CAN THE INTERNET REALLY POLICE ITSELF?
SELF-GOVERNANCE AND THE
1998 CHILDREN’S ONLINE PRIVACY PROTECTION ACT
Opinion on the success of self-regulation differs depending on where you stand; the camps have sorted themselves out into the familiar government versus industry versus consumer rights advocates, each with definable, legitimate, and often opposing goals. The issues are complicated further because of how quickly technology changes, and the lack of precedent for what to do when e-businesses want to sell their valuable databases of customer information.
This paper will discuss some
key background concepts on self-regulation using COPPA as a case study:
fair information principles, safe harbor status, and the use of Internet
privacy seal programs as a regulatory mechanism.
3) provide a parent with the means to review a child’s personal information;
4) provide a parent with the means to prevent the further use of a child’s information, or the collection of further information;
5) limit the collection of personal information for online participation in a game, contest, or other activity to information that is reasonably necessary for the activity;
and maintain reasonable procedures to protect confidentiality, security,
and integrity of the personal information collected.
COPPA directed the Federal Trade Commission to establish specific rules for implementing these provisions, which it published in 16 CFR Part 312. In fulfilling the above requirements, the FTC implementation of the COPPA Rule represented a slightly different interpretation of the Act. The FTC Rule specifically required “operators of websites or online services directed to children... who have actual knowledge that the person from whom they seek information is a child:
1) to post prominent links on their websites to a notice of how they collect, use, and/or disclose personal information from children;
2) with certain exceptions, to notify parents that they wish to collect information from their children and obtain parental consent prior to collecting, using, and/or disclosing such information;
3) not to condition a child’s participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity;
4) to allow parents the opportunity to review and/or have their children’s information deleted from the operator’s database and to prohibit further collection from the child;
5) to establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children.”
The Rule also provided for the establishment of a “safe harbor” for website operators following Commission-approved self-regulatory guidelines. The concept of safe harbor is explained below.
During the regulatory comment
period, a multitude of issues were raised on virtually every provision
of COPPA. Of particular significance was how parental consent
could be verified and yet not be “unduly burdensome”; what constituted
“reasonable” security procedures; and whether self-regulation and safe
harbor principles constituted adequate compliance mechanisms at all.
Although these issues were addressed in detail by the FTC in its 27-page
final rule, in general the Commission’s decisions tended toward the less-restrictive,
more liberal interpretations in almost every provision, in order to “strike
an appropriate balance between maintaining children’s access to the Internet,
preserving the interactivity of the medium, and minimizing potential burdens
of compliance on companies, parents, and children” with the Act’s goals
of protecting children’s information online.
Enforcement of fair information practices relies on consumer recourse, verification of identity, and consequences for failure to comply.Allowances are made for the private sector to design effective means to best suit the needs of the business and the consumer.“Because verification may be costly for business, work needs to be done to arrive at appropriate, cost-effective ways to provide companies with the means to provide verification.” (NTIA, 1998).
This is how it works.Websites submit an application to one of the approved safe harbors, which consists of a lengthy questionnaire on their privacy policies, including collection methods, notices, verification procedures, and so on, essentially following the checklist set out in the FTC COPPA Rule.
The safe harbor can accept the application or ask that changes be made.When the application is accepted, the website then enters into a formal agreement with the safe harbor to place its “trustmark” or seal on its website.The website agrees to follow the guidelines, submit to periodic monitoring, and to make changes in its practices if the safe harbor or government deems that necessary.Fines and other punishments can be levied if the website does not do all these things.
Privacy seal safe harbors are backed primarily by advertising agencies, software companies, and other market-driven interests.During the review and comment period of the application process establishing the safe harbors, commentary came from two distinct--and opposing--camps: those with economic interests and consumer interest watchdog groups such as the Center for Media Education.
The concerns raised by the consumer protection interests have not been resolved to the satisfaction of all, although the FTC addressed them in its implementation of the COPPA Rule.As mentioned previously, these concerns included the reliability of the verification process, and what exactly constitutes reasonable compliance.
The FTC receives over 6,000 complaints a week, an unknown percent of which are related to e-business privacy issues (Muris, 2001).TRUSTe has been receiving a gradually increasing number of complaints on the roughly 1,600 businesses who have applied and been awarded the TRUSTe Trustmark, amounting to approximately 260 complaints per month as of August 2001.None ofthe businesses in the TRUSTe program has been decertified, although the FTC has fined three enterprises for failing to adhere to COPPA Rules (ZDNet, April 19, 2001).
What the drafters of COPPA did not allow for however was the eventuality that entire databases of consumers’ personal information could change hands, rendering prior agreements null and void.
The FTC ruling approving the sale was close, split three to two.In statements from two of the approving commissioners and one dissenting, all expressed reservations about the sale.“To accept the bankruptcy settlement would place business concerns ahead of consumer privacy.... consumer privacy would be better protected by requiring that consumers themselves be given notice and choice before their detailed personal information is shared with or used by another corporate entity” (Statement of Commissioner Sheila F. Anthony).This view was reiterated by Commissioner Mozelle W. Thompson: “I urge any successor to provide Toysmart customers with notice and an opportunity to ‘opt out’ as a matter of good will and good business practice.”
In his dissenting statement, Commissioner Orson Swindle expressed much stronger reservation: “If we really believe that consumers attach great value to the privacy of their personal information... we should compel businesses to honor the promises they make to consumers... In my view, such a sale should not be permitted because ‘never’ really means never.”
It is arguable whether many of the COPPA provisions can actually be met in the real world with current technology.“Verifiable parental consent” is especially tricky.Consumer advocates have noted frequently that email alone is not sufficient, yet websites complain that more stringent measures would be too costly.The current rule allows for email verification for certain uses of certain information, and adds other steps for more sensitive situations or information, such as having parents sign and mail their approval via surface post, using digital signatures, or credit cards.A proposed change to the COPPA Rule would loosen the email verification procedures even more for certain instances.
The definitions of “reasonable security” and “adequate compliance” can be and have been interpreted quite broadly.According to the Annenberg survey, up to 68 percent of websites catering to children do not adequately post their policies, or do not have privacy policies, or otherwise fail to meet requirements of COPPA.Whether notices are “clearly written, understandable, and contain no unrelated confusing, or contradictory materials” (CARU Safe Harbor Program Requirements) is certainly a judgment call.The length and complicated wording of privacy notices have become legendary.
Despite government and industry stakeholders’ insistence on the importance of protecting personal information from misuse and fraud, the recent FTC ruling in the case of Toysmart.com indicated that the very information COPPA was designed to protect was not important enough to preclude the sale of a database of customer information during bankruptcy proceedings.Since that ruling, at least one other business, eBay, has indicated that they too would likely do the same should a similar fate befall them (ZDNet, April 3, 2001).
Center for Media Education.Children’s Online Protection Act (COPPA) - The First Year.Washington, DC:CME, April 19, 2001.
“eBay Might Share User Data in Event of Sale.”ZDNet.April
of Effective Self-Regulation for Protection of Privacy.Discussion
Draft.National Technical Information
Administration, January 1998.
Federal Trade Commission.New
Rule Will Protect Privacy of Children Online.Press
Release, October 20, 1999.
Muris, Timothy J.Protecting
Consumers’ Privacy: 2002 and Beyond.Remarks
of FTC Chairman Timothy J. Muris at the Privacy 2001 Conference, Cleveland,
Ohio, October 4, 2001.
“New Children’s Privacy Rules Pose Obstacles for Some
Sites.”Wall Street Journal,
April 24, 2001, B:8:1
and Failing Dot.coms: a Case Study of Toysmart.com.SANS
Institute.December 20, 2000.
Policies on Children’s Websites: Do They Play By the Rules?Report
series no. 38.Annenberg Public
Policy Center, University of Pennsylvania, March 2001.