i-SAFE, Inc. Application for Safe Harbor #546345-00013

Submission Number:
Harry Valetk
Initiative Name:
i-SAFE, Inc. Application for Safe Harbor
The Federal Trade Commission (“FTC”) asked public comment on the proposed guidelines submitted by iSAFE designed to help website operators comply with the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501-6508. I write to submit comment on three concerns with iSafe’s application. I submit these concerns in my own capacity as an Internet privacy and security attorney devoted to consumer protection, technology, and online child safety. First, iSafe’s Program is unclear about the standards it proposes to apply to periodic monitoring. According to iSafe, it may perform periodic monitoring reviews quarterly, semi-annually, annually, or bi-annually “which shall be determined and conducted by i-Safe at its sole and complete discretion.” It’s hard to imagine a situation where waiting two years before monitoring a COPPA-seal bearing website directed to kids under 13 is appropriate. This approach also leaves parents to wonder about the significance of iSafe’s website seal, and what monitoring standards may apply to any particular website bearing that seal. Given the dynamic nature of the marketplace online, a defined and frequent monitoring schedule is appropriate for any COPPA Safe Harbor Seal Program. Second, iSafe’s proposed Complaint Resolution process requires participants to agree to confidentiality. This requirement, however, is inconsistent with the COPPA Rule’s openness requirement. The Rule requires Safe Harbors to retain consumer complaint records and make them available for FTC inspection and copying. 16 C.F.R. § 312.10(d)(1). Even more important, this explicit requirement could discourage parents from raising important concerns about a commercial website operator’s practices out of fear that they will be prohibited from seeking other legal or regulatory assistance. Third, iSafe’s application here, in essence, asks the FTC to entrust it with the authority to ensure commercial website operators comply with the COPPA Rule’s strict regulatory standards. A simple audit of iSafe’s website, however, reveals that www.isafe.org does not comply with the COPPA Rule’s parental consent requirements. Self-identified child users who register for an account must disclose name and online contact information. Once shared, the website makes no effort to obtain verifiable parental consent, give parents an opportunity to opt-out, or fall within any of the exceptions outlined in 16 C.F.R. § 312.5(b) or (c). (See https://auth.isafe.org/reg/register2.php) This is unsettling. Granted, COPPA only applies to commercial website operators, and iSafe.org presumably falls outside its jurisdiction. But that’s a technical response. The COPPA Safe Harbor Program is about marketplace credibility and accountability. Indeed, Congress enacted COPPA in direct response to industry’s failure to follow responsible marketing and data collection practices online. This failure affected those users too young to understand the consequences of sharing sensitive personal information in an online environment. As a COPPA Safe Harbor, website operators will look to iSafe to set an example on how to interact responsibly with child users. And before the FTC awards iSafe’s Program Safe Harbor status, it should hold iSafe’s own web practices to the same high standards parents expect commercial operators to employ. To close, I extend my thanks to the FTC for all that it does to protect consumers and children online. Through its leadership and enforcement efforts, the Internet continues to grow into a better place for the global community to enjoy. If I can help in any way, please let me know. Respectfully submitted, Harry A. Valetk