The McGraw-Hill Companies
Suite 900
1200 G Street, N.W.
Washington, D.C. 20005
(202) 383-3700

June 11, 1999

Secretary

Re: Children's Online Privacy Protection Rule Comment, P994504

The McGraw-Hill Companies (hereafter "McGraw-Hill") welcomes this opportunity to offer comments in response to the Federal Trade Commission's (the "Commission") Notice of Proposed Rulemaking ("NPRM") to implement the Children's Online Privacy Protection Act of 1998 (the "Act") through the proposed Children's Online Privacy Protection Rule (the "Rule").

I. Introduction

We congratulate the Commission on its thoughtful consideration of appropriate methods to be used to implement the Act and on its efforts to balance the responsible and legitimate business collection and use of information from children and the need to protect children from potential abuse online.

McGraw-Hill is a global publishing, information and media, and financial services company with 16,500 employees located in over 40 states in the U.S., and in 30 other countries. We distribute our products and services via traditional media, as well as electronically, to customers around the globe. We recognize that appropriate and fair information practices are essential for achieving our objectives.

McGraw-Hill has already devoted considerable effort to developing and implementing customer privacy protection practices within our company and publicly announced its comprehensive Customer Privacy Policy at the Commission's June 1997 Public Workshop on Consumer Information Privacy. Key elements of McGraw-Hill's Customer Privacy Policy include Notice, Choice, Review and Correction, Security and Integrity of Data, and Compliance. Our Policy provides customers with a clear understanding of the personally-identifiable information collected from them, the uses that will be made of such information, and the choices customers may exercise to restrict the subsequent use of that information.
We provide additional safeguards for "Sensitive Data," a term that includes most information collected about children. For example, McGraw-Hill never shares information collected from children with external third parties.

Our Customer Privacy Policy has been recognized as a model for our industry. In January 1999, we updated our Policy to reflect "lessons learned" from that implementation, customer feedback, changes in technology and business processes, as well as changes in customer and policy maker sentiment. Our experience is proof that organizations must have flexibility to implement appropriate privacy protection rules in a manner consistent with a rapidly changing business and political environment. We also learned that in order to be effective, rules regarding protection of customer data must be clear and simple to understand and not overly burdensome to implement, both from the standpoint of businesses and customers.

McGraw-Hill operates more than 80 Websites, including some that currently provide products or services intended for use by children, largely for educational purposes. Therefore, rules affecting how Websites or online services interact with children and their parents will have a significant effect on our business. We look forward to continuing to work with the Commission to assure that personal information about children under 13 is reasonably protected, and that parents receive clear and concise notice regarding the collection, use and maintenance practices for such personal information.

II. General Points

A. McGraw-Hill Generally Endorses AAP and DMA Comments

At the outset, McGraw-Hill would like to state that it has reviewed the comments on the NPRM being submitted by the Association of American Publishers (the "AAP") and the Direct Marketing Association (the "DMA"), and generally endorses and concurs with the more detailed comments and positions they raise.
The comments below address issues of particular interest to our company, some of which overlap with the AAP's and/or the DMA's comparable comments on the same points.

B. Proposed Exemption for Online Educational Programs

McGraw-Hill respectfully requests that the Commission consider the impact of the application of the proposed Rule on educational programs, activities and services being conducted online. Below we briefly explain how educational materials are being used in the online environment and how the proposed rules may have an unintended consequence of stifling the integration of technology and educational content.

McGraw-Hill concurs with the AAP that a broad exemption from the application of the Act and the Rule should be provided for online educational programs administered to children under 13. This exemption should apply to both commercial and non-commercial online programs. Without such an exemption, the Rule would: (i) unduly restrict children's access to valuable online educational resources, and (ii) materially interfere with the organized administration of education as promulgated by state and local educational authorities.

McGraw-Hill Educational and Professional Publishing Group publishes educational materials and programs, including textbooks, workbooks and supplemental materials traditionally used in classrooms or as homework assignments. McGraw-Hill also publishes, administers and scores tests and programs used by schools in evaluating students' academic progress, the effectiveness of curricula, etc. Commonly, such tests are contracted for by a state, school district or school, and are administered to all students in the intended audience. Traditionally, such tests are administered by "paper and pencil." The results are then scored, sometimes by the educational authority that contracted for the testing, and in other instances, by the educational publisher who provides a report to that authority.
Increasingly, educational activities that traditionally took place with pencil and paper in a classroom or at home are being made available or conducted online, both in and outside the classroom (including at home), and both informally (by a child-initiated use of online supplemental or enrichment activities) or formally (at a teacher's instigation, whether or not in a classroom). Many educational publishers, including McGraw-Hill, also offer courses that are marketed, ordered, paid for, conducted, and (if applicable) graded online.

More than ever, an educated public is a necessity of the future. To that end, educators, government and private industry have announced goals for expanding "distance learning" and other online educational opportunities. We are concerned that the proposed Rule would impose restrictions on that access that would, in turn, stifle the availability of online educational opportunities, to the detriment of individual students and society as a whole.

The inherent interactivity of many online educational programs will require that participants identify themselves and give responses. Some online educational programs will involve recording and reporting course or test results to parents, teachers and/or school officials, as applicable. All of these responses and data would seem to fall within the proposed Rule's definition of "personal information," and thus be governed by the regulations, even if that personal information is not used for anything other than educational purposes.

Requiring "verifiable parental consent" as a prerequisite to a child's participation in such online activities would significantly discourage children's spontaneous participation in these activities, whether at school (during or after normal classroom hours) or at home. Requiring parental consent also would greatly complicate the use of online programs in a structured school environment, much less in a "study hall," a library, after school hours or at home.
For example, even in a structured classroom environment, the failure of even a single child to obtain the requisite parental consent could preclude the use of a program as a classroom or school-wide activity. Unquestionably, the "verifiable parental consent" requirement would, as a practical matter, prevent many children from accessing many online educational programs entirely, either at school or at home.

Further, the Commission should recognize that the financial and technological resources necessary to access educational resources online (much less to consent to such access) are far from universal. For large sections of the population, a child's only feasible access and introduction to computers and online educational programs will be in a classroom or other educationally supported environment. Access to and use of these resources must be readily available to the child who does not have a computer at home, or whose "parent" is not sufficiently involved in the child's education to provide consent, or whose parent (even if interested) lacks the resources to be able to respond to a verifiable consent requirement. Without such ready access, a large portion of our children will be cut off from developing modern computer skills and accessing educational opportunities available to their more advantaged peers.

The need for a broad exemption for educational uses is made more manifest when examining the Commission's currently suggested means of obtaining a parent's "verifiable consent." For example: (i) a parent may not have a driver's license to evidence co-residence; (ii) not everyone has a credit card or even a bank account, much less a home computer or e-mail address (business or home), at which to be contacted and/or from which to respond; and (iii) one cannot fault a single parent who is unable to take the time from work or from his or her child to hunt down and provide the required means of consent.
If anything, the more disadvantaged and least sophisticated are the most likely to be intimidated by both the Rule's extensive notice and consent requirements, with the probable result that this most needy segment of the population will turn away in confusion, and even fear, from these online educational resources.

In a related context, applying the prior parental consent requirement to assessment, evaluation or online tests or course programs mandated or accepted by states, school districts or schools could create chaos in the orderly administration of academics by enabling a parent, effectively, to prevent a child's participation in such activities, merely because the activity is being conducted online, rather than on paper. Clearly, a parent should not be able to "opt" his child out from an otherwise compulsory educational program in which the student is otherwise participating simply because that program is now being administered online.

In short, the Rule should exempt online activities that provide, support or build upon systematic curricular instruction, whether the activities are formally tied to school work or are initiated independently by the child. This exemption should apply to all online educational programs, as suggested by the AAP, and not be limited to only classroom participation. Accordingly, we would suggest that the scope of the educational exemption be limited to the collection of personal information reasonably necessary and appropriate to effect participation in an online educational program, and for the performance of that program, and preclude such information from being used for any but educational purposes.
Absent a broad exemption from the verifiable parental consent requirement for online educational programs, at least some of the benefits of the use of these programs could be preserved by modifying the proposed Rule's definition of "verifiable parental consent" to include consent obtained by educational institutions on behalf of their students. Such a change would allow the operators of Websites or online services devoted to educational purposes, in whole or in part, to collect and use personally identifying information from students, subject to notice requirements, in reliance upon representations from a school or other bona fide educational institution that the parents of the students have consented to collection or use. This would include information collected in the course of the students' online access from the classroom, the school library, or even from home, if it is part of the school curriculum or extracurricular activities.

In addition, we note that any educational exemption must exempt at least accredited and/or otherwise authorized online testing and/or course programs from the coverage of Section 312.6 of the proposed Rule. This section would enable a parent to require the deletion of personal information, including test or course material, even in contravention of the requirements of the educational authority that mandated the tests or accredited courses in the first place. Changing or deleting course grades or test scores would obviously be inappropriate. An unfettered parental right to change or delete this type of information is also inconsistent with both the Federal Educational Records Privacy Act ("FERPA") and the implementation of state, district or school-mandated online educational programs. Under FERPA, a parent has the right to review information that forms or is intended to become a part of a student's school records.
According to FERPA, parental review rights are contingent upon the holding of a hearing, conducted in accordance with procedures and policies administered by the relevant educational agency. Further, a parent's rights to review this information are not absolute; they are evaluated and exercised in a structured, coherent context. No comparable structured, knowledgeable administrative oversight would apply to a parent's exercise of the "revise and deletion" rights proposed in the NPRM. The rights appear to be absolute, without regard to context, purpose, or the need for evaluation by a knowledgeable and informed third party. Therefore, we strongly urge that, with respect to online educational programs, parental access rights to this type of data be limited, to encompass only review, inspection and correction of demonstrably incorrect information.

Similar limitations on a parent's right to require changes to or the deletion of personal information are inappropriate when applied to the types of circumstances described in subsections 312.5(c)(4) and (5) of the Rule. These are the exceptions to the parental consent requirements in instances where personal information is obtained for the security and safety of a child or to ensure Website security, or in response to judicial process, etc. Allowing a parent to make changes or deletions in either of these contexts would be of concern to all online providers and should be of concern to the general public.

Section 1303(b)(1)(B)(iii) of the Act specifically provides the Commission with the authority to limit parental access and review in a manner "reasonable under the circumstances." As described above, unfettered parental access and review rights to information collected in the course of online educational programs could compromise the benefits of such programs to students and the society as a whole.
The Commission should exercise its authority to limit the scope and impact of the access and review rights in this regard, as these are precisely the types of situations in which Congress wanted the Commission to exercise such discretion.

C. Retroactivity of Rules ("Section B. Overview of the Proposed Rule")

The Commission proposes that an operator will be required to obtain consent from a parent for the continued use or maintenance of information collected prior to implementation of the Rule. McGraw-Hill objects strongly to the retroactive application of the Act. Applying the Act retroactively is contrary to the standard presumption against applying legislation retroactively and, as cogently argued by the DMA, is inconsistent with the stated intent of the Act. Retroactivity would pose significant and undue financial, record keeping, and managerial burdens on online services. Instead, the Commission should rely on its existing authority to act in specific instances, when and if a particular organization acts in a "deceptive or unfair" manner with respect to previously collected information.

Additionally, retroactive application of the Rule would require operators who have already obtained parental consent to contact parents a second time. This would seem to be a needless and even counterproductive requirement that would almost certainly confuse parents. Further, if the Act were to be applied retroactively, the extent to which the Act's notice and consent requirements apply to previously obtained personal information is unclear. For example, what responsibility would operators have if the original notice did not include each of the proposed data points?

D. Definitions (Section 312.2)

"Collects or Collection"

The proposed definition of "collects or collection" should be narrowed to conform with the intent and plain language of the Act and its legislative history.
The proposed definition encompasses information requested online, even if that information is transmitted to the operator via another media. This application is clearly beyond the scope of the Act, which applies only to information "collected online from a child" [emphasis added]. As a practical matter, it would be virtually impossible for Website operators to track and coordinate the receipt of information requested online but received via other media. The requirement would entail development of extensive record-keeping and management systems, the costs of which would be excessive, and ultimately would result in the development of cross-referencing and record-keeping processes directly contrary to the Act's intent. The Rule should be limited to the collection of personal information online, in conformity with the plain language of the Act.

"Personal Information"

The NPRM defines "personal information" as "individually identifiable information about an individual collected online," including a first and last name, home or other physical address, etc. However, the Rule does not address information collected in a personally identifiable form that is subsequently used and maintained only in unidentifiable "aggregated" form. Although it may be appropriate to tell parents how such information will be used, including whether it will be used in individual or aggregated form, it would not be possible, for example, for parents to review this information once it has been aggregated.

"Directed to Children"

The NPRM uses a series of criteria to determine whether a Website or portion thereof is directed to children, including (but not limited to):
The Commission should also take into consideration the overall nature of the site. For example, numerous Websites market learning materials to educators or parents of children under 13. Children are not the targeted audiences for those Websites, nor are the sites designed to attract or appeal to children. However, the sites include examples of the products and services being offered, such as workbooks and other educational materials. These materials typically contain artwork, characters and language that are readily understood by and would appeal to children under 13. This practice is reasonably necessary to provide parents and educators with a clear description of the products and services being offered, so that they can purchase the best available educational materials for children. However, these sites are not directed to or intended to be used by children, even though "child friendly" elements (graphics, artwork, etc.) appear on the sites.

In many instances the Commission's proposed criteria will be sound indicators of whether or not a site is "directed to children." Additional indicators could include: to whom the site is being targeted; how traffic is being "driven" to it; how a site is registered with search engines; and/or how the site markets itself to advertisers. However, looking to only one or a few of such indicators in isolation could be misleading in certain instances. We strongly encourage the Commission to consider the totality of such indicators in evaluating the nature of any Website.

E. Notice (Section 312.4)

McGraw-Hill strongly supports a requirement that notices "be clearly and understandably written, be complete and must contain no unrelated, confusing, or contradictory materials." We further support the requirement that notices be clearly labeled so individuals will be able to easily recognize and find them within a site.
However, as an overall matter, the proposed notice requirements are in some respects unnecessarily burdensome and in many respects, overly long and complex.

Content of Notice

The NPRM dictates the content of the notice in such detail that any resulting notice likely would be overwhelming and confusing to its intended audience, defeating its purpose and intent. As proposed, the notice would contain at least a dozen data sets. That is far too much information to constitute effective notice. The average person will simply "tune out" when faced with such an onslaught of detailed and technical information. For instance, it would not seem necessary to specifically describe the types of information being collected unless such collection is not obvious. Indeed, it would undoubtedly irritate the average person to be notified that one is collecting his or her name, address, telephone number, etc., when, simultaneously, that person is typing in that information.

Further, it is inappropriate and probably impossible in many instances to require an operator to provide detail about third party information practices or third party commitments to "maintain the confidentiality, security and integrity" of information. Researching the privacy practices of third parties is not mandated by the Act. Such information would almost certainly become rapidly outdated and misleading and could result in liability for even the best-intentioned operators. We concur with the additional points raised by the DMA in this regard.

The NPRM requirement that organizations provide essentially the same notice, containing all data sets, three times on the home page, at the point of collection, and in subsequent notices to a parent also may defeat, rather than effect, its stated purpose. This requirement should be reconsidered to ensure that the appropriate information is being conveyed to parents and children in a meaningful manner.
For example, within a single site, cookies or similar technology may be used in some areas to customize the individual's experience, but such information is not shared with a third party. However, in other areas of the same site, postal and e-mail addresses may be collected and shared with third parties. In these circumstances, requiring the same notice on the home page to describe all possible uses of the information would be cumbersome and counterproductive. It would be more reasonable and effective to allow at least some of the prescribed notice elements to appear in each specific "point of entry" notice or the subsequent direct notice to parents. This is where the notice can be most easily and effectively tailored to reflect the types of data collection occurring at each point. Information targeted to parents, such as whom to contact to review information collected from a child, would be more appropriately contained in the subsequent notice to parents, but offers little value in a notice "linked to" from the home page.

Location of Notice - The proposed requirement for the notice to be "placed in a prominent place on the home page of the website or online service such that a typical visitor to the home page can see the link without having to scroll down" [emphasis added] is both onerous and contrary to established Internet practices and user expectations. Prescribing the precise placement of the notice inappropriately and unnecessarily reduces the operator's control over the design and editorial value of valuable online "real estate." In any event, the location of the notice is not even necessarily within the operator's control: web pages appear differently when accessed by different users, depending on the technology used. As online privacy notices become even more common than they are now, individuals will become increasingly accustomed to locating these notices, thereby rendering a highly specific placement requirement unnecessary.
Where only a portion of a site or service is directed to children, this "top of the home page" requirement is particularly burdensome and unjustified, especially since the Rule also requires a comparable notice at each point where information is collected.

F. Mechanisms for Obtaining Parental Consent (Section 312.5(b))

McGraw-Hill commends the Commission for its recognition that technology may play a pivotal role in the ability and ease of organizations to adequately obtain verifiable parental consent. It is imperative that we not preclude the use of emerging technological solutions. Further, the means of verifying parental consent should reflect a balance between the legitimate business uses of personal information collected from children against the obvious need to protect children from potential abuse.

McGraw-Hill employs a variety of methods to obtain "verifiable parental consent." For instance, children may print out an e-mailed "parental consent form," obtain a parental signature, and fax or mail the completed form back. In other instances, a credit card is used to document parental consent for an online purchase of an online educational program (during which course-related personal information is necessarily obtained).

Rather than dictate a limited list of "acceptable" methods for obtaining verifiable parental consent, the Commission should allow organizations to apply the most reasonable methods of doing so, based on the type of information being collected, the intended uses of such information, available technology and the overall context of the transaction. These methods may include (a) partnering with third parties to obtain consent on an organization's behalf; or (b) requiring children under 13 to provide their parents' e-mail address in order to send a separate e-mail communication to parents requesting consent.

G. Parental Right to Partially Limit Collection and Use (Section 312.6(a))

Generally, McGraw-Hill concurs with and wishes to reiterate the points raised by the DMA in its comments pertaining to the NPRM's overly broad grant of rights to parents to "cherry pick" an operator's intended collection and use of personal information, etc. The NPRM establishes an expansive parental right to refuse to permit further use or collection of a child's information, without allowing the operator to deny service to a child if the parent consents only to a portion of the collection and use described in the operator's notice. This result goes beyond the intent of the Act and would impose excessive and unreasonable burdens on operators to monitor and accommodate individualized consent requirements. Congress clearly intended that an operator be entitled to deny services to the extent that limited parental consent results in undue burden on the operator. Section 1303(b)(3) entitles operators, if they so choose, to take an "all or nothing" approach, and to terminate (and thus collect no further data) and delete existing data if parents decline to consent to some aspect of the operator's intended use of the information.

Parental Right to Alter Data

In addition to our earlier comments regarding an educational exemption from the Rule, McGraw-Hill generally concurs with DMA's comments on this section of the NPRM. The NPRM creates a parental right to change data, not just to correct information reasonably substantiated to be incorrect. This concept of "altering" data is much more comprehensive than the Act proscribed. The Act established only a parental right to obtain information collected online from the child or to allow the parent to refuse to permit further use, maintenance or online collection of data.
Although many organizations, including McGraw-Hill, permit customers to "correct" data collected directly from them, "altering" data creates a much broader and ill-defined right, and places the integrity and accuracy of collected data at risk. We strongly encourage the Commission to narrow the scope of this provision, consistent with the Act's language and sound public policy.

H. Safe Harbor (Section 312.10(b)(2))

The Commission would require self-regulatory guidelines to include "independent assessment" of compliance. Specifically, we object to the statement that "assessment mechanisms must not be based solely on self-assessment by subject operators." This requirement ignores the fact that the Act does not preclude an individual organization from conducting its own internal assessments to satisfy the Safe Harbor exemption. Organizations such as McGraw-Hill, which are not part of a third-party compliance program, should not be precluded from participating in the Safe Harbor if their privacy practices are carried out consistent with the Act.

Although it may be appropriate for the Commission to establish the types of criteria that either an internal or third-party assessment should review, organizations should have flexibility based on their relationship with customers, the types of information being collected, and how such information is used to determine how best to comply with the Act. For example, McGraw-Hill uses the following processes and procedures to ensure compliance with our stated policy:
In essence, we have integrated our Privacy Policy and compliance mechanism into our business processes. By doing so, we recognize and respond to the business realities that can affect our implementation -- broken links, changes in Privacy Officials and simple human error. The key to success is having a process in place to quickly fix a problem and right the wrong. This does not require "independent" oversight. We believe that a self-assessment procedure that includes these types of processes and procedures will provide businesses with the flexibility to tailor appropriate compliance programs for their businesses while providing assurances to customers and policy makers that stated policies are being followed consistent with the Act.

I. Use of do-not-contact lists (Question 17(b))

The NPRM requires organizations to allow parents to "delete" information collected from children online but then also contradictorily solicits comments regarding required maintenance of a "do-not-contact" list to avoid sending multiple requests for consent to a parent who previously refused consent. Current business processes, however, should be balanced in implementing these two principles. For instance, McGraw-Hill allows parents to restrict use of information collected from a child, including internal sharing. We also comply with customer requests not to be contacted. If we allow parents to "delete" a child's information, we will be unable to track whether a subsequent request not to contact a child comes from the parent or guardian. The Commission should recognize that in those instances, when organizations are taking reasonable measures to comply with an individual's request (or in this case a parent's request) not to be further contacted, it is literally impossible to do so if an individual's record is literally deleted. Therefore, organizations should have the flexibility to retain information that is necessary to maintain a "do-not-contact" list, such as name and address.
Other information, such as customer preferences, etc., that is not related to the do-not-contact function, should be deleted, consistent with the Act's intent. In revising the NPRM, the Commission should allow organizations the flexibility to apply these two principles in a manner that is (a) consistent with the Act and (b) reasonable, based on existing business processes.

III. Conclusion

In light of the importance of the proposed Rule and its potential for imposing significant and potentially expensive burdens on Internet activities -- the costs of which will inevitably be borne both by online providers and consumers -- we strongly encourage the Commission to hold a workshop with industry, policy makers and children's advocates to fully vet the complex issues surrounding the NPRM.

For the Act and the Rule to be effective in the real world, so that e-commerce can reach its full potential to serve both businesses and consumers -- including children, their parents and educators -- it is imperative that the implementing regulations be realistic and workable, balancing legitimate business reasons for collecting personal information from children under 13 with the societal need to safeguard our children.

McGraw-Hill looks forward to working with the Commission as it further develops revised rules to implement the Act.

Respectfully submitted,

Cynthia H. Braddon
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President, Washington Affairs

Katherine D. Roome
Co-Chair, The McGraw-Hill Companies Privacy Steering Committee
Vice President and Associate General Counsel