May 25, 2000

Via E-Mail

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, NW
Washington, D.C. 20580

RE: CARU Safe Harbor Proposal—Comment, P004504

This firm is a cyberlaw boutique that represents web business. Our particular focus is on the children’s web industry. We represent many members of the children’s Internet industry, which range in size from some of the largest and most popular sites to some of the smallest as well as start-ups. In addition, Parry Aftab (a principal of this firm) is in her own right a child safety and privacy advocate (and author of the book, The Parent’s Guide to Protecting Your Children in Cyberspace), as well as Executive Director of Cyberangels (www.cyberangels.org). As such, we submit these comments regarding CARU’s application for Safe Harbor status under 16 C.F.R. 312.10, implementing the Children's Online Privacy Protection Act of 1998 ("COPPA").

We urge the Commission to approve CARU’s application for safe harbor status, once the matters set forth below are addressed.

CARU is a highly respected industry watchdog group, and its application as a whole contains the elements the Commission should look for in approving an application under the safe harbor provision. Its assessment and enforcement mechanisms are admirable. With respect to its online Data Collection Guidelines ("Guidelines" and/or "Principles"), a few additional provisions can help clarify what is expected of websites that adhere to CARU’s rules. CARU’s influence is such that many websites that are not members of CARU look to CARU’s guidelines and attempt to follow them. Accordingly, it is important that the written Guidelines and Principles contain all the necessary provisions required by COPPA. As will be seen, virtually all the suggested changes are already contained in CARU’s 21 page application cover letter to the Commission ("cover letter"). The matters that should be clarified are as follows:

1. CARU should clarify what information can be collected without prior parental consent. That is, the Guidelines need provisions similar to 16 C.F.R. 312.5(c), setting forth the limits of what information can be collected from children, for what purposes and how that information can be used or maintained. The Application currently has a provision similar to 312.5(c)(3) (see Principle 5), but needs to set forth the other exceptions. For example, without a provision such as 312.5(c)(1), a website operator would have no guidance as to what information can be collected for the purpose of obtaining parental consent.

2. Privacy Policy Link - In their cover letter (p.8) CARU states that the "Guidelines specifically provide that there be a prominent link to the operator’s privacy policy both from the home page and before any information is collected from a child," citing Guideline 1 at p.10. Guideline 1 should be modified so as to make this requirement clearer. "Before" can be interpreted to refer to time, rather than location, and the home page link requirement is only spelled out with respect to passive tracking. This can be accomplished by, for example, changing the second sentence to the following: "The disclosure notice should be prominent and readily accessible both at the homepage and at each area of the website where information is collected."

One additional suggestion with respect to Data Collection Guideline 1: we are unsure whether a link labeled "Note to Parents" is sufficient to clearly advise parents that the privacy policy can be found there. We suggest that that particular label be deleted from the list of examples of acceptable headings for the privacy policy links.

3. CARU’s cover letter (p.8) states that while the Guidelines do not specifically state how the operators must identify themselves in the notice or privacy policy, the requirements of the COPPR in this regard will have to be complied with. We suggest that the requirement of the COPPR be expressly included in the Guidelines, by, for example, adding to Guideline #1 the following sentence: "The company must include its name, address, email address and telephone number in its disclosure notices."

4. The cover letter at p. 10, in a paragraph beginning "Similarly, where online information collection or activities do trigger the need for verifiable parental consent," contains procedures consistent with COPPA for the contents of parental notice. We suggest that these procedures and requirements be included in the written Principles and Guidelines. We note, for example, that Principle #3 says that a company must obtain prior written consent before it can share personal information with third parties, but it does not contain the requirement that parents have the right to refuse to permit such disclosure while still being allowed to use the website. The referenced paragraph on p. 10 of the cover letter makes clear that CARU does in fact require this disclosure. Similarly, at p. 12 of the cover letter ("Thus, where verifiable parental consent is needed"), CARU states that parents must be told why their consent is necessary, how the information will be used, and how they can review or delete such information. These and other requirements for the contents of the notice and disclosure should be included in the Guidelines.

There is one minor matter that we point out simply for consideration.

The cover letter states at p. 10 that the CARU "Guidelines further provide that parental contact information should be used only for the purposes of providing notification or obtaining the requisite consent." An unnumbered paragraph of the Guidelines states that, "To respect the privacy of parents, information collected and used for the sole purpose of obtaining verifiable parental consent or providing notice should not be maintained in retrievable form by the site if parental consent is not obtained after a reasonable time." This is slightly different from the statement in the cover letter, as it does not discuss what can be done with the information collected if the parent does in fact consent. Either or both requirements should be sufficient, but if the statement in the cover letter is what is intended, we suggest that the language in the Guidelines be clarified.

CARU’s application exceeds COPPA in several regards, particularly in requiring that certain disclosures be written so as to be understood by children, not just parents, and requiring clear notices to children to ask their parents for permission before they answer questions. This is consistent with CARU’s practice of requiring responsibility in the industry where children are concerned. In conclusion, we urge the Commission to grant CARU’s application for safe harbor status under 312.10, once the issues raised in this comment have been addressed.

Very truly yours,