EPIC logo

Via Electronic Submission

Federal Trade Commission
Office of the Secretary
Room 159-H (Annex C)
600 Pennsylvania Ave, NW
Washington DC, 2005

June 27, 2005

In the Matter of COPPA Rule Review 2005, Project No. P054505


Comments of Electronic Privacy Information Center et al.

Pursuant to 16 C.F.R. Part 312: Children's Online Privacy Protection Rule, request for public comment released by the Federal Trade Commission (FTC), regarding the implementation of the Children’s Online Privacy Protection Act (COPPA)1we submit this comment.

Although more study is needed, all indications are that COPPA and its implementing rules provide an important tool in protecting the privacy and safety of children using the Internet. We thus urge that the FTC retain, enforce and strengthen its rules implementing COPPA and reject any attempt to weaken these important protections. We also stress that further action is needed to protect children from the offline sale of children's personal information.

  1. COPPA HAS IMPROVED CHILDREN'S PRIVACY AND SAFETY ON THE WEB.

The limited studies available point to increasing compliance that is making a real difference in how children's online experience in safeguarded. This impact is accentuated by the increasing use of the web by children. However, further research is required to understand how effectively COPPA, its rate of enforcement, and its compliance are improving children's privacy online.

    1. Evidence Points to Increasing Online Participation and Safety

A study conducted in October of 2000 addressed COPPA compliance and general data collection practices in sites directed at children.2 Two thirds (68%) of sites for children collected personal information.3 Most often collected were children's names and email addresses.4 Almost half collected birthdays and information on friends of the child; and a third asked for postal addresses.5 As for compliance, half the sites that collected personal information posted privacy notices.6 The study found that only 28% of sites were COPPA compliant, which it defined as having a privacy statement and parental permission.7

In 2002, the FTC published a survey on COPPA compliance.8 As of that time, the FTC found that a large number of sites had enacted privacy policies.9 These policies also showed that the collection and use of data was more limited than before COPPA.10 However, a majority of sites did not fully comply with COPPA, lacking key provisions such as parental notification and deletion rights.11

There have also been an increasing number of sites availing themselves of the accepted safe harbor programs. These programs also conduct self-regulation and refer complaints to the FTC.12 It is, however, difficult to assess whether this means that an increasing proportion of websites are becoming COPPA compliant.

Children's presence online continues to grow, increasing the benefits and importance of COPPA compliance. A recent Kaiser Family Foundation study found that since 1999 there have been significant increases in the number of kids who have a computer at home (73% to 85%), have internet access at home (47% to 74% ), and spend more than an hour a day online (5% to 22%).13

    1. Further Study Is Necessary To Gauge The Impact of COPPA.

There is a sense of increasing compliance, that COPPA has curtailed the development of a large data collection culture targeting children online. In order to asses the full impact of COPPA, the FTC should build upon its April 2002 study.

The FTC should undertake further empirical research and present these findings to Congress. We recommend that the following studies be undertaken:

  1. Compare current privacy practices with pre-COPPA practices. This will survey current COPPA compliance as well as show how COPPA has improved privacy online.
  2. Compare practices of uncovered websites and compliant child websites. This will measure what industry practices COPPA is actually protecting children from.
  3. Compare children and teenage oriented (ie, above 13, and beyond COPPA) websites and practices. This will show what minor oriented industry practices children are being protected from.

By showing the areas where COPPA has been successful – which programs are working, and which areas are not working – such a study would promote the policy of COPPA. More accurate information allows the crafting appropriate legislative, regulatory, enforcement, and self-regulating strategies for protecting children's privacy online. By continuously updating the knowledge of what privacy looks like for children on the web, the FTC, the public, and Congress can stay on the cutting edge of technology affecting children's privacy online.

  1. THERE IS A CONTINUING NEED FOR CLARIFYING COPPA VIA ENFORCEMENT

COPPA's gains ought to be maintained and furthered by keeping COPPA up to date and a meaningfully enforced. Website design techniques continue to advance, and the FTC should include the latest usability knowledge in its rules for determining when sites are directed at children. Second, the FTC needs to clarify the standards for actual knowledge. Third, the FTC should realize that the large numbers of safe harbor websites are backed by the threat of its continuing enforcement. Finally, as a re-iteration, "sliding scale" rules should continuously reflect the actual practices and technologies available. The clarification of these elements of the rules should come via actual enforcement. Promulgating, via press releases and consent decrees, a better understanding of these elements will promote the COPPA policy of protecting children online.

    1. Research and Enforcement Lead To Clarifying of "Directed at Children" Standard with Child-Friendly Usability Factors.

The language of COPPA defines that the rule applies to operators of commercial websites and online services that are directed to children under the age of 13.14

The FTC should begin using, in its COPPA language, the usability components being used to design cutting edge websites targeted at children. The FTC provides a FAQ about COPPA compliance.15 This includes a section on determining whether a website is directed at children:16

According to the Rule, the factors to use in determining whether your site is targeted to kids include subject matter, language, whether the site uses animated characters, and whether advertising on the site is directed at children. . . . These standards are similar to those for TV, radio and print advertising.

These guidelines do not incorporate some known usability components that are used to attract and keep child readers.17 The comparison to radio and print also misses some usability components that are present in the web's more interactive medium. The FTC should study the presence of these usability components, and their attraction to children. Several examples include:

Some of these factors will tend to attract children but also be discouraging for adult users.23 The presence of such kid-friendly / adult-unfriendly design components should be a more compelling indication that a website is being directed at children.

    1. Enforcement Leads To Clarifying of "Actual Knowledge" standard.

The FTC should, using its prosecutions, clarify what constitutes "actual knowledge" that minors are using a website. A previous complaint provides an example of how to proceed with this clarification.

Several privacy organizations filed a complaint with the FTC regarding the practices of Amazon.com.24 Users had identified their ages in product reviews they had submitted to Amazon.25 The complaint alleged that Amazon.com had actual knowledge that it was collecting information from children, since the product reviews were reviewed by Amazon.com employees.26 FTC action against this actual knowledge would clarify to all web users, not just Amazon.com, that this actual knowledge leads to COPPA liability.

    1. The Success of Safe Harbor Requires Continuing Enforcement Actions.

The FTC's enforcement actions increase the attraction of compliance with self regulator and safe harbor programs. One safe harbor program, CARU, that also works as a self-regulator, referred a non-compliant site to the FCC.27 FCC enforcement led to a six-figure settlement.28 Successful enforcement is magnified by the presence of self-regulatory alternatives, thus increasing the argument for enforcement.

    1. "Sliding Scale" Consent Mechanisms Should Not Weaken COPPA and Should Reflect Technological Innovations.

We encourage the Federal Trade Commission to consider EPIC's and other's comment on the "sliding scale" submitted on February 14th, 2005.29 That comment called for comprehensive surveys of how the "sliding scale" was being used. The comment warned against making permanent measures which could encourage the collection of children's data.

  1. FURTHER ACTION FROM THE FTC IS NEEDED TO ADDRESS OFFLINE SALE OF CHILDREN’S PERSONAL INFORMATION

In enacting COPPA, Congress sought to address a number of deceptive information practices that occur online. While COPPA has gone far in addressing those practices, there is still a thriving offline marketplace for children’s personal information. We urge the Commission to continue to analyze offline collection of personal information, especially where specious sweepstakes, college recruitment promises, or games are employed by direct marketers.

  1. CONCLUSION

With more comprehensive knowledge of privacy practices and failures on the web, and with the FTC continuing to strive to be on the cutting edge of enforcement and technology, children's privacy will continue to be protected online.

Respectfully Submitted,


Lillie Coney
Associate Director, EPIC

Guilherme Roschke
Law Clerk, EPIC

Amina Fazlullah
Law Clerk, EPIC

Jeff Chester
Center for Digital Democracy

Kathryn C. Montgomery, Ph.D.,
Professor, American University,
Co-founder, Center for Media Education

David Walsh, Ph.D.
President, National Institute on Media and the Family

Ken McEldowney
Executive Director, Consumer Action

Beth Givens
Director, Privacy Rights Clearinghouse

Jean Ann Fox
Director of Consumer Protection
Consumer Federation of America

Robert Ellis Smith
Privacy Journal


1 Children's Online Privacy Protection Rule: Request for Comments, 70 Fed. Reg. 21,107 (Apr. 22, 2005).

2 Xiaomei Cai et al., Children's Website Adherence to the FTC's Online Privacy Protection Rule, 31 J. of Applied Comm. Res. 346 (Nov. 2003).

3 Id. at 353.

4 Id. at 354.

5 Id.

6 Id. at 355.

7 Id. at 356.

8 Federal Trade Commission, Protecting Children's Privacy Under COPPA: A Survey on Compliance, April 2002, available at http://www.ftc.gov/os/2002/04/coppasurvey.pdf.

9 Id. at i.

10 Id. at i.

11 Id. at i.

12 See, eg., CARU News Releases, http://www.caru.org/news/index.asp.

13 Kaiser Family Foundation, Generation M: The Media in the Lives of 8-18 Year Olds (March 2005), available at http://www.kff.org/entmedia/entmedia030905nr.cfm.

14 13 U.S.C. § 1302(10) ("WEBSITE OR ONLINE SERVICE DIRECTED TO CHILDREN.—(A) IN GENERAL.—The term "website or online service directed to children" means—(i) a commercial website or online service that is targeted to children; or (ii) that portion of a commercial website or online service that is targeted to children.")

15 Federal Trade Commission, You, Your Privacy Policy, and COPPA, 8 , available at http://www.ftc.gov/bcp/conline/pubs/buspubs/coppakit.pdf.

16 Id.

17 See eg Michael L. Bernard, Criteria for optimal web design (designing for usability): How Can I Make My Website More Accessible to Children (Feb 8, 2003), http://psychology.wichita.edu/optimalweb/children.htm.

18 Jakob Nielsen, Kids' Corner: Website Usability for Children (Apr. 14, 2000), http://www.useit.com/alertbox/20020414.html.

19 Jorian Clarke, Cross-Cultural Design for Children in a Cyber Setting, in Usability and Internationalization of Information Technology, 253 (N. Aykin ed. 2005).

20 Clarke, supra note 19.

21 Clarke, supra note 19.

22 Nielsen, supra note 18.

23 Nielsen, supra note 18.

24 Complaint and Request for Injunction, investigation and Other Relief , In Re Amazon Inc. (Apr. 22, 2003), available at http://www.epic.org/privacy/amazon/coppacomplaint.html.

25 Id., at ¶¶ 26, 28, 29, 30, 31, 33.

26 Id., at ¶ 44.

27 CARU, FTC Acts on CARU Referral - Imposes Record $400,000 Penalty on UMG Recordings, Inc. (March 4, 2004), http://www.caru.org/news/2004/lilromeo2.asp.

28 Federal Trade Commission, UMG Recordings, Inc. to Pay $400,000, Bonzi Software, Inc. To Pay $75,000 to Settle COPPA Civil Penalty Charges (Feb 18, 2004), http://www.ftc.gov/opa/2004/02/bonziumg.htm.

29 Comment of Electronic Privacy Information Center, Sliding Scale 2005, Project Number P054503 (Feb 14, 2005), http://www.epic.org/privacy/kids/ftc_coppa_2-14-05.pdf.