Children’s Online Privacy Protection Rule - - IRFA Comment, P994504
TO: Federal Trade Commission
DATE: August 5, 1999
Thank you for the chance to respond with comments on "ways in which the rule could be modified to reduce any costs or burdens for small entities consistent with the COPPA’s mandated requirements [and] whether and how technological developments... could reduce costs of implementing and complying with the rule...." (Questions for Comment 1-3).
A. Upcoming Technological Developments Will Substantially Reduce Costs.
Technological developments in the area of process automation will soon automate much of the "busy work" of operating a privacy seal program. Automation will nearly eliminate the 60+ hours of professional time required for sites to come into and maintain compliance. Privacy seal programs that embrace automation will be able to reduce compliance costs to about $30 per year.
The web-based technology, now in final testing, deploys a unified system of process automation to (i) draft compliant Privacy Policies; (ii) register sites for a seal program (including configuration and distribution of seals); (iii) provide an online system for filing consumer complaints; (iv) orchestrate online mediation of disputes; (v) report unfavorable mediation outcomes on a site’s public registry statement; (vi) administer client billing, reporting and communications, and (vii) automate workflow for any remaining manual processes.
The mediation and reporting subsystems are particularly important to emphasize. They allow seal programs to offer an automated independent assessment mechanism whereby consumers may lodge privacy complaints and have unfavorable outcomes reported publicly on a site’s registry statement. The mediation system is designed to help the parties reach a private resolution without having to go to court or file formal complaints with the Commission. The mediation system is independent, because its automated processes are not subject to subjective influences.
Administrative reports generated by the system will, in effect, provide an early warning radar system that seal program staff can use to identify problem sites requiring personal attention. Once administrators are alerted to a problem site, they can then assign an auditor to make further inquiries and, if warranted, perform a manual assessment as a condition of further membership.
B. The Rule Should Embrace Cost-Saving Technologies for Seal Programs.
The rule should more clearly recognize the part that process automation can play in operating a "safe harbor" privacy seal program. The operative clause is Section 312.10(b)(2), which establishes criteria that seal programs must meet to qualify for "safe harbor" status.
The rule requires seal programs to implement an effective, mandatory mechanism for the "independent assessment" of web sites’ compliance with the guidelines. Neither the statute nor legislative history of COPPA equate "independent" assessment with "manual" assessment.
Our concern with Section 312.10(b)(2) is that it gives two examples of independent assessment mechanisms. Both examples--random audits and comprehensive site audits—suggest manual processes. The rule doesn’t mention the use of automated processes (perhaps because they weren’t invented yet). Nevertheless, we want to make sure the limited examples are not someday interpreted as implicitly imposing manual audits as the only viable assessment mechanism.
We don’t think Congress or the Commission intend to saddle safe harbor programs with inefficient processes that cannot scale up for widespread implementation (how could programs backlogged by only a few hundred applications possibly cope with 25,000 applications in a week? Or 50,000 complaints?) Process automation must occur, because it offers the only way to implement COPPA’s substantive requirements in a timely manner at an affordable price.
The rule should acknowledge that process automation can provide first-level defense of privacy rights, when reinforced by manual assessments undertaken on a targeted, as-needed basis. This will achieve greater compliance than random manual audits performed on a hit-or-miss basis.
II. Proposed Modification to Section 312.10(b)(2).
For the reasons stated, we propose that Section 312.10(b)(2) be modified by adding a new clause (iii) as indicated by the bracketed language below:
"(2) an effective, mandatory mechanism for the independent assessment of subject operators’ compliance with the guidelines. This requirement may be satisfied by:
As a practical matter, COPPA cannot be implemented widely at reasonable cost unless privacy seal programs automate much of the "busy work" of running a safe harbor program. Compliance costs will otherwise simply drive small web sites out of business or produce a popular revolt. Section 312.10(b)(2) should therefore more clearly recognize the role that process automation can play in providing an early warning independent assessment mechanism, when reinforced by manual assessments undertaken on a targeted, as-needed basis.
Thank you for your time and consideration in this matter.
John A. Newman, Esq.
[PrivacyBot is a supplier of automated technology to privacy seal programs. The PrivacyBot system was developed by the makers of QuickForm Contracts Online, a legal automation specialist in business since 1991 and on the web since 1996 at http://www.quickforms.com].