The Center for Democracy and Technology (CDT) respectfully submits these comments in response to the Federal Trade Commission’s (FTC) proposed Rule implementing the Children’s Online Privacy Protection Act (COPPA). Notice of Proposed Rulemaking to Implement the Children’s Online Privacy Protection Act of 1998, and Proposed Rule, 64 Fed. Reg. 80 (April 27, 1999).

The Children's Online Privacy Protection Act was enacted to protect children's privacy and to limit predators' access to information, such as email, name, and address, that would allow them to contact children. CDT and others who worked on the legislation sought to provide these protections while at the same time preserving children's ability to communicate, interact, and seek out information online. To meet these objectives, the Act:

CDT is pleased to have the opportunity to comment upon the Federal Trade Commission's proposed Rule. We believe that the goal of the rulemaking process should be to implement the Act in a fashion that:

We commend the FTC 's first effort at implementing COPPA and continue to be heartened by the FTC's measured, thoughtful approach as reflected in the scheduling of the July 20, 1999 workshop. Our analysis of the proposed Rule, the questions raised by the FTC, and discussions we have had with various interested parties indicate to us that the workshop will be critical to the FTC's effort to achieve a sound implementation of COPPA. Further, we note that the Rule contains little analysis of the different needs of children and parents accessing the Internet in non-home settings. We believe this should be explored in the workshop.

The Center for Democracy and Technology supported the COPPA. We worked diligently with others to ensure that COPPA established privacy protections and maintained children's ability to participate, interact, and access information online. At the time of its introduction, we believed that case-by-case FTC enforcement actions were creating a patchwork of limited privacy protections and uncertain obligations. We believed that the COPPA would create predictable and understandable Rules that would better protect children's privacy, address parents' concerns, and provide businesses with clarity as to their obligations.

The passage of the Children's Online Privacy Protection Act (COPPA) was a watershed event. COPPA represented an effort to create a legal framework for privacy protection designed specifically for the Internet. COPPA has no off-line counterpart. This rulemaking is the first effort by a federal agency to implement Rules specifically for the Internet environment.

It is critically important that the FTC and those involved in this process remain mindful of the precedent setting nature of this endeavor. As Congress has discovered in its attempts to regulate speech, the Internet is a unique medium deserving its own analysis. COPPA was intended to afford children online privacy protections in a way that mapped onto the unique interactive features of the Internet. Meeting these goals requires the appropriate mix of parental involvement, responsible business practices, and oversight by the FTC. The success or failure of these Rules and this law will have an enormous impact on the future of privacy protections, speech, the Internet, electronic commerce, and future regulatory efforts in these areas. In many ways this is the test bed for whether government intervention can be successful in the online environment.

Comments

Our comments on the proposed Rule provide both general recommendations on the approaches to implementation that will best achieve the goal of protecting children's privacy, specific recommendations on individual sections, and responses to questions posed by the Commission.

Implementation of the Act should be guided by the following objectives:

Taken together these six principles will ensure that the Act is implemented in a way that maximizes children's privacy, maintains children's ability to use the Internet, and places regulatory requirements on those the bill was designed to reach. In light of the proposed Rule, we believe three of these principles need additional emphasis.

1. Clarity

The countless small actors on the Web, need to know whether they are covered and, if so, exactly what their obligations are under the Act.

Today, many Web sites are either not directed to children and/or do not collect "personal information" as defined by the Act. However, if the implementing guidelines don't provide clarity about when and how obligations under the Act are triggered, we fear that Web sites may err on the side of over-compliance, with a negative impact for both privacy and business.

For example, Web sites that provide online newsletters but are unsure of whether they are "child-oriented" may err on the side of informing a parent that their child has signed up to receive a newsletter. This could unintentionally infringe on older minors' access to information and privacy. (See section on Directed to Children) A lack of clarity may effectively place regulatory requirements on Web sites that should not be covered.

Importing the flexible approach the FTC employs in assessing whether an advertisement or program is targeted to children in other media may seem logical at first glance. We believe, however, that the broad diversity of players on the Web strongly argues for greater certainty. Providing self-assessment tools, bright-line Rules (where possible), and illustrative examples would assist Web sites in understanding the application of COPPA to their activities.

A sensible implementation of the Children's Online Privacy Protection Act should move companies operating in the online environment toward privacy-sensitive business practices. While the rulemaking will provide guidance to operators who collect personal information from children, we believe that the rulemaking should also provide guidance on how to pursue business practices that promote privacy by limiting the collection of personal information.

Many Web sites may want to avoid collecting information that would trigger the parental consent and parental access provisions of COPPA. Given clear guidance they could. Providing information about how to create engaging and interactive sites without collecting "personal information" and triggering the Act's more cumbersome statutory requirements would advance the goals of the Act while at the same time limiting the regulatory burdens placed on businesses:

Without such guidance we fear that Web sites may be unsure whether the data they collect is considered personal information (regardless of the clarity the definitions ultimately achieve) and err on the side of obtaining parental consent. This could, ironically, lead to the creation of new databases of personal information about parents and children that in turn create the potential for privacy mischief where none previously existed.

The Internet and Implementation.

From providing guidance and conducting outreach, to facilitating parents' rights to access, to object, and to grant or deny consent, we believe that the Internet should be used to the extent possible. We encourage the FTC to use the Internet to enhance understanding about the application and requirements of COPPA through tutorials, self-assessment tools, and other guidance materials. As discussed in our specific comments below, CDT believes that all parties should strive to find workable online tools to meet the communication needs of this Act. While there are difficult issues to resolve, we believe that this is key to the Act's success.

The following comments respond to specific Rules and questions posed by the FTC. Questions raised by the Commission are addressed, generally, within the context of the section to which they pertain.

Section 312.2 sets out the definitions included in the Act, expands on several definitions, and defines the term "collects or collection" which was not defined in the Act.

CDT concurs with the FTC's assessment that the terms "collects and collection" must be defined. All personal information collected pursuant to these regulations -- including information collected from parents, information collected offline, and information collected during the process of verifiable consent -- should be covered by this definition. The Rule appropriately clarifies the intent of the Act.

The word "personal" should be dropped from the first sentence of the proposed definition. While at the time it is collected information may not meet the definition of "personal information," it may later be combined with other information and become "personal information."

However, (b) of the definition needs to be clarified, or in the alternative exemptions need to be crafted. As written, section (b) suggests that if a child posts his or her age in a chatroom, message board, or other public posting that is not "directed to children," the operator of such would be subject to the Act. This would create an enormous burden on non child-directed services to monitor chatrooms, message boards, and other public posting areas. CDT does not believe that the Act was intended to place obligations on such services. A child's posting information about his or her age in this context should not be considered "collection."

CDT believes that the legislation should apply to the Internet regardless of how it is accessed. By adding the phrase " or other methods of transmission" the proposed Rule appropriately ensures that the Act will not become obsolete as the Internet and methods for accessing it evolve.

As the Section-by-Section summary of the Act states, the intent is "…to hold responsible the entity that collects the information, as well as the entity on whose behalf the information is collected" but to not cover "an online service (or other entity) who does not collect or use the information."

The proposed Rule is true to the intent of the legislation. It makes a distinction between the entity that is collecting and maintaining the personal information and the services that act as conduits. Under the Act conduits are not considered "operators." Similar to the federal law limiting the liability of Internet service providers for content on their service that they do not create, (47 U.S.C. 230(c)) the intent of the law is to ensure that Internet and online service providers are not placed in the position of monitoring the actions of every subscriber, Web site, link, and business.

CDT's understanding of the law would require that the FTC consider a Web site an operator only if it was collecting and maintaining personal information for its own use. If an Internet service provider is hosting a Web site for a business that collects and maintains personal information, the Internet service provider would not be considered an operator, rather the COPPA obligations would fall on the business. In this instance, the service provider would be considered to be providing support to the business. Similarly, Web hosting services would not be considered operators where they are acting as an agent of an operator. This is provided for in the definition and discussion of disclosure under the Rule.

However there are other instances, as the Rule and discussion note, where joint liability will be assumed. The Rule should provide further clarification on when an Internet or online service provider or Web site assumes responsibilities under the Act. Under what circumstances does an entity controlling a closed environment -- an online service or a Web site -- assume liability for the practices of other businesses operating within the environment? What are the specific factors that invoke such responsibility? Answers to these questions must be laid out as clearly as possible.

For example, if a banner ad placement company uses personal information to target advertisements to children's Web sites, is the Web site (which has a business relationship with the ad agency) jointly liable for the ad agency's actions under COPPA? Would it be desirable, practical or realistic for advertisers to independently contact parents seeking consent? Do parent's expect Web sites practices to apply to all interactions that occur at the site?

CDT's tentative thought is that joint liability in this setting would be likely to ensure compliance. In addition, shared statements of practices by the Web site and others who operate on the Web site make the implementation of the law less cumbersome for parents.

In the context of an online service or portal with areas designed for children, is the service or portal jointly liable for the practices of every partner in its proprietary system? Parents often seek out these environments because they limit children's exposure to the variety of practices and content on the broader Internet. Again, CDT's tentative assessment is that joint liability is appropriate in some settings.

CDT believes that the intent of the law and the FTC's proposed Rule is to place liability on the shoulders of those who can best handle it: the entity that is collecting and using the information (operator). However, because of the enormous amount of data generated by the use of the Internet we believe that the FTC should provide clearer guidance

Section 1302(8)(F) of the Act authorizes the Commission to expand the definition of "personal information" to include other identifiers that permit physical or online contacting of a specific individual. Under the proposed Rule, a persistent identifier or PSN is considered personal information only if it is associated with other personal identifying information.

CDT agrees that persistent identifiers associated with other personal information should be considered personal information. However, we believe that some persistent identifiers may on their own, not associated with other personal information, be considered personal information. We believe that during the workshop the FTC should explore the different functions and uses of existing persistent identifiers and identify factors that could lead them to be considered, on their own, "personal information."

For example, as discussed in the complaint filed by CDT and other organizations regarding the Intel Pentium III Processor Serial Number (PSN), there were several characteristics of the PSN that had the potential to make it a multi-purpose identifier used across the Web and across transactions. The PSN was designed at the outset to provide a single identifier for tracking individuals' activities. Intel promoted the PSN as a form of low-level authentication. In contrast, the use of a persistent identifier at a Web site and not relied upon by other Web sites is more akin to a pseudo identity. The use of single-site identifiers allows for customization and personalization; they can support traffic analysis by operators without the collection of more identifiable data. Even among site-specific persistent identifiers there is a wide range of uses with varied potential to impact on privacy. Some sites use new persistent identifiers within specific sessions (visits) and then discard them, others tie a persistent identifier to a visitor and use it to track his or her activities across multiple visits.

In addition, because some identifiers are so ubiquitously collected, but so rarely used as identifying information, the FTC should examine other methods of addressing the potential privacy issues they raise. For example, while a static IP address is a persistent identifier (it is consistently offered up by the computer to others on the network in order to communicate), considering it personal information would have some rather troubling consequences. IP addresses are routinely captured as part of the network communication -- although the length of time for which they are stored varies dramatically, as does the purpose for which they are used. If the IP address alone was considered "personal information," then every child-oriented Web site would be required to obtain parental consent. This would increase the collection of personal information about children by Web sites who do not collect other personal information, raising more potential privacy risks. As an alternative, the routine destruction of Web logs or IP addresses by operators could limit the potential privacy concern.

Online contact information: The term "online contact information" means an e-mail address or an-other substantially similar identifier that permits direct contact with a person online.

"Online contacting of a specific individual"

The phrases "online contacting of a specific individual" and "direct contact with a person online" are not defined under the Act or in the proposed Rule. While the addition of persistent identifiers combined with other personal information to the definition of "personal information" indicates that the FTC has concluded that this combination "permits the physical or online contacting of a specific individual," the Rule does not provide insight into the reasoning. Analyzing what "contacting" means on the Internet and under the Act is important.

During the workshop, the Commission should explore and define "online contacting (direct contact) of a specific individual." In defining these terms, the Commission should try to minimize the collection of information specifically identified in the Act as "personal information."

All parties involved in the drafting of COPPA agreed that email provides for "direct contact with a person online." In the offline world, there are several methods that businesses use to tailor messages to an audience. Some are based on what is clearly direct contact (i.e. direct mail), while others are based on assumptions about the audience that will be attracted to a particular item (advertisements within magazines). The online world has produced some hybrid of these methods. Through the use of transactional data and/or data provided by the individual, Web sites and online services provide customized services ranging from personal date books, to customized content and advertising. Where this is done without the collection of information considered "personal information" under the Act, this tailoring can be done with minimal impact on the privacy interest in personal information and without risk that information will be disclosed to those seeking to harm children. CDT believes that the proposed Rule for "personal information" reflects an understanding of the important distinction between fully identified interactions and anonymous or pseudonymous interactions. CDT believes that customization performed in an anonymous or pseudonymous fashion should not be considered to be "direct contact."

While the use of tracking tools raises privacy concerns, the Commission should be careful that the Rule is not interpreted in a fashion that diminishes privacy by requiring the collection of personally identifiable data in instances where it is currently not collected. Systems such as site-specific persistent identifiers stored in cookies allow for pseudo identities, which allow for the customization of online spaces without the collection of more intrusive personal information. The FTC should encourage the use of pseudo identities which are not linked to personal information over techniques that rely on "personal information" as defined by the Act. It would be counter-productive if a law designed to protect privacy were interpreted by the Commission to require businesses using pseudo identities to gather absolute identities.

CDT believes that effective and efficient means of communicating online between Web sites and parents for the purpose of obtaining consent, providing notice, and providing access to children's information are critical to the success of this legislation. Giving individuals, in this case parents, decision-making authority over the collection, use and disclosure of personal information is a core goal of COPPA. This goal will best be served if parents can exercise their rights in a manner that is efficient, medium-appropriate, and simple. Creating inefficient systems that will pose barriers to parents who want to communicate their consent, object to their children's continued receipt of information, or gain access to their children's information will not serve the interests of parents, privacy, or children.

CDT believes that finding workable models that are exclusively online is critically important. The FTC should identify workable systems that are geared towards reasonable children with reasonable parents and responsible businesses. It is difficult in the off-line world to obtain "verifiable" parental consent. We generally do not expect parents to send in affidavits and driver's licenses to verify the authenticity of their communications. While the Internet may pose some specific challenges to creating tools that are likely to reach parents and deter children from forging consent, we should strive to develop online methods.

The Social Security Administration’s study with providing access to personal earnings benefits online in a more secure fashion may prove useful here. While the SSA presented different (and perhaps more easily resolved) issues, the need for a thorough process, like the SSA's, to explore this issue is paramount. The Platform for Privacy Preferences, digital signatures and other technologies are promising possibilities, but they are not yet available. We look forward to participating in the workshop and examining options for obtaining parental consent.

As discussed above, we believe that the FTC should provide clear guidance on the definition "directed to children."

CDT believes that legislation to protect the privacy of all individuals acting online is both inevitable and necessary to ensure consumers' privacy on Internet. However, for several reasons COPPA's scope is, and should remain, operators clearly "directed to children" and those who ask for age information. The focus on parental consent and parental access to information make the provisions of the Act inappropriate for those over the age of 12, therefore ensuring that COPPA's impact is on Web sites directed towards those 12 and under is extremely important.

As introduced COPPA would have applied to a broader category of Web sites on online services. Due to concerns about the potential impact of the bill on older minor's First Amendment and privacy interests the scope of the bill was narrowed. Particularly, CDT and others were concerned that the initial bill would have unintentionally interfered with teenagers' ability to access information and enjoy the interactivity of the Internet. As applied to teenagers the bill would have: 1) required parental notification every time a teenager provided an email address to a Web site engaged in commerce; and, 2) created a parental right to access all information that a teenager shared with a Web site engaged in commerce -- potentially chilling protected First Amendment activities and undermining rather than enhancing teenagers privacy.

The Act as passed narrowed the coverage of the law to Web sites that are "directed to children" and reduced the age of those considered a child under the Act.

If businesses are unsure whether or not their Web site is targeted towards kids they may ask for parental consent in situations in which it is not necessary leading to the increased collection of personal information and they may notify parents of the activities of older minors. CDT suggests that the FTC can avoid this problem by providing guidance through examples, lists of factors for consideration, self-assessment questionnaires, and other materials to assist Web sites in determining whether or not they are directed to children. With the understanding that it could be overcome based on information arising during an investigation by the FTC, are there a series of indicators that could set a presumption that a Web site is not directed to children? Are there proactive steps that Web sites can take to ensure that they do no fall under this definition?

Section 312.4 provides detailed Rules on the information to be provided through operators' information practice notices posted at Web sites and provided to parents as part of the consent process. The Rule directs the placement of the notice on Web sites. The Rule also directs operators to use reasonable efforts to ensure parents receive notice. CDT generally supports the Rule, but has comments and recommendations on several sections.

CDT generally agrees with the Rule. However, there are instances, due to the definition of "collects," that it may not make sense. For example, if a parent has given consent for a child to engage in "chat" or email, it would be rather cumbersome for an operator to be required to provide a "link" to its policy every time the child engages in these activities. But under the definition of "collects" the release of an email address could trigger the placement of a notice link under this Rule.

CDT believes that the FTC should require operators to inform parents of the uses that third parties will make of their child's information and to inform parents if the third-parties information practices differ in a material way from the operators. However, CDT does not believe that operators should be able to release information to third parties who have not agreed to maintain the confidentiality, security, and integrity of the information. While the confidentiality, security and integrity of personal information released through certain "disclosures," such as public postings, can not be guaranteed, operators should release information to third parties only pursuant to an agreement that the confidentiality, security, and integrity of the information will be protected. In addition, Web site notices should provide parents with contact information (or a link to it) for third parties and their information practices.

Question 8

In response to Question 8, it would most likely be more convenient for parents if information about how to delete a child’s information is stated both on the Web site and in the notice provided to parents.

As the FTC states in the discussion of the Rule, notices sent to parents will form the basis of many parent's decision about whether to allow their child to disclose information. In the context of Web sites, they are likely to be the source of notice, with the Web based notice acting as a resource later on. In the context of a fee-based subscription service, Web or service-based notices are as likely to be the foundation for parent's decisions as sent notices.

CDT generally agrees with the proposed Rule and discussion. In addition to providing parent's the option of consenting to the collection and use but not the disclosure, the operator should also allow parent's to consent to the collection and use for the specific purpose while limiting other internal uses. This would buttress the prohibition on conditioning a child's participation on the disclosure of personal information not necessary for the activity. Question 12 suggests this approach -- operators should not only allow parents to not consent to use of information by third parties but to refuse consent to different internal uses of the child’s personal information. CDT believes that this option would provide parents greater control over their children’s information thereby furthering the goal of protecting children's privacy through the informed decision-making of their parents.

CDT believes that online mechanisms for obtaining parental consent, registering parent's objections, and providing parent's with the ability to review their child's information should be sought. In ascertaining whether a method of obtaining consent is reasonable the FTC must not hold the World Wide Web to a standard that we do not have in the offline world. We urge the FTC to use its workshop to identify online models to address the full range of communication needs of this legislation.

Question 11 Modification of Notice:

Question 11 requests comments on the appropriate method of requesting parent's permission to use children's information for additional purposes or otherwise modify the notice. Because the model for protecting children's privacy set out under the bill -- parental notice and consent -- requires parents to be fully informed of the practices of operators, CDT believes that changes to the terms can only occur with the affirmative response of the parent. It is important that parent's not be continuously barraged with notices requesting consent to additional uses of the children's data. Therefore, CDT believes it may be reasonable for the FTC to set limits on the frequency with which changes can occur. CDT would also suggest that it is possible that all changes may not rise to the level of requiring additional consent. However, CDT believes that identifying what, if any, changes to a policy might be considered "non-material" should be done through the workshop.

Question 17 Exception to parental consent

Question 17 requests comments on the length of time an operator can maintain personal information collected to facilitate the process of gaining parental consent. It also requests comments on the development of "do-no-contact" lists.

CDT does not believe that operators need to maintain information gathered for obtaining consent. If an operator sends the information needed for obtaining consent to the parent with directions to send the information back if they want to consent, there is no need for the operator to independently maintain the information during the interim period. Individuals who consent will provide the necessary information. This approach would provide greater assurance that children are not disclosing any personal contact information without their parent's consent. CDT suggests that the FTC collect further data on this issue to assess time frames, but also consider the alternative approach we've offered.

At this time CDT does not believe that "do-not-contact" lists should be created. Like all databases they are potentially subject to internal misuse and access by unauthorized parties. If a need for such a list is identified in the future the FTC can revisit this issue.

Question 18 Collection of parent v. child's information for obtaining consent

CDT has not identified instances in which the operator would need the child’s contact information rather than the parents to obtain parental consent.

Question 19 Child safety exception to parental consent

Question 19 requests comments on the situations involving child safety in which operators should be allowed to collect information from children without parental consent. CDT has not identified instances where child safety would be enhanced by the collection of personal information about either the child or the parent. However, where the operator has personal information, it should be permitted to use it to contact the parent, or in extreme cases (suicide threat/ reports of child abuse?) notify other appropriate parties, to protect the safety of the child. In general Web sites and online services should not be held responsible for the speech and actions of members. While entities' desires to provide safe environments for children should be commended, the scope of this exception should be quite narrow. The collection of this information can be the potential source of risks to children's safety.

The Act allows for information to be collected, used or disseminated without parental consent to protect the security or integrity of the Web site, take precautions against liability, respond to judicial process, or to provide information to law enforcement as permitted under other provisions of law. The provision should not allow operators to collect information in anticipation of hypothetical threats, judicial proceedings, or law enforcement requests. Where information has been collected under other provisions of the law, the provision should be read to permit its use or disclosure for these limited purposes without additional parental consent. In the area of law enforcement, the provision permits, but does not require, operators to disclose information to law enforcement who are authorized under other law, and follow the procedures required by law, to access it. For example, the limits on law enforcement access to information held by interactive computer services must be met before an operator can disclose information to a law enforcement authority.

At this time, CDT has not identified specific instances that merit additional exceptions. However, CDT does not believe that the issues surrounding the implementation of this Act in non-home settings have been considered. As the Act comes into force CDT believes activities meriting this exception may surface. In considering where exceptions are warranted, the children's ability to access information; and, the risk of parental notice on the child's willingness to seek out information should be top considerations. The Rules limiting the use of the information and requiring its destruction, collected without parental consent provide basic privacy protections.

Section 312.6 Right of Parent to Review Personal Information Provided by Child

Section 312.6 sets out the rights of parents to review information about their children and the obligations of operators to facilitate this right.

CDT generally agrees with the Rule and discussion. We suggest that access to the categories of data collected could be provided in a relatively non-tailored fashion and therefore not require parental verification. Assuming that an operator will collect the same categories of information from visitors, this provision could be met with a Web site form that tells parents the data categories maintained. For parents to have access to information about their child the operator should require some form of authentication. It would be preferable if this was set up through a password/email or other relatively secure online method. However, it is impossible to completely ensure that non-parents will not access information. Therefore, CDT believes that operators should require that parents provide the identifying information (in the categories that the Web site has said it collects) and only disclose the information (such as hobbies etc.) that is tied to this inherently identifiable data. A child's parent will know the identifying information, but may be interested in the other information collected by the Web site. An individual trying to find out information about the child, particularly details on how to locate the child will be unable to find out information that could lead to direct online or off-line contact.

CDT agrees with the Rule and discussion. Children should not be enticed to turn over personal information.

CDT agrees with the Commission's comment, in the discussion of the Rule, that it is a sound security practice to destroy any personal information that is no longer needed.

CDT believes that the rulemaking review should be scheduled at an earlier time. The impact of this law on children's online experiences and the development of the Internet may be quite profound. Therefore, we believe that a review should be conducted no later than three years after the effective date of the Rule, and potentially sooner.

CDT welcomes the opportunity to comment upon the proposed Rule and looks forward to working with the Federal Trade Commission and all interested parties to implement the Act in a manner true to its goals. We look forward to exploring the hard issues, identified in the comments, during the July workshop, and we are available at any other time to discuss the issues posed by COPPA implementation.