapMe! strongly supports protections for children's privacy. We hope that these comments will assist the Commission in its commendable efforts to develop responsible information practices governing the collection, use, and disclosure of personal information obtained from children online.
A. ZapMe!s Next Generation Network
ZapMe! is leading the next generation of Internet service providers by bringing broadband Internet services to America's pupils at no cost to schools. The typical ZapMe! school installation consists of up to 15 new, high-performance PCs, 17" monitors, a server, and a satellite dish. Through its high-speed network, students and teachers can access ZapMe!s collection of the 10,000 best educational sites as well as other valuable materials on the Internet. Our network also allows students 13 and older to communicate via e-mail and, eventually, students will be able to share their ideas and experiences with each other in chat rooms consistent with the Commissions regulations. Our system also includes free Microsoft office software so that todays students can learn the skills they will need for the future while doing their homework and projects.
Schools and parents have greeted us with an overwhelmingly positive response. ZapMe! is closing the enormous technology gapestimated at up to $42 billion in our resident state of California alonein our nations schools. And because ZapMe! connects students to the Internet through state-of-the-art satellite-based broadband technology, our network is ideally suited to meeting the federal governments mandate to bring the Internet to schools throughout the nation, particularly in rural or under-developed areas that enjoy little hard-wired infrastructure.
ZapMe! has taken numerous steps to ensure that our network is safe for our students. We are commencing a program that allows schools to choose to screen Internet usage with the Cyber-Patrol filtering software, which limits access to inappropriate sites. We also screen all advertisements that appear on our netspace to ensure that they do not promote inappropriate products or materials. When our ZapChat program becomes operational, it will initially be available only at school (as opposed to home) so that local school administrators, at their discretion, and/or ZapMe! employees can monitor these communications to ensure safety. Any extensions of this service will be implemented with these privacy concerns in mind.
B. ZapMe!s Robust Privacy Policies
ZapMe!s privacy protection policies are similarly robust. We register all students through a blind system administered by the schools so that we do not know any student identities. After a school signs up for the ZapMe! network, we issue the school a set of generic user names and passwords. Students then register by selecting their own anonymous user names while giving the schooland the school onlytheir real identities. ZapMe! then collects only a small set of non-personally identifying information limited to age, gender, school location, and system use. In order to further protect privacy and promote local control, ZapMe! necessarily relies on schools to administer any parental consent programs before giving students access to the network.
C. These Comments
ZapMe! suggests that the Commission make a number of changes to its proposed rules in order to facilitate children's access to important educational experiences online while ensuring their privacy and safety. In particular, we respectfully urge the Commission to do the following:
In addition, we strongly encourage the Commission to hold a workshop and to receive reply comments on the important issue of how COPPA applies in the context of children's access to online information in the school and library environments.
The Commission should clarify in its final rules that ZapMe! and other online services may obtain "verifiable parental consent" for purposes of COPPA through schools and their boards. Section 312.5. As a leading architect of COPPA stated during its consideration, COPPA's consent standard is a "flexible" one that requires examination of multiple considerations. 144 Cong. Rec. at S11657 (Statement of Sen. Bryan) (Oct. 7, 1998) ("Bryan Statement"). Access to the Internet from schools and libraries is precisely the sort of situation that demands this flexibility.
Children's access to online information from schools and libraries raises unique issues under COPPA. COPPA's legislative history recognizes that implementation of the statute's parental consent requirement in schools and libraries is an issue that merits special consideration by the Commission. Id. Indeed, the legislative history expressly states that the legislation was crafted with the "understand[ing] that the FTC will consider how schools, libraries, and other public institutions that provide Internet access to children may accomplish the goals of this Act." Id.
For purposes of the statute, the Commission should recognize that teachers and school administrators in a school district act as "guardians" for the children under their care for purposes of 15 U.S.C. § 6501(7), which grants them the authority to consent to children's online usage. In the school context, an operator almost always offers service through the school, rather than to individual families. The school, in turn, secures consent for the child's Internet usage through various means depending on the districts policies. With this consent, the school then acts in loco parentis with the authority to direct the child's Internet usage in schools.
Our proposal best serves the purposes of COPPA. It would give educators acting with parental consent control over children's online experiences in the educational setting. It also would greatly simplify schools' consent obligations under the E-rate program and other means of online access in schools. Requiring the online service to obtain consents under these circumstances, on the other hand, would be infeasible if not impossible. At the very least, it would significantly increase the cost of providing many forms of Internet and online service to schools, undermining the goals of the E-rate program as well as efforts to provide free broadband access to schools.
Perhaps most importantly, requiring the online service to obtain consent directly would fly in the face of COPPAs goal of promoting privacy: online providers such as ZapMe! that go to great lengths to avoid receiving personal information would be forced to collect that informationin the form of the parents contact datain order to comply with the Act. Moreover, requiring operators to seek consent directly would run into schools' sensible reluctance to provide contact information for parents of children in their schools. In contrast, allowing schools to grant consent would satisfy COPPAs statutory requirements and further its purposes, including "preserv[ing] children's access to information in this rich and valuable medium." Bryan Statement at S11657.
ZapMe! further recommends that the Commission clarify the meaning of the term "publicly available" in the definition of "disclosure" so as to exclude chat rooms that are available only in a closed educational setting. Section 312.2(b). Under the current definition, "disclosure" applies broadly to a host of services, including chat rooms, that "would enable a child to reveal personal information to others online." Id. Thus, any chat room open to the public would inevitably lead to "disclosure" because it would enable children to make personal information "publicly available."
This is not the case when chat rooms or similar electronic fora are closed to the public. If an operator limits access to chat rooms to a defined group, information disclosed by students themselves on these services is not "publicly available" within the meaning of 15 U.S.C. § 6502(4) or the proposed rule.
Moreover, powerful reasons support allowing limited chat for children in non-public situations. ZapMe! agrees wholeheartedly with the Commission's concern about adults initiating contacts with children in online fora such as chat rooms. However, we believe that school-based educational chat rooms available only to students and teachers provide significant educational benefits for students without raising the concerns presented by public chat rooms. Providing protected fora for students to exchange ideas with their classmates would promote education and community building. Through such a system, students could discuss assignments and debate current events with their classmates and even their colleagues across the country. While ZapMe! does not yet offer chat to any age group, we plan to do so for those thirteen and older. ZapMe!s chat rooms will further promote security by allowing local school officials and/or ZapMe! employees to supervise the chat. The proposed clarification, coupled with a change in the definition of "collection" discussed below, would allow ZapMe! to provide protected service to all ZapMe! network schools.
The NPRM's attempt to define "collection" sweeps so broad that it apparently makes operators liable under the Act in any number of scenarios where they may receive "personal information" despite their best efforts to avoid doing so. Current Section 312.2 defines "collection" to include "passive . . . collection using a chat room, message board, or other public posting of such information." Under this definition, operators of sites directed to children or with notice of a childs age are apparently strictly liable whenever, for example, they receive an e-mail (which automatically reveals a child's e-mail address), or a child posts his or her name or other personal information in an otherwise anonymous chat room.
The broad definition of "collection" is also in tension with the notice provisions of the NPRM itself. These notice provisions require sites to include their e-mail address in the posted privacy notice. Section 312.4(b)(2). This notice, of course, is designed to elicit e-mail messages, possibly from children.
The Commission should therefore narrow the definition of "collection" to clarify that it does not impose strict liability. In particular, the regulations should not impose liability for the mere receipt of an e-mail address that was not solicited or solicited only through the NPRMs own notice requirements. Nor should the operation of an anonymous chatroom in which a child chooses to post personal information contrary to the rules of the forum trigger COPPAs notice and consent obligations.
Finally, ZapMe! respectfully urges the Commission to clarify two ambiguities in § 312.2's definition of "personal information." First, as currently drafted, paragraphs (g) and (f) could collectivelyand unreasonablyimpose liability on an operator for using screen names in an effort to avoid collecting personal information. Paragraph (f) defines "personal information" to include, among other things, "a persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with personal identifying information." Paragraph (g) then further extends the definition of "personal information" to "information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this paragraph." The meaning of "an identifier described in this paragraph" is unclear. It could include (1) only identifiers that are associated with "personally identifying information," or (2) identifiers in paragraph (f) that are not associated with such information.
While the present text of the regulation is unclear, the intent of Congress and the Commission is not. Section 312 should not cover information such as screen names that do not require "personal information" under the statute. Online services such as ZapMe! must assign a screen name or some other sort of anonymous log-on identifier even if they are making all possible attempts to protect the privacy of children. In order to make clear that operators do not violate these regulations when they use screen names, the Commission should delete "in this paragraph" and insert the phrase "that is associated with personal information" at the end of paragraph (g).
The Commission should also clarify a second ambiguity in paragraph (f): the use of the term "personal identifying information." This term is both undefined and different from the defined term "personal information" used throughout the regulations. The meaning of "personal identifying information" is thus unclear. If the distinction is inadvertent, the term should be replaced with "personal information." If the Commission does intend some different scope of the current term, we urge the Commission to define this different scope.
ZapMe! respectfully requests the foregoing clarifications, changes, and implementations for the Commissions proposed COPPA regulations.