November 30, 2001
RE: Children's Online Privacy Protection Rule Amendment - Comment, P994504
Dear Secretary Clark:
Privo appreciates the opportunity to provide insights and feedback on the proposed amendment to the Children's Online Privacy Protection Act. As an infomediary service formed for the sole purpose of helping companies effectively manage COPPA-compliant registration, we hope our answers will provide insight from a unique perspective.
Privo was incorporated in February 2001 to create a solution that enables companies to responsibly initiate and manage safe and profitable online relationships with children. In May, Privo began a limited sales and marketing effort to identify solution requirements for companies' unique needs across multiple industries providing interactive services for children online. Companies including top Fortune 500 companies are engaged in beta testing and Privo is finalizing a limited number of companies to participate in the Privo Pilot Program.
Privo addresses the complex regulatory environment and increasing privacy concerns of families in an economical, scalable and efficient way. The PrivoLockô solution provides companies with a way to responsibly maximize their marketing efforts to the large (and growing) children's online population. It is an efficient and economical technology- and service-based solution capable of securing verifiable parental consent, and provides a reliable outsourced service for the children's online industry. Privo qualifies as an "infomediary service", as anticipated in the COPPA.
We recognize that a reasonable extension to the email-plus exception may be a necessary transition into industry implementation of more reliable consent methods including use of infomediary services, such as Privo. Setting deadlines that occur in the next 12 months would motivate this transition. We would like to encourage the FTC to stand firm in implementing and enforcing its policies protecting children's privacy and empowering parents with the ability to participate, and specifically authorize use of, their children's personally identifiable information.
In order for consent management services to successfully launch full-service, affordable solutions that industry will adopt, then all constituents (providers, companies, investors) must be confident that COPPA is here to stay and that the FTC is serious about enforcement. We applaud the FTC commissioner's stance on increased focus to children's privacy and safety online in his October speech.
The FTC's adoption of the sliding scale of consent, and the original two-year period ending April 21, 2002, was seen, when it was proposed, as a reasonable attempt to allow the online industry to have time to absorb and react to the new COPPA requirements. Likewise, it was hoped that in the same period, technological solutions, and/or infomediary services would emerge to assist or support good faith industry attempts at compliance. Those solutions are now at hand.
On a policy level, serious concerns exist regarding the effectiveness or lack thereof of "e-mail plus" as a method of obtaining verifiable consent. When one examines the arguments in favor of this, two key advantages are usually mentioned - convenience for the parent and lower cost to the company. However, the cost and convenience to both the website and the parent should not be our only concern, if cost and convenience mean lowering the bar for children's privacy and security. Simply put, e-mail plus may not and often does not result in a reliable verification.
Privo appreciates the multiple and sometimes conflicting pressures on the Commission to balance the protection of children with reasonable regulatory measures for businesses.
Privo responds to the twin pressures by providing busy moms and dads an easy convenient method of providing reliable consent, while providing businesses a way to responsibly initiate and manage safe and profitable online relationships with children.
It is our position that holding to the original deadline, as close as is reasonably possible, for phasing out the "e-mail plus" sliding scale accomplishes the following important economic and policy goals:
E-mail plus (particularly with delayed e-mail as the confirmatory method) does not provide a reliable method of parental verification.
Privo applauds the FTC's continued effort to balance the needs of the online industry with its mission to protect consumers and, most particularly, children. We at Privo hope to emerge as a best-practice industry standard in trusted interactions with children online and hope to continue an open dialogue with the FTC.
Please find our responses to each question attached.
Responses to FTC Questions
1) Are secure electronic mechanisms now widely available to facilitate verifiable parental consent at a reasonable cost? Please include comments on the following:
Secure electronic technologies do not appear to have achieved a common acceptance on a mass level nor does adoption of such technologies appear to be likely on a wide basis in the near future.
We believe the more relevant question is whether there is more emphasis on this potential solution than is warranted. It may be a period of time before the general population both possesses and feels comfortable with digital signature technology. In the meantime, verifiable parental consent still must be the centerpiece of our policy objective. This points us toward infomediary services as the preferred and more likely solution.
The Problems With "e-mail plus"
It is the very "convenience" of e-mail plus that is its undoing. When the child requests registration at a site, he or she will be faced with providing parental consent when personally identifiable information is required. COPPA has had a major impact in bringing websites forward in "gating" their sites and there has been a significant reduction in unfettered interaction if the child is under 13.
It must be acknowledged however, that in today's world of increasingly savvy Internet users, there are many children under 13 years of age who are very resourceful and have learned how to "beat the system". It is commonplace for children to have the requisite knowledge to falsify their age or fabricate a spurious e-mail message that is allegedly from the parent or guardian. Even the COPPA Final Rule states:
"Based on the comments, the Commission is persuaded that e-mail alone does not satisfy the COPPA because it is easily subject to circumvention by children."
Of perhaps greater concern is that it is only a small step further for the child to create an e-mail account to send a "confirmatory" e-mail to the operator of a commercial website. Similar to the reasoning that a child would be too tempted to "borrow" a parent's credit card if they could use the credit card to verify age without a transaction, email-plus may tempt a child to establish an email address or have young friends participate in the consent process. This completes a fictitious agreement between the "parent/guardian" and the website. This also opens a door for the child to begin receiving inappropriate spam e-mail through the newly opened e-mail account as an unintended side consequence.
(2) Are infomediary services now widely available to facilitate verifiable parental consent at a reasonable cost?
Privo qualifies as an "infomediary service" anticipated by COPPA as a technology solution capable of obtaining reliable and secure verifiable parental consent efficient and economical for the online industry.
Below is an overview of the infomediary service that the Privo solution provides.
The Privo Solution
The Technology & Methodologies
The technology, processes and methodologies behind Privo's PrivoLockô platform are based on industry standards and provide for an extensible, scalable architecture that can be easily integrated into the current infrastructure of a website operator. PrivoLock's centralized components include:
The PrivoLockô system is a turnkey platform for privacy management between companies and families. Multi-channel parental consent verification simplifies the ability for parents to manage their child's online identity. Privo creates parental passwords that enable "next-time" ease in registration at other PrivoLock-enabled sites, eliminating redundancy in the registration process. The PrivoLock system allows parents to update permission in real-time. The parent/teacher no longer has to manage passwords from each site for each child. Moreover, the child benefits from the single username and password feature that enables interaction at all PrivoLock-enabled websites permissioned by his or her parent. The child can request additional permissions simply and quickly so he and she can access additional interactive features with the least amount of interruption for parental consent.
Ease of Implementation and adoption
The PrivoLock infrastructure and outsourced service components can easily, economically and efficiently be integrated into a company's systems. PrivoLock-enabled sites provide the system as a free, browser independent way to empower and educate parents. Permission-based relationships lead to increased brand trust, loyalty and frequency in usership. Because of its ease-of-use and scalability, websites that utilize PrivoLock can improve their current registration and retention success rates.
Privo employs an economies-of-scale model that absorbs a substantial portion of the initial registration cost to companies. By providing a centralized service, the cost is distributed across participating companies within various industries that interact with kids on the Internet. As infomediary services become the industry standard and trusted family facility for managing personal information, the compliance and permissioning services become increasing affordable and efficient.
Privo has been in a research and development phase for the past year and a half. We are poised to launch and are rolling out our Pilot Program in Q1 2002 with full implementation by Q3 2002.
(3) Is this proposed extension an adequate amount of time considering the current development of secure electronic mechanisms and/or infomediary services for obtaining verifiable parental consent at a reasonable cost? Please include comments on the following:
The FTC's adoption of the sliding scale of consent, and the original two-year period ending April 21, 2002, was seen, when it was proposed, as a reasonable attempt to allow the online content industry to have time to absorb and react to the new COPPA requirements. Likewise, it was hoped that in the same period, technological solutions, and/or infomediary services would emerge to assist or support good faith industry attempts at compliance. Privo, like most observers, applauds the FTC's continued attempt at balancing the needs of businesses with its mission to protect consumers and, most particularly, children.
However, the original two-year extension is expiring, and as with any deadline, the pressure is mounting for the anticipated solutions to emerge - in this case either digital signature technology or infomediary services. Privo, has worked diligently within this timeframe to emerge and launch itself as a solution, and we are pleased to announce our services are at hand.
Extending the sliding scale another two years, will remove what has been a healthy pressure for companies to find and adopt solutions.
As explained herein, Privo is launching as an affordable infomediary service in Q1 that will be fully available in Q3 2002.
(4) Should the extension be longer than two years?
Even if the FTC decides that some additional time is needed for the industry to develop and embrace verification technology, the proposed additional two years is excessive. We recognize that a reasonable extension to the email-plus exception may be a necessary transition into industry implementation of more reliable consent methods including use of infomediary services, such as Privo. Setting deadlines that occur in the next 12 months will motivate this transition. We would like to encourage the FTC to stand firm in implementing and enforcing its policies protecting children's privacy and empowering parents with the ability to participate, and specifically authorize use of their children's personally identifiable information.
(5) Rather than be extended, should the sliding scale mechanism be kept in place indefinitely, until the development of secure electronic mechanisms and/or infomediary services become widely available to facilitate verifiable parent consent at a reasonable cost?
To answer this question requires us to re-visit the underpinnings of COPPA and the purpose of Verifiable Parental Consent.
A Review of the Original Reasons for Adopting COPPA
In analyzing the idea of extending the e-mail plus method, it is instructive to review the original purposes of passing COPPA in the first place.
In 1996, when the debate first began in earnest, it became clear that there had arisen three threats from the growth of online services and content aimed at children under 13:
It became apparent that children were disclosing personal information actively and passively. This made it possible for companies to craft individualized messages and ads. Children are not aware of the potential consequences of disclosing information about themselves and their families. Children are also not yet familiar with the commercial intent behind such enjoyable activities such as giveaways, contests and surveys, which may be benign, but again, do not pass the test of an "informed decision" which only a parent can provide at such young ages.
Direct interaction by children online with sites intent on marketing to children creates an unfair advantage over children. COPPA was designed to reinstate the parent into the equation such that overzealous marketers or vulnerable children are protected from each other. Moreover, parents, not children must have the final say as to which sites their child will be allowed to interact with and what information may be disclosed.
Congress, and the Commission, wisely, developed COPPA as a reasonable method of securing more safety and protection for this vulnerable class of Internet users.
The principle holds firm that children need their parents consent before releasing personal information online.
Privo does not believe that the Commission, nor those who supported COPPA itself, have begun to waiver on their commitment to the protection of children or the essential role of parental consent. Recent comments by FTC Chairman Timothy J. Muris certainly suggest that this is true:
"FTC Chairman Announces Aggressive, Pro-Consumer Privacy Agenda
October 4, 2001
"Privacy has become a large and central part of the FTC's consumer protection mission.
" I was impressed by the widespread agreement on the importance of privacy issues and the importance of the FTC in protecting consumers' privacy. As a consumer protection agency, we respond to the American people. The FTC can reassure consumers that privacy promises will be honored. We are an agency with knowledge about both consumer protection and the way markets address consumer privacy concerns. We will increase our enforcement of laws protecting consumer privacy.
"Our privacy program will reduce the negative consequences of misuse of information, whatever the source. Today, I announce an ambitious, positive, pro-privacy agenda that begins with a substantial increase in the FTC's commitment to protecting consumer privacy. We plan to increase resources devoted to protecting privacy by 50 percent.
Enforcing The Children's Online Privacy Protection Act
"None of the worries we have about privacy is greater than concern for the privacy of our children.
In 1998, Congress enacted the Children's Online Privacy Protection Act (COPPA) to prevent the collection of personally identifiable information from young children without their parents' consent. We are working hard to ensure compliance with this statute. This year we filed four civil penalty actions to enforce COPPA, and we have additional matters under investigation."
Dramatically extending the exception period to April 21, 2004 may be perceived as inconsistent with the original intent of COPPA and the FTC's pronounced emphasis on protecting the privacy of children.
(6) What, if any, will be the negative impact of extending the time period for the sliding scale mechanism for obtaining verifiable parental consent? Please include comments on whether the extension will serve as a disincentive for industry to develop secure electronic mechanisms and/or infomediary services to facilitate verifiable parental consent at a reasonable cost.
We believe it was a wise strategy by Congress in enacting the COPPA legislation. The compliance challenge of obtaining the verifiable component of parental consent did indeed create a market for solution-providers.
Industry standards need to emerge to minimize the financial, administrative and legal challenges for companies while simplifying the end-user experience.
Privo has conscientiously developed a technology- and service-based solution that is economical and scalable in expectation that the expiration of the sliding scale would be a strong component for driving market need. The extension creates a limbo environment for providers and companies alike.
Lowering the bar to unreliable methods of verifiable consent is harmful to the widespread emergence of economical solutions to serve general audience sites as well as child, tween and teen targeted companies. The extension has the potential to create uncertainty in the necessity for full-compliance, and may hold back the natural evolution of developing industry standards for COPPA-compliant registration.
The Commission must remain consistent to its original goals and strategy in order to see them fulfilled. Changing course, even if for a new "date certain" introduces doubts as to whether enforcement of these provisions is truly intended or whether further extensions might be approved down the road.
Moreover, there is a fundamental question of fairness. Many sites that have taken leadership roles in the "high road" of compliance have dutifully attempted to come to grips with the requirements of COPPA. At the same time, well-informed observers of the industry as a whole are aware of sites in which compliance has been put off in hopes of lack of enforcement or change towards greater leniency.
Developing compliant registration processes with the email-plus exception still requires companies to make a significant technology investment to automate this process. Are we suggesting that companies are better off building a second round of short-term "band-aid" solutions? With companies concerned that efforts on email-plus have been for naught, a shorter extension period would allow the FTC, and the industry, time to evaluate existing and emerging market solutions.
Privo's infomediary service employs a centralized, economies of scale model that is fully capable of providing email-plus for customers, as well as obtaining the verifiable consent component at a minimal extra cost.
End of Comments.
Thank you for your consideration. Please do not hesitate to contact us with questions or for more information.