June 11, 1999
Secretary of the Commission, Donald S. Clark
Dear Secretary Clark:
America Online, Inc. ("AOL") hereby submits comments to the Federal Trade Commission ("FTC" or "Commission") with respect to its proposed rulemaking to implement the Childrens Online Privacy Protection Act of 1998 ("COPPA" or the "Act")./ AOL is committed to protecting the privacy and safety of the 18 million subscribers to its America Online subscription service and of the millions of visitors to its AOL.COM website, regardless of their age and maturity level./ Virtually since its inception, AOL has been working to ensure that childrens experiences online are as enriching and safe as possible. In pursuit of that goal, AOL has compiled an extensive array of offerings for children and their families to promote online privacy and safety.
AOLs comments are intended to highlight those areas where the Commission could improve the proposed rules governing childrens privacy by acknowledging certain best practices as a means of compliance or by simplifying, clarifying, or altering in some manner provisions that are unnecessarily burdensome or otherwise fail to achieve their stated purpose in an effective manner.
I. AOLs Commitment to Children
Childrens online privacy and safety has been -- and will always be -- one of AOLs top priorities. To that end, AOLs subscription service has made Parental Controls a key component of its offerings to subscribers since 1994, adding the Kids Only category in 1996, followed by the Young Teens category in 1997. From the moment adults sign up for its subscription service, AOL strongly encourages them to make use of its Parental Controls features for children 12 and under. Parental Controls enable parents to designate a separate Kids Only ("KO") screen name for children, which limits their childrens access to a specially designed KO Channel and websites selected as appropriate for children 12 and under. Parents are encouraged to employ similar control features on AOL for their teenage children as well.
To ensure that children have a rewarding and appropriate experience online, KO screen names are blocked from accessing Internet newsgroups or fee-based services that may not be appropriate for them. In addition, by default, KO screen names cannot send or receive Instant Messages (private real-time communication) and cannot access the AOL Member Directory. Other customization features enable parents to more closely tailor content and interactive features to the age and maturity level of their children. Through these "Custom Controls," parents can even choose to control from whom their children can receive e-mail.
In addition, AOL encourages children to use the Internet safely through other features on the service such as the "Kids Help" area. In the Kids Help area, AOLs "Online Safety Tips" remind children not to give out their home address or other identifying information to anyone online without seeking parental permission to do so and to notify AOL and their parents if they encounter anything online that makes them feel uncomfortable or unsafe. There is a special "Tell AOL" feature that children can use to alert AOL to any such concerns.
On the AOL.COM website, AOL does not collect personal information from children 12 and under, and takes steps to remind children not to give out personal information online without their parents consent. Although AOL.COM is primarily designed for an older audience, AOL provides an array of Safety Tips and features through the website to help parents and their children use the Internet safely. For example, AOL.COMs Safe Surfin site reminds kids to treat the Internet like any big city and to avoid strangers, dark alleys and other unsafe places. It also offers connections to websites that provide parents with: (a) a free video produced by AOL in conjunction with the National School Board on Internet safety, (b) advice on age-appropriate sites for children and (c) online safety tips from popular celebrities, such as the following:
In addition, AOLs collaboration with the American Library Association offers children an "Internet Drivers Ed" Program, which includes classes for children and their parents on Internet safety, as well as an interactive quiz that allows children to earn an official Internet drivers license for correctly answering questions about online safety. The Drivers Ed program also includes a list of Great Sites that are recommended for kids and six important online safety tips.
AOL encourages parents to participate in their childs experience in cyberspace and to review its important safety tips before their child explores the Internet. AOL also encourages parents and children to visit AOL.COMs Netfind Kids Only, which provides access to age-appropriate content available on the Web, and to use Web filtering technology to tailor their kids access to the Web.
In summary, AOL has been a leader in developing online safety and privacy protections for children, including integrated Parental Controls that limit a childs access to AOL and the Internet and special programs and features for children to help them use the Internet safely. AOL is committed to ensuring that children and their families have a rewarding experience online and that fair information practices are respected and promoted online for both children and adults.
II. AOLs Current Childrens Policies
AOL has developed and posted special childrens privacy policies on its subscription service and on the AOL.COM website. On the AOL subscription service, AOL implements these policies in areas on the service specifically designed for children, such as the Kids Only Channel. In areas on the service designed for children 12 and under, AOL and its partners require prior written parental consent (for example, by sending in a permission form by regular mail or by fax) before collecting or using names, addresses, telephone numbers or other information that identifies a child offline.
In addition, AOL obtains parental consent before a sub-account screen name can be created for children by providing parents with an "Important Notice to Parents" that describes AOLs information practices and explains how to set up Parental Controls. In order to create a screen name on the AOL service, a member must choose one of four basic access categories, even if the choice is full access to the service. For parents who are creating a screen name for their children, however, AOL strongly encourages them to select the Kids Only access category for screen names that will be used by children 12 and under. This process ensures that parents are aware that screen names are identifying information and consent to how their children may use screen names; for example, using the screen name to request an online newsletter, to post a message on a message board or to participate in a chat room.
III. The Commissions Proposed Rules
AOL applauds the FTCs efforts to ensure that all websites and online services (hereinafter "operators") follow appropriate fair information practices when personal information is being collected from children online. AOLs comments are intended to assist the Commission in crafting rules that protect children and, at the same time, respond to the legitimate concerns of operators about the difficulties of implementing certain provisions of the proposed rule.
AOLs comments are focused on the following provisions of the proposed rulemaking: (a) online notice -- including placement and content, (b) parental consent, and (c) the ability of parents to review personal information collected from children online. One of the major points highlighted in these comments is the fact that a subscription service, such as AOLs online service, uses unique business models and procedures that may require additional flexibility to be incorporated into the proposed rules. The Commission needs to recognize that, in the case of a subscription-based service, some of COPPAs statutory requirements -- including certain notices provided to parents and the mechanism for obtaining parental consent -- are satisfied at the time an individual signs up for the service or creates a screen name for his or her children. AOL hopes that the final rule will permit subscription-based online services to enjoy sufficient flexibility to continue these practices, which have worked extremely well thus far in protecting the safety and privacy of children online.
A. Online Notice
COPPA mandates that the Commission promulgate regulations for operators whose websites are, in whole or in part, targeted to and collecting personal information from children. The Act requires that such operators post notice on their sites of their information practices with respect to what personal information is collected from children, how the operator intends to use that information and the operators disclosure practices for such information. 15 U.S.C.A. § 6502(b)(1)(A)(i). The Commissions proposed rules on the Acts notice provisions cover placement of the link, content of the notice itself, as well as reasonable efforts to ensure that parents see the notice. AOLs comments pertain to the FTCs placement directives, content requirements and reasonable notice requirements.
a. Notice Placement: The Commissions Requirements for Where the Link to a Childrens Privacy Notice Must be Placed are Overly Specific, Impractical and Unnecessary
The Commissions proposed rules include a requirement that an operator post a link to a notice of its information practices with regard to children on "the homepage of its website or online service and at each place on the website or online service where personal information is collected from children." Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)). The Commission further specifies that the link must be prominently placed "such that a typical visitor . . . can see the link without having to scroll down." Id. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(1)(ii), (iii)).
b. Notice Placement: The Commissions Rules Should Give Operators Flexibility to Determine the Most Effective Locations for Posting Kids Privacy Links
The Commissions proposed rules with respect to the placement of links to the kids privacy notice also require the link to be posted "at each place on the website or online service where children directly provide, or are asked to provide, personal information . . .." Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(1)(iii)).
As the Commission is aware, this broadly sweeping requirement was not included in the Act itself; the Act states simply that an operator is required to "provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operators disclosure practices for such information." 15 U.S.C.A. § 6502(b)(1)(A)(i). In its proposed rules, the Commission added the requirement that a link to a kids privacy notice be posted at each place where personal information is collected from children. Its stated rationale for doing so was that (a) not every visitor enters a webpage through the homepage, and (b) a "link at the point of information collection guarantees that the notice will be seen by a parent . . ." Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(1)) (emphasis supplied).
The Commissions rules regarding placement of a link to the kids privacy notice should be more flexible to reduce the burden on operators, such as AOL, and to encourage them to experiment with effective and creative placement of such links. In the case of the AOL service, for instance, it would be extremely burdensome from a design standpoint for an operator to post a link to its kids privacy notice at every single location where "personal information" -- according to the FTCs proposed definition / -- could be collected. Such a provision would require AOL to provide a link for all of its chat rooms (areas where children can chat with other children in real time) and message boards that would be visible each time the child was about to post a message. This type of requirement would result in an unnecessarily repetitive series of links that are disproportionate to the use of the information, given that AOL does not even actively "collect" personal information from kids in this context but merely enables the child to post his or her screen name in a monitored environment.
The FTCs proposed rules are unnecessarily inflexible; they do not permit, much less encourage, operators to develop alternative design or placement methods that may be more effective than those proposed by the Commission. For example, AOL proposes that, in lieu of the FTCs "every page" requirement, operators be permitted to post a kids privacy notice link on the "Splash Page" that precedes access to areas where personal information could be collected. A Splash Page is the gateway page that a user must access (cannot skip) to get to the content beyond. / Moreover, Splash Pages -- as illustrated by the AOL Splash Pages included as attachments -- are endowed with color schemes and graphics designed to grab the viewers attention (start with a "bigger" splash) before they move to another webpage. Splash Pages are, therefore, an ideal attention-grabbing venue to place a clearly labeled link to an operators kids privacy notice that users can neither avoid nor fail to see. In AOLs view, placement of a kids privacy link on Splash Pages is likely to be more effective in ensuring visibility than the placement contemplated under the Commissions proposal.
c. Notice Content: The Commission Should Circumscribe its Online Notice Requirements to Take Advantage of the Dynamic Nature of the Internet and to Reduce the Burden on Operators
The Commissions proposed rules with respect to the actual content of an operators kids privacy notice specify that certain information be included in the posted notice, including, for all operators, the "name, address, phone number and e-mail address of all operators collecting personal information from children through the website or online service." Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(2)(i)). / The Commission evidently recognized that the online business community was likely to find this requirement unduly burdensome and, therefore, in the section on "Questions on the Proposed Rule" ("Questions") asked, with regard to this requirement, "[w]here there are multiple operators collecting personal information through the website, are there other efficient means of providing information that the Commission should consider?" Id. at 22,761-762, question 6. The answer to the Commissions question is a simple and resounding "yes."
It is impractical and burdensome to expect operators of an extensive online service like AOL to compile, maintain, and post information on all of its advertisers, content partners and affiliates that may be collecting personal information about children through its service. Instead, the FTC should limit the operators obligation to posting the name of the collectors, and perhaps a hyperlink to their privacy policies. Limiting the obligation in this manner is much more reasonable, and avoids the burdensome and largely unnecessary requirement that an operator, such as AOL, continuously monitor and update information more readily and accurately provided by another entity.
From AOLs perspective, the FTCs proposed rules appear to be particularly unnecessary since AOL has already taken steps to ensure that the advertisers and Interactive Content Partners ("ICPs") with whom it does business provide parents with the information they need to make an informed decision about the collection of personal information from their children. Among its best practices, AOL requires advertisers and ICPs to abide by AOLs stringent Kids Policies, as well as all applicable laws and regulations. Failure to do so will result in suspension or termination of the contract. Specifically, AOL currently requires that its advertisers and ICPs:
AOLs best practices help to ensure that the advertisers and content partners with whom it does business have and follow appropriate childrens privacy policies. Other operators may have similarly effective means for securing compliance with appropriate childrens privacy policies.
Thus, it is important that the FTCs rules recognize and account for the dynamic nature of the Internet and the steps that some operators have already taken to ensure that appropriate childrens privacy policies are adhered to by the other online companies with whom they do business. To that end, the final rules should limit the contact information operators must provide to parents on their own websites for advertisers, content partners and the like to that which is reasonably necessary to direct parents to other operators privacy policies.
d. Actual Notice to Parents: Reasonable Efforts to Provide Actual Notice to Parents Should be Flexible to Accommodate Best Practices of Online Services and Websites
The Commissions proposed rules state that "an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of an operators practices with regard to the collection, use, and/or disclosure of the childs personal information, including any collection, use, and/or disclosure to which the parent has not previously consented." Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,755 (to be codified at 16 C.F.R. § 312.5). There are two aspects of this proposed provision that are of concern to AOL.
First, for AOLs subscription service, reasonable efforts to notify parents should be interpreted to include incorporating such notice into its "Terms of Service" and providing an "Important Notice to Parents" before a member can create a secondary screen name for children. All newcomers are required to read and acknowledge AOLs Terms of Service before registering as subscribers, and all members are informed of AOLs Kids Policies and the availability of Parental Controls before they can create a secondary screen name that might be used by children. The FTCs rules should permit -- in fact encourage -- AOL and other online services to provide actual notice to parents of their information practices, including those pertaining to children, along with the other information they ask consumers to read and acknowledge before they subscribe.
Second, the Commissions proposed rules require that operators send parents an updated notice and request for consent whenever an "operator wishes to use the information in a manner that was not included in the original notice, such as disclosing it to parties not covered by the original consent." Id. This formulation, as the Commission suggests in the Questions section: (a) may be more burdensome than necessary, and (b) may not be the only formulation that would meet the Commissions goals. Id. at 22,762, question 11.
Because the Internet is a dynamic and swiftly evolving medium, it is simply not feasible for operators to contact parents each time an operator changes (adds or subtracts by contract, merger or otherwise) an advertiser or content partner. Moreover, such a requirement is unnecessary, particularly when the operator, such as AOL, has its own childrens privacy standards to which its advertisers and content partners are bound by contract. / Unless AOLs own Kids Policies change in some significant manner, it is simply unnecessary for the company to contact its subscribers to inform them every time it adds or terminates an advertiser or content partner, which, like all others, is required to adhere to AOLs Kids Policies. Such notice is unlikely to be meaningful to consumers or welcomed by them. In fact, it has the potential to be counterproductive because it risks overwhelming consumers with vast amounts of relatively trivial information that has little, if any, bearing on the privacy concerns underlying the Act.
B. Verifiable Parental Consent
COPPA requires that website and online operators "obtain verifiable parental consent for the collection, use, or disclosure of personal information from children." 15 U.S.C.A. § 6502(b)(1)(A)(ii). The term "verifiable parental consent" is defined further in the Act to mean "any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operators" information practices. 15 U.S.C.A. § 6501(9). The FTCs proposed rules restate the Acts requirements, including the ambiguity inherent in coupling a seemingly inflexible requirement that consent be obtained with a "best efforts" proviso regarding the methods used to do so. AOLs comments focus on its Parental Controls tools as a unique means of securing parental consent and the need for flexibility with respect to the methods of obtaining consent that the Commission deems to be verifiable.
a. Because it is a Substantial Benefit to Consumers the FTCs Rules Should Permit Subscription Services, such as AOL, to Obtain Verifiable Parental Consent At the Time An Account is Opened or a Screen Name is Created
As previously discussed, AOL provides parents with a subscription-based tool, called "Parental Controls," which allows them to create a special screen name for their children and exercise control over their childrens online experience. Specifically, parents can use Parental Controls to limit their childrens access to the KO Channel and to websites that are pre-screened for age-appropriate content. This innovative feature of AOLs subscription service allows parents to decline to let their children participate in chat rooms or message boards operated by AOL or its Partners on the KO Channel, or to limit ability of their children to receive e-mail.
AOLs Parental Controls -- which are available to all of its subscribers and strongly recommended for parents -- offer members an effective means to control the personal information that is collected from their children by AOL at the time that they create a screen name for them. For consumers, Parental Controls offer a one-stop, easy to use and reliable service that provides appropriate privacy notices, a convenient place to provide consent and a means to tailor their childrens access to the Internet to meet their individual requirements. It is precisely the type of consumer-friendly child protection that the Congress sought to foster under the Act. Therefore, the Commission should encourage AOL and other online services to either maintain or create Parental Controls (or similarly innovative features) by endorsing, in its final rules, the concept of such "up-front" consent, as an appropriate and effective means for obtaining verifiable parental consent.
b. The FTCs Rules on Methods to Obtain Verifiable Parental Consent Should Both Incorporate the Best Practices of Online Services, such as AOL, and Remain Flexible to Accommodate New and Improved Technologies
In its proposed rules, the Commission has wisely declined to commit to any particular method for obtaining verifiable consent. AOL has two comments to offer to aid the Commission in its consideration of how verifiable consent can be obtained most effectively.
First, for an online subscription service, the most practical way to obtain verifiable parental consent is to use the information that parents provide to AOL when they originally subscribed to its service, including information from their credit card. As the Commission is aware, legitimate credit card companies do not issue cards to children below the age of 13, and, therefore, there is little danger that youngsters will be able to circumvent such a verification process. Moreover, in the event that an enterprising youngster misappropriates a credit card to sign up for AOLs (or any) online subscription service -- and indicates consent without actual parental involvement or approval -- that activity would certainly come to light quickly when payment for the card became due, thereby giving the parent an opportunity to take corrective action, including providing (or denying) verifiable consent.
Second, for the foreseeable future, the Commission should continue to decline to lock in the options that a website or online service can use to obtain verifiable parental consent. New technologies, such as digital signatures, can quickly replace existing technologies as the preferred means for obtaining and verifying consent. The Commission should remain flexible and open to such new technologies and approaches to obtaining verifiable consent, rather than prescribing specific methods that could soon become outdated.
C. Right to Review Childs Personal Information
COPPA requires operators to provide, upon request of a properly identified parent whose child has provided personal information to an operator, a description of the specific types of information collected from the child, an opportunity to refuse to permit the operator to use or maintain that information or obtain future information from the child, and a means for the parent to obtain any personal information collected from the child. 15 U.S.C.A. § 6502(b)(1)(B)(i)-(iii).
AOL has two major concerns about the FTCs proposed rules regarding the review of a childs personal information. First, the Commission should include, among its methods for identifying a parent making a request, provisions that replicate the identification procedures that AOL has implemented for its subscription service. Second, the FTC should make clear that these provisions do not apply where an operator has obtained a limited amount of personal information about a child for a newsletter mailing list to which the parent can easily unsubscribe, or when the operator keeps personal information about a child for only a short period of time.
a. The FTCs Rules Should Permit Parents to Use Their Credit Cards as Proper Identification
The Commission has identified a number of reasonable procedures that an operator can use to check a parents identity, such as obtaining a copy of their drivers license or devising a password system. Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,758 (to be codified at 16 C.F.R. § 312.6(b)). AOL suggests that the Commission add another procedure to the list, which replicates the method that AOL uses to confirm the identity of potential subscribers to its own service; specifically, obtaining verifiable credit card information from a parent that matches the information the parent used to become a subscriber. Such a procedure has a high degree of reliability for online services such as AOL, which require subscribers to guarantee payment through a credit card.
b.The FTCs Rules Should Make Special Accommodations for Mailings, such as Newsletters, to Which Parents Can Easily Unsubscribe, and Should Clarify its Policies with Respect to Personal Information Maintained for a Short Period of Time
The FTCs rules on a parents right to review personal information about their child should be limited in two respects. First, to the extent that an operator has collected limited personal information, such as an e-mail address, from the child (with the parents consent) for the sole purpose of sending the child a periodic newsletter or similar mailing, to which the parent can easily unsubscribe, the parents right to review the childs personal information connected with that mailing should be limited to confirmation that the child is or is not on its e-mail list. Under such circumstances, requiring operators to go through elaborate procedures for obtaining proper parental verification and searching for information when the only personal information collected is the screen name already created by the parents themselves -- is unnecessarily burdensome. Alerting the parent to whether the child is on the newsletter subscription list and explaining to the parent how to cancel the subscription should be sufficient to meet the review requirement in this instance.
Second, to the extent that an operator maintains personal information, such as a screen name, e-mail address or a persistent identifier, such as a cookie, about the child for a short period of time for purposes such as monitoring a chat room or a message board, the Commission should make it clear that its rules do not require operators to maintain that information so that parents may review it. In a footnote to the proposed rules, the Commission states that it does not intend to "require operators to keep databases of personal information collected from children even after the consented-to uses have been discontinued -- for example, because the parent may someday request it." Childrens Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,758 (to be codified at 16 C.F.R. § 312.6(b), n.12). However, the Commission should further clarify this rule and insert it in the body -- not a footnote -- of the final rules in order to make it clear that an operator has no obligation to retain personal information it collects from children simply so that parents may exercise their right of review.
In conclusion, AOL appreciates the Commissions efforts to implement this important statute that will help to protect the privacy and safety of children in the online environment. We look forward to working with the Commission to improve, clarify and simplify the proposed rules, and would be happy to provide any additional information that would be of help to the Commission.