Comments of the Software & Information Industry Association (SIIA)
"Children's Online Privacy Protection Rule Amendment -
Submitted November 30, 2001
The Software & Information Industry Association (SIIA) appreciates the opportunity to provide the following comments on the Federal Trade Commission's (FTC's) proposal amending the Children's Online Privacy Protection Rule ("the Rule") to extend the time period during which website operators may use an e-mail message from the parent, coupled with additional steps, to obtain verifiable parental consent for the collection of personal information from children for internal use by the website operator.
In summary, SIIA supports the conclusion that an extension of at least two years is consistent with the Act and reflects both the lack of pervasive implementing technologies that are cost-effective and usable and the FTC's effective enforcement of the Act. SIIA strongly urges the FTC to make the "sliding scale approach" a permanent provision of the Rule.
The Software & Information Industry Association (SIIA) is the principal trade association of the software code and content industry with 800 members operating globally. Our members develop and market software and electronic content for business, education, consumers and the Internet. SIIA's membership is comprised of large and small software companies, e-businesses, and information companies, as well as many other large and small traditional and electronic commerce companies.
SIIA and its member companies have played a leadership role in promoting effective privacy protections for many years, and were among the earliest industry leaders to recognize the importance of adopting effective privacy policies and privacy-enhancing technological tools. As early as 1997, SIIA sent its issue brief to members, encouraging companies to adopt privacy policies that inform and respect consumer preferences. Since these early steps, SIIA has, through technical assistance and privacy seminars, worked with hundreds of companies to develop, write and implement effective, consumer-friendly privacy policies. In the U.S., we actively monitor developments at the Federal Trade Commission with regard to its Section 5 actions and in the legal frameworks of the Children's On-Line Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act (G-L-B Act), and the Health Information Portability and Accountability Act (HIPAA). At the international level, SIIA is working to encourage company participation in the "safe harbor agreement" negotiated between the Department of Commerce and the European Union. SIIA continues to advise the Organization for Economic Cooperation and Development (OECD) on privacy-enhancing technologies.
SIIA and its member companies are also at the forefront of developing global e-commerce markets in which business, consumers and users can have confidence. Thus, one of the priorities of our Association is to promote the recognition of electronic records, contracts and signatures as key steps toward providing a framework for promoting electronic transactions in both a domestic and global context. In particular, SIIA is monitoring implementation of the Uniform Electronic Transaction Act (UETA) by the states and the ESIGN bill in the U.S., as well as implementation of the European Union Electronic Signatures Directive generally. Implementation of the ESIGN bill is a high priority for SIIA and its members.
Support of at least a 2-year Extension
As the FTC correctly points out in its Notice of Proposed Rulemaking(1), as part of the effort to protect children's online privacy, Congress enacted the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq. ("COPPA"), to prohibit unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personally identifiable information from children on the Internet.
The final Rule implementing COPPA, which became effective on April 21, 2000, imposes certain requirements on operators of websites or online services directed to children under 13 years of age, or other websites or online services that have actual knowledge that they have collected information from a child under 13 years of age. Among other things, the Rule requires that website operators obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age.
To achieve verifiable parental consent, the Rule provides that "[a]ny method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."(2) In order to allow time for reliable electronic methods of verification to become widely available and affordable, the Rule sets forth a sliding scale approach to obtaining verifiable parental consent depending on whether the information gathered will be disclosed to third parties or used only internally by the website operator.
For uses of personal information that will involve disclosing the information to the public or third parties, the Rule requires that website operators use the more reliable methods of obtaining verifiable parental consent. The methods identified in the Rule include: using a print-and-send form that can be faxed or mailed back to the website operator; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the above methods.(3) This provision is not affected by this Notice of Proposed Rule Making.
In contrast, if the website operator is collecting personal information for its internal use only, the Rule allows verifiable parental consent to be obtained through the use of an e-mail message from the parent, coupled with additional steps. Such additional steps are designed to provide assurances that the person providing the consent is the parent and the Rule includes examples such as: sending a confirmatory e-mail to the parent after receiving consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call.
Without the steps proposed in the Notice by the FTC, the sliding scale is set to expire on April 21, 2002, at which time website operators must obtain verifiable parental consent using the more stringent methods for all uses of personal information.(4) This deadline was predicated on an assumption that the sliding scale was necessary only in the short term because the more reliable methods of obtaining verifiable parental consent would soon be widely available and affordable.(5)
Based on all the facts -- specifically, the lack of pervasive low-cost, end user-friendly implementations, the lack of evidence that the requirements of COPPA for gaining verifiable parental consent for information used only for internal purposes are not being met, and the lack of demonstrated need for stricter methods of obtaining consent for internal use -- the extension proposed by the FTC is reasonable and consistent with the requirements of the Act. SIIA also notes that the FTC has been successful in seeking enforcement actions under COPPA without adopting a "one size fits all" framework to obtain verifiable parental consent and instead relying on a sliding scale approach. The Rule as adopted was effective in striking a balance between the obvious need to protect children online and the need to maintain the interactivity that kids enjoy so much. Interactivity and consumer end use acceptability are the hallmarks of the Internet, and the Rule recognizes that.
To be absolutely clear, a phase out of the existing sliding scale and the adoption of a uniform set of methods that would cover internal use of children's information would have considerable negative economic consequences for Web sites falling under the COPPA rules. In many instances, the added burdens and costs imposed by the phase out of the sliding scale would cause some sites to cease interactions with children, reduce the quality of service and content, and possibly cease operations because the alternative verification mechanisms are too costly. The impact of such a result would disadvantage children the most -- depriving them of the benefits and opportunities presented by a diverse array of child-friendly Internet content.
It is, therefore, entirely appropriate for the FTC to extend this provision for at least another two years.
Based on our analysis of the legal requirements and public policy goals of COPPA, SIIA strongly supports making the current sliding scale permanent. Based on the evidence of COPPA implementation, a permanent sliding scale approach meets the requirements of the Act, achieves the goals of obtaining verifiable parental consent when the information gathered is used only for internal purposes, and will facilitate more services and content directed at children.
First, an initial 2-year deadline was appropriate at the time the Rule was finalized. A requirement that all parental consent be subject to strict verification procedures would have been unworkable and counterproductive. Moreover, there were legitimate questions raised by the availability of appropriate technologies to achieve the goal. In reviewing developments over the last two years, there are no clear signals that the anticipated verification technology -- technology that must be low-cost, widely deployed and acceptable to consumer end users -- is likely to be economically and widely available in the consumer market in the foreseeable future. Thus, it is not clear why the sliding scale should only be extended for two years. We are just as likely to face the same challenges in two years as we do today.
Second, as we noted above, changing course in mid-stream would have considerable negative consequences, particularly for many small and medium-size web-based businesses that serve children. Another extension for two years will have another direct impact: continued uncertainty for businesses that want to do more to provide value content and services to children about what business standards they must operate against. Our assessment of this market suggests that, in fact, this regulatory environment uncertainty (taken together with other economic and investment factors) has been an inhibition in this market. Many companies have been reluctant to make significant investments in children's online content and interactivity knowing that this regulatory framework might soon expire and require a complete revamping of a particular business model. Clarifying the rule to make the sliding scale permanent would contribute greatly to a predictable future for content and services oriented towards children.
Third and most significantly, the present approach has worked well. The key step for the FTC is to take into consideration both standards in the rule: "available technology" and "reasonable calculation." Most of the discussion has been on the former. The answer, in our view, is to focus on the latter. Consistent with industry practice, and with the FTC's own advisory committee's work in related areas, the sliding scale that provides for different methods between data gathered only for internal use and that which will be disclosed to third parties is "appropriate to the circumstances".(6) In adopting the sliding scale in the Rule, the Commission wisely acknowledged that the risks involved where an operator uses a child's personal information solely for its internal use, with no disclosure, were minimal.
We encourage the FTC to consider this analytical approach and make the sliding scale permanent in the Rule.
SIIA appreciates the opportunity to provide comments on this Notice of Proposed Rulemaking. Our members support the FTC's efforts to enforce COPPA fully. As a result, we believe that an extension of at least two years for the sliding scale is consistent with the Act and indeed, for the reasons stated above, we strongly urge the FTC to make the sliding scale permanent in the Rule.
Please do not hesitate to contact us if we can provide further information or answer any questions.
2. 16 CFR 312.5(b)(1).
3. 16 CFR 312.5(b)(2).
5. 64 FR 59902 (1999).
6. See, e.g., Final Report of the FTC Advisory Committee on Online Access and Security, May 15, 2000. One of the recommendations of the Advisory Committee, related to Security, is directly on point: "[A] security program should be appropriate to the circumstances. This standard, which must be defined case by case, is sufficiently flexible to take into account changing security needs over time as well as the particular circumstances of the Web site -- including the risks it faces, the costs of protection, and the data it must protect."