November 30, 2001
VIA FEDERAL EXPRESS AND EMAIL
Donald S. Clark
Dear Secretary Clark:
The Entertainment Software Rating Board ("ESRB") appreciates the opportunity to submit this Public Comment in response to the Federal Trade Commission's (the "Commission") Request for Comments announced in the Federal Register on October 26, 2001. ESRB supports the recommendation of the Commission to extend the sliding scale approach for obtaining verifiable parental consent for an additional two years to April 21, 2004. Such an extension would permit a website operator to use an e-mail message from the parent, coupled with additional steps, to obtain verifiable parental consent for the collection and internal use of personal information from children.
Created in 1994, the ESRB is an independent, not-for-profit organization established to educate and protect consumers through self-regulatory programs such as "ESRB Privacy Online." ESRB Privacy Online is a third-party, privacy seal provider approved by the Commission as a safe harbor program for compliance with the Children's Online Privacy Protection Rule. We assist interactive entertainment software companies in protecting the rights of consumers--particularly children--through open disclosure and adherence to comprehensive principles for fair online information practices. Our goal is to help make the Internet a secure, reliable, and private place to share information, provide valuable educational and entertainment services, and conduct business.
Under the Children's Online Privacy Protection Act ("COPPA"), if a website operator is collecting personal information for its internal use only, such operator may obtain verifiable parental consent through the use of an e-mail message from the parent, coupled with certain additional steps. These additional steps, which are designed to provide assurances that the person providing the consent is the parent, include sending a confirmatory e-mail to the parent after receiving consent, or alternatively, obtaining a postal address or telephone number from the parent to confirm the parent's consent by letter or telephone call. At the time the Commission issued COPPA, it was anticipated that the sliding scale was only necessary in the short term because more reliable methods of obtaining verifiable parental consent were expected to soon be widely available and affordable. Based on our experience in working with website operators, as well as an analysis of the current state of verification technology, ESRB Privacy Online strongly believes that this is not yet the case.
I. Availability and Use of Secure Electronic Mechanisms or Infomediary Services.
With the exception of P3P technology, digital signatures, digital certificates, and other secure electronic mechanisms have been around for several years and available at a nominal cost. These electronic mechanisms have enabled individuals as well as large and small businesses, to secure a variety of electronic transactions, including email communications, electronic commerce, and electronic funds transfers.
Despite the availability of secure electronic mechanisms, however, companies still have not employed, on a widespread and consistent basis, these electronic mechanisms for use in facilitating verifiable parental consent. Rather, many companies that collect personal information from children under 13 use other reliable methods of obtaining verifiable parental consent--a "print, sign and send" parental consent form or the use of a credit card in connection with a transaction. These methods have worked for our participating companies since COPPA went into effect in April 2000. We anticipate that these two options will continue to be used as the preferred method for obtaining verifiable parental consent. This is not to say that ESRB Privacy Online would not encourage its participating companies to use an alternative, secure electronic mechanism such as digital signatures once they become more widely adopted. At this time, however, such mechanisms have been of limited utility since few parents are familiar with the technology, and those few have found the technology difficult to use. Thus, from a parent's perspective, the use of digital technology tools has been unattractive and impractical.
Unlike these digital verification mechanisms, infomediary services that facilitate verifiable parental consent are few and far between. In fact, ESRB Privacy Online is familiar with only one company that qualifies as an adequate infomediary for purposes of obtaining and verifying parental consent. To our knowledge, this company has not made a significant impact in the area of parental consent management.
II. Proposed Amount of Time for Extension
By proposing to extend the expiration date for the sliding scale, ESRB believes the Commission is again demonstrating its commitment to balance the need to protect children online with the need for organizations to maintain manageable business practices. ESRB Privacy Online commends the Commission for its continued commitment to these goals and fully supports the proposed extension. We believe that an extension of two years will give companies an opportunity to further incorporate the use of secure electronic mechanisms into their website capabilities and for parents to learn more about how these mechanisms operate and what steps they need to take to effectively use this technology as a means of verification and consent. Also, additional time is necessary for organizations that offer infomediary services to surface and fulfill the increased need for affordable outsourcing assistance in managing the parental permission process. It is ESRB Privacy Online's hope that secure electronic mechanisms and infomediary services become more available over the course of the next two years and achieve their full potential as more efficient and cost-effective alternatives to either the print and send form or the use of a credit card in connection with a transaction.
III. Impact of the Proposed Extension
Companies participating in our privacy program currently use reliable methods of obtaining verifiable parental consent, such as a parental permission form or the use of a credit card in connection with a transaction. However, ESRB Privacy Online understands that many online businesses are relatively small and have limited resources to support the extensive internal operations necessary to receive, verify, and process parental permission forms. As such, it is our belief that phasing out the sliding scale approach at this time would have a considerable negative impact on many businesses on both an economic and practical level. This is especially true for small to mid-size companies to the extent that some may be forced to cease certain operations entirely.
In sum, ESRB Privacy Online firmly supports a two-year extension of the sliding scale period from April 21, 2002 until April 21, 2004. This extension is warranted since (i) the availability and use of efficient, reliable, and cost-effective verification alternatives, such as secure electronic mechanisms and infomediary services, have yet to achieve their potential as viable options; and (ii) eliminating the sliding scale at this time would have significant negative economic and practical consequences for consumers, businesses, and the online space in which they participate. Our experience has shown that businesses, especially those operating websites directed to children under 13, have exhibited a good-faith effort to comply with COPPA. Compliance is primarily limited by a lack-of-knowledge combined with the administrative and financial costs associated with implementing meaningful and effective compliance mechanisms. We have also concluded that many parents are concerned about online privacy and would consider adopting any reasonable mechanism which would ensure that their children's personal information is secure. ESRB Privacy Online believes that it is these goals--and the further development and adoption of means by which to achieve them--that warrant the two-year extension of the sliding scale approach.
Marc E. Szafran