Aristotle International, Inc., ("Aristotle")

ARISTOTLE

November 30, 2001

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, NW
Washington, D.C. 20580

Re: Children's Online Privacy Protection Rule -- Comment, P994504

To the Secretary:

Pursuant to the Notice of Proposed Rulemaking ("NPRM") published in the Federal Register on October 31, 2001 (66 Fed. Reg. 54963) (to be codified at 16 CFR Part 312), I submit these comments on behalf of Aristotle International, Inc., ("Aristotle") regarding the Federal Trade Commission's proposal to amend its Children's Online Privacy Protection Rule ("the Rule") to extend the time period during which website operators may use an e-mail message from the parent, coupled with additional steps, to obtain "verifiable parental consent" for the collection of personal information from children for internal use by the website operator.

Aristotle provides online authentication services based on government-issued identification checks. The system developed by Aristotle is the type approved by the District Court for the Southern District of New York earlier this year in a case involving age authentication for online tobacco sales. That New York federal court identified an acceptable, readily available, bona fide age verification system for online tobacco sales as follows:

1. When a customer seeks to place an order, an attempt must be made to match the name, address and date of birth provided by the customer against information contained in a databases of individuals whose age has been verified to be [21] years or older by reference to government-issued ID such as driver's license and voter registration records.

2. If the name, address and date of birth provided by the customer cannot be matched with that of an age-verified individual in such database, the customer is required to submit an age-verification kit consisting of a signed certification that the customer is of legal age and a copy of a valid government identification (driver's license, state identification card, passport, or military identification). (1)

Aristotle is particularly concerned over the use of COPPA's "verifiable parental consent" terminology in connection with the credit card safe harbor. We believe that the term is unintentionally perverting and diluting genuine standards of online verification by suggesting that credit cards prove "verifiable" adult consent.

It is well known that credit card companies have, in the last several years, begun spending untold amounts of advertising dollars marketing credit and debit cards specifically to minors. For just one example, major branding campaigns are currently underway nationwide for the VISA BUXX card, the very purpose of which is to introduce minors to the use of credit cards.

The major card companies already expressly acknowledge that access to a credit card is not proof of majority. For example, the promotion for VISA BUXX states:

Never provide your card number as proof of your age.

At times, some merchants have requested you provide them your credit card number as a proof of age. Never provide any of this information, as the card number does not validate an age.(2)

MasterCard also has acknowledged this same truism in Congressional testimony,(3) and American Express' Cobaltcard is expressly marketed to allow "young adults age 13 and over to build financial responsibility when they shop online and in stores".(4) Obviously, using a credit card cannot be an adequate age-verification standard for any purpose.

There is simply no longer anything presumptively "verifiable" or "parental" in the credit card safe harbor approved by COPPA. If the rule is to be extended, we urge that the Commission make clear that, due to the proliferation of youth-oriented credit cards in the last several years, the use of a credit card is no longer acceptable to the government as proof of adult status.

Thus we urge that the use of credit cards be expressly eliminated as a method of proving "parental consent". Reliance on credit cards for proof of adult status is inconsistent with the realities of the marketplace, and the sworn testimony provided to Congress by VISA.

Finally, any system that may increase the risk of credit card fraud should be considered highly suspect. As VISA also stated in Congressional testimony:

Moreover, using access to a credit card or debit card as a proxy for age actually could result in an inadvertent commission of criminal acts. Unauthorized use of a credit card is a criminal offense. If, for example, a child makes the mistake of using his or her parent's credit card without the parent's knowledge, and the parent later reports that unauthorized use, a criminal investigation might ensue before the true nature of the problem was discovered.

This not only would divert scarce enforcement resources from more important concerns, but also could create problems for the child and the family that are unrelated to and in addition to the harm against which the Act seeks to protect.(5)

Conclusion

In today's marketplace, placing a government imprimatur on the use of a credit card as proof of adult status is both unfounded and illogical. Claiming that use of such card shows "verifiable parental consent" as a matter of law also undermines legitimate efforts to establish higher standards for online verification, and may inadvertently encourage criminal activity.

For these reasons Aristotle urges that the use of credit cards to prove verifiable parental consent not be carried forward in any extension of the Rule that may be approved.

Sincerely,

J. Blair Richardson
General Counsel and Chief Privacy Officer
Aristotle

1. Santa Fe Natural Tobacco Co. and Brown & Williamson Tobacco Corp. v. Spitzer and Pataki, 00 Civ. 7274, slip op. at 59-60 (S.D. N.Y. June 8, 2001).

2. See http://www.visabuxx.com/centsible/tools_ecommerce.cfm.

3. "Access to a credit card or a debit card is not a good proxy for age. The mere fact that a person uses a credit card or a debit card in connection with a transaction does not mean that this person is an adult…. Thus, although [the Child Online Protection Act} assumes that only adults have access to a credit card or a debit card, it is important for the Commission to understand that this assumption is simply not true. As a result, the Commission may want to focus its attention on more suitable methods of verifying age."

Mark McCarthy, Visa VP for Public Policy, Congressional Testimony, June 9, 2000. See full text of testimony at www.copacommission.org/meetings/hearing1/maccarthy.test.pdf.

4. See http://amex.cobaltcard.com/amexindex.html

5. See testimony of Mark McCarthy, www.copacommission.org/meetings/hearing1/maccarthy.test.pdf, at page 3.