|July 1, 2000
Donald S. Clark, Secretary
Re: ESRB Safe Harbor Proposal Comment P004504
Dear Mr. Secretary:
As a mother and online consumer concerned with the privacy of my familys personal data, I am responding to the Federal Trade Commissions ("FTC" or "Commission") request for comment concerning proposed self-regulatory guidelines submitted by ESRB Privacy Online ("ESRB") pursuant to the "Safe Harbor" provision (§312.10) of the Final Rule (16 C.F.R. 312) implementing the Childrens Online Privacy Protection Act of 1998 ("COPPA") (15 U.S.C. 6501, et seq.)
First, I would like to raise my general concerns regarding the self-regulatory process. Second, I wish to highlight the insufficiency of the criteria for approval of self-regulatory guidelines in subsection (2), independent assessment mechanism in order to answer question number three of the Safe Harbor Request for Comment. I believe ESRBs proposal demonstrates the wide variability with which to satisfy the requirements of the Commissions Final Rule.
I fully support the Commissions efforts to protect the online privacy rights of the public and especially children. My concern is whether industry self-regulation meets Congress mandate in COPPA to prohibit unfair or deceptive acts or practices in relation to the collection, use or disclosure of personally identifiable information from or about children on the internet. The FTC not only has the authority but the responsibility to regulate commercial internet sites and the criteria the Commission has provided to approve self-regulatory guidelines may be insufficient.
The FTCs Authority and Responsibility to regulate commercial internet sites
The Commissions primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. The FTCA provides the FTC with broad law enforcement authority over businesses engaged in commerce. I agree that the FTCs authority extends to commercial internet sites.
The Commissions statutory power arises from Section 5(a) of the FTC Act, which provides that "unfair or deceptive acts or practices in or affecting commerce are declared unlawful" (15 U.S.C. Sec. 45(a)(1)). "Unfair" practices are those that "cause or are likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." (15 U.S.C. Sec. 45(n)).
The Commission may promulgate trade regulation rules to remedy unfair or deceptive practices that occur on an industry-wide basis. Under Section 18 of the FTC Act, 15 U.S.C. Sec 57a, the FTC is authorized to dictate "rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce" if it has reason to believe the practices are "prevalent." (15 U.S.C. Sec. 57a(b)(3)).
COPPA Safe Harbor provisions may not provide sufficient criteria to evaluate proposals
Permitting operators to self-regulate without providing adequate criteria to evaluate their proposed guidelines may be an improper delegation of the FTCs authority to prohibit unfair or deceptive acts or practices in relation to internet commerce. Congress delegated the authority to the FTC to execute their mandate to protect consumers against unfair practices. Now the FTC passes this responsibility on without communicating sufficient criteria with which to evaluate self-regulatory proposals or indicating where the Commission will draw the line in making their determinations to approve or deny a proposal.
In its survey of over 1400 commercial web sites, the Commission already determined that the internet industry is not making efforts to implement effective self-regulatory programs to protect consumers online privacy. (Privacy Online: A Report to Congress) Industry leaders, such as Amazon.com, have voiced their disapproval of the regulations (Comment P994505) as "interfer[ing] with the overall customer experience and inherent benefits of the Internet as a commercial medium" and "chilling the interactive nature of the internet." This response is not surprising given the momentum of the industry, the incentives of commercial entities to target market their visitors, and the general lack of policing, regulation or enforcement that has existed on the internet.
In the interests of efficiency, operators have been permitted to self-regulate. The industry may be better positioned to provide controls and probably has much more expertise in the matter. But is the consumer protected when the farmer lets the fox guard the hen house? Does the Commission have the expertise to evaluate self-regulation policies proposed by the experts in this particularly maverick medium? As a consumer who looks to the government to police these actions, I am especially wary of self-regulatory proposals in areas of rapidly developing new technologies. If the industry is better positioned and more expert in developing guidelines, will the Commission know how to evaluate their proposals and monitor their compliance? If this is not the case, self-regulation will not adequately protect the public and the Commission would not be carrying out Congress mandate to protect the consumer from unfair practices and procedures in internet commerce which are "not reasonably avoidable by consumers themselves."
ESRBs Proposal in relation to the Commissions Criteria for Approval
Questions on the Proposed Guidelines:
3. Are the mechanisms used to assess operators compliance with the guidelines effective?
The Commission has provided criteria for approving self-regulatory guidelines in §312.10(b) of the Final Rule. Subsection (2) requires operators to come up with "an effective, mandatory mechanism for independent assessment of subject operators compliance with guidelines." The standard may be satisfied by:
ESRB is in the business of providing privacy programs for web sites. ESRB has proposed mechanisms which meet and exceed the above requirements of the Final Rule. ESRB has provided a variety of internal processes to ensure compliance including:
In addition, ESRB states it exceeds the criteria of the Final Rule through independent enforcement and accountability mechanisms of its Sentinel Program. This includes:
ESRBs assessment mechanisms may be more thorough than the majority of future proposals. It more than meets the criteria of the Final Rule. In contrast, the PrivacyBot proposal provides almost no assessment mechanism. Its "non obtrusive" system assumes the "good web citizen until we hear otherwise" or permits the operator to monitor themselves and ensure they meet Eligibility Standards with little if any checks.
There is a big difference between ESRBs Sentinel Program and a do-it-yourself "kit." The gap is large between these two proposals -- yet when a proposal crosses the FTCs desk that falls somewhere in the middle, the Rule provides little guidance. The Rule suggests "periodic review," "seeding," or "any other equally effective independent assessment mechanism." The rule is very general and hence, not very useful. Thus, it is unclear how the Commission will judge these proposals.
I am particularly concerned with letting operators define effective compliance without the Commission not already having done so. Suggestions of "periodic reviews of information practices" is not enough. This results in inconsistencies and little guidance for applicants or consumers. Instead of waiting for applicants to define the criteria or waiting for the handful of comments to arrive (4 for PrivacyBot.com, 7 for CARU), I would encourage the Commission to create sample processes for independently assessing compliance and publish more specific guidelines for applicants and consumers.
The Commission has not yet ruled on the approval or denial of the two proposals preceding ESRBs application. I encourage the Commission, when doing so, to clearly communicate the standards it used to evaluate these proposals and provide the public with information on how it arrived at its conclusion. This will be informative for the consumers who are entrusting the Commission to protect children on the internet and website operators wishing to comply with the regulations. It will also build more confidence in the public that the Commission is competently managing the program.
As a mother of children who will be much more facile with computers than me, I am concerned that the FTC is handing off its responsibility to monitor, investigate and promulgate rules which will protect these young consumers. The FTC leaves the industry to develop proposals to self-regulate without sufficiently stating the criteria it will use to evaluate these proposals. Congress has charged the Commission with this responsibility. The Commission is not acting within the scope of its authority to permit self-regulation of internet commerce unless it has sufficiently stated the criteria upon which to judge proposals and demonstrated the ability to evaluate the effectiveness of the proposed assessment mechanisms.
K N, Mother and Online Consumer