Safe Harbor ProposalComment, P004504
Donald S. Clark
Dear Mr. Clark:
The Center for Media Education, the Consumer Federation of America, the American Academy of Child and Adolescent Psychiatry, Junkbusters Corporation, the National Alliance for Non-violent Programming, Public Advocacy for Kids and the National Consumers League (hereinafter "CME/CFA, et al. ") respectfully submit these comments in response to the Federal Trade Commissions ("FTC" or "Commission") Notice of Proposed "Safe Harbor" Guidelines and Request for Public Comment. 65 Fed. Reg. 11947 (March 7, 2000) ("Safe Harbor Notice"). CME/CFA, et al. include a broad coalition of child advocacy, education, health and parents groups dedicated to improving the quality of electronic media, especially on behalf of children and their families.1
PrivacyBot.coms ("PrivacyBot") proposed self-regulatory guidelines ("guidelines") are the first to be submitted for approval under the Safe Harbor provisions of the Childrens Online Privacy Protection Rule ("COPPR"). See 16 C.F.R. § 312.10. Thus, the FTCs response to PrivacyBots guidelines will set the standard for approval of proposed guidelines submitted in the future. Approval of inadequate guidelines would set a dangerous precedent that undermines the goal of protecting childrens privacy in the online environment. Therefore, it is important that the FTC carefully review PrivacyBots proposed guidelines to ensure that they completely comply with the FTCs rules and with the underlying purpose of the Childrens Online Privacy Protection Act ("COPPA"), i.e., to prohibit the collection of personal information from children without the verifiable informed consent of their parents.
At the outset, CME/CFA, et al. are concerned with the overall effectiveness of PrivacyBots proposal. CME/CFA, et al. question if PrivacyBot as an organization has sufficient resources to: 1) ensure that its member websites stay in compliance and adequately protect childrens privacy and 2) promptly process the potentially large number of consumer complaints entering the Trustmark Registry system. Given that the fee for websites to join PrivacyBot for a full year is minimal ($30), and the fact that PrivacyBot already cites "technical considerations" (i.e., servers that are not powerful enough to handle the amount of traffic caused by a large volume of consumer complaints) as an excuse for charging consumers directly, (See Statement B) there seems to be a serious possibility that PrivacyBot may not have the capability of enforcing its guidelines should a significant number of high-traffic websites choose to participate in its seal program.
In addition to concerns about PrivacyBots resources, CME/CMA, et al. also believe the guidelines themselves do not meet the requirements set forth in COPPR. Safe Harbor programs will adequately protect children only if they fully comply with those requirements. Unfortunately, PrivacyBots proposed guidelines are deficient in several respects. First, the requirement that website visitors pay a fee for filing a complaint needs to be eliminated, as it creates a significant disincentive for consumers to file meritorious complaints and discriminates against those who may not have access to a credit card. Second, the mechanisms that PrivacyBot proposes to use to assess member websites compliance are inadequate since there are no independent, periodic reviews and they rely too heavily on individual consumer complaints that are burdensome to file. Third, the incentives for website operators compliance with the guidelines are not effective and need to be strengthened. Fourth, several provisions of the guidelines do not contain the "same or greater protections for children" as those contained in COPPA and must be changed. Fifth, the effectiveness of the online policy drafting system must be improved. In short, absent substantive changes, PrivacyBots proposed guidelines fail to adequately implement the protections contained in COPPR, do not meet the criteria for approval of self-regulatory guidelines set out in 16 CFR §312.10, and should not be approved by the FTC.
The Mandatory Filing Fee for Consumer Complaints Must Be Eliminated.
Question 5 of the Safe Harbor Notice asks if "the guidelines provide adequate means for resolving consumer complaints." 65 Fed. Reg. 11947 (Mar. 7, 2000). PrivacyBots current method for resolving consumer complaints is fundamentally flawed in that it requires consumers to pay a fee to file individual complaints.
The effectiveness of PrivacyBots Trustmark Registry System depends on consumer complaints. Yet, PrivacyBot intends to charge a mandatory fee of $1.50 per complaint. The only way that consumers can pay this fee is by submitting credit card information online. See PrivacyBot Mediation Service (Tab 3) at 2. PrivacyBot claims that the fee is necessary due to "technical reasons" and will "discourage complaints by minors and frivolous or multiple complaints that would detract from legitimate grievances." Statement B at 3.
Both the imposition of the fee itself and the requirement of credit card payment via the Internet create disincentives for consumers to file meritorious complaints, a fatal flaw in PrivacyBots consumer complaint scheme. The imposition of a fee which must be paid online runs into the same problems extensively discussed in Comments on the Proposed Rule and at the Public Workshop held on July 20, 1999: it contains a bias against those without credit cards, requires consumers to give up credit card information online (which many are still nervous to do), and it taxes consumers for complaining. See Public Workshop Tr. at 24, 31-2, 43, 117; Comments of Direct Marketing Association at 7; Comments of The Walt Disney Company and Infoseek Corporation at 8-9. Given the strong disincentive it creates for consumers to file complaints, the fee for filing a complaint must be eliminated in order for PrivacyBots proposed guidelines to be found effective.2
The Proposed Mechanisms to Assess Operators Compliance with the Guidelines are Ineffective and Need to Be Strengthened.
Question 3 of the Safe Harbor Notice asks if "the mechanisms used to assess operators compliance with the guidelines [are] effective." 65 Fed. Reg. 11947 (Mar. 7, 2000). CME/CFA, et al. believe that PrivacyBots compliance assessment mechanisms are ineffective since they do not guarantee periodic, independent assessments and rely too heavily on the filing of individual complaints.
PrivacyBots Terms of Service ("TOS"), one of the three documents that websites must agree to in order to join PrivacyBots Safe Harbor Program, contains the following terms regarding compliance assessments:
The TOS identifies two mechanisms that will be used as "first level" assessment checks: review of an operators Trustmark Registry statement to identify a "pattern or practice of unresolved privacy complaints" and "data seeding" of the operators data bases on either a random or targeted basis. See id. The TOS also refers to "manual assessments" used to identify problems, but because neither the TOS nor the ES identify what those assessments will consist of, one must assume "manual assessments" refers to "data-seeding." See id.
To be approved, these proposed assessment mechanisms must meet the performance standard of "an effective, mandatory mechanism for the independent assessment of subject operators compliance with the guidelines." 16 CFR § 312.10(b)(2) [emphasis added]. COPPR lists three suggested means of meeting this standard: 1) Periodic reviews of subject operators information practices conducted on a random basis either by the company promulgating the guidelines or an independent entity; 2) Periodic reviews of all subject operators information practices conducted by the promulgator or independent entity; and 3) Seeding of subject operators databases, if accompanied by either option 1 or 2 above. See 16 CFR § 312.10(b)(2)(i-iii). In order for another means of assessing compliance to meet the required performance standard, its effectiveness must equal that of the suggested alternatives. See 16 CFR §312.10(b)(2)(iv).
PrivacyBots proposed "first level" assessment mechanisms do not include periodic review of operators information practices by either PrivacyBot or an independent entity, and therefore do not include either of the first two mechanisms suggested in § 312.10(b)(2).3 We must assume PrivacyBot seeks to comply with COPPR by asserting that review of an operators Registry statement to identify a pattern or practice of unresolved privacy complaints is an "equally effective independent assessment mechanism." 16 CFR §312.10(b)(2)(iv).
CME/CFA, et al. believe that review of an operators Trustmark Registry statement to identify a "pattern or practice of unresolved privacy complaints" (ES at 6, TOS at 4) as the primary means of assessing compliance, without more, simply fails to meet the performance standard required by the regulation. 4
First, there is no assurance that consumers that are being harmed will file complaints. As discussed above, because filing a complaint requires a fee and the submission of credit-card information online, the complaint system is itself flawed and may not accurately reflect the actual number of legitimate consumer grievances.
Second, CME/CFA, et al. fail to see how complaints from consumers that have limited access to PrivacyBots guidelines can form the basis of a mechanism to assess compliance with those guidelines. Consumers are simply not in a position to make that analysis. It is likely that the vast majority of consumer complaints filed in the Trustmark Registry will have nothing to do with PrivacyBots Guidelines. Complaints will primarily refer either to a websites violations of its own policy (as the example complaint submitted with the proposed guidelines shows) (See Guidelines, Tab 8) or to general complaints about the websites privacy practices or policies. In fact, the online version of the "Information About Your Grievance" section in the Registrys complaint form (See Tab 8) contains a "Summary" field with a pull-down menu that does not even list violations of PrivacyBots guidelines as a reason for filing the complaint. See PrivacyBot Complaint Form (visited April 3, 2000) http://www.privacybot.com/complaint_form.php. Moreover, a websites noncompliance with PrivacyBots guidelines will not necessarily translate into more consumer complaints.5 In short, review of the patterns or practices of complaints in an operators registry offers no insight into operators compliance with PrivacyBots guidelines.
Third, the ES and TOS do not identify any quantifiable level of consumer complaints filed against a website that would be considered a "pattern or practice." Without an identifiable level of what constitutes a "pattern or practice" of unresolved complaints, website operators subject to the guidelines (and parents of children deciding whether to provide personal information) have no guidance as to when a websites privacy practices have generated a sufficient number of complaints to create a "warning sign" of possible privacy violations.
Fourth, it should be made more explicit in the guidelines that the number of complaints filed against a website is not the exclusive basis for PrivacyBot taking action. The guidelines should clearly state that PrivacyBot reserves the right to take immediate action if serious abuses are alleged regardless of the number of complaints filed.
Fifth, the proposed guidelines only refer to patterns of unresolved privacy complaints as creating a warning sign that more "additional assurances of ... compliance" are appropriate. See ES at 6, TOS at 4. Unresolved privacy complaints are defined by the guidelines as complaints that have not been resolved within 45 days after the website is notified of the complaint. See Mediation Rules at 2-3. The member websites can terminate complaints at any time during those 45 days, however, and no details of the termination will be listed on the registry statement. See id. Although the number of terminated complaints will be listed in the Registry, this figure will be listed separately from the number of unresolved complaints. As written, the guidelines suggest that only the number of unresolved, not terminated, complaints will count as warning signs.6 Therefore, PrivacyBot needs to clarify that the number of terminated, as well as unresolved, complaints will be used as early warning signs.
Lastly, the language of both the ES and the TOS state only that these mechanisms "may" be used, neglecting to strongly commit to actually performing these assessments or informing member operators that these assessments are mandatory. The ES notifies websites that "[PrivacyBot] may from time to time review the public Registry Statement for your site .... [and] may also conduct data seeding. ES at 4 [emphasis added]; see also, TOS at 6. Absent a clarification that the use of PrivacyBots assessment mechanisms are mandatory and will be performed, the proposed guidelines do not satisfy the Rules requirements.
While use of the Trustmark Registry as an automated assessment mechanism may be an efficient means of reinforcing other effective assessment mechanisms, it is not sufficient on its own.7 As they now read, the guidelines improperly shift the vast majority of the compliance assessment burden on the member operators and the public. COPPR requires that PrivacyBot itself establish mechanisms which ensure compliance with the guidelines. As the FTC noted, "Under the safe harbor provision, the Commission looks to the promulgators of guidelines, in the first instance, to ensure that those guidelines are effectively implemented." 64 Fed. Reg. 59907 (Nov. 3, 1999). Until they contain an effective independent mechanism for assessing compliance, PrivacyBots proposed guidelines fail the meet the performance standard required by § 312.10, and therefore cannot be approved.
The Incentives for Operators Compliance Contained in the Proposed Guidelines are Not Effective and Need to be Strengthened.
Question 4 of the Safe Harbor Notice asks if the incentives for operators compliance with the guidelines are effective. See 65 Fed. Reg. 11948 (Mar. 7, 2000). According to COPPR, self-regulatory guidelines must also include "effective incentives for . . . compliance with the guidelines." § 312.10(b)(3). PrivacyBots guidelines fail to meet the performance standard established by § 312.10(b)(3) and do not contain effective incentives for compliance.
The major incentive for websites to comply with the guidelines is the use of the Trustmark Registry. The Trustmark Registry allows PrivacyBot, consumers, and the FTC to assess the number of complaints a website has received and a websites responsiveness to consumer concerns/complaints in general. The guidelines do not allow the public at large to have access to the types of privacy complaints that are filed, only to the number of complaints in mediation, the number of refusals to mediate by the website and the number of unresolved complaints. See Mediation Rules at 3.
CFA/CME, et al. believe that only when the Trustmark Registry provides full notice about a websites response to all consumer complaints will the Trustmark Seals reporting mechanism have the potential to function as a strong incentive for websites to continue to abide by their own posted privacy policies, and if those policies are in compliance, with the guidelines themselves. Inclusion of the types of complaints filed against a website will also provide incentive for the websites to address particular problem areas in their privacy practices.
In addition, the guidelines have several provisions which need to be changed before they can be considered to include effective incentives for compliance.
First, websites are not required to remove the Trustmark Seal until 180 days after a formal investigation or legal proceeding is lodged against the site. See TOS at 4. Thus, even seriously non-compliant sites can continue to display the Trustmark Seal for a significant period of time. This would be misleading to the public.
Second, the guidelines offer no concrete bright line rule for when a site will be further reviewed or suspended or referred to the FTC. Without an identified point at which the number of complaints filed against a website, or when the seriousness of the alleged privacy abuse, will trigger further assessments, websites will have no significant incentive to comply with the guidelines. If the entire complaint process is made transparent with hard and fast rules on when an investigation is necessary and/or when a seal may be revoked, websites will have an incentive to mediate the legitimate complaints that are filed and keep the number of unresolved/terminated complaints low.
Third, membership in the Trustmark Seal Program is completely voluntary and may be terminated at any time, so websites that begin to accumulate a large number of unresolved or terminated complaints can simply quit and reapply for membership 6 months later. See TOS at 3. Without language in the guidelines stating that an accepted re-applicants Registry Statement will include information about previously unresolved and terminated complaints, the website operators have no incentive to adequately respond to legitimate consumer complaints.
Lastly, it is unclear if the Trustmark Seal itself will be clearly marked as a means to view or initiate complaints against the website. Without a clear indication that the Trustmark Seal functions as a tool to view or initiate complaints, consumers may not file legitimate complaints through the Trustmark system and may instead file complaints through a more traditional mechanism, such as e-mail, which would not be listed in the Trustmark Registry.
Several Provisions of the Proposed Guidelines Governing Operators Information Practices do not Provide "the same or greater protection for children" as Those Contained in COPPA.
In response to the Question 2 of the Safe Harbor Notice, CME/CFA, et al. submit that three parts of the proposed guidelines need to be changed to provide the "same or greater protection for children" as those contained in §§312.2-312.8 of COPPA.
§ 312.4: Notice
§ 312.5: Parental Consent
Section 312.5(b)(2) provides that until April 21, 2002, methods to obtain verifiable parental consent for the internal use of information may include use of e-mail "coupled with additional steps to provide assurances that the person providing consent is the parent." Methods of providing assurance that are suggested in COPPR include sending a delayed confirmatory e-mail to the parent or confirming consent through a delayed telephone call or letter. PrivacyBots guidelines fail to require or inform member websites that any such delayed notice given to parents to assure consent "must provide notice that the parent can revoke any consent given in response to the earlier e-mail." 16 C.F.R. § 312.5(b)(2). The guidelines should be changed to include this requirement in the sections outlining what websites must do to obtain verifiable parental consent.
§ 312.6: Right of Parent to Review Personal Information Provided by Child
Under §312.6(a)(3), the operator of a website is required to provide a parent whose child has submitted personal information a means, upon request, of reviewing any personal information collected from that child. Website operators that receive such requests must, under §312.6(a)(3)(i), "ensure that the requester is a parent of the child, taking into account available technology." PrivacyBots guidelines require that a website "provide parents a simple method, upon request, to see a description of specific types of personal information collected from their child and allow them to obtain such information," but neglects to include a requirement that website operators ensure that the requester is the childs parent. Although this requirement may be covered by the general requirement of "Reasonable Data Security Measures" (ES at 5), the guidelines should be changed to clarify in the section dealing with the right of parental review (ES at 2-3) that if a request is to review the actual personal information collected from the child, the website operator needs to ensure that the requester of the childs personal information is actually the parent of the child.
The effectiveness of the online policy drafting system must be improved.
Question 6 of the Safe Harbor Notice asks for comment on the effectiveness of automation in the proposed guidelines. See 65 Fed. Reg. 11947 (Mar. 7, 2000). CME/CFA, et al. believe the effectiveness of the automated drafting system would be enhanced if several additions and/or changes were made.
First, although Step Four, Question 2 in the drafting system asks operators if the site has features directed at children under 13 (See Tab 7), the drafting system would be more effective if operators were also asked at this point if their site has a sub-directory aimed at children or if they have a substantial belief that children will access the site.8 Without this language, operators of websites that have only sub-directories aimed at children may not be aware that they need to comply with any additional rules pertaining to childrens sites.
In short, the proposed drafting system ineffectively ensures initial compliance by providing website operators insufficient means by which to comply with all of COPPRs requirements.
PrivacyBots proposed guidelines, as now written, fail to adequately protect childrens privacy. Specifically, the guidelines are deficient because: 1) the mechanisms for assessing compliance identified in the proposed guidelines are ineffective and do not contain an effective independent mechanism for assessing compliance; 2) the mandatory fee for filing complaints burdens consumers with legitimate privacy grievances; 3) the incentives for website operators compliance with the guidelines are not effective; 4) several provisions in the proposed guidelines fail to provide the "same or greater protection" as those contained in COPPA; and 5) PrivacyBots online drafting system does not allow websites to draft Privacy Policies that are in compliance with COPPR. For these reasons, CME/CFA, et al. urge the FTC to deny approval of PrivacyBot.coms proposed "Safe Harbor" Guidelines unless and until all of the above deficiencies are remedied.
Counsel to CME/CFA, et al.
Center for Media Education (CME), founded in 1991, is a non-profit advocacy organization that works on behalf of children and families to promote public accessibility and accountability by the media. CME has been working for several years to protect the rights of children online. CME s 1996 report Web of Deception prompted the FTC to launch its initial inquiry into the practices of Web sites that target children.
Consumer Federation of America (CFA) is a non-profit association of some 260 pro-consumer groups, with a combined membership of 50 million, that was founded in 1968 to advance the consumer interest through advocacy and education. CFA has worked closely with CME to defend the rights of children s privacy online and jointly published a consumer education brochure for parents and children entitled, The Internet, Privacy and Your Child What You Need to Know as a Parent/Keeping Secrets About You on the Internet A Kid s Guide to Internet Privacy.
National Consumers League (NCL), founded in 1899, is America's pioneer consumer organization. NCL's three-pronged approach of research, education and advocacy has made it an effective representative and source of information for consumers and workers. NCL is a private, nonprofit organization representing the consumer on marketplace and workplace issues.
The American Academy of Child and Adolescent Psychiatry (AACAP) is a nonprofit professional organization representing over 6,500 child and adolescent psychiatrists. Its members are physicians with at least five years of additional training beyond medical school in general and child and adolescent psychiatry. Its members actively research, diagnose and treat psychiatric disorders affecting children, adolescents, and their families. The AACAP is committed to protecting the well-being and rights of children and their families.
Junkbusters Corp. helps consumers defend themselves against intrusive marketing and protect their privacy online. At http://www.junkbusters.com , the company provides extensive free resources for stopping telemarketing calls, unwanted physical mail, junk email, and commercial invasions of privacy on the Internet.
The National Alliance for Non-violent Programming (NANP) is a not-for-profit network of organizations with a long history of effective community involvement and education. Member organizations include the American Medical Women's Association, Jack and Jill of America, Inc., Jewish Women International, the Links, Inc., the National Association of Women Business Owners, National Council of LaRaza, Soroptimist International of the Americas, and YWCA of the U.S.A. With the capacity to reach two million people, NANP builds and supports community initiatives to promote and teach media literacy and non-violence. NANP headquarters in Greensboro, NC serves as the information, technical assistance, materials distribution and network center for member organizations, local initiatives and the general public.
Public Advocacy for Kids is a non-profit child advocacy organization devoted to education, health, telecommunication, and parental involvement issues at the federal level. Services provided on a consulting basis include advocacy training, child policy development, organizing for local and federal action, and communications development.