July 5, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
14th Street and Constitution Ave., N.W.
Washington, DC 20230
RE: Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy
Docket No. 980422102-8102-01
Dear Ms. Coffin:
The Department of Commerce (ìCommerceî) seeks comments on how to structure a self-regulation regime that will protect on-line privacy. The Center for Media Education (ìCMEî) believes generally that industry self-regulation must be combined with government regulation to be an effective means of protecting privacy, especially with regard to children. As the Federal Trade Commission (ìFTCî) recently stated, children are a special vulnerable group who lack the analytical abilities and judgment of adults; and due to their age and lack of experience, they can easily be unfairly exploited. While the nine elements set forth by Commerce, including awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification and consequences, are each critical to preserving childrenís privacy, without government involvement, we are not convinced that the industry will implement them in a way that protects children.
Indeed, the recent report by the FTC on online privacy demonstrates the failure of the self-regulatory system, particularly as it relates to childrenís sites. The FTC found that 89 percent of the childrenís sites surveyed collected personally-identifiable information from children; 46 percent of these sites did not disclose their information collection practices; and less than 10 percent provide for some parental control over the collection of information from their children. Consequently, the FTC maintains that legislation is needed to protect children. We agree with this assessment, and encourage Commerce to support a solution that combines self-regulation with legislation.
CME has proposed guidelines for the government to adopt to protect childrenís privacy from being exploited by commercial marketers. These guidelines set forth in detail how Commerce should define its principles in order to protect children. Below, CME summarizes these guidelines and their applicability to Commerceís elements of self-regulation.
AWARENESS AND CHOICE
CME refers to Commerceís principles of ìawarenessî and ìchoiceî as ìnoticeî and ìconsent.î Generally, CME believes that marketers should limit the amount and detail of the information that they are collecting. If information is collected, information collectors/trackers must provide adequate notice before collecting/tracking personally-identifiable information or aggregate, anonymous information from children. The notice must be prominently-displayed, and unavoidable by anyone visiting the site. Without adequate notice, consent is meaningless because users do not understand that they are agreeing to reveal information about themselves.
To provide adequate notice, sites must disclose information about who is collecting information, what information is being collected, and how it will be used. Disclosure statements should explicitly describe how the information will and will not be used. Adequate notice must include a statement that valid parental consent is required before personally-identifiable information is collected. Users must also be informed of their rights of redress, including procedures for correcting or limiting the use of previously-collected information. For adequate notice, privacy policies must be disclosed on a site in a manner that is easy to understand and compelling from the perspective of a child.
CME believes that children cannot be asked to exercise ìchoiceî and that information collectors/trackers must involve parents or guardians in this process. Information collectors/trackers must obtain prior valid parental consent whenever personally-identifiable information is collected from children under the age of 13. This consent must be obtained at points of promotion and transaction, as well as all other points where information is collected, and must be valid only for the information practices described in the disclosure. Because children can be easily manipulated, information collectors/trackers must adopt this ìopt-inî approach. Opt-in ensures parental involvement and places the burden for obtaining consent on the party who wants the information.
When aggregate and anonymous information is collected, information collectors/trackers must provide children and parents with an opportunity to opt-out. Information collection should be permitted only if the collection/tracking practices are fully and effectively disclosed.
For effective consumer access, an information collector/tracker must provide a parent or guardian with the information that has been collected about her child upon request. The information must be provided within a reasonable time, at no charge, in a reasonable manner, and in a form that is readily intelligible. In addition, a parent or guardian must be able to have the data relating to her child deleted or changed.
CONSUMER RECOURSE, VERIFICATION AND CONSEQUENCES
CME also believes that Commerce must define enforcement in a manner that protects children. CME believes that self-regulation can be effective only when the self-regulated parties face the threat of material consequences for failure to adhere to an established code. Without this threat, compliance is unlikely. Bad actors will have no incentive to comply with the rules, and good actors will be at a competitive disadvantage for compliance. Thus, an effective enforcement mechanism is essential to any self-regulation model.
Commerce has proposed three types of enforcement: consumer recourse, verification, and consequences. CME agrees that each of these enforcement mechanisms should be included in any self-regulation model. However, CME believes that they will not be sufficiently effective, especially with regard to children, without the additional force of government regulation. Thus, CME maintains that legislation is needed to clarify that the FTC can take enforcement action under its authority to prosecute unfair and deceptive trade practices against sites that fail to implement adequate privacy policies.
CME agrees with Commerce that consumer recourse is critical to preserving online privacy and that it must be both simple and effective. Companies and trade associations should establish clear, accessible dispute resolution policies. These should be reinforced by legislation providing consumers a private right of action against violators of privacy policies, and allowing the FTC and/or other appropriate government agencies to prosecute such offenders. Yet, when it comes to children, consumer recourse is less meaningful. Children are very unlikely to file complaints because of missing privacy notifications or violations. Thus, because having the opportunity to file consumer complaints is not sufficient, the government must guarantee that all citizensí rights to privacy, including those of children, are protected and violations prosecuted.
Finally, CME agrees that consequences for failure to comply with fair information practices should be meaningful. Some of the punishments suggested by Commerce, including disqualification from membership in a trade association or from using a certifying seal, would be insufficient to protect consumers. A trade association that is financed by its members has little incentive to expel a member who violates stated privacy policies. In addition, when consumers access sites online, they have no knowledge of how that company is viewed by its peers. Similarly, the absence of a certifying seal is too subtle a means of educating Internet users, particularly children. Because these forms of punishment are likely to be ineffective, CME believes that legislation must be enacted which clarifies the FTCís authority to prosecute companies that fail to protect consumersí privacy as engaging in unfair practices.
EXAMPLES OF WEBSITES THAT VIOLATE CHILDRENíS PRIVACY RIGHTS
To provide some examples of the threats to childrenís privacy on the Internet, in response to Question 13, CME describes below some Web sites that violate childrenís privacy rights. As noted above, the recent FTC survey of childrenís Web sites has extensively documented that childrenís privacy on the Internet is not well-protected. The report found that the overwhelming majority of childrenís sites surveyed collect personal information from children, and that few sites take steps to provide meaningful parental involvement in the process.
<www.younginvestor.com > (visited June 19, 1998)
<www.popsicle.com> (visited June 19, 1998)
This space-themed site gives children the option of being a ìcommanderî or a ìpassenger.î As a commander, the visitor can ìwin free Popsicle Ice Pops and ride in the cool spaceship, not the bozo chair.î In contrast, the site tells children who choose to be a passenger, ìsure, you can ride in the big stuffed chair, but you'll miss out on the chance to win free Popsicles. Plus, it's really cold in outer space without a Spaceship. Why not be a Commander instead?î The commander is asked to fill out a ìshort survey.î The passenger is strongly encouraged to change her mind and become a commander -- ìAre you sure?î reads the screen when the visitor chooses to be a passenger. This siteís message is clear: it is ìcoolî to give out personal information about yourself, and if you donít, you will miss out on all the fun. The survey consists of a combination of questions about favorite TV shows and movies with questions on market preferences and Web habits. A privacy link states that the site adheres to CARU (Childrenís Advertising Review Unit) guidelines and that they ìrequireî kids to submit their parentsí e-mail address. However, if the parentsí information is left blank, the site still accepts the information and allows the child to proceed. Because this site does not require prior written parental consent (opt-in), its collection practices do not comply with the standards recommended in the recent FTC report.
<www.scurvyboy.com/blender/entry.html> (visited June 19, 1998)
This site is listed in Yahooligans, a Web directory for children, and is clearly directed at children and teenagers. The site invites visitors to the ìSunkist Smoothie Contestî and in the process collects information including full name, address, phone number, and e-mail address, and preferences. No privacy or parental notification statement is provided, nor is written prior parental consent requested prior to the data collection.
The sites described above are only a small sample of the numerous sites that fail to protect childrenís privacy. They demonstrate the failure of self-regulation and the need for legislation to protect childrenís privacy. The elements of self-regulation must be defined in a way that protects children and they must be combined with legislation that allows government prosecution of sites that violate childrenís privacy rights.
Kathryn Montgomery, President Randi M. Albert, Esq.
Katharina Kopp, Senior Policy Analyst Angela J. Campbell, Esq.
Center for Media Education Citizens Communications Project
1511 K Street, N.W. Suite 518 Institute for Public Representation
Washington, D.C. 20005 Georgetown University Law Center
(202) 628-2620 600 New Jersey Avenue, N.W., Suite 312
Washington, D.C. 20002
Counsel to Center for Media Education