Before the Comments of June 11, 1999 I. INTRODUCTION AND SUMMARY The Cricket Magazine Group; Fox Family Worldwide; Headbone; Nickelodeon; The Cartoon Network, Sports Illustrated For Kids, Time For Kids, and other Time Warner Inc. sites; and The Walt Disney Company are pleased to respond to the Commission’s request for comments on the verifiable consent issue raised in its Notice of Proposed Rulemaking to implement the Children’s Online Privacy Protection Act of 1998 ("COPPA"). We appreciate the Commission’s thoughtful inquiry concerning the critical issue of which methods of obtaining parental consent will satisfy the requirements of the final rule. The companies joining these comments are all major providers of valuable online content for children. We all offer free content that is primarily tailored for child audiences. We all take the privacy of child visitors to our sites seriously, have adopted programs to protect the privacy of those visitors, and support the balance of important interests that is embodied in COPPA. However, the ability of each company to provide interactive content for children on the Internet will be substantially impaired unless the Commission allows easy-to-use methods of online consent that impose minimal burdens on parents. Almost all of the signatories to these comments have filed comments in their own name. We submit these comments collectively to respond in detail to the Commission’s questions regarding methods of parental consent and to emphasize our uniform, strong belief that the Commission should recognize at least temporarily e-mail consent as an acceptable method of verifiable parental consent in its final rules. This approach would address the serious, although near-term problem of the absence of proposals in the NPRM for a relatively seamless means of online parental consent consistent with "available technology." 15 U.S.C. § 6501(9). We propose that the Commission approve e-mail consent with a specific sunset period of five years at which time the Commission would reassess "available technology" as part of its statutorily mandated review and report to Congress regarding implementation of the Act under 15 U.S.C. § 6506. The Commission would then adjust consent standards to reflect the availability of online consent mechanisms such as digital signatures, pre-selected parental privacy choices under the P3P platform, and other technological advances. We would be happy to work actively until the sunset to identify and implement these alternative consent technologies. However, until these consent technologies are widely available, it is essential that the Commission follow Congress’ direction to interpret the verifiable parental consent standard "flexibly" so as to avoid interfering with children’s access to the very portions of the Internet that are most valuable and appropriate for them and avoid driving them to inappropriate and, on occasion, to potentially dangerous locations. In addition, the final rule should include some low-cost consent methods. The rule applies to commercial Web sites, which are in business to earn a profit. Notwithstanding the euphoria over electronic commerce, it is difficult to earn a profit operating a free Web site—let alone a Web site specializing in educational and entertainment content for children. Although many of the signatories to these comments are major corporations, we all operate for commercial purposes and are constrained to generate a profit through all of our businesses, including our online operations. The Commission should be mindful that if the rule authorizes only consent methods that impose large costs on operators, it would dramatically reduce interactive offerings for children on the Internet and force remaining children’s sites to offset those costs by increasing their commercial content. Costly methods would be particularly onerous for the stand-alone children’s Web sites that are not backed by large corporate parents. The potential effects of such a rule would be to force existing sites to shut down, deter new sites from entering the marketplace, and to deny children the benefits of cutting edge-Internet innovators. Given the importance and complexity of the issues under consideration in this rule making proceeding, and the precedent that these rules may set for regulation of the Internet in the United States and other countries, we request that the Commission receive reply comments in this proceeding and hold a workshop focusing on the consent issue. II. THE VALUE OF CHILD-ORIENTED WEB SITES COPPA applies only to sites that are directed to children or know that they are dealing with a child. Consequently, if the Commission recognizes under COPPA only methods of parental consent that are difficult and costly to obtain, it will eliminate interactive opportunities for children at the very sites that are designed to be most interesting and useful to them. A high bar for parental consent would have the highly perverse effect of closing interactive opportunities for children at valuable sites tailored to their needs and driving children to sites that are not focused on their needs and interests, and are in some cases entirely inappropriate for them. This result would be at odds with the balance that Congress intended to strike in adopting COPPA. It specifically intended that COPPA be interpreted to "preserve[] the interactivity of children’s experience on the Internet and preserve[] children’s access to information." Statement of Sen. Bryan, 144 Cong. Rec. at S11657 (daily ed. Oct. 7, 1998). The participating companies not only provide educational and entertainment content of particular interest to younger audiences, we also have been at the forefront of providing family-friendly online environments in which children can learn and explore. We are known for offering dynamic and interactive places online that foster children’s educational and social development. Due to the regulatory uncertainty that preceded the release of this proposed rule, several members of our group have been chilled from collecting personal information online from children. This chilling effect has limited the content and these companies' sites and prevented them from offering children fully interactive, community online experiences. III. COPPA’s VERIFIABLE CONSENT STANDARD The NPRM indicates that in addition to e-mails with digital signatures, the Commission is "considering whether there are other e-mail-based mechanisms that would . . . provide sufficient assurance that the person providing the consent is the child’s parent." (NPRM, p.21) "Sufficient assurance" must be assessed in light of the statute and its very flexible definition of the term "verifiable parental consent." Congress specifically defined the term "verifiable parental consent" as encompassing "any reasonable effort (taking into consideration available technology)" to ensure parental authorization. 15 U.S.C. § 6501(9) (emphases added). As the legislative history specifically confirms: (1) "[t]he term should be interpreted flexibly," (2) "reasonable effort" suffices, and (3) reasonableness must be interpreted in light of the constraints of "available technology." Bryan Statement at S11657 (emphasis added). Indeed, in expressly creating an exception for collection of "online contact information"—which is specifically defined to include an e-mail address—in order to obtain parental consent, see 15 U.S.C. § 6502(b)(2)(B), Congress clearly envisioned that e-mail would play an important role in the statutory consent process. Our proposal is entirely consistent with the statutory consent standard. The statute expressly envisions a consent standard that will change over time, and will be easier to satisfy when consent technologies are less advanced. Congress also directed the Commission to construe the standard "flexibly," rather than rigidly. Finally, the statute requires a "reasonable effort," rather than assurance that all consent mechanisms will be completely effective. A temporary e-mail consent option is consistent with congressional intent and would encourage precisely the sort of innovation that the statute envisioned by encouraging further development of related online consent technologies.
In light of the flexibility of COPPA’s consent standard, it is entirely appropriate that a range of consent methods be acceptable under the Commission’s rules. In our experience, each of the methods of consent endorsed in the Commentary to the NPRM (at pp.20-21) is or will be of some value. However, without the addition of e-mail consent, children’s opportunities for interactive experiences online would be seriously limited in the coming years before other more verifiable technologies are more widely available. Several members of our group have experience in either an opt-in or opt-out context with various methods of consent discussed in the Commentary and covered by Question 13. We draw upon this experience, as well as all of our companies’ analyses of these methods of consent, to explain the need for acceptance of e-mail consent on an interim basis and to respond to Question 13’s inquiry regarding methods of consent. A. Methods Endorsed in the Commentary The Commission has requested comments and data regarding the feasibility, effectiveness, costs and or benefits of four methods of verifiable consent endorsed (on pp.20-21) of the Commentary: (1) mailing or faxing in print-outs of consent forms; (2) credit card verification; (3) parent calls to a toll-free telephone number; and (4) an e-mail accompanied by a digital signature. See Question 13. We discuss the feasibility, costs, benefits and effectiveness of each of these methods seriatim from the perspective of Web site operators, parents and children. Although we believe that each of these methods is useful in limited circumstances, and that all should be endorsed in the final rule, each creates difficult, burdensome, and costly hurdles to consent that would dramatically reduce children’s opportunities to obtain appropriate interactive content over the Internet. Moreover, these methods disadvantage lower-income children who may not have home computers, and whose parents may not have access to a fax machine or credit card.
While technologically feasible, these methods are among the most likely to chill children’s access to interactive sites that are appropriate for them. Most families do not have access to fax machines in their homes. Furthermore, Internet users are generally very reluctant to use "snail mail" for routine communications regarding online information. Even for those who are willing to use a mail-in or fax-in system, hard copy consent forms have the effect of disrupting the interactivity and spontaneity of the Internet medium—especially in situations in which parents are using the Internet together with their children. A delay of several days for delivery and processing of the hard copy form is a very long delay in the eyes of Internet users, especially children who are accustomed to instantaneous access to information. This delay will dissuade visitors from using sites covered by COPPA and steer them to others where there is interactivity and immediacy. Members of the coalition have experience with the impact of mail-in or fax-in consent on site usage. For example, last summer Time Warner’s Sports Illustrated For Kids site experienced an approximately 80% drop in responses to its offer of risk-free subscriptions of the magazine when it shifted from an e-mail notice and opt-out system (which the company had offered successfully with no complaints) to a mail-in or fax-in consent form system. The cost in time and money to the user of mailing in the response form is greater than the cost of sending an e-mail, and unless the operator’s fax number is a toll-free line, users will typically have to incur long distance phone charges for sending in the fax form. The cost to Web site operators of both methods is much more significant. For example, in order for a fax-in consent system to have any significant chance of success, it must be run through a toll-free fax number with significant attendant expenses (discussed below in subsection C.). For both mail-in and fax-in forms, operators must hire personnel to review and input information from forms received through either medium. For example, "nick.com," a Viacom Nickelodeon Web site, has investigated obtaining consent through these methods and found that labor costs associated with processing consent forms run between $5 and $15 per hour for sorting (depending on whether the company uses internal or external resources and the labor market in question). This figure translates to approximately $.08 to $.15 per letter processed depending upon the volume of letters received. In 1999, Nick.com has been averaging 1.8 million unique visitors per month. If only 10% of those visitors were to mail or fax in hard copies of consent forms, the cost would be as much as $248,400 per year. Headbone uses both methods. Last month, it incurred costs of approximately $.31 per child in labor costs alone collecting and inputting parental consent information into its computer system for its mail-in and fax-in consent offerings. Fox Kids Network runs various sweepstakes and contests for children that are promoted during its broadcasts as well as on its Web sites. Children can only enter by mailing in a postcard. The winners are picked at random. Fox incurs costs of over $100,000 per year paid to an outside company for fairly mechanical tasks such as collecting postcard entries and randomly selecting the winners. Fox holds approximately 8-10 contests per year with an average of 75,000-85,000 entrants per contest. From this experience, Fox estimates that it would incur much higher costs if it were required to perform or contract for more sophisticated and time consuming tasks of reviewing, screening, and tracking data entry for a similar number of written consent forms. Finally, as with most methods of verifiable consent discussed in the Commentary, even this method does not provide assurance that the parent is consenting. Anyone, including an older child, can sign such a form and mail or fax it back to the operator. 2. Credit card authorization As the Commentary itself suggests, this system is best adapted to situations in which information is requested "in connection with a transaction." (p.20) Although not seamless, this method allows rapid verification, and thus serves to advance the interactive nature of the medium. In other contexts—for interactivity at a free children’s site, for example—this method of consent, although technically feasible, is not widely available without a significant charge to the consumer and/or operator and requires information that the parent will likely be reluctant to produce. To date, most credit card companies have refused to allow use of their verification systems absent a transaction. The rule’s perverse effect would be to force sites into commercialization—that is, force the great majority of sites that do not sell products to sell products—just to secure parental consent. In addition, many lower income families do not have credit cards and cannot avail themselves of this opportunity for interactivity. Credit card verification is also particularly cumbersome for families whose children access interactive children’s sites through libraries and schools, and must obtain a credit card number at home and take it to the school or library to gain access to the site. Furthermore, outside of the transaction context discussed above, this method is likely to chill consents significantly. As numerous surveys confirm, consumers continue to be reluctant to provide their credit card information online. A National Consumers League survey released only last month indicates that 73% of consumers feel uncomfortable providing their credit card information to businesses online. Indeed, credit card information is precisely the sort of sensitive financial data that consumers are least likely to furnish in order for their children to visit a Web site. Even if this method were somehow available without cost to the consumer, many consumers would likely be confused by and somewhat skeptical of the Web site’s explanation that no charge will be incurred on their account. For example, Headbone offers a wide array of methods of parental consent, including credit card verification. Only 5 to 10% of the consents it currently receives from parents come via credit card verification. Moreover, as Visa’s comments indicate, credit card companies have expressed concern that proliferation of credit card numbers submitted for verification to sites that have not implemented strong security measures would increase credit card fraud. As noted above, credit card verification also typically has significant cost disadvantages. Verification of course comes with a price. Fox Family Worldwide, recently explored credit card verification and found that its Web site users would have to pay the credit card company a minimum fee of $2.99 for each authorization. In addition, FFW would be charged a percentage of this fee by the credit card company, ranging from 3 to 5%. Based on a typical estimate of approximately 5 million visitors per month to its Fox Kids Web site, even if only 20% of visitors used a credit card authorization to indicate parental consent, FFW could incur fees between $90,000 and $150,000 per month for verification. Aggregate costs to users would be far higher. Furthermore, operators incur additional fixed costs setting up verification and processing systems, as well as security measures such as SSL. Security measures are needed because collection and maintenance of credit card account numbers make a site more attractive to hackers and vulnerable to additional security risks. Sites forced to collect this type of sensitive information have little choice but to take steps to avoid the potential liability associated with these additional security risks. Finally, this method does not provide foolproof assurance of parental consent—children can obtain access to and use their parents’ credit cards without permission. 3. Toll-free phone and fax numbers Toll-free numbers are technically feasible, and quite easy for parents to use. Nonetheless, they impose significant costs on Web site operators. Operators must pay a monthly toll-free line charge, labor costs for dedicated live operators to answer the phone calls during business hours or to listen to recorded messages submitted after hours, as well as labor costs for data input and processing. Fox Family Worldwide recently maintained a toll-free number to field viewer inquiries when it changed the programming format of the Fox Family Channel. Because of the nature of the inquiries, Fox was able to utilize an automated toll-free system. The costs incurred for an automated system are significantly lower than those for the type of live operator system that would be have to be employed to obtain verifiable parental consent. Nonetheless, even this less expensive option triggered substantial costs. The minimum monthly charge alone was $3,500, regardless of usage. Although Fox did not use live operators, cost estimates for live operators included: (1) a $1,500 set up charge; (2) a per-minute charge for incoming calls that was more than six times the amount charged for automated calls; (3) a $55 per hour charge for each dedicated live operator; and (4) additional fees for training and call transcription. Thus, the annual hourly charges for live operators alone would amount to over $480,000 per year if Fox had contracted for only two live operators for 12 hours per day. This figure does not even account for the per-minute charges for each call, as well as set-up, training and transcription charges. As this example attests, this alternative is prohibitively expensive, especially for Web sites that generate little, if any, revenue. In addition, the toll-free number verification process can be slow and disruptive of the interactivity of the medium. For example, Headbone, a smaller operator, has found that the time between the parental request and the company’s data entry and e-mail response is anywhere from two to three days. Experiences with toll-free numbers in other contexts also indicate that some children use the numbers to place phone calls to the operator for fun, thus increasing the volume of calls and the costs to companies maintaining the numbers. Conversely, this method of consent may not be even be available to parents with young-sounding voices who wish to consent to their children’s participation. Finally, consent through a toll-free number also does not provide foolproof parental verification. It does little more than provide assurance that some adult is consenting to the child’s access to a site. Moreover, in some circumstances, an older child may be able to imitate the voice of an adult. 4. E-mail accompanied by a digital signature At present, digital signatures do not offer a viable means for obtaining parental consent. Several important obstacles currently impede the use of digital signatures: there is a lack of both consistent technological standards and consistent legal treatment for digital signatures; digital signatures impose a potential financial and technological burden on consumers and Web site operators; and consumers have yet to adopt digital signatures as a routine authentication method. As a result, in the near term digital signatures may impose technological and financial difficulties for both consumers and Web site operators. Currently there is no single encryption standard for digital signatures. The private sector has been pushing forward on the development of secure technology and technical standards. The biggest drawback of these various initiatives is that too many systems with differing technological and administrative standards have developed. Implementation of these different digital signature standards could significantly impede their use for parental verification. From a regulatory standpoint, there are numerous initiatives underway both domestically and internationally to establish systems for digital signatures and electronic authentication. They are far from consistent. Industry or government may develop a uniform digital signature standard in the coming years; however, at this juncture, parental consent must be addressed through more readily available and viable means. Thus, consumers and Web site operators run the risk that a particular digital signature will not be compatible with a particular Web site. In addition, online merchants and software vendors will need to design their software to integrate digital signature technology so that consumers can utilize the technology. From a consumer perspective, digital signatures are not technologically seamless to install. Users need to download the special software and take additional steps to integrate the digital signature software into the browser before the technology can be used. Users may also encounter technological problems when upgrading to a newer browser or when transferring digital signature information to an additional browser at home or at work. Furthermore, digital signature methods are expensive. For example, Cyber-Sign’s biometric verification system costs $850 for 10 users, and $35 for each additional user. Users must purchase a special digitizing pad and pressure-sensitive pen. In addition, digital signatures have not yet been embraced by consumers as a routine authentication method. Even though digital signature companies have existed for several years, most consumers do not use them. The largest digital signature company, VeriSign, Inc., has only issued 3.5 million individual digital IDs, which is less than 4% of the total number of Internet users in the U.S. In addition, VeriSign has issued only about 100,000 Web site digital certificates, far less than the total number of domestic Web sites. Finally, digital signatures may not provide a "silver bullet" that assures that a parent is actually providing consent. As with the other methods that the Commission is considering, there is no guarantee that a digital signature has not been compromised by someone else using the computer system, such as an older child. For example, if passwords used to obtain the digital signature initially are lost during set-up of a digital signature, the user will need to set up another digital signature, opening the possibility of other users obtaining a parent’s private key. B. The Final Rule Should Endorse E-Mail Consent on a Temporary Basis At present, an e-mail-based consent system without digital signatures offers the most efficient means by which to obtain verifiable parental consent. From the vantage points of Web site operators, parents and children alike, this method significantly reduces transaction costs and helps to preserve the spontaneity and interactivity of the medium. Nickelodeon and the Cartoon Network have had recent experience with an e-mail-based opt-out and consent system, and received overwhelmingly positive support from parents for this approach. For example, Nickelodeon used an e-mail-based opt-out system for a Rugrats movie contest it recently offered. To participate in the contest, the child would enter his or her first name and a parent’s e-mail address. Nickelodeon would then send an automated e-mail response to the parent indicating the child’s desire to participate in the contest. The e-mail gave the parents the choice of either not responding, thus assenting to their child’s participation, or clicking on a URL to withhold their consent and thus have the child’s name deleted. Even though the system was designed for opt-outs, 96% of parents whose children wanted to participate in the contest communicated with Nickelodeon to opt in to the program and express their support for Nickelodeon’s measures to help empower parents to control their children’s online experiences. E-mail consent is convenient for both parents and children. It has the significant advantage of occurring online—the preferred method of communication for most Internet users, and of occurring quickly, which makes good sense in light of a recent study indicating that 64% of children’s computer usage occurs in the presence of a parent. Consent that operates entirely by e-mail also reduces costs dramatically. Because consent information arrives in electronic form, it avoids the significant labor costs associated with sorting and processing mail, fax and telephone responses. In addition, it avoids the substantial verification and set-up fees required for credit card verification, as well as the significant labor, telephone and related charges associated with operating a toll-free number. Finally, with one or two safeguards, e-mail consent is essentially as reliable a method of securing parental consent as the other methods endorsed in the Commentary:
To the extent that the Commission seeks a further basis for verification in the second scenario, we propose the following safeguard options: first, the operator could be required to send a second e-mail to the parent at a different time of day or over the weekend, seeking verification from the parent that the parent in fact authorized the child’s participation at the site. If the parent replies that he or she was not the source of the authorization, then the operator must cancel the child’s registration, and delete the personal information from its database. Alternatively, the operator could ask the parent to submit with his or her consent some non-intrusive information that the child is unlikely to know, such as the city and zip code of the parent’s place of work, the parent’s county of residence, or the parent’s age and year of birth. This approach has the significant benefit of avoiding asking the parent for more personal information within the meaning of the Act and thereby chilling consent. In addition, it avoids the significant expense of a verification program that requires obtaining information rapidly from a third-party service, such as a credit card verification system. Finally, we strongly endorse the proposal in Question 14 of a sliding scale under which a more flexible range of consent mechanisms would be permissible depending on the use the operator plans to make of the information. This approach is fully consistent with the "flexible" reasonableness standard of COPPA’s consent standard discussed above, with the specific statutory purpose of protecting child safety in public fora such as chat rooms, Bryan Statement at S11657, and with the Commission’s discretion in implementing COPPA’s safe harbor. 15 U.S.C. § 6503(b). For example, an operator should be able to collect personal information for purposes of internal use only while waiting for receipt of an e-mail indicating parental consent, provided that the operator does not use or disclose the information for any other purpose until consent is received. This approach would directly advance the statutory purpose of "preserv[ing] the interactivity of children’s experience on the Internet" by giving children the ability to interact with sites designed for them on an intermediate and timely basis. See Bryan Statement at S11657. Conversely, where an operator’s activities demonstrably implicate child safety, the parental consent standard should be substantially less flexible. V. CONCLUSION For the foregoing reasons, The Cricket Magazine Group; Fox Family Worldwide; Headbone; Nickelodeon; The Cartoon Network, Sports Illustrated For Kids, Time For Kids, and other Time Warner Inc sites; and The Walt Disney Company all urge that the Commission’s final rule endorse the use of e-mail consent for a limited, five-year sunset period, whereupon the Commission would review and update consent standards under the Act as part of its statutory review of implementation of the Act. |