| July 30, 1999 Secretary, Federal Trade Commission
Dear Mr. Secretary: PrivaSeek, Inc. ("PrivaSeek") appreciates the opportunity to submit supplemental comments relating to the Commission's Notice of Proposed Rulemaking ("the NPR") implementing the Children's Online Privacy Protection Act of 1998 ("COPPA" or "the Act"). PrivaSeek's initial written comments, which are part of the current rulemaking record, focus on the "verifiable parental consent" section of the proposed rule." It is our position that personal information from or about children should not be collected, used, or released to a third party without parental consent. We applaud industry leaders who, as a general rule, have employed any number of methods for obtaining parental consent prior to gathering information from children. As a general matter, PrivaSeek is concerned about the ability of mail and fax-in consent forms, credit card transactions, and toll-free telephone consent calls to be authenticated. We believe that technological solutions provide the most effective, efficient, and safest means of protecting sensitive online data without unnecessarily hindering either the growth of the electronic marketplace or the ability of consumers to control and gain value from their privacy preferences. We also urge the Commission to strongly consider the use of technology that provides anonymity. However, technologies that provide anonymous access to the Web could be misused and could impact the ability of law enforcement to investigate cases of stalking. The use of screen names and pseudonyms are also viable alternatives that should be given careful consideration. We would also urge the Commission to encourage industry to adopt solutions that support use and access by those consumers with disabilities. The World Wide Web Consortiums (W3C) Web Accessibility Initiative has published standards for developing Web based content that will support accessible access. Section 508 of the Americans With Disabilities Act (ADA) supports and in some cases requires such access. PrivaSeek was established as the first "consumer infomediary" dedicated to establishing a new global consumer-centric marketplace based on principles where consumers establish the rules for the collection and use of their information. Our model is based upon what has come to be known as "Permission-Based Marketing." Permission-Based Marketing is where consumers volunteer or request to be marketed to. Permission-Based Marketing is premised on the fundamental notion that individual consumers own their personal information and should be in control of it online. This includes the ability to track the use of their information and to control under what circumstance information is shared with sites that request it. In his book entitled "Permission Marketing," Seth Gordon, former CEO of Yoyodyne, describes permission marketing as:
In a recent article by Denise Caruso in DIGITAL COMMERCE entitled "An Upfront Approach to Internet Privacy," Seth Godin gave an example of how permission based marketing can be more effective than traditional Direct Marketing approaches. Before being acquired by Yahoo several months ago, Godin's company, Yoyodyne, created and ran 150 of these permission-style promotions. According to Godin, the typical response rate for these promotions has been 10 to 20 percent, compared with about 2 percent when traditional direct-marketing techniques have been employed. Companies have paid between $150 to $300 dollars and more to get a new customer using traditional direct marketing approaches. A leading Wall Street brokerage house is currently paying less than $15 dollars in media acquisition costs using the permission-based marketing. While this is still expensive, they have realized that the yield from anticipated, personal, and relevant marketing, i.e. permission-based, is much higher than any "cold calling" method. As PrivaSeek's first major initiative, in March of this year, we announced our "Persona" technology. After several months of testing, we are pleased to announce that earlier this month, we released the first commercial version of the Persona product, called Persona Valet. Persona acts as a negotiator of information between the individual consumer and the marketer's Web site. When consumers visit the PrivaSeek Web site, no information is collected from them. If they choose to become a PrivaSeek member, they then create an online "Persona" which includes information such as their name, address, and the preferred method for PrivaSeek to contact them. This limited information is used to create the user's Persona Account. The consumer may decide to provide additional information such as email address, phone numbers, interests and hobbies, and electronic commerce information such as credit card numbers and shipping addresses. Consumers are also asked to establish their personalized set of usages for their information. By setting their own preferences, they control what information is provided and under what circumstances the information may be shared with PrivaSeek-approved partners. A consumer's information is never disclosed to anyone without prior consent. Additionally, consumers can change their personalized set of privacy preferences at any time by accessing their account and making changes to the conditions that govern how PrivaSeek will manage their data. At the end of the day, it is the consumer who chooses how personal information is utilized. Persona Valet provides consumers with a useful tool for accomplishing routine tasks like shopping online and managing personal information on the Internet. When consumers surf or shop the Web, Valet automatically saves them time and effort by automatically completing forms that may be required to register for a service or make a purchase. Since PrivaSeek was created to assist consumers in keeping their personal information private, security is naturally one of the company's primary concerns. PrivaSeek relies on state-of-the-art technology at all points of information collection, transmission, and storage to ensure that the security and integrity of consumers' information is not compromised. Additionally, the information is stored in the "Persona WebVault," which is maintained at a facility with a long history of safeguarding sensitive information with audited data and physical security practices. PrivaSeek partners, including online merchants and content vendors, go through a rigorous approval process that includes a comprehensive privacy assessment by a team of third party privacy experts. If an organization is approved, it must sign a contract with PrivaSeek requiring the organization to abide by the information controls specified in the consumer's Persona. Under this contract, the company agrees to follow the consumer's specific instructions with regard to this information. If a consumer does not wish to have the information used for internal marketing purposes, the merchant may not use that information without violating the contract. If the organization in any way violates its contract with PrivaSeek, it will be dropped immediately as a PrivaSeek-approved partner, and PrivaSeek will take legal action against the company. Thus, the Persona technology not only enables consumers to automatically safeguard their personal information and identity on the Web, but to actually gain value from it. The Persona technology provides a secure method of storing data that can easily be audited by a third party. It also allows consumers to access their data and privacy preferences from any device that is connected to the Web. PrivaSeek does not collect information directly from children under the age of 18, as it is our belief that information about a child belongs to the child's parents. A Child Persona is being incorporated into the existing Persona infrastructure. Currently developing a companion technology that will allow parents to set the parameters for the collection, use, and release of their children's information to third parties. PrivaSeek's "Child Persona" solution combines a parental involvement component with secure digital authentication technology. The Child Persona is based on the idea that there is "sensitive information," i.e. information that can identify the child or otherwise put the child in potential harm. Furthermore, whether information is sensitive or not often depends on the context in which it is examined. For example, providing a first name and last name is not necessarily a problem, but combining it with an email address may be. Because it is difficult or impossible to really know the implications of certain combinations of data, it must be possible to employ an extremely conservative model of information delivery. Essentially, a Child Persona follows this model:
Finally, like Persona, the Child Persona will require that any PrivaSeek-approved third party be bound contractually to abide by a child's privacy preferences and information controls as set by the child's parent. Thus, parents will be in control of the amount of information sites can collect from and about children, as well as permissible uses for such information. We are extremely excited about this consumer enhancement tool and believe that it is a solution that will meet not only the parental consent component, but also all of the general requirements of COPPA and the proposed rule. Considerable time, effort, and resources have been devoted to the development of this and other new technologies designed to safeguard consumer data, both in terms of privacy enhancing products, as well as certification tools such as digital authentication technology. It is our sincere hope that the FTC will give serious consideration to the relatively low cost and multitude of benefits associated with the use of technology like PrivaSeek's Persona technology. We would ask that, just as a generous grace period has been provided for online companies to demonstrate their commitment to widely accepted fair information practices, these promising technologies be afforded an adequate opportunity for deployment, recognition, trust, and use both by consumers and the online marketplace. Thank you again for the opportunity to submit additional comments and to participate in the July 20th public workshop. We look forward to working with you and Commission staff in the future and serving as a resource to the Commission as it continues the important work before it. Submitted by: Dr. Steven Lucas, Esq. Elizabeth M. Palmquist, Esq. PrivaSeek, Inc. |