Children’s Online Privacy Protection Rule—Comment, P994504

Submitted June 11, 1999 by:

TRUSTe
Bob Lewin, Executive Director
10080 N. Wolfe Road, SW3-160
Cupertino, CA 95014
(408) 342-1940

To:

Secretary, Federal Trade Commission
Room H-159
600 Pennsylvania Avenue N.W.
Washington, DC 20580

TRUSTe, a non-profit, privacy seal program, respectfully submits these comments in the hopes that they will help define the best possible implementation of the Children’s Online Privacy Protection Rule. Our primary focus in preparing these comments has been to clarify how seal programs could incorporate the proposed rule into a functional oversight and monitoring program.

Response to Section I. Questions on the Proposed Rule

Page 36

Questions 5a and 5b

An explanation of how the information will be used should be included in the privacy statement; it should also be posted on the area of the Web site that is collecting the information about children so the user is not required to read the privacy statement in order to find out how the information will be used.  That is, the information should be clearly explained at the point of collection.   Also, it would be helpful to require all sites to refer to the privacy statement as either "Privacy Statement" or "Privacy Policy." Whatever it may be, for the benefit of the consumer, the phrase should be consistent across all Web sites. 

Page 36

Question 7

Only the basic details should be required. Any further detail (very specific to a single company) would require the site to spend an unreasonable amount of time researching and maintaining the accuracy of the details of the third parties' information practices, especially given that new partnerships are formed and changed on an ongoing basis. In some cases it may be appropriate for the Web site to provide a link to the third party’s privacy statement.

Page 37

Question 8

The methods that a parent can use to review the information provided by the child should be posted in both the online privacy statement and in the notice that is sent out to parents.  It is likely that the parents will delete the email notice sent to them, so it would make sense to require the information to be posted on the Web site as well.   Undoubtedly, the parent will look for this type of information on the Web site.

Page 37

Question 11b

In the case of mergers or new business partnerships, this formulation would likely be too burdensome and unreasonable to expect from a Web site, given the rate at which mergers and acquisitions occur in today’s Internet marketplace.  If there is not a significant change in the use of the information, then separate consent should not have to be obtained.  Mergers and new partnerships do not necessarily constitute a significant change in use.

Page 37

Question 12

The Rule should NOT allow the parent to refuse to consent to different internal uses of the child's personal information.  Allowing the parent to pick and choose which features should be available to their child is unreasonable.  The site cannot be expected to offer custom packages of services to each child.  However, the site needs to provide an opt-out for secondary uses, and the information collected should only be used to provide the stated services.

Page 38

Question 14

There should be greater flexibility because the information, if not shared with third parties or services that allow distribution of this information, would essentially be "locked in" at the site.  However, we would question the necessity of collecting the personal information in order for the child to experience the site. 

Page 40

Question 25

The use of a self-assessment worksheet, such as those currently used by seal programs, would be recommended. Investigations of user complaints are also an excellent assessment tool.

General Comments and Questions

If an operator of a general web site collects age range information that includes ages both under and over thirteen (example: Age 10-18), would that operator still be required to meet all COPPA requirements?

Page 4 of the Rule document states that "Because the proposed Rule applies to the use or disclosure of personal information and just its collection, it protects personal information collected from children prior to the effective date of the final Rule if an operator wishes to use such information in the future." It is not clear what the determining date will be: will the Rule apply to information collected from those that are still under 13 at the time of the final ruling or those that were under 13 at the time the information was collected? What about Web sites that have linked the personally identifiable information to age group classifications, such as "Under 13"? Should the Web site consider all of these users to be under 13 if the site cannot be sure? What if the user registered and indicated that he or she was a part of this age range years ago? In these cases, will the operator be required to obtain consent by the effective date of the final rule or will additional time be granted?

In the case where the parent has refused to let the operator collect, use, distribute, or respond to the request of the child by email, or continue to collect, use, or distribute the personal information of a child, is the operator allowed to retain any information in order to know that the child cannot have access to the site, or does the operator treat the child as a new user if the child comes back to the operator? For example, in the case of a newsletter, the parent requests that the operator not send the child any more newsletters. The child re-registers for the newsletter. What is the operator’s obligation and what information can be retained to meet that obligation?

Should a listing of the name and address of all operators be required on the Web site?

Page 17 of the Rule document states, "A new notice and request for consent will be required, for example, if the operator wishes to use the information in a manner that was not included in the original notice, such as disclosing it to parties not covered by the original consent, including parties created by a merger or other corporate combination involving existing operators or third parties." Do companies need to receive consent in the case of a merger, even if the use of the information has not changed?

The bill mentions that a screen name that reveals a child's email address would be considered personally identifiable information. In many cases, the Web site requests a username. What obligation does the site have to ensure that the username does not contain personally identifiable information?

Does the bill limit the collection of demographic/hobby information in any way?

Page 13 of the Rule document states, "Can see the link w/o having to scroll down."   This would place the link in the middle of the page on some Web sites, which will make the link more difficult to find than if it were at the bottom of the page.  Users are already used to finding major links at the bottom of the homepage. In addition, what displays on the screen can be dependent on how the user has configured his or her screen.