Secretary, Federal Trade Commission
600 Pennsylvania Avenue, NW, Room H-159
Washington, DC 20580.

Children’s Online Privacy Protection Rule -- Comment, P994504.

The Electronic Privacy Information Center (hereinafter "EPIC") respectfully submits these comments pursuant to the Federal Trade Commission’s ("FTC" or "Commission") proposed Rule implementing the Children’s Online Privacy Protection Act ("COPPA" or "the Act"). Notice of Proposed Rulemaking to Implement the Children’s Online Privacy Protection Act of 1998, and Proposed Rule, 64 Fed. Reg. 80 (April 27, 1999) ("NPRM").

The Electronic Privacy Information Center is a project of the Fund for Constitutional Government, a non-profit charitable organization established in 1974 to protect civil liberties and constitutional rights. EPIC has played a leading role in the effort to establish enforceable Fair Information Practices in the United States. EPIC testified before the House Judiciary Committee, Subcommittee on Crime, on September 16, 1996 in support of legislation to protect the privacy rights of children.

COPPA establishes legal rights regarding the collection and use of personal information on young children. Self-regulation is simply not well suited to privacy protection where kids are involved. Young people cannot assess risks as adults can, cannot exercise complicated "opt-out" procedures, and should not be expected to monitor compliance with posted privacy policies. Legislation such as COPPA is necessary to establish sensible codes and clear standards for privacy protection of children’s information in the digital medium. Earlier legislation, such as the Family Educational Right to Privacy Act of 1974 ("FERPA"), has recognized the need for such standards regarding young people’s information.

In these comments, EPIC will discuss the proposed Rule in terms of the generally recognized responsibilities of organizations that collect personal information and the rights of individuals that give up personal information. These rights and responsibilities are called Fair Information Practices. The principles of Fair Information Practices have contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection. Among the foremost of these international guidelines is the OECD Recommendation Concerning and Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines set out eight principles for data protection that are still the benchmark for assessing privacy policy and legislation. These are:

  • Collection Limitation
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security Safeguards
  • Openness
  • Individual Participation
  • Accountability

Because EPIC believes that these principles are the foundation for effective privacy protection, this discussion will focus on the ways in which the proposed Rule embodies or undermines them.

General Question

  1. Please provide comment on any or all of the provisions in the proposed Rule.

For each provision commented on please describe (a) the impact of the provision(s) (including any benefits and costs), if any, and (b) what alternatives, if any, the Commission should consider, as well as the costs and benefits of those alternatives.

§312.4(b)(2)(ii)

The proposed Rule requires notice of types or categories of personal information collected from children. Although the Commission’s commentary is instructive with regard to what sorts of categories are expected, a rule that would allow operators to list broad descriptions such as "contact information" is insufficient. Such descriptions would violate the principles of openness and disclosure underlying COPPA. Consequently, EPIC recommends that the FTC require explicit disclosure of collection of the following information types: name, mailing address, electronic mail address, telephone number, Social Security number.

§312.4(b)(2)(iii)

The proposed Rule allows operators to categorically describe their uses of children’s personal information. This approach does not adequately inform parents of the potential effects of their consent and weakens privacy protection.

For instance, the Commission’s sample use description -- "we use this information to provide information on toys to your child" -- includes activities as innocuous as loading a particular banner ad when the child visits the operator’s website. However, it also seems to encompass direct mailings, both physical and electronic. Because adequate disclosure is crucial to meaningful consent, use descriptions must be more detailed. Thus the above description should be expanded to include how the information will be provided, how often the operator will provide it, and how long the child’s personal information will be archived.

This degree of specificity is required by several of the principles underlying Fair Information Practices: purpose specification, collection limitation (consent is meaningless if parents do not know what activities they are authorizing), use limitation (detailed descriptions make clear what uses and purposes have been consented to), and accountability (enforcement is easier when the policy lists specific practices).

§312.5(c)

EPIC opposes the exceptions enumerated in subsections (1), (3), and (4) of this section. Regarding (1), it is unclear why an operator would need to collect a child’s contact information for the purposes of obtaining consent from the parent. The operator need only know the parent’s contact information, and the child’s first name (so that parents will know which child is involved).

Similarly, a child’s request for repeated future contacts from the operator, such as a notification when a website is updated, can be complied with by collecting only the parent’s information and obtaining consent prior to the first transmission. Because the initial response may not immediately follow the child’s request, the child’s personal information may sit for some time on an operator’s machine without any parental screening of that operator’s privacy practices. This situation presents a threat to the child’s privacy.

Finally, the safety of a child is best protected by collecting the parent’s contact information. This makes the exception in (4) unnecessary.

§312.6(a)

EPIC recognizes the need for parental access to a young child’s personal information files. Parental involvement is generally consistent with the individual participation aspect of Fair Information Practices in the case of a young child who may not be able to fully exercise rights in the collection and use of personal information. Congress has previously recognized the importance of allowing parents to exercise information control rights on behalf of their children--FERPA creates a parental interest in inspecting and challenging children’s records. COPPA creates a similar interest in personal information held by an operator.

In light of this interest, the two-tiered approach described in the commentary to this section seems unnecessarily cumbersome. A single, effective identity check should suffice for parents to gain access to their children’s information. Burdening parents with multiple identity checks of varying strengths discourages the participation which COPPA envisions.

Regarding the methods of verifying identity, EPIC believes that requiring parents to provide photocopies of driver’s license information is unnecessarily invasive. A password system, while not perfect, provides a high level of protection without compromising the parent’s rights. Along with the security requirements of §312.8, a password system should be effective in preventing unauthorized access to children’s personal information.

§312.7

EPIC supports limiting collection of personal information to what is reasonably necessary to participate in a particular activity. However, the Commission’s example under §312.6(c) of collecting e-mail addresses from chat room participants in order to contact them in case of misbehavior is troubling. The "reasonably necessary" standard should be narrowly construed. In the chat room example, the existence of regulatory options which preserve user anonymity suggests that collection of a chat room user’s e-mail address is not reasonably necessary to keep things civil in the chat room. For example, in the self-regulated IRC chat community, individual users can be temporarily kicked off or banned from particular channels. This regulation is implemented using only the user’s nickname–no personal information is required. Being removed or locked out of a channel in this way sends as strong a message to the user as a personally directed e-mail note would, without the invasion of privacy. Operators should be encouraged to set up chat rooms and other community resources in ways which facilitate anonymous use.

§312.10

EPIC supports the public review of self-regulatory guidelines submitted under this section. The Commission should create and maintain a list of organizations interested in being contacted when such guidelines are published for public comment. Such a measure would allow interested groups to be actively involved in the review of these safe harbor proposals.

Notice

5. Section 312.4(b) lists an operator’s obligations with respect to the online placement of the notice of its information practices.

  1. Are there other effective ways of placing notices that should be included in the proposed rule?

The Commission should require that an operator’s privacy page be accessible by searching for the word "privacy" on the home page. This simple measure will ensure uniformity and allow parents to efficiently access privacy information. This approach has the added benefit of requiring a text-based link, which will load quickly (increasing the likelihood that an individual sees it before impatiently moving on).

The FTC should also require placement of the link such that a typical visitor to the operator’s website can see the link without having to scroll at all. The purpose of this restriction is to prevent clever webmasters from concealing privacy links far to the right or far above places where the Rule requires placement.

Furthermore, the FTC should encourage operators to put their privacy policies on dedicated pages. This highlights the importance of privacy protection and allows parents to easily "bookmark" the privacy page for future reference. In the alternative, the Rule should explicitly include the Commission’s recommendation that the required links point at the policy itself, not at the top of a general page of legal notices.

  2. How can operators make their links to privacy policies informative for parents and children?

As noted above, the word "privacy" should be included in the links. A parenthetical description such as "what we do with your information" may be an appropriate supplement.

7. Section 312.4(b)(2)(iv) requires an operator to state whether the third parties to whom it discloses personal information have agreed to maintain the confidentiality, security, and integrity of that information. How much detail should an operator be required to disclose about third parties’ information practices?

The disclosure standard for third party practices should be equivalent to the standard proposed above for operators. Anything less than full disclosure regarding third party information practices would fatally undermine the purposes of COPPA. There is nothing inherent in being a third party which reduces one’s potential for misuse of personal information. Consequently, an informed parental decision regarding disclosure to third parties will require much more than the third party’s "type of business" and the "general purposes for which [a child’s] personal information is used." The same principles noted, supra, in the context of specific operator use descriptions apply here. EPIC urges the Commission to impose a high disclosure standard on third party practices.

Regarding confidentiality and security of information disclosed to third parties, parents must be warned if a third party has weaker standards than the operator. EPIC recommends that the FTC should modify the proposed Rule accordingly.

8. Section 312.4(b)(2)(vi) requires an operator’s notice to state that the parent has the right to review personal information provided by his or her child and to make changes to and/or have that information deleted, and to describe how the parent can do so. Is this information needed in the notice on the website or online service, or should it be included only in the notice provided directly to the parent under Section 312.4(c)?

As noted above, a parent’s option to review and update a child’s information is an important part of COPPA’s scheme of privacy protection. In order to ensure that parents are aware of their power, the same version of an operator’s privacy policy should be maintained on the operator’s website and sent to parents pursuant to the Rule. The notice provided directly to the parent might easily be misplaced or deleted. Online access to parental control procedures allows parents to be informed of their rights under COPPA.

Parental Consent

12. Section 312.5(a)(2) requires operators to give the parent the opportunity to consent to the collection and use of the child’s personal information without consenting to the disclosure of that information to third parties. Should the rule also require that the parent be given the option to refuse to consent to different internal uses of the child’s personal information by the operator?

A parent’s ability to refuse particular uses is fundamental to the protection of children’s privacy. This power is complementary to the detailed use descriptions discussed above. The same key principles–limiting collection and use to specified purposes–are implicated by both issues. A parent must know about an operator’s specific information uses so that she can approve the ones she considers appropriate for her child and refuse the rest. An "all-or-nothing" approach places parents in a quandary: if an operator has only a few unacceptable practices, parents must either withhold permission altogether (potentially cutting the child off from beneficial information or services) or grant consent despite their misgivings (undermining the reason for requiring consent in the first place). To avoid these problems, parents should be given the option to specify which particular uses of a child’s information they approve.

13. The commentary on Section 312.5(b) identifies a number of methods an operator might use to obtain verifiable parental consent.

(b) What are the costs and benefits of using the methods listed?

Any methods that require parents to provide credit card information as part of the consent process may be unduly burdensome. Such practices invade parental privacy and discourage consent, even if the operator’s uses and practices are otherwise unobjectionable. The other methods provide excellent means of obtaining parental consent.

Conclusion

EPIC urges that the Commission modify its proposed Rule in accordance with the principles of Fair Information Practices and the comments presented above.

Marc Rotenberg, Executive Director
Alex Driggs, Law Clerk
Electronic Privacy Information Center
666 Pennsylvania Ave., SE, Suite 301
Washington, DC 20003
+1 202 544-9240 (tel)
+1 202 547-5482 (fax)
http://www.epic.org/