Chairman Tauzin

Prepared Witness Testimony

The House Committee on Energy and Commerce

W.J. "Billy" Tauzin, Chairman

   

 

 

An Examination of Existing Federal Statutes Addressing Information Privacy

Subcommittee on Commerce, Trade, and Consumer Protection
April 3, 2001
2:00 PM
2123 Rayburn House Office Building 

 

 
 

Mr. Jonathan Zuck
President
Association for Competitive Technology
1225 Eye Street, N.W.
Suite 500
Washington, DC, 20005

INTRODUCTION

Good afternoon, Mr. Chairman and members of the Subcommittee. I am Jonathan Zuck, President of the Association for Competitive Technology, or ACT. ACT is a national Information Technology industry group that represents the full spectrum of tech firms, many of which are small and midsize businesses, that are software developers, IT trainers, technology consultants, dot-coms, integrators and hardware developers.

While ACT members vary in their businesses, they share a common desire to maintain the competitive nature of today’s vibrant technology sector that has been responsible for America’s “new economy.” 

It is my sincere honor to testify before this subcommittee today.  As a professional software developer and technology educator who spent fifteen years speaking at technical conferences around the world, I am humbled by this opportunity and appreciate greatly your interest in learning more about the effects of information privacy statutes on the information technology (IT) industry.  I am here to discuss the effects of the Child Online Privacy Protection Act (COPPA) and related regulations. 

I think I’m the token “techie” on this panel – so I look forward to getting into some real life experiences that have arisen under COPPA. I want to begin by saying that protecting a child’s privacy is of paramount importance to the IT industry and me. I do not want to suggest that we should diminish our efforts to protect children’s privacy. My testimony today is focused on the events surrounding the development of COPPA and the subsequent rulemaking as well as the impacts they, and in particular the final COPPA rulemaking, have had on small IT businesses. The unintended consequence of COPPA’s implementation, I believe, is that rather than providing a marked increase in privacy protection, the cost to comply with COPPA has led some “kid friendly” sites to have to curtail operations or shut down completely.

The Development of COPPA

As you are aware, Congress enacted COPPA in late 1998 after a recommendation by the Federal Trade Commission (FTC).  It was made part of the Omnibus Consolidated and Emergency Supplemental Appropriations bill for fiscal year 1999.   Notably, the legislation was passed without mark-up hearings in either the House or the Senate.  In other words, there was none of the detailed deliberation or scrutiny of the legislation’s language that ordinarily accompanies a bill’s passage through Congress.  Consequently, there is no committee report on the bill, either from the House or from the Senate.  During the course of 1998, government officials and private industry representatives expressed concern about children’s privacy, and their statements appear in the Congressional record.  FTC Chairman Robert Pitofsky testified before the Telecommunications, Trade, and Consumer Protection Subcommittee of the House Commerce Committee on July 21, 1998, on Privacy in Cyberspace.  The Center for Democracy and Technology, America Online, the American Library Association, and Chairman Pitofsky submitted testimony to the Communications Subcommittee of the Senate Commerce Committee on September 23, 1998.   However, only two statements by Sen. Richard Bryan (D-Nev.) form the authoritative legislative history of the Act – one statement introducing the legislation, and another as a part of the conference report for the Omnibus bill.[1]  As I will discuss further, I believe that many now realize that there are lessons to be learned from how quickly COPPA moved through the legislative process. 

COPPA contains a requirement that the FTC issue and enforce rules concerning children's online privacy.  The FTC issued a notice of proposed rulemaking on August 11, 1999 and received 132 comments during the 45-day comment period.  During its deliberations, the FTC also held a public workshop aimed at helping the agency understand how industry might try to implement the rule.  The final rule was issued on November 3, 1999 and became effective April 21, 2000.[2] 

COPPA Requirements 

As I mentioned before, it is the COPPA rule that has had the greatest impact on small IT companies. The COPPA rule applies to operators of commercial websites and online services directed to children under age 13, where personal information is collected. The rule also applies to operators of general interest sites with actual knowledge that they are collecting information from children under 13. Those covered by the COPPA rule must (1) post a privacy policy and links to the policy; (2) give parents notice of its information practices; (3) with certain exceptions, obtain verifiable parental consent before collecting, using or disclosing personal information from children; and (4) provide parental access to information collected from children, and the opportunity to delete such information and to opt out of future collection.

Privacy Policy and Notice – The Rule requires operators to post a policy that includes: (a) the names and contact information for all operators; (b) the types and amount of personal information collected through the site; (c) how personal information would be used; (d) whether the personal information would be disclosed to third parties, the types of business in which those third parties are engaged, whether those third parties have agreed to take steps to protect the information and a statement that parents have the right to refuse consent to the disclosure of information to third parties; (e) that the operator may not condition a child’s participation in an activity on the provision of more personal information than is necessary to participate in the activity; and (f) that parents may review, amend or delete a child’s personal information.[3] This policy and links must be in a place where “a typical visitor [to the site] would see the link without having to scroll down from the initial viewing screen.”[4]

Verifiable Parental Consent – Operators are required to obtain verifiable parental consent before the use or disclosure of a child’s personal information, including consent to material changes in the collection or use of the information.[5] In addition, operators must give the parent the option to consent to the collection and use of the child’s information without automatically consenting to its disclosure to third parties.[6] The operator must use reasonable mechanisms to verify that the consent is actually from the child’s parent.[7] These mechanisms include: (a) providing a consent form; (b) requiring a parent to use a credit card in connection with the transaction; (c) having a toll free telephone number staffed by trained personnel; (d) using a digital certificate that uses public key technology; and (e) using an e-mail accompanied by a PIN or password obtained through one of the aforementioned methods.[8] There are four exceptions to the prior consent requirement.[9] The exceptions are situations (a) where the operator collects the child’s name or online contact information solely for providing notice under section 314.4 of the Rule, (b) where the operator collects online contact information solely to respond to a one-time specific request from the child and is not used to recontact the child, (c) where the operator collects the online contact information to respond directly to more than one request from a child provided the information is used for no other purpose and (d) where the operator collects the name and online contact information to protect the safety of a child participant on a site or online service provided that reasonable efforts were made to provide a parent notice per section 312.4(c).

Right of Parent to Review a Child’s Personal Information[10] – Once a child has provided personal information, a parent may request the following: (a) a description of the specific types or categories of personal information collected by the operator (e.g., name, address, telephone number, e-mail and hobbies); (b) the opportunity at any time to refuse to allow the operator to further use or collect a child’s personal information and direct the operator to delete the information and (c) a reasonable means to review any personal information gathered from the child. 

The “Net” Effects of COPPA

Many commentators, while sensing the importance of protecting a child’s privacy, objected to the complex and burdensome nature of the COPPA Rule.[11] Indeed, some comments suggested that confusion based on the complexity of these regulations could diminish their effectiveness. Further comments noted, and I agree, that the rule as promulgated places barriers (e.g., costs) that can inhibit the growth and development of the Internet. Given this, the question that must be asked is: How effective have the COPPA rules been at protecting children’s online privacy, and at what price?

COPPA’s Effectiveness

One way to measure COPPA’s effectiveness is to look at compliance. The FTC has completed random “sweeps” of web sites to check for compliance. The FTC has found that approximately half are in compliance with COPPA’s requirements. Those who are not are receiving e-mails urging them to comply and stating that the FTC “will monitor web sites to determine whether legal action is warranted.”

The private sector is also looking at the effectiveness of COPPA compliance. A study released last month by Joseph Turow of the Annenberg School of Communication at University of Pennsylvania titled, Privacy Policies on Children’s Websites:  Do They Play By the Rules? found that of  162 top children’s web sites, 114 (or 70%) linked to a privacy policy as envisioned under section 312.4 of the Rule.[12]  The study noted that of the 48 sites that did not post a privacy policy, 32 (or 20%) did not collect personal information from children and only 17 sites posted no policy yet collected personal information.  The study thus concluded that because 90% of sites “correctly followed COPPA in posting or not posting a link” this component of the rule is successful.[13]  One success story in this vein is MaMaMedia.com which allows children to participate in “engaging activities help them gain technological fluency and expand their minds through playful learning.” This site has a link to its privacy policy on its home page and on the registration page. The policy explains why it asks kids to register, what information it collects, tells parents that members can change information or cancel an account, allows members to opt out of receiving e-mail from MaMaMedia, explains its use of cookies, provides the name, phone number, postal address and e-mail address of someone to contact regarding its privacy policy, and asks parents to provide a parental e-mail address on the kids’ registration page.

Despite the high level of compliance, the study points out the flaw in relying on compliance as the sole measure of effectiveness.  The study found that “the biggest problem with privacy policies was the time to figure out what they said.”[14]  Clearly, this is an unintended consequence of the COPPA rule.  However, the depth of the rule’s requirements made this result inevitable.  The enforcement provisions of the rule obviate the creation of a simple, clearly understandable privacy policy that may inadvertently end up costing hundreds of thousands of dollars.[15]  This would lead me to question the overall effectiveness of the privacy policies and suggest that this is not a model for future legislation or regulation.

Another unintended but practical result that undermines COPPA’s effectiveness is that it is aimed at children’s sites that provide educational and fun experiences for children while missing adult sites that could do real harm.  Steven G. Bryan, President and CEO of  Zeeks.com made the following analogy in his public comments on the Rule, which I find persuasive:

“Imagine a child walking down a street and arrives at 2 movie theaters, one across the street from the other. The one on the left side is well lit, plays only G-rated movies, is staffed by adults who monitor and supervise behavior, and serves good wholesome food in the snack bar (I consider Red Vines to be Wholesome). The theater on the right side plays R-rated movies, has little adult presence, is dark, and serves junk food. This law, if applied to my metaphorical world, would require parental permission before entering the G-Rated theater, but would require none whatsoever to enter the R-rated one. Where do you think the kids will go? We will drive children away from the very sites designed for them.”

Moreover, as California Computer News noted: “While the drafters of COPPA appear to have had good intentions, it's unfortunate that their lack of foresight into the law's effects could mean an end to many of the most educational, creative and fun websites available to kids.”[16]

The Costs of Compliance

While much is unknown as to what benefits will come from regulating privacy, there is already evidence of harm. The FTC concluded in its certification to avoid a Regulatory Flexibility analysis that “any additional costs of complying with the Rule, beyond those imposed by the statute or otherwise likely to be incurred in the ordinary course of business, are expected to be comparatively minimal.”[17] Were they ever wrong. Each and every day, small IT companies make decisions critical to their survival. The complexity and costs associated with a regulatory scheme such as COPPA force these companies to forgo other needed investments or incur significant additional costs. For example, Wall Street Journal Interactive reported that FreeZone, a web portal for kids between 8 and 14, estimates it will spend about $100,000 per year to comply with COPPA. Another company that I previously mentioned, Zeeks.com, pulled all of its interactive content because the $200,000 per year cost to employ chat-room supervisors, monitor phone lines to answer parents' questions, and process COPPA permission forms was "the straw that broke the camel's back."

ZDNet News has reported that complying with COPPA could cost as much as $500,000.  One of our members tells us that they spend 10% of their total resources complying with COPPA requirements.  The brunt of the costs mentioned above are associated with hiring and continually training personnel to program and monitor the site as well as to answer parents’ questions and requests for access.  There are also direct costs, including ongoing programming and tracking to meet the notice, consent and access provisions of the Rule.

It is also worth noting that not all of the COPPA requirements, as interpreted by the FTC, seem to flow directly from the legislative language.  For instance, the COPPA legislation generally prohibits Web site operators and online service providers from “collecting” personally identifiable information from children without parental consent.  I am not a lawyer, but to me, this general rule makes sense if you are a business and you affirmatively and actively are trying to gather information from children.  To me, that is what “collecting” information means. 

However, under Section 312.2 of the FTC’s Rule, the act of collecting includes “enabling children to make personal information publicly available through a chat room, message board or other means” (except where the operator deletes any personal information before it is made public).[18] This is an extraordinarily broad definition of what it means to “collect” information. Taken to its extreme, it means that every Web site that offers a bulletin board service or a chat room is “collecting” information about its visitors (even if the site operator never stores, let alone looks at, the information). It also means that, under the COPPA rule, all those sites arguably would have to institute blocking or monitoring and parental consent mechanisms if the operator learns that a single child has used the bulletin board service or chat room. To address this possibility, the FTC has said that “the Commission likely will not pursue an entity that is an ‘operator,’ but has not facilitated or participated in, and has no reason to know of, any Rule violation.”[19] But even that statement does not alter the fact that COPPA could affect every site on the Web that offers some form of bulletin board service. This outcome is all the more troublesome when, in my mind, it is not at all clear that that is what Congress intended.

Moreover, any site that implements a parental consent mechanism must also have a means for authenticating children and their parents; otherwise, the site has no way of knowing either who a child is or who is granting consent on behalf of this child or seeking access to the child's personal information. Indeed, authentication is essential to the COPPA compliance scheme since nothing could be more detrimental to children's on-line privacy than allowing the wrong person to gain access to a child's data. As noted in the "Final Report of the FTC Advisory Committee on Online Access and Security," however, authentication always involves a tradeoff between security and ease of access--strong authentication often makes it burdensome and difficult to establish an account or set up a profile.[20] In complying with COPPA, therefore, sites that do not ordinarily "collect" personal information about children must also take on the additional burden and costs of implementing appropriate authentication techniques.

The Role of Technology and Consumer Empowerment

The softening economy has already caused venture capital funds to dry up and created a rash of layoffs among IT start-ups that are working hard to carve a niche in the e-commerce sector.  Burdening these entrepreneurs with more laws would squeeze out many hundreds of smart people with sound business models.

Using rich technology and empowering consumers (i.e., parents), in addition to sound public policy, is perhaps the most effective way to protect a child’s online privacy. There are products available to parents to assist them in protecting their child’s online experience. For example, Microsoft offers “Kids Passport” which is a service that helps you conveniently protect and control your children's online privacy. You can control what information your children can share with participating Web sites, and what those sites can do with that information. In addition, you have the flexibility of making specific choices for each child and for each site, all in one convenient, centralized location.

One of the most interesting technologies coming down the pike is the Platform for Privacy Preferences (P3P), which is an extension of some of the technology that exists today. Sponsored by the World Wide Web Consortium (W3C), P3P is a framework for products and practices that will let World Wide Web users control the amount of personal information they share with Web sites. It's described as a "privacy assistant." Using a P3P application, a parent can work with their child to enter appropriate personal information once and not have to repeatedly reenter it at different Web sites. The P3P application can inform the user of a Web site's practices with regard to gathering and reusing its visitors' personal information. Parents will thus be able to limit the information that a specific site can obtain.

There are software products on the market that allow you to generate a privacy policy that can be read by a browser as well as one which can be read by humans. It is therefore very easy to participate in the P3P movement and become a good actor on the Net. Once the standards have ironed themselves out, it will be possible for a browser to detect the privacy policy of the site you are about to visit and compare it to the preferences you have set. The browser can then warn you of a difference and help you to decide what sort of information you should and shouldn’t share with the site. Sometimes, it’s just this sort of friendly reminder that is all that is needed to help consumers remain conscious of this issue and protect their information accordingly.

ACT advocates a third prong to our online privacy position, which perhaps is the most important one – consumer education and empowerment.  Industry must do its part to provide the necessary tools and information to consumers so they feel educated and empowered when using the Internet.  

 

 

CONCLUSION – Avoid the law of unintended consequences

 

In my discussion today, we’ve hit upon some of the key factors that I see as a software developer and a tech futurist that determine how effective a privacy regulation like COPPA is at providing children with safe and personal Internet experiences. COPPA was the product of a rushed process and I want to commend the Chairman and this committee on taking the time to thoroughly think about and discuss the small business perspective before crafting a comprehensive privacy law. COPPA and its regulations are limited in scope yet have significant impacts on the IT industry. I urge you to keep this in mind when debating whether to enact sweeping privacy laws that will impact every industry. Industry and Congress must work together to address parental demands and weed out the bad actors in the privacy space, thereby enhancing consumer privacy, safety, and confidence.

 



[1] See 144 Cong. Rec. S8482-03 (July 17, 1998) (Statement of Sen. Bryan) and 144 Cong. Rec. S12741-04, S12787 (Oct. 21, 1998) (Statement of Sen. Bryan).

[2] 16 CFR part 312.

[3] 16 CFR 312.4(b)(2).

[4] 16 CFR 312.4(b)(1).

[5] 16 CFR 312.5(a)(1) (emphasis added).

[6] 16 CFR 312.5(a)(2).

[7] 16 CFR 312.5(b)(1).

[8] 16 CFR 312.5(b)(2).

[9] 16 CFR 312.5(c).

[10] 16 CFR 312.6 et seq. (emphasis added).

[11] See, e.g., comments of the American Advertising Federation and National Retail Federation,

[12] Joseph Turow, Privacy Policies on Children’s Websites:  Do they Play By the Rules? At 9. 

[13] Id. at 10.

[14] Id. at 17.

[15] Web site owners that don't comply with COPPA face civil penalties of up to $11,000 per incident.

[16] Justine Kavanaugh-Brown, New Law Sends Children's Sites Scrambling, California Computer News, June 2000.

[17] 64 Fed. Reg.  22761 (Apr. 27, 1999).

[18] 16 CFR 312.2(b) (emphasis added).

[19] FTC’s Statement of Basis and Purpose at fn. 55.

[20] See Final Report of the FTC Advisory Committee on Online Access and Security, May 15, 2000, Section 2.6; available online at http://www.ftc.gov/acoas/papers/finalreport.htm.

 
 
