June 11, 1999
Mr. Donald S. Clark
Re: Children's Online Privacy Protection Rule -- Comment, P994504
Comments of Dell Computer Corporation
Dear Secretary Clark:
Dell Computer Corporation submits these comments in response to the Notice of Proposed Rulemaking published in the Federal Register on April 27, 1999 (64 Fed. Reg. 22749) ("Notice").
Dell is the world's foremost direct manufacturer of personal computers. Dell currently sells more than $18 million in a variety of products each day over the Web, which accounts for approximately 30% of our business. One of the company's strategic objectives is to obtain at least 50% of our worldwide revenue from online sales by the end of calendar year 2000.
At Dell, our relationship with the consumers who visit our sites is our top priority just as it is in the physical world. Our customers' privacy is a primary concern, and we are a proud participant in the BBB OnLine Privacy Program (and the first recipient of a BBB OnLine seal). In a larger sense, we are committed to the development of a global electronic marketplace that promotes trust and confidence between consumers and online businesses. We believe that these trusting relationships are encouraged when online businesses educate and inform consumers.
We also know through our extensive experience that online technology is changing and maturing at an unparalleled rate -- thus, the methods Dell and other online businesses use to educate, inform, and transact business with consumers are changing constantly. We are very concerned that the Commission not promulgate design standards or other specific rules that may create unintended consequences due to the rapid evolution of this medium and concomitant changes in consumers' habits, preferences, and level of experience. (Indeed, even companies like Dell that spend considerable time studying consumers' internet usage must struggle to adapt to this ever-changing environment.) In this context, specific rules adopted by the Commission may quickly become obsolete or counterproductive. The costs of unintended consequences would be large, due to the increasing importance of the internet to the U.S. economy.
Although our sites (www.dell.com and www.gigabuys.com) are not directed at children, our interest in generally fostering the development of electronic commerce prompts us to take the opportunity to assist the Commission in exploring certain issues raised in the Notice. We think that certain of the proposed rules, taken together with their likely precedential impact, have the potential to chill the development of global electronic commerce. The Commission should resist the urge to mandate design standards and should act with great caution in this context. In many cases, advances in technology (e.g., content-filtering browsers) may already empower parents to address many of the concerns raised by the Commission in this proceeding.
Dell will focus its comments on three issues: the methods by which "verifiable parental consent" may be obtained; the requirements necessary for notices to be prominent; and the security measures required of operators.
Methods of Providing Verifiable Parental Consent
Section 312.5(b) of the proposed rules provides that "[a]n operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology." The Commission has asked for comments on the feasibility, costs, and benefits of various methods of obtaining parental consent.
Dell believes that the performance standard ("reasonable efforts") set forth in Sec. 1302(9) of the Children's Online Privacy Protection Act of 1998 ("COPPA") provides appropriate guidance in the context of online commerce. The Commission should not impose detailed rules concerning the methods by which parental consent must be obtained, and should instead proceed on a case-by-case basis.
Many traditional consent methods may impose unnecessary costs and burdens if mandated in an online medium. For example, a requirement that a parent physically mail a signed consent form to a website operator would impose significant costs on that operator, who would have to deal with potentially thousands of forms and the chore of correlating each hard copy form with online information about the child who was the subject of the form. Although such a task may impose a relatively small burden on a company the size of Dell, it could create a significant entry barrier to small website operators, who may not have the time, personnel, or money to take on these tasks. Moreover, such a task would introduce significant delays into a medium where speed and ease of access are among the most valued attributes.
While traditional solutions to the problem of obtaining consent may not be well adapted to the online environment, the medium creates the opportunity for the development of new mechanisms for obtaining verifiable parental consent. As the Commission notes in its commentary, one such alternative on the horizon is the use of electronic mail accompanied by a valid digital signature. An e-mail mechanism offers a number of advantages over its physical counterpart: it should be simpler and less time-consuming for the parent, it can be almost immediate and therefore preserve the character of online interaction for the child, and it can allow an operator to more simply record when and if a parent has provided consent. Other online consent mechanisms, such as the use of a unique adult identifier like a credit card number, can offer similar advantages.
The use of electronic means for obtaining parental consent may have a desirable byproduct: encouraging parents to spend more time exploring the internet with their children. Dell believes that parents are in the best position to supervise their children's online activities when the family computer is in a common area and when parents (as well as children) check in regularly. Parents who become familiar with the internet and the use of electronic communications will be better able to establish practical rules for what their children can and cannot do online.
Dell suggests that the Commission leave Section 312.5(b) as proposed. The performance standard set forth in COPPA is adequate and will allow for the development of new modes of obtaining consent that are both reliable and fit the online medium.
The FTC should continue to work with industry to inform parents of the many tools available for safeguarding the privacy of children in the online environment.
Placement of Notices
Section 312.4(b) of the proposed rules lists an operator's obligations with respect to the placement of notice of its information practices. In particular, subsection (b)(1) requires that links to the notice be "placed in a prominent place on the home page . . . such that a typical visitor . . . can see the link without having to scroll down." While Dell appreciates the Commission's legitimate concern with consumers' access to appropriate online disclosures, Dell believes that Section 312.4(b) goes too far by mandating the specific placement of notices. The prominence of any link depends on the context in which the link appears. Accordingly, the Commission should adopt a flexible approach to placement that accommodates a range of effective alternatives.
Dell agrees with the Commission that an operator's information policy should not be hidden in nests of embedded hyperlinks or endless scroll-down sequences. So long as the link to this policy is clearly marked and readily noticeable, however, mandating placement "above the fold" is unwarranted. Whether a link is likely to attract attention depends on a number of context-specific factors and cannot be assessed in the abstract.
Moreover, the Commission's approach should recognize the unique qualities of the internet. This medium requires exploration by consumers. Internet users, irrespective of age, do not simply view what appears on a single frame and assume that they have seen all relevant information. Users know how to use a mouse and are accustomed to scrolling or using hyperlinks to access more detailed information. Indeed, one of the most significant findings of recent research into web-site usability by Jared Spool, a leading expert on interface design, is that users are perfectly willing to scroll down to retrieve information. The strict prohibition against requiring a user to scroll down in Section 312.4(b) would proscribe potentially consumer-friendly alternatives.
Finally, differences in consumers' computer equipment make it virtually impossible for an operator to guarantee that a particular link will appear on a specific screen on every consumer's computer. Many factors, including the size and sophistication of the user's computer equipment and the settings embedded in the user's browser, affect what a consumer sees on a particular screen.
Section 312.8 of the proposed rules requires operators to "maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children." The Commission has requested comments concerning practices used by operators to maintain the safety and confidentiality of data collected online.
At Dell, security is a primary concern. Security methods are changing very quickly, however, and Dell constantly revises its security practices. Given the pace of change in this area, Dell believes that any specific security rules promulgated by the Commission will inevitably and quickly be outmoded. Additionally, while Dell expects its security practices would exceed any standards promulgated by the Commission, specific rules are likely unfairly to burden newer or smaller e-commerce entrants.
In adopting a final rule, the Commission should refrain from mandating any specific procedures, policies or mechanisms for safeguarding personal information. Given the vast array of effective internal procedures that operators conceivably could implement, the Commission need not dictate a specific mechanism (or set of mechanisms) for achieving compliance. Instead, consistent with the White House directive in A Framework for Global Electronic Commerce (<http://www.whitehouse.gov/WH/New/Commerce/read.html>), the Commission should take a minimalist approach to security procedures that emphasizes flexibility. The performance standard set forth in COPPA and in the proposed rule ("reasonable procedures") provides sufficient and appropriate guidance to online operators.