COMMENTS OF THE
June 11, 1999
TABLE OF CONTENTS
II. VERIFIABLE CONSENT SHOULD BE INTERPRETED FLEXIBLY IN ACCORDANCE WITH THE PLAIN LANGUAGE OF THE STATUTE.
III. EXCEPTIONS TO PARENTAL CONSENT
IV. PARENTS RIGHT TO DISCLOSURE AND OPT-OUT OF INFORMATION COLLECTED FROM THEIR CHILD
V. THE NPRMS NOTICE REQUIREMENTS ARE EXCESSIVELY AND UNNECESSARILY COMPLEX AND REGULATORY, AND MUST BE SHORTENED AND SIMPLIFIED SIGNIFICANTLY.
VI. THE SAFE HARBOR PROVISION SHOULD BE MODIFIED TO PROVIDE GREATER INCENTIVES FOR SELF-REGULATION.
VII. DEFINITIONS AND OTHER ISSUES OF SCOPE OF THE RULE
VIII. BROAD STRICT AND VICARIOUS LIABILITY
IX. CONFIDENTIALITY, SECURITY AND INTEGRITY PROTECTIONS
X. ASSUMPTION THAT COLLECTION OF INFORMATION FROM CHILDREN IS BAD
The Direct Marketing Association, Inc. ("The DMA") is pleased to comment on the Federal Trade Commissions ("the Commissions") Notice of Proposed Rulemaking to implement the Childrens Online Privacy Protection Act of 1998 ("COPPA" or "the Act").
The DMA is the largest trade association for businesses interested in direct, database, and interactive marketing and electronic commerce. The DMA represents more than 4,500 companies in the United States and 54 other nations. Founded in 1917, its members include direct mailers and direct marketers from 50 different industry segments, as well as the non-profit sector. Included are catalogers, financial services, book and magazine publishers, retail stores, industrial manufacturers, Internet-based businesses, and a host of other segments, as well as the service industries that support them.
The DMA member companies have a major stake in the success of electronic commerce, and are among those most likely to benefit immediately from its growth. The DMAs leadership is continuing to extend into the Internet and electronic commerce areas with its recent acquisitions of the Internet Alliance and the Association for Interactive Media. Members of The DMA include prominent childrens content providers such as Highlights for Children, Grolier, and Disney, as well as other e-commerce leaders including L.L. Bean, Time Inc., Dell Computer, Gateway 2000, DoubleClick, eBay, and America Online.
Last fall, The DMA supported and worked actively with the Commission on the passage of the Childrens Online Privacy Protection Act. The DMA supported this legislation because we believe that young children present a special case. Unlike adults, children may not fully understand choices regarding privacy. The legislation was based in part on existing DMA guidelines, followed by its members.
The DMA appreciates the Commissions thorough inquiry into issues raised by COPPA on questions such as the proper means of obtaining parental consent. However, we have serious concerns that significant aspects of the proposed rule would impose overly regulatory, highly impractical requirements on website operators. The extensive body of regulations set forth in the NPRM are so complex and restrictive we expect they would deter many operators from collecting any information online from children or from establishing interactive commercial sites for an audience of children.
Taken as a whole, these requirements would undermine the balance that Congress sought to achieve through COPPA by compromising "the interactivity of childrens experience on the Internet." 144 Cong. Rec. S11657 (daily ed. Oct. 7, 1998) (remarks of Sen. Bryan) (hereafter "Bryan Statement"). The final rules should be revised to eliminate excessive, overly burdensome access restrictions and other regulatory requirements discussed below in order to avoid the unintentional effect of discouraging children from having interactive experiences at the many appropriate child-friendly Internet sites of our members.
In light of the importance and complexity of the proposed rules, The DMA requests that the Commission accept reply comments in response to the comments filed in this proceeding. The rules set forth in the NPRM represent the most detailed regulation of the Internet heretofore proposed under United States law. Although the NPRM intends to address a narrow legal area, it does so in extraordinary depth, raising a number of complex practical, legal and technological issues that may produce negative unintended consequences. It is, therefore, critical that the Commission have the benefit of a thorough discussion of the myriad issues that its rulemaking has set forth. Reply comments would provide the Commission with a far clearer record on the many empirical questions included in the NPRM, as well as on a number of other important issues that the NPRM may not have anticipated.
The DMA is concerned that the highly regulatory approach taken in several important aspects of the proposed rules would send a negative signal to other countries that seek to impose heavy regulation of electronic commerce, which would dilute the United States extremely valuable competitive advantage in the Internet industry. This would be inconsistent with overall Administration policy on the Internet. Moreover, some of these requirements are inconsistent with the plain language of the detailed statutory scheme that the rule is to implement.
Our comments, among other points, urge the Commission in its final rules to: (1) endorse easy-to-use e-mail-based consent mechanisms that will not chill the availability of interactive sites for children; (2) reject parental "rights" to pick and choose between practices set forth in the operators privacy notice, rather than accepting or refusing to consent to the operators practices as a whole; (3) clarify certain exceptions to parental consent; (4) reject a parental "right" to alter data an operator has collected; (5) simplify significantly the rules lengthy notice requirements; (6) modify the safe harbor provision so that it is less prescriptive, provides greater incentives for operators to join self-regulatory efforts, and leaves room for true self-regulation to resolve compliance problems; (7) make clear that the rules do not apply retroactively to information collected before the statutes effective date; (8) modify the definition of "collection" so that is does not apply to material submitted to an operator through other media or to inadvertent collection of information; (9) clarify that the statute does not impose strict or vicarious liability for the conduct of third-party contractors where contractors agree to follow the requirements of the statute; and (10) clarify the Commentarys discussion of security measures.
II. VERIFIABLE CONSENT SHOULD BE INTERPRETED FLEXIBLY IN ACCORDANCE WITH THE PLAIN LANGUAGE OF THE STATUTE.
The DMA welcomes the Commissions review of methods of obtaining parental consent that are practical for website operators, parents and children alike. (NPRM, p.21) Defining a standard of verifiable consent is challenging given the current technological framework of the Internet. As the Commission develops regulations in this area, a variety of means of compliance should allow for flexibility in compliance and for continued technological and business developments in this area.
A. The statutory consent standard
"Sufficient assurance" must be assessed in light of the statute, and the term "verifiable parental consent" is defined very flexibly in COPPA. The relevant standard for consent under the act is reasonable effort, not whether the method of consent provides a very high level of assurance that the parent is actually consenting. Notwithstanding its use of the word "verifiable," Congress specifically defined the term "verifiable parental consent" as encompassing "any reasonable effort (taking into consideration available technology)" to ensure parental authorization. 15 U.S.C. § 6501(9) (emphases added). As the legislative history specifically confirms: (1) "[t]he term should be interpreted flexibly," (2) "reasonable effort" suffices, and (3) reasonableness must be interpreted in light of the constraints of "available technology." Bryan Statement at S11657. Moreover, e-mail consent is contemplated by the statute. COPPA contains an exception to parental consent for collection of "online contact information" in order to secure parental consent. 15 U.S.C. § 6502 (b)(2)(B). Online contact information is in turn defined primarily as an e-mail address. See id. § 6501(12).
Members of The DMA have been actively exploring means of obtaining verifiable consent and the level of effort that will be required to comply with this requirement. An evaluation of the various means of obtaining such consent should be a focal point of any workshop on these rules.
B. Methods of obtaining parental consent
Questions 12-16 explore the different components and possibilities associated with obtaining parental consent. In general, we believe that in light of the flexible statutory language and the experimentation that is likely to occur in this area, the Commission should adopt a flexible verifiable consent approach that allows operators to choose from a range of methods that work best for them. However, in order to provide needed certainty for operators working to conform to the Commissions rules, it should specify a list of methods, including e-mail consent, that satisfy the Commissions rules.
With regard to specific methods for obtaining parental consent discussed in Question 13 and on pp.20-21 of the NPRM, the Commission should recognize e-mail consent under further, defined circumstances, as well as developments likely to be incorporated in the P3P standard and other emerging technologies to allow parents to pre-select privacy preferences for their children.
In answer to Question 13(f), e-mail accompanied by digital signatures holds significant promise as a means for obtaining verifiable consent, but presently digital signatures are costly and have very modest market penetration and would, therefore, be impossible to implement on a broad scale. There are continuing debates and differing standards that have emerged for digital signatures, making the prospect of adoption of such technologies in the near future unrealistic.
With regard to Question 13(d), other e-mail-based mechanisms are easy to implement and satisfy the statutes "reasonable effort" standard. For example, receiving e-mail consent from an e-mail address that is different from the childs satisfies the "reasonable effort" requirement. Furthermore, if the parent and child share the same e-mail address, the reasonable effort standard is satisfied if: (1) the e-mail seeking consent is sent at a time of the day when a child would not reasonably be expected to receive it; or (2) the e-mail consent form is returned containing information that a child would be unlikely to know; and (3) a subsequent e-mail is sent to the parent for verification purposes asking the parent to respond if the response providing consent was not from one of the childs parents.
E-mail and other methods of online consent are far preferable to (although not a complete substitute for) the mail, fax, credit card and toll-free telephone approaches suggested in the notice. Although each of these non-online consent methods is of some use, they all are cumbersome enough to chill consents and to reduce interactivity opportunities for children without significant online consent possibilities.
Residential online users are reluctant to use "snail mail," and often do not have access to fax machines. Furthermore, printing out, signing and mailing back forms is something that most Internet users are highly averse to doing once accustomed to communicating instantaneously at no cost online. These methods also have the disadvantage of being slow. Neither can be processed immediately and automatically, unlike e-mail, and postal mail often takes multiple days¾ itself a long time in the eyes of many Internet users¾ and perhaps weeks to process and enter the information. Indeed, last summer Time Warners Sports Illustrated For Kids site experienced an approximately 80% drop in responses to its offer of risk-free subscriptions to the magazine when it shifted from an e-mail notice and opt-out system (which the company had offered successfully with no complaints) to a mail-in or fax-in consent form system.
Credit card verification is equally unpromising as a vehicle for verifiable consent. As the ACLU v. Reno litigation clearly established, use of this methodology is "not economically feasible for most noncommercial speakers," Reno v. ACLU, 117 S. Ct. 2329, 2349 (1997), and is little better for free non-commercial sites. It typically imposes costs up to $3 per verification. Furthermore, heavy reliance on credit card numbers as a means of consent would seriously restrict interactive experiences for children because nearly 75% of consumers are reluctant to give out their credit card numbers online. Louis Harris & Associates, 1999 National Consumers League, Consumers and the 21st Century at 15 (May 1999).
Heavy reliance on credit card verification also would run counter to Administration policy by discriminating against lower-income children, whose parents often do not have credit cards, thereby denying them experiences at sites tailored especially to their age group. Additionally, some of our credit card company members have expressed concern that proliferation of credit card numbers submitted for verification to sites that have not implemented strong security measures would increase credit card fraud. For example, sites that do not complete financial transactions may not be set up to ensure adequate security, so that there is a real possibility of fostering identity theft.
Toll-free numbers are more convenient and from the callers voice alone can provide a reliable indication that the caller is at least 13 years old. However, they involve significant telephony, dedicated operator, and data input costs, and are much too expensive for many operators to afford.
Finally, The DMA commends the Commission for its statement in the Commentary that consent services may be performed for third parties by portals and online services. (p.21) However, many if not most websites will not have partnering arrangements with portals and online services, and the Commission should be cautious not to dictate business models that would require affiliations with portal or other online services. Accordingly, it should be acceptable, as the Commentary suggests (at p.21), for third-party businesses to perform the same consent services, provided that they too are subject to applicable requirements of COPPA.
C. Parental "right" to pick and choose between practices set forth in the operators notice
1. Consenting to collection and use, but not to disclosure
The parental right, set forth in § 312.5(a)(2), to consent to collection and use of personal information "without consenting to disclosure" as presently framed is overbroad and inconsistent with the statute. The proposed rule currently reads that the "operator must give the parent the option to consent" only to collection, id. (emphases added), imposing upon the operator an affirmative obligation to provide service to the child if the parent consents only to collection and use. This obligation is inconsistent with the statute. The consent provision of COPPA requires the operator "to obtain verifiable parental consent" (emphasis added). 15 U.S.C. § 6502(b)(1)(A)(ii). However, nowhere does it suggest that the operator must provide service to the child if the parent consents to any (or all) of these categories. Under the rules, the operator of course has that option, but it should not be mandatory.
Indeed, with regard to the analogous parental right to opt out of further use, maintenance or collection under § 6502(b)(1)(B)(ii), the statute expressly provides that the operator may terminate service to the child. § 6502(c). This provision must be deleted, or at least modified so that it expressly disavows any obligation for operators to provide service if a parent refuses to accept any part of an operators practices described in the notice.
2. Picking and choosing between different internal uses
The statute states that "a request for authorization for future collection, use and disclosure described in the notice" is sufficient to fulfill the statutory consent requirement. 15 U.S.C. § 6501(9) (emphases added). This language is incompatible in three fundamental respects with the notion set forth in Question 12 (at p.37) that parents should be given the option to pick and choose between different internal uses of the childs information.
As the statutory language makes plain, under COPPA parents do not consent to one or more particular uses, but to all internal use of the information described in the notice. First, the term "use" not only appears in the singular, but also without a preceding article, so that consent is clearly not given to particular uses. Second, consent is to "use . . . described in the notice," indicating that the offer described in the notice is what the parent either rejects or accepts through consent. Third, this provision specifically authorizes broad requests for and authorizations for "collection, use and disclosure" of information. The sort of particularized consent envisioned by the question is completely at odds with this system.
The result is not only statutorily required, but also good policy. Consents to particular internal uses would greatly complicate the notice and consent process, and would require extensive coding of data, thereby increasing operators costs significantly and discouraging them from offering interactive sites for children.
III. EXCEPTIONS TO PARENTAL CONSENT
A. Notification to parents for online contact information should follow the time frame set out in the statute¾ "before any additional response after the initial response to the child."
The Commissions proposed regulations concerning exceptions to parental consent are inconsistent with the statute in a few respects. First, § 312.5(c)(3) requires "immediate" notification to parents in the case of online contact information used more than once to respond to a specific request of a child. The statute sets out a different time frame¾ "before any additional response after the initial response to the child." See 15 U.S.C. § 6502(b)(2)(C)(i).
Requiring notice "immediately" after the first response is far too rigid a requirement to be consistent with the statutory framework. In the case of a monthly or bi-monthly newsletter, for example, if notice is sent 15 days or a month after the initial response, it would still be timely. The DMA recommends that the time frame for notice in § 312.5(c)(3) be changed to "a reasonable time before the second response."
B. Dissemination must be permitted for the statutory purposes addressed in § 312.5(c)(5).
Second, 15 U.S.C. § 6502(b)(2)(E) expressly allows collection, use and dissemination of personal information for a set of statutory purposes. The version of § 312.5(c)(5) as set forth on p.23 of the Commentary, omits the words "or disseminated" from the second to last line. This clause should be added to the regulation to correctly reflect the language of the statute.
C. The regulations should clarify that a childs specific intention to receive information from a site, not the specificity of the scope of the request, governs whether the response to request-of-a-child exceptions apply.
The Commentarys proposed requirement that a childs request under § 312.5(c)(2) be "specific in scope" (p. 22) requires further clarification in order adequately to capture the meaning of the phrase "specific request of a child" in 15 U.S.C. § 6502(b)(2)(A). For purposes of the statute, what is important is that the child specifically indicates his or her desire to receive information from the site, not that the child frames the request so as to request specific information. The particular information requested is irrelevant for both privacy and safety considerations. Moreover, it would be extraordinarily difficult for sites to screen requests based upon whether they request specific information. Indeed, that approach would raise vagueness concerns. This requirement should be deleted from the Commentary.
D. The child safety exception should apply in areas specifically designated by operators.
With regard to child safety, the Commission makes the broad assumption that "parents are in the best position . . . to intervene if a child is threatening another child while engaged in a chat room." (p.23) While this will usually be true, there are situations, for example, where a parent or guardian is not available, where a direct warning or intervention with the child or notification of law enforcement officials may be necessary. Indeed, the recent tragedy in Littleton, Colorado is a reminder that warning parents may be insufficient to prevent harmful conduct by their children. The child safety exception of 15 U.S.C. § 6502(b)(2)(D) should apply where the operators segregates or specially designates the data for that purpose. See Question 19.
E. The Commission should clarify that there is an exception to parental consent and notice and opt-out for letters to the editor, submissions the operator strips of personal information, and requests for access to websites approved by teachers or school administrators.
With regard to additional exceptions to prior parental consent that the Commission should recognize under 15 U.S.C. § 6501(b)(2)(C)(ii), discussed in Question 21, The DMA strongly recommends that the Commission allow bona fide childrens online magazine sites to accept and publish letters to the editor collected with personal information from children, provided that the personal information in the letters is not used or disclosed in individually identifiable form. These letters are an important part of the service of magazines such as Highlights for Children. Operators cannot accept them by e-mail without collecting the childs e-mail address. Furthermore, many children who write letters about family problems, for example, do not want their parents to be notified about them. Indeed, in a disturbing number of cases, such letters describe cruelty children have endured at the hands of parents or guardians.
Moreover, as discussed more fully below, this exception should also apply to requests by children to submit personal information to the operator (such as sending an e-mail to the operator) if the operator strips individually identifiable information out of the submission and does not use or disclose it. Such a rule would provide very helpful incentives to operators to make information that they collect (and in many cases are unable to collect without some personal information) non-individually identifiable. Because such a process minimizes privacy and safety concerns, the Commission should encourage electronic collection processes that produce material that is not individually identifiable.
Finally, as discussed further below, the Commission should recognize either under § 6502(b)(2)(C)(ii) or its discretion to approve special methods of verifiable consent in schools, that a parental consent right would not apply when children are using websites at schools. To require that teachers obtain consent from parents for every childrens site that collects information would put an unnecessarily bureaucratic framework in place for schools and could result in limiting the excellent educational services that sites are developing. Instead, the teacher or school administration should be able to furnish consent for educational uses of websites in school without parental consent or notice and opt-out.
F. Answers to other questions on parental consent
Question 17(a) asks what is a reasonable time after which information collected for purposes of seeking parental consent should be deleted when consent is not obtained. In The DMAs view, two months is an appropriate time, based upon the experience of our members who already seek parental consent.
With regard to Question 17(b) regarding requiring operators to maintain a "do-not-contact" list to avoid multiple requests for consent, such a requirement would be inconsistent with the legislative history and structure of the statute. The legislative history specifically provides that even after a parent has demanded (and obtained) no further retention of a childs information, the operator may seek consent from the same parent in the future. Bryan Statement at S11658. Imposing the same sort of preclusion against future contacts, but only in cases where consent has been denied initially, would be an odd result inconsistent with congressional intent.
Furthermore, this requirement would contravene the structure of the statute (and one of the expressed purposes of the Commentary, at p.25, n.12) by requiring operators to maintain records on children and parents who have refused consent. Additional costs of such a requirement would include extra coding and record-keeping for the operator for all incoming requests, and delays in online sign-ups while the operator checked each request against a do-not-contact list. Benefits would be minimal, as parents could simply throw away any request for consent and, if they were bothered by receipt of consent requests, could contact the operator directly.
Alternatively, as discussed below, operators should be allowed to maintain suppress lists with respect to both operators requests for consent and parents requests for no further maintenance of information already collected. However, at most, use of a do-not-contact list should be required only where the parent opts out of further contacts from the operator. A mandatory do-not-contact list is too rigid in the case of refusal to grant consent. For example, parents who deny consent for an eight-year-old to disclose information, may have a very different opinion with regard to the same child only a few years later.
Moreover, in the event that the Commission approves a do-not-contact list, it must clarify that operators are not strictly liable if they fail to honor the list. For example, users often switch their ISP, domain name, and other technological means of identifying them. In these situations, operators may well not know that they are interacting with an individual on their do-not-contact list. The Commission should make clear that operators are not liable in such situations.
Question 18 asks whether under the exception for collection in order to seek parental consent there are circumstances that would necessitate collection of a childs online contact information. Collection of this information will almost always be necessary in order to complete the registration process or otherwise to contact the child at the conclusion of the consent process to inform the child that he or she may proceed at the site with the activity in question. In any event, the statutes use of the word "or" throughout 15 U.S.C. § 6502(b)(2)(B) amid a list of permitted activities does not leave the Commission discretion to exclude certain listed information from the statutory exception.
Question 20 asks whether collection of a childs name or e-mail address is necessary for three of the purposes set forth in 15 U.S.C. § 6502(b)(2)(E). It is necessary for all three purposes because this information is the only way to identify users of a site. For example, in the case of computer hacking (which is commonly perpetrated by younger computer users) or other forms of illegal activity, the ability to identify a user is essential to tracking perpetrators of criminal activity and revoking access to a site by an individual who presents a security threat. Information regarding the identity of wrongdoers will in many instances be necessary to aid in law enforcement. Furthermore, where children report parental abuse online, the identity of the child must be disclosed to the authorities without notice to or consent of the parent. Finally, if the information is in the possession of the operator for other reasons, it is necessary to aid in the judicial process in the case of any subpoena or other court order that requires disclosure of information in the possession of the operator. For example, subpoenas issued under the Digital Millennium Copyright Act, 17 U.S.C. § 512(h), require service providers to supply the identity of an alleged infringer of copyright upon receipt of a subpoena from a copyright owner or its agent.
IV. PARENTS RIGHT TO DISCLOSURE AND OPT-OUT OF INFORMATION COLLECTED FROM THEIR CHILD
A. Parental disclosure
COPPA requires marketers to offer parents a "reasonable" means to obtain the information collected online from their child, and provides marketers with immunity from liability for disclosures to parents "made in good faith and following reasonable procedures." 15 U.S.C. § 6502(b)(1)(B)(iii) and (a)(2). The NPRMs proposed regulations require operators to offer a "means" for parental review of information collected online by the operator about their child. § 312.6(a)(3).
An essential part of the legislative compromise on this issue is immunity for operators who carry out in good faith the disclosure obligation of the statute¾ an obligation that industry did not seek and that stands in contrast to most U.S. commercial privacy laws. Indeed, the legislative history emphasizes that "[i]t would be inappropriate for operators to be liable under another source of law for disclosures made in a good faith effort to fulfill the disclosure obligation under this subsection." Bryan Statement at S11658. Moreover, common law tort already provides a backdrop of incentives for operators to take precautions to ensure that information is not wrongly disclosed. Thus, it is unnecessary for the Commission to create an extra overlay of regulation in this area that is not found in the statute.
For this reason, rather than attempt to extend liability already found at common law, the Commission should spell out clearly several examples of precautions that industry may take to protect itself from liability under other laws for a disclosure made under COPPA, as provided in § 312.6(b). For the same reasons, the Commission should also make clear that good faith disclosures of information to someone who purports to be a parent do not produce liability under the Commissions rules.
This is particularly important because the proposed rule sets out confusing and seemingly contradictory obligations on operators: "ensur[ing] that the requestor is a parent of that child" and providing a means of screening parents that is "not . . . unduly burdensome to the parent." § 312.6(a)(3)(i) and (ii). Indeed, the NPRMs use of the word "must" before these contradictory obligations to describe the disclosure obligation could be misconstrued as creating liability under the rule if an operator makes the wrong choice. This result would be particularly inappropriate because the statute requires, and creates immunity for, disclosure, and nowhere suggests liability under COPPA if the means of screening parents are not "reasonable under the circumstances." 15 U.S.C. § 6502(b)(1)(B)(iii).
At the very least, the Commission should insert the word "reasonably" at the start of § 312.6(a)(3)(i), which would make the provision consistent with the statutory language and with the Commentary, which states the screening mechanism need only "reasonably ensure" that the requestor is a parent of the child. Compare § 312.6(a)(3)(i) with p.25.
The particular methods of identifying parents listed in the Commentary (at p.25)¾ requiring a copy of a drivers license proving domicile at the same address as the child, providing a password chosen at the time parental consent is provided¾ are adequate to identify parents. These should be specifically listed as examples in the regulation in order adequately to inform operators and the public at large. The DMA believes that any such requests by parents also should be in writing to provide a record that such a request in fact occurred. In addition, operators should not be put in the potentially awkward situation of determining which parent can obtain access in custody situations. The Commission should make clear that operators will not be liable in such situations. The DMA looks forward to reviewing responses to Question 22 and responding to suggestions of additional means at a later time.
Finally, The DMA agrees strongly with the Commentarys observation (at p.25, n.12) that disclosure of "the specific types of information collected" under § 6502(b)(1)(B)(i) should not be subject to stringent identification requirements, as none of this information relates to an individual child.
B. Parental "right" to alter data
The NPRMs attempt in § 312.6(a)(3) to create a parental right to alter data collected by an operator goes far beyond and is contrary to the detailed statutory scheme set forth in COPPA. The statutory provision in question provides parental rights only "to obtain" information collected online from the parents child and "to refuse to permit . . . further use or maintenance . . . or future online collection." See 15 U.S.C. § 6502(b)(1)(B)(ii) and (iii). Altering data is of course an entirely different concept than "obtaining" it or opting out of its collection, use and disclosure.
Neither the statute nor its legislative history makes any mention of a parental right of correction or alteration, even though this right is commonly understood as distinct from the access and opt-out rights set forth in the statute. Furthermore, an unlimited right to alter data runs directly counter to the statutory goal of preserving the "integrity of personal information collected from children." See 15 U.S.C. § 6502(b)(1)(D).
The Commissions regulatory authority under COPPA is confined to promulgating regulations that fulfill the specific provisions of the statute. See 15 U.S.C. § 6502(b)(1). Nor does the Federal Trade Commission possess any additional rulemaking authority on this record. 15 U.S.C. § 45(n) expressly prohibits policy considerations from serving as the basis for declaring an act or practice "unfair." The Commission must affirmatively demonstrate that the act or practice "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition" before such rulemaking authority may be exercised. Id. Such a finding simply cannot be supported.
Proposed § 312.6(a)(3)s creation of a parental right to "mak[e] changes" to data is also bad policy. This right is in fact even broader (and less defensible) than a right of correction. It is in no way limited to correcting errors, and applies to all personal information about the child in all circumstances. In adopting COPPA, Congress certainly had no intention of requiring operators to accept false information.
Furthermore, the categorical rule is unnecessary. Operators may accede to parental requests to change some sensitive data regardless of this rule¾ either because it is the right thing to do or because the parent has the right to insist on deletion of all the data. However, the proposed rule fundamentally alters the statutory opt-out relationship between the parent and the marketer in a way that would result in incomplete and inaccurate data.
The Commission must adhere to the language of the statute, delete the phrase "and making changes to" in the second line of § 312.6(a)(3), and rely upon the parental opt-out right as a more than sufficient incentive for negotiation between the operator and the parent. The requirement in § 312.4(b)(2)(vi) to notify parents that they have the ability to make such changes must likewise be deleted.
C. Scope of the parental opt-out of use, maintenance, and future collection
As noted above, the legislative history regarding this opt-out makes clear that the
opt-out "operates as a revocation of consent that the parent has previously
given," and does not preclude the operator from seeking consent from the same parent
for the same or different activities. Bryan Statement at S11658. Accordingly, the second
line of § 312.6(a)(2) should be changed by inserting the phrase "under the
consent previously given" after the phrase "from that child." This
change in the regulation is necessary both to reflect congressional intent, and to avoid
imposing a heavy record-keeping and programming burden upon operators, as well as
obligations to retain personal information.
V. The NPRMS notice requirements are excessively and unnecessarily complex and regulatory, and must be shortened and simplified significantly.
The NPRM proposes enormously detailed regulation of the content, form and timing of notices to obtain parental consent and notices for opt out. The Commission should make significant changes to these proposed notice regulations. Unless changed, the proposed rule would overturn sound, established privacy practices in the Internet industry, require all operators to expend significant legal fees to comply with the rule, and require such precision in the notice that operators would repeatedly be required to seek further consents from parents.
The level of detail required for website notices should be cut back significantly. As Question 8 suggests, it is inappropriate to require the same amount of information on the website as in a notice supplied directly to a parent. Website notice plays a largely redundant and far less important function given the Acts heavy emphasis upon parental control over childrens online disclosures of personal information.
The Commentary suggests that marketers face the "challenge" of not overloading parents with information. (p.16) In fact, it is the proposed rule itself that requires so much disclosure that it would disserve even the privacy interests it is designed to further by overwhelming parents and children alike with more information than they could assimilate. See Ford Motor Credit Company v. Milhollin, 444 U.S. 555 (1980) (meaningful disclosure does not mean more disclosure, rather "it describes a balance between competing considerations of complete disclosure . . . and the need to avoid . . . [informational overload.]" (quoting S. Rep. No. 96-73, at 3)); see also Scofield v. American Tele-Cable, 973 F.2d 874, 880 (10th Cir. 1992) ("The virtue of meaningful disclosure is lost when the inclusion of too much information results in . . . just another legal document instead of the simple, concise disclosure form Congress intended.") (quotations omitted). We submit that it is the responsibility of those crafting regulatory requirements to avoid creating such challenges.
The proposed notice regulations alone occupy three single-spaced pages of text. This level of detail is in no way required by the statute, which simply requires operators to "provide notice on the website" of their collection, use and disclosure practices regarding personal information. 15 U.S.C. § 6502(b)(A)(i). The legislative history adds only that "notice should be clear, prominent and understandable." Bryan Statement at S11658. We address the changes that the Commission should make to § 312.4 in the order of the proposed text and of the Commissions questions regarding notice.
A. Placement of privacy hyperlinks
1. Requiring that the links be visible without having to scroll down
Question 5(a) asks whether there are "other effective ways of placing notices that should be included in the proposed rule." The answer is that placing the link prominently at the bottom of a webpage or any other location that is easy to find and read is sufficient to protect the privacy interests of the statute. Because this information will also be supplied directly to the parent, whom the statute gives control over a sites ability to collect, use and disclose information from the child, cf. Question 8, prescribing placement of the hyperlink is not only burdensome, but unnecessary.
2. Clarifying application of the requirement where only a portion of the site is directed to children
In addition, the final rules should clarify that where only a portion of a website is directed to children under the rules, the hyperlink to the operators childrens privacy notice may be placed on the home page for the childrens portion of the site, instead of on the home page for the entire site.
COPPA applies not only to sites that are entirely directed to children, but also to "that portion of a commercial website . . . that is targeted to children." 15 U.S.C. § 6501(10)(A)(i). In many instances, COPPAs requirements will apply to only a small portion of a large, general interest website. In such circumstances, the overwhelming majority of visitors to the sites homepage will have no interest in the sites childrens privacy notice. By contrast, users interested in the sites childrens content will typically go directly to the designated childrens area. In such circumstances, the operator should have the option of fulfilling its obligation under § 312.4(b)(1)(ii) by placing the childrens privacy notice link at the main entry point to the childrens portion of the site.
Accordingly, the notice requirement of § 312.4(b)(1)(ii) should be amended to take account of this distinction and, where only a portion of the site is targeted to children, give the operator the option of placing its childrens privacy notice on the homepage for the childrens portion of the site, instead of on the homepage of the entire site.
B. Requirement to provide notice regarding privacy practices of others
Section 312.4 also is overly regulatory in requiring inclusion of a significant amount of text regarding the practices of third parties who receive the information. The first of these requirements, disclosure regarding operators collecting information through the site under § 312.4(b)(2)(i), is worded too broadly and should be clarified.
Second, it is possible that the third-party operators referred to in the question may transfer information to other parties without the knowledge of the original operator. In this circumstance, the operator who disclosed the information, not the original operator, should be responsible for notifying the public on its website of its information practices. Because the transferor would also be an operator subject to the requirements of COPPA, this allocation of responsibility is entirely appropriate and does not create a loophole.
Therefore, § 312.4(b)(2)(i) should be amended to strike "address, phone number and e-mail address" on its first line and replace it with the phrase "and a URL for or hyperlink to the website of." In addition, the word "directly" should be inserted immediately before "through the website or online service" in the last line of the paragraph.
Furthermore, in response to Question 7, it would be entirely inappropriate to require an operator to provide any detail about third parties information practices. The statute requires only that an operator describe its own practices, including "the operators disclosure practices for" the personal information it collects. 15 U.S.C. § 6502(b)(1)(A)(i) (emphasis added). There is no basis in the statute or its legislative history for requiring disclosure regarding practices of others. Moreover, such a rule would be bad policy. Given the remote nature of Internet communications, operators are simply not able to verify or guarantee the practices of third parties beyond obtaining contractual commitments from the entities to whom they disclose the information.
Similarly, the statute appears to provide no basis for § 312.4(b)(2)(iv)s requiring a statement regarding a third partys commitment "to maintain the confidentiality, security and integrity" of information obtained from the operator. Operators are of course bound under 15 U.S.C. § 6502(b)(1)(D) to "establish and maintain reasonable procedures" in this regard themselves, and may choose to include this information in the notice. However, this disclosure requirement is not authorized by the statute.
C. Excessive specificity regarding use and disclosure
Question 10(a) asks what information set forth in the notice is unnecessarily detailed. Notice regarding an operators uses of the personal information and the types of businesses and uses of third parties to whom it discloses personal information is another area where the notice requirements as currently framed are overly and unnecessarily detailed. This approach risks overwhelming recipients with information, as well as greatly narrowing the scope of parental consent as originally given so as to require repeated requests for additional consents, as the Commentary indicates at p.18.
The purpose of notice should be to provide general disclosure of the types of uses of the information and the entities who will receive it. See Scofield, 973 F.2d at 881-82 (interpreting similar notice requirement in the Cable Privacy Act). Therefore, it should be sufficient under the statute to disclose that the information will be used, for example, for marketing purposes or order fulfillment. See Scofield, 973 F.2d at 882.
However, § 312.4(b)(2)(iii) appears to leave room for requiring disclosure that the information will be used for routine internal purposes such as record-keeping and for other uses. This provision should mirror the language in the next paragraph, requiring simply that the operator disclose "the general purposes for which such personal information is or may be used, such as marketing or order fulfillment." Requiring a broader list of information to parents and children will simply provide unnecessary detail.
The Commentary to § 312.4(b)(2)(iv) suggests that operators must list detail such as whether third parties who will receive the information are engaged in activities such as "list brokering . . . [or] magazine publishing." Again, this information is overly detailed, and would require additional consents if these parties businesses change somewhat in the future. Disclosing the general nature of the business should suffice.
D.Impact of mergers
Section 312.5(a)(1) requires obtaining consent again before any use or disclosure of information that is not covered by the original consent¾ including sharing the information due to a subsequent merger or joint venture. Question 11 asks whether this formulation provides adequate protections given frequent mergers in the Internet industry, if it is overly burdensome, and if an alternative would provide sufficient protection.
Mergers bear significantly on a childs privacy interest only if the nature of the merged companys business changes significantly in relation to the description offered to parents before the merger in the statutory notice. In fact, mergers create a problem only if the notice is required to be excessively detailed (e.g., specifying the specific industries that third parties are engaged in) so that the consent does not adequately reflect the business of the merged company. Requiring precision in the notice so as to create the need for additional consents would prove unnecessarily cumbersome, and could be avoided by allowing more general notice in the first instance regarding use and disclosure. Furthermore, if parents are dissatisfied with any marketing activities after the merger, they can of course exercise their statutory opt-out right.
E. Listing consumer rights under the statute is unnecessary.
In addition, the inclusion of lengthy text regarding consumers rights under the statute is not necessary. Indeed, the statute does not provide a basis for requiring operators to inform parents of all their rights under the Act, and how they can exercise them. Congress is well aware of how to draft such requirements, see, e.g., 47 U.S.C. § 551(a)(1)(E) (Cable Subscriber Privacy Act), but chose not provide for such a requirement in COPPA. Furthermore, this information is unnecessary. For example, when an operator asks for parental consent, a parent will know that consent is required. Therefore, the requirement in § 312.4(c)(ii) that this be specifically mentioned is unnecessary.
At the very least, to avoid cluttering the notice with still more information, operators should have the option of complying by hyperlinking to a list of those rights on the Commissions website or by providing the URL for that list in written notice to the parent.
F. Clarifying methods of providing notice directly to the parent
Whereas § 312.5(c)(3) provides specific examples of acceptable and unacceptable means of delivering notice, § 312.4(c) leaves these means open-ended, discussing them only in the Commentary (at p.18). For the sake of consistency and clarity, the Commission should insert the sentence "Such means include, but are not limited to, sending the notice by postal mail, sending the notice to the parents e-mail address, or having the child print out a form to give to the parent." at the end of § 312.5(c)(3).
VI. THE SAFE HARBOR PROVISION SHOULD BE MODIFIED TO PROVIDE GREATER INCENTIVES FOR SELF-REGULATION.
The safe harbor provision of the proposed rules should be modified in three respects. First, § 312.10(b)(1) and (c)(1) should be changed to leave the Commission discretion to approve self-regulatory guidelines on their overall merits, rather than based only upon whether they meet all the requirements of the rules. The existing formulation is overly prescriptive and appears to leave no room for the Commission to allow self-regulation to meet the requirements of the statute in other ways. As such, prescribing the content of safe harbor guides goes far to remove the "self" from self-regulation, and does not satisfy the statutory injunction "to provide incentives for self-regulation by operators." 15 U.S.C. § 6503(b)(1).
Section 312.10(b)(2) would require an industry self-regulatory organization affirmatively to monitor and seek out violators. This regime differs markedly from the manner in which most self-regulatory regimes currently operate. Whereas some form of oversight may be incorporated into a self-regulatory mechanism, it usually is only part of a process that also includes complaints brought to the attention of the organization, which then administers its guidelines and follows due process and enforcement procedures. In its current form, § 312.10(b)(2) relegates the safe harbor provision to little more than the deputization of an industry organization, which then would be expected affirmatively to police the industry on behalf of a law enforcement agency. The expense and staff or personnel requirements of that undertaking alone would serve as a disincentive to participation. In fact, the mandate goes further than the Commissions own charter.
Finally, § 312.10(b)(3) requires an organizations enforcement procedures to (i) publicly disclose the identity of any violator, (ii) obtain consumer redress, (iii) obtain voluntary payments by violators to the United States Treasury, or (iv) refer a violator to the Commission for law enforcement, regardless of whether the organization has brought the company into compliance through other means. Again, this is contrary to the traditional notion of a self-regulatory program. Many, if not most, self-regulatory programs treat complaints and potential violators confidentially in an effort to obtain cooperation, which is more likely to occur when the accused company does not expect some form of public sanction or embarrassment at the outset. It appears counterproductive and inconsistent with the concept of a safe harbor, for example, to require disclosure of the identities of companies who commit to change their ways through self-regulation. On the other hand, if the company is uncooperative, then public disclosure is appropriate.
The current safe harbor provision, however, requires a regime of law enforcement rather than self-regulation. Its approach would significantly discourage participation in the safe harbor process, and discourage membership in any trade association adopting safe harbor guidelines, and contravene the express statutory purpose that the Commission "provide incentives for self-regulation for operators to implement [COPPAs] requirements." 15 U.S.C. § 6503(b)(1).
We ask the Commission to reconsider the structure of its safe harbor proposal to give it discretion to approve self-regulatory organizations guidelines on their overall merits, rather than on the basis of rigid, prescriptive requirements, to provide that such organizations may fulfill the safe harbor rules by reacting to complaints brought to their attention, and to allow the traditional confidential due process procedure to be followed without mandatory public and financial sanctions being imposed unless the operator does not bring its conduct into compliance with the self-regulatory guidelines approved by the Commission.
VII. DEFINITIONS AND OTHER ISSUES OF SCOPE OF THE RULE
A. Retroactive application
The Commentary (at p.4) indicates that the Commission will apply the rules to use and disclosure of information collected before the Acts effective date. This position should be reversed in the final order because it is a strained reading of the statute that runs counter to the presumption against retroactive application of legislation. Moreover, it would create major operational difficulties for, and impose major unjustified costs upon, many operators without fair warning.
The rationale set forth in the Commentary for retroactive application is that the proposed rule "applies to the use or disclosure . . . not just . . . collection." Id. However, the statutory prohibition that provides the sole basis for the Commissions rulemaking authority applies only to collection. 15 U.S.C. § 6502(a)(1). The Supreme Court has held that when a statute does not contain express language to the contrary, the presumption is that the statute will not operate retroactively without specific congressional intent that would support such a result. Here, no such intent exists, thus raising significant concerns as to the legality of retroactive application.
In determining retroactivity, a primary consideration is whether substantial inequity would result from such application. Noting that prospective application remains the appropriate default rule, the Supreme Court explained that "the presumption against retroactive regulation is deeply rooted in our jurisprudence, and embodies a legal doctrine centuries older than our republic." Id. at 265 (citations omitted). A manifestation of congressional intent is necessary to "ensure that the benefits of retroactivity outweigh the potential for disruption or unfairness." In Landgraf, a primary consideration in the Courts analysis in determining retroactivity was whether new law creates "new legal consequence to events completed before its enactment." Id. at 270. Put another way, a statute is applied retroactively if its application "would impair rights a party possessed when it acted, increase a partys liability for past conduct, or impose new duties with respect to transactions already completed." Here the event completed before enactment is the collection and processing of information. To apply this statute to information collected from children prior to the enactment of the statute would cause significant hardship on operators.
The Commentary (at pp.4-5) seriously underestimates the difficulty of requiring consent for information previously collected. Applying the statute to this information would confront operators with the stark choice of either jettisoning all data collected to date without parental consent, or conducting expensive reviews of data previously collected online. Such reviews would have to determine: (1) whether the data are covered by the Act; (2) whether parental consent was previously obtained for that data; (3) whether the operator has the information necessary to notify the parents to seek consent/provide opt-out notice; and (4) if not, how to obtain that information and seek parental consent where possible. It would thereby impose significant costs and significant operational problems on operators.
Reaching back to apply these rules to information collected before the rules take effect and operators are on notice of what the rules require and are able to set up systems accordingly is the essence of an unfair retroactive rule. Accordingly, the Commission should apply the rule only to information collected after COPPA takes effect.
B. Reaching data that is faxed or mailed in to the marketer, but requested online
The Commission should also narrow the NPRMs proposed definition of "collects or collection" in § 312.2. The NPRMs proposed definition attempts to interpret the word "collect" as encompassing information requested online, "regardless of how that personal information is transmitted to the operator." Id. The definition is intended to cover material requested online, even if it is submitted to the operator through other media. This rule is at odds with the plain language of the statute and its legislative history, which repeatedly state that COPPA applies only to information collected online.
A core feature of COPPA is explicit language limiting the statute to information "collected online from a child." 15 U.S.C. §§ 6501(8), 6502(a)(1). As the legislative history states very clearly, "This is an online childrens privacy bill, and its reach is limited to information collected online from a child." Bryan Statement at S11657 (emphasis added). Information that is actually collected through other means is therefore beyond the ambit of the statute, and of the Commissions rulemaking authority.
Furthermore, it would be very difficult for operators to implement the proposed rule except in the specific instance (cited in the Commentary at p.6) of submission of print-outs of operators webpages mailed or faxed back to the operator. In most other instances, a website operator, for example, would have no idea whether the submitter is responding to an online request.
C. The definition of personal information
The DMA also urges the Commission to clarify the proposed rules definition of personal information to provide clear protections for efforts to make information collected online from children non-individually identifiable.
Paragraph (f) of the definition of "personal information" in § 312.2 defines as personal information "a persistent identifier . . . where such identifier is associated with personal identifying information . . .." This formulation appears overbroad because use of the passive voice in the phrase "is associated with" bears no relationship to information actually in the possession of the operator. Read literally, the phrase would render useless serious efforts to make personal information non-individually identifiable even if the only association with personal information rests with an escrow agent in a secure location outside the possession of the operator. Similar to what is done to protect patient privacy when conducting longitudinal medical studies, an escrow agent could assign a code to a user and thereby ensure that the individual interacted pseudonymously with the site¾ i.e., that his or her activities are tracked, but without collection of any of the identifiers listed at 15 U.S.C. § 6501(8).
However, as with the process of aggregating data that is collected in an identifiable form, this process requires the escrow agent to collect identifying information before the agent can mask or remove it. The common theme is that data collectors should be encouraged to remove the identifying characteristics of data when such characteristics are not needed for the purposes for which organizations are using the information. The subscriber privacy provisions of the Cable Act, for example, purposefully do not reach the process of converting personally identifiable information into aggregate information. See, e.g., S. Rep. No. 67, 98th Cong., 1st Sess. 28 (1983) (the application of 47 U.S.C. § 551 to the collection of personally identifiable information "is not intended to cover the electronic collection process used to produce aggregate records that are not individually identifiable").
This definition should be modified to make clear that where (1) the association with personal identifying information is available only to an escrow agent who adheres to the confidentiality and security requirements of § 312.8, and (2) the information in the possession of the operator is not individually identifiable, then the identifier is not personal information, and the operator either should be exempt from the statutes consent and notice opt-out provisions or should not be considered to be collecting personal information.
In addition, the definition of "personal information" in § 312.2 contains inconsistent language that could be misconstrued to reach information such as screen names that are not personal information under the statute. Use of the term "personal identifying information" in paragraph (f) of the definition is unclear and should be replaced with either the term "individually identifying information" or the term "personal information." Furthermore, the phrase "an identifier described in this paragraph" in paragraph (g) could be construed to cover identifiers in paragraph (f) that are not associated with personal information. This ambiguity should be clarified by inserting the phrase "that is, or is associated with, personal information" at the end of paragraph (g).
D. Definition of disclosure
The proposed rules definition of "disclosure" should also be clarified in at least one respect. The final sentence of subsection (b) of this definition covers "any other means that would enable a child to reveal personal information to others online." This definition is overbroad.
For example, the definition may apply to simply offering Internet access through which a child can communicate online, even if e-mail is not available through the service. Unless modified, this aspect of the definition could interfere with efforts to connect classrooms to the Internet, such as the "E-rate" program by requiring the online service¾ rather than the school¾ to obtain parental consent before a student receives Internet access.
The definition should be revised slightly by striking the word "other" and inserting the word "similar" in the second to last line, and inserting the word "publicly" after "reveal personal information" in the last line of the definition, and should specifically exempt simple provision of Internet or online access.
VIII. BROAD STRICT AND VICARIOUS LIABILITY
The NPRM appears to impose a number of broad liability rules that are not found in the statute, and should be narrowed considerably. First, the Commentary to the definition of "disclosure" proposes (at p.7) that operators be strictly liable for technical support contractors (e.g., website hosting companies) or order fulfillment contractors violations of the rules disclosure or information safeguards requirements. This rule is unworkable because operators are not in a position to do more than obtain contractual assurances from their technical support and fulfillment contractors that such contractors will follow the confidentiality, security and integrity requirements of § 312.7. Furthermore, the Commissions proposal would apply over and above existing common law liability rules.
Imposing strict liability for contractors actions would simply distort the market for these services by forcing operators to perform these functions themselves or to refuse to do business with contractors that cannot completely indemnify them for violations of the Commissions rules. The better approach is to require the operators, upon the effective date of these rules, to take reasonable steps¾ for example, securing an agreement to follow the requirements of § 312.7 and terminating the agreement if they learn that the contractor is violating this commitment¾ before giving such contractors access to personal information covered by COPPA. In other respects, it is sufficient to leave the law where it is, and allow common law rules to provide further incentives for sound practices.
Finally, in response to Question 3(a), the Commentary to the definition of an "operator" is not sufficiently clear. As currently worded, it can be read as suggesting (in the last sentence of the last full paragraph of p.8) a rule of joint liability for websites/online services and others who have access to or control over the information collected. This rule is unnecessary because, as the Commentary itself notes, both entities are "operators" within the definition of the rules and therefore subject to FTC enforcement. Accordingly, the Commentary should be clarified by striking the word "the" immediately before the phrase "obligations of the proposed Rule" and inserting the word "its."
IX. CONFIDENTIALITY, SECURITY AND INTEGRITY PROTECTIONS
The Commentary to § 312.2(8) indicates that "reasonable procedures" required by the rule "may include" a long list of technical measures, as well as employee training and sanctions to ensure that security measures are implemented effectively. (p.27) The list of technical measures is set out in the conjunctive ("and"). The DMA assumes that the Commission does not intend that operators use more than one or two of these measures. Indeed, implementing all of them would be extraordinarily costly and highly impractical.
For example, many operators who specialize exclusively in providing childrens content require that the overwhelming majority of their staff be able to access personal information in order to do their jobs¾ in handling letters to the editor, subscriptions, order fulfillment, etc. Therefore, the list of technical measures in the second sentence of the paragraph, should be changed to the disjunctive (replacing the "and" just after the last semicolon with an "or").
X. ASSUMPTION THAT COLLECTION OF INFORMATION FROM CHILDREN IS BAD
Finally, The DMA questions the NPRMs assumption, expressed repeatedly throughout the Commentary, that commercial collection of individually identifiable information from children, even subject to all the safeguards of the statute, is a bad thing and should be avoided. For example, the Commentary suggests that marketers should refrain from collecting individually identifiable information even with consent, or should delete collected information as soon as possible, even if they follow sound security practices. Similarly, it suggests that operators devote webspace to posting answers to frequently asked questions, instead of collecting the childs e-mail address only temporarily for the sole purpose of responding to the childs inquiry, as specifically provided in § 6504(b)(2)(A). See p. 22.
We are aware of absolutely no evidence that any child has been harmed due to the collection of personally identifiable information by commercial websites. The legislative history of COPPA confirms this, making clear that online safety concerns relate to "online fora such as chatrooms, home pages, and pen-pal services in which children may make public postings of identifying information." Bryan Statement at S11657 (emphasis added). Indeed, if the Commission and other policymakers are truly concerned about child safety, they should devote less rhetoric to commercial collection of information. Instead, policymakers would address child safety issues far more effectively if they focused on personal information regarding children in the possession of others, including extensive information in the hands of community organizations, as well as government agencies that handle large amounts of information regarding children.
Accordingly, the Commission should either delete these statements or at least balance them with an explicit acknowledgement that they relate to the Commissions view of additional privacy considerations over and above those addressed in the statute, rather than child safety concerns.
For the foregoing reasons, The DMA urges the Commission to revise its proposed rules in a number of important respects in order to achieve the important statutory goals of COPPA in a less regulatory fashion that is faithful to the language and purpose of the statute.