June 11, 1999
Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Ave, NW
Washington, DC 20580
On behalf of the members of the National Retail Federation,
thank you for the opportunity to comment on the Federal Trade Commission's proposed
rule with respect to the Children's Online Privacy Protection Act enacted by Congress
last fall.
By way of background, the National Retail Federation is the world's largest retail
trade association with membership that comprises all retail formats and channels of
distribution including department, specialty, discount, catalogue, Internet, and
independent stores. NRF members represent an industry that encompasses more than 1.4
million U.S. retail establishments, employs more than 20 million people (about 1 in 5
American workers) and registered 1998 sales of $2.7 trillion. NRF's
international members operate stores in more than 50 nations. In its role as the retail
industry's umbrella group, NRF also represents 32 national and 50 state associations
in the U.S. as well as 36 national associations representing retailers abroad.
We understand the need for, and importance of, the Children's Online Privacy
Protection Act and the special case presented when dealing with children; however, the
proposed regulations are too complex and restrictive, and would unduly burden the
development of the Internet. The rule should provide a better balance that allows the
Internet to continue to evolve and grow (which benefits children), while also protecting
the interests of children and parents.
The following are brief comments on the FTC rule implementing the Children's
Online Privacy Protection Act of 1998. The comments are made by page number and/or by
section of the proposed rule:
1. Pages 4-5 of the Preamble: The FTC states that the rule will apply
retroactively and will require web site operators to obtain parental consent prior to
using any previously collected information once the rule is effective. This may be
difficult and unduly burdensome for web sites, particularly because they may not have
developed the more sophisticated technology that may be needed to implement the
requirements of the rule. At a minimum, it should be shifted to a notice and opportunity
to opt-out, rather than an active consent requirement, which is consistent with other
credit laws and imposes a lesser burden, while still providing protection.
Section 312.2: Definitions
Collects or Collection (see page 6): These terms are defined to include passive
tracking methods, such as cookies. It would be preferable that collection be defined to
include only information actively provided by the child. Also, the rule should clarify
that operators are allowed to collect information, so long as it is not personally
identifiable (e.g., a blind survey or questionnaire, or material submitted that is not
linked to any personally identifiable information). This might be more appropriately done
under the definition of "personally identifiable information."
b. Disclosure (see pages 6-7): The definition of "support for the internal
operations of the web site or online service" should not be limited to
"activities necessary to maintain the technical functioning." As noted in
the commentary, it also should include ordering, fulfillment and other activities related
to the internal operation of the web site (e.g., payment and order processing or provision
of content), so long as the party providing the support uses it only for the operational
function it is fulfilling and does not use or disclose it for another purpose. This is
appropriate because you protect the information but still allow web site operators the
flexibility to enter into various types of business arrangements (e.g., a second web site
may provide some co-branded content or may actually process or fill orders on the web site
operator's behalf through a linked web site). (It also would be ideal to delete the
word "internal" from "internal operations," but that is part of the
statute.)
Operator (see pages 8-9): The definition of operator, as explained in the
commentary, would not include affiliates. This is problematic given that many corporations
use affiliates to provide various services (e.g., credit processing and fulfillment) and
often have linked computer and database systems. While affiliates may provide services
related to the internal operations of the web site and therefore fall within an exception
to the definition of third party, otherwise treating affiliates as third parties sets a
bad precedent. To the extent that we could have affiliates included within the term
"operator," it would be preferable. The logic for that may be the strong links
in providing services, such as credit processing and fulfillment, and the use of shared
systems and databases and that, if affiliates are included within the definition of
operator, they have the same obligations as the operator.
Website or online service directed to children (see pages 10-11): We seek to
clarify that displaying merchandise that might appeal to a child (e.g., toys or
children's apparel) for purchase should not be considered, at least in isolation, as
directing a web site toward children. Because children do not generally have credit cards
or other forms of payment that may be used online (or at least not without parental
consent), most child-oriented merchandise is, in fact, geared toward adult consumers who
can make payment. This is particularly true if you are talking about a general retailer
that has a large assortment of merchandise, with only some designed for children.
Also, we recommend that one of the factors to be considered in deciding if the site is
directed toward children is whether the site has a posted policy stating that its policy
is to accept orders and information only from individuals above a certain age.
3. Section 312.4(b)(1) (see pages 12-13): This requires the link to the notice
regarding Children's Privacy to be on the home page and to be specifically identified
as being related to children's privacy. This requirement should be more flexible and
should impose a more general standard (e.g., clear and prominent notice), rather than very
specific requirements. For example, the notice should not have to be provided through a
link; other formats should be allowable so long as they are prominent and are designed to
ensure that the notice is provided before any personal information is submitted (e.g., a
pop-up that appears when the information is requested). Also, if a link is used, it should
not have to be on the home page, so long as it is prominently posted on the web site or on
the pages or section of the site where information is collected. This is particularly true
if a general website only has a small part directed to children. Also, it should be
acceptable to have a link called "Privacy," or using some other similar term,
rather than tying it to children specifically. This is important because a site should
not have to have two links for "Privacy" and "Children's
Privacy." Also, the rule should not specify that the link must be placed so no
scrolling down is necessary. Users are used to scrolling down, and it will not prevent
them from seeing the notice. Also, users may control their screen size, so even if a site
attempts to place the link where no scrolling is required, the user's settings may mean
scrolling is required. The bottom line here is providing more flexibility, particularly
given the changing nature of the technology.
Section 312.3(b)(2)(ii) & (iii) (see pages 13-15): This requires significant
detail regarding the types of information collected and the third parties to which it will
be disclosed. More general information should be sufficient so long as it puts the parents
on notice of the general types of information collected and third parties with whom it
will be shared. This is particularly important because the rule (Section 312.(c)) requires
parents to provide an updated notice and obtain a new consent if it wishes to collect
different types of information or use it differently. This would be very burdensome, so
operators should be allowed to use general categories that provide sufficient notice,
without too much detail.
Section 312.2(b)(iv) (see pages 15-16): This section requires the operator to
allow the parent to consent to its use of the information, but not disclosure to third
parties. The operator should have the right to condition web site use on its ability to
provide information to third parties, as that may be the means by which the site generates
revenues or otherwise conducts business. Also, as mentioned earlier, to the extent that
affiliates are considered third parties, a site might want to condition participation, at
a minimum, on affiliate sharing, which should be acceptable.
Section 312.5 (pages 19-20): Maximum flexibility on the acceptable forms of
parental consent should be encouraged. Means of verifying identity are constantly
evolving, and operators should not be tied into using regular mail, credit card numbers or
800 numbers, which may be cumbersome for both the operator and the parents. Also, it may
lead to fewer children interacting with websites because these means would take a
substantial amount of time. With this in mind, it should be permissible to use e-mail
consent, provided you take steps reasonably designed to ensure that the parent, and not
the child, is consenting. For example, if the parent has a separate e-mail address, the
operator should be able to send an e-mail to that address. The e-mail also could ask
questions that a child likely would not be able to answer. The FTC also should be
commended for providing that consents may be performed for websites by portals or online
services. However, this should be allowed, as noted in the commentary, for all third
parties, so long as they comply with the applicable requirements (e.g., a group of web
sites could enter into an arrangement with a third web site that secures a broad consent
for specified types of websites that abide by certain policy standards).
Section 312.6: Section 312.6 requires the operator to allow the parent to
"make changes to" the personal information maintained by the operator. This is
not required under the statute, and should not be required under the rule. This could
prove to be a burdensome requirement from a technical and administrative perspective, and
could undermine the goal of preserving the integrity of information collected from
children. The right of the parent to opt out of the collection, use and maintenance of
the child's personal information is sufficient protection against a site that is not
voluntarily willing to change certain information, as it should be willing to do as a
matter of good customer service if any information is inaccurate.
Given the breadth and significance of the rule, we recommend that the FTC allow the
opportunity to submit reply comments. Once again, thank you for the opportunity to comment
on the proposed rule. Should you have any questions, please feel free to contact me.