June 11, 1999 Secretary of the Commission, Donald S. Clark
Dear Secretary Clark: America Online, Inc. ("AOL") hereby submits comments to the Federal Trade Commission ("FTC" or "Commission") with respect to its proposed rulemaking to implement the Children’s Online Privacy Protection Act of 1998 ("COPPA" or the "Act")./ AOL is committed to protecting the privacy and safety of the 18 million subscribers to its America Online subscription service and of the millions of visitors to its AOL.COM website, regardless of their age and maturity level./ Virtually since its inception, AOL has been working to ensure that children’s experiences online are as enriching and safe as possible. In pursuit of that goal, AOL has compiled an extensive array of offerings for children and their families to promote online privacy and safety. AOL’s comments are intended to highlight those areas where the Commission could improve the proposed rules governing children’s privacy by acknowledging certain best practices as a means of compliance or by simplifying, clarifying, or altering in some manner provisions that are unnecessarily burdensome or otherwise fail to achieve their stated purpose in an effective manner. I. AOL’s Commitment to Children Children’s online privacy and safety has been -- and will always be -- one of AOL’s top priorities. To that end, AOL’s subscription service has made Parental Controls a key component of its offerings to subscribers since 1994, adding the Kids Only category in 1996, followed by the Young Teens category in 1997. From the moment adults sign up for its subscription service, AOL strongly encourages them to make use of its Parental Controls features for children 12 and under. Parental Controls enable parents to designate a separate Kids Only ("KO") screen name for children, which limits their children’s access to a specially designed KO Channel and websites selected as appropriate for children 12 and under. Parents are encouraged to employ similar control features on AOL for their teenage children as well. To ensure that children have a rewarding and appropriate experience online, KO screen names are blocked from accessing Internet newsgroups or fee-based services that may not be appropriate for them. In addition, by default, KO screen names cannot send or receive Instant Messages (private real-time communication) and cannot access the AOL Member Directory. Other customization features enable parents to more closely tailor content and interactive features to the age and maturity level of their children. Through these "Custom Controls," parents can even choose to control from whom their children can receive e-mail. In addition, AOL encourages children to use the Internet safely through other features on the service such as the "Kids Help" area. In the Kids Help area, AOL’s "Online Safety Tips" remind children not to give out their home address or other identifying information to anyone online without seeking parental permission to do so and to notify AOL and their parents if they encounter anything online that makes them feel uncomfortable or unsafe. There is a special "Tell AOL" feature that children can use to alert AOL to any such concerns. On the AOL.COM website, AOL does not collect personal information from children 12 and under, and takes steps to remind children not to give out personal information online without their parents’ consent. Although AOL.COM is primarily designed for an older audience, AOL provides an array of Safety Tips and features through the website to help parents and their children use the Internet safely. For example, AOL.COM’s Safe Surfin’ site reminds kids to treat the Internet like any big city and to avoid strangers, dark alleys and other unsafe places. It also offers connections to websites that provide parents with: (a) a free video produced by AOL in conjunction with the National School Board on Internet safety, (b) advice on age-appropriate sites for children and (c) online safety tips from popular celebrities, such as the following:
In addition, AOL’s collaboration with the American Library Association offers children an "Internet Driver’s Ed" Program, which includes classes for children and their parents on Internet safety, as well as an interactive quiz that allows children to earn an official Internet driver’s license for correctly answering questions about online safety. The Drivers Ed program also includes a list of Great Sites that are recommended for kids and six important online safety tips.
AOL encourages parents to participate in their child’s experience in cyberspace and to review its important safety tips before their child explores the Internet. AOL also encourages parents and children to visit AOL.COM’s Netfind Kids Only, which provides access to age-appropriate content available on the Web, and to use Web filtering technology to tailor their kids’ access to the Web. In summary, AOL has been a leader in developing online safety and privacy protections for children, including integrated Parental Controls that limit a child’s access to AOL and the Internet and special programs and features for children to help them use the Internet safely. AOL is committed to ensuring that children and their families have a rewarding experience online and that fair information practices are respected and promoted online for both children and adults. II. AOL’s Current Children’s Policies AOL has developed and posted special children’s privacy policies on its subscription service and on the AOL.COM website. On the AOL subscription service, AOL implements these policies in areas on the service specifically designed for children, such as the Kids Only Channel. In areas on the service designed for children 12 and under, AOL and its partners require prior written parental consent (for example, by sending in a permission form by regular mail or by fax) before collecting or using names, addresses, telephone numbers or other information that identifies a child offline. In addition, AOL obtains parental consent before a sub-account screen name can be created for children by providing parents with an "Important Notice to Parents" that describes AOL’s information practices and explains how to set up Parental Controls. In order to create a screen name on the AOL service, a member must choose one of four basic access categories, even if the choice is full access to the service. For parents who are creating a screen name for their children, however, AOL strongly encourages them to select the Kids Only access category for screen names that will be used by children 12 and under. This process ensures that parents are aware that screen names are identifying information and consent to how their children may use screen names; for example, using the screen name to request an online newsletter, to post a message on a message board or to participate in a chat room. III. The Commission’s Proposed Rules AOL applauds the FTC’s efforts to ensure that all websites and online services (hereinafter "operators") follow appropriate fair information practices when personal information is being collected from children online. AOL’s comments are intended to assist the Commission in crafting rules that protect children and, at the same time, respond to the legitimate concerns of operators about the difficulties of implementing certain provisions of the proposed rule. AOL’s comments are focused on the following provisions of the proposed rulemaking: (a) online notice -- including placement and content, (b) parental consent, and (c) the ability of parents to review personal information collected from children online. One of the major points highlighted in these comments is the fact that a subscription service, such as AOL’s online service, uses unique business models and procedures that may require additional flexibility to be incorporated into the proposed rules. The Commission needs to recognize that, in the case of a subscription-based service, some of COPPA’s statutory requirements -- including certain notices provided to parents and the mechanism for obtaining parental consent -- are satisfied at the time an individual signs up for the service or creates a screen name for his or her children. AOL hopes that the final rule will permit subscription-based online services to enjoy sufficient flexibility to continue these practices, which have worked extremely well thus far in protecting the safety and privacy of children online. A. Online Notice COPPA mandates that the Commission promulgate regulations for operators whose websites are, in whole or in part, targeted to and collecting personal information from children. The Act requires that such operators post notice on their sites of their information practices with respect to what personal information is collected from children, how the operator intends to use that information and the operator’s disclosure practices for such information. 15 U.S.C.A. § 6502(b)(1)(A)(i). The Commission’s proposed rules on the Act’s notice provisions cover placement of the link, content of the notice itself, as well as reasonable efforts to ensure that parents see the notice. AOL’s comments pertain to the FTC’s placement directives, content requirements and reasonable notice requirements. a. Notice Placement: The Commission’s Requirements for Where the Link to a Children’s Privacy Notice Must be Placed are Overly Specific, Impractical and Unnecessary The Commission’s proposed rules include a requirement that an operator post a link to a notice of its information practices with regard to children on "the homepage of its website or online service and at each place on the website or online service where personal information is collected from children." Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)). The Commission further specifies that the link must be prominently placed "such that a typical visitor . . . can see the link without having to scroll down." Id. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(1)(ii), (iii)). AOL concurs with the Commission’s proposal that the link to an operator’s information practices with regard to children ("kid’s privacy notice") should be prominently placed on a website or online service. However, the Commission’s placement directive is overly specific in mandating exactly where on the homepage the link must be placed. For instance, the Commission’s prescription that such a link be visible without scrolling down is impractical and unnecessary. First, consumers have become accustomed to looking at the bottom of a webpage for a link to an operator’s privacy policy, as this is where the majority of such policies are currently located. Furthermore, as the Commission heard at its May 14, 1999 workshop on advertising, no two computer screens/settings are alike. / Therefore, a link that one "typical" user can see without scrolling down may require scrolling by another. Consequently, it would be impractical for the FTC to require that an operator design its website or online service so as to ensure that no "typical" user has to scroll down to reach the link to its kid’s privacy notice. Moreover, there is no compelling reason to require that the link to a kid’s privacy notice be separated from the link to the operator’s general privacy policies or to require either link to be placed at any particular location on a webpage. The only imperative should be to clearly label the link, wherever it is located. Congress did not -- and the Commission should not -- prescribe how the website must be designed in order to meet the Act’s objectives. Consequently, the Commission’s final rule should give operators the flexibility to place the link to its kid’s privacy notice with or near to the link to its general privacy policy, or anywhere else on a webpage, so long as it is labeled clearly and easy to find. b. Notice Placement: The Commission’s Rules Should Give Operators Flexibility to Determine the Most Effective Locations for Posting Kid’s Privacy Links The Commission’s proposed rules with respect to the placement of links to the kid’s privacy notice also require the link to be posted "at each place on the website or online service where children directly provide, or are asked to provide, personal information . . .." Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(1)(iii)). As the Commission is aware, this broadly sweeping requirement was not included in the Act itself; the Act states simply that an operator is required to "provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information." 15 U.S.C.A. § 6502(b)(1)(A)(i). In its proposed rules, the Commission added the requirement that a link to a kid’s privacy notice be posted at each place where personal information is collected from children. Its stated rationale for doing so was that (a) not every visitor enters a webpage through the homepage, and (b) a "link at the point of information collection guarantees that the notice will be seen by a parent . . ." Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(1)) (emphasis supplied). The Commission’s rules regarding placement of a link to the kid’s privacy notice should be more flexible to reduce the burden on operators, such as AOL, and to encourage them to experiment with effective and creative placement of such links. In the case of the AOL service, for instance, it would be extremely burdensome from a design standpoint for an operator to post a link to its kid’s privacy notice at every single location where "personal information" -- according to the FTC’s proposed definition / -- could be collected. Such a provision would require AOL to provide a link for all of its chat rooms (areas where children can chat with other children in real time) and message boards that would be visible each time the child was about to post a message. This type of requirement would result in an unnecessarily repetitive series of links that are disproportionate to the use of the information, given that AOL does not even actively "collect" personal information from kids in this context but merely enables the child to post his or her screen name in a monitored environment. The FTC’s proposed rules are unnecessarily inflexible; they do not permit, much less encourage, operators to develop alternative design or placement methods that may be more effective than those proposed by the Commission. For example, AOL proposes that, in lieu of the FTC’s "every page" requirement, operators be permitted to post a kid’s privacy notice link on the "Splash Page" that precedes access to areas where personal information could be collected. A Splash Page is the gateway page that a user must access (cannot skip) to get to the content beyond. / Moreover, Splash Pages -- as illustrated by the AOL Splash Pages included as attachments -- are endowed with color schemes and graphics designed to grab the viewers’ attention (start with a "bigger" splash) before they move to another webpage. Splash Pages are, therefore, an ideal attention-grabbing venue to place a clearly labeled link to an operator’s kid’s privacy notice that users can neither avoid nor fail to see. In AOL’s view, placement of a kid’s privacy link on Splash Pages is likely to be more effective in ensuring visibility than the placement contemplated under the Commission’s proposal. The Commission’s final rules should therefore give operators the flexibility to choose among a range of effective options to ensure that users see an operator’s link to its kid’s privacy notice. Those options should include the Commission’s recommendation (every collection page) and AOL’s recommendation (Splash Pages), as well as any other options suggested by commentators that appear likely to provide effective notice to parents of an operator’s kid’s privacy policy. c. Notice Content: The Commission Should Circumscribe its Online Notice Requirements to Take Advantage of the Dynamic Nature of the Internet and to Reduce the Burden on Operators The Commission’s proposed rules with respect to the actual content of an operator’s kids’ privacy notice specify that certain information be included in the posted notice, including, for all operators, the "name, address, phone number and e-mail address of all operators collecting personal information from children through the website or online service." Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,754 (to be codified at 16 C.F.R. § 312.4(b)(2)(i)). / The Commission evidently recognized that the online business community was likely to find this requirement unduly burdensome and, therefore, in the section on "Questions on the Proposed Rule" ("Questions") asked, with regard to this requirement, "[w]here there are multiple operators collecting personal information through the website, are there other efficient means of providing information that the Commission should consider?" Id. at 22,761-762, question 6. The answer to the Commission’s question is a simple and resounding "yes." It is impractical and burdensome to expect operators of an extensive online service like AOL to compile, maintain, and post information on all of its advertisers, content partners and affiliates that may be collecting personal information about children through its service. Instead, the FTC should limit the operator’s obligation to posting the name of the collectors, and perhaps a hyperlink to their privacy policies. Limiting the obligation in this manner is much more reasonable, and avoids the burdensome and largely unnecessary requirement that an operator, such as AOL, continuously monitor and update information more readily and accurately provided by another entity. From AOL’s perspective, the FTC’s proposed rules appear to be particularly unnecessary since AOL has already taken steps to ensure that the advertisers and Interactive Content Partners ("ICPs") with whom it does business provide parents with the information they need to make an informed decision about the collection of personal information from their children. Among its best practices, AOL requires advertisers and ICPs to abide by AOL’s stringent Kids Policies, as well as all applicable laws and regulations. Failure to do so will result in suspension or termination of the contract. Specifically, AOL currently requires that its advertisers and ICPs:
AOL’s best practices help to ensure that the advertisers and content partners with whom it does business have and follow appropriate children’s privacy policies. Other operators may have similarly effective means for securing compliance with appropriate children’s privacy policies. Thus, it is important that the FTC’s rules recognize and account for the dynamic nature of the Internet and the steps that some operators have already taken to ensure that appropriate children’s privacy policies are adhered to by the other online companies with whom they do business. To that end, the final rules should limit the contact information operators must provide to parents on their own websites for advertisers, content partners and the like to that which is reasonably necessary to direct parents to other operators’ privacy policies. d. Actual Notice to Parents: Reasonable Efforts to Provide Actual Notice to Parents Should be Flexible to Accommodate Best Practices of Online Services and Websites The Commission’s proposed rules state that "an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of an operator’s practices with regard to the collection, use, and/or disclosure of the child’s personal information, including any collection, use, and/or disclosure to which the parent has not previously consented." Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,755 (to be codified at 16 C.F.R. § 312.5). There are two aspects of this proposed provision that are of concern to AOL. First, for AOL’s subscription service, reasonable efforts to notify parents should be interpreted to include incorporating such notice into its "Terms of Service" and providing an "Important Notice to Parents" before a member can create a secondary screen name for children. All newcomers are required to read and acknowledge AOL’s Terms of Service before registering as subscribers, and all members are informed of AOL’s Kids Policies and the availability of Parental Controls before they can create a secondary screen name that might be used by children. The FTC’s rules should permit -- in fact encourage -- AOL and other online services to provide actual notice to parents of their information practices, including those pertaining to children, along with the other information they ask consumers to read and acknowledge before they subscribe. Second, the Commission’s proposed rules require that operators send parents an updated notice and request for consent whenever an "operator wishes to use the information in a manner that was not included in the original notice, such as disclosing it to parties not covered by the original consent." Id. This formulation, as the Commission suggests in the Questions section: (a) may be more burdensome than necessary, and (b) may not be the only formulation that would meet the Commission’s goals. Id. at 22,762, question 11. Because the Internet is a dynamic and swiftly evolving medium, it is simply not feasible for operators to contact parents each time an operator changes (adds or subtracts by contract, merger or otherwise) an advertiser or content partner. Moreover, such a requirement is unnecessary, particularly when the operator, such as AOL, has its own children’s privacy standards to which its advertisers and content partners are bound by contract. / Unless AOL’s own Kids Policies change in some significant manner, it is simply unnecessary for the company to contact its subscribers to inform them every time it adds or terminates an advertiser or content partner, which, like all others, is required to adhere to AOL’s Kids Policies. Such notice is unlikely to be meaningful to consumers or welcomed by them. In fact, it has the potential to be counterproductive because it risks overwhelming consumers with vast amounts of relatively trivial information that has little, if any, bearing on the privacy concerns underlying the Act. B. Verifiable Parental Consent COPPA requires that website and online operators "obtain verifiable parental consent for the collection, use, or disclosure of personal information from children." 15 U.S.C.A. § 6502(b)(1)(A)(ii). The term "verifiable parental consent" is defined further in the Act to mean "any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s" information practices. 15 U.S.C.A. § 6501(9). The FTC’s proposed rules restate the Act’s requirements, including the ambiguity inherent in coupling a seemingly inflexible requirement that consent be obtained with a "best efforts" proviso regarding the methods used to do so. AOL’s comments focus on its Parental Controls tools as a unique means of securing parental consent and the need for flexibility with respect to the methods of obtaining consent that the Commission deems to be verifiable. a. Because it is a Substantial Benefit to Consumers the FTC’s Rules Should Permit Subscription Services, such as AOL, to Obtain Verifiable Parental Consent At the Time An Account is Opened or a Screen Name is Created As previously discussed, AOL provides parents with a subscription-based tool, called "Parental Controls," which allows them to create a special screen name for their children and exercise control over their children’s online experience. Specifically, parents can use Parental Controls to limit their children’s access to the KO Channel and to websites that are pre-screened for age-appropriate content. This innovative feature of AOL’s subscription service allows parents to decline to let their children participate in chat rooms or message boards operated by AOL or its Partners on the KO Channel, or to limit ability of their children to receive e-mail. AOL’s Parental Controls -- which are available to all of its subscribers and strongly recommended for parents -- offer members an effective means to control the personal information that is collected from their children by AOL at the time that they create a screen name for them. For consumers, Parental Controls offer a one-stop, easy to use and reliable service that provides appropriate privacy notices, a convenient place to provide consent and a means to tailor their children’s access to the Internet to meet their individual requirements. It is precisely the type of consumer-friendly child protection that the Congress sought to foster under the Act. Therefore, the Commission should encourage AOL and other online services to either maintain or create Parental Controls (or similarly innovative features) by endorsing, in its final rules, the concept of such "up-front" consent, as an appropriate and effective means for obtaining verifiable parental consent. b. The FTC’s Rules on Methods to Obtain Verifiable Parental Consent Should Both Incorporate the Best Practices of Online Services, such as AOL, and Remain Flexible to Accommodate New and Improved Technologies In its proposed rules, the Commission has wisely declined to commit to any particular method for obtaining verifiable consent. AOL has two comments to offer to aid the Commission in its consideration of how verifiable consent can be obtained most effectively. First, for an online subscription service, the most practical way to obtain verifiable parental consent is to use the information that parents provide to AOL when they originally subscribed to its service, including information from their credit card. As the Commission is aware, legitimate credit card companies do not issue cards to children below the age of 13, and, therefore, there is little danger that youngsters will be able to circumvent such a verification process. Moreover, in the event that an enterprising youngster misappropriates a credit card to sign up for AOL’s (or any) online subscription service -- and indicates consent without actual parental involvement or approval -- that activity would certainly come to light quickly when payment for the card became due, thereby giving the parent an opportunity to take corrective action, including providing (or denying) verifiable consent. Second, for the foreseeable future, the Commission should continue to decline to lock in the options that a website or online service can use to obtain verifiable parental consent. New technologies, such as digital signatures, can quickly replace existing technologies as the preferred means for obtaining and verifying consent. The Commission should remain flexible and open to such new technologies and approaches to obtaining verifiable consent, rather than prescribing specific methods that could soon become outdated. C. Right to Review Child’s Personal Information COPPA requires operators to provide, upon request of a properly identified parent whose child has provided personal information to an operator, a description of the specific types of information collected from the child, an opportunity to refuse to permit the operator to use or maintain that information or obtain future information from the child, and a means for the parent to obtain any personal information collected from the child. 15 U.S.C.A. § 6502(b)(1)(B)(i)-(iii). AOL has two major concerns about the FTC’s proposed rules regarding the review of a child’s personal information. First, the Commission should include, among its methods for identifying a parent making a request, provisions that replicate the identification procedures that AOL has implemented for its subscription service. Second, the FTC should make clear that these provisions do not apply where an operator has obtained a limited amount of personal information about a child for a newsletter mailing list to which the parent can easily unsubscribe, or when the operator keeps personal information about a child for only a short period of time. a. The FTC’s Rules Should Permit Parents to Use Their Credit Cards as Proper Identification The Commission has identified a number of reasonable procedures that an operator can use to check a parent’s identity, such as obtaining a copy of their driver’s license or devising a password system. Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,758 (to be codified at 16 C.F.R. § 312.6(b)). AOL suggests that the Commission add another procedure to the list, which replicates the method that AOL uses to confirm the identity of potential subscribers to its own service; specifically, obtaining verifiable credit card information from a parent that matches the information the parent used to become a subscriber. Such a procedure has a high degree of reliability for online services such as AOL, which require subscribers to guarantee payment through a credit card. b.The FTC’s Rules Should Make Special Accommodations for Mailings, such as Newsletters, to Which Parents Can Easily Unsubscribe, and Should Clarify its Policies with Respect to Personal Information Maintained for a Short Period of Time The FTC’s rules on a parent’s right to review personal information about their child should be limited in two respects. First, to the extent that an operator has collected limited personal information, such as an e-mail address, from the child (with the parent’s consent) for the sole purpose of sending the child a periodic newsletter or similar mailing, to which the parent can easily unsubscribe, the parent’s right to review the child’s personal information connected with that mailing should be limited to confirmation that the child is or is not on its e-mail list. Under such circumstances, requiring operators to go through elaborate procedures for obtaining proper parental verification and searching for information – when the only personal information collected is the screen name already created by the parents themselves -- is unnecessarily burdensome. Alerting the parent to whether the child is on the newsletter subscription list and explaining to the parent how to cancel the subscription should be sufficient to meet the review requirement in this instance. Second, to the extent that an operator maintains personal information, such as a screen name, e-mail address or a persistent identifier, such as a cookie, about the child for a short period of time for purposes such as monitoring a chat room or a message board, the Commission should make it clear that its rules do not require operators to maintain that information so that parents may review it. In a footnote to the proposed rules, the Commission states that it does not intend to "require operators to keep databases of personal information collected from children even after the consented-to uses have been discontinued -- for example, because the parent may someday request it." Children’s Online Privacy Protection Rule; Proposed Rule, 64 Fed. Reg. at 22,758 (to be codified at 16 C.F.R. § 312.6(b), n.12). However, the Commission should further clarify this rule and insert it in the body -- not a footnote -- of the final rules in order to make it clear that an operator has no obligation to retain personal information it collects from children simply so that parents may exercise their right of review. **************************************** In conclusion, AOL appreciates the Commission’s efforts to implement this important statute that will help to protect the privacy and safety of children in the online environment. We look forward to working with the Commission to improve, clarify and simplify the proposed rules, and would be happy to provide any additional information that would be of help to the Commission. Respectfully submitted, Jill Lesser Attachments |