DARBY & DARBY

October 4, 2000

Reference: 0000/00901

Via E-Mail
Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, NW
Washington, D.C. 20580

RE: TRUSTe Safe Harbor Proposal—Comment, P004505

The authors are attorneys who represent web businesses, and our particular focus is on the children’s web industry. We represent many members of the children’s Internet industry, which range in size from some of the largest and most popular sites to some of the smallest as well as start-ups. In addition, Parry Aftab is in her own right a child safety and privacy advocate (and author of the book, The Parent’s Guide to Protecting Your Children in Cyberspace), as well as Executive Director of Cyberangels (www.cyberangels.org). As such, we submit these comments regarding TRUSTe’s application for Safe Harbor status under 16 C.F.R. 312.10, implementing the Children's Online Privacy Protection Act of 1998 ("COPPA").

We noted only two areas of TRUSTe’s application that required clarification. The matters that should be clarified are as follows:

1. Under COPPA, the notice to parents when a site has collected online contact information to respond more than once to a child’s specific request [16 C.F.R. § 312.5(c)(3)] needs to include all the information contained in the site’s privacy policy, 16 C.F.R. § 312.4(c)(1)(i), as well as additional information, including that the parent may require deletion of the information. Id. at (c)(1)(iii). The way the TRUSTe Agreement is drafted, it is unclear whether TRUSTe requires similar notice.

TRUSTe does require that notice to obtain parental consent include all the information contained in a site’s privacy policy. Schedule B ¶ 2. But it does not contain a similar requirement when the notice is not to obtain consent, but rather to notify the parent under 312.5(c)(3). In that case, discussed in Schedule B ¶ 4, the notice simply has to include the nature, use and distribution practices of the information collected, and "an opportunity for the parent to prevent the use of the information and participation in the activity."

Schedule B of the TRUSTe Agreement should be clarified to expressly require that all notices to parents include all the information contained in the site’s privacy policy; and with respect to notices under 312.5(c)(3), that the notice in addition contain the information set forth in 312.4(c)(1)(iii), and in particular that parents can require the deletion of the information and the way they can exercise that right.

2. COPPA requires that new consent be obtained for any "material change" in a site’s data collection, use or disclosure practices. See 16 C.F.R. § 312.5(a)(1). The TRUSTe Agreement provisions need to be clarified to make this requirement explicit.

The children’s part of the Agreement is silent on the issue of changes to a site’s privacy policy, leaving the general Program Requirements on the issue to apply. Those Requirements (TRUSTe Agreement Schedule A § 3(B)(vi)) state that sites can obtain electronic consent for changes, or they may under some circumstances simply post the changes at the site. In the latter case, the prior approval of TRUSTe must be obtained, but TRUSTe cannot unreasonably withhold such approval. Clarifying how this provision applies in the children’s context – that posting a material change is not an option, explaining when electronic consent could be used, etc. – would ensure that COPPA’s requirements are followed.

Once these issues are addressed, we urge the Commission to approve TRUSTe’s application. They have played an important role in helping websites (and consumers) appreciate the importance of online privacy.

Very truly yours,

PARRY AFTAB, ESQ.
NANCY L. SAVITT, ESQ.