November 30, 2001
TRUSTe, an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships in the evolving networked world based on respect for personal identity and information, respectfully submits these comments in the hopes that they will help provide the Federal Trade Commission (FTC) with feedback on the Children's Online Privacy Protection Rule 16 Part 312.5b, "email plus."
TRUSTe received safe harbor status for its Children's Privacy Program in May 2001 and currently provides safe harbor for a number of large Web sites including, Lycoszone.com, Yahooligans.com, and Microsoft Kids Channel. This past summer, TRUSTe in conjunction with Classroom Connect won a children's media award for the Parents' and Teachers' Guide to Online Privacy, a free resource for parents and teachers to understand how to protect children online.
At the time the FTC adopted 312.5b, it allowed a sliding scale of consent for Web sites' internal uses (including email plus) based upon a belief that superior authentication techniques would be available in two years. This assumption has not proven accurate. As the FTC notes, the rate of development and adoption of technologies and services that aid a company's ability to obtain verifiable parental consent has been much slower than originally expected. The proposal would perpetuate the sliding scale for an additional two years even though technology to ensure that parent's identity is still not widely available. TRUSTe believes that it would be unwise to extend the lessened protection of "email plus" rule for two additional years, unless the rule is modified, so that a delayed email to the parent's email address is not considered sufficient verifiable parental consent.
Currently, the TRUSTe Children's seal program does not allow for the use of "email plus" for receiving verifiable parental consent. Many of our children's seal holders have developed information collection practices so that they fall under one of the five exceptions or choose not to collect personal information from children.
For general audience Web sites, TRUSTe has a created a set of guidelines for compliance with COPPA. In these guidelines, we advise companies to use the "email plus" only in the instances where the verification is followed up by either sending a postal letter to the parent or a calling from a trained operator. We have not been willing to accept the email from the parent's email account because the child may falsify this too easily.
In considering whether to extend the email plus rule, TRUSTe recommends that the FTC tighten the rule so that using a delayed email to parent is no longer considered acceptable under the rule. Choosing to extend the compliance date every two years because new technological solutions have not been widely adopted, is likely to create a regulatory environment that does not place pressure or give incentive to companies to invest and use such systems.
Thank you for the opportunity to comment on the rule.
Rebecca J. Richards