TRUSTe Safe Harbor Proposal -- Comment, P00450---

Donald S. Clark
Secretary
Federal Trade Commission
Room H-159, 600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Dear Mr. Clark:

The Center for Media Education, the Consumer Federation of America, the American Academy of Child and Adolescent Psychiatry, Junkbusters Corporation, the National Alliance for Non-violent Programming, the National Association of Elementary School Principals, Privacy Times, and Public Advocacy for Kids ("CME/CFA et al.") respectfully submit these comments in response to the Federal Trade Commission's ("FTC" or "Commission") Notice of Proposed "Safe Harbor" Guidelines and Request for Public Comment on the Application of TRUSTe, 65 Fed. Reg. 54278 (September 7, 2000). CME/CFA et al. is a broad coalition of child advocacy, education, health and parents groups dedicated to improving the quality of electronic media, especially on behalf of children and their families.⁽¹⁾ CME/CFA et al. have a strong interest in ensuring that the Commission approve only self-regulatory guidelines that fully comply with the FTC's rules and with the underlying purpose of the Children's Online Privacy Protection Act ("COPPA"), i.e., to prohibit the collection of personal information from children without the verifiable informed consent of their parents.

INTRODUCTION

The TRUSTe Safe Harbor Application is one of the first batch of applications submitted for approval under the Safe Harbor provisions of the Children's Online Privacy Protection Rule, 64 Fed. Reg. 59888 (Nov. 3, 1999) ("COPPR"). As CME/CFA et al. have indicated in comments to previous applications, the Commission's response to the first generation of Safe Harbor applications, such as TRUSTe's proposal, will set the standard for applications submitted in the future. Approval of inadequate guidelines would set a dangerous precedent that would undermine the goal of protecting children's privacy in the online environment. Accordingly, it is imperative that the Commission carefully review TRUSTe's proposed guidelines to ensure that they meet the spirit and the letter of the Commission's rules and the Act itself.

Section 312.10(b) of the COPPR states that, to be approved, self-regulatory guidelines must include "substantially similar requirements that provide the same or greater protections for children as those contained in sections 312.2 through 312.9 of the rules."⁽²⁾ The TRUSTe Application⁽³⁾ comports with many of the major provisions of the COPPR.

Nonetheless, CME/CFA et al. believe the TRUSTe Guidelines fail to provide "the same or greater" protection as several critical requirements in the COPPR. Accordingly, CME/CFA et al. recommend that the Commission condition any approval of the TRUSTe Application on TRUSTe's amendment of its Guidelines to address the insufficiencies identified in these comments, as well as any other shortcomings the Commission may recognize.

The discussion below identifies each of the deficiencies in the TRUSTe Application in order of the COPPR's requirements. Although many of the deficiencies are minor, all of them contribute to TRUSTe's failure to provide the "same or greater" protections for children. Four deficiencies are of particular concern. First, the TRUSTe Guidelines omit the acceptable mechanisms for verifying parental consent enumerated in Section 312.5(b)(2) of the COPPR. By replacing the COPPR's inclusive list with an open-ended one, TRUSTe fails to provide sufficient guidance to its licensees to ensure the use of reliable verification methods. Second, the TRUSTe Guidelines omit the requirements in Sections 312.4(c) and 312.5(a)(1) of the COPPR that operators provide notice and obtain new parental consent, respectively, regarding any material change in their information practices. That omission may enable operators to collect, use or disclose children's personal information in ways to which a parent has not actually consented. Third, the TRUSTe Guidelines omit the COPPR's Section 312.6(a)(3) requirement that, upon request, parents must be provided a means of reviewing personal information collected from their children that is not unduly burdensome. Without such a limitation on an operator's choice of means, a parent's ability to exercise the right of review, guaranteed by COPPR, could be severely limited. Finally, the organization of the TRUSTe Children's Seal Program requirements (TRUSTe License Agreement - 6.0, Schedule B) is confusing and the TRUSTe Guidelines fail to delineate the interaction between the License Agreement and the Compliance Document.

I. TRUSTe's PROPOSED GUIDELINES FAIL TO MEET THE NOTICE REQUIREMENTS OF SECTION 312.4

A. Section 312.4(b)(1)(i) - All Links to the Privacy Policy Must be Clearly Labeled as a Notice of Information Practices Regarding Children

Section 312.4(b)(1)(i) of the COPPR requires that an operator's link to notice of its privacy policy "must be clearly labeled as a notice of [its] information practices with regard to children."⁽⁴⁾ Although Section 7 of TRUSTe's Children's Seal Program includes a similar requirement, it is unclear from TRUSTe's language whether its labeling requirement applies to all relevant links to the privacy policy.

Section 7 of the Children's Seal Program identifies placement requirements for links to an operator's Privacy Statement. It requires that a link to the Privacy Statement be prominently located on the operator's home page and in any area where children directly provide or are asked for personally identifiable information, near the requests for such information. In addition, Section 7 requires that a link to the Privacy Statement be placed on the home page of any separate children's area. Although Section 7 appropriately includes a requirement that the link be labeled to "clearly indicate that the Privacy Statement includes information about the site's information practices with regard to children,"⁽⁵⁾ it is not clear to which links the labeling requirement applies.

Accordingly, in order to comply with Section 312.4(b)(1)(i) of the COPPR, the TRUSTe guidelines should be amended to require that all links described in Section 7 be clearly labeled as notice of its information practices regarding children. This could be accomplished through an explicit statement to that effect in Section 7 or by amending the last sentence in the introductory paragraph in the Children's Seal Program to require placement of the TRUSTe Children's Seal Mark and its associated privacy statement in all the locations described in Section 7.

B. Section 312.4(b)(2)(iv) - Fact of Disclosure of Information to Third Parties Must be Stated

Under Section 312.4(b)(2)(iv) of the COPPR, a notice of an operator's information practices must state whether personal information is disclosed to third parties. If there is such disclosure, the notice also must include, among other things, information about the third party and its use and safeguarding of personal information. The TRUSTe Children's Seal Program, fails to require an affirmative statement whether information is disclosed to third parties. Instead, Section 9 of the TRUSTe Children's Seal Program only requires that "if information is transferred to third parties,"⁽⁶⁾ [emphasis added] the privacy statement must include all the additional information required by Section 312.4(b)(2)(iv) of the COPPR. As a result of TRUSTe's failure to require the initial disclosure as to whether information is disclosed to third parties, consumers may not understand the significance of the third party information and may not thoroughly consider their right to withhold consent to disclosure. Such a result could undermine the COPPR's goal of informed consent. Accordingly, in order to comply with Section 312.4(b)(2)(iv) of the COPPR, TRUSTe's guidelines should be amended to require an affirmative statement whether personal information is disclosed to third parties.

C. Section 312.4(c) - Parents Must be Notified of Material Changes in Operator's Information Practices and of Procedures for Providing Consent.

Section 312.4(c) of the COPPR requires operators to make reasonable efforts to ensure that a parent receives notice of the operator's information practices regarding his/her child's personal information, including any material change in information practices to which the parent previously consented. The TRUSTe Children's Seal Program fails to require parental notice for material changes in an operator's information practices. Although the TRUSTe License Agreement requires that operator's obtain prior approval from TRUSTe for such material changes,⁽⁷⁾ it does not require notice to parents or users. That omission could enable operators to collect, use and disclose children's personal information in new ways while keeping parents in the dark. Such a result would directly undermine the goal of informed consent upon which the COPPR is based. Accordingly, before the TRUSTe Guidelines are deemed to provide the "same or greater" protections as the COPPR, they should be amended to require notice to parents whenever there is a material change in the operator's information practices.

D. Organization of TRUSTe Privacy Statement Requirements Should Be Revised to Avoid Confusion

Apart from deficiencies noted above, the notice provisions as drafted are somewhat difficult to understand. Sections 8 and 9 of the TRUSTe Children's Seal Program describe information that must be set forth in an operator's privacy statement, but the division of requirements between the two sections and the integration of required information pertaining to notice, consent and review make the Children's Seal Program requirements confusing.

In order to ensure that operators understand and uniformly comply with the requirements of the TRUSTe Children's Program privacy statement in the context of other Children's Program requirements, we recommend that TRUSTe amend its Application to reorganize the two sections. One section would include information pertaining to the operator and its practices (e.g., identification of operators, contact information, types and means of information collection, for what purpose, whether information is disclosed to third parties and information about the third parties). The second section would include information about parental rights and procedures (e.g., right to opt-out of disclosure, right to review, order deletion, or refuse further use of child's information).

II. TRUSTe's PROPOSED GUIDELINES FAIL TO MEET THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF SECTION 312.5

The parental consent provisions of the TRUSTe guidelines are incomplete and confusingly scattered throughout Sections 1, 2, and 4 of the Children's Seal Program Requirements (Schedule B). In addition to the confusion created by the organization of TRUSTe's requirements, the TRUSTe Parental Consent provisions fail to provide the "same or greater protections" as §§ 312.5(a)(1), 312.5(b)(1), 312.5(b)(2), 312.5(c)(2), 312.5(c)(3), 312.5(c)(5) of the COPPR as described below.

A. Section 312.5(a)(1) - Parental Consent Must be Obtained for Any Material Change in Information Practices

Section 312.5(a) requires that operators obtain verifiable parental consent for any "material change in the collection, use, and/or disclosure practices to which the parent has previously consented."⁽⁸⁾ This requirement is completely omitted in the TRUSTe guidelines. That omission could enable operators to collect, use or disclose children's personal information in ways to which a parent has not actually consented. As with TRUSTe's similar omission regarding parental notice, such a result would be contrary to the COPPR's fundamental goal of informed parental consent. Accordingly, in order to provide the "same or greater" protections as the COPPR, the TRUSTe guidelines should be amended to require verifiable parental consent to any material change in the information practices to which a parent previously consented.

B. Sections 312.5(b)(1) and (b)(2) - Parental Consent Must Be Verifiable and Acceptable Verification Methods Must Be Delineated

Section 312.5(b)(1) of the COPPR requires, in addition to reasonable efforts to obtain parental consent, that operators use a method "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."⁽⁹⁾ Section 312.5(b)(2) of the COPPR provides an inclusive list of five acceptable methods for obtaining verifiable parental consent. However, for information uses that are primarily internal, not "disclosures" as defined in Section 312.2 of the COPPR, operators may use e-mail, a less reliable method of verification, coupled with specified additional verification steps until April 21, 2002.⁽¹⁰⁾ If an operator chooses to use the less secure e-mail mechanisms, it must also provide notice that the parent can revoke any consent given in response to the earlier e-mail.

The TRUSTe Children's Seal Program falls short of the protections required by COPPR in two ways. First, the TRUSTe provisions fail to emphasize the COPPR's dual requirement that parental consent not only be obtained but also be verified. Section 1 of the Children's Seal Program requires reasonable efforts "to ensure that consent for collection is actually obtained from a child's parent."⁽¹¹⁾ That provision can be read to require efforts to obtain a consent without appropriately emphasizing that the consent must be verified as from the actual parent. The COPPR specifies that, in addition to making reasonable efforts to "obtain" consent, the operator must use a method reasonably calculated to "ensure that the person providing consent is the child's parent."⁽¹²⁾ TRUSTe's failure to clarify the distinction dilutes the impact of the dual requirement for verifiable parental consent.

Second, and most importantly, the TRUSTe guidelines neglect to incorporate the inclusive list of acceptable mechanisms for verifiable parental consent itemized in Section 312.5(b)(2) of the COPPR. Rather, Section 1 of the Children's Seal Program states that "Mechanisms for consent may include, but are not limited to . . ." offline consent by mail or facsimile, or online consent with a verifiable unique identifier like credit card information. In light of the extensive consideration given to this particular subject by the Commission,⁽¹³⁾ replacing the COPPR's inclusive list of acceptable mechanisms with an open-ended one could enable operators to adopt verification methods the Commission has deemed unreliable.

Furthermore, Section 1 of the Children's Seal Program contains language that may confuse operators about the reach of the verifiable parental consent requirement. The statement that verifiable parental consent shall "relate" to the type of information, use or distribution⁽¹⁴⁾ may be an attempt to reflect the sliding scale of acceptable verification mechanisms found in Section 312.5(b)(2) of the COPPR. However, without a more thorough description of the different mechanisms that must be applied to different information uses, the TRUSTe provision requires operators to speculate about the nature and relevance of relationships between the verifiable consent requirement and various information practices.

Accordingly, in order to provide the "same or greater" protections as the verifiable parental consent provisions in the COPPR, the TRUSTe Guidelines should be amended to limit allowable mechanisms for obtaining consent to those identified by the Commission in the COPPR's inclusive list, and clarify the circumstances under which less reliable mechanisms may suffice. In addition, the TRUSTe Guidelines should be amended to require, explicitly, that reasonable efforts be undertaken to ensure not only receipt of consent, but also that consent is provided by the actual parent.

C. Section 312.5(c)(1) - Exception for Notice or Consent Purpose Requires Deletion if Consent Not Received

Section 312.5(c)(1) of the COPPR provides an exception to the requirement of prior parental consent for the collection of contact information for the "sole purpose of obtaining parental consent or providing notice."⁽¹⁵⁾ If consent is not received after a reasonable time, the contact information must be deleted from the operator's systems. Section 4 of the TRUSTe Children's Seal Program includes this exception to the prior parental consent requirement, but completely omits the additional requirement that the contact information be deleted if consent is not received. This requirement should be added to TRUSTe's guidelines in order to provide the "same or greater" protections as the COPPR.

D. Section 312.5(c)(2) - Exception for One-Time, Direct Response Requires Subsequent Deletion and No Re-Contact

Section 312.5(c)(2) of the COPPR provides an exception to the requirement of prior parental consent for the collection of a child's personal information for the "sole purpose of responding directly on a one-time basis to a specific request from the child, and where the information is not used to re-contact the child and is deleted by the operator from its records."⁽¹⁶⁾

Section 4 of the TRUSTe Children's Seal Program includes this exception to the prior parental consent requirement, but completely omits the requirement that the personal information collected by the operator be "deleted . . . from its records" subsequent to the one-time contact. In addition, unlike the COPPR which states that the information cannot be used to re-contact the child at all, TRUSTe requires only that the information not be used to re-contact the child "for other purposes." This leaves the door open for limited re-contact beyond that allowed under the COPPR. In order to provide the "same or greater" protections as the COPPR, the TRUSTe guidelines should be amended to clarify that one-time, direct responses are excepted from the parental consent requirement only if the child's information subsequently is deleted from the operator's records and the information is not used to re-contact the child at all.

E. Section 312.5(c)(3) - Exception for More Than One Direct Response Prohibits Use for Any Other Purpose

Section 312.5(c)(3) provides an exception to the prior parental consent requirement for the collection of a child's personal information in order to "respond directly more than once to a specific request from the child."⁽¹⁷⁾ Information collected under this exception may not be used for any other purpose, and the operator must make reasonable efforts to "ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information . . . immediately after the initial response and before making any additional response to the child."⁽¹⁸⁾ In addition, COPPR specifically states that mechanisms to provide such notice "do not include asking a child to print a notice form or sending an e-mail to the child."⁽¹⁹⁾

The TRUSTe Guidelines fall short of the protections required by Section 312.5(c)(3) of the COPPR in three ways. First, the TRUSTe guidelines omit an important requirement that children's information obtained under this exception may not be used for any other purpose. Section 4 of the TRUSTe Children's Seal Program includes this exception to the prior parental consent requirement. However, rather than prohibiting the use of the child's information "for any other purpose," the TRUSTe guidelines merely prohibit the use of that information to "recontact the child beyond the scope of that request." Such a limitation fails to protect the child from uses that do not involve re-contact, including potential disclosure to third parties.

Second, the language of the TRUSTe Guidelines weakens the requirements of Section 312.5(c)(3) of the COPPR regarding notice to parents and the opportunity to prevent further use of a child's personal information. Rather than requiring reasonable efforts, taking into account available technology, to "ensure that a parent receives" notice, Section 4 of the Children's Seal Program merely requires reasonable efforts to "provide" parental notice. Such a requirement, unlike Section 312.5(c)(3) of the COPPR, implies no obligation to consider the effectiveness of notice mechanisms. Furthermore, the critical requirement that parents be given the opportunity to prevent the future use of their children's information is lost in the confusing language of the last sentence of Section 4,⁽²⁰⁾ which seems to focus not on parental rights, but on the existence of distinctions between notice requirements for different information uses. Not only is the parental right to prevent future use of information weakened by placement in this confusing and unrelated provision, but the TRUSTe guidelines completely omit the requirement that parents be given the opportunity to exercise that option before the operator makes any additional response to the child.

Finally, the TRUSTe Children's Seal Program includes no discussion at all of appropriate mechanisms for providing the parental notice required under this exception. Although Section 312.5(c)(3) of the COPPR provides only a non-inclusive list of mechanisms, it explicitly prohibits "asking a child to print a notice form or sending an e-mail to the child."⁽²¹⁾ By excluding this prohibition, the TRUSTe guidelines fail to protect against notice mechanisms the Commission has explicitly forbidden.

Accordingly, in order to provide the "same or greater" protections under this section, the TRUSTe guidelines should be amended to clearly state that the collection of children's information for the purpose of responding directly more than once to a specific request may be exempt from the verifiable parental consent requirements only if the information is not used for any other purpose. In addition, the TRUSTe guidelines should clarify operators' obligation to make reasonable efforts to ensure not only provision, but also receipt of notice and should require that a parent be given an opportunity to prevent further use of a child's information before the operator makes any additional response to the child. Finally, the guidelines should be amended to specify that "asking a child to print a notice form or sending an e-mail to the child" is not an acceptable form of parental notice.

F. Section 312.5(c)(5) - Exception for Security, Liability, Etc. Prohibits Use for Any Other Purpose

Section 312.5(c)(5) of the COPPR provides an exception to the prior parental consent requirement for the collection of a child's name and online contact information to the extent necessary to protect the security or integrity of the operator, to protect against liability, to respond to judicial process or as permitted under other provisions of law. Again, this exception applies only when the child's information is not used for any other purpose. Section 4 of the TRUSTe Children's Seal Program includes this exception to the prior parental consent requirement, but omits the additional requirement that contact information not be used for any other purpose. In order to provide the "same or greater" protections as the COPPR, the TRUSTe guidelines should be amended to include the above requirement.

III. TRUSTe's PROPOSED GUIDELINES FAIL TO MEET THE PARENTAL REVIEW REQUIREMENTS OF SECTION 312.6

A. Section 312.6(a)(2) - Opportunity to Direct Deletion of Child's Information Must Be Provided

Section 312.6(a)(2) of the COPPR requires that an operator provide parents with the opportunity, at any time, to stop the further use or collection of a child's personal information and request deletion of a child's personal information. The TRUSTe guidelines fall short of the protections in the COPPR in two regards. First, Section 6 of the TRUSTe Children's Seal Program, which parallels Section 312.6 of the COPPR regarding parental rights, omits the parental right to order the deletion of a child's personal information. Second, rather than allowing refusal or deletion "at any time," Section 6 of the TRUSTe Children's Seal Program merely requires that operators give parents "an" opportunity for refusal. Under a literal reading of the TRUSTe language, a parent who requests an opportunity to refuse further use, but decides at that time not to exercise it might be denied the opportunity to reconsider at a later time by a licensed operator.

In order to provide the "same or greater" protections as the COPPR, Section 6 of the TRUSTe Children's Seal Program should be amended to clearly include a parent's right to direct deletion and to add the "at any time" language applicable to both refusal and deletion. The latter amendment would clarify that a parent's right to prohibit further use or future collection, or order deletion, is not limited to a single opportunity.

B. Section 312.6(a)(3) - Means and Opportunity to Review Must Be Stated

Section 312.6(a)(3)(ii) of the COPPR requires operators, upon request, to provide a means for parental review of any personal information collected from a child. In addition, the operator must verify that the requestor is a parent of the child and must ensure that the means of review are not "unduly burdensome to the parent."⁽²²⁾ Section 6 of the TRUSTe Children's Seal Program, however, completely omits the requirement that review of a child's information not be unduly burdensome to the parent. Without such a limitation on an operator's choice of means, a parent's ability to exercise the right of review could be severely limited.

Accordingly, in order to provide the "same or greater" protections as the COPPR, the TRUSTe guidelines should be amended to include language stating that an operator's procedures for parental review of a child's information must not be unduly burdensome. It also would be helpful if TRUSTe actually spelled out procedures for production of this information to ensure that all licensees conform to COPPR's minimum requirements, and to ensure some level of continuity among licensees in the TRUSTe program.

IV. TRUSTe's PROPOSED GUIDELINES FAIL TO MEET THE ASSESSMENT AND COMPLIANCE REQUIREMENTS OF SECTION 312.10(b)

Section 312.10(b) of the COPPR requires that self-regulatory guidelines submitted for approval include a "mandatory mechanism for the independent assessment of [an operator's] compliance with the guidelines" and "effective incentives" for compliance.⁽²³⁾ Sections 312.10(b)(2) and 312.10(b)(3), respectively, provide examples of how those performance standards may be satisfied. Periodic reviews and seeding by TRUSTe, as described in its safe harbor application letter,⁽²⁴⁾ and the Watchdog Compliance and Escalation Process should provide effective independent assessment mechanisms and incentives for compliance. However, the TRUSTe documentation fails to state that such reviews are "mandatory" and fails to explicitly incorporate the Watchdog Compliance and Escalation Process into the License Agreement.⁽²⁵⁾ Unless the Watchdog Compliance and Escalation Process is explicitly incorporated by the License Agreement, to be signed by operators, it is possible that the penalties for non-compliance in the Agreement, such as revocation or suspension of an operator's right to use the TRUSTe seal and referral to an appropriate government agency, would not apply to violations by all operators under the Children's Seal Program. Accordingly, the TRUSTe License Agreement should be amended to incorporate the Compliance Document and to add a statement that periodic reviews are mandatory, rather than discretionary.

V. CONCLUSION

The foregoing discussion identifies both minor and significant deficiencies in the TRUSTe Safe Harbor Application. Although CME/CFA et al. believe TRUSTe has made a strong effort to comply with the requirements of COPPR, the TRUSTe Application falls short of providing the "same or greater" protections as the COPPR in several key areas. Accordingly, CME/CFA et al. respectfully urge the Commission to condition approval of TRUSTe's Application on the amendments enumerated above.

Respectfully submitted,

Of Counsel: Angela Campbell
Christopher Day
Jennifer Chang Hetterly Institute for Public Representation
Law Student Georgetown University Law Center
Georgetown University Law Center 600 New Jersey Ave., N.W., Ste. 312
Washington, D.C. 20001
(202) 662-9535 (telephone)
(202) 662-9634 (facsimile)
Counsel to CME/CFA et al.
Filed : October 10, 2000

APPENDIX A

Center for Media Education (CME), is a national nonprofit, nonpartisan organization dedicated to creating a quality electronic media culture for children, their families, and the community. CME's four-year national campaign led to the 1996 Federal Communications Rule requiring a weekly minimum of three hours of educational television programming. CME's report "Web of Deception" (1996) first drew attention to potentially harmful marketing and data-collection practices targeted at children on the Internet and laid the groundwork for the Children's Online Privacy Protection Act (COPPA).

Consumer Federation of America (CFA) is a non-profit association of some 260 pro-consumer groups, with a combined membership of 50 million, that was founded in 1968 to advance the consumer interest through advocacy and education. CFA has worked closely with CME to defend the rights of children's privacy online and jointly published a consumer education brochure for parents and children entitled, The Internet, Privacy and Your Child: What You Need to Know as a Parent/Keeping Secrets About You on the Internet, A Kid's Guide to Internet Privacy.

The American Academy of Child and Adolescent Psychiatry (AACAP) is a nonprofit professional organization representing over 6,500 child and adolescent psychiatrists. Its members are physicians with at least five years of additional training beyond medical school in general and child and adolescent psychiatry. Its members actively research, diagnose and treat psychiatric disorders affecting children, adolescents, and their families. The AACAP is committed to protecting the well-being and rights of children and their families.

Junkbusters Corp. helps consumers defend themselves against intrusive marketing and protect their privacy online. At http://www.junkbusters.com, the company provides extensive free resources for stopping telemarketing calls, unwanted physical mail, junk email, and commercial invasions of privacy on the Internet.

The National Alliance for Non-violent Programming (NANP) is a not-for-profit network of organizations with a long history of effective community involvement and education. Member organizations include the American Medical Women's Association, Jack and Jill of America, Inc., Jewish Women International, the Links, Inc., the National Association of Women Business Owners, National Council of LaRaza, Soroptimist International of the Americas, and YWCA of the U.S.A. With the capacity to reach two million people, NANP builds and supports community initiatives to promote and teach media literacy and non-violence. NANP headquarters in Greensboro, NC serves as the information, technical assistance, materials distribution and network center for member organizations, local initiatives and the general public.

The National Association for Elementary School Principals (NAESP) was founded in 1921 by a group of principals who sought to promote their profession and to provide a national forum for their ideas. Over the past 75 years, NAESP has grown to become the most powerful voice of Pre-K-8 principals across the United States and around the world with a peer network of more than 27,000 principals worldwide. The NAESP is dedicated to assuring the nation's continued strength and prosperity by assuring the best possible schooling for its most important resource, the children. Its mission is to serve as advocates for children and to help principals do the best job possible.

Privacy Times, a Washington-based newsletter that covers the information world, is designed for professionals and attorneys who need to follow the legislation, court rulings, and industry developments that frame the ongoing debate about information privacy. Privacy Times covers such issues as the FTC's developing policy for the Internet, credit reports, Caller ID, medical records, "identity theft," the Freedom of Information Act, direct marketing and the European Union's Directive On Data Protection.

Public Advocacy for Kids is a non-profit child advocacy organization devoted to education, health, telecommunication, and parental involvement issues at the federal level. Services provided on a consulting basis include advocacy training, child policy development, organizing for local and federal action, and communications development.

1. See Appendix A for more information on the public interest groups that comprise CME/CFA et al.

25. TRUSTe emphasizes that the Children's Program requirements should be read "in the context of the overall TRUSTe License Agreement and Compliance Document which set forth the overarching standards of the TRUSTe program, and the details of the program's dispute resolution and enforcement mechanisms, respectively." TRUSTe "Safe Harbor" Application Letter, p. 6. Although the Children's Program requirements contained in Schedule B are incorporated into the License Agreement - 6.0 at Section 1(A), there is no reference to the Compliance Document in the TRUSTe License Agreement - 6.0.