June 11, 1999 Via Hand Delivery and Electronic Mail Re: Children’s Online Privacy Protection Rule -- Comment, P994504 Dear Secretary: Visa U.S.A. ("Visa") is pleased to submit this comment letter to the Federal Trade Commission ("FTC") in response to its request for comment on the Notice of Proposed Rulemaking ("Proposal"), dated April 20, 1999 to implement the Children’s Online Privacy Protection Act of 1998. Visa appreciates the opportunity to comment on the Proposal. The Visa payment system is the largest consumer payment system in the world. Visa is a joint venture comprised of more than 21,000 financial institution members from around the world that have issued over 640 million Visa payment cards, which are accepted at more than 14 million merchant locations and over 400,000 automated teller machines worldwide. Visa -- which provides transaction authorization, clearing and settlement, and risk management services to its financial institution members -- supports more than one trillion dollars in Visa-related payment transactions annually throughout the world. This comment letter focuses on the suggestion in Section 312.5(b) of the Proposal that use of a credit card may be employed as a mechanism for obtaining "verifiable parental consent" (so-called "credit card verification") prior to any "collection, use, and/or disclosure of personal information collected from children." While Visa understands and appreciates the intent of this provision of the Proposal, Visa believes that the use of a credit card is not a suitable proxy for parental consent. Simply put, the use of a credit card "in connection with a transaction" over the Internet does not, in itself, demonstrate parental consent, since the use of credit card verification would not preclude a child from posing as the adult cardholder. Moreover, there are significant unintended consequences to this Proposal. Inadvertent Commission of Criminal Acts. In addition, establishing credit card verification as a means for preventing child access to certain Web sites may create more harm than good. Unauthorized use of a credit card is a criminal offense. If, for example, a child made the mistake of using a credit card in connection with an Internet transaction without the knowledge of his or her parent, and the parent reported that unauthorized use, a criminal investigation might ensue before the true nature of the problem was discovered. This not only would divert scarce enforcement resources from more important concerns, but also could create problems for the child and the family that are far worse than the harm against which the Proposal seeks to protect. Curtailed Use of the Internet in Schools and Libraries. The use of a credit card as a means of verifying parental consent assumes either that parents are physically present to input their credit card information each time it is required, or that parents indicate their consent by providing their credit card information to their children (which means that parents must relinquish, at least to some degree, control over use of that information). In this regard, reliance on credit card verification would discriminate against families who rely solely or substantially on schools and other public facilities to provide them with access to the Internet. Under such circumstances, use of credit card verification simply would not work unless parents turned over to their children the credit card (or account number). This would not only increase the risk of unauthorized use problems, but would also vitiate any notion that the use of the credit card represents meaningful parental consent since, as a practical matter, the child would have the opportunity to use the credit card in ways not consented to by the parent. Compromised Fraud and Risk Prediction Tools. The establishment of credit card verification by parents (or children with parental consent) would have adverse consequences on existing efforts to prevent and detect fraud. Visa and its members have developed sophisticated systems that are designed to detect credit card usage patterns that are indicative of fraud. These fraud detection programs are dependent upon the accuracy of information that is derived from merchant requests for authorization for a credit card transaction. If that information is tainted by Web site operators who frequently use the credit card authorization systems as proxy for parental consent, rather than for the transactions for which the systems were designed, the reliability of these risk prevention systems could be severely undermined. Thus, for the reasons discussed above, we urge the FTC to revise the Proposal to make clear that use of a credit card is not evidence of verifiable parental consent and, instead, to focus on other mechanisms for achieving this important objective. Once again, Visa appreciates this opportunity to comment on the proposed rulemaking. If you have any questions concerning these comments, or if we can otherwise be of assistance in connection with this matter, please do not hesitate to contact me at (650) 432-3111. Sincerely yours, Russell Schrader |