The Children's Online Privacy Protection Rule, 16 CFR 312,
under §312.10(a) contains a "safe harbor" provision enabling industry groups or
others to submit self-regulatory guidelines that would implement the protections of the
Rule to the Federal Trade Commission for approval. Pursuant to this section of the Rule,
PrivacyBot.com has submitted proposed self-regulatory guidelines to the Commission for
As an individual concerned with protecting the privacy of children online, I am providing comment on Question 2 of the Notice of Proposed "Safe Harbor" Guidelines and Request for Public Comment.
Question 2 states: "Do the provisions of the proposed guidelines governing operators' information practices provide the "same or greater protection for children" as those contained in §§312.2 - 312.8 of the Children's Online Privacy Protection Rule?" (the "Rule"). Addressing pertinent provisions of the Rule in order:
§312.3 - Unfair or Deceptive Acts or Practices
§312.3(a) of the Rule states that an operator (in this case, PrivacyBot.com) must provide "notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information."
In addition, PrivacyBot.com has expanded what content the privacy notice must contain. PrivacyBot.com's proposed guidelines include such questions as why the personal information is collected and what rights visitors have to access, correct or remove personal information. This information is in addition to that already required by the Rule - what information is collected, how that information is used and disclosure practices for such information. This ensures that children are further protected beyond what the Rule requires.
§312.6 - Parental Consent
The Rule provides a parent with the "right... to review personal information provided by child...".
PrivacyBot.com's proposed guidelines provide only that "parents should be given a simple method to obtain a description of any personal information collected from their children...."
In this instance, the proposed guidelines by PrivacyBot.com fall short of full compliance with the Rule. PrivacyBot.com only allows parental access to a description of any personal information collected - it does not seem to allow a parent to actually view the personal information given by the child. In order to comply fully with the requirements of the Rule, the proposed guidelines must allow parents full access to all information collected or solicited from their child, not just a mere description of this information.
§312.8 - Confidentiality, security and integrity of personal information collected from children
The Rule provides for reasonable confidentiality and security of all personal information collected from children. PrivacyBot.com's proposed guidelines contain the requirement that operators "should implement reasonable data security measures." Their definition of "reasonable security measures" includes using secure web servers, firewalls, deleting personal information once it is no longer used, limiting employee access to personal information, training employees and using non-disclosure agreements with third parties to whom data may be disclosed. They propose to implement "technical, administrative and operational security measures that are reasonable under the circumstances to protect the confidentiality, security and integrity of any personal information collected from users."
Any personal information given to operators should be kept as secure as possible, especially where children are involved. PrivacyBot.com's security guidelines, as proposed, comply with the requirements of the Rule, and go so far as to give examples of what may be used in order to accomplish the goal of security and confidentiality. This is of practical value to any operator who is willing to comply with the requirements of the Rule but may not be aware of all technical, administrative or operational security or confidentiality options that may be available.
As a final comment, while the FTC's website is generally informative, there must be more information available about this issue in plain terms that non-technical people can understand.