From: "Luis E. Piedrahita" luis@corp.TalkCity.COM
To: HQ.DCMAIL4(KIDSRULE)
Date: Fri, Jun 11, 1999 2:20 PM
Subject: Children's Online Privacy Protection Rule -- Comment, P994504

RE: Children's Online Privacy Protection Rule -- Comment, P994504

Talk City is a leading Internet provider of high-quality online communities and interactive services for businesses and consumers. For consumers, these communities offer services such as moderated chat, home pages, special event production, message boards, and online event guides. Our site includes a wide range of online communities that are located at www.talkcity.com.

Responsible businesses will act in a responsible manner to ensure that their customers are respected and treated properly. It's in the long-term interest of any company to do so. We think that self-regulation of many issues concerning the Internet will come into being, without the need for major legislative action. We do welcome the passage of laws that call for certain guarantees to be met, and that then allow the industry to come up with the best way of implementing those guarantees.

In reviewing COPPA, we feel that it is a fair law for ensuring that a child's personally identifiable information not be commercially exploited, and that parents be notified before their child is asked for any such information.

What we feel is important is that the scope of the law not be enlarged in a manner that demands the "operators," as defined in the act, assume the role of being a parent online, or ensuring a level of safety that cannot be met.

Here are our views on those questions asked by the Commission in the proposed guidelines, where we believe we have something to contribute:

We have been implementing a privacy policy since 1997, and have seen the evolution of this issue, with many ideas coming and going. We have seen interpretations of COPPA that:

  • Go beyond the stated scope of the law.

  • Possibly place "operators" in a role not intended for them.

  • May cause a reduction in places for those under the age of 13 to use and interact with on the Internet, without paying a subscription fee.

We feel that if an operator maintains a site, whether it's for children or a general site, if no attempt is made to gather any personally identifiable information from a child, other than that allowed by Sec 1303(b)(2)(A), then no prior parental approval is necessary, even if the child is given access to interactive services such as chat areas, message boards, Web pages, etc.

We have read proposals that state that a child should not be allowed to venture into a situation where they, on their own, may divulge personally identifiable information, in whatever form the situation may be (i.e. a chat room, e-mail, Web pages, etc.), without prior parental approval. The reasoning, we have been told, is that those wishing to obtain possible personally identifiable information may lay idle waiting for a child to divulge that information, so that it can be added to their marketing database, or that some human predators may use it to identify their next victims.

The possibility of a child divulging that information also occurs when the child is dropped off at the movie theater to go see a movie. It occurs when a child goes off to a toy store while the parents may go shopping at another store in the mall. The risks are there whether in the virtual "cyber" world, or the real world. Movie theaters or toy stores do not have to obtain prior parental approval just to have a child enter into their commercial environments and watch a movie or check out the latest toys.

Operators should not be penalized and have a higher business barrier placed on them because the medium that they choose to operate in is the Internet. It is also unreasonable for operators to have to change their businesses or incur costs because of some unknown third parties who may or may not actually be on their sites.

Those concerned about the access to interactive sites cite the safety aspect of a child divulging personal information in an interactive environment. Ensuring that does not happen is a parental role, and has been since we had addresses to cite.

The fallout of interpretations that are very strict in requiring prior parental approval could be operators converting to a subscription model to recover the incremental costs associated with compliance to COPPA. Some operators may see the incremental costs and decide that the under-13 market is marginal, and remove any and all content for those under 13. It could mean fewer places on the Internet for kids under 13 to go to, or restrict access to only those who can convince their parents to pay for a monthly subscription to enter Internet sites.

COPPA asks that an operator obtain verifiable parental pre-approval to safeguard the commercial exploitation of a child. In the same paragraph, the law goes on to stress the need to ensure that the parent receives the notice.

It is important to recognize that this assurance starts with the child, the one wishing to join or participate in an online activity or service. Depending on the age and savvy of the child, he or she may be tempted to lie about his or her age, and other information. This situation exists where the operators maintain sites that are free to the end-user and rely on revenue from online advertisements, not credit card subscription memberships.

We are not aware of any studies showing the percentage of children on the Internet -- or off the Internet -- that would tend to do this. Our own anecdotal memory is that given the chance, some kids will do it, especially as they get closer to the teen years.

The Commission has stated its unwillingness to commit to any particular method or methods for the mechanism for verifiable parental consent. We applaud this action. In the case of operators that do not charge a subscription to participate, any system set up to comply with COPPA would be an incremental expense not previously borne by the operator.

We hope that the Commission allows for the industry and individual companies to evolve several systems rather than just one method.

On the issue of information validity, we could equally assert, with some technological prejudice, that any e-mail should be accompanied by a valid digital signature, on the assumption that without it, the e-mail is not valid and should not be relied upon. We are in favor of some form of digital signature, and unfortunately it is a practice that has not become widely accepted.

We also note that the Commission does not place any requirement on postal mail or facsimile signatures. The assumption here is that if there is a signature on the document, by default it is valid. Falsification is not restricted to Internet sites, and they should not be singled out with overly astringent demands for verification.

The Commission should consider allowing operators to use any valid and logical verification system that causes some level of activity that, in general, only a parent would be capable of doing. This could be entering a credit card number, or some level of action and compliance that, generally speaking, only an adult could act upon.

At this point we are evaluating various methods, including membership notification via e-mail, along with a password key, which would require action on the part of the parents if they wish to allow their child to participate on the site. The use of the password and the actions required to comply would provide sufficient assurance that the person providing the consent is the child's parent.

In conclusion, to ensure that COPPA receives as much compliance as possible, we believe first, it's important that Internet operators are not forced into providing subscription-only models, possibly forcing many kids to not have much choice on what sites they can interact with. Second, the verification system should encourage those under the age of 13 to participate, and not to lie about their age. Third, the mechanism for obtaining verifiable parental consent should be reasonable, and place only nominal incremental costs on the operator.

Luis Piedrahita
Community Standards Manager
Talk City, Inc
307 Orchard City Drive, Suite #350
Campbell CA 95008
eMail: luis@corp.talkcity.com
url: http://www.talkcity.com