CAN THE INTERNET REALLY POLICE ITSELF?
SELF-GOVERNANCE AND THE
1998 CHILDREN’S ONLINE PRIVACY PROTECTION ACT
(COPPA)

Jennifer Sweeney
IS 209 Final Paper
December 11, 2001

Introduction

Industry self-regulation is not a new concept. Its application to how consumers’ personal information in handled in the electronic business world however is a newer legacy of the Clinton Administration, an essential component necessary to Vice President Gore’s vision of a robust online economic marketplace. According to this view of the Information Superhighway, businesses would be permitted to develop and implement their own rules, subject to government approval.

This paper examines the emergence of safe harbor programs and the privacy seal industry as a means for companies to self-regulate their compliance with the provisions of the 1998 Children’s Online Privacy Protection Act (COPPA). Implementation of the COPPA Rule caused an untold number of dot-com enterprises in this country to rethink their practices regarding how they collect and handle customers’ personal information. Already struggling in the post-expansion dot-bust, the burden of making expensive and complicated changes in their data handling procedures to meet the provisions of COPPA may have contributed to the failure of some businesses (Wall Street Journal, April 24, 2001). Some others managed the changes and survived. One year after COPPA, many others do not yet comply at all with the new rules for privacy of children’s information on the Internet (Center for Media Education, 2001; Turow, 2001).

Opinion on the success of self-regulation differs depending on where you stand; the camps have sorted themselves out into the familiar government versus industry versus consumer rights advocates, each with definable, legitimate, and often opposing goals. The issues are complicated further because of how quickly technology changes, and the lack of precedent for what to do when e-businesses want to sell their valuable databases of customer information.

This paper will discuss some key background concepts on self-regulation using COPPA as a case study: fair information principles, safe harbor status, and the use of Internet privacy seal programs as a regulatory mechanism.

Background on COPPA

In the mid-1990’s as news accounts of bad things happening to kids online multiplied, legislators began devising what would eventually become the 1998 Children’s Online Privacy Protection Act (COPPA). COPPA was a significant part of an entire campaign of consciousness-raising about the dangers lurking on the Internet. Government, consumer rights advocates, and commercial websites engaged in providing games, chat, e-mail, and other necessities of online life together raised the chorus: don’t share personal information with strangers.

But in addition to fears of pedophiles prowling chat rooms, also emerging was the profile of the unscrupulous website operator, collecting as much personal information as possible to use in marketing yet more products and services to kids, often without the knowledge or consent of the kids involved or their parents. This wasn’t just happening to children of course, but COPPA spoke to the unique susceptibility of children to deceptive practices.

The legislative landscape is currently littered with a host of a new type of law related to privacy of personal information on the Internet. COPPA is but one of several [1], and the Federal government has pledged an “aggressive pro-consumer agenda” for 2002 (for example, see FTC, 2001). Central to the agenda is the concept of self-regulation, wherein industry polices itself to make sure the letter and the spirit of the law are observed.

COPPA was created to prevent online businesses from engaging in unfair or deceptive practices in connection with the personal information they collect from children who visit their websites. COPPA specifically required businesses whose websites engaged in activities marketed to children under the age of 13 to comply with certain rules regarding the collection and use of personal information on children. Under COPPA, website operators were required to:

1) provide parents with notification of their procedures regarding collection of information from children;

2) obtain prior verifiable parental approval for the collection, use, and/or disclosure of personal information from children;

3) provide a parent with the means to review a child’s personal information;

4) provide a parent with the means to prevent the further use of a child’s information, or the collection of further information;

5) limit the collection of personal information for online participation in a game, contest, or other activity to information that is reasonably necessary for the activity;

6) establish and maintain reasonable procedures to protect confidentiality, security, and integrity of the personal information collected.

COPPA directed the Federal Trade Commission to establish specific rules for implementing these provisions, which it published in 16 CFR Part 312. In fulfilling the above requirements, the FTC implementation of the COPPA Rule represented a slightly different interpretation of the Act. The FTC Rule specifically required “operators of websites or online services directed to children... who have actual knowledge that the person from whom they seek information is a child:

1) to post prominent links on their websites to a notice of how they collect, use, and/or disclose personal information from children;

2) with certain exceptions, to notify parents that they wish to collect information from their children and obtain parental consent prior to collecting, using, and/or disclosing such information;

3) not to condition a child’s participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity;

4) to allow parents the opportunity to review and/or have their children’s information deleted from the operator’s database and to prohibit further collection from the child;

5) to establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children.”

The Rule also provided for the establishment of a “safe harbor” for website operators following Commission-approved self-regulatory guidelines. The concept of safe harbor is explained below.

During the regulatory comment period, a multitude of issues were raised on virtually every provision of COPPA. Of particular significance was how parental consent could be verified and yet not be “unduly burdensome”; what constituted “reasonable” security procedures; and whether self-regulation and safe harbor principles constituted adequate compliance mechanisms at all. Although these issues were addressed in detail by the FTC in its 27-page final rule, in general the Commission’s decisions tended toward the less-restrictive, more liberal interpretations in almost every provision, in order to “strike an appropriate balance between maintaining children’s access to the Internet, preserving the interactivity of the medium, and minimizing potential burdens of compliance on companies, parents, and children” with the Act’s goals of protecting children’s information online.

Safe Harbor

“Safe harbor” programs are sets of guidelines for industry to use of their own volition, which have been approved by the government as being in compliance with a particular rule or law. That is, if a business follows the guidelines set out by the safe harbor, that business will be deemed to be in compliance with the law. The safe harbor agent also monitors and assesses compliance. The FTC approves safe harbor programs through a formal application process that includes review and public comment. Safe harbor principles were also a key component of the recent U.S. Department of Commerce participation in the European Commission’s Directive on Data Protection, wherein the parties agreed to abide by a set of guidelines on the protection of personal information in certain European countries (see Welcome to Safe Harbor).

Under COPPA to date, the FTC has granted safe harbor status to three independent organizations: TRUSTe, a private non-profit “trustmark” issuer; the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, and ESRB Privacy Online, a division of the Entertainment Software Rating Board. Each of these organizations proposed to the FTC a set of almost identical guidelines to which websites catering to children would have to adhere to in order to meet the demands of COPPA. In their application, websites would provide the safe harbor with sufficient information to determine whether the site was in compliance with the rules. If accepted, the website would then consent to periodic monitoring of its practices, and be expected to comply with requests to change practices to meet the rules.

Fair Information Principles

The underlying tenets for private sector participation in privacy regulation came out of an advisory committee of the U.S. Department of Health Education and Welfare in the early 1970’s where they subsequently formed the basis for the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the government. The Clinton Administration actively supported the implementation of “meaningful, consumer-friendly, self-regulatory regimes to protect privacy” (NTIA, 1998). These regimes were based on a combination of what was then called “fair information principles” which provided substantive rules as well as the means to ensure that consumers know about the rules, that companies comply with them, and that consumers have recourse for injuries.

Fair information principles stress consumer awareness, choice, “appropriate levels ofsecurity,” and consumer access to their personally identifiable data.Although “the private sector is encouraged to develop its own ways of accomplishing this goal” (NTIA, 1998),these fair information principles specifically support the articulation and communication of privacy policies, the need for adequate data security, and more particular requirements when information related to children or health is involved.

Enforcement of fair information practices relies on consumer recourse, verification of identity, and consequences for failure to comply.Allowances are made for the private sector to design effective means to best suit the needs of the business and the consumer.“Because verification may be costly for business, work needs to be done to arrive at appropriate, cost-effective ways to provide companies with the means to provide verification.” (NTIA, 1998).

Consequences of a business’s failure to comply with fair information principles would include a variety of punishments: cancellation of the right to use a certifying seal or logo as well as being placed on a blacklist of sorts, or removal from a trade association.The business would also be responsible for costs of determining their non-compliance.Under COPPA, businesses could also be fined up to $10,000 for every time they collected information without properly posting a privacy policy on its website.

Privacy Seals

As described earlier, three organizations to date have applied for and been approved as safe harbors for COPPA.All of these organizations provide to their clients the use of a licensed logo, seal, or “trustmark” indicating the business’s affiliation with the issuing organization.It is essentially a “Good Housekeeping seal” for compliance with COPPA.The approved privacy seal agencies are to date: TRUSTe, with about 1,600 clients; CARU, with 781 clients (BBB OnLine Privacy Program); and ESRB, with 15 participants including Sony, Sega America, and Nintendo.

This is how it works.Websites submit an application to one of the approved safe harbors, which consists of a lengthy questionnaire on their privacy policies, including collection methods, notices, verification procedures, and so on, essentially following the checklist set out in the FTC COPPA Rule.

The safe harbor can accept the application or ask that changes be made.When the application is accepted, the website then enters into a formal agreement with the safe harbor to place its “trustmark” or seal on its website.The website agrees to follow the guidelines, submit to periodic monitoring, and to make changes in its practices if the safe harbor or government deems that necessary.Fines and other punishments can be levied if the website does not do all these things.

Privacy seal safe harbors are backed primarily by advertising agencies, software companies, and other market-driven interests.During the review and comment period of the application process establishing the safe harbors, commentary came from two distinct--and opposing--camps: those with economic interests and consumer interest watchdog groups such as the Center for Media Education.

The concerns raised by the consumer protection interests have not been resolved to the satisfaction of all, although the FTC addressed them in its implementation of the COPPA Rule.As mentioned previously, these concerns included the reliability of the verification process, and what exactly constitutes reasonable compliance.

The FTC receives over 6,000 complaints a week, an unknown percent of which are related to e-business privacy issues (Muris, 2001).TRUSTe has been receiving a gradually increasing number of complaints on the roughly 1,600 businesses who have applied and been awarded the TRUSTe Trustmark, amounting to approximately 260 complaints per month as of August 2001.None ofthe businesses in the TRUSTe program has been decertified, although the FTC has fined three enterprises for failing to adhere to COPPA Rules (ZDNet, April 19, 2001).

What the drafters of COPPA did not allow for however was the eventuality that entire databases of consumers’ personal information could change hands, rendering prior agreements null and void.

The Case of Toysmart.com

Toysmart.com was an online business specializing in selling education toys and related products.In compliance with COPPA, Toysmart had a privacy policy prominently placed on its website, and had obtained a TRUSTe trustmark attesting to its intention to abide by privacy guidelines on disclosure, use, and protection of personal information.Toysmart filed for bankruptcy and ceased operations in May 2000.In the process of selling off its assets to satisfy creditors, the company put up for sale its customer lists and databases of customer information—among the more valuable of Toysmart assets at the time(Newsome, 2000).

The privacy policy on Toysmart’s web page stated that “[W]hen you register with Toysmart.com, you can rest assured that your information will never be shared with a third party” (See Toysmart.com Privacy Statement).During the bankruptcy proceedings, the FTC argued that the sale was not permissible under COPPA, and after several rounds of negotiation and court rulings, sale of the database was approved under certain conditions.The conditions of the sale were essentially that the database be purchased by a retailer in a similar line of business (i.e., a toy retailer), and that the purchaser agree to uphold the promises Toysmart made to its customers in its original privacy statement.As of July 2001, a Disney subsidiary (also a major stockholder in Toysmart) seemed the most likely purchaser.

The FTC ruling approving the sale was close, split three to two.In statements from two of the approving commissioners and one dissenting, all expressed reservations about the sale.“To accept the bankruptcy settlement would place business concerns ahead of consumer privacy.... consumer privacy would be better protected by requiring that consumers themselves be given notice and choice before their detailed personal information is shared with or used by another corporate entity” (Statement of Commissioner Sheila F. Anthony).This view was reiterated by Commissioner Mozelle W. Thompson: “I urge any successor to provide Toysmart customers with notice and an opportunity to ‘opt out’ as a matter of good will and good business practice.”

In his dissenting statement, Commissioner Orson Swindle expressed much stronger reservation: “If we really believe that consumers attach great value to the privacy of their personal information... we should compel businesses to honor the promises they make to consumers... In my view, such a sale should not be permitted because ‘never’ really means never.”

Conclusion

At the present time it is difficult to estimate the success of the self-regulating apparatus put in place by the FTC regarding the privacy of information on children who use online services.Two reports on the status of COPPA implementation indicate that there have been some successes but acknowledge that more needs to be done to achieve the goal.In their report, Children’s Online Privacy Protection Act (COPPA): The First Year, the Center for Media Education ascertained that although COPPA appears to have had significant influence on the marketing and business practices of commercial web enterprises, they concede that parental consent is not being adequately sought or enforced.A report from the Annenberg Public Policy Center at the University of Pennsylvania concluded that websites “often did not live up to the spirit and sometimes even the letter behind the rules” (Turow, 2001).

It is arguable whether many of the COPPA provisions can actually be met in the real world with current technology.“Verifiable parental consent” is especially tricky.Consumer advocates have noted frequently that email alone is not sufficient, yet websites complain that more stringent measures would be too costly.The current rule allows for email verification for certain uses of certain information, and adds other steps for more sensitive situations or information, such as having parents sign and mail their approval via surface post, using digital signatures, or credit cards.A proposed change to the COPPA Rule would loosen the email verification procedures even more for certain instances.

The definitions of “reasonable security” and “adequate compliance” can be and have been interpreted quite broadly.According to the Annenberg survey, up to 68 percent of websites catering to children do not adequately post their policies, or do not have privacy policies, or otherwise fail to meet requirements of COPPA.Whether notices are “clearly written, understandable, and contain no unrelated confusing, or contradictory materials” (CARU Safe Harbor Program Requirements) is certainly a judgment call.The length and complicated wording of privacy notices have become legendary.

Despite government and industry stakeholders’ insistence on the importance of protecting personal information from misuse and fraud, the recent FTC ruling in the case of Toysmart.com indicated that the very information COPPA was designed to protect was not important enough to preclude the sale of a database of customer information during bankruptcy proceedings.Since that ruling, at least one other business, eBay, has indicated that they too would likely do the same should a similar fate befall them (ZDNet, April 3, 2001).

References

Bowman, Lisa.“FTC cracks down on kid’s privacy offenders.”ZDNet.April 19, 2001.

Center for Media Education.Children’s Online Protection Act (COPPA) - The First Year.Washington, DC:CME, April 19, 2001.

“eBay Might Share User Data in Event of Sale.”ZDNet.April 3, 2001.

Elements of Effective Self-Regulation for Protection of Privacy.Discussion Draft.National Technical Information Administration, January 1998.

Federal Trade Commission.New Rule Will Protect Privacy of Children Online.Press Release, October 20, 1999.

Muris, Timothy J.Protecting Consumers’ Privacy: 2002 and Beyond.Remarks of FTC Chairman Timothy J. Muris at the Privacy 2001 Conference, Cleveland, Ohio, October 4, 2001.

“New Children’s Privacy Rules Pose Obstacles for Some Sites.”Wall Street Journal, April 24, 2001, B:8:1

Newsome, Marian.Privacy and Failing Dot.coms: a Case Study of Toysmart.com.SANS Institute.December 20, 2000.

Turow, Joseph.Privacy Policies on Children’s Websites: Do They Play By the Rules?Report series no. 38.Annenberg Public Policy Center, University of Pennsylvania, March 2001.

[1] Others include COPA, CIPA, and the Gramm-Leach-Bliley Act; visit the Electronic Privacy Information Center (EPIC) or the Electronic Frontier Foundation websites for more information.

CAN THE INTERNET REALLY POLICE ITSELF? SELF-GOVERNANCE AND THE 1998 CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)