1
UNITED STATES FEDERAL TRADE COMMISSION 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
COPPA RULE REVIEW ROUNDTABLES
FEDERAL TRADE COMMISSION
CONFERENCE CENTER
601 NEW JERSEY AVENUE, N.W.
WASHINGTON, D.C.
WEDNESDAY, JUNE 2, 2010
8:45 A.M. TO 5:15 P.M.
Reported by: Susanne Bergling, RMR-CRR-CLR
2
CONTENTS 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
OPENING REMARKS: 7
David C. Vladeck
PANEL ONE: 11
Mary K. Engle, Moderator
Phyllis H. Marcus, Moderator
Michael F. Altschul
Angela Campbell
Edward Felten
Jeff J. McIntyre
John B. Morris, Jr.
Michael Warnecke
PANEL TWO: 74
Richard Quaresima, Moderator
Mamie Kresses, Moderator
J. Beckwith ("Becky") Burr
Jeffrey Greenbaum
Christine N. Jones
Gwenn Schurgin O'Keeffe
Guilherme C. Roschke
Phyllis B. Spaeth
Phil Terzian
3
PANEL THREE: 138 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Jessica Rich, Moderator
Michelle Rosenthal, Moderator
Maureen Cooney
Matt Galligan
Sheila A. Millar
Kathryn C. Montgomery
Paul Ohm
Jules Polonetsky
Heidi C. Salow
PANEL FOUR: 208
Mamie Kresses, Moderator
Phyllis H. Marcus, Moderator
Jules Cohen
Rebecca Newton
Martine Niejadlik
Alan Simpson
Denise Tayloe
Ron Zayas
4
PANEL FIVE: 271 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Phyllis H. Marcus, Moderator
Mamie Kresses, Moderator
Parry Aftab
Dona Fraser
Roslyn J. Kitchen
Susan Linn
Peter Maude
Izzy Neis
John Smedley
5
P R O C E E D I N G S 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
- - - - -
MS. KRESSES: Good morning. If everybody will
take a seat, we are going to try to get started. We
have a lot to do. Thank you.
We are delighted to have you here to discuss the
review of COPPA. We have five panels today that touch
some of the issues that we think are exciting and
challenging. There are many, many more issues in our
Federal Register notice, and we invite everybody to
please think carefully about them and do submit comments
on them.
The format we would like to have today, if
possible, is a very informal one. We would like the
audience to feel free to participate in the discussions.
So, if there are comments or questions that are
pertinent to the point being raised up here at the
table, feel free to raise your hand and ask for a
microphone. We are going to try that and hope that it
creates a free flow of dialogue. If it gets too
complicated or too disruptive, then we will go back to
just questions and comments at the end of each panel,
but let's give that a try.
In a moment, I'll introduce our bureau director,
but I have to make this required statement before we do.
6
This is our security briefing. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, you should know that anybody who goes
outside the building without an FTC badge will be
required to go back through security and the x-ray
machine prior to re-entry into the conference center.
If there is a fire or another reason for evacuation, we
will all leave the building, and we will go outside,
across the street, and stand in front of Georgetown
University. One of us will put up a hand and let you
know where the conference attendee section is. So, if
that happens, everybody just pay attention.
In the event that there is any sort of emergency
and it's deemed to be safer to stay inside, then we will
tell you where to go.
And finally, if you suspect any suspicious
activity, please report it to one of the conference
planners, and we will have it looked into. I believe
that's it.
Oh, yes. And for those of you who haven't been
to this building before, when you exit the conference
center, to your right, right behind the elevators, are
the bathrooms, men's and women's bathrooms.
We will also have several breaks, brief breaks,
during the day between sessions, and we are going to try
to keep to those as best as we can. We will have a few
7
slides with the language of the Rule, the pertinent 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
parts being discussed, and also let you know when the
breaks are coming.
So, finally, I would like to introduce our
Director of the Bureau of Consumer Protection, David
Vladeck. I think most of you know him, so I am not
going to say anything more.
And we really, really look forward to a
productive, open day. Thank you.
(Applause.)
MR. VLADECK: Good morning, everyone. We are a
federal agency on the move. We are actually starting a
panel before 9:00 a.m. I'm delighted to welcome you
here today for the 2010 COPPA roundtable. We have
picked an auspicious month to do this. Twelve years ago
this month, in what now seems to be the dark ages of
technology, the Federal Trade Commission issued a report
to Congress on privacy online.
Our June 1998 report, which I know many of you
in this room had a hand in drafting, recommended that
Congress "develop legislation placing parents in control
of the online collection and personal use of information
from their children." The notion was supported by
industry and the advocacy community, and just four short
months later, the Children Online Privacy Protective
8
Act, or COPPA, was born. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
At the time, approximately 14 percent of
American children were online. I know this well,
because at the time my sons were 10 and 12 years old.
Using the Internet for homework -- but not much --
informal learning, browsing, games, and, according to
our report, "corresponding with electronic pen pals by
email, placing messages on electronic bulletin boards,
and participating in chat rooms."
Their growing presence online was seen as
creating enormous opportunities for marketers. It also
presented safety concerns, as children were able to come
into contact with strangers without any parental
involvement and awareness.
And let me just, as an aside, say that the
problem that parents face today is a problem they still
face, which is by the time their kids are 10 or 12, they
are so much more technologically proficient than the
parent is that the idea of direct parental controls is a
difficult one to understand.
Now, let's fast forward 12 years to where we
stand today. According to a 2010 Kaiser Family
Foundation study, 84 percent of youth ages 8 to 18 have
Internet access at their homes, and in a typical day, 70
percent of 8- to 18-year-olds, in fact, go online. The
9
Kaiser study showed that the average young American 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
today spends practically every waking moment, except for
the time in school, using a smart phone, a computer, a
television, or another electronic device.
So, what do they do when they're online?
Activities only computer scientists or science fiction
writers among us could have conceived of in 1998. They
visit social networking sites, they download music, they
post and watch online videos, they watch TV online, they
create their own avatars, and move through online
virtual worlds.
And the concept of the computer, boy, that has
changed, too. Forget the clunky PC with the
freestanding tower. Now, a computer is something that
you hold in the palm of your hand and tuck into your
pocket. It gives you instant access to the Internet and
a host of online services barely imaginable just five
years ago.
Really, had we ever heard the term "app" before
the iPhone? Did we really know that the word "friend"
could be a verb? In just a few years, birds have gone
from the only things that tweeted to some sort of
anachronism.
Today, two-thirds of all 8- to 18-year-olds own
their own cell phones. It's just stunning. The
1
0
statistics are even more astounding when you consider 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
that 31 percent of 8- to 10-year-olds have a cell phone
and that 69 percent of 11- to 14-year-olds also own cell
phones. So, these devices are now ubiquitous.
Our rule review, including today's roundtable,
is all about how well this statute, this 12-year-old
statute, has stood the test of time in light of all
these head-spinning technological changes. We're taking
a look at the statute, even though we did just five
years ago, because things have changed that much.
Today, we're going to ask some fundamental
questions about COPPA. Is the basic requirement of
prior parental consent still sound? Does the COPPA
statute's coverage of websites located on the Internet
and online services reach the kinds of electronic media
children engage in today? How do we deal with the
statute's requirement that general audience websites
have "actual knowledge" that they are collecting
personal information from a child when we have no real
means of verifying age-identifying children? Should the
item of individually identifiable information currently
set out in the COPPA Rule be expanded to take account of
things such as mobile geolocation data or information
collected in connection with online behavioral
advertising? Are the methods for verifying parental
1
1
consent, such as using a print-and-send form, obsolete? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
And are the limited exceptions set out by Congress for
the collection of children's online contact information
without parental consent being adhered to properly?
We've got a lot to cover today and in the months
to come as we consider possible changes to the
Commission's Rule. So, without further adieu, I look
forward to a great discussion and to your assistance as
we move forward.
I'd like to thank our unbelievably talented
staff for putting this together. Mamie Kresses, Phyllis
Marcus have taken the lead. I know we're going to have
a productive day. Thank you very much.
(Applause.)
MS. MARCUS: I'd like to call up the speakers
for Panel One.
(Pause in the proceedings.)
MS. ENGLE: Good morning, everybody. My name is
Mary Engle. I'm the Associate Director For Advertising
Practices here at the FTC, and I'll be moderating the
first panel this morning, along with Phyllis Marcus, who
is a Senior Attorney in the Division of Advertising
Practices and I'm sure is well known to everyone in this
room as the head of our COPPA program.
The first panel this morning is going to
1
2
hopefully set the stage for some of the later 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
discussions, because it's going to look at some very
basic issues, which are the definitions and scope of
coverage of terms like "websites located on the
Internet" and "online services," which, as you know,
COPPA applies to the collection of personal information
from children through those.
So, what are the definitions of those terms?
What is their scope and extent of coverage? How have
they held up over the 12 years? And do they need to be
modified or how do they cover current activities and
things that are going on?
So, with us this morning, I'm very pleased, we
have a terrific panel to help us explore these issues.
Starting to your left, my right, we have Mike Altschul,
who's Senior Vice President and General Counsel of CTIA,
the wireless association.
Angela Campbell, who is a Professor at the
Institute of Public Representation at the Georgetown
University Law Center, right across the street, where we
convene in the event of an emergency.
Ed Felten, who is the Director and Professor of
Computer Science and Public Affairs at the Center for
Information Technology Policy at Princeton.
Of course, here is Phyllis.
1
3
Jeff McIntyre, who's Director of National Policy 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
at Children Now.
John Morris, who's General Counsel and Director
at the Center for Democracy & Technology.
And Michael Warnecke, who is counsel at the
Entertainment Software Association.
So, starting off, as Mamie mentioned, we are
going to have slides just of some of the terms and
definitions that we will have under discussion today.
So, COPPA covers operators of websites located on the
Internet and online services but only defines the
"Internet." It doesn't define "website." It doesn't
define "online services."
So, starting with the statute's definition of
"Internet," we are wondering whether this remains a
valid description of what we consider the Internet
today, and I'd like to start off asking Ed to address
that issue.
MR. FELTEN: Sure. Well, so, the definition of
Internet here is technology-based, right? It's based on
the TCP/IP suite of protocols, which are the basic
communication protocols used on the Internet. That was
true in 1998, and it's true today as well. And so I
think this was and still is a spot-on definition of what
"Internet" means, worldwide interconnection and the use
1
4
of TCP or IP or any of that suite of protocols. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. ENGLE: So, how extensive would you say the
definition of "Internet" is or what does it encompass?
MR. FELTEN: Sure.
MS. ENGLE: I mean, what about, you know, mobile
browsers and things like that that we didn't really have
back in 1998?
MR. FELTEN: Sure. Well, if you are using
your laptop or desktop computer to access anything that
you think of as the Internet, that would be covered. If
you're using your mobile phone to browse a website, send
email, or something, most of the things you would do on
a mobile phone, including, say, watching a YouTube
video, would be within the scope of the Internet as
defined here.
So, it's not focused so much on which device
you're using to access the website or online service as
it is focusing on the basic network technology. And
because the Internet is worldwide and is used by such a
wide range of services, this is actually quite broad
coverage, independent of the access device.
MS. ENGLE: Do any of our other panelists have
any other comments or different views on this scope of
the definition and its currency?
(No response.)
1
5
MS. ENGLE: Okay, good. So, we got that much 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
right, I guess -- pretty good -- back in 1998.
Well, what about -- you know, it's kind of a --
to me, it sort of seems like a curious language,
"website located on the Internet," that the COPPA
statute uses. Does that definition limit the scope of
the application in any way, "website located on the
Internet," or how does that -- what does that mean?
MR. FELTEN: Well, I think "website located on
the Internet," roughly speaking, would cover anything
that you can access through your browser on your
ordinary computer or mobile phone. So, if you can
access it in Internet Explorer or Mozilla Firefox or the
browser that's on your mobile phone, for example, then
it is a website located on the Internet.
MS. ENGLE: Are there websites that are not
located on the Internet?
MR. FELTEN: I think that the distinction here
would be with something like a corporate intranet, where
a company has a website that's set up just for internal
use by their employees, and that's not located on the
Internet. But if it's generally available, accessible
to the public, then a website would be on the Internet.
MS. ENGLE: Okay. What about the definition of
"online service?" Now, we didn't -- that term was not
1
6
defined in the statute or the Rule, and somehow we seem 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
like we have an intuitive understanding of it, but the
way it was used back in 1998 may have been different
from the way we think about it today.
Does Ed or others want to comment on -- John?
MR. MORRIS: Sure. I mean, I'll jump in on
that. My guess is that, you know, if we really put all
the members of Congress up on the lie detector back in
'98, you know, they thought that online service meant
AOL or Prodigy, because those were big online services.
But, you know, there's I don't think a reason to try to,
you know, narrow that term. I think the term is fairly
broad, and I think there is a fairly kind of broad
understanding of, you know, websites and nonweb-based
services that are available over the Internet. So, I
mean, I think the term "online service" can fairly be
read to be quite broad.
MS. ENGLE: So, "online" is sort of a synonym
for "over the Internet," a service that is available
over the Internet or connects to the Internet?
MR. MORRIS: I think that's fair enough, yeah.
MS. ENGLE: Angie?
MS. CAMPBELL: Thank you.
I was counsel to the Center for Media Education
when we negotiated the bill, and I think I agree
1
7
absolutely with Ed that the "Internet" was intended to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
be a very broad definition, and "online services" was
intended to be a broad or sort of a catch-all term that
would cover any service that was made available through
a computer or similar device connected to a network.
And I actually went and looked in some
dictionaries from that time period to confirm my
understanding, and the Webster's New World Pocket
Internet Dictionary from 1997 defines online as
"connected to a network or available from a network" and
defines online service -- online information service as
"a for-profit firm that makes current news, stock
quotes, or other information available to subscribers
over standard telephone lines."
And the Newton Telecom Dictionary from 1999
defines online as "available through the computer.
Online may refer to information on hard disks, such as
online documentation or online help or connection
through a modem to another computer." And then it
defines "online services" as "a commercial service that
gives computer users, i.e., its customers, access to a
variety of online offerings, such as shopping, games,
and chat rooms, as well as access to the Internet.
America Online and Microsoft Network are examples of
online services."
1
8
So, it was intended to be very broad, obviously 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
included everything on the Internet, but wasn't
necessarily limited to the Internet.
MS. ENGLE: Mike, did you want to --
MR. WARNECKE: Well, I mean, I think that the
online service today should be viewed in conjunction
with the Internet. If we were to take the view that
"online service" applies to any computer network that's
not covered by the definition of "Internet," it would
greatly expand I think the reach of COPPA in a way that
I don't think was intended.
MR. MCINTYRE: Okay, here we go. Yeah,
absolutely, it's got to be broad. Even in the
definition of the "Internet" that we have here, it
doesn't just refer to the technological base, but it
refers to the possible technological base, which it says
are any predecessor or successor protocols to such
protocols, such as TCP/IP.
For us, there's a great concern as well when we
see the growth of the wireless devices, for instance,
that the Internet isn't just something that we -- the
concerns about COPPA aren't just simply about Web-based
access but about communication, and that's the heart of
this, is communication. And it's communication in that
is information being exchanged? Is it going back and
1
9
forth? Where does the information end up at? You don't 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
need a Web site for that. You can use that through text
messaging.
Now, there are some tricky issues once we get
into texting, for instance, but absolutely, that sort of
communication, that sort of communication over an
Internet where information can be gathered and collected
through this purpose, absolutely, should be open to
interpretation here.
MR. FELTEN: So, I generally agree that a broad
reading of "online service" makes sense and that it's
not necessarily limited to just the Internet, although I
do think it would be limited to some kind of wide area
network. Congress wrote the statute with the two sort
of branches. One branch is "website located on the
Internet," and the other is "online service," which I
read as being broader. So, it's not necessarily any
network, but at least a service that's provided across
some kind of wide area network.
MS. ENGLE: Mike?
MR. ALTSCHUL: In the parallel universe of the
FCC just across the mall in Southwest, let's slice this
bologna a little thinner, so that depending on the
network address as opposed to the content, some messages
are categorized as communications -- if they use a phone
2
0
number, for example, as frequently happens in SMS 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
messaging -- but if the same content is transmitted by
the same user over the same wireless device that uses an
Internet address, domain name system address,
[email protected], then it's recognized really to be an
information or Internet access service.
While that may strain some of the applications,
in fact, federal courts now have relied on the FCC's
distinction in the context of enforcing the TCPA, which
applies to telephone calls against certain kinds of
commercial marketing activities. So, we just need to be
conscious of that distinction.
They both use IP formats, but one uses something
called SMTP, simple mail transfer protocol, and the
other is SMPP, which is the short message peer to peer,
typically what kids and teen-agers are using to send
messages within a wireless network.
MS. MARCUS: So, Mike, how would that map onto
the COPPA statute?
MR. ALTSCHUL: Well, clearly, if the address
used by the user or to reach the user is identifiable as
an Internet address, the common domain name system, it
is going to easily fall within COPPA. If a phone
number, as is often used in a text message, is used as
the address, there is certainly -- as I said, there is a
2
1
parallel universe of law that suggests it's a telephone 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
call and not an Internet service.
MR. MCINTYRE: I think there are debates that
are beginning to blossom, though, that are questioning
that. I mean, even in the recent --
MR. ALTSCHUL: There were debates and questions
at the beginning.
MR. MCINTYRE: Good. Let's continue those,
because I think that there's a real concern here that if
you have, for instance, the example of two teen-agers
that are using texting back and forth as going over a
telephone service, which may not be a problem under the
COPPA interpretation, but if those two teen-agers then
walk into a GameStop, for instance, where they are
texting and that information is being gathered by that
GameStop of the technology that they're using or how
they're using it or even the content of what they're
using it in, then at that point you have established a
commercial purpose, and I think it is and can be open to
COPPA interpretations.
MR. ALTSCHUL: Well, again, so far, at least in
federal court decisions I've seen, they have gone after
conduct like that under TCPA.
MR. MORRIS: And, I mean, you know, to the
extent that some of Mike's wireless carrier members are
2
2
providing text messaging services, you know, I think 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
it's actually very unlikely that that would go through
anything that the GameStop store could see. If the
GameStop store is offering a WiFi-based service, that
could well be connected to the Internet. There could
well be COPPA implications in that context. But if --
so, you know, it's a little unclear, you know, what the
GameStop example -- how that actually gets implemented.
MS. ENGLE: Anybody? Angie?
MS. CAMPBELL: Well, I just wanted to make sure
that everyone understood that whether or not something
is an online service or a website on the Internet is not
the only determination of whether it's going to be
covered by COPPA. So many things you might be concerned
about, you know, wouldn't be.
But just to give a real world example, what Jeff
was talking about, there's a service called Foursquare,
which is currently offering a promotion with Starbucks,
where a user can go into the Starbucks, and then they --
it's sort of like a game, where you check in using your
cell phone, that you're there, and if you check in a
certain number of times, then you get a barista badge,
and you can compete with your friends to become mayor of
the Starbucks, and if you're a mayor of the Starbucks,
which I think means you have been there the most number
2
3
of times, then you can actually get a dollar off a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
frappuccino. So, there are commercial applications.
Foursquare is actually making the data. They
get, through this service to Starbucks or to other
retailers that sign up for this service, so that they
can get very detailed information about who's checked
in, what their gender is, what time of day, what they
like, what they don't like, a whole lot of different
information for commercial purposes.
MS. ENGLE: Well, I think that might be a good
segue to the next topic we wanted to talk about, which
is mobile communication.
Oh, okay. All right, I'll go there. Does
anybody in the audience have questions about that before
we get to mobile? Yes. Here's the microphone.
UNIDENTIFIED SPEAKER: What about
noncommercial -- thought I know that the COPPA
specifically says "commercial," there's the problem with
noncommercial services, such as BitTorrent. How do we
deal with those?
MS. ENGLE: Well, you know, I think -- I mean,
the question in terms of whether BitTorrent is an online
service, we had a little bit of a discussion about that,
but, you know, the FTC, the scope of our jurisdiction
and authority extends to commercial services. I think
2
4
BitTorrent is -- I mean, obviously, companies that use 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
BitTorrent are in commerce. So, if they are otherwise
covered in some way, then we're there, but I don't think
that, you know, that protocol raises a particular issue.
MR. MCINTYRE: I'll say one small thing to kind
of support what Mary is saying, that when you look at
BitTorrent or you look at other sort of technological --
I hate to call them platforms, but when you look at the
sort of processes, one of the things that's really easy
to do for regulators and consumers and politicians is
very quickly you're kind of glassy-eyed when you start
talking about all the platforms that are available, and
suddenly we can shift the conversation away from where
it's supposed to be in this, which is about children,
and suddenly get much more caught up in kind of the TCPs
versus the IPs versus the iPads, iPhones, iPods, et
cetera, et cetera. It becomes very technologically-
based.
The heart of COPPA is about protecting children,
and so each time that we have these sort of discussions
and the questions about a different sort of platform or
a different sort of technological basis for the
advocates in this arena, what each time we're going to
try to do is bring it back to the simple question of is
it good for kids? Does it protect kids? Does it put
2
5
kids at risk? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
If it does, based on where the current research
shows it to or where the public health community
believes that it does, then at that point we are going
to start asking much more basic questions, other than
about kind of the technological platform and however
that may empower or disempower that risk.
MR. MORRIS: I mean, let me just respond. I'm
all for a broad reading of the applicability of COPPA,
you know, I think we all do want to protect kids.
Now, on the other hand, if it's good to protect
kids but it's outside the statute, then it's outside the
statute, and, you know, it may be a good idea to protect
kids, but -- and, you know -- I mean, no, you know, in a
particular way, but if it's outside the statute, then
it's outside the statute. So, I mean --
MS. ENGLE: So, for example, if Children Now had
a children's area on its website, you know, you are not
in commerce. You are not a commercial network that
would be subject to the FTC's jurisdiction, so
technically -- you know, it's that sort of thing. There
are limits on our jurisdiction, and -- in terms of who
we could actually pursue, yeah.
MR. MCINTYRE: And I think that's a valuable
question as well, then, because that also opens up other
2
6
nonprofit companies, if you will, or nonprofit 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
organizations and whether they should have more
oversight.
Does National Geographic? Does
Discovery/Hasbro? Does, you know, these other sort
of -- does Common Sense Media? Do these other groups
that have that, should there be some sort of privacy
consideration as they move forward?
MS. ENGLE: Question down here.
MR. ALTSCHUL: I just want to --
MS. MARCUS: Oh, hold on, Mike. One second.
Oh, go ahead, Mike.
MR. ALTSCHUL: I wanted to endorse John's
statement that we can't read "commercial" out of the
statute, and it's very easy to imagine an elementary
school setting up some kind of site that allows its
students to communicate and to share information with
one another over the Internet, and certainly personal
identifying information and other information otherwise
included under COPPA would be potentially available and
be available for use by third parties if the site wasn't
properly access-controlled, but, again, that would not
meet the commercial definition that's a part of the
statute.
MS. ENGLE: And it's not just that commercial
2
7
definition, but also elsewhere in the statute -- 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. ALTSCHUL: The purpose.
MS. ENGLE: -- it refers to the extent of the
FTC's jurisdiction is the extent of the jurisdiction we
have under the Federal Trade Commission Act, which is
limited to actual practices in commerce.
We have one question down here.
MS. TAYLOE: Good morning. Denise Tayloe with
Privo.
My question to the panel is specific. American
Idol says to text in a vote. I send it in with my cell
phone. They collect my cell phone number. It's now in
their database. Is that under COPPA?
MS. MARCUS: Mike, do you want to handle that?
MR. ALTSCHUL: Well, I think that there's a
larger body of law -- that I admit I'm not an expert in
-- as to what kind of information the promoters of
American Idol have as to their audience and what are the
purposes that they're doing their outreach, and perhaps
some later panel will be better suited than at least I
am to answer that question.
MS. MARCUS: Anyone else on the panel?
Ed?
MR. FELTEN: Well, I think texting in votes is
certainly something that occurs online. I think you can
2
8
make a good argument that, depending on the details of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
how this works, that it could be an "online service"
within the scope of COPPA. As to whether there is
information gathered that is personal information within
the scope of the statute, that I don't know.
MS. CAMPBELL: I would also add, I think it is
an online service, but not only do you have to also then
show that it's personal information, that it meets the
definition of that, but also that they know it's from a
child, and, you know, that's a factual question they may
or may not know. So, it could be and it may not -- it
may be covered by COPPA; it may not be.
MS. ENGLE: And later panels will explore those
issues.
Susan?
SUSAN LINN: Yes. I'd like to go back to the
question of what is commercial and what is not
commercial and your example of a school website. What
if there's advertising on the website, on the school's
website, or what if the website is funded by a
commercial company? Then what?
MR. ALTSCHUL: I think those are two different
questions. Certainly, there's a model in the area of
both schools and not-for-profit organizations where some
kind of sponsorship does not change the legal status of
2
9
the activity, but certainly when something is actually 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
sponsored by a commercial firm for a school, let's say,
but as part of that commercial agreement, the commercial
entity is entitled to information, I think that under
that circumstance, it would fall under the commercial
purpose.
The kind of ads that the -- you know, in the
back of high school yearbooks and so on may enable it
but I don't think would change the purpose of the
bulletin board or website.
MS. ENGLE: Okay. Going back to -- we've
touched on actually mobile communications, and, you
know, we have been very clear that when a child can
access the Web or a WAP site through a mobile device and
can provide or disclose personal information through
that, that that is covered by COPPA, that COPPA applies,
and I just wondered whether there's any disagreement
among the panel about that.
MR. ALTSCHUL: Well, you know, we had a pre-
call, and I think that all of us agreed that any kind of
Internet site that you can access over a desktop can
also be accessed today over a mobile device. And I
should say, that's true using commercially licensed
spectrum as well as the kind of WiFi access that's
available in this room and, you know, increasingly in
3
0
all other rooms. But the devices are increasingly 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
agnostic as to what kind of spectrum they interconnect
with to access content on the Internet.
MS. ENGLE: So, let's talk a little bit more
about the types of online services that can be accessed
via mobile devices. We heard about Foursquare, for
example, that's at a location, Angela mentioned, and
others. I probably should have -- if my 12-year-old
were here, she could probably tell me more about what
she does on her smart phone and the types of apps and
services than I personally use.
So, anybody want to volunteer to talk about what
kinds of online services or services that, you know, we
would agree are covered that you can access through
mobile devices?
Angela?
MS. CAMPBELL: Well, I went on my iPhone and
looked at the apps, and there is actually quite a large
number of apps that are specifically designed or appear
to be specifically designed for children to teach
letters and numbers and things like that. So, I think,
again, you can't just say all apps are online services
or all apps are not online services. Some of them will
be; some of them won't be.
If apps do allow children to receive targeted
3
1
advertisements or to purchase goods and services, to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
play games that are connected to a network, to obtain
information, to get access to the Internet, those would
be examples of online services that could be subject to
COPPA. If you're just, you know, downloading a game and
you're just playing the game on your phone and there's
no network connection, then that would not be an online
application.
MR. FELTEN: So, the way this part of the
statute is structured, it matters not so much what is
happening on the end device, whether you're in a browser
or in a, say, mobile phone app. What really matters is
the nature of the service and how it's provided across
the network. If it is either a website provided across
the Internet or if it is an online service under the
broad understanding that we generally seem to share
here, then regardless of whether it's accessed on a
mobile device or a stationary machine, regardless of
whether it's accessed via a website or via an app, it
would still be within the scope of COPPA. Again, it's
the nature of the service.
MR. MORRIS: I mean, I would suggest that we be
precise to figure out who might be covered. I
absolutely agree that if there is an app on my Android
phone -- I don't have an iPhone -- but if there's an app
3
2
on my Android phone that accesses an online service that 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
goes out and retrieves information or, you know, allows
me to post information, there's clearly an online
service involved. There's clearly COPPA applicability.
But I would suggest that the software designer
of the app may not be an operator of an online service.
He or she may just have written a piece of software and
made it available and then had no further connection to
the communication, no later involvement.
And so for that kind of individual, I would say
that the designer of the actual software is probably not
an operator of an online service, but to the extent that
software connects to an online service, then absolutely,
the operator of the online service is COPPA-covered.
So, I mean, you know, I think that one just needs to be
precise when we're talking about apps as to who might be
covered.
MR. FELTEN: Just if I could expand a little on
what John said, and I agree with that. If you look at
an example like Foursquare, which is a service for
recording your location over time and publishing that
information, Foursquare is an online service, and you
might access it via the Web, you might access it via,
say, an iPhone app that came from the Foursquare
company, or, in principle, you might access a service
3
3
like that via an app that was written by some third 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
party.
And as John points out, in a case like that,
where you're using an app that was provided by a third
party, which does nothing more than connect to
Foursquare's servers and provide information to
Foursquare servers, it seems to me that Foursquare, the
company, is providing the online service, and the app
developer is not necessarily an operator of an online
service, as the statute would have it.
Also, by the way, the operator of, say, the
wireless network that is used to transmit those bits up
to Foursquare in that scenario also is not the operator
of the online service.
MR. ALTSCHUL: That's the part of this panel I
like the best.
MR. MCINTYRE: I would indicate a great amount
of comfort with this, because it definitely begins to
draw some lines into some areas that can be gray and can
be an area where some kind of a tricky definition can
come up on this.
I think what's important with this is that as
it's been -- it's -- well, it is. It's cliché to talk
about the technology moving so fast right now, and so I
think the trick with the regulators in this instance is
3
4
being able to write language for a proposed regulation 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
in this area that is broad enough to be able to still
apply to that dynamic of collecting information on
technologies that we may only really kind of grasp that
are out there, kind of get an idea of protecting that
dynamic of information collection around children.
I don't know if the trick to that is being able
to be specific, like you're saying, to protect the
software developer, and instead going to Foursquare than
the online developer that may actually be collecting
that information. But, you know, we look back now at
1997 and 1998, you know, technologically as kind of the
quaint good ole' days, but, oh, God, how did I survive
with dial-up?
We want to be able to make sure that we allow
the language here to not just pull out the specific
instances and then give hard regulation about what we
know that exists, but also to be broad enough to be able
to apply itself so we don't find ourselves and the
Federal Trade Commission isn't outdated within 18
months.
MR. WARNECKE: If I could add something on that,
I mean, I think it's important when we're looking at
these scope issues to also consider the fact that not
all instantaneous communications are necessarily going
3
5
to fall within the scope of COPPA. I mean, you could 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
have a situation where the communication is not
utilizing the Internet, where it's not utilizing a
worldwide network of networks, but that personal
information is being communicated.
So, for example, let's say that six people in
the audience here had generic tablet computers and those
tablets had a dual connection mode that would allow the
users to connect to each other either through the
Internet or in a limited geographic region through
another technology that doesn't follow a wireless access
point or any cables.
Now, in the first instance, yes, the definition
of "Internet" would apply, but in the second sentence,
that instantaneous communication through a local, very
defined geographic area, that I would argue would not.
So, we need to be careful when we're looking at how
broadly it applies to new communications to keep that in
mind, and I think that would even be consistent with
what Ed was saying earlier about even online service
would have some limits in terms of how broadly it would
be defined.
MS. MARCUS: So, in your case, the tablet
communications would be neither a website located on the
Internet nor an online service?
3
6
MR. WARNECKE: That's my position. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. ALTSCHUL: And there are some -- I think the
software writers have locked down the vulnerabilities,
but there are certain kinds of access ports to wireless
devices, infrared and Bluetooth, that there were
commercial applications being designed to sort of
capture the information about that device, the phone
number and other aspects of the device, for people who
were just walking by an airport concourse or whatever
that was enabled to read and capture that kind of
information. That's not going over the Internet, but
that certainly would qualify as PII under, you know,
many contexts.
MS. MARCUS: We have a question from the
audience.
MR. GALLIGAN: Matt Galligan from SimpleGeo.
I'm on a panel a bit later.
But you've talked about computers, mobile
devices, but there are many other connected devices that
can access the Internet or wireless protocols. Great
examples would be video game devices, so Xbox, and
specifically speaking to your point, the Nintendo DS
comes prepackaged with a bit of software called
PictoChat, and PictoChat can create a local network
where anybody that is on that local network can
3
7
communicate with other people. That completely 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
circumvents the Internet, but anybody that is actually
connecting to that local network can communicate with
each other.
And so it could be, you know, the 10 DS users
around or it could be the 10 DS users around and the
11th that's sitting outside of the building that could
be communicating with those 10 people, and so that
software itself is providing communication, but there
are potential dangers there with the communication that
is going on, because it is circumventing the Internet
completely, but it's meaning that there are other people
that are being connected locally through a similar
service that you would find on the Internet.
MS. MARCUS: Matt, that's an excellent question,
and I'm going to ask the panelists to hold the answer,
because we are about to get to interactive gaming, but
thank you for raising that.
MS. ENGLE: Okay. So, we have been -- oh, one
more question from the audience.
MR. SAMET: Shai Samet with kidSAFE Seal.
You know, I just want to go back to a comment
that was made earlier about a question that was asked by
Denise regarding the American Idol text submission. I'd
like to understand. It seemed like there were some
3
8
contradictory remarks as to whether that would be 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
covered or would not be covered. I'd like to understand
what is it about this definition that would cover the
submission of a text message back to American Idol in
that example.
MS. MARCUS: John, do you want to --
MR. MORRIS: I'm not sure I do, but, you know, I
think Mike was suggesting that, you know, if it's a pure
telephone call not using an Internet-based address, that
possibly it is not covered by COPPA. You know, my
impression is that the wireless companies are pretty
sensitive, you know, on COPPA issues in general, and so
I'm not sure it actually makes a difference in terms of
their behavior as to whether it's kind of online or
offline, but I think one could argue that if it is just
something that happens on the telephone network, that
it's not covered by COPPA.
MR. FELTEN: I would disagree with that to the
extent that I don't think that something being provided
across, let's say, text messaging as a medium would
necessarily put it outside the scope of what is covered.
A service provided via text messaging, for example,
might be an "online service." It would not be a
"website provided on the Internet," but the Internet
limitation applies only to the website side of the fork,
3
9
if you will. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Now, in the case of American Idol, it does seem
to me that there's a reasonable argument that collecting
votes could be seen as an "online service," but whether
this meets the other requirements of the statute,
collection of personal information and knowledge that
there's a child and so on, that I don't know.
MR. ALTSCHUL: And we had discussed that factor,
the knowledge of the child, which is really a fact-based
inquiry. Television producers spend a lot of time
targeting and knowing the demographics of their viewers
and targeting advertisement -- selling advertisements
based on the demographics of their viewership. So, you
would have to determine -- I'm weak in popular culture,
so I can't tell you who advertises on American Idol, but
whether it's products that are designed to be purchased
by people who are older than 13 or under 13 would be
part of the fact-based inquiry.
MS. ENGLE: Well, that is a separate issue, and
I think -- so, I gather we really don't have agreement
at the table about whether text messages like that, that
kind of voting at American Idol, are covered right now.
MR. MORRIS: You know, I was not kind of trying
to urge disagreement. You know, I think one could make
an argument that if it is wholly on the telephone
4
0
system, it might not be reached here. I'm actually 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
personally quite comfortable with Ed's push-back to say
that this could easily be an "online service." You
know, again, it's correct to say it's not clear in most
texting contexts whether there's any direct knowledge,
and I have no more cultural knowledge than Mike does,
but I don't think that American Idol is aimed at the 12
and under set. I think it's more aimed -- but I may be
wrong.
MS. MARCUS: We have, I'm sure, some
disagreement on that in the room.
MS. ENGLE: That's a separate issue, I think.
MS. MARCUS: Right.
MS. ENGLE: But I think this is an area where we
will definitely want written comments, so it's something
to keep in mind as you're preparing written comments,
that particular issue. Is that something that is clear
or something where we would need clarification? And
that's going to apply throughout a number of other
issues.
You know, as you know, we have more flexibility
in the changes we make to the rule. If there needs to
be a change in the statute, that's something that
Congress will need to do. So, any views on this issue
would be very helpful to us.
4
1
MR. MCINTYRE: I might offer this, that I don't 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
think this reflects a disagreement as much as it
reflects kind of a threshold or a burden by which then
other panels may explore today, that if this is a
text-based service, if they determine the information is
being collected, if it is determined that a child is
submitting that information, then at that point, I think
the burden shifts, and we can kind of reframe the
conversation then about whether this particular instance
of the American Idol issue becomes then an online
service.
If those other things are held up as verified,
if they are children and they are submitting information
and it is collected, then that, I think, reframes this
conversation.
MR. ALTSCHUL: It may not be the best example,
because as I recall, 800-number voting is the alternate
mechanism for voting on American Idol, which is just a
traditional telephone network activity, and the
particular architecture used for this kind of short
message service is a virtual private network
architecture. Nothing is being translated or flowing
over the traditional network to network.
MS. ENGLE: So --
MS. MARCUS: Well, hold on, Denise. Let's keep
4
2
moving through our questions. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. ENGLE: So, kind of related to the question
of what information, you know, in the case of American
Idol, the texting and votes is just voting for somebody,
but in other situations, information may be being
collected, personal information, from the person or the
child, and I'd like to have a little bit of a discussion
about that.
What types of personal information are collected
through apps and how does that vary and is it more
active versus passive collection of information?
Mike?
MR. ALTSCHUL: Well, one piece of information
that typically will be collected will be the telephone
number associated with the wireless device, and the
COPPA statute does identify telephone numbers as
personal information. Interestingly, the
Telecommunications Act and Section 222, which deals with
similar kinds of issues, thanks to the lobbying
activities of directory publishers, does not include
telephone numbers and names and addresses as personal
identifying information.
So, we end up back on the horn of the dilemma.
Is a message sent using a phone number going to fall
under the Communications Act rules for telephone call
4
3
messages or will a message sent using an IP protocol 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
fall within COPPA and have the telephone number be
treated as personal information?
Another increasingly frequent source of
information is location information, and location
information is not provided without notice and consent
to the customer and subscriber, oftentimes the user.
The child may not actually be the subscriber to the
service; it would be the parents on a family plan. And,
you know, depending on the application when it's
downloaded, for example, if you download Google Maps to
your wireless device, there will be a long, you know,
terms of use license agreement which provides notice,
and presumably customers give consent to then provide
that location information in using any location-based
services enabled by their software.
So, those are the two fundamental pieces. the
telephone numbers provided by the network and
location-based information today -- and it's changed
just in the last two years or so -- increasingly is
provided by the wireless device without the involvement
of the wireless carrier.
MR. MORRIS: I am just going to toss out that
you should be aware that there is a huge diversity of
information that technology designers are designing the
4
4
platforms to allow to be transmitted from the devices. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
I'm very involved in an ongoing standards discussion at
the Worldwide Web Consortium where we're discussing the
privacy implications of this kind of device's ability to
be able to transmit to a website the ambient temperature
in the room, the ambient noise level, the light level,
you know, a whole range of environmental facts, some of
which could have, you know, privacy implications.
I mean, you know, one could actually determine,
you know, where someone is not; you know, you can rule
out locations by knowing, as they're thinking about
doing, the barometric pressure kind of. There are
devices that are being designed that will, you know, be
able to convey the barometric pressure. And you can
say, well, you know, I know that that person cannot be
in this location if the baro -- you know, so there
are -- there's a huge diversity of information.
So, I mean, you shouldn't focus on just what's
available now. You should, you know, recognize that
there are things coming down the pike, applications and
devices that we really haven't kind of seen in the
market yet.
MS. ENGLE: And that's going to -- you know,
later on, we'll have a discussion of what constitutes
personal information, and as you know, that one of the
4
5
elements is that it allows you to contact a child online 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
or offline. So, perhaps that type of information will
be relevant to that, you know, if they are standing
inside or they are outside the building, for example.
Okay.
MS. MARCUS: In helping us think through the
information that's collected through mobile apps, does
it help for us to divide them between information that's
actively provided by users and information that's
passively collected from a user on the device, or
perhaps between applications that a user must pay for
versus those that are free? I'll throw this out to the
panel. Anyone?
MR. MCINTYRE: Can you define "active" and
"passive"?
MR. FELTEN: Well, I think what's intended here
is to draw a distinction between information that's
actively entered by the user versus information that's
just gathered. So, something like the barometric
pressure, if the device can measure that, leaving aside
whether it's personal information, that's information
that is collected by the device of its own accord. A
physical location also might be collected by the device,
as opposed to information like the user's name, which is
inherently going to be entered by a person.
4
6
So, it might be useful, just in thinking these 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
things through, to think about those cases -- to divide
those cases, although the language of the statute would
cover them both. It just talks about information being
collected.
MR. MORRIS: But, I mean, I -- I agree, but you
also might even need to have a third category or at
least recognize that in the passive category, you know,
when you install an app on this device, at the time of
installation, it will tell you the seven different data
points that this app uses and it transmits to the
network, and you have to agree to it.
So, you know, I suppose you might view, then,
that as passive after you've done the agreement, but
I -- so that there is passive data collection that
there's been no consent, no notice for at all. There is
somewhat passive data collection where you agreed when
you installed the app that this could be transmitted.
And then there's what you're actually typing in.
MR. FELTEN: So, the consent issues are likely
to be different in these cases, at least the way you
think about it, it is likely to be different in a case
where a user actually actively typed something in versus
one where it's gathered maybe with some kind of consent
in advance; maybe not.
4
7
MR. ALTSCHUL: To complicate it even further, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
there's the concept of implied consent, which is neither
active nor passive but somewhere in the middle. The
grandaddy of this kind of consent is for 911 calls or,
more recently, for concierge-type services where you
want driving directions.
So, in dialing 911, the Justice Department has
opined that the caller wishes to disclose their location
so they can be rescued or assisted by the dispatcher
without ever expressly consenting to provide their
location information. In using a location-based app to
find the nearest gas station, you can extend that to
say, well, if I'm looking -- if I've asked the app to
provide the nearest gas station, I'm consenting to
provide my location so that the app can figure out where
I am to find the nearest gas station.
MR. MCINTYRE: I'd like to make just a quick
shot at getting some unanimity on this just to make sure
no one on the panel is talking about getting informed
consent from a child. That is, we talk about loading
these applications and loading these apps, that the idea
of getting informed concept from a child underneath the
age of 13, much less in a younger age, is something that
does not exist.
Children developmentally cannot make that
4
8
decision for themselves, should not make that decision 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
for themselves, and don't have the developmental
capacity to be able to do that, and any commercial
application that relies on that in any capacity then
absolutely falls under this.
When we're talking about consent then at that
point, what we're talking about is parental consent for
the application used by a child, and that's a very
different thing. If we're talking about location
devices, that's a little different. That begins to get
into a gray area, at which point then we begin to argue
about the definition of commercial intent. You know,
GPS locators, no problem; OnStar, no problem; that sort
of stuff, no issues in the public health community for
that sort of stuff. In fact, you'll probably find a
great amount of advocacy for that sort of stuff.
But once that turns into a locator device to let
you know, as Angela's example was earlier on, that when
you're pinging that you're in Starbucks and you are able
to get points for that based on your location, then the
question changes.
MS. MARCUS: All right. And what you've pointed
out is COPPA's regime. I mean, it was not consent from
the user itself, but consent from a parent that was
anticipated.
4
9
MR. FELTEN: There's one more piece of your 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
initial question which we haven't addressed yet, and
that is whether an app is free or costs money, and I
don't think that matters in itself. The statute
requires that the website or online service be operated
for commercial purposes, but often a website or service
that's operated for commercial services provides an app
for free to the user, which is their interaction with,
and if that's the case, it would still be covered.
MS. ENGLE: So, turning now to interactive
gaming, which somebody earlier asked a question about
and wanted to address more specifically. So, would a
company that offers interactivity on a gaming device,
whether a handheld or a console, be an operator under
COPPA?
Mike, did you want to address that?
MR. WARNECKE: Sure. Perhaps, but I think you
need a little bit more information to answer that
question. I don't think mere interactivity alone is
determinative of the answer. You would have to figure
out what the device maker is doing with the information
that it's receiving, and if it's merely passing it
through as a conduit, then no, I don't think that
interactivity would make them an operator.
If, however, it's collecting and maintaining
5
0
that information and if it's doing so in a way that it's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
aware that it's directed to children or that it has
actual knowledge that kids under 13 are involved, then
you would maybe be an operator. You would have to look
at the FTC factors for being an operator. But I think
the main point here is that mere interactivity alone is
not determinative.
MS. MARCUS: Can you refine that distinction?
What would be the type of interactive gaming activity
that would be a conduit only?
MR. WARNECKE: You could have a situation, for
instance, where there is a Web browser capability in the
device but that the operator isn't collecting any -- the
game device operator -- or, I'm sorry, the game device
maker isn't collecting any information, but just
enabling the user to access the Internet.
MS. MARCUS: Does anyone have refinements on
that?
Angela?
MS. CAMPBELL: Well, it's clear that COPPA
covers chat rooms, and it seems to me that you could
have a situation where kids are communicating with each
other on their DS, for example, and it really is the
equivalent of a chat room, even if the information is
not being necessarily collected and used. So, I think
5
1
in that situation, again, parental consent would be 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
required.
MS. ENGLE: We had some earlier, I think,
opinions that if it's just a local network, so a few
kids in a room chatting with each other, I think we
heard an opinion earlier that that would not be covered
if it's not going over the Internet. Was there a
difference of opinion on that?
MS. CAMPBELL: I don't think it has to do with
geographic location necessarily. I mean, I think it has
to do with whether it's really a chat room where kids
are disclosing information, where parents don't have any
control over who is actually getting that information.
I think parents have to consent to that if they want
their kids to be able to do that under COPPA.
MR. WARNECKE: Well, I mean, a couple of
responses to that. First of all, I mean, I think that
goes to the basic question that we were addressing
earlier, though, that there are limits on the scope of
COPPA. It does apply only to certain networks and not
to every, you know, local communication that may occur.
But secondly, I think a larger point to make is
this, that the consoles have built within them parental
control functions that allow parents to limit this
information at the git-go, and so I think when we're
5
2
considering these issues, we need to be aware of that 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
backdrop of the parental controls that specifically
allow parents to address those issues.
MR. MORRIS: And, I mean, I would push back a
little bit, you know, for a DS that allows, you know,
essentially peer-to-peer communication within the room,
within the distance of a WiFi signal, you know, every
single computer laptop available can do that, and so my
question is since my child could take this laptop, could
create an ad hoc wireless network, and could communicate
with another child in the same room on an ad hoc
wireless network, there is nobody else involved in doing
that, does Apple in this case have a COPPA obligation to
get the parents' consent for that communication?
I would say that's not really workable. I'm a
little, you know, kind of anxious about the idea that
the maker of a device that has WiFi capability has a
COPPA obligation without more, without being somehow
involved in providing an online service that allows
communication. So, I'm a little -- I'm worried that
we're going too far here.
MS. ENGLE: So, who is the operator? Angela,
who would you consider then who had the obligation to
get parental consent in that situation? Nintendo who
makes the DS or who?
5
3
MS. CAMPBELL: Well, I mean, there's a lot of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
questions, and I think there are probably some gray
areas here, but I think you have to go back to what the
purpose of COPPA is, to protect children and to provide
a way for parents to know when they're interacting with
complete strangers or where other people may be
collecting information about them. And so, you know, I
think we have to talk about specific situations.
MR. MCINTYRE: If I may offer on this, I mean,
if we can get guarantees that these sort of
communications are happening in a closed network, then I
have got no problem with that. I mean, we're
essentially talking, to use a 1970s reference, to
nothing more than kind of like CB radios. If they are
talking to each other through whatever technological
platform and it's staying reframed within that space, I
don't think there's going to be an issue.
The problem here is that the way the technology
is formed here is it allows for loopholes in that, and
that's where we're concerned. We don't want to
overburden the technology or kind of point fingers where
they don't need to be pointed, but if I'm convinced that
it's six 12-year-olds that are talking, not an issue,
but if it's six 12-year-olds and a marketer from
McDonald's is suddenly thrown into the mix who can
5
4
collect information, which will come up in later panels, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
then at that point, it's an issue. It's the collection
of information and it's distributed. It's just a matter
of kind of how we pinpoint where -- operator and which
is the most appropriate definition for being able to --
MR. ALTSCHUL: Doesn't that read back into the
statute, though, a commercial purpose, which, you know,
we can't read out, and there are different models for
chat rooms. Some may be sponsored for free to attract,
you know, information -- you know, for a commercial
purpose. You can find out who is interested in your
products. Other kinds of commercial chat rooms may be
offered on a subscription basis. That would also be a
commercial purpose.
MR. MCINTYRE: Yes, absolutely. We see that the
trend in gaming, especially these days, is towards a
much more individualized sort of experience. I don't
think there's anybody among us that wants to be able to
inhibit that sort of technological growth or that sort
of individualized experience for the gamer these days as
well.
The trick comes in in making sure that this
isn't an interpretation based on exception but it's
based on rule instead and still is able to meet -- take
care of the spirit of COPPA while still adhering to the
5
5
ultimate missions. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MARCUS: I'd like a follow-up question,
then, to ask a follow-up question of Michael. Most
gaming systems, I would say all three of the big three,
offer parental controls as options, but in your opinion,
is that done as a best practice or because the
manufacturers have determined that COPPA applies to
those interactive gaming capabilities?
MR. WARNECKE: Well, I can't opine on the
specific motivations of any one company, but what I can
say is this, is that there are interests here that go
beyond merely protecting children for purposes of COPPA
compliance. There are brand protection issues. There's
issues of enabling parents and developing a good rapport
with parents to make sure that they have a comfort level
with the technology, that they feel comfortable with
kids using them and that they have some level of control
over what they're engaging in.
So, I think the desire to help families provide
a safe entertainment experience for their children is
the key motivating factor there, and, you know, this is
something that was, you know, in place and was done
apart from the COPPA compliance, but it's an example of
how the marketplace already has some features in place
to address these issues, not necessarily just for legal
5
6
compliance reasons, but because of a desire to enable 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
families to enjoy games in a safe manner.
MR. FELTEN: Well, in thinking about this issue
of when a game console company might be an operator, it
seems to me there are three sort of basic cases that are
worth thinking about. One of them is the one that
Michael pointed to at first where the game console
provides, say, a web browser or a way to access
something that occurs elsewhere. Let's say you can use
your game console to access Facebook. In that case,
there probably is an "online service" or "website on the
Internet" involved, but the game console maker is
presumably not the operator of it, and so it would be
Facebook or whoever else who would have any obligations
under COPPA.
A second case which we have talked about is the
case of communication within a room, let's say, between
devices, three kids who have Nintendo DS devices and
they're chattering with each other while they play, but
they're not connecting to a wide area network for this
purpose, and to me, that's not an "online service,"
because it's not online or it's not using the Internet.
And the third case is, let's say, a chat room
which is accessible via the device and which is really
available to everyone in the world on which to chat, and
5
7
there again, you have an "online service" or you have a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
website and you have to ask who's the operator of it.
If it's the game console company also, then yes, they
might have some obligation.
MR. MORRIS: Just to kind of add onto that, I
mean, I think this discussion highlights a critical need
for the Commission to, you know, not only ask about and
imagine what is possible, but look at what is actually
plausible and likely, because, I mean, certainly I could
envision a world where McDonald's sends people out into
the neighborhood with their DS-Lites and they create a
network, and they hope that kids in the neighborhood get
online, and then they can market to them without
touching an online service, and so maybe they're not
COPPA-compliant, but that seems pretty unlikely to me,
at least today.
I mean, it seems to me that, you know, most of
the motion in the technology development is toward
greater interactivity, greater connectivity to online
resources. I think that it is very likely that most
services that we're going to see are going to have an
online component, an "online service" component, and
even if we can imagine marketing to kids technologically
being done in a way that circumvents COPPA, you know, I
would suggest that until we actually see that kind of
5
8
behavior happening, it's not something we need to expand 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the reach of COPPA to envision a technical possibility
when it's, in fact, not a practical or a market or a
likely possibility.
MR. MCINTYRE: The exceptions always make for
bad rules on this, just as we have seen in terms of --
MS. MARCUS: But good conversation.
MR. MCINTYRE: -- text messaging and closed chat
rooms within gaming sites and whatnot as well, and I
would argue that I think Google does this already a
little bit. I am able to pull up a photo of my front
yard, my front door, my truck, and the gear that I have
on Google right now, and I can zone in. I was looking
for a friend that had bought a house recently in a
nearby neighborhood, and I was able to pull up almost
every information, including I could zone in and see
something that he had placed in his front window based
on the Google website. And this is from Google driving
around, you know, with their camera on the top.
So, I don't think in this particular example,
which may not be the greatest example, I don't think
it's as much of a reach to be able to say that we may be
able to begin to see location-based networks grow up
that marketers and advertisers are able to use for their
own purposes in gathering information.
5
9
MS. ENGLE: Okay. We just have a few minutes 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
left and there is a couple more topics that we would
like to cover, so we will move on now to interactive TV.
Actually -- no, we're good. It's 10:30. I was thinking
10:15.
So, interactive TV is a broad term that can
cover anything from using a wireless remote to purchase
product advertised in a commercial or changing the
actual viewing of a show that you're watching, and so
we're wondering, when would a provider of an interactive
TV service be considered an operator under COPPA? And,
you know, I am sure everybody knows, we're getting
closer and closer to interactive TV being something that
people are actually doing and using way more now than
just a few years ago when it was announced.
So, John or Jeff, did you want to take a stab at
that?
MR. MCINTYRE: Not really.
MR. MORRIS: Well, being a cultural Luddite, and
as far as I know, I've probably never used interactive
TV, I'm not sure I'm the best source, but, I mean, you
know, again, I actually would come back to what I just
said a moment ago. You know, I think that, you know,
whatever interactive TV was five or eight years ago, you
know, may have been being done, you know, using
6
0
proprietary signals between the cable network head end 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
and the home box, and thus, conceivably might skirt, you
know, the TCP/IP-ness that COPPA suggests for the
Internet definition.
But my impression is that, again, you know, more
and more things that are interactive are, in fact, tied
in to things on the Web, things -- I mean, you know,
we're not moving to a world, you know, where interactive
TV is going to be siloed off by itself. It's all going
to be, you know, I think a single rich experience, and
my guess is that that experience is most often going to
involve something that is pretty clearly an online
service.
And so, you know, I'm not sure that all
interactive TV, whatever that was five years ago, would
necessarily be an online service, but my guess is that
the interactive TV of today and the interactive TV of
tomorrow will likely involve an online service, and
thus, likely would be covered by COPPA.
MS. MARCUS: Angela?
MS. CAMPBELL: Yeah, I would agree. I mean,
again, I think the statute covers it. I think that we
knew back in '98 that digital television was already
being talked about. We envisioned it as being able to
connect to websites or website-like services, and, in
6
1
fact, the way it is developing is a way that you can get 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
more information about products; you can purchase things
online. So, it's clearly covered as an online service.
I just wanted to also mention that the FCC has
had a tentative conclusion since 2004 that any
interactive advertising targeted to children would not
be in the public interest and is not allowed. The
Chairman of the FCC said last summer that they were
planning to finalize that decision soon. So, I do think
that it would be covered by COPPA.
MR. FELTEN: I tend to agree. I agree
especially I think with John's point, that it's not
clear that interactive TV will pose difficult questions
beyond the difficult questions we already have in this
area; that is, that it's likely to look like perhaps an
online service that involves some video as opposed to
some entirely different kind of thing.
And so whether it qualifies as an "online
service" or meets the other requirements to be an
operator under COPPA I think will be a similar question
to what we would face with other kinds of services.
MR. MCINTYRE: I just want to make a brief,
quick mention that I think this is really cool, because
as recent as 2008, we were being told in the child
advocacy community and the public health community that
6
2
this was really a nascent technology and was something 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
that was probably not going to be -- you know, 10, 15
years off or so, that we just really didn't see that
these issues were going to arise.
And so to be able to have esteemed federal
representatives talking about the issues that this is
going to represent, especially on the heels of the
introduction of Google TV and what we see as the growth,
you know, with the interaction of DVRs and those sort of
technologies, this is something that's very real.
I don't know that it necessarily poses any new
issues that are any more tough than what we already
have, to mimic what Edward has said as well, but I think
when we also look at the arena, kind of what's been
happening in terms of online and in terms of the gaming
world, when you look at multiuser gaming instances,
where they go online, if there are commercial instances
and if there's an awareness of children that are playing
that, we already have this sort of larger on-screen that
can be interactive.
I think that's just kind of going to serve as a
good, perhaps, metaphorical model for how we are able to
view interactive television down the road. It's not
going to necessarily be, "Hey, it's cool, I can order a
pizza on my TV," but it's going to be much more about
6
3
the collection of information, that I think we're 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
comfortable with where we're at now.
MS. MARCUS: Michael, what are you thinking?
MR. WARNECKE: Well, I think that the issues
that we're seeing play out in the gaming devices and
interactive TV just illustrate the point that when we're
looking at "operator," we have to be really careful to
look at the specific facts and what's going on with the
technology and how the information is being used. It's
a little bit hard to address these issues in the
abstract.
MS. MARCUS: We have a question from the
audience.
MS. MONTGOMERY: Hi. I'm Kathryn Montgomery at
American University, and along with Angela, I was
involved in actually leading the campaign that resulted
in COPPA. So, it's heartening for me to hear that the
statute we all negotiated was written broadly enough and
inclusive enough and hopefully with some foresight, even
though we didn't know how it would all evolve, that
these new forms of marketing to children are covered.
I just want to sort of make a comment that we
could talk more about how these various platforms are
being used for marketing purposes. We've discussed
gaming a little bit, but the fact that in-game
6
4
marketing, in-game advertising is a growth area in all 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
of these platforms, mobile, huge growth areas for
marketing and marketing directed at children as well as
teens and adults.
And I think there are going to be a lot of other
questions that we will be addressing this afternoon that
will touch on what this is about, but I hope we get to
some of these issues.
So, for example, with mobile, I think we have to
look at how mobile works, how parents are involved in
mobile, how one does agree. I think that the questions
that Jeff raised are very important, what constitutes
opting- in and is it really meaningful, because the
purpose of this law was really to protect children from
manipulative marketing in the digital media.
And so I want to just keep the focus on that and
just underscore that I'm glad to see all these platforms
are included as we talk more about it.
MS. MARCUS: Sure, and just by virtue of design,
we had to kind of break up topics so that we can really
delve deeply into each one, and as you know, you are
going to be participating in a panel a little bit later,
and I hope you delve into that, and then we will be
talking about parental verification mechanisms in the
panel following yours.
6
5
You know, just to kind of close the loop on 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
interactive television, I think it was John who said
that we're going to move toward more television and
video -- I think it was said down here, too -- looking
like "online services" than others. So, just to note
our carve-out or to ask a general question, if it's a
broadcast network company that's soliciting interactive
participation from a child during the course of
programming, for the lawyers among us, would the FTC
have jurisdiction under that situation?
Mike?
MR. ALTSCHUL: I don't know.
MS. MARCUS: And, you know, that may --
MS. CAMPBELL: Well, why wouldn't they? I mean,
we have jurisdiction over broadcast advertisers. I --
you know, who do advertising. If they're collecting
information that's being used for commercial purposes --
absolutely.
MR. MORRIS: Although, let me push back -- and,
again, if we're talking about COPPA, you know, obviously
there are other statutes and things that the FTC
appropriately can regulate.
Now, if I go onto the street and every
tourist -- every young -- you know, every 12-year-old
who walks by, I say to them, "Go on Disney.com and have
6
6
fun," I'm a little skeptical that COPPA would apply to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
me, to me as just someone who, in a completely offline
way, is promoting an online service.
And so if a broadcast -- to come back to the
hypothetical, if a broadcast network simply airs a plain
old commercial that says, "Go online to Disney.com,"
well, clearly, Disney.com is an online service that's
covered by COPPA, but I'm a little unclear how you get
COPPA applying to the broadcaster of that commercial.
MR. MCINTYRE: What is this broadcast TV you
speak of? It reminds me of the VCRs and the
long-playing records we used to use.
I'm not sure that there is much -- in terms of a
regulatory definition, this is an important conversation
to be able to have, because it's going to a draw a
distinction between where the FTC powers are and where
the Federal Communications Commission powers are, and
the FCC is still kind of playing that out a little bit,
although we have seen indications from their tentative
conclusion on interactive advertising that they are
going to come out with some protective language there as
well, or they will at least reaffirm the protective
language there as well.
But to kind of play off something that Michael
mentioned earlier on is that, you know, all this stuff
6
7
is going to be integrated, and so the idea that a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
broadcaster is going to exist as kind of solely in its
own individual little bubble out there I think is a
broadcaster that's pretty doomed to begin with, and I
can't think of many instances -- I mean, you know, there
may be legal definitions for how the name is used, but,
you know, I think of ABC Disney; I think of NBC/Comcast,
if I can say that; I think of, you know, Viacom/CBS; I
think of all these services already beginning to merge
together.
And if a broadcaster is collecting information,
then we are going to see it, and we're able to, at the
Federal Communications, begin to get some foundations
laid out to be able to protect kids in that way, that,
yeah, if they just have -- you know, say Nick.com shows
up on the screen, then they can't -- you know, that may
not fall under COPPA regulations, but at the same point,
if that Nick.com flashes on the screen, then there are
certain things that can not happen on the website at the
same time, such as wholesaling requirements that point
to the importance of protecting kids in the online
environment in this instance.
And so I just don't see -- you know, the
broadcaster -- God bless his little airway-based
heart -- just may be, you know, as we imagine it with
6
8
the long-playing record album, an endangered species in 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
this regard and not something I would like to see the
Federal Trade Commission really spend a lot of
regulatory effort on.
MS. MARCUS: Okay. Now, to turn to another
controversial topic, we have a question about ad
networks and whether an ad network that is serving
targeted ads to kids or tweens should be considered an
online service.
Angela?
MS. CAMPBELL: Yes. Actually, in adopting the
COPPA rule, the FTC said that if companies collect
personal information directly from children who click on
ads placed on websites that are online services directed
at children or if companies collect personal information
from visitors who click on their ads on a general
audience site and the information reveals that the
visitor is a child, then they will be subject to the
Act. So, I think the Commission already has answered
this question.
But I guess I would add that, you know, an ad
network is targeting -- if they're targeting kids, you
know, that it's really the functional equivalent to
targeting computer users on the Internet and websites,
and so, you know, I think there is just no question that
6
9
it would be covered. You know, that doesn't necessarily 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
mean the website itself is. I mean, you could have a
part of a website that is subject to COPPA and another
part that's not. But the part that is being used to
target ads to kids and to collect information from kids
would be covered by COPPA.
MR. MORRIS: So, we might have our first
concrete disagreement here. You know, absolutely, if
there is a website that has ads, that utilizes an ad
network, and either the ads or the website is targeted
at kids, the website is clearly covered by COPPA, has
full COPPA obligations.
To suggest that a piece of the website has
independent COPPA obligations, what that would lead to,
I would think, would be a requirement that two companies
gather the full information about the parents when, in
fact, the one company that is the operator of the
website -- I mean, to me, you know, an ad placed on a
website is not an independent website. It is one
graphic on a larger website. Clearly, the website
operator has to get full, verifiable parental consent.
But to suggest that the display of a particular
ad, I mean, that would I think suggest then that any
piece of the website that, you know, gets displayed to
kids might then have to go collect, you know, the
7
0
information about the parents and all. I mean, it seems 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
to me that when there is clear COPPA culpability for the
website, it is unclear to me either whether the statute
covers an element on the page, but it's also unclear to
me, as a policy matter, whether we want to enforce and
create two COPPA interactions as opposed to one.
Now, having said that, I mean, if the ad
network, you know, crosses different sites, then any
website that uses the ad network has to get full COPPA,
you know, consent from the parent to do that website --
you know, to do the cross-site connection. And, I mean,
there has to be full disclosure to the parent about
exactly what is happening.
So, you know, there shouldn't be an end-run
around COPPA, but the website ought to be the
responsible party.
MS. CAMPBELL: Going back to the legislative
history, there is a section-by-section analysis that was
put into the Congressional Record by the sponsor of
COPPA, Senator Bryan, and he says that the term
"operator" is defined as the person or entity who both
operates a website or online service and collects
information on-site either directly or through a
subcontractor. The definition is intended to hold
responsible the entity that collects the information, as
7
1
well as the entity on whose behalf the information is 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
collected. It doesn't apply to the extent that it is
just used to -- that it doesn't collect information.
So, clearly, we understood from the beginning
that you could have more than one entity covered by
COPPA, and then there's also FTC cases that have been
brought against, for example, Bigmailbox, which operated
a chat room that resided on children's websites, and
they said that because they collected personal
information, that embedded component was itself subject
to COPPA.
So, I mean, they may be able to work out some
sort of agreements that they can share the parental
consent, but there clearly is the opportunity for both
to be covered.
MS. MARCUS: Thank you.
I'd like to at this point open the mics up for
questions from the audience, either about things that
we've just been talking about or things that we
mentioned earlier in the session, and for the next five
minutes we'll hear from people in the audience.
Anyone? We have a question over there.
UNIDENTIFIED SPEAKER: Based off of that example
that you just gave where you've got two business
entities serving up information, if there's parental
7
2
consent on the website with the operator, how is that ad 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
then covered by that parental consent, or are they now
not covered?
When a parent gives parental consent to a
website and collecting of PII and then you have got
another ad operator on the site, how is the parental
consent then given for that or how is that covered?
MS. CAMPBELL: Well, I think that's really the
topic of another panel, but I would say -- I mean, I
think it kind of goes to the adequacy of consent. I
mean, parents may be consenting for one thing and then
the information is being used for something entirely
different than what they thought they had consented for
their child to use. That would not be adequate consent.
MR. MORRIS: I would completely agree, I mean,
that any parental consent needs to provide full notice
and consent from the parent for any use and any, you
know, information. So, I mean, a website would need to
make clear, you know, your child will both be able to
play a game where he or she can tell their name to, you
know, to another game player and they will be served
targeted ads based on, you know, information collected.
And the parent needs to be able to understand both
elements and consent or not to both elements.
MR. WARNECKE: I'd like to address this
7
3
multiple-operator question in a slightly different 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
context, apart from the online advertising, and it's a
context that we generally seeing occurring quite
frequently in the game industry, and that is where you
have consent at the platform level that a parent gives
for certain communications to take place, and then a
couple of months later, the child acquires a game that
they play, and then the publisher's software comes up
and says, "Hey, we need parental consent for in-game
chat."
And this causes a big confusion with a parent
who doesn't understand, well, I previously gave consent
before, why am I being asked again for this same
consent? So, I think what would be very helpful in that
situation -- and I appreciate it's a little bit
different from the online advertising circumstance, but
it raises a similar issue -- is that if there was some
streamlined way where you could have one operator obtain
consent for multiple parties, subject, of course, to
appropriate disclosures and making sure that the parent
is fully informed. But if there was some flexibility to
do that, I think that would be very useful.
MR. MCINTYRE: I would add one last kind of
issue that is important, I think, for us to consider.
We talked a lot about, as we were talking about American
7
4
Idol and determining whether the user is a child, when 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
you're dealing with consent, I think it's also important
to make sure that you can consider whether the person
giving consent is, indeed, in fact, the parent or the
guardian.
I think there are a lot of instances that are
where the child is marking off on consent without ever
reading the consent notice, and I'm not sure how that's
resolved, but I think it's definitely an issue that
exists that who we think are the parents online may,
indeed, not be.
MS. ENGLE: Well, that's definitely a topic for
later in the day, an oldie but a goodie question for us.
MS. MARCUS: I think at this point we need to
wrap up. I thank all of our panelists and everyone in
the audience for being so interactive, and we hope that
this continues throughout the day.
(Applause.)
(Recess.)
MR. QUARESIMA: I'm Rick Quaresima. I'm an
Assistant Director in the Division of Advertising
Practices. With me as co-moderator is Mamie Kresses,
who, along with Phyllis Marcus, is the co-head of our
COPPA program.
The second panel today is going to talk about
7
5
discussing the legal and policy implications of COPPA's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
inclusion of an actual knowledge to general audience
operators. So, I would first like to introduce our
panelists.
Starting down here on my far right, we have
Becky Burr, who is a partner with WilmerHale.
Next to Becky, we have Dr. Gwenn O'Keeffe, M.D.,
and she is the CEO and editor-in-chief of Pediatrics
Now.
Then we have Phil Terzian, Senior Director of
Government Affairs of Activision Blizzard.
Coming down to the left of Mamie is Phyllis
Spaeth, Associate Director of the Children's Advertising
Review Unit, Council of Better Business Bureaus.
Then we have Guilherme Roschke, a graduate
fellow from the Institute for Public Representation,
Georgetown University Law Center.
And then Jeffrey Greenbaum, a partner at
Frankfurt Kurnit law firm.
And then Christine Jones, who's the General
Counsel of The Go Daddy Group.
So, right now, I think we are going to go down a
little bit deeper into the specific type of operator
covered by COPPA. We have talked about that COPPA
covered websites and online services, but there are two
7
6
different websites and online services that come within 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
that; those that are services that are directed to
children or operators that have actual knowledge that
they are collecting personal information from a child.
And this panel will deal with that actual knowledge
standard.
So, I'd like to open it by just sort of getting
back to the original purpose and the original passage of
COPPA and try to maybe get a little feel for how
Congress settled upon the actual knowledge standard for
general audience operators, as opposed to any other
standard.
So, I think I would like to begin a little bit
with Becky on that.
MS. BURR: Thanks.
We've been talking about gray areas, and I think
we all, sitting around the table in 1997 and 1998
talking about this, knew that there would be gray areas,
and specifically, that there were sites that would be
interesting to adults and interesting to children as
well. And the question is, you know, what are you going
to do with those sites?
The actual knowledge standard was adopted --
replaced the original draft language, which was
"knowingly," in Senator Bryan's original draft, the
7
7
language was "knowingly," and it was replaced with the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
actual knowledge standard in committee, in the Senate
committee, as a result of the hearings. The two
standards are very different.
Legally, the knowingly standard will allow you
to consider information, inferences, inferrals,
information that you should have known, whereas actual
knowledge is a direct and clear knowledge of a fact, as
distinguished from constructive knowledge.
So, it was a very deliberate move on the part of
Congress to distinguish the standard.
MR. QUARESIMA: Guilherme, do you have anything
that you would like to add to that?
MR. ROSCHKE: Yeah. I will just add that as
originally introduced, the bill only had a directed ad
section, was limited to that. Consumer groups then
proposed language to cover websites that know or should
reasonably know they are collecting information from
children. And then in the negotiations, the industry
retorted with, you know, the actual knowledge standard.
And so that's how we got to the actual knowledge.
MR. QUARESIMA: Okay. How has the requirement
of actual knowledge, as opposed to a constructive
knowledge, affected the development of various business
models? And I'd like to sort of make this a kind of
7
8
very broad-based question and get a lot of input from 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the panelists.
I think I'll begin, perhaps, with Jeffrey, and
then we can, you know, sort of work our way through.
MR. GREENBAUM: You know, obviously, I think
there are certain times, you know, when advertisers,
marketers, they want uncertainty. They want
flexibility. They want the ability to look at all the
facts and circumstances. And there are other times when
you need certainty, that it's just virtually impossible
to build a business, to, you know, plan what you're
going to do without a level of certainty that you know
that you can comply with. And I think that the actual
knowledge standard does that.
The way that we've got a standard right now that
is very clear, advertisers or operators know what they
need to do. They know when they have actual knowledge,
and they know when they don't, and it has allowed
businesses to develop, and I think as the discussion
will show, that, you know, many of the websites
available today, if we had a broader standard, if we had
a "knew or should have known" standard or had some sort
of constructive knowledge standard, I think what we
would find is that it just really wouldn't be workable,
that regardless of whether you have some kind of age
7
9
screening or not, I mean, the whole notion of that, you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
know, you're responsible for the content of everything
that's on your site, you know, and knowing what the
possible information that could be on there, is just
simply not workable and wouldn't work for the kinds of
websites that we have today.
MR. QUARESIMA: Anybody else?
Becky, do you want to --
MS. BURR: I just want to say that Congress made
a decision in passing Section 230 to ensure that
operators of websites would not necessarily be
responsible for everything that was on their site. That
was designed to promote innovation and uptake of
ecommerce, and the actual knowledge standard supports
that.
MS. JONES: And could I just say, as the evil
website operator on the panel, we're so glad they did?
MR. QUARESIMA: Why is that?
MS. JONES: Let me say at the outset, before I
got up here, I checked in with Foursquare, and I noticed
that at least four others in the room had done the same.
I sent out a geolocated tweet to tell people that I'm in
the room, and I also didn't mention the fact that I'm
over 13. So, we'll see if anybody has actual knowledge
when we leave here of what we're doing, information
8
0
we've collected, and whether or not there are children 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
in the room. That's just for you, Professor. We'll
sign you up with a Foursquare account before we leave, I
promise.
The reason we're happy about the fact that the
actual knowledge standard is actual knowledge and not
constructive knowledge, "knew or should have known," or
some lesser standard is because, let's face it,
businesses are in business to make money, and they want
to push the envelope.
Now, we're very careful at Go Daddy about what
information we collect and how we use it, but we have 41
million customers who maybe aren't quite so careful, and
we hear every time they do something wrong, and if there
weren't, as Becky pointed out, such a specific intent to
make the standard as high as it is, we would have a lot
more violations.
And so I say a little bit tongue in cheek that
businesses are happy about the standard, but really,
honestly, it has been a watermark, a benchmark, that
people can use to say either I knew or I didn't know and
don't ascribe knowledge to me if I didn't have the
actual knowledge. So, it's been something that people
have really backed up against to form business models to
make more money.
8
1
MR. TERZIAN: I'd like to, you know, reiterate 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the certainty aspect and how the predictability of that
is very helpful for site operators. I mean, the actual
knowledge standard does provide the certainty. It
allows you, you know, at a point in time, such as when
the user is registered, to make a quick, easy decision
as to whether or not that person is under 13 or not.
A "should know" standard, more murky or
uncertain, would have to be -- you know, it would be
hard to follow. I think there would be, you know, a
huge amount of businesses that would have to then adhere
to that.
MR. QUARESIMA: Gwenn, do you have any thoughts
on that?
DR. O'KEEFFE: You know, I think when you look
at actual knowledge in children, it's a sticky point,
because they're -- it's a strict definition right now of
actual knowledge, but we know children are on these
sites. So, I'm very uncomfortable with using just
actual knowledge from a -- and we will get to this more
in a little bit, but, you know, I think that, you know,
when you look at the Go Daddy and the -- you know, the
Foursquare, the Foursquare example that you just gave,
I'm not comfortable, you know, because I think it's --
when you look at businesses and what they have to do,
8
2
it's, I think, incompatible with what you have to do to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
keep children safe online and protect their privacy.
MR. QUARESIMA: Phyllis, let me turn this over
to you for a minute, and I think in some ways, I hear a
lot about certainty, but I'm not hearing a lot of
specifics about how some of the business models actually
have developed and what is the specific business model.
So, I would like to kind of talk about that. So, maybe
even in relation to figuring out what some of the models
were beforehand that you saw at CARU versus ones we know
of now.
MS. SPAETH: By the way, I'm not wearing my
bullet-proof vest, and I feel like, except for Gwenn,
I'm not in the real majority here. So, let me just
start by saying that I'm from the Children's Advertising
Review Unit, which is the self-regulatory arm of the
children's advertising industry, and I think we were
even a little ahead of the game when it came to online
media, because back in 1996, before I was even born,
CARU came up with self-regulatory guidelines on
interactive electronic media, which at the time had the
intent of covering websites directly, you know, intended
for children or targeted at children.
I came to CARU in 2000, and it was very clear,
even at the beginning, that there were lots of websites
8
3
that children were going to be going to, and I'm not 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
talking necessarily about general audience websites.
I'm talking about websites that were made for teens.
And what was interesting is even before then, there were
websites that had within their names "preteen chat,"
"kids this," "preteen that," so, like, somebody knew
somewhere that they were having children below the age
of 13 there.
And somewhere I believe in 2001, we changed our
guidelines to come up with what we call our "reasonable
expectation" standard, and what this says is our
guidelines cover websites that are directed to children
under 13 and those where there's a reasonable
expectation that a significant number of children will
be visiting. And in using this, we've decided that if
there is a site that has "teens" in its name -- or let
me step back a second.
What I think any child psychologist or parent
can tell you is that children model up. Every
10-year-old, especially girls, wants to be able to do
what the 15-year-old girls are doing, and if there is a
rock star, you know, any kind of pop icon that
15-year-olds are interested in, mark my words,
8-year-olds are, also.
So, we decided we can't just let all these teen
8
4
websites you know, out there and, you know, just doing 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
this little "don't ask, don't tell" thing, so that
everybody is free and clear. So, instead, with the
"reasonable expectation" standard, we were able to look
at sites and say, "Okay, what do you have to do now?"
If there is a reasonable expectation, it's not
that hard. Just do one neutral age screening so that
you ask people that want to register for their age in a
way that doesn't tip them off as to what age they should
be, so that you can ask for a date of birth, you can
have a drop-down menu from which you can pick a month,
date, and year of birth, but you can't say right next to
it, "You have to be 13 or over to register."
Neither can you then, when a child says that
they are 10 years old, can you have a screen that comes
up that says, "Oops, you're too young, go back and
reregister," or just, "Oops, you're too young," and the
kid just presses the back button, and there she is. She
changes her age, and she's in. So, the third part of
this is that you have to have some kind of a tracking
mechanism to stop a child from going back and changing
their age.
MR. QUARESIMA: Jeff, you had something?
MR. GREENBAUM: Yeah, a couple things. First, I
don't think you need to worry, Phyllis. I don't think
8
5
you need a bullet-proof vest. It doesn't matter where 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
you sit. I think that people are concerned about
children and are concerned about protecting children,
but it's about choices, and everything we do is about
choices. I think of my son in the playground and
deciding which thing is he allowed to go on. You know,
do I let him go on the small slide or the big slide?
Can he climb up the ladder by himself or not? We are
constantly making choices, and some of them are
difficult to make, and these are just more difficult to
make.
But I think that, you know, the reasonable
expectation that you're talking about is an interesting
one. I just don't think it relates to the actual
knowledge standard. I think it relates to the
"directed-to-children" standard, and I think that it may
be that in today's environment, we have to look at what
does it mean to be a site directed to children, and that
is something that may require some further exploration,
because it may be that "directed to children" meant
something very different.
And certainly in other contexts, you think
about, you know, when we've had concerns about a child
audience, there's a big difference between "directed to
children" and the percentage of the audience that is
8
6
children, and it's one of those difficult issues that 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
we've struggled with in other contexts. But I think
that it may be that, you know, it's not about actual
knowledge, because I think actual knowledge at least
gives someone an ability to plan their conduct.
I think that, on the other hand, if you relook
at perhaps "directed to children," you could make
decisions about the size of the audience, things like
that, things that, you know, give operators a certainty,
you know, certainty in the way that they proceed.
You know, finally, on the neutral age screening
thing, I think that you can't ignore, one, the cost
associated with that. I mean, it does require operators
to do additional things that have a cost, but also, that
doesn't change anything. Whether you are directed to a
general interest website -- whether you're directed to a
general interest audience and you don't age-screen or
whether you do neutral age-screen, you still have a
website where people are still, you know, giving you
information which still raises the same question. So, I
don't think that solves the problem when we're talking
about how do we address the actual knowledge issue.
MS. SPAETH: Well, hold on one second. There
are several things I have to answer there.
MR. QUARESIMA: Okay, quickly, because we need
8
7
to give other people an opportunity. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. SPAETH: Okay, I'll be very quick.
Okay, number one, I don't think we should get
into semantics here. I'm talking about the actualities
of the way we work, so that I don't care what you call
it, like which rubric it fits under. We do need to take
care of children.
And I also think we need to go back to the
purpose, as David Vladeck started off with. The purpose
of COPPA was twofold: One had to do with marketing to
children, gathering information from them. The second
part of it was a safety interest.
And I will tell that you when I first came to
CARU, most of the websites that we looked at -- I mean,
not only am I a Luddite, but I am really old-fashioned,
and I couldn't believe the sex that was going on in chat
rooms. So, all I'm saying is, there's a real interest.
You know, we're looking here to protect children.
And that's it. Everybody else go on.
MR. QUARESIMA: Okay.
MS. BURR: So, I think all of us want to protect
children, although I have to say that the congressional
purpose of COPPA was to prevent the use of manipulative
ads and unfair and deceptive practices. It wasn't a
child safety law.
8
8
But having said that, my problem with the -- why 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
I think the actual knowledge standard is useful is
because I think verifiable parental consent is too
expensive to get, not putting up the age screen, that's
pretty easy. I don't think it costs that much to put up
the age screen, but what it does is it teaches kids to
lie. So, you don't change the number of kids who are on
the site. It's still a lot of kids under 13. They're
there, and they've lied to get there. And that's the
message we're sending, which I think is not a healthy
message.
MR. QUARESIMA: Let me just sort of follow up,
but if that's the message, do you have any proposal
to -- I mean, would a different standard at all solve --
try to address that problem?
MS. BURR: Well, I think that there are very
good reasons to think about different levels of parental
consent, maybe turning to a notice provision only if a
website is engaging in, you know, activities within a
certain parameter, so that there's a safe harbor not for
compliance with COPPA, but there's a safe harbor that
gets you out of the verifiable parental consent and
sends you into a no-penalty notification provision,
something like that.
I think those are the changes that would make
8
9
the most difference, that would encourage children to be 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
honest and encourage communication between parents and
children through notice, as opposed to not being able to
get on the site at that moment when the kid wants to.
MS. KRESSES: And I would go back to Jeff, who
had said earlier that a broader standard would not be
workable for all sorts of websites today, and I think
that it's just too easy to say, and so we need to look
at how would it not be workable and how would you work
around it if a reasonable expectation or a more
constructive knowledge standard were dropped on you from
the sky?
MR. GREENBAUM: Well, you know, again, I think
that there's -- I still think, you know, we're talking
about two different things. I think that the notion of,
you know, what an online service website or online
service directed to children, I think, you know, the FTC
could develop guidance that says, "What does it mean to
be directed to children?"
You know, it's one thing to have a site that is
obviously directed to kids, you know, the Dora website,
whatever it is. You know that that's directed to kids.
You know little kids are going on. You know, I think
you could also give guidance that says, you know, look
at your audience. Look at the number of kids that are
9
0
coming to your -- and look at the -- do demographic -- 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
do research. If you have a concern that there is a
substantial number of kids, you know, that may be
something that you could explore, but at least it would
give -- you know, it would give you certainty.
The issue that -- and I think we're going to
talk about this in a little more, is, you know, what
we're talking about here is not children generally. I
mean, the actual knowledge standard is not about actual
knowledge that you are collecting information from
"children." It is actual knowledge that you are
collecting personal information from "a child."
And I think that we have to go back to the
statute here, and what the statute is is either a
website that is directed to a child audience generally,
and I think we can explore that and develop that in a
way that perhaps is productive, but I think that in
terms of collecting personal information from "a child,"
it's temporal. It's about at a moment in time, you're
collecting personal information from a specific child.
And so that is a very, very high standard to
reach, to meet, and I think that it would be an
extremely difficult one to say that at any moment that a
child is entering into information on your website, you
have this obligation to, you know, have 11,000 people
9
1
standing by and reviewing the website and making sure 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
every key stroke goes in, and the minute the word "I'm
10" goes in, you go, "Got to delete that," because, you
know, you now have actual knowledge that you're
collecting information from a child.
So, obviously, you know, we have to be more --
we have to be rational. We have to say, "Well, look, we
know kids are going to lie. We realize we have set up a
system that leads kids to lie, and we know that there's
a tremendous amount of Web content." You look at the
amount of content that is posted every day on any major
social networking site, and you realize it's just simply
not possible to go and screen that or monitor that in
any kind of a productive way.
And I think the other problem -- and I think we
can talk more about this, too -- is you don't want to
create reverse incentives either. I mean, you do want
website operators to have the ability to engage in
conduct which helps protect the safety of people online,
that tries to protect the privacy of people online, and
to do that, you have to enable them to go and look at
things that they believe would be helpful.
But the minute that you start to go down that
road, you start to get into the question of, well, you
know, you were looking -- you started to look at that
9
2
site. You have that person there. You could have done 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
this, this and this. You should have known that those
kids were -- that there were kids there, if you had
looked a little bit deeper, looked deeper into the
comments. You start to get yourself into a murky world
which I think would be extremely unworkable.
MR. QUARESIMA: Actually, you had noticed
something that I -- you talked about something I did
want to explore, and that was the idea that operators of
websites directed to children and those that have actual
knowledge, that is, collecting personal information from
a child, and I did want to explore that and give some of
the other panelists an opportunity to speak on that.
Guilherme, did you have any thoughts on that?
MR. ROSCHKE: Well, I think that the --
MR. QUARESIMA: Would you agree with Jeff's
characterization on that?
MR. ROSCHKE: Not exactly. I think it would be
kind of wrong and it would protect children less to read
too much meaning into this. You know, let's take the
example of, like, behavioral targeting, where you're not
targeting -- you're probabilistically targeting
children. You know, I think that that would fit
probably under the directed-at-children standard, but
then there's a certain point, which depending on how
9
3
your behavioral targeting analytics are done, where you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
know that pretty much all of these are children, and at
a certain point where we can talk about you having
actual knowledge that you're collecting information from
a child.
MR. QUARESIMA: Gwenn, did you have anything to
add?
DR. O'KEEFFE: Yeah. I think -- well, there's a
lot of ways of looking at this. The first is, you know,
getting back to something Jeff said, we cannot, on any
level, be okay with a system that encourages children to
lie, and I think that, you know, from a developmental
point of view, to have a system that tells kids you can
lie about your age, we are teaching kids the wrong
lesson and putting them in just so many precarious
situations for their health, their well-being, their
safety, and their development. I mean, we're not even
talking about privacy yet. We are just putting them in
arm's length of danger.
Now, from a privacy point of view, we're putting
them at risk there, too. So, we are just teaching them,
"Hey, guys, go ahead and lie. We're cool with that."
We can't be cool with that. We can't be cool with that
as educators, we can't be cool with that as
professionals, we can't be cool with that as parents,
9
4
and we can't tell parents to be cool with that. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, if we are going to have some good come out
of today, we have to look at the statute and what we're
here to do on this panel and recognize that actual
knowledge doesn't work.
Now, constructive knowledge, that does work,
because we know that if a child posts information about
their life, that implies that they're 10, a website can
do something about that. Posting works. Posting
behavior works. Websites use behavioral targeting all
the time to do ads, to do all sorts of information
collecting. We know about a child and we can target who
they are by what they post about every single day. If
we change what type of knowledge we use to capture a
child, we can better serve their needs. Actual
knowledge isn't it.
MR. QUARESIMA: I'd like to go to the audience
now, if anybody has -- does anybody have a question in
the audience?
MS. LEVIN: Good morning. My name is Toby
Levin. I'm recently retired from federal service. I
was at the Federal Trade Commission when the agency was
working on legislation and the regulation and was the
first COPPA program manager.
So, if I can just bring a little historical
9
5
perspective on this and recognize that I think the FTC 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
staff did an amazing job in 1999 of coming up with a
regulation that works incredibly well, but recognizing
that it does create some compliance challenges and
obviously some challenges for industry as well.
I'd like to think of when we dealt with the
actual knowledge, we were not strictly identifying the
age registration as the only way to determine actual
knowledge. We were dealing with what was a common
practice at the time. We know that even for
nonchildren, date of birth is greatly desired by
websites. They want to know their audience very
specifically. So, they weren't doing age registration
just for COPPA. They were doing age registration
because it was valuable information.
So, the agency piggy-backed on what was a
convention at the time and then tried to use that in a
way to at least get kids to input ages and prevent them
from going back and changing them by requiring, as
Phyllis noted, that there be a mechanism in place to
prevent them from going back and changing their date of
birth.
But the rule itself doesn't limit actual
knowledge to age registration. It specifically gave
some other illustrations, some examples. It talked
9
6
about information that comes from a concerned parent, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
asking age-identifying questions, and we were just
recollecting examples of what we were aware of then. I
think since then, there are probably a lot of other
means by which actual knowledge can be determined.
We did note in the preamble the fact that
experiential evidence, actually data regarding -- you
know, empirical evidence regarding who, you know, who is
going to websites would be useful in identifying
websites directed to children, but I think if you look
at ads on a spectrum of where you have websites directed
to children all the way to actual knowledge, that
somewhere in between -- and maybe it's addressed by the
concept of constructive knowledge -- there's indicia
that children are going to -- and younger children --
are going to some of these websites.
MR. QUARESIMA: Let me -- actually, I can take
the opportunity, because I was going to go there anyway,
to sort of throw open to our panelists, I mean, what are
some of those other ways, you know, currently in the
online environment that a business might actually --
that might acquire this actual knowledge?
And I think we can start with our business
representatives. Christine, let me start with you on
that.
9
7
MS. JONES: There are many, and one of the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
things that we see a lot coming from customers whose
websites we host is complaints where mom calls and says,
"Daughter just was served up an advertisement for a
company that makes products for children, and why are
you serving my daughter with an ad that targets kids?"
So, we know somehow that ad network has knowledge that
probably the person looking at the screen at that
particular time is a kid.
So, this gets back to kind of what Gwenn was
saying. They're getting the information somehow, right?
They're looking at where the kid came from. So, did
they come from a child's website or a website designed
to solicit children? Did they have a web-browsing
history that they're collecting in their vast array of
data that goes into their algorithm to determine what ad
to pop up? Did they buy information from a website that
said specifically this person at this IP address is this
age?
There are a multitude of ways, and we see all of
them every day, because believe me, when you pick up the
phone 24 hours a day and the operators of websites that
you host don't, you get the phone calls. You get the
people saying, "Hey, Go Daddy, what's going on and why
are you targeting my kid?" And we say, "Well, actually,
9
8
sir, I'm sorry, I'm not targeting your kid, but let me 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
go talk to my customer who is."
So, there are a multitude of ways that people do
it. It's very clever. I'm not going to stand up here
and say I patently agree with Gwenn, that actual
knowledge is the wrong standard, but it's fascinating to
hear from you, from your perspective, because it's
completely different than ours. We're much more
responsive to the complaints, whereas you're sort of
suggesting a solution maybe that's different. So, I'd
love to hear more about what you think the standard
should be.
MR. QUARESIMA: Phil?
MR. TERZIAN: I just want to finish up on the
question real quick. I mean, it was just brought up,
you know, one excellent example is the one that the FTC
provided, which is if parents, a concerned parent, such
as myself as a parent, if I were to call and say that
"Hey, there's an issue," the companies have to then have
the knowledge. You know, we, of course, would have a
mechanic in place for parents to do that, as would I
assume most websites out there. So, that would be one
great example of where someone might have actual
knowledge.
MR. GREENBAUM: Also, just to finish up on the
9
9
point, I mean, I think the actual knowledge standard is 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
working in the sense that it has led to companies
complying with the Children's Online Privacy Protection
Act, and to the extent that operators obtain actual
knowledge, they're addressing it.
Now, I think that we may wish that Congress made
a different choice, and I think that that's something
that we could look at, but I think that, you know, in
terms of does the standard itself work and is it
workable, I think it is.
I think there's another thing that is important
to remember here, is there's no magic to age 13. I
mean, there's nothing that happens -- you know, there's
nothing that happens, unless you're having a Bar or Bat
Mitzvah, when you turn 13 that suddenly turns you into a
man or woman.
So, there is a spectrum, and we have picked a
moment in time that allows us to try to sort of gauge
where the behavior is, but I think that where you would
probably look, if you did the research, is that, you
know, kids that are really young on the spectrum are not
lying and are not getting their personal information
online, and as you get older, as you're more ready to be
able to deal with all of the things that the Internet
has to offer, you get better able to deal with it.
1
00
And I think that that's certainly an area where 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
we could do research on, but I also think that we have
to realize that there is no standard, there is no age
that is going to, you know, create a situation where no
kid can, you know, disclose personal information.
MR. QUARESIMA: Okay. I'll let you -- Gwenn,
and then I know we had another question in the audience.
DR. O'KEEFFE: Just a quick comment about age.
If you actually look at kids and their online behavior,
the younger kids just do not developmentally handle
online issues well, and it's not a matter of lying.
They don't have the developmental skills. So, they will
go online and get into a boatload of trouble because
they don't understand the wording, they don't understand
how to negotiate, they don't understand how to interact
properly. Teen-agers, in fact, you could argue 13 is
too young. So, we could have an entire panel about
that.
MS. AFTAB: Hi. My name is Parry Aftab, and I
was there in the days when Toby and Kathryn were. They
actually had done research on the ability of kids at
various ages to understand things, and that's where the
13-year-old age came from. They said that 13 was the
magic age, that kids understood it.
My real concern, though, is with the CDA and how
1
01
it's going to interact with this actual knowledge. If 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
we go into constructive knowledge, are we now going to
say that the websites and service providers that are
exempt from what their users are doing on their site and
don't have to monitor are now going to be required to
monitor because it's a general audience site that's
really popular with kids at the time?
And I think we have to be very cautious. I
mean, I run Wired Safety. I'm the one who's out there
trying to protect kids, but we have to be very careful
when we look at actual knowledge. If we move it to
constructive -- Gwenn, you know I love you -- if you
move it to constructive, what are you moving it to? So,
that means everyone now is going to have to monitor it.
The last issue is, kids lie. We know they lie
about their age. More importantly, they lie about the
age of their friends. So, if somebody is on Facebook,
legitimately 14 years old, and they don't like somebody
else in their class, they will report them as underage.
They will pretend to be their parents. They will do all
kinds of things to get somebody else out.
It's a form of cyberbullying, cyberbullying by
proxy. So, when we look at this, when you look at
actual knowledge and who's telling you what, we need to
realize that kids lie on both sides. "I'm 97. And oh,
1
02
by the way, my friend is 12." 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. KRESSES: Okay.
MS. BURR: I just want to not leave this issue
of advertising targeted to children untouched, because I
would say that if you are a website and you are
promoting your website as, you know, a demographics of
8- to 10-year-olds or 8- to 12-year-olds, that is
something that would certainly be part of the
consideration for directed to children from my
perspective. So, I don't think that we have to move
into this constructive versus actual knowledge world
because of behavioral targeting.
MS. KRESSES: And the Rule itself, the Statement
of Basis and Purpose does discuss that that is one
factor that we can look to, is both demographic
information and, you know, what advertising is doing,
but I think the question gets a lot harder when we're
talking about ads targeted to particular people, as
opposed to ads just sitting on the website.
Does anybody have any further thoughts on that
question of how we use that indicia? Okay.
MS. BURR: Well, I mean, if there's an ad
targeted to a specific person at age 9, I mean, I think
we have to at least think about whether in that case
we're talking about, you know, targeting a child.
1
03
MS. KRESSES: And then, Kathryn, go ahead. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MONTGOMERY: Yeah. I'm glad that we brought
up -- first of all, I want to thank Toby for reminding
us of the ways in which we all dealt with this difficult
question. I mean, I had said to Angela when the panel
started, "Oh, I hate this, because it's complicated."
It was complicated then, it's complicated now, and no
solution is perfect. But I appreciate Toby reminding us
that there were a number of different indicators that we
included in the definition.
The market, as everybody knows, has changed
tremendously, and I think it would be a mistake if the
Commission did not closely look at behavioral targeting
and profiling and analytics and that those kinds of data
collection practices, that are state of the art now in
the digital marketplace, as a source of information for
clarifying how this part of the rule works. Again, it
could be, you know, controversial and a knotty question
to address, but I think it's important.
The other thing that I would like to respond to
is what Phyllis was discussing, because I do think that
teen websites are a particular category that we may want
to look at more closely. It is true that kids watch up,
they want to go on the sites for teens, and developing
some more effective mechanisms that are industrywide
1
04
would be a really good idea. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
And then finally, I hope somebody will talk a
little bit more about social networks, because there's a
lot of knowledge that goes on there about -- there's a
lot of data money that goes on there as well, and they
shouldn't be overlooked.
MS. KRESSES: Okay. And in that vein of teen
marketing, of teen websites, Guilherme, do you think
that there is leeway within the actual knowledge
standard itself to deal with sites that target kind of
above and below that line?
MR. ROSCHKE: Well, I think that when you're
looking for -- you know, actual knowledge is a factual
determination, and one of the facts that would weigh
into that fact is that your website is attractive to
children, and so that would be part of the information
that you have when you're coming up with the knowledge
of the age of somebody on your website.
You know, other information would be things
like, for example, if somebody's visiting your website
with a kid-oriented browser, you know, that is
information that's available to you that you can use to
determine their age as well, and it could be part of
your actual knowledge determination.
MR. QUARESIMA: I'm sorry. Phyllis, you had
1
05
something? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. SPAETH: Yeah. I'm sorry, I don't want to
just toot CARU's horn, but I will say that since we
started looking at websites -- and I'm telling you, we
haven't really gone to adult-oriented websites, we've
done what I've said, which is look at teen-oriented
websites or things that we know that kids are interested
in.
We've done over 200 cases, and I would tell you
in the last year and a half, we have, I think, 25
reasonable knowledge cases, and everybody that we've
contacted, 95 percent or over, have agreed to make the
changes. And anybody can argue, yes, kids lie, and
that's a whole other thing that we have to deal with.
I'm the first one to say that, because I believe most
self-respecting 8-year-olds, you know, that want to get
on the Internet know to say they're 13.
But right now, we can only do what we can do,
and I do think that the reasonable expectation standard
works.
MR. QUARESIMA: You know, I think I want to
expand upon that. I wasn't going to go here quite yet,
but let's -- since we're here, and we've heard a lot
about the concern about -- that kids lie. So, if one of
the big concerns we're dealing with is kids lying, is
1
06
some sort of constructive knowledge standard actually 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
more protective of their privacy or less protective?
I mean, is it really in their interest to have
website operators going around trying to root out this
information? And, you know, I think I'd like to sort of
have a general discussion on that. Maybe we'll start
here with Phil and then have people pipe in.
MR. TERZIAN: So, just to reiterate, is it more
protective to have the site operators trying to weed out
potential children who might have said they are either
over the age of 12 or maybe they weren't screened at
all?
I would first say that I don't think it just
applies to children, because if you're trying to figure
out how old somebody is and you don't know how old they
really are, you're suddenly trying to figure out how old
everybody is, potentially, on your site. I mean, I'm
sure most of you have used Facebook and have seen
people's profile pictures some used when they were
younger, some use their kids, you know, I don't know how
you deal with something like that.
I think it's a burden you might not want to put
on the site operators, but it might also, I would say,
reduce your expectations of privacy as a user knowing
that every site operator out there is trying to figure
1
07
out who you are. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. GREENBAUM: Well, I think also we have to --
you know, obviously raise this raises significant
constitutional issues as well. I mean, you know, people
do -- you know, adults, teen-agers, you know, they do
have the right or there is certainly many socially
beneficial reasons why people would go online
anonymously and look for certain kinds of information or
do certain kinds of thing online.
And I think we have to be sensitive to the
notion that, you know, operating in a digital world,
operating in virtual words, this is part of what it
means to grow up today, and we have to figure out ways
that are going to allow kids to do that and allow kids
to practice for some of that, you know, building certain
types of relationships online as well. And those are
important things that could be lost if we took a
standard that was overprotective.
Of course, the standard is not constructive
knowledge, it's actual knowledge, and so it would
require, I think -- you know, I don't think that that's
something that can happen at the Commission, you know, I
think --
MR. QUARESIMA: I think that's right, yeah.
MR. GREENBAUM: -- but I do think -- I still get
1
08
back to I think that we keep getting the two issues a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
little bit intertwined, and I think that they are very,
very different. I think actual knowledge is specific.
I think that directed to children as a website -- I
mean, I think that what -- you know, Phil's point, which
is I think a very nice one, is that when you look at
directed to children in a rational way, you know, it may
just not mean -- it may mean many more things than some
people have understood it to mean.
And I think that CARU's very important work in
looking at teen-directed sites that are also very
attractive to young kids doesn't require any, you know,
rejiggering of the statute here or rejiggering of the
rule. It simply means for us to rethink or think a
little bit more deeply about what does it mean to be a
website directed to children without having to work with
the actual knowledge standard.
MR. QUARESIMA: Gwenn?
DR. O'KEEFFE: Well, you know, it may be that
instead of going -- you know, "constructive knowledge"
may not be the right phrase. It may be that we actually
have actual knowledge about kids by the way they post.
We just may need a better reporting system, because I do
agree with Parry that kids lie all the time, but younger
kids typically don't lie about things that they love to
1
09
tell stories about. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, if a kid is really excited about a fifth
grade field trip and they're sharing that wall to wall,
they're going to be factual about that, and if somebody
wants to report that, they may need a way to do that,
and then we could argue maybe that that is actual
knowledge. And right now, that can't be used.
So, maybe we just need to be more realistic
about today's sites and what sites kids are on and how
they're using information about themselves and what
information can be used for people to report, "Hey, I
know this kid is on that site." And we haven't even
gotten into the reporting of who was on these sites.
That's a whole different issue that we should probably
address, too.
But kids do often give away who they are. You
know, sometimes they fudge, and sometimes they, you
know, love to tell big whoppers, but, you know, a kid
will often, you know, give enough clues of who they are,
because that's who they tend to be. They tend to wear
their hearts on their sleeves that way when they're
talking to each other and they're really getting into,
you know, a nice little trail of -- a nice little peer
group, especially the younger kids, because the younger
kids stick together on Facebook and the social
1
10
networking sites. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. BURR: It's not a requirement that if
somebody reports it, why couldn't you use that
information?
MS. KRESSES: That is in the statement of basis
and purpose, that that is one method, and certainly it's
there, but I guess that leads to, you know, a sort of
finite question of what sense do any of the panelists
have of how easy it is for parents to report children
being on a site where they don't want them to be and how
responsive are the online services?
DR. O'KEEFFE: Well, it's easy to find the link
to report. I went on yesterday to both MySpace and
Facebook. MySpace's reporting links are right there on
the site. Facebook, you have to go to the help center
and then dig a little bit, it's a little harder, but if
you find the link, up comes a nice little form you can
fill out and there it is.
But I hear consistently from parents that
getting -- and actually, MySpace actually will take
you -- walk you right through, how do I delete my kid's
profile? Facebook, though, basically says if you want
to delete your kid's profile, talk to your kid, and then
if you need to reach a live person, parents will tell
you it's impossible, you know, and that's the issue,
1
11
that if you want to get response back, you can't find a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
person. There's no 800 number, in other words.
MS. KRESSES: And, Phyllis, from your
perspective, going beyond Facebook and MySpace, do you
have any sense of how difficult or easy it is for
parents?
MS. SPAETH: Absolutely not. Nobody has ever
complained to us about that, and I think that's very
interesting.
MR. QUARESIMA: Christine, I think you had
something you wanted to add?
MS. JONES: Well, this is where the people who
answer their phone 24 hours a day come in, because it is
absolutely impossible to get a live body at Facebook.
It just is. You just cannot get a person on the phone,
which is why, when you answer your phone 24/7, you end
up with all the lunatics calling you making complaints.
No offense, parents.
But I don't think -- we cannot lose sight of
your really, really, really good point on the CDA,
because if you start ascribing that responsibility to me
just because I pick up the phone -- and it's all
user-generated content. I didn't put that content out
there, folks. Some 8-year-old did, and, parent, why
don't you go figure out what your 8-year-old is doing?
1
12
I'm sorry to be so blunt about it, but come on. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
We know kids lie, we know they're under 13, and we know
you're -- they're giving the website actual knowledge.
So, why don't you figure out what your kid is doing
online instead of calling me and telling me it's my
fault.
I'm sorry, I didn't mean to get all emotional,
but wow.
MR. QUARESIMA: Interesting point, but I -- you
know, here's a question.
MS. JONES: And she brought up the CDA, so it's
her fault.
MR. QUARESIMA: But it raises an interesting
point. In this online environment where you have tens
of millions of users of a service, all right, you know,
and somebody has reported in some way, all right, a
parent, that my child, all right, has put this
information out there, all right, and does that trigger
actual knowledge on the part of somebody who is
collecting the information? In this case, collecting
can also mean providing a forum for disclosure.
So, I think, Jeffrey, you had some points.
MR. GREENBAUM: Well, I think there are also
important lessons to be learned from the DMCA as well,
and, you know, I think the DMCA was enacted right around
1
13
the same time as COPPA, and the DMCA made very, very 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
different choices. I mean, the DMCA has both an actual
knowledge standard as well as essentially a constructive
knowledge standard. The constructive knowledge standard
of the DMCA doesn't really work, doesn't really provide
any useful guidance. It's a very, very difficult thing
to apply, and I think that, you know, I think the lesson
of that is in the context of this very, very big online
world, you know, the constructive knowledge standard
doesn't or the red flag standard doesn't really work.
On the other hand, the actual knowledge
standard, combined with a procedure that enables someone
to send a take-down notice, enables someone to contact a
website and say, "There is infringing content online,
and it's mine and you should take it down." It's
something that operators have been able to implement.
Look, it's not without its challenges, it's not
without its gray areas, it's not without its
difficulties. I mean, when you're talking about a very,
very big website, a very, very big social network that
has huge amounts of content, there's enormous costs
associated with it, but it is a way that we have been
able to make a certain choice, that's been able to
address an issue in a certain way, and I think that
there is no reason that -- there is no reason to believe
1
14
that, you know, websites couldn't do something similar 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
in a privacy setting where they were given -- where
there was certainty and there was a procedure in place
that both allows the internet to continue to develop and
allows these sites to continue to develop, but gives
parents the ability to get information and to make
certain choices for their kids.
MS. JONES: Could I touch on that real briefly?
MR. QUARESIMA: Okay, okay, quickly.
MS. JONES: Just quickly. About ten years ago,
we wrote -- I/we wrote a mirror policy for trademark
infringement exactly mirroring the DMCA. Today I look
at other people's websites, I see it everywhere. It
works really well. So, I think Jeff's point is great.
Let's all go write a similar thing for parents to make a
report, we will go take them down like the DMCA, but
we've gotta have a hook, right? I have to have
something that makes it illegal in order for me to do
that. So, let's do that. Totally outside of this
panel, but let's do that, too.
MR. QUARESIMA: Well, it may not be outside of
this panel. I mean, in examining the statute, it might
require a statutory change. It also could be possible
to do that by the regulation, but let me turn to
Guilherme, because I think he had something to say.
1
15
MR. ROSCHKE: I think we should look back to -- 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
you know, one of the goals here is to put parents in
charge and put parents in control, and so there's this
notice system, and we're all concerned about how can we
make the notice work better. But I think the FTC should
seek comments on the ways for parents to more easily
communicate this actual knowledge standard, the actual
knowledge that's required.
So, for example, you know, what if I could give
a device to my child and then program the device such
that the device would automatically communicate to an
operator of a website the actual knowledge that they
would need to comply with COPPA, and, you know, that my
child can lie, but then the operator can just trust the
signal from the device as opposed to, you know, whatever
my child lies about?
You know, I think there are pluses and minuses
here, and I'm not 100 percent behind it, but I think
taking comment on this would be really instructive about
a way to put parents in charge.
MS. KRESSES: That's a good idea for a panel
forward when we talk about parental consent as well, so
if we don't get to that sort of point, somebody remind
me.
MR. QUARESIMA: Becky, you had a point, too.
1
16
MS. BURR: I just wanted to remind people about 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Parry's point about, you know, being put on notice does
not necessarily mean that you actually have a child. I
am sure it's true that there are friends who are
reporting each other in that case.
I think, though, as I -- in thinking about this,
if a site says, "Here's a place to report an underage
person," then under the FTC Act, forget the COPPA, they
have -- they're making a representation that they are
going to investigate that and make a determination about
whether they have actual knowledge on that basis.
I don't think you could assume that just having
a report provides actual knowledge, and I don't want to
lose sight of the CDA point, but where a site says,
"This is how you report and we will take action," I
don't think you need to change the law to take care of
that problem.
MS. KRESSES: That seems like a good opportunity
to ask the audience if you have -- if anybody would like
to make a comment on these points being raised.
MR. NICHOLSON: John Nicholson. I'm with
Pillsbury -- the law firm, not the dough boy.
And we're going to cover this later on today,
but my real concern about the knowledge standard comes
through the definition of what is personal information
1
17
and the way that we're moving to aggregations of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
individually nonidentifiable pieces of information
creating a statistically significant profile that
individually identifies a person.
And if you move from actual knowledge to
constructive knowledge and you have all those individual
pieces of information and some researcher does an
analysis that says, "Oh, well, if you have hair color
and car and family income and these individual pieces,
you can actually individually identify this person, you
can pick them out in their zip code, and you can do --
create a zip-plus-four and you know exactly who it is."
And then, when you get to that, does that
suddenly become constructive knowledge? And if you've
collected all of those things, do you have to then go
back and say, "Oh, well, gee, we collect all that
information. Somebody's just proven that identifies
people. Do I have to go back and look at all my
information to figure out whether or not I've got any
under 13s?"
MR. QUARESIMA: Okay, I think I do want -- we
are going to actually address something like that very
soon.
Yeah.
MS. TAYLOE: Hi. My big issue is that we all
1
18
know that kids have gmail accounts, AIM accounts, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Facebook accounts, MySpace accounts. I mean, we
could -- you know, I'm just topping those off because we
all recognize the names. And so when is industry going
to get out of the way and actually let kids tell the
truth? Because industry is the one who's forcing kids
to lie, because if kids could tell the truth, I have to
believe some percentage of 11- and 12-year-olds would
not lie, would engage the parent, and would ask for
consent, and maybe we'd start getting out of the "there
is no methods for consent," because there would be a
reason to process consent.
MS. KRESSES: So, are you saying, Denise, that
if companies offered more opportunities for consent, it
would lessen the amount of lying and that --
MS. TAYLOE: Yeah. I mean, to get an iTunes
account, you have to be 13. So, if you're an app
developer and you build a game, you rely on the fact
that, well, the only way you can access my game is with
the app that you had to be 13, so I don't have any
actual knowledge, you must be 13; or lots of companies
that I'm dealing with that have contests and they want
the kids to upload a YouTube video, and they are
directing the kid to go to their YouTube site and upload
their video, but they can't have a YouTube account or
1
19
gmail account to do so. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, I know there are people who advocate kids
shouldn't be on social networks, but there are lots of
parents who want their kids to have a Facebook account
to talk to their cousin or talk to their father who's in
the military or whoever it might be, and the companies
themselves are making no attempt to actually allow a
child to tell the truth and then get parental consent
under some method that becomes reasonable and scalable.
MS. KRESSES: Becky, did you want to comment on
that?
MS. BURR: Yeah, that comes back to my point
earlier, and I want to say, I think that this is a
function of the difficulty associated with getting
verifiable parental consent, and if you had a world in
which there was a broader scope of safe behavior that
permitted a website operator to rely on notice to the
parent only, you know, an email notice, and that it was
the parent's responsibility to then come back to the
website or the child and say no, that's something that
could be automated; that would foster communication.
I think there are -- is some percentage of 11-
and 12-year-olds who would provide their parents' email
address for that purpose. So, I mean, my only -- I
guess my point is that it's not -- from a practical
1
20
standpoint, the cost of getting verifiable parental 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
consent is still expensive in this environment.
MS. KRESSES: And Gwenn had one thing to say,
then we are going to move on to another question.
DR. O'KEEFFE: Just very quickly. The other
issue is that while I don't disagree with you that a lot
of kids would be truthful, it's not so much a matter of
truthfulness. It's a matter of there's still a digital
divide and participation gap. So, even if we didn't
have the age issue and even if we didn't have the
verifiable parental consent and we weren't dealing with
COPPA, getting younger kids online with their parents
knowing how to have them be online safely for the 8- to
12-year-olds is very challenging right now, because
parents don't understand the technologies as well as
we'd like them to understand them, especially for social
networking and even for things like AIM, and I don't --
you know, texting and all of those things.
I don't disagree that there are probably some
kids who could handle social networking, but certainly
not Facebook and certainly not for under 13. I would
even argue 13 can be too young because of the social
skills that it takes to negotiate that site right now.
But there are some new sites coming out for that age
group that would be a wonderful social networking site,
1
21
and I think that we have to respect the ages of kids 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
online and help parents be online more safely and that
13 is still a reasonable cut-off for kids outside of the
scope of COPPA.
MR. QUARESIMA: We have a couple of questions
from the audience. Let's see, I'm trying to balance
this.
Let me -- I am going to give some -- give at
least another five minutes, if not more, at the very end
for audience questions, but I do want to try to reach
two other topic areas, and one of them was essentially
to address this other question that we had over here, is
that if, you know, as part of the process, the
Commission expanded the definition of personal
information to include other things, I mean, how does
that -- how does that impact the actual knowledge? Will
it be easier to show actual knowledge if the definition
of personal information were broader?
So, let me, you know, start with -- I think let
me start with Christine maybe, if you had any thoughts
on that, and then we will go to Guilherme.
MS. JONES: I'm not sure if I know the color of
your car or -- what was the other thing you said?
UNIDENTIFIED SPEAKER: Hair color.
MS. JONES: -- hair color, that I have actual
1
22
knowledge of whether or not you're 13, but there's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
definitely some combination of factors that I could tie
together that would make me believe that you're a
certain demographic.
I would be really careful about going too far
down that path, just because suddenly am I going to have
actual knowledge because some Google algorithm served up
an ad to somebody who's on my website because they -- I
don't know. There's just a ridiculous number of things
that are going through my head right now in terms of the
actual knowledge that could be ascribed to me because of
some algorithm that I'm relying on from a third-party
provider.
So, I would caution against making that too
broad and having too many factors that are going into
that actual knowledge, the definition of what includes
actual knowledge.
MR. QUARESIMA: Guilherme, go ahead.
MR. ROSCHKE: I think if -- once we start
broadening the definition of PII, which would start to
capture more behavioral advertising, it would certainly
impact the sorts of -- the actual knowledge and also the
directed-at-children determinations that are made. So,
the third party -- I think a third-party ad network that
promised to, like, deliver ads to someone under 13 is
1
23
likely saying that they have actual knowledge that these 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
people are under 13, and they arguably also fit under
the directed-at-children standard.
You know, actual knowledge can also be derived
from other age-related information, such as the grade
that people are in in school, you know, if you've got
them participating in a social group, such as the Cub
Scouts, you know, so an ad network collecting -- using
or targeting this information would qualify under actual
knowledge.
And, you know, lastly, you know, I think we
don't really have a directed-at-children panel, but, you
know, they would also be considered directed at children
under the traditional standards of the content, like the
creative content that they are using as a directed at
children or, you know, are the interest categories that
they're using directed at children, much like you have a
Barbie website be directed at children, the same with,
you know, an interest category of Barbie fans would be
directed at children.
MR. QUARESIMA: Okay.
MR. GREENBAUM: You know, what I would just say
there is that there is a big difference between actual
knowledge that personal information is being collected
from a child versus that you have the ability to
1
24
determine whether information is being collected from a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
child. I think that those are two, you know, extremely
difficult things, and I don't think that the statute,
you know, would -- the second would fall under the
statute, but also, again, I don't think it would be
workable.
And the standard I would, apply which I think is
probably the standard we should judge all of this by, is
the phone number when you call Phyllis and Mamie and ask
them a question of, "Well, what do we do here?" And I
think it's important -- and if someone hasn't mentioned
already, I wanted to mention, which is I think that this
is such a model of really great government, which is
this -- the service that they have provided and the
ability -- and what they have given in terms of, you
know, being able to call up, have these conversations
with someone, you know, not the sort of notion of there
is no one at the other end of the line, but someone who
is really actually helping you comply, I think it works
so well. And I just want to commend them, because I
think it's an incredible thing.
But I look at some of these things and I would
say -- you know, I would call them up, and they would
go, "Yeah, I don't see how we would apply that." So, I
think we have to have a Phyllis and Mamie panel which
1
25
is, you know, we'll ask them these questions and see if 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
they could actually give us an answer, and then we will
know.
MS. KRESSES: Well, that actually -- you know,
it's people like Jeff and Becky and lots of people I see
out in the room that, you know, have, you know, in some
way contributed to the process that we're in now,
because we are, you know, reaching questions that are
not simple, and they apply to a lot of people. And so,
you know, we thought this is a way to get at that.
But I want to turn the discussion a little bit
around and ask the question, assuming that an operator
really does want to use its best efforts to identify
kids on its service who are lying about their ages, does
the actual knowledge standard deter the best efforts of
these companies because they don't want to acquire
actual knowledge? And I was wondering if anyone would
speak to that.
Phil.
MR. TERZIAN: I'll take that one. No, I
don't -- I would say no. You know, we're part of a safe
harbor program, and no one's really talked much about
that yet, but it's also something that's commendable
that the FTC provides and that there's four great
providers in the room here as well, and it's part of our
1
26
program, and we focus on screening and registration for 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
both compliance, you know, we don't do it in a tricky
way to try to, you know, check if you're under 13 here
or over 13. We do it very neutrally, in line with what
the FTC has given guidance on.
I think that's consistent with the intent of the
law and the practical realities of trying to screen out
the children, assuming, as we all agree, that, you know,
not every child is going to tell the truth, but I think
that's the best you can do with it, is leave it the way
it is.
The other thing is, what can you do post
registration? You know, it's one thing to talk about
trying to determine how old someone is at a set point in
time, predictable, consistent, versus trying to figure
out -- there's been a lot of talk on it already, so I
won't go into it -- trying to figure out what someone is
saying later on that might give rise to something else.
You know, in the vast world of user-generated content,
it's a very daunting task to even touch upon on that.
MS. KRESSES: Becky, do you have any thoughts on
that?
MS. BURR: I guess if you ask -- I mean, if you
age-gate, then you -- let me step back.
I don't -- I'm not sure it's the actual
1
27
knowledge standard that is a problem here. I think we 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
just have to be realistic about what a website can
actually do in an automated fashion that doesn't
require, you know, thousands of people standing up and
looking at the information afterwards.
My sense is that there are a lot of sites out
there that are responsible and do want to identify
underage children and are using various tools to do
that. They're not fool-proof. But to the extent that
tools still require a human being at the end of the line
to look at them, that is difficult and expensive and not
particularly consistent with the economics of most of
the websites.
MS. KRESSES: And would it help if there were
some sort of safe harbor for taking an effort, that you
would not be, you know, punished for that effort? Do
you think that would be something that businesses would
be interested in?
Christine?
MS. JONES: Well, we always like a good safe
harbor provision, and we use them to great effect every
day. The DMCA is a great example. But I think the
answer to your original question here is no, absolutely
not. If we go out and tell website operators to collect
more information about kids so we can figure out if
1
28
they're kids, that is counter-productive, guys. That 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
specifically does not protect their privacy, right?
We're collecting more information when we should be
collecting less information. So, the answer to that
question is no.
What website operators can do if they really
care about protecting kids is look at the collective
data that you have. If you think it might be a kid,
don't serve up porn spam, okay? If you think it's a
kid, then don't give them stuff that kids shouldn't see.
I mean, really, if we're really trying to protect
children here and really trying to protect kids'
privacy, don't collect more data about them, and don't
show them stuff that they shouldn't see.
I mean, honestly, it's not that hard if you're a
good website operator. Most of the ones that we've
talked about here today, the big ones, are, right? This
is about the smaller, maybe less upstanding corporate
citizens that we're trying to talk about, right?
MS. KRESSES: That's your words.
MR. GREENBAUM: This was not a statute that was
designed to create incentives for websites to monitor
the websites. I mean, it's not like the CDA, which, you
know, certainly provided the ability of websites to
monitor and take action when it felt it was necessary,
1
29
and, you know, certainly I think that many companies 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
will be very, very responsive to -- if there were ways
that -- you know, that the FTC or Congress, if
necessary, provided the incentives or the ability of
companies to do more that they wanted to do, I think
many, many companies want to do that, and I think that
there are many people that feel constrained.
I also think we have to recognize that there is
a limit to what we can do in a rule or a statute. At
some level, I think there's lots companies can do, but,
you know, there's people -- the people at the other end
of the line, the parents are going to have to do it,
too, and I think that we all have to recognize as
parents that, you know, a lot of this and a lot of the
great work that's been done is about the education, and
certainly COPPA served that role, too, but really, it's
going to require some in-person monitoring, too, and we
are going to have to continue to balance the interests
here to make sure that, you know, we get the good parts
out of both.
MS. BURR: Mamie, I would be really, really
careful about a safe harbor here, only because I think
that, you know, applying a standard across a huge
variety of websites is very, very hard to do, and you
may end up with a sort of de facto minimum --
1
30
MS. KRESSES: Floor. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. BURR: -- that comes back to bite you when
what you've selected as the safe harbor isn't possible
given the site arrangement.
MS. KRESSES: Okay.
MR. QUARESIMA: I want to --
DR. O'KEEFFE: One quick point. I just want to
echo what Jeff said. I mean, education is ultimately
the bottom line, and I think parental empowerment -- you
know, no rule is going to be fool-proof, but I think we
can all agree that we can empower parents to be more
involved with their kids and we can all help to educate.
And I don't think any of us do enough to do that, and I
think all businesses actually should take a more active
role in education.
And I think if everybody reinforced the same
messages about online protection and privacy of kids,
independent of this rule, kids would be safer online,
and help parents do a better job parenting online. If
everyone does that, frankly, a rule is not necessary.
MS. KRESSES: Okay.
MR. QUARESIMA: Phyllis, did you have something?
MS. SPAETH: Yeah. I just wanted to say that,
again, the Net Cetera guide is incredible. I'm thinking
about Ad Mongo -- which doesn't have to do with the
1
31
Internet, it has to do with advertising -- but that's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
something that goes into schools. I think that a
program that started teaching in schools about the use
of the Internet, starting at a really young age, when
kids first go online, I think that would do more than
anything.
MS. KRESSES: Okay. So, we only have a couple
minutes left, so I would really like to -- we would love
to hear from people on the other side of the table, any
other thoughts about the actual knowledge standard or
questions.
UNIDENTIFIED SPEAKER: I have two comments, one
in regards to the constructive knowledge standard or the
directed-to-children standard. You know, I think the
flexibility in that standard that exists today is a good
thing for industry, and in particular, when you look at
the types of games on the Internet today, many of which
are not for kids, a lot of them are animated, have heavy
animation. I think the world is animated today. We're
living in an avatar world. So, I think the flexibility
there and the consideration of various factors is a good
thing, and that should certainly stick to the extent
that it can.
The second comment I have is really with regards
to actual knowledge, and I don't think that this was a
1
32
point that was addressed on this panel -- forgive me, I 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
walked out for a few minutes -- but that is the issue of
who has the duty -- now, COPPA doesn't have an explicit
requirement to screen for age in particular, but the
question is, who has the duty, when you've got these
devices which are Apple devices, okay, and you have got
the front-end platform, which is iTunes, and then you
have got the third-party developers, and then the same
thing is true -- so, if you have got the third-party
apps, the mobile apps.
The same thing is true in the Facebook world.
You have got the Facebook platform, as well as other the
social network platforms, and you have got the
third-party developer, games and whatnot, sitting on top
of that, and there is data being exchanged, right, and
there are assumptions being made as to the ages of the
user, and today, most of these third-party apps, whether
they're on the mobile devices or in the Internet world,
are really relying on the original entry point, whether
it's Facebook, MySpace, iTunes, to determine what the
age of the user is. Is that -- who has that duty?
Where do we see that going? And is there any guidance
that could come out of COPPA on that issue?
MS. KRESSES: Does anybody on the panel want to
touch that?
1
33
Guilherme. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. ROSCHKE: I think to the extent that each
one of them is an operator of an online service, each
one has to make their own determination of whether they
are directed at children or whether they have actual
knowledge. You know, the information that's flowing
back and forth between these services can add to the
actual knowledge determination.
If I have Facebook Connect on my website and I
use the information from Facebook Connect, then that's
part of the knowledge that I have about my users.
Likewise, if Facebook Connect is just -- you know,
without me -- you know, is sending the information to
me, I -- that's -- that's part of the information that I
have available to me that would go into my determination
of the age of my users.
MS. KRESSES: And does that -- you've both
raised a good point and something we actually wanted to
get to and just didn't have time, but, Guillerme, does
the services like the OpenID and Facebook Connect,
Google Buzz, does that -- if kids are aging up to set up
those accounts, does that complicate the actual
knowledge discussion?
MR. ROSCHKE: I mean, I think it complicates it
in the sense that it adds more information to the actual
1
34
knowledge determination. I don't think it complicates 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
it too much from the point of view of information is now
more hidden.
And then you also have the determination of, you
know, whether their operator -- you know, who is the
operator of the online service? I think it's -- you
know, we saw here in the earlier panel that there could
be more than one. So, it's -- I don't -- I think each
unit here is going to make its own determin -- have to
be determined separately.
MS. KRESSES: Okay. We have, like, one or two
minutes. Do we have any other questions? There's
someone right here.
UNIDENTIFIED SPEAKER: In terms of the actual
knowledge standard, there are a number of websites who
follow Phyllis' recommendation of trying to do more. I
would say that I'm aware of several companies who
institute neutral age screening, per CARU/FTC
recommendations, to try to prevent collecting personal
information from somebody who's a child.
Those sites typically report that 25 to 30
percent of their complaints from adults is that they're
age-screened out; they can't access the content; they
can't go to the shop. And it goes back to I think a
point several panelists made, that these are
1
35
interconnected issues, that the standard that you apply 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
in going beyond that standard imposes costs on a company
and imposes burdens on the consumer that you're actually
trying to target.
I'm curious if any of the other panel members
have experience or comments on that particular issue.
MS. KRESSES: Anybody have any comment? Okay.
And I think there was another question right
here.
UNIDENTIFIED SPEAKER: In a recent survey of
under-13s, where they were playing online, two of the
top games in the top five of under-13s were actually
games that were on the Facebook platform, so they
shouldn't be playing them. Is it fair that websites
that do ask for age and do accept under-13s cannot sit
on that platform? So, they are excluded from sitting on
the Facebook platform, where are the games are just
age-gates?
MS. KRESSES: Does anyone want to comment on
that?
MS. JONES: I'm not sure I understood the
question.
MS. KRESSES: So --
UNIDENTIFIED SPEAKER: So, the question is, on
Facebook platform, you're over 13, okay? So, the games
1
36
that are on there, a recent survey of under-13s, two of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the top games they were playing were on the Facebook
platform. Is it fair that games that do ask for the age
of the users and do allow under-13s are excluded from
that platform, which is a powerful platform?
MS. KRESSES: That's a great question. I don't
know that we have an answer, but --
MS. BURR: Actually, I think it is a really
great question, and it is a question where if you had
some differentiation, you could address that problem.
So, you have a platform that you're providing notice to
parents on about -- you know, an email notice about your
kid is doing this, and then there's some game or some
add-on or something else that requires a greater level
of sophistication or maturity, you can age-screen, and
you're not penalized down the line. So, I actually
think that there is a way to do it, but it involves
changing the dynamics about how hard it is to get
parental consent.
MS. KRESSES: And with that, we are going to
come back for Panel Four, which talks about parental --
Panel Three, sorry, and then later Panel Four. So,
let's break for lunch.
(Applause.)
(Whereupon, at 12:03 p.m., a lunch recess was
1
37
taken.) 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
1
38
AFTERNOON SESSION 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
(1:16 p.m.)
MS. RICH: So, welcome back after lunch. This
is Panel Three. My name is Jessica Rich. I'm Deputy
Director of the Bureau of Consumer Protection here at
the FTC. And this is Michelle Rosenthal from the FTC's
Division of Advertising Practices. We're going to
co-moderate.
So, this is the panel on personal information.
As you all know, the FTC issued its COPPA rule in 1999,
which is dated, as previously noted now, in what seems
like the dark ages in the online world. As part of this
Rule review, we're examining the rule's definition of
personal information. Does it still make sense?
Certainly the kinds of information that can be
used to contact an individual -- I'm having some trouble
with this mic -- okay, have changed over the last 11
years. Companies are collecting, retaining, combining,
using and sharing data in ways we never could have
anticipated a decade ago. The key question for us is,
what information permits the physical or online
contacting of a child under 13?
During this panel, we'll focus on the definition
of personal information, both in the rule and the COPPA
statute. As you may know, when promulgating the Rule,
1
39
we did not stray far from the definition in the statute, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
and as shown on the screen -- and I think each of you
has a handout -- the COPPA Rule currently includes in
its definition the following pieces of data:
First and last name; home or other physical
address, including street name and name of a city or
town; email address or a screen name that reveals an
individual's email address; telephone number; Social
Security number; persistent identifier if it's
associated with individually identifiable information;
or a combination of last name or a photograph with other
information if the combination permits physical or
online contacting; or information concerning the child
or his parents that the website collects from the child
online and combines with one of the identifiers we've
already listed.
In addition, Part (f) of the statute gives the
FTC authority to include any other identifier that
permits the physical or online contacting of a specific
individual. So, the big question is, what does it mean
to contact a specific individual?
In the past couple of years, we've had some
experience with the evolving nature of data and data use
and personal information and what that means in other
contexts. In 2008, in 2009, we issued a report and a
1
40
set of principles to address online behavioral 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
advertising. In that context, which is the use of data
to target personalized advertising, we said that the
traditional dividing line between personally
identifiable information, PII, and non-PII has become
blurry and may not make sense anymore, staring at the
person who wrote that report sitting right across from
me.
That's because certain data, once thought to be
anonymous, may no longer be so due to technological
changes, and just as important -- and this came up in
some prior panels -- little bits of anonymous
information, if pieced together, may actually become
personally identifiable once those pieces are put
together.
And we also -- we held some recent roundtables
on commercial privacy writ large, not just about kids,
and there we discussed the need to look at geolocation
data and static IP addresses and consider how those --
you know, how identifiable those pieces of information
are and how they implicate consumer privacy.
And just a few months ago, we expressed some
concern to Netflix that the release of large amounts of
consumer data that everyone thought was anonymous may
actually be reidentifiable given the state of technology
1
41
and the large quantities of available data that's out 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
there.
So, I imagine with this great group of
panelists, these issues are going to come up today, and
we want them to, but we need to remember and keep in
mind that the particular context and focus here is
children's online privacy and the concerns and
objectives that led to passage of COPPA and the
promulgation of the COPPA rules. So, we want to keep
bringing it back to that.
So, let me briefly introduce our panelists.
To my right, we have Maureen Cooney of TRUSTe, a
COPPA safe harbor.
We have Paul Ohm from the University of Colorado
Law School.
We have Sheila Millar from Keller and Heckman.
Michelle over here.
Kathryn Montgomery from American University.
Matt Galligan from SimpleGeo Company.
Jules Polonetsky from the Future of Privacy
Forum.
And Heidi -- is it Salow?
MS. SALOW: "Salow."
MS. RICH: "Salow," sorry -- from DLA Piper.
And Kathryn and Sheila, among others -- me, too,
1
42
actually -- have been members of the COPPA family from 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the very start, so they, along with Toby, who is still
here, and I'm sure many others of you can pipe -- oh,
Angela -- can pipe -- there she is, oh, yeah -- oh,
there you are -- can pipe up with a historical
perspective, when needed. So, let's get started.
So, we talked about the language of COPPA and --
of the Rule and the personal identifiers that are in
that now. So, speaking of historical contexts, maybe we
can talk about how we originally identified those list
of identifiers and what was the significance of those
identifiers. Some of them are obvious.
But, Kathryn, do you want to take that?
MS. MONTGOMERY: Sure. And it's really
heartening to see, you know, ten years later, how well
we've done implementing this law and how robust it is.
We were talking about words we weren't going to use
anymore, and we have had a very granular discussion
today, and as we all know in Washington, when we talk
about policy, the devil's in the details -- you didn't
have that on your list -- but, you know, it was a
challenge to do all of this.
I do want to remind people that -- and a couple
people have already mentioned it, maybe including me --
that we created COPPA and we advocates pushed for COPPA
1
43
because of concerns about digital marketing and about 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the need to ensure that there were some safeguards in
the new digital marketing environment, which was in its
earliest stages at that point.
And even then, we could see that the business
model that was governing most all of digital marketing
at the time was called one-to-one. It was the idea of
personalized marketing messages targeted at individuals,
and children were one of the most powerful, most
lucrative markets at the time, and there was an enormous
amount of energy and innovation going into developing
commercial applications aimed at children.
So, what we wanted was to ensure that there were
some safeguards, based on long-done studies, studies
over a number of decades, that showed that children
simply didn't have the developmental capacities, the
cognitive capacities, to deal with all of this and to
respond to many of the personal appeals, with marketers
talking at the time about wanting to develop
personalized, ongoing relationships between product
spokes-characters and children.
That was the one comment in a trade conference,
trade association conference, that just kind of hit me,
and, you know, it was an epiphany, and I realized, okay,
we need to do something to ensure that there are
1
44
safeguards. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, at the time, of course, children were being
mainly supplying information, and there weren't any
rules, it was like the wild west, so they were being
asked for all of this stuff. So, we wanted to specify
specifically what kinds of information would enable
marketers to communicate directly with them, but we were
also very aware at the time that the so-called passive
technological mechanisms for identifying children and
for collecting information from them -- at the time, I
remember one of the terms was mouse droppings, that one
seems to have gone by the way -- but it really was a
precursor -- I know, that's pretty disgusting -- but
that really was a precursor to what we have now with
cookies and other types of data collection and tracking
mechanisms.
So, what we see now -- also, the other thing I
just want to add here that nobody's really brought up is
that one of the goals of the law was to minimize data
collection from children, and often that gets missed and
people don't realize that that was one of the
intentions.
So, we're now at a time when the industry has
evolved, as everybody has been talking about, and I'm
pleased that the language in the law is flexible enough
1
45
to accommodate many of these new practices. So, it's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
very good that we're having this conversation today.
MS. RICH: So, does anyone -- so, we have
these -- the list -- is this one on?
MS. ROSENTHAL: Yeah.
MS. RICH: Okay. I seem to have trouble with
the mic today.
MS. MONTGOMERY: I thought we were sharing. Do
you want mine?
MS. RICH: That's okay. I can share with her.
So, we have a list of identifiers. Maybe we
could -- without trying to get too abstract here, maybe
we could talk a little about why these identifiers are
on this list, what characterizes them, which might help
us to determine whether there's things left off the list
or things that shouldn't be on the list anymore.
Jules, do you want to talk a little about what
it means to permit the online contacting of a specific
individual and why these identifiers are on it? And
maybe we can start talking about what else might fit
those criteria.
MS. POLONETSKY: Well, having still been in, I
guess, city or state government at the time of COPPA,
it's been a great experience to spend time over the
years with Parry and to hear from Kathryn and some of
1
46
the others who were so instrumental and with all of you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
at the Commission. So, the history of why and how one
picked these in those early days I'll leave to others,
other than they obviously are sort of the most obvious
subset of personal information.
But I think what has happened over the years
that has changed -- and I'm not sure this is something
that easily fits into the COPPA structure -- but what I
think has dramatically changed over the years, I think
in the time that these identifiers were selected, these
were the ways that, (a) you actually reached out and
touched somebody and visited them and, you know, called
them, visited their house, could contact them; and then
the second really interesting thing that comes along
with these sorts of things is they were the keys to all
the other data that's available about people.
And so by having a name or an address or a phone
number, the databases that are available for all the
other robust marketing purposes can be brought in and
queried. And if you didn't have any of those, it wasn't
really easy to bring in all the other data that's out
there online and offline.
I think what's happened on both those fronts --
the can I maintain a relationship with you and message
to you or can I correlate lots of other information out
1
47
there about you -- I think that's really dramatically 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
changed. It was always theoretically possible, but
today, it's par for the course for information to be
either deidentified or never actually identified, but
given that a user may show up and authenticate
somewhere, to correlate the other data that's available
about them, appending it throwing it over the wall,
leaving it on a cookie, and being able to maintain that
there's never been any identification, but yet, the
PII-connected data, all the other lifestyle stuff,
purchase activity, whatever it is, can end up being
available online, and, indeed, that's, you know, a
significant part. Technically, folks don't call it
behavioral. It's appending; it's adding data. It's not
necessarily your clickstream, but it's adding data.
So, to the extent that that was intended to be
the dividing line for PII or not, that's sort of long
been crossed. You know, around the world, folks argue,
"Well, therefore, it ought to be personal." I don't
think we've gone that far in the U.S., but clearly the
correlation of PII is no longer limited to PII.
Then I think the second thing that's happened
that has dramatically changed was you couldn't easily
maintain a relationship with somebody without them
identifying themselves in various places online or
1
48
offline and then correlating that, and today, whether 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
it's because of cookies, whether it's because of other
identifiers, I can maintain that relationship. That
wasn't that unique back then, but I think what's
happened today is I would have had to go to lots of
places and separately, you know, try to interact with
you. Today, because of ad exchanges and data exchanges,
I can maintain state with one user across websites,
across end networks, across sometimes even devices and
platforms.
I don't see how easily, you know, we broaden the
COPPA definition because it breaks down on a lot of
these other issues around actual knowledge, around, you
know, being able to get consent, but it certainly raises
a whole host of marketing issues that, you know, Kathryn
just kind of put out there as, well, we wanted to deal
with those. There is today a whole host of marketing
issues that can happen quite discretely, as well as
maintaining a relationship and messaging the same person
over lots of places because of the way the technology
and the data use has evolved.
MS. RICH: Okay. So, you have put forward two
basic things, which is maintain a relationship and
correlating other data so that you can end up
identifying somebody. Keeping those criteria in mind --
1
49
and people can add to that or dispute that -- I'd love 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
to hear ideas about other data. I have my own little
list that I'm planning to get to, but better for the
panelists to toss it out, other data that may fit that
criteria that aren't on this list.
MR. GALLIGAN: Sure. So, I see three categories
of data, of identifiers, and I break them down as
exclusive, derivative, and additive. So, an exclusive
identifier is something that on its own can identify an
individual. That would be something like first
name/last name, physical address, telephone number,
Social Security number. Those are exclusive
identifiers, because without any other information, I
can find out the individual.
An additive identifier would be something like
with any one of those individual exclusive identifiers
or with multiple additive identifiers, I can find out a
identity. So, I can take -- let's just take
geolocation, for example, which is something that is
proposed. On its own, a coordinate doesn't necessarily
speak to who somebody is. It might speak to where they
are at that given time, but it also doesn't mean home or
work. It could mean anything. It could mean the coffee
shop down the street that they frequent. It could mean
the park that they like to go to. But just a coordinate
1
50
doesn't necessarily identify a specific individual. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
However, a coordinate attached to any one of
these other categories could better identify an
individual than even a physical address, because we're
going beyond an address to something far more specific
than an address. So, that's what I would consider an
additive identifier.
A derivative identifier is something we haven't
discussed, which is using a third party to identify a
person. So, Facebook Connect, for example. So, using
Facebook Connect, I can, let's just say, log in using my
Facebook identity, and it now generates an ID. If I was
a Web service using Facebook Connect to identify my
users, it generates an ID whenever I sign in. That ID
can be called using something called FQL, Facebook Query
Language, and by FQL, I can identify first name, last
name, gender, date of birth, address, anything that has
been allowed within FQL. And that's not necessarily
something that I own. I only own that ID, but by using
that ID, I can correlate that with any other information
that Facebook has on me.
And the same could be said for any API that has
personally identifiable information, be it Twitter, be
it Google's ID service, any of that. But that's I would
consider a derivative identifier.
1
51
MS. RICH: So, do all three classes of those fit 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the COPPA statute definition, which is an identifier
that permits the physical or online contacting of a
specific individual, or a subset?
MR. GALLIGAN: I think it just depends upon what
each one of them is. I think exclusive personal
identifier means that without a doubt, it does allow for
the contact, because you can find out anything else on
that list. Additive would mean that you would have to
have multiple sources to be able to get to that point,
but you could potentially get to that point if you had
multiple sources. Actually, I think derivative probably
is almost up there with exclusive, because most likely,
that information exists and resides somewhere else and
you're able to correlate that with something else.
But the additional problem with derivative is
that you question whose responsibility is it at that
point? Who's falling under the COPPA rule? Is it the
person that is collecting that identity, or is it the
person that "owns" that identity, meaning the original
service provider that actually has that information
stored in their database?
MS. RICH: Okay. So, does anyone else have
comment on the way he's characterizing this?
Paul?
1
52
MR. OHM: This is actually a comment on the way 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
you're characterizing things. Whenever people talk
about the COPPA family, I feel like I'm not quite a made
man yet, because I'm coming to this with fresh eyes, but
I think it helps me play the role of a judge looking at
this statute without living and eating and sleeping it,
as a lot of you have.
What I see when I read this statute is I'm not
sure that the language in (f), which is what you keep
citing to, which permits the physical or online
contacting, necessarily is the be-all and end-all of
what the FTC is supposed to regulate. I mean, I
understand that (f) is our guiding light, but the thing
I would say is if you look at the rest of the list and
if you look at Social Security number, in particular, I
mean, I think there is a judicial argument that we can
get some interpretive use out of why Congress included
Social Security numbers in the list, right?
What is it about a Social Security number? I
mean, there's obviously a lot of misinformation about
how secure it is, how sensitive it is, what it can be
used for, but the key attribute of a Social Security
number is it's the key to linking lots of different
databases together, right?
And so Congress, in its infinite wisdom, said
1
53
when we're talking about permitting the physical or 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
online contacting, we want to include Social Security
numbers because they're in this list of types of
information that are so linkable that we're going to,
per se, just add them to the list. So, I think
linkability has to be part of the Commission's charge
here.
I think the Commission has to look at different
types of information, and the Commission has to ask
itself, how linkable is this particular type of
information given what we know about the state of data
in the world, who holds data, the amounts of which they
hold data?
And I know one of the reasons I was invited to
be here is because I have done a lot of recent research
in reidentification. I don't want to monopolize the
microphone at this point, but I'm happy to throw the
proposition out there that the computer scientists have
recently begun to kind of chip away at this entire
construct, this idea that some pieces of information are
really, really, really linkable and some pieces of
information are not terribly linkable and we could worry
a lot less about them.
And if you are really aggressive about it -- and
I have been accused of being aggressive in the past --
1
54
there are lots and lots and lots of pieces of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
information that are much more linkable than we ever
realized and much more linkable than we realized in
1999, certainly. So, I have lots more to say about
that, but I will...
MS. SALOW: Jessica, this is Heidi. I will just
add one more thing. I liked the way you categorized
those three categories, and I think all three are
actually encompassed already in the definition. We
have -- I'm not sure if I am going to use the same
terminology, but the exclusive identifiers are the
obviously the individual data elements, right? We have
additive in (f) and in (g). And then I think we also
have -- what's the one, the reverse engineering?
MR. GALLIGAN: Derivative.
MS. SALOW: Derivative, we have that as well I
think in (f) and (g) built in.
And I also would agree with the linkage issue.
I would suggest that the way the definition is written
now actually leaves open lots of room for the FTC to
decide that there are other data elements out there that
can allow a company or a website operator to contact a
child without needing to even revisit. I think that
you've got the flexibility here to, you know, get in
line with technological developments, and I think that
1
55
was probably intentional. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. RICH: Okay, so -- oh, Sheila.
MS. MILLAR: I think that's right, and I also
think that it's important when we talk about any of
these issues that we keep in mind the greater construct
of the statute, because we need to talk about website
operators and online service providers and targeted to
kids, directed to kids, or actual knowledge about kids,
and the gray area, if you will, is in that
additive/derivative area where you don't know.
You might have an email address of an
individual. You have no idea that it's a child. But if
you've collected that at a kid-oriented website, then
you have kids' data, and you handle it appropriately.
I think to Kathryn's earlier point, one of the,
I think, important things to remember about COPPA is
that there was tremendous support by the business
community for COPPA, many of whom were active members of
CARU, as Phyllis mentioned, and who were living by many
of these rules -- not obviously in the same level of
detail or enforceability -- for a number of years before
COPPA was adopted.
And so for those kid sites, they've embraced
COPPA, they've lived by COPPA, they understand that
they're dealing with kids, and I think it gets harder
1
56
when you alter the definition, particularly if you're 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
going to expand the universe and expand the standard of
who knows what about you, you exponentially change the
burden, which is a very important issue, because a lot
of folks out there -- it's not that they don't care
about kids. Everybody cares about kids. Everybody
wants to protect kids. It's a matter of how do you do
it and what's a reasonable way to go about addressing
any issues to the extent there are issues?
MS. RICH: Okay, thanks.
Well, I wanted to get to sort of some concrete
examples, which I think people are dying to get to, and
the ones that we've certainly heard talked about today
and in comments, there's four different examples, and I
want to know if there's other classes of data we should
be talking about.
There's behavioral advertising, which has
already come up quite a bit today. There's geolocation
data, which Matt is dying to talk about. There's -- and
we are, too -- there's, of course, IP address, which is
constantly an issue that everyone wants to explore. And
there's aggregation of allegedly anonymous data, which
is a tall issue, as well as all of our concerns.
So, why don't we -- are there other obvious
categories of data that we should be debating today at
1
57
this panel? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MONTGOMERY: Can I --
MS. RICH: Yes.
MS. MONTGOMERY: I don't know if we have talked
about in-game advertising and avatars, but to the extent
that avatars are individually identifiable, I mean, we
would have to look more closely, but they do permit the
kinds of relationships and interactions and targeted
personalized marketing that this law was intended to
address.
MS. RICH: Okay, that's a great addition.
So, why don't we take these one at a time and
see where we go with this. So, why don't we start with
IP address, since it's the most basic, understanding
that IP address is actually collected far more than -- I
mean, it's collected immediately. So, we have got a
real issue about IP address, and if somebody would like
to just give us the basics on the theory as to why IP
address should and shouldn't be considered personally
identifiable information.
Paul?
MR. OHM: I mean, I can. And by the way, I
classified my research as a -- I'm an import/export
specialist. I was a computer science undergrad and then
a systems administrator for a few years and in that job
1
58
spent a lot of time living in the APACHE log files and 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
trying to figure out who was visiting the website for
what purposes, and I promise you they were all noble.
But the point -- I think this is commonplace to
everyone in this room -- is that there once was this
belief that IP addresses were these evanescent little
fragile bubbles that disappeared every time you hit
reload on your browser, and, of course, many, many, many
technological and organizational decisions have
conspired to make that really no longer true and that we
all know this, right?
Your cable modem is always on. Your DSL is
always on. Your computer with its DHDP settings is not
getting a dynamic IP address that frequently, and I'm at
the point now where my home computer has the same IP
address probably for months on end, at least the last
time I looked at it, and at work, it's even more
ridiculous. I'm basically always attached to a single
IP address.
So, the idea now is there is this very
persistent piece of information about your computer --
that's an important caveat, not necessarily you, but
your computer -- that, as you say, is promiscuously
handed out to everybody. So, the idea is that once you
have this IP address, you now have this fulcrum upon
1
59
which reidentification can occur, and if we attach it to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
a home address in this one instance and if we attach it
to a credit card in this instance and what you did on
Facebook last night in this instance, if you're a
savvy-enough data aggregator, you are going to be able
to use that one piece of information to correlate lots
of pieces of information.
So, what does this start to sound like? It
starts to sound like the modern Social Security number,
and what animated Congress to include Social Security
number in 1999, I'd submit, probably brings IP addresses
into a similar category, but let me have one important
caveat, and Sheila kind of made this point, which is we
can't break the Internet, right? And so you're right.
The APACHE log, for no pernicious reason, saves
IP addresses as soon as you install it. It seems like
it would be an unwise regulatory decision to then say
that anyone who collects IP addresses automatically has
to start worrying about COPPA, but my argument would be,
that's a matter for regulatory discretion and restraint
more than it is a hard question under the statute.
I would -- you know, I like to tell my students
when I see a legal battle which side would I rather
represent. Oh, yeah, I'll represent the side that
argues that IP addresses fit comfortably and squarely
1
60
within this list. So, then the question is, should we 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
really be putting this onerous burden on every website?
And I would say probably not.
MS. RICH: Well, let's get that answer. Should
we be putting this burden on every website?
MS. SALOW: I'm dying here, but I'll wait for
Jules.
MS. RICH: Kathryn first.
MS. MONTGOMERY: Age comes first.
Well, I think we need to always get back to the
goal of addressing marketing. So, if you look at how --
and you have to then look at contemporary business
models and the extent to which IP addresses -- and the
other things, and I think it's hard to talk about them
in isolation really, because that's not, in reality, how
they work.
It's a system of marketing that is designed to
identify individual consumers, and in the case of
children, then I think there is a burden, and I
understand as well that, you know, industry -- we did
negotiate with industry on a certain set of rules, but
there has been an understanding that the business
evolves, and those rules have to be updated -- in
response to your comment -- in ways that will really
meaningfully address what's going on.
1
61
So, for example, I've looked at some children's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
websites -- and we are going to be submitting comments
-- through the Center for Digital Democracy and the
Coalition For Children and Consumer Groups, where we can
see that children under 13 are on the sites that are
designed for them, parents may give permission, and the
privacy policy says we only do this and this and this,
but there is other evidence that suggests there's a lot
more going on there that may be enabling marketers to
personally market to individual children. And I'm not
certain that all of that's being disclosed.
MS. RICH: Jules?
MS. POLONETSKY: So, I mean, I guess one point
before we touch the IP address, which relates to it, you
know, it would be really interesting if what was here
was, you know, an identifier that's widely and globally
used, because that would include a lot of interesting
things, frequent flyer numbers. Social Security number
kind of comes with the government-backed you can't get
rid of it, this, you know, special category, this is
your passport number, and so forth.
So, I'm not sure I would look to it -- you know,
to make Paul's point, I think, you know, (f) perhaps,
you know, faints in that direction, although again, it
ends up being linked back to that tied with, you know,
1
62
PII. So, I think the statute and rule kind of push a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
little bit away from drawing the broad conclusion there.
And the second thing is, you know, Paul, in his
paper, does a great job of kind of looking at the scope
of research out there, and I think, you know, it's
certainly conventional wisdom in one part of the
community that just about anything when you've got a lot
of data or even not that much data can become
identifiable with enough rocket scientists or even maybe
with just enough smart people doing some work.
And if that's going to be the screen of, like,
whether something starts becoming verboten, we're
screwed, right, because the reality is that just about
covers, wow, everything that is out there. And to the
extent that we want to recognize that but yet give
people credit for not going ahead and trying to be
rocket scientists and come up with technologies -- and
obviously there are people doing it. There are people
fingerprinting browsers. There are actors around that
edge who are seeking to do so.
So, it's one thing, I think, to say, well, yeah,
if you're able to, if you're somehow managing to
accomplish this or you create a great likelihood or
you're going to publicly expose it, you know, in the
Netflix circumstance where there's, you know, reason to
1
63
say, well, wait a second, there is some risk or some 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
issue created, but if everyone falls under, you know,
the rule because of what is theoretically possible, I
think it really breaks the practical process.
So, bring that over to the IP address for a
second. Look, I mean, I think -- you can look at IP
address a number of ways. I don't know that anybody
would argue that if someone is using an IP address to
get your name and, you know, have it available next to
it, just using it as a substitute, you know, identifier
to hand around, that it isn't, you know, directly
linked, but in the reality of most circumstances, right,
it is either an item that with law enforcement or with
perhaps cooperation is sometimes -- maybe even often --
linkable to a person. So, I think let's take that over
there for a second and try and figure out, you know,
whether or not people are using it in a way that links
it to a person and pulls it into that category.
I think the second piece about it is it might be
a way that you can maintain state with users. So, it
might be kind of a really good cookie, right? It
frankly isn't as good as a cookie yet or you would find
most people using it. The industry is still using
cookies, A, because their technology is set up to do
that, and second, despite the messy frailty of the
1
64
cookie, it still is a bit more stable, it appears, and I 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
checked because one assumes with the increasing
stability of IP addresses and IP fixes and so forth, but
yet the most recent research, which isn't that fresh,
that I saw still shows that the average user can have,
you know, 10 or 12 IP addresses for whatever reason in a
month, and cookies end up being a little bit more stable
than that, although, frankly, probably not very reliably
good for more than another month, so as a tracking
device.
And then I think the third cut to think about
when you talk about IP addresses is does it allow that
correlation of non-PII, given that in the hands of some
folks, they do have a name behind it, and just like we
described the situation of a user coming to a site, you
know, registering, and the appended data being put over
on the cookie but no identification, clearly by working
with parties who have access, it can be a corrolator of
appended data.
So, I think when we look at these aspects of it,
you know, it fits in those buckets just because it has
this, you know, IP/IP. We spend so much time, I think
we ought to take a look at, you know, how is it being
used, how is it possibly, you know, going to be used in
practice, and then do these things fit into any of the
1
65
rules? I'd argue it's hard to easily fit it into the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
rules unless you're doing the more explicit PII and
linking things to it.
MS. RICH: Heidi?
MS. SALOW: Gosh, I have so many things, I'll
try to cut it down.
So, going back to what Paul said, I don't know
if I agree that the IP address is -- I don't know the
word he used, but pervasively, you know, shared in the
way --
MS. RICH: Promiscuous.
MS. SALOW: Thank you -- promiscuously shared in
the way that you describe.
MR. OHM: I just meant between computer and
website. I didn't mean among website.
MS. SALOW: Okay.
MR. OHM: No that you're giving it on every
single packet.
MS. SALOW: So, I think there's a perception
that that's happening, but I don't think it is from what
I know. So, that's one point.
The other point -- two other points: I'll go
back to what I said before, which is -- I'm too much of
a lawyer, I guess, but I keep looking at this
definition, and I do think that what we're
1
66
contemplating -- I agree that an IP address, when 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
combined with other information, can make it personally
identifiable. I mean, I think it would be really hard
to argue otherwise. You can certainly attach a computer
to a person, okay? And I think this definition is broad
enough to encompass that.
It says a persistent identifier, and especially
when we're talking about iPB6, okay? And then it says
"such as." Well, the "such as" is just an example,
right? It's -- so -- and then if you combine that with
(g), and then if you look at the statute which gives the
FTC authority to expand, I think you can still stay
within the confines of this idea that it needs to be
linked, because what I get concerned about -- and I know
a lot of companies are concerned about -- is if you
start calling an IP address, in and of itself,
personally identifiable, the ramifications are going to
be huge, and it goes well beyond COPPA, well beyond.
I just -- it's really important to think about
that. It's going to have huge implications for COPPA.
For example, if you want to talk about real world
examples, what that would mean is that the second that a
child goes to a website, the second they go there and
look at content, if the server is automatically
collecting the IP address, which is a normal function,
1
67
okay, of servers, at that point, does that mean that the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
site has already started collecting personal information
and has to then obtain verifiable parental consent?
What if the child is just, you know, browsing?
What if the child, you know, does not intend to go on a
blog or chat room or any of the above and they're just
looking at, you know, a picture or a game or, you know,
whatever, educational content, free content? There's a
ton of these sites out there. I'm telling -- and I've
polled people, and it will shut those sites down. It's
going to shut down the mom and pop sites. It's going to
shot down the not-for-profit educational sites if they
suddenly have to start worrying about COPPA when they
have never had to worry about it.
So, I just -- I really want to make sure that we
are -- you know, we can talk about sort of black letter
law, which is one thing, and we can debate about whether
an IP address, in and of itself, is black letter law PI,
but then, of course, we do have to talk about -- let's
talk about what that means in the context of not only
this set of rules, but in the context of other privacy
laws as well that could potentially be expanded down the
road.
MS. RICH: Well, relevant to your point, you
know, it's clear that everyone thinks when it's -- when
1
68
there's linking, it's frankly already covered and should 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
be covered, but what about -- is there some sort of
distinction -- and this is relevant to your point --
beyond linking about use?
I mean, Jules was suggesting that there's a use
component here that changes its nature. So, the
difference between the automatic transmission that
happens and retention, the use, the sharing. Is there
something around that that could make an IP address a
reasonable item for this list?
Anyone? Maureen?
MS. SALOW: Collection versus the use, yes.
Sorry, go ahead.
MS. RICH: Maureen?
MS. COONEY: Thank you. I think you hit exactly
on the point that we're concerned about as a safe
harbor, and I think probably the other safe harbors
would share that same concern, but as Jules, I think,
did a lovely job explaining, it is the linkability, but
it is the use. How do you do or design a compliance
program that keeps people attentive to what the purpose
of the statute was, which is to protect a very
vulnerable class, children, and really protect their
privacy? And it is about, you know, how that
information is used.
1
69
So, where's that IP address get you? What other 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
information is linked to it? And is the notice being
given in a vibrant enough way to tell the parent exactly
what is happening with that distinct identifier?
I think we looked at IP address and didn't
initially think that that should necessarily be
included, you know, as a rote or a default PII
identifier, because still, while you can attach it to
some individual children, there may be other members of
the family that are being -- so, if it's for behavioral
advertising that that IP address is facilitating
marketing, you know, to a particular IP address, it
isn't necessarily a particular child. It could be other
members of the family. It could be other children.
So, I think we -- you know, it is a matter, as
Paul said, of seeing how sophisticated are we as the
technologies evolve? What can we monitor? That's what
we look at. Can we monitor what the use is attached to
that IP address?
MS. RICH: Okay. So, we need to move on to
behavioral advertising, but I think we would be
particularly interested in comments on IP address and
how one could get at a standard -- you know, if people
think that's a good idea, that somehow links up to use,
that doesn't just say, "Trust me," you know, because it
1
70
has to be something that can be objectively measured and 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
doesn't just have the FTC and parents relying on how the
company decides to use the information, because that's
not protective enough. So, let's move on to behavioral
advertising.
So, behavioral advertising is an example of IP
address plus, and the question is, is data that may not
be personally identifiable in the traditional sense but
is used to target ads, would that be covered by COPPA?
And, Jules? Kathryn? Anyone else?
MS. MONTGOMERY: I'll jump in.
MS. RICH: I thought you would.
MS. MONTGOMERY: Okay. I would say yes. I
mean, my immediate response is the very nature of
behavioral advertising, and certainly the direction it
is taking toward personalized advertising, and if you
look and monitor the literature in the industry, this is
how the marketers are promoting what they're able to do
to deliver communications and establish relationships
with individual consumers. To the extent that that's
happening with children under the age of 13, I would
argue it fits under COPPA.
And I think, again, one of the problems for --
especially, I think, with behavioral advertising,
behavioral targeting, is that there really is not
1
71
sufficient transparency as to what's going on. You 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
know, it's not something that parents are necessarily
going to be able to tell, and I'm not even certain how
the FTC monitors this kind of thing, because it -- you
really do sort of have to trust that you are being told
what's actually happening, because where I'm finding
most of the information is from all of the other
literature in the field that describes what goes on in
many of these places, as well as promotional materials
for specific websites and content areas designed for
children.
MS. RICH: Jules, is the targeting of an ad
contacting a specific individual and can it be
correlated with other data, which is your other test?
MS. POLONETSKY: So, look, I mean, I think that
there's a problem that everyone wants to solve, and
whether squeezing it into the, you know, COPPA framework
is the best way to do it, I agree with Kathryn that we
shouldn't have, you know, kids being tailored with ads
that are going to be persuasive to them based on the
previous websites that they've been to.
Generally, that's not happening in the industry,
with the caveat that very often -- well, in ten years of
my experience, I've come across a couple -- and usually,
the reason it was there wasn't because somebody was
1
72
intentionally looking to create a -- you know, a profile 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
of, you know, here's this 6-year-old's surfing habits,
he'll click and he'll buy stuff. That's just not an
appealing audience, and at least most sites kind of got
the sense that tykes -- you know, junior ought not to be
there.
But what ends up happening often is you do a
deal with an ad network and you put in your 32 sites, as
one being bulk, and nobody says, "Oh, it's nonpersonal,
so nobody is going to talk about, you know, kids'
privacy." And so this small underage site ends up being
lumped in because the ad network doesn't have a way to
serve ads and not take the data.
So, over the years I have certainly seen, you
know, sites just inadvertently or because nobody had the
interest or capability of carving it out, throwing in
kids' sites, but generally, there isn't a big market --
in most of the leading ad networks, you can't go in and
buy the underage audience.
Where there's obviously gray around the edges is
that tween audience where there isn't clear personal
information being collected. The only information they
have about the age ranges are the services or, you know,
based on their marketing information. They've got some
big chunk of parents, and boom, there's a site in there,
1
73
and there are obviously some kids. And, again, they are 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
not collecting personal information, how you would
appropriately carve out the necessary audiences.
And so I think this is an area where, you know,
industry, when it did, I think, a fairly reasonable job
at putting together the behavioral advertising self-reg
rules, didn't nail it, because on the kids-related
marketing piece, they kind of stopped with, well, if
it's covered by COPPA, good, and if it's not, it's not,
when the reality is most folks aren't doing it. They
could have and should have taken off the table treating,
you know, a site that has a large audience of kids as a
profile that ought not to be created, just like other
sensitive information was excluded.
And so I think that would be an easy win for
kind of the industry to do, for the kind of marketing
practices to kind of get to. I don't see how, you know,
it fits easily into the COPPA bucket. It's just a
marketing thing that easily should stop. Most people
aren't doing it. It just ends up being, you know, let's
debate the tween piece, where I think there's
disagreement, or the teen piece, where I think Kathryn
and others have said, "Well, I don't even want them
advertising to teens." So that's where there's a
debate. There ought not to be a huge debate, but yet
1
74
it's not off the table technically under anybody's, you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
know, practices, so...
MS. RICH: Well, why doesn't it fit into COPPA?
First, does it enable you to contact a specific
individual and does it satisfy the goals of COPPA? So,
we've talked about the goals all day, which is to give
parents more control, to protect kids, and, you know, to
reduce information collection from kids. I mean, would
covering this targeted advertising serve those goals?
MR. GALLIGAN: So that the question I think that
was originally posted was, does this constitute contact?
So, is simply delivering an ad to a child, knowingly
delivering an ad to a child, constituting contact? And
specifically as it relates to behavior, I think part of
what was discussed earlier was the transparency as to
whether or not it is behavioral or contextual
advertising.
And, you know, contextual advertising is no
different than a marketer wanting to advertise on
Disney, you know, so I know exactly who the audience is.
I know that when I'm getting ready for putting an ad buy
out and I want to do an ad buy on Sunday morning
cartoons, I know exactly who I am marketing to. And if
I am doing the same thing on a website, I am
specifically targeting a specific group of individuals
1
75
based on the context. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Now, understanding that, how do you define the
differences between the kinds of ads that are delivered
based on behavior versus context? Because presumably
they may be the same thing. And then as an outside
party, how do I determine whether or not that was
through behavior or context?
So, as a website serving up those ads, does the
responsibility lie that if I am providing contextual
ads, that I'm not contacting an individual, but if I'm
targeting those ads, that I am contacting an individual?
And actually, I think the line is so blurred there that
to define serving an advertisement as contact, that is a
disingenuous thing.
MS. RICH: Well, except that there may be a
difference in what's collected from kids.
MS. SALOW: And that's what I was actually going
to say. I was going to say, to add to what both of you
are saying, there's a distinction between contextual and
behavioral, right, so we can make a line there.
Contextual I think of as being sort of like a push
versus a pull, right? So, you're pushing out content to
everybody equally, just like you said, based on where
they are, what website the computer is visiting at that
particular moment. Pull is you are -- I think you can
1
76
make a distinction, are you pulling personal 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
information, however you define that, to determine what
ad gets delivered?
In my mind, I think that does very clearly
already fall under COPPA. I think that that's
already or should already be governed by the COPPA
rules, because you're collecting the personal
information from a child. Again, then we get into the
actual knowledge standard, but you know it's a child,
and then you decide to send an ad. Why wouldn't that
already be covered by COPPA?
I think where it gets much grayer is the
contextual advertising scenario where you're not pulling
personal information from the child.
MS. RICH: Let me just ask Maureen, who's
probably addressed this in her self-regulatory
standards, to comment on this.
MS. COONEY: We think it could already be
covered by COPPA, not just under (f), which is what
we've been talking about, but under (g), which is so
broad, you know, information concerning the child or the
parents that's collected. So, I think it could be
there.
In the area of behavioral advertising versus
contextual, I think we find in programs that we're
1
77
developing around behavioral advertising that there are 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
ways of monitoring, you know, whether or not advertising
was delivered in a behavioral targeted means rather than
contextually, and there may be additional ways that
industry will be adopting, through meta data taking and
other mechanisms, that programs like ours and others
will be able to monitor. So, we think it's important.
And then to the underlying issue of what's the
impact on a child, you know, the fact that profiles can
be built about children, delivered to them at a young
age, and then built upon as they're maturing, is that
fair? Isn't that fair? What does it -- I mean, how
does that impact them? We think that's very important
privacy-sensitive information that should be protected
and can be under COPPA.
MS. POLONETSKY: So let me just note, though,
that it's not necessarily a behavioral distinction that
we're kind of really talking about as well, right?
Behavioral is where and how I come up with the
assumption that this is a kid. So, that could be
because I'm at this kids' site or I've been at many
kids' sites, or it could be because I registered
somewhere else and, you know, this fact is now appended.
What we're really talking about is the cookie,
the IP, the identifier. Once we've decided this is a
1
78
kid and we've attached it to this identifier, this 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
identifier is something that now can be presented when
the user shows up in lots of other places, where they
don't necessarily present their name, and so I think,
you know, that's kind of the real question.
You know, the reason contextual is different is
because I'm not in any way doing anything about a
specific, you know, user. I'm saying "Put this here" as
opposed to "I can reach you and continue to market to
you as you go elsewhere," right?
MS. MONTGOMERY: Right, and retarget you and
tailor the advertising to you as a specific child, and
that's precisely the kind of thing we're concerned
about.
As to the monitoring issue, I am glad that you
are monitoring. I would hope that this information
could be made widely available. I know you can't always
do that, some of it's proprietary, but, you know, I
don't have a whole lot of confidence sometimes when I'm
just looking at a website and a privacy policy that the
marketer is engaging in practices that are completely
free and clear of, you know, of COPPA. So, I mean, I'm
glad you guys are around that. That's, I think, one of
the really good things about COPPA, is the safe harbor
provision and the combination of the government
1
79
regulation and the self-regulation and the education 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
that has to go on.
I don't see why we can't -- it seems to me
behavioral -- I'll get back to it again. Behavioral
targeting is included. I don't believe it's being done
in a widespread way -- you're right, Jules, I think
that's true -- with kids under 13, but I don't see why
it can't be clarified at this point in the rules and
just, you know, have us reach an understanding.
There are some areas that we're talking about
now where you'll have to kind of spell out when it
applies and when it doesn't, but I just think it's a
really important -- if there's one important message I
would like to make today, it's that these kinds of
business practices need to be effectively addressed by
the current law that we have on the books.
MS. RICH: Okay. So, let me take this one
question, then we are going to move on to aggregation.
UNIDENTIFIED SPEAKER: It feels like we're
putting the cart before the horse a little bit here,
because we haven't really -- you know, as the FTC has
addressed on a number of occasions, we haven't really
come to a conclusion about behavioral advertising in
toto and how it's going to be regulated and how it's
going to be governed, and in the absence of that
1
80
overarching framework, it seems kind of premature to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
say, "Okay, we think behavioral advertising is an issue,
let's address it under COPPA," when we haven't looked at
how it's going to be addressed overall.
If we look at how it's going to be addressed
overall, then we can look at that and say, "Is there
something about that overarching framework that is
insufficient as it's addressed to COPPA but not the
other way around?"
MS. RICH: Your point is well taken, except that
here we're dealing with a statute and a congressional
intent, whereas in the behavioral advertising context,
it is still policy work that we're encouraging
self-regulation. So, there is a distinction there, but
I understand the relationship.
Sheila wanted to make one quick comment, and
then we need to move on.
MS. MILLAR: Yeah. I think when we talk about
online behavioral advertising, it's important to make
not only the distinction with contextual advertising,
but the underlying concept of OBA is across unaffiliated
websites, and I think there is a vast difference between
information collection practices by what we call
first-party website and those unaffiliated websites or
ad networks that are serving targeted advertising.
1
81
So, I think when we think about the framework of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the statute, we not only have to think about,
definitionally, whether it's an IP address or linked
information, aggregated information, and whether it fits
under (f) or (g). I tend to agree with Maureen, I think
it's more likely under (g). But we need to keep these
distinctions between the entities involved, because
depending on how we define these issues, I think a
number of us have said we're going to break the
Internet. We don't want to do that.
We need to find what we agree on, what's
potentially harmful to kids, what's appropriate business
practices, in order to maintain a vibrant Internet, and
then figure out how to manage it in a rules setting
within the framework of the statute.
MS. ROSENTHAL: Okay. I think we're going to
move on to what I like to call the Paul Ohm section of
the panel.
MS. RICH: But others can talk.
MS. ROSENTHAL: No, just kidding.
So, we talked a little bit before about the
aggregation of allegedly anonymous data, and here we're
talking about data points that in and of themselves are
not identifiers, are not -- what was the term we used
previously? -- exclusive -- what was your term, Matt?
1
82
MS. RICH: Exclusive. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. ROSENTHAL: Just exclusive identifiers,
okay, but that together, when combined, could identify
an individual. And, you know, Jessica talked a little
bit about Netflix as an example, and there has been
concern in the past about AOL, when they released data
that, you know, each data point in and of itself was not
identifiable, but together they were.
So, I want to make a quick distinction. In the
behavioral advertising report that Jessica mentioned
earlier, we did away with the PII versus non-PII
distinction, and we said "data that reasonably could be
associated with a particular consumer." Here, in Part
(f), we have the word "permit." And so the question is,
is that different? Is there a different threshold here?
Because "permit" means to make possible.
Paul?
MR. OHM: Yeah. So, "permit" is a fascinating
word, and I think we should spend a little time on it.
I wanted to start by clarifying a point, for those of
you who haven't encountered all this research, that I
think is really critical, which is Jules used the phrase
"rocket science," and what we are learning is this is
anything but. And so what I think astounds me most
about the research coming out of computer science is
1
83
every time a supposedly "anonymized" database is 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
reidentified, experts -- I don't mean casual
observers -- experts in the field seem surprised by how
quickly it's done, how cheaply it's done, with what
rudimentary tools and techniques, the slowness of the
computers that are used, so that Tonia Sweeney, who had
a landmark study, used VISUAL BASIC, I think, which if
you know anything about coding, is cause for derision.
We are not talking about rocket science.
And more to the point, I think that over the
next five years, we're going to see that this trend
accelerates, that as computers get faster, outside
information gets richer, and what we have to understand,
it's all about the outside information, that we're going
to slowly but surely recalibrate our intuitions and
we're going to slowly but surely just lose the faith
that we have in "anonymization" today, okay?
So, what does this mean? This means that in
today's conversation that we're having on the panel, I
think we keep really bouncing back and forth between two
questions, which are very different. Question one is,
does the FTC have power underneath the definition in (f)
to extend the regulations to things like IP addresses?
And I think unequivocally the answer to that is yes. I
absolutely think it is. And you will have an amicus
1
84
brief written by me and my students when this gets 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
litigated someday in federal court.
But if the question is "should" we include
things like IP addresses, then I'm right on board with
Jules and Heidi and everyone else who's talked. You
know, it's the classic, with great power comes great
responsibility mean, right? So, the idea here I think
is it's a really dangerous thing to tell a federal
regulator, which is, "You now have the power of God.
Any piece of information out there that you want to deem
suddenly within this regulation, you have a very
colorable argument, based on lots of recent computer
science, that you have the power to do it."
And so then it gets to questions like, well,
then, should you and how are you going to break the
Internet? So, Heidi's point was we can't include IP
addresses in the list, because then every website will
be covered, but of course not, because we still have the
knowledge requirement, right?
MS. SALOW: Yeah, but that's a whole other --
MR. OHM: Which doesn't have to turn necessarily
on how we define personal information, at lease as I
read the statute. So, we can have an expansive
definition of personal information and interpretation of
the knowledge requirement that still excludes --
1
85
MS. SALOW: But they tie together, correct? I 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
mean, they tie together.
MR. OHM: Not necessarily. Look at the
language. I'm not sure they are tied together.
MS. MILLAR: I think the task is that if, for
certain policy reasons, we want to expand the definition
and that there is a, for the sake of argument, a legal,
colorable basis to do that, then I think the response
is, does it make sense? Should there be exclusions?
And let me give you one good example.
You collect, as many of us have noted, IP
addresses. They're immediately logged when the visitor
hits the page, regardless of who that visitor is. Now,
for many kids' sites, their sites are structured to
following the COPPA FAQs and the guidance of CARU and
others to promote an anonymous experience. So, many,
many children's websites will allow that child to
participate by signing in with a user name and password.
If suddenly those items are personal
information, plus the IP address, you undercut this
assumption of how you provide a pretty anonymous
experience to a child and you force the websites to turn
to a more privacy-invasive model, perhaps, because you
have to collect more personal information.
The IP address alone will not allow that website
1
86
to contact the parent to get parental consent, and so 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
you have to really think through, with all of the
elements of the statute and the regulations, how would
such a universe look if we redefine these terms in a
different way? And then how do you practically offer
appropriate content intended for kids and get meaningful
parental consent?
I would say that an IP address, user name, and
password won't allow you to do that, and if you define
that as personal information, you then would force the
website operator into a different data collection
construct.
MS. ROSENTHAL: Okay. So, Sheila, you're
offering an example where the website is not -- you
know, they're getting this information, they're not
using it, they're promoting anonymity on the site.
What about an example where the website has
access to a large database or is appending data? Should
there be a difference if the website is actually getting
information elsewhere?
MR. OHM: So, let me just summarize really
quickly, and I think this is responsive to your
question. I think our conversation should be about
policy and not power. I think the question of power is
actually one where you've got angels on your side,
1
87
because of the way computer science has been evolving, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
and so the question is what are our guiding principles
that -- because I don't think anyone's making the
argument -- and I'm not an admin law expert -- that you
need to regulate anything that could colorably be called
personal information. I think the FTC is free to make
choices based on lots of policy.
So, I've heard lots of different policy
proposals thrown out. So, Jules said, "are you actively
reidentifying?" That's a wonderful principle on which
to build the rule. The second is, you know, think about
the policies behind COPPA. Why are we having this? So,
let me add one more to the mix. Quantity. So, the one
thing I would say is the research has suggested that the
more data you warehouse, the easier it's going to be to
do the kind of reidentification I'm talking about. And
so, and I might even write a comment to this respect in
this proceeding.
I would argue that once you get past a certain
amount of data living somewhere in your company, and
then you have actual knowledge that you're reaching out
to children, yeah, you probably fall within COPPA. You
probably should fall within COPPA. Let me be clear.
MS. POLONETSKY: And to stay at a policy level
for a second, you know, we don't really have an identity
1
88
-- you know, a parental verification access and methods, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
but what we're really sort of doing here is we're saying
that there is this kind of identity that's out there
that can be, you know, achieved, that other people can
create about you, and just one thinks that if we want a
solution here, whether we would maybe push the focus
more towards how do we advance the identity solutions
that come along with the full package?
And obviously they come with the privacy
challenges, but they also come with the, you know,
solution instead of sort of deeming identity to have
been created. I think until recently it probably just
wasn't really ripe, but when you take a look at, you
know, Facebook as a social media layer kind of -- where
people kind of got some use or websites thought it was
useful, boom, hundreds of thousands of sites kind of
adopting the various tools; the Government making
progress with, you know, access to various government
services.
We're probably at a more ripe time today, and
maybe the NTIA task force will come out, you know, with
some progress and there are the companies throughout the
room here from MakeSure and Privo and others, and if we
start looking at them not solely as verification but as
ways to solve identity, that's obviously the most
1
89
attractive privacy solution that could come along. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MILLAR: And I think retention also has a
role when you're talking about aggregated data. Some of
these issues potentially could be solved by limited
retention as well. And so the question, again, from a
policy standpoint is, what is the problem that we're
trying to solve? What are the benefits that kids have
from accessing the Internet? How do we address this
potential, but according to Jules and others, apparently
not reality of a lot of data aggregation and online
behavioral advertising targeted to teens?
But we want to be proactive in trying to
anticipate, how do we address issues that might affect
children's privacy? And I think we're all here to try
to solve some of those issues and be creative about
looking at ways to do that, and it may be that, you
know, retention and other approaches would be one way to
look at the issue and solve the problem.
MS. MONTGOMERY: Can I just respond?
MS. ROSENTHAL: You can respond, then we are
going to get to one more question and move on.
MS. MONTGOMERY: Okay. Well, I think these are
all really important questions, and it isn't a black and
white issue, but I do think what it suggests to me is
that we need more information on what the actual
1
90
practices are, and we need independent information. And 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
I would hope that there would be some way that the FTC
could do an audit.
I mean, one of the most useful things -- and not
just an audit of what you can see on the website, but an
audit that looks really at what the contemporary
practices are and what the best practices are. One of
the most useful things that led to COPPA was the study
that David Vladeck talked about earlier today that the
FTC did. So, I think we're talking somewhat
hypothetically here, and it would be really useful if we
could have more information.
And I also just want to say that I agree that
there is a need to be able to create an accessible
experience for kids online. It's a terrific tool. I
want them to be able to go online and have a
personalized experience, but to do it in a way where
they're not being targeted with personalized advertising
and to do it in a way where the minimum amount of data
are collected.
So, those are the goals, you know, and I think
there are ways to do it, but we do need to take into
account what the current capabilities are with the
contemporary business models and make sure they're
covered.
1
91
MS. ROSENTHAL: All right. So, I wanted to get 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
to one more question sort of in this category before we
move on to geolocation, which I know Matt is itching to
talk about.
Part (g) of the rule says, "Information
concerning the child or the parents of that child that
the website collects online from the child and combines
with an identifier described in this definition."
So, Maureen, you mentioned earlier that
behavioral advertising might actually fit under (g). If
there's no specific identifier involved, how would that
fit under (g)? You know, does (g) contemplate that type
of information?
MS. COONEY: So, I think we would look at that
in a couple of ways. One is the identifier may in some
cases be an IP address or it may be a cookie that's been
dropped, but what we would be looking at -- and, in
fact, so far we've been talking about pretty
sophisticated collection from children online, and
they're not really, you know, the types of experiences
that we're seeing at TRUSTe in our COPPA program, but
what we are seeing are some types of information about
children's interests that are so vibrant in the ways
that they're doing them now, through videos, where
there's no name attached to a picture but plenty of
1
92
other identifying information, including not necessarily 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
what we talk about as geolocation, but basic address
kinds of identifiers that you could pick up a lot of
information about children's interests through photos
that are being put on services or through videos. Those
are the two main areas that our clients are dealing
with.
And then from those interests, it would be
possible to do some targeted advertising, but that's not
what we're seeing as the present-day issue. It's safety
concerns for children and really reputational risks,
about building a profile, about their interests, that
they're a little bit naive and putting information out
there that, you know, may not be appropriate if it were
tracked.
MS. ROSENTHAL: Okay. I am going to move on to
geolocation, and I think it would be helpful to sort of
note that we're starting with the premise that what's
already covered is part (b). So, a home or other
physical address, including street name and name of a
city or a town.
So, the big picture question is whether that
language is adequate, given current business models, or
whether we need to move beyond that. So, Matt, maybe
you can talk about what geolocation means.
1
93
MR. GALLIGAN: Sure. So, you know, I'll first 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
start off to answer that question. It absolutely is not
adequate in the current language. If I were to give
anybody in the room my current coordinates, which would
be, you know, whatever, negative 37.0 -- blank and then,
you know, 105-blank, that would mean absolutely nothing
to anybody in this room, you know, and it, on face
value, means absolutely nothing. Sure, you might be
able to plug it into Google Maps or any of these other
services, but at face value, it means nothing.
However, you can take that and make a much more
accurate reading of where something has happened, an
event, you know, a physical address of where somebody is
standing. Under the current ruling or under the current
rule, it says, "a home or other physical address,
including street name, name of city or town," which
means that coordinate is not defined in that rule.
Now, I can correlate the coordinate to come up
with that but the coordinate itself is not specifically
called out in that rule. Coordinate may or may not be
able to be included in (b), because the information that
you get from the coordinate is derivative. So, it's not
necessarily identifying at face value, but as soon as I
plug it into a service that can identify that, then I
get some information back about the street name, you
1
94
know, city, town, things like that. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. ROSENTHAL: Okay. So, how specific should
geolocation be in order to trigger COPPA, if we were to
say geolocation is personal information?
MR. GALLIGAN: You know, I think that it
actually falls under the (f) or the (g), and I'm not --
probably the (g), or at least somewhat falls under that.
I don't know if the language itself needs to be
specifically called out, but on its own, it would need
to be combined with any of this other information for it
to become effective, because, you know, for instance, an
iPhone, as soon as you open the camera app for the very
first time, it says, "Would you like to allow this app
to use location?" And you never see that prompt ever
again, and every single picture that's then taken with
that iPhone stores the meta data of where that picture
was taken. And on its own, each one of those
coordinates may be an identifier of where somebody is,
but it's ethereal. It's where they were at that given
time.
Now, if you have enough information collected --
and this goes back to aggregate knowledge. If you have
enough information collected and you can start seeing
trends about where that person is, you might see two
locations, which might be school or work and home, and
1
95
you might see those things happening over and over and 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
over again.
Now, I think that it absolutely goes back to
aggregate knowledge, that with all of that information
put together, then you can start to build a profile
about somebody, but without any one of these other
identifiers, I don't think that it is an exclusive
identifier.
MS. ROSENTHAL: So, Jules, should geolocation be
included in the definition of personal information and,
if so, what would that look like?
MS. POLONETSKY: So, maybe let me again cop out
by saying, what should the question be, right? So, if
there's precise geoinformation that, frankly, acts as a
substitute for home address, if I actually have a
coordinate that can identify that precisely, that, you
know, this is the user's home address, how is it not
different than that user's home address, whether or not
you have got to go look it up or not? It's just a coded
term for a particular address.
I think the trickier issue is what about when
it's not your home address or, you know, this
identifying address, your place of work, your home,
whatever the category is that you've captured? What
about when it's just this body is here now? Is that
1
96
just another interesting data point, which, you know, is 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
no different than, okay, here's what we now know about
this person, and whether I have a lot of data points and
I know a lot about your activity, you know, it's no
different than, well, having lots of, you know, specific
marketing or interesting points, or is there something
about the fact that at some time we could walk over and
find you, because of the geo, that makes it interesting?
So, I think the latter example, I disagree with
Matt, in that in some cases it may just be a substitute
for a very precise coordinate that indicates your, you
know, permanent PII home address. In the other case, I
think it's a little trickier to figure out whether what
we -- is there a contact here? Is there -- you know,
what is it that we're capturing about this moving set of
information?
MS. ROSENTHAL: Okay. So, Kathryn, and then we
have a question from the audience.
MS. MONTGOMERY: I think, first of all, when we
talk about geolocation, generally the technology we're
talking about now is the mobile phone. I mean, there
may be others, but right now, that's, you know, what the
issue is. And I think you have to look at this in the
context of emerging practices with mobile marketing.
So, what can happen by having the location,
1
97
you're also going to know who the phone belongs to, and 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
you'll know more information by the very nature that
that's the device that's being used, you will know more
than just where that person is. You'll know that that
is the user of that telephone, right?
And then --
MR. GALLIGAN: Not necessarily.
MS. MONTGOMERY: Let me just --
MS. MILLAR: Not necessarily true, and you may
not know it's a child.
MS. MONTGOMERY: You'll know things about who's
been on that phone, too, or you might also, because you
might be collecting all kinds of other information about
how that phone is used. So, it would make it possible
to be able to identify when a child is near a particular
business, like a McDonald's, and send a coupon. And,
again, those are the kinds of things that we're
concerned about.
MR. GALLIGAN: So, knowing that it is a child is
the important component there and the phone --
MS. MONTGOMERY: Well, under COPPA -- under --
you know --
MR. GALLIGAN: Under COPPA, absolutely.
MS. MONTGOMERY: It is.
MR. GALLIGAN: That's what we're talking about
1
98
right? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MONTGOMERY: What we're talking about today.
MR. GALLIGAN: So, under COPPA, you know, you
have to know that it's a child to have it defined in
that way. Now, I certainly agree with actually both of
you in the regard that --
MS. MONTGOMERY: But you just said no.
MS. ROSENTHAL: You said it's not true.
MR. GALLIGAN: I agree to the extent that the
targeting based on geolocation should be covered.
But going back to his point, which is what is
this distinction between home and some other point that
you exist, and first off, the home question, yes, you
can determine that a coordinate is home, but you require
aggregate knowledge before you can determine that that
is home, because it's just a number, but with enough
numbers that is all within a similar area, you might be
able to determine that that is home.
But another point, without any other
information, say, other than with what Apple considers
device data, they actually specifically call it out as
TOS. Device data is defined as IMEI, which is the
specific device identifier, your SIM card number, your
phone number, and a couple other things that Apple just
has available in their DI. They specifically have
1
99
called out in their TOS -- now, this is just Apple, it's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
not across everybody else, and it probably could be a
best practice -- they specifically call out that you
cannot use that data to market.
MS. MONTGOMERY: Oh, Apple, yeah, and that could
be a best practice.
MR. GALLIGAN: It could be a best practice, but
it could also mean that it could be a baseline for a
rule. Now, I'm not a proposer of that, but I'm just
saying that that could potentially be that.
Now, I don't necessarily think that with device
data that you can still identify that it is a child,
because you also don't get access to what other apps are
included, are on that device; you don't know through
behavior necessarily, except for maybe --
MS. ROSENTHAL: Right, and we're assuming,
though, for purposes of the discussion that they know
that it is a child, that it's directed at a child, just
for this.
MR. GALLIGAN: Sure.
MS. MONTGOMERY: Because of the cross-platform
content networks, for example, whether it's social
networks or something else, you may very well know.
MR. GALLIGAN: Sure.
MS. ROSENTHAL: John, did you still have a
2
00
question? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
UNIDENTIFIED SPEAKER: No. Matt eventually got
to it, but just to make very clear that two location
points really can be a unique identifier. I mean, there
is only one person on the earth who regularly travels
from my home to her high school, and that's my daughter,
and, you know --
MS. ROSENTHAL: So, if we were to include
geolocation in the definition of personal information,
should there be a requirement that it is collected over
time, that it's not just one piece of geolocation data,
that it's aggregated in some way, or can we -- you
know --
UNIDENTIFIED SPEAKER: Well, to some extent, in
(g), you have kind of a catch-all, but the catch-all
correlates back to something in (a) through (f).
MS. ROSENTHAL: Exactly, right.
UNIDENTIFIED SPEAKER: And I think the point is
that you can have some (g)-type data points that taken
with other (g)-type data points could be a unique
identifier, and so, I mean, you know, it gets a little
harder on -- I mean, all you guys have been talking
about, you know, can you go back to a use, you know, an
idea of, you know, well, how do you use the IP address
or how do you use these data points and do you use it as
2
01
a unique identifier? And that's a possible approach. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. ROSENTHAL: Heidi, you have some clients
that are --
MS. SALOW: Oh, yeah. No, I was just going to
say, not even just on behalf of clients, but I think to
assume that because it's a mobile device, that suddenly
you -- whoever the "you" might be, because I think
that's another thing. We're talking a lot sort of very
generally about one or you having this information. I
think it really depends on who are we talking about,
right? To assume that because a person has a mobile
device, the world then knows I'm the owner of this
mobile device, I was in the Starbucks this morning, I --
you know, I bought a latte, and, you know, all of --
that's not really the case at all.
And, in fact, you can't even get -- Mike will
know this. You can't even get a cell phone number -- I
can't look up a cell phone number, okay? I can't find
your cell phone number. You have to give it to me.
It's not publicly available. So, no, I don't know who
you are.
MS. ROSENTHAL: So, let me just offer -- okay,
so it's not about necessarily knowing who you are. If I
have your email address, I don't necessarily know who
you are, but I can contact you online, and if I have
2
02
your geolocation, maybe I don't know who you are, but I 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
might be able to physically contact you. So, let's just
make sure we phrase it that way.
In that case, do you think --
MS. SALOW: So, now I think we're going to the
device versus individual, right, because you're
contacting my device? I'm just trying to clarify.
MS. ROSENTHAL: Okay, yes, right.
MS. SALOW: You don't know that I -- I know, I
realize -- I don't want to be the bad guy, but I just
want to --
MS. ROSENTHAL: No, I don't mean to -- right. I
don't want to put you on the spot but I want to make
sure that we explore that.
MS. SALOW: Just to be practical, because I
think we need to really think practically speaking
what's happening and who are we talking about has this
information. The wireless carrier knows who I am,
because I subscribe to the service, and when I signed up
for the service, I told them who I am.
And by the way, I know we talked about this
earlier, Michelle, but when you go back to IP addresses,
an IP address alone is not going to be the only
mechanism by which you can identify a mobile device.
There's already -- this already exists. The SIM card
2
03
identifies the mobile device already today. Everybody 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
has a SIM card in your device that's unique. So, you
know, we get worried when we talk about -- and, again,
I'm not saying it's not something we shouldn't be
concerned about, but it's already identifiable.
But anyway, going back to that, so I think the
carrier knows a lot about me as a subscriber, and the
carrier is subject to very strict rules, both under the
CPNI regime and under ECPA, the Electronic
Communications Privacy Act, as to who that information
can be shared with and for what purposes. So, you know,
I just wanted to make sure we were talking about the --
who we're talking about here.
MS. POLONETSKY: I think there's a simpler
example that maybe highlights this a little easier,
because the mobile starts bringing in all these other
factors that are -- so, here's a more real world
example.
Today, I'm at a website. A website obviously
can geo, in a general way, because of IP address, but
today, many computers that don't have built-in GPS,
however, can download a little plug-in that relies on
your WIFI antenna, you know, great attention in recent
weeks to the kind of Google WIFI, but obviously there's
Skyhook, there are other companies, and WIFI networks
2
04
are mapped. So, do we want to say, for instance, that 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
if you're a -- what we would be saying if we extended
geo is that if I'm a kids' site and it said, "Here,
click here so that you can get your precise whatever," I
click here to allow us to use -- most of the browsers
require this on sort of an opt-in basis. Firefox
actually is launching a little icon that's going to let
you know when their next version -- IE, may do that. I
have to check.
So, do we want to say that a child's site could
not collect -- right, that's not collecting any other
explicit personal information, that it couldn't use this
WIFI/geo thing to precisely take the location? That's
kind of a clear, clean shot at this question.
MS. ROSENTHAL: So, do we want to say that?
Paul?
MR. OHM: So, I see why you're all COPPA
experts, because it's like a beautiful Matrishka doll,
and every time you read this, you see a different layer
you didn't notice before. I might become a COPPA expert
after this.
So, look at (b). First of all, (b) is not
restricted to homes, right? It's any physical address.
Aren't you intrigued by the fact that Congress did not
care about the street number? All you need is the name
2
05
and the city? So, what is this, the megaphone rule? If 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
I can drive to your street and yell an advertisement at
you?
But it does suggest to me that when you ask a
question about one coordinate at one moment in time, why
isn't that, exactly, the kind of interest that Congress
had in mind, right? I don't know what Congress was
thinking there, maybe they were worried about
megaphones, but again, I hate to be a broken record, I
don't think this is about power. I mean, Congress was
writing lots of blank checks here, I think this is about
whether is it a good idea or bad idea?
MS. ROSENTHAL: All right. So, let me attempt
to wrap up a little bit on the geolocation so we can get
to a couple more questions before we finish the panel.
Is there a way to articulate a clear standard on
geolocation? If we were to include it in the
definition, how would we do that? What would it look
like?
MS. MILLAR: Well, I think that we have talked a
little bit, and Paul's made a good point here, that
under (b), how different is precise geolocation where
you either have actual knowledge that you're dealing
with a child or on a kid-directed website or online
service that your kid targeted, then potentially it's
2
06
already covered. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
I think the issue is whether or not there is any
reason to exclude it, as Paul suggested. You know, are
there beneficial reasons to include that sort of
information? Otherwise, currently, under COPPA, beyond
the exceptions, you're required to get parental consent,
and if you're getting the home address for purposes of
internal marketing to a child, you have the email-plus
option. So, maybe geolocation fits in the email-plus
construct; maybe it doesn't.
But I think that for the geolocation
information, if you're either kid-directed or have
actual knowledge -- and I think the actual knowledge is
the tough one, because I think in most circumstances,
you don't know. If somebody's going between school and
home, you know, dad may know that it's my daughter, but
service provider, assuming there's a website or an
online service involved, they may have no idea. They've
got a number and a location. So, they don't know.
So, again, I think you have to put the pieces
together to determine what's the right rule, but if you
have a kid-directed website or online service or
something with actual knowledge, I think geolocation
probably fits right within (b).
MR. GALLIGAN: I think it actually fits better
2
07
within (g), just because, like I said earlier, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
exclusively, a single point does not constitute -- well,
I guess it says "or other physical address." I am going
to agree with her. It's (b).
MS. ROSENTHAL: Final answer? Is that your
final answer, Matt?
MR. GALLIGAN: You know, in terms of calling it
any other physical address, I mean, it just -- any
coordinate defines any other physical address.
MS. MONTGOMERY: I just want to make sure COPPA
covers mobile marketing.
MR. GALLIGAN: But the one thing I will say
about coordinate and (b) is that coordinate will likely
need to be spelled out.
MS. SALOW: I was just going to say the same
thing. If you do -- I don't disagree that it falls
within (b), but if you are going to add geolocation,
please make it clear.
MS. ROSENTHAL: Sure. We'll do that.
MS. POLONETSKY: And I just want to throw in the
complication that the wireless carrier usually knows who
the account holder is, not who has the phone. So, the
five phones in my family, I haven't told anybody who has
which one of them and --
MS. MILLAR: Well, and that gets back to the
2
08
fundamental point that it's directed to children or 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
actual knowledge, and if you -- I mean, I can go as a
small business and buy six phones and give them to my
employees. There is no automatic assumption that just
because there's multiple cell phones attached to a
single subscriber that there are some kids in there, and
even if there were, you wouldn't know how old they were,
because they would be minors perhaps, but they may not
be. So, I think we really need to keep coming back to
the required statutory language and understand that
there are some limits to what people actually know about
you.
MS. ROSENTHAL: Okay. So we're just going to
wrap up, because I don't want to deprive you-all of your
break, but we, again, urge you to submit comments on all
of these topics and anything else that you think we
should cover.
MS. MONTGOMERY: We didn't cover H.
MS. ROSENTHAL: We're back at 3:00. Thank you
all.
(Applause.)
(Recess.)
MS. KRESSES: Let's go ahead and get started on
the parental verification panel. So, this panel, Panel
Four, is kind of a COPPA specialist panel. Many of you
2
09
perhaps have never had the joy of considering all the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
different methods of parental verification and, you
know, looking at them closely and wondering what works
and what doesn't, but what we'd like to do is take a
little bit of the panel, the start of the panel, and go
through the methods that have been outlined in the rule.
They're not exclusive. The rule was never meant to
confine anyone to those methods, but talk about whether
they're being used, how they're being used, are they
effective, and do they still make sense, and then move
into considering other potential methods and the pluses
and the challenges of potential new methods.
So, in this regard, also, you know, we really
would encourage audience participation and questions,
and we'd also encourage ideas. So, if you've been
thinking, "why hasn't anybody ever thought up this
perfect parental verification method," speak up.
Oh, let me introduce the panelists. Sorry.
To your left, we have Jules Cohen, who is the
Senior Trustworthy Computing Specialist with Microsoft.
We have Rebecca Newton, who is the Chief
Community and Safety Officer of Mind Candy, Inc.
We have Martine Neijadlik, who is the Senior
Director of Risk and Business Intelligence at BOKU,
which is a mobile payment system.
2
10
And then over here, we have Alan Simpson, who's 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the Vice President of Policy for Common Sense Media.
And Ron Zayas, who is the Chief Executive
Officer of eGuardian.
And then Denise Tayloe, who is President of
Privo, Inc., which is -- has one arm of Privo, Inc.,
which is a COPPA safe harbor.
So, let's -- okay, so just to take a minute to
look at the verified parental consent requirement of the
Rule, and there is a general standard, which is
basically that operators must make reasonable efforts to
obtain verifiable parental consent, taking into
consideration available technology, and that
requirement -- the methods have to be reasonably
calculated, in light of that technology, to ensure that
the person providing consent is the parent.
And then on the other side of the slide are the
methods that are laid out in the Rule, and, again, were
not meant to be exclusive but were deemed to meet those
requirements.
So, here we are, however many years later, and
the online world has changed a lot, and there's a lot
more potential things out there. So, we want to look at
the old and see how they're working and then look at the
new.
2
11
So, let me start with Rebecca Newton, and I want 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
to start with the email-plus standard, and email-plus,
the Rule designated that where the collection of
information from a child was only for internal purposes,
so it was for the purposes of the website or the online
service, and not to be shared with third parties or to
be publicly disclosed, either by the website or by the
child, at the time the Rule was put into effect, that
was considered a less risky, a less disclosing method of
taking personal information.
And so the Rule carved out an exception that
where the information was only to be used for internal
purposes, that one could send an email to the parent
with notice, allow the parent to confirm, by email, that
they had received the notice and that they were
consenting, and then to follow that up with either
another email, a phone call, or a variety of other
options, but this was not considered an adequate method
for situations where personal information would be
disclosed publicly.
So, with that, Rebecca, does email-plus actually
meet the standard of ensuring that a person providing
consent is the child's parent?
MS. NEWTON: Well, that's a tricky question, but
I think as well as any of the others, it meets any of
2
12
the other standards. You never know that it's really a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
parent, and I haven't done any of the science behind
this, but just from being in this business for 16-plus
years, I think that it's fair to say that a
percentage -- I don't know what -- I can't be accurate
about the percentage -- of the registrations are kids
using their email addresses or possibly putting in their
parents' email address.
But I do see, where I work now, a fair amount of
bounce-backs. These are emails that aren't legitimate,
that say things like [email protected], and so, you
know, they want to -- I see a fair amount of that every
day, and so that sort of speaks to Dr. Gwenn's point
about they want to tell the truth. A certain percentage
want to do the right thing and want to tell the truth.
So, you know, it's as valid, I think, as any of the
other methods.
MS. KRESSES: So, in your experience, then, is
email-plus -- do you think it has the same assurance of
actually reaching a parent as the other methods in the
rule?
MS. NEWTON: I think it's as valid as the other
methods, yes.
MS. KRESSES: So, let me turn that then to Alan.
Do you have any experience from the parents and do you
2
13
have any knowledge of the effectiveness of email-plus? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. SIMPSON: Not directly, but I would echo
Rebecca's point, that there's a -- the standard may be a
little too high, recognizing that we know that kids will
cheat the system in some cases, but that a lot of kids
don't want to. I mean, the whole point of verification
is obviously making the best effort that we can, and
there is no such thing as a perfect effort.
We do get a fair amount of parent feedback on
our site around what my kids are doing that I didn't
know about. So, that's not a direct aspect of
email-plus. It's just more of a matter of the challenge
that all of these technologies and all of these
approaches will face.
MS. KRESSES: So, we wanted to touch on
email-plus first, because email-plus has had a long
history. It was supposed to be a very temporary
solution, and we extended it, because we didn't come up
with other technological choices that worked with the
same ease as email-plus, and then we ultimately, in our
2007 report, said that email-plus would be a permanent
standard for the foreseeable future.
And so it's interesting what you're saying,
Rebecca, that -- do you feel that the -- would you say
that email-plus, if it has the same reliability as other
2
14
standards, do you think that it still makes sense that 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
email-plus is limited for internal uses?
MS. NEWTON: I mean, I am probably going to say
the same thing over and over. I think it's -- yes. I
think it's as valid as the other methods, and I think it
still makes sense, unless we adapt available technology
and take a whole different sort of turn on this and go
for real parental verification as much as we possibly
could. Otherwise, there's no -- I mean, it's the most
valid thing we have, other than available technology
which is out there now.
MS. KRESSES: Let me ask a slightly different
question. Jules, actually, do you have any experience
from Microsoft on how consumers -- not just parents, but
computer users generally do -- how do they view the
distinction between internal uses and external uses?
MR. COHEN: No, I don't. I don't have --
actually, I don't have good data to suggest that they
think about them differently or that they think about
them one way or the other, but I would note that -- you
know, I think it's a valid distinction, because in the
internal case you have -- one org will hold the data,
and they will have stewardship mechanisms to manage the
data, and in the other model, where it leaves the org or
whatever stewardship mechanisms exist, you have much
2
15
looser reins on what happens with the data. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, you know, as policy-makers are thinking
about, you know, sliding scales for different kinds of
risk, this distinction seems to map pretty clearly to
two different kinds of risk.
MS. KRESSES: Actually, Denise, I wanted to ask
you, too, from your experience with Privo whether or not
you -- following up on what Rebecca said about
email-plus and whether it's a reliable method, in your
experience, do you have a comment on that?
MS. TAYLOE: Well, I would say that I
respectfully disagree with Rebecca that it is as good as
the other methods. I don't think any of the methods are
perfect, as Alan just mentioned, but if the goal is to
use reasonable methods in light of available technology,
and ten years later the best we can do is send an email
to a parent that a child provides us and get a
click-back, I would say that we, industry, haven't done
a good job of adopting new methods, creating new
methods, and that people are heavily relying on it. So,
that's one thing.
The second is that if you're supposed to be
reasonably assured you're dealing with a parent, I would
say that most of the methods don't do that and that
email-plus in no way even allows you to say you're
2
16
dealing with an adult. So, you know, yes, kids have 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
credit cards, but most don't.
You know, other methods that are available that
we're going to discuss later will help to do identity
verification to at least know that you're dealing with
an adult, so you can make the leap of faith that it's
likely to be a parent who's asserting that child.
So, you know, my thought is email-plus, as an
industry, we need to start moving away from it and find
other methods, and the quickest method that I see is let
a parent short code a message back from their cell phone
and use that as the mechanism as opposed to clicking a
link. Let a child give a parent email. If they don't
have a parent email, more kids know their parents' cell
phones than know their parents' email address.
MS. KRESSES: And do you know that doing that
SMS-type thing would give you more assurance that it's a
parent or the same as email-plus or less?
MS. TAYLOE: I think it would give you more
assurance. It's not the kids -- I mean, kids absolutely
have cell phones, but at least there is a cell phone
tied to a parent somewhere in the -- or tied to an adult
somewhere in the path. So, you can tell whether or not
the short code is coming back from a Verizon or a Sprint
or an AT&T versus, you know, a throw-away phone.
2
17
MS. KRESSES: Phyllis? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. SPAETH: (Off mic.) How do you know that
it's coming back from the parent as opposed to the
child?
MS. TAYLOE: I would just say you have
absolutely no assurance with an email. You have a
little -- at least we're moving up the scale versus sort
of staying and waiting for it to be perfect.
MS. SPAETH: Denise, I have no quibble with you
about that fact, but I think email-plus is nothing.
MS. TAYLOE: It's a joke, and everybody knows
it, yeah.
MS. SPAETH: Everybody knows it's a joke, yeah.
MS. KRESSES: Was that clear?
MS. TAYLOE: But it's good enough for internal
use right now. I mean, we're not trying to get the kids
over the border. We're trying to let them know when the
next Nintendo game comes out or something.
MS. KRESSES: And let me turn to Martine.
Martine operates BOKU, which is a -- it's a mobile
payment system, so this might be sort of a loaded
question, but if email-plus is a sufficient method to --
you know, assuming for the moment that it is a
sufficient method to get permission for internal use,
should the standard for a simple method be limited to
2
18
email or are there other equally facilitative methods 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
besides email that would work for these purposes?
MS. NIEJADLIK: Hi. Let me just say a couple
things, I think. First of all, prior to BOKU, I was
actually at PayPal, and I used to manage risk detection
for PayPal, and when I think about laws on the Internet,
the first two words that come to my mind is scalability
and global. So, is it global and is it scalable? And
if we are going to have rules that apply to the Internet
and enforce those on these companies, now think about
every country also having different rules, which is
something we're dealing with right now. It's got to
encompass both of those things.
Now, I think email-plus -- I would agree, it is
not as strong as some of the other methods, but when you
sort of intersect practicality with safety, you know,
it's really one of the only ones on the list that I
think is a viable option for people. So, I don't know
if it's the appropriate time to just sort of talk about
mobile -- what BOKU is doing --
MS. KRESSES: We are going to get to that.
MS. NIEJADLIK: Okay.
MS. KRESSES: When you say mesh practicality
with safety, what do you mean by that?
MS. NIEJADLIK: I mean something that's
2
19
completely automated, right, where a human being is not 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
getting on the phone with a parent, is not, you know,
looking at a fax machine, is not -- something that does
not require human interaction, that's completely
automated.
MS. KRESSES: Okay. Does anybody have any
other -- we're just trying to touch slightly on each of
the existing methods so we have time to go into other
things. Does anybody have any other observations or
questions on the email-plus method, whether or not, you
know, it should be limited to internal uses only?
whether or not it works? whether or not it's time for it
to go, as Denise would say? Anybody have any comments?
Yes, Parry.
MS. AFTAB: I think we need to recognize the
practicalities of all of this, and as you know, we have
been in this space forever. So, as you move out of
email-plus -- and Denise and I, I think, will disagree
on this one, because it's a great way of getting parents
out there to do something. They're uncomfortable with
credit cards, and a lot of people in this country don't
have them, and I don't want to lock children whose
parents don't have credit cards off of the Internet.
So, they don't know what a fax is. They, you
know, see licking a stamp as just beyond everyone. The
2
20
kids are on to a new site by the time a letter arrives. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Unless you can find a new way of doing this, and
email-plus works. Right now, it works. It's easy way
in, easy way out. It can be automated.
And so when you have got 8 million, 10 million,
12 million users in the kids' space, it allows you to do
something, but we need to recognize -- it may not be
time to kill it. It may be time, as we start looking at
this, to expand it.
MS. KRESSES: And by that you mean what?
MS. AFTAB: I think as we start looking -- you
know, the whole sunset provision, we thought this would
be out there for, like, two and a half minutes, but the
reason it's still there is because it does something
none of the other ones did. So, when we move from $45 a
kid to $15 a kid to get COPPA compliance on verifiable
parental consent -- and parents just aren't doing it
unless the kids pretend to be their parents -- we need
to find something parents will do.
Parents will send an email. So, we need to find
maybe that there's a way to expand it so it's even
beyond where it is on something that's a bit more
verifiable.
MS. KRESSES: Okay. I think Gwenn has a
statement or question.
22
1
DR. O'KEEFFE: I just wanted to echo quickly 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
what Parry said. I was about to say the identical
thing, so I'll just truncate it really quickly.
As somebody who also talks to a lot of parents
and sees the technology gap, parents -- Denise, I agree
with most of what you say, but texting just won't work
right now with today's parents, because there is a huge
technological gap in this country that we just simply
have to embrace. We have to embrace it. We have to hug
it. We have to notice it. We have to name it as the
experts, because you know what? Parents don't text.
And you know why? Because they're barely on the cell
phone themselves.
We have a lot of parents in this country who
don't even own cell phones themselves because they can't
afford it or they just don't know how to use it or
they're intimidated by it, but they do use email. Every
parent in this country uses email, even the
unsophisticated ones. So, let's not make this into more
than we have to. Let's keep it simple. I do agree that
someday we need to go to other technologies, and I love
texting myself, but I'm with Parry on this one. I think
we need to go the email route.
MS. KRESSES: Okay. Let me go to Shai, and then
I will go to Amanda, and then I will go to you, and then
2
22
we will move to the next topic. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. SAMET: I am going to agree and disagree. I
am going to agree with Parry and I am also going to
disagree with Gwenn to some degree. By the way, Shai
Samet. I run a privacy consulting firm and have done a
lot of work on COPPA in the past ten years.
I think email-plus has served a very beneficial
purpose, and somewhat unrelated to what the law
requires, what we're finding is that many of the kid
friendly websites, especially those for younger kids,
who have designed their chat functionalities so as not
to allow personal information to go through, are still
using email-plus to notify and get parents involved with
the fact that their kids are using those sites, and
that's an extremely valuable benefit and I think one
that could easily carry over to SMS.
I'm a parent, I have four kids all under the age
of 13, and I use my cell phone. My mother only uses her
cell phone, doesn't use email at all. So, I think --
you know, I think we would have to look at that data
more closely before we determine whether or not SMS is a
viable mechanism. It is true that kids know their -- my
daughter knows my cell phone number. She does not know
my email address. But then again, also, the fact that
she doesn't know my email address usually requires her
2
23
to call me to the computer and say, "Hey, dad, you know, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
what's your email address?" And through that I get
involved as well.
So there's a lot of mixed data out there and a
lot of opportunities here as well, but to get rid of
email-plus would be a very dangerous proposition,
especially given its benefit for those sites that are
using it.
MS. KRESSES: Okay, if we can pass the
microphone to Amanda.
MS. LENHART: I'm Amanda Lenhart from the Pew
Research Center, and we have done some research on how
teens and parents and families use mobile phones, and,
in fact, in many cases families are more likely to have
a mobile phone than a computer, and, in fact,
particularly with low-income families who often do not
have a computer at home or who have a highly shared
computer, but they do have mobile devices.
So, again, this begs the question, of course,
whether these kids are going to be going on websites and
whether -- if you don't have a computer in the home,
whether you actually necessarily need to be able to do
some of this verified parental consent, but parents are
actually more likely to have cell phones than other
adults. They are more likely to use them to text their
2
24
kids. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
So, they don't always know how to text. There
is a substantial subset of parents, about 25 or 30
percent, who don't text at all, don't know how to text,
and so they don't use that, but a lot of parents are
actually drawn into texting by their children.
Also, parents of younger kids now are in that
generation of people who actually do text and actually
text more than older adults. So, I wouldn't totally
eliminate text messaging or SMS as a potential way. I
would add it on. I would not substitute.
MS. TAYLOE: It's about options. I wouldn't say
any one. I'm all about providing options.
MS. KRESSES: Okay. And do you still --
UNIDENTIFIED SPEAKER: Nope. She covered
everything.
MS. KRESSES: Okay. All done.
And way in the back? Then we'll move to
something else.
TIM SPARAPANI: I think Parry is onto something,
and I think we should definitely be keeping email-plus
as an option. Recognizing that there isn't really any
way of authenticating anybody online, I think we should
be at least exploring the possibility that lots of
companies, mine included, are starting to get the
2
25
opportunity to have multifactorial ways of making 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
educated guesses about who people are online, what their
ages are, what they're up to, et cetera, and it seems to
me that the FTC would do itself a great deal of good to
allow for continued exploration by companies in this
area, because I think you will actually find that
companies will have the opportunity to do more
verification in the future.
MS. MARCUS: Well, and just to kind of build on
what Tim has said, we do interpret the general standard
that you see on the slide as the baseline standard, and
so the methods that satisfy the rule are illustrative
only. They are not meant to be exclusive, and the
general standard does provide for the kinds of
exploration that you've suggested.
Now, it might be -- and we'll certainly talk
about this -- that people are too nervous to try
something other than that which is set forth in the
rule, but, you know, we have to meet this baseline
standard, that we have to at least try to ensure that
it's a parent, but it wouldn't be meant to preclude
exploration.
MS. KRESSES: It is any method reasonably
calculated, so it was never intended to be an exclusive,
you know, list. So, let me go to Peter, and then
2
26
let's -- 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MR. ZAYAS: Maybe if I can just interject for
one second, the thing I think we keep missing here is
that the intent is to get parental consent, and that
seems to be very absent from the net effect here. There
is no way to verify that it's a parent. There is no way
to verify that the kid isn't making the address up or
doesn't know the address or whatever the case may be.
I think phones are a great way to do it, but
nonetheless, if the intent here is to get verifiable
parental consent, the fact that a system works but
doesn't do that I think means it's not a very effective
system to use.
MS. KRESSES: Okay. Phyllis, you already had a
turn on this one.
You gave up your turn, but we'll let you go
anyway.
UNIDENTIFIED SPEAKER: I was trying to be
efficient. Going back to the point you just made about
being conservative, I advise a lot of companies in this
space, and I would never advise one of my clients to do
anything beyond what is on the list for fear that it
wouldn't be acceptable. I mean, because the standard
says to ensure that the person providing consent is the
child's parent, and that's the point that was just made,
2
27
and living up to the "ensure" is virtually impossible, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
but it's really impossible outside of the six things
that are there from a legal standpoint.
MR. SIMPSON: Don't we all agree that the six
things there don't really ensure?
UNIDENTIFIED SPEAKER: I'm agreeing with you
that those don't work either, but from a liability
perspective for my clients, at a thousand bucks a pop,
I'm not going to tell them to go beyond that.
MS. KRESSES: Okay, let's do this: Let's move
on to the other existing methods up here, and we'll try
to go through them, you know, fairly expeditiously.
So, it is not a rhetorical question, but I want
to know if we are seeing people still using the print
and send method or an equivalent of that or the print
and scan -- yeah, we, a couple years ago, Phyllis and I
revised our website -- the agency's COPPA website -- to
say that, you know, we would recognize a scan as a
print-and-send, obviously in the modern world.
But, Denise, in your experience, is that a
format that is still being used and why or why not?
MS. TAYLOE: Okay. So, yes, some people use it.
If you try to use it as your sole method, you'll fail
miserably. If you only offer things like credit card,
you'll scare the bejesus out of people and they, not
2
28
having choice to do something less personal, is a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
problem.
So, here's my experience: We offer five methods
as a sort of standard: last four digits of Social,
driver's license, credit card, print and send, whether a
fax or in the mail, or a phone call. And consistently,
we get about 7 percent that will choose phone and a
printed form; 82 percent that will choose last four
digits of Social, because it happens in nanoseconds,
it's automated; and then the credit card is very low, 4
or 5 percent; driver's license, low, because it's just
hard -- it's hard data to get.
So, I would say that I would not want it to be
taken off the table, because I think that if I'm looking
at choices and the fact that I can do something offline
makes me feel more comfortable maybe about choosing
something that's online.
MS. KRESSES: Okay. And just so we are all on
the same page, when you collect the last four digits of
the Social Security number, what other information do
you take from the parent to make that work?
MS. TAYLOE: So, it's up to the relying party's
site that uses the service what level of assurance they
want. The minimum data that you need in order to decide
whether you've got an identity is the last name and last
2
29
four, but typically a parent account is a first name, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
last name, a zip code, a date of birth, and the last
four.
And then, of course, just like credit cards, the
last four are not retained. So, you hit the data
aggregator, you get data back, we pine through. If we
can find a match, then we process a pass, we flush the
last four, and we're left with a parent account that has
an email address associated. So, from that point
forward, the parent can permission off of their email.
MS. KRESSES: Okay, thank you.
All right, and then let's go to the credit card
use, too, and then we'll go into some new methods.
So, Jules, do you know to what extent an --
well, actually, let me ask this to Rebecca. I think
this would be better for her.
So, Rebecca, to what extent is the credit card
method being used for verification? And also, so we can
think about both issues, is it being used the way the
Rule contemplated that it has to be used, in connection
with a transaction rather than just as an identifier?
MS. NEWTON: Well, we don't use it, so -- but I
went out and did my own research, and I went on 11 top
kids' sites, and out of those 11 sites, four demanded or
required fax back or what we call a print-and-send; four
2
30
required credit card or some kind of a membership 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
transaction; three of them used email-plus; nobody used
the digital cert or toll-free.
So, I mean, I think it's just -- I'm just going
to be singing this same song. It's as -- I see a lot of
credit card fraud every day on our site, a lot, and it's
kids taking their parents' credit card and also people
buying credit cards online. So, I think it's just as --
it's used, but -- on some of these major sites, four of
the top 11, but I think that it's not any more valid
than any other site.
And the one point I want to make is that it -- I
think it also -- in a lot of cases for kids, it forces
them to lie about how old they are, and so, you know, we
know that that's -- that's something we talked about
this morning, and that's true with a lot of these
methods. But in my opinion, email-plus doesn't force as
much lying as the rest of these methods, in my
observation as well.
MS. KRESSES: Okay. And does anybody on the
panel -- I'll throw this out to anybody -- have a
thought on -- well, I think what you've said probably
goes to this, but whether a small transaction fee in
connection with consent is something that parents are
comfortable with or not?
2
31
MS. TAYLOE: That's what Yahoo does. If you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
identify yourself as 12 and under, they process -- I
think it's 50 cents. They take the transaction fee out,
and they donate the rest to NCMEC.
Now, for a number of years, they were just doing
an algorithm to see whether or not it was actually a
MasterCard or Visa number, which was not -- didn't have
a transaction, and I don't see as many people doing that
now.
And, Jules, what do you guys do at Microsoft?
Don't you use a credit card?
MR. COHEN: We use a credit card today.
MS. TAYLOE: Yeah. And I agree with Parry, you
know, there is Sol, there is some huge percentage of
parents that don't have credit cards and it's a tough
method if it's the only one you give people.
MS. KRESSES: Do you get any feedback on whether
people are comfortable with that?
MR. COHEN: I haven't seen any feedback, and I'm
not the COPPA expert. I have some expertise in this
space, but I don't have data on that one.
MS. NIEJADLIK: Jules, are you guys charging or
just authing?
MR. COHEN: Right now, we're just authing, but
there's a process in place to move to another standard.
2
32
MS. NIEJADLIK: Just coming from the payment 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
industry, the card associations, they have always said
that it's not okay to auth a card without a charge, and
they're actually starting to crack down on that now.
MS. KRESSES: And we don't think that's okay
either. I mean, the Rule was intended for a
transaction, and there's a little bit of discussion in
the rule about why that's the case, and a part of that
is that with a transaction, you have some recourse, too,
that you will get a bill. If something sticks out, you
would investigate it, you know, if it's a dollar -- you
know, we don't know how practical that is, how much it's
being investigated, but actually, the language of the
Rule actually requires a transaction. So, that's been
something that we've been educating people on in the
last few years, because it has come to our attention
that there's some -- you know, that there is a lack of
clarity there.
Roz?
MS. KITCHEN: I would just suggest that if
you're going to charge the under 13s a transaction fee
in order to get verifiable parental consent, that's not
going to work in the promotion industry, where we want
to possibly allow the child to participate in a
sweepstakes. You're going to have a situation of
2
33
potentially an illegal lottery at that point. So, in 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
complying with COPPA, you're violating all of the 50
states' lottery laws.
MS. TAYLOE: Well, email-plus is good enough for
sweepstakes and promotions and all the internal use,
right?
MS. AFTAB: There can be an exception, too.
MS. KITCHEN: (Off mic.) It depends how the
operator is using that information, if it goes
further --
MS. TAYLOE: You mean whether they share it?
MS. KITCHEN: (Off mic.) -- and also if you
collect user-generated content, perhaps you can't use
the exception.
MS. KRESSES: Okay, Parry, and then we want to
move on.
MS. AFTAB: I will be fast. I represent a lot
of the newer companies now that are looking for
COPPA-cleared communities and that kind of thing, and
they're all trying to charge a dollar or 50 cents, and
they are trying to donate it back to Cyber Safety and
the rest of it. Huge push-back. Parents aren't doing
it at all. So, if you're doing it, it's nice to saying
you're doing it, but if you don't have a backup that's
going to work, you're out of business.
2
34
MS. KRESSES: Okay. And, Alan, do you have any 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
sense of whether the use of a credit card still provides
as much assurance of a parent or an adult, let's say, as
it may have ten years ago?
MR. SIMPSON: I don't think it's changed much.
I mean, I went back and looked at this after we talked
about that earlier. Those numbers -- and in college
kids, you see a huge boost in credit card or debit card
ownership, but when you talk about under 13, those
numbers aren't really significant.
So, does it prove -- again, what standard of
verifiable are we looking for here? It's as reliable as
anything else, and it's not likely to see -- have
someone under 13. It's a very small number.
MS. KRESSES: Okay. Does anybody -- yes?
MR. LEMONS: Chris Lemons from RelyID. A couple
points to throw in.
One is that a lot of credit card companies, the
banks now are moving purely to online statements. The
way you used to know that you had gotten a charge
against your credit card is you got an envelope in the
mail, and you opened it because it came in to see what
was in it. Now, it's more you have to click onto the
email that they sent you saying your online statement is
available, go to the website, remember your log-in and
2
35
password, then scan through a couple pages of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
transactions.
I think that's much less reliable in terms of
ensuring that a parent knows that transaction ever
occurred. And all the kid has to do is sneak downstairs
and get mom's wallet, right? So, there's less of the
feedback loop than there used to be.
The other point is that I think the credit card
associations are moving strongly away from using credit
cards as authentication, period. Visa has come out with
a statement saying that they don't want to use for age
authentication, right, which is just a step from
identity authentication.
MS. KRESSES: Thank you.
Alan or Denise or Rebecca, any of you, are you
hearing many complaints about parents -- about kids
falsifying verification?
MS. NEWTON: Well, yeah, I mean, I get some. I
don't -- you know, out of 70,000 a day, I think I maybe
average a half of one a day or something like that. So,
I mean, it definitely -- it -- I mean, this is a
different question, I guess, than you're going to ask
about deleting PII. Is that right? You're not asking
about that.
MS. KRESSES: Yeah. No, we will get to that,
2
36
but yeah, that was my question, is whether -- are 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
parents -- are parents calling and complaining, "well,
my kid used my credit card without authority or my
kid -- you know, somehow my kid got on there and I never
consented?" Are we hearing a lot of complaints?
MS. NEWTON: Some of that. I wouldn't say a
lot, but I definitely hear it.
MS. KRESSES: Ron?
MR. ZAYAS: One of the things we did, not a
formal survey, but we went to about a hundred different
schools and we matched the parents and the kids to the
schools, and we asked the parents, how many of your
kids -- and these are between middle school and
elementary -- how many of your kids have a Facebook or
MySpace account? And almost universally, the parents
said "my children don't." And then we matched it up
with their actual children, and we asked them how many
of you have a MySpace -- and about 60 to 70 percent of
them did.
So, I don't know that it's so much are parents
complaining that they're not getting asked or that they
even know it exists would be a better question.
MS. KRESSES: All right. Okay. So, let's move
to the last -- in the Rule, there's also the language
about using a digital certificate that uses public key
2
37
technology. Where is that at? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. NEWTON: I've never seen it anyplace, so I
don't know about that.
MS. KRESSES: What happened with -- Jules, do
you have just some brief thoughts on what happened there
or didn't happen?
MR. COHEN: So, a couple thoughts on digital
certificates in general. One of the -- so, the way I
think about digital certificates is that they're
generally being analoged to the cards that you have in
your wallet. So, you have a bunch of identity tokens in
your wallet as an adult, and they represent different
things that people have said about you. Your driver's
license, the DMV says you have passed the test to drive;
the AAA card in my wallet says I'm current with my AAA
membership if I have one; my student ID says something
else about me. Those are certificates in the real
world.
So, digital certificates would be essentially
the same thing, analogous to each of those things in the
virtual world, and they can carry the same kinds of
identity information about the bearers, you know, a set
of claims, he's over the age of something, has brown
hair, you know, whatever the claims may be, is a student
at, you know, some university.
2
38
And so in the context of COPPA, what a digital 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
certificate might do is allow somebody who has been
issued the digital certificate by, you know, an approved
issuer, like Denise or somebody, the ability to present
that token at a bunch of relying parties, a bunch of
sites who will accept it. So, it's more of a vehicle
for conveying the trust that's been created during an
issuance process, during the approving process, than
necessarily an approving process that would stand alone.
So, the interesting question is, where are they?
And, you know, that technology was nascent ten years
ago. It continues to be nascent. And part of the
reason for that is that there haven't been huge needs
over the last ten years, although we're beginning to see
them now, that would drive that kind of technology into
consumers' hands, into citizens' hands. The kinds of
needs that we see are the kinds of ones that we see
here, where you need to get a reasonable proof of
something, in this case verifiable parental consent, at
a reasonable level of assurance, you know, how strongly
do you want to know that that is the case, and we see
similar needs in other industries that are, I think,
going to drive some of the adoption of this stuff.
Denise has done some pioneering work in this
space. Microsoft actually has spent some time with her
2
39
collaborating, but, you know, in places like health care 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
and places like finance and places like, you know, tax
and government transactions, as those kinds of things
move online, I think we'll see more needs to use digital
certificates in a significant way, and that might help
bring it in a more meaningful way into this space. But,
you know, at this point, it's rather nascent, and we can
talk a little bit more about it if --
MS. KRESSES: Do you think that the popularity
or the rising popularity of OpenID and, you know,
services like OpenID or Facebook Connect, Google Buzz,
and all the other ones that I can't think of, whether or
not that in any way could push a movement towards, you
know, using some sort of digital certificate or ID for
parents?
MR. COHEN: So, here's the way I would think
about it, is that there are lots of ways to issue IDs.
OpenID is an ID, my driver's license is an ID, and those
IDs are only as good as the strength of the issuance
process. And so one of the things that I think
policy-makers need to grapple with is you can apply a
very robust issuance process, you know, the kind you get
when you go through -- when you get a passport or a
driver's license, to an OpenID, and that would be a very
strong process backing a not-so-strong usage, or a
2
40
different way to say that is you can issue me a very 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
strong credential, but if there isn't security attached
to it after the fact, it's just a user name or password,
and I can give it to you or I can give it to Denise or I
can give it to Ron. The subsequent uses aren't very
robust, and that's sort of challenging, or I can attach
to a smart card or something very robust, and then I end
up in a place where I have a much higher level of
assurance that the person coming back is the person it
was actually issued to begin with.
So, the things like Facebook Connect and OpenID
and Info Cards and the various technologies in this
space are all great things to pass around claims about
people that have been made, but they're only as strong
as whatever offline or, you know, online issuance
process backs them. So, we end up in the same place.
I can issue you a very strong digital credential
based on email-plus, but it's only as good as the
verification that occurred up front. So, they are a
vehicle for disseminating proofs.
MS. TAYLOE: I would say Facebook Connect and
OpenID and all of that, though, works great for the
parent. So, earlier somebody was talking about how
Facebook Connect works. So, if you said, "Hey, parent,
we need you to create your parent account, you can use
2
41
your Facebook log-on to do that," most parents or a lot 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
of parents now have Facebook accounts. You can suck up
the data about them from their Facebook through the
open -- the API that's provided, present that to the
parent so they don't have to fill in any of the
information, then layer it with it's either an email to
them that they click, now you have an email-plus, but
they can now do this with their Facebook account, you
know, logging on to deliver the consent going forward.
So, I think those things actually play in in creating
the accounts as well.
MS. KRESSES: We got a comment just a couple
days ago about advocating for the use of eSign for
parental consent, and actually, this is something that
we thought about. You know, it's not uncommon to just
now type your name into forms.
And, Alan, how do you see -- do you see the use
of eSign as workable for providing reasonable insurance
of parents or --
MR. SIMPSON: I think it's a reasonable place to
look, because Jules' point is very valid. I mean, all
of these are undergirded by how robust is the system
beneath it, and actually, when we were talking about
that, I had a flashback to friends of mine -- not, of
course, me -- faking their IDs back at certain ages.
2
42
All of these things can be built around. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
But having something better, having something
like eSign, where the balance between accessible
technology, easy technology, and some greater level of
verification is where we're, I think, aiming. The
perfect won't be reached. So, is eSign an option?
Would it get more parents engaged?
I liked the point that someone made earlier
about not even just some of the benefit here of
notification, at least getting parents engaged in the
fact that your kid is now going to this site. Okay,
maybe I didn't really get an informed consent there, but
maybe I got a slightly greater awareness on the part of
that parent that this is what my kids are doing.
MS. KRESSES: And with that would you want to
see an opt-out as far as your parent -- your children --
your parents are engaging on a site.
You know, would you want to see an opt -- do you
think it would be sufficient to give parents an opt-out
in certain circumstances?
MR. SIMPSON: I think it would help a lot. I
mean, that's sort of shorter-term engagement that we can
kind of guess in this space that those things might be
helpful. Getting an 18-page document isn't going to
work. Being asked to print out and sign and fax
2
43
obviously has only been taken up by so many. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. KRESSES: Um-hum, okay. Let's go into
mobile phones, and we're going to delve a little into
Martine's experience and really do welcome, you know,
questions and comments, too, as we face new -- you know,
new possibilities and we closely consider them.
So, obviously it's been said many, many times
that mobile phones are becoming a central mode of
communication, and we know that they're being used as
payment devices as well, and, you know, in other parts
of the world, it's been going on longer than here. So,
you know, I want to ask the question of what role can
they play in parental verification and when? When would
it work if there's a role?
So, let me just start with you, Martine, and if
you could give a little background on what you're
contemplating for a potential mobile phone method.
MS. NIEJADLIK: Okay. So, first, let me just
say that mobile obviously comes up a lot, and it can
mean many, many different things. It can be used in
many different ways. And even when you talk about
mobile payments, which is what I say we do as a company,
if you talk to PayPal, they'll say they do mobile
payments and it's actually very different from what we
do.
2
44
So, let me just take a minute quickly and just 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
describe what it is that we do and then what we're
thinking about in terms of authentication. So, some
people joked earlier about texting American Idol and
weren't really too familiar with that or hadn't had that
experience. I'm going to take you into another
experience now.
So, pretend you're on Facebook and you're
playing a game, Farmville -- who's heard of Farmville?
-- a lot of people, okay -- and so you want to buy a
tractor for your farm, right? You want your farm to be
really great and you want to get a tractor, because
you're tired of mowing the lawn, and the tractor costs
$5. So, one of the things that you can do now is you
can pay with your mobile phone, and what that means is
that we will charge direct to the carrier.
So, there's no credit card, there's no bank
account. The way the flow looks is that you say I want
to buy a tractor, you click on "pay by mobile," you give
us your telephone number, and then what we do, for every
transaction that comes through our site, is we send an
SMS message to confirm that it's actually you who is
giving us the phone number and I'm just not giving
Rebecca's number, and then you have to reply to that
text message, and when you reply, we go ahead and we
2
45
bill the carrier. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
The billing, by the way, the way we do it occurs
through a platform called Premium SMS, which is
something that has existed for a long time for the
purchase of ringtones and other things that people use
on mobile, so we're leveraging that now to offer mobile
payments as an option. We're particularly focused on
digital goods and virtual worlds and social networking
and that whole sort of space, and one of the main
reasons for that today is because the carriers charge a
very large fee to be able to use one of these payments,
and so it doesn't make too much sense in the physical
world at the moment, but we certainly see it moving in
the direction -- and very quickly -- that it's going to
start applying to many other areas as well.
So, it's sort of the fact that we're in social
networking and digital goods and all that sort of stuff
is the main reason I'm here today. We certainly
recognize, as everybody knows in the room, that there
are children who are using these services, despite the
fact that, you know, Facebook says you have to be 13,
and particularly because we're a payment service, we
feel the responsibility to ensure that children are not
spending exorbitant amounts of money online, right, not
buying all this stuff and playing these games.
2
46
And so what we are contemplating doing now is to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
introduce another step into the payment flow whereby
instead of just directly texting the child to confirm
that they want to make a payment, the child's got the
phone, so, sure, great, let me make a payment. We would
instead text the parent. We may offer email as an
option as well if that continues to exist, ask the
parent if we have consent to, (a) collect the phone
number from the child to do the billing, and then (b) to
process the transaction.
We see actually some super-interesting things in
utilizing this technology. Number one is that one of
the downsides I think of email is that people can create
many, many, many, many different email addresses. You
can't really do that with a phone. I mean, yes, you can
buy prepaid cards. They're not very popular in the U.S.
They're more popular internationally, but it still would
be a burden to go and buy many, many prepaid cards to
try to get around that. So, it's very sticky, right?
As soon as somebody gives us a phone number and
gives us an age, you can't really just go back and say,
"Well, no, let me give you another phone number,"
because that's not your phone anymore. So, that's one
of the big benefits.
Two, we're doing this actual physical device
2
47
verification, which is extremely unique. I've been in 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the fraud space on the Internet pretty much since it
existed, and, you know, lots of companies now are
issuing these tokens, like you have a little PayPal
token you can carry around in your wallet. The fact of
the matter is nobody has them, and nobody wants to carry
around, you know, 50 of these things on their key chain.
So, this is a physical device that has already been
issued, is available to people, and people have it,
which is wonderful.
And so by doing this type of verification, it's
much different from just asking questions -- you know,
what's your mother's maiden name, what's your password,
what's this, what's that -- and then you get people who
try to steal that information or guess that information,
those kinds of things. So, that's a big benefit as
well.
Today, in the mobile industry, there are tools
available, and we actually see there being even more
tools being available. So, in the U.S., for example, I
think pretty much all the carriers offer the ability to
block Premium SMS. So, when a parent issues a phone to
a child -- and they may or may not realize today that
that's a payment instrument, they will figure that out
eventually soon -- they have the ability to say, "Well,
2
48
I don't want this physical device to be used for 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
payments," and they can issue that block.
I've already, just yesterday actually, heard
that there are other countries that are getting on that
bandwagon as well. So, that's great. It's a very
global payment option. So, we today are live in 60
countries with almost 200 carriers, and we reach 2
billion people out of the 6 billion in the world. So,
there are 2 billion people that have phones that could
pay through our service that are SMS-enabled, et cetera,
et cetera. So, that's fabulous as well. So, a lot of
people have phones.
MS. KRESSES: If you could -- I am going to ask
you the question first, and then I am going to ask some
other folks on the panel, too. What do you see as --
you know, looking at the standard that, you know, it has
to be a -- you know, a method reasonably calculated to
obtain verifiable consent and reasonably calculated to
ensure that it -- that the person giving consent is the
parent, what do you see as the challenges to having that
level of assurance and what would you like to see, you
know, from other -- what would you like to see from the
carriers or the device makers, et cetera, that would --
if there are challenges that would change those
challenges?
2
49
MS. NIEJADLIK: Um-hum. So, Mamie, you and I 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
have chatted a little bit about this. I think another
thing that we're sort of thinking about is when a child
is coming through to process this payment, should we
bill the child or should we bill the parent, right? We
now actually have the opportunity to do either, because
we have collected the phone numbers of each one.
So, if, for example, we introduce the option of,
well, let me just bill the parent, the child is
certainly going to be less incented to provide their
best friend's phone number, because their best friend is
going to get in trouble when that charge shows up on
their bill. So, that's one thing that we're sort of
thinking about.
I think there's benefits to billing the child
and billing the parent, and I think that's something we
will probably test to sort of see what the acceptance
is.
I think in the mobile space, again, there are
tools, like blocking the Premium SMS that's out there.
We actually also got notice very recently that at least
one carrier in the U.S. is planning to build a zip code
verification tool. So, one thing we could do is we
could pass in the zip code and we could find out if that
was really the zip code associated with the plan.
2
50
So, we could say, for example -- we could even 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
do it location-based right? You could say, well, give
me the zip code of the child and give me the zip code of
the parent, and if those were in two totally different
places or neither one of them verifies with the carrier,
that could indicate that maybe this wasn't really the
parent. You could expect if the kid and parent is on
the same plan, they probably have the same zip code as
well.
So, lots of things like that that are coming out
in the industry that will make the verification even
stronger, but even today with the charge happening in
combination with the phone and just to your point about
parents not really using SMS, you know, I think -- I
think the tendency to use SMS is probably also a little
bit different if I'm just picking up my phone and I'm
just texting you versus if I have my phone and all of a
sudden it beeps and it says, "Oh, your child it trying
to do something. Are you okay with it? Respond yes or
respond no." I'm probably much more likely to be able
to do that and follow those instructions than just sort
of creating my own SMS.
DR. O'KEEFFE: I think the 30 percent of parents
that Amanda is mentioning are a lot of parents that
aren't using texting, so, you know, I was making
2
51
obviously a sweeping generalization, but when I see 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
parents come into a clinic, for example, or just walking
down the street or even my own town in Massachusetts,
which is a nice middle class town, you would be
surprised how many parents still aren't embracing
texting. So, some are cultural, some are socioeconomic,
we can't make global generalizations, but 30 percent is
still 30 percent. That's a lot of people.
MS. KRESSES: Let me ask Alan, and then we'll
take some questions. What do you see -- I shouldn't say
what do you see. Do you see challenges from either the
reliability standpoint or parents' acceptance of a
mobile system like this?
MR. SIMPSON: I see opportunity. I mean, there
are the same challenges for all of these things, but in
the earlier discussion about mobile -- and we talked
about this a little bit in our earlier call and I've
talked to a number of people about it -- I don't see why
you don't have mobile phone companies already out there
proactively saying, "Hey, when you're coming in here to
get five phones, we're going to make a hunch that you're
doing a family plan. Do you want to register those
phones to specific ages?" Totally an option. The FTC
obviously wouldn't mandate it, but why not enable those
phones so that you know which one belongs to the parent?
2
52
There is a signature on those phones. You know which 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
ones belong to kids that are under 13.
I'm not a technologist, but some of this stuff
seems -- the fact that we are increasingly moving into a
space where we can pay for things with our mobile phones
means we can do a lot of other things with them as well,
and I see a lot of opportunity there. I fully
appreciate Gwenn's point, but none of these things solve
for every family, and adding technologies that would --
DR. O'KEEFFE: What you said is perfect for
safety. That's a whole another issue.
MR. SIMPSON: Right. For safety, for a better
verification, that, okay, this phone -- again, there
should be an option, but why not have a family phone
system where we know that these phones are kid phones
that belong to this phone, which is a parent phone?
MS. KRESSES: And, Ron, you looked like you had
something to say.
MR. ZAYAS: Yeah. I think that it's a great
layer for three different reasons. Number one, it's an
opt-in from the parent. By saying at the point of
purchase when you're buying an iPhone or you're buying
any kind of a mobile phone or an iTouch or anything
else -- not that I'm a heavy Apple person -- but you're
making it aware to the parent that here is an extra
2
53
parent. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Sprint -- we have both AT&T for our iPhones and
then we have Sprint for our children's phones, and they
do a very good job of saying, "Look at all the things
that we have for kids' phones. You can locate them.
You can, you know, limit their amount of time. You can
do all these things with it." It's a great marketing
for the phone companies. It's a great way to make the
parents aware.
Second, the opt-in is good, because now the
parents who want to put this protection, put it in, and
the ones who don't, don't. The second thing is that it
can apply to lots of different areas. Cable connectors
can do -- you know, your cable provider can do this in
many different ways, too, obviously limit it to the
computers, but you can have a token where they log in --
where the child logs in or the computer IP comes in, and
right away, you can log a computer and say, "This is a
computer that my child uses, and I want them to know
that."
The third level, though, here that needs to be
very important, and if it becomes one of these standards
where the FTC can help promote this, is if you say to
the Facebooks of the world and the MySpaces, "This is
something that's available. This is something that
2
54
meets this requirement, and we think it's a good way of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
doing this," it puts a lot of pressure on the content
ones to not only say the token exists, whether it's an
OpenID or whatever it is, the token exists, but on the
other end, if the token does exist, you probably should
be listening for that token and you should probably be
respecting that. That's a very strong rule that, when
you put it on top of all the other ones, ends up
covering a lot of people.
MS. KRESSES: Okay. Yes, Peter.
UNIDENTIFIED SPEAKER: (Low mic). There's
clearly a lot of vendors trying to solve this problem,
okay, and the big problem is the cost of going beyond
the email-plus, right, that no one wants to do the big
authentication piece, because the cost of acquisition of
a user is so high when you do that piece. But all the
different providers that have got solutions, I would
urge you, as a plea, to come up with a protocol, lay it
on top of OpenID or (inaudible) something like that,
that allows all providers to exchange the policy
information that the parent wants to that site, either
be it as simple as authorizing them to use that site or
to say I allow them to use this type of chat level or I
allow them to make purchases on the site or make friends
on the site.
2
55
But that's something the FTC could get behind. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
They can't get behind the vendor. They can't say, "Hey,
use this vendor or that vendor," but you could say,
"This is the protocol that will allow parents to share
the policy requirements to that site," and that's
something I'd like to see everyone get together and say,
"Let's do that." Hey, we're not in that business, but
you guys all are, so...
MS. KRESSES: Okay, yes.
MR. O'HENRY: Mark O'Henry with the Software &
Information Industry Association.
The only problem -- our industry is one of the
biggest fans of using encryption digital technology to
authenticate. The problem, though, is the standard that
the gentleman just uttered is not the standard of COPPA,
and that's the problem we have, which is how does the
infrastructure of digital certificates ensure that the
person providing consent is the child's parent? That is
a very unique standard which would require, based on our
experience, and I worked in the Federal Government on
this issue when you-all were -- I think I was still
trying to put together a bridge certificate policy.
That's not just a technological investment.
It's a broader investment about a structure that
verifies that, and that's the challenge we're going to
2
56
have with trying to take commercial models, which may 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
not need to have that level of insurance as it happens,
and applying it to the COPPA standard. That's the
fundamental problem we've got, is having it be
pervasive.
MR. ZAYAS: But nothing up here would meet that
standard today, so --
MR. O'HENRY: But because of the nature of
digital certificate technology, it's held to a higher
standard, because these things get as close as possible.
There is no equivalent in the digital certificate
environment.
MS. MARCUS: Did you still have a thought?
UNIDENTIFIED SPEAKER: Yeah. I was just going
to go back to the voluntary offering up of information
and designating individual devices as children's
devices. Since Heidi's not here to speak for the
telecom industry, I'll step in.
To what -- going back to our earlier sessions,
to what extent, if that's not in any way regulated, if
it's not required, if it's not designated as being
authorized, to what extent does that type of provision
of information to the telecom carrier constitute
constructive knowledge or actual knowledge and to what
extent do those telecom carriers have to process that
2
57
through all of their systems and to any of their 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
suppliers? Just the question is how far does that have
to go if you give that knowledge?
MS. KRESSES: Okay. And then let me turn the
question back, too, let's assume -- we're talking about
a lot of sort of at-purchase ideas, which are, you know,
great ideas, and we -- you know, we've heard talk of
them before, but let's just assume for the moment that
we have a parent who, you know, gave their kid a phone,
but they -- you know, they got it at the mall, and they
want to be out of there in five minutes, and they didn't
do any of that, and now, they have a phone for -- and
they want to use it as the means to getting payment, and
we'll assume for the moment that they're a law-abiding
child that identifies themselves as being 11.
Rebecca, in that situation, do you see any
concerns with the use of mobile or how do you equate it
as far as reliability to other systems?
MS. NEWTON: Well, in that instance, I don't
think it's any more reliable than any other method. I
think in the instance of -- where they've gone in and
they've registered and they've said this is my kid, then
it's obviously -- to me it's obvious that it's much more
reliable.
MS. KRESSES: Okay. And are there -- and I
2
58
guess I would throw it out, too, are there -- I think 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Martine raised a lot of suggestions for ways to increase
the reliability as the technology develops. Are there
other suggestions on using mobile and at the same time,
you know, ensuring added layers of reliability?
MR. LEMONS: Chris Lemons with RelyID.
I think part of the problem that we're seeing in
the market is that the methods on the right-hand side of
the slide up there don't actually achieve the general
standard that's on the left, but because everybody knows
they can do what's on the right-hand side, no one has a
marketplace to serve. So, as somebody mentioned
earlier, the conservative approach is pick one or two or
three of the things on the right-hand side and let the
kids lie, instead of going out and searching for
something that actually achieves what's on the left hand
of that slide.
I think one approach for the Commission might be
simply to get rid of its listing of methods and fall
back on the standard that the general standard is the
standard, and use some discretion about not enforcing
that strictly until there's good technology out there,
but signal to the market that what's currently
acceptable isn't gonna be.
MS. KRESSES: Okay. Well, that's a lot -- doing
2
59
a lot of things, so changing it just to the general 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
standard and sending a signal and you're probably
scaring a lot of people in the room, but actually, that
is one of the questions that we wanted to touch on
today, and we'd love to hear other opinions, is what is
the better way to move forward and what is the better
way to give guidance?
Is the better way to give guidance to simply
have the general standard? Is it helpful to enumerate
possibilities and potentially add more to the list or is
it better to get rid of the list? So, for a couple
minutes, we would welcome thoughts on that.
Parry?
MS. AFTAB: The real problem here has always
been, from the beginning, is you never know if you have
got a parent, and not only if you have got a parent, you
don't know if you have the custodial parent who has the
legal rights over this kid, and the only people who know
that, if the kids are in school, are schools. So,
they're the ones who know which parents are really
parents, who has the authority, the people who are on
the forms, the people who can do that, and until
somebody works on a model that can deal with schools and
not offend FERPA, so that you can conform, and I think
as we're looking at mobile technologies, finding schools
2
60
that will partner with you, maybe if we just start with 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
private schools that don't have to contend with some of
these issues, you turn around and say to the parents,
"You can authenticate with the school, one-time
authentication, we will know that you're the parent,
thereafter you'll have it," you are starting to see that
model work.
It's not scalable at 425 million people on
Facebook, but it will work for the sites that are 500
million to -- 500 million -- 500,000 to 2 million, which
is a lot of the preteen stuff. It's a good way to get
there. Unless you work with the schools, you're never
going to get the stuff, because nobody else has this
information.
MS. KRESSES: Okay. And we are going to go
right to that in a second. I just don't want to
preclude the opportunity if anybody else has a thought
whether the standard should be broad, narrow, longer,
shorter.
Sheila?
MS. MILLAR: Yeah. I think there are two
things. One is that the different methods that satisfy
the rule are related to the information collection. So,
you allow for email-plus where you're only doing interim
marketing to the child. The other more robust methods
2
61
involve data sharing and disclosures, and so I think we 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
need to keep those different marketing opportunities or
different disclosure issues in mind when we think about
the methods that satisfy the rule.
I think having the enumerated methods which
people are accustomed to after 12 years of dealing with
COPPA remains helpful, but exploring new methods,
whether it's new ways to look at digital signatures
where you can actually sign on your computer or mobile
technologies, mobile phone technologies, all of that is
worth exploring, but I think we have to go back to
certain methods, you may require more robust methods for
different types of data collection and use than others.
MS. KRESSES: Okay. I think we had a question
here first and then we'll go to Phyllis Spaeth, right in
front of you.
UNIDENTIFIED SPEAKER: Let me just say that I
feel like it's deja vu all over again. It's like we're
repeating the conversation from when the Rule was first
adopted, which is the problem with just going to a
general standard, is read literally, we would have to
provide a birth certificate and DNA sample to meet the
standard. Everyone realized that was absurd for a lot
of reasons. It didn't achieve the goals of the Act and
it also was just impractical.
2
62
So, the methods, again, to repeat -- and we can 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
go back and check the transcripts from ten years ago --
these came as close as we can to creating a legal nexus
that suggests, better than nothing, that the parent is
the person signing this or doing the things that are
there, so...
MS. KRESSES: Okay. Phyllis, can I bump you,
because the other Phyllis just told me how little time
we have left. So, let's save it until the end of the
discussion.
So, Parry raised the school model, and, wow, Ron
has something to say about the school model. So, I --
you know, and again, because I poorly managed our time
here, Ron, if you could give us just a brief synopsis
of, you know, what you're trying to do and a little bit
of what you see as the opportunities and the challenges.
MR. ZAYAS: Very quickly, eGuardian came up with
the idea or worked with -- everybody comes up with
different ideas -- of going through the schools and
saying the school is a great place to verify. They know
the parent. They know the custodial parents. They know
the age of the child, and it's very hard to fake. You
can't just say "Well, I screwed this one up, let me
create another child at another school." You just can't
do that.
2
63
So, we work with the schools, and originally, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
there was some push-back from the schools of dealing
with a private entity and saying, "Why would we give you
that information?" And the legal hurdles were cleared,
you know, because again, the parent is initiating this.
The school is not giving out the information. The
parent is initiating the information. The school is
verifying it.
But realistically, we found a non-profit should
do this. A private entity should never have this
information. We looked at people who were trying to buy
our company, and we realized they were trying to buy us
for the wrong reasons. A non-profit, a third party, can
have this information, but that information exists.
Tap into that information. Tie it into an
OpenID or tie it into a type of token or certification,
and you now have something that you can uniquely give to
a parent who they can control, and they can opt in and
say, if this exists, places like Facebook should read
it, and MySpace and whoever else, if it exists, if the
parent or if the unit, the phone, whatever it is, sends
you an ID that says "this is the child and I'm the
parent," that should override anything the child types
in.
And, again, obviously our company does this, but
2
64
it's not the point of our company doing this. This 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
should be open to everybody. This -- as you were
saying, open to every company that's out there, but we
have that information, at least in the U.S., and in most
western nations, it exists, and if somebody just pushed
it a little bit, if somebody said this could be one of
the ways to meet that, I think you'd see a lot of
websites starting to take that information.
MS. KRESSES: Adam?
MR. THIERER: A very brief question on that
point. Adam Thierer with The Progress & Freedom
Foundation.
I do wonder if we want to make schools into DMVs
for kids, because there are liability questions and
privacy questions that pervade the use of personal
information about kids, and if we made this a new COPPA
standard, I mean, we'd be requiring, you know, check
points at every school door for credentialing kids to
say, you've got to hand over information to do what? I
mean, that puts the schools in a really difficult bind.
It also raises the question of is there greater
potential for identity theft because of this? And then,
of course, there's the question of what about -- are we
incentivising kids, instead of to lie about their age,
to trade -- to barter in digital credentials? I mean,
2
65
older brother giving to younger or whatever? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. KRESSES: Let's do this: Let's let Ron --
can you back up a little and tell us actually what
information you get, who you get it from, who verifies
it, and then what people either carry in their heads or
in their hands?
MR. ZAYAS: The parents tend to provide -- first
of all, it's always initiated by the parent. The parent
has to say, "I want to verify my child." So, the parent
would say the child's name, the child's age, who they
are, and a physical address and a signature, and there's
an electronic way of doing that, we won't go into that,
but the school then gets the information and verifies
it.
By the way, schools do that today. There's the
YMCA, there's soccer, there's lots of different areas
where you have to verify the name and age of child, and
the school is the way to do it, and they already have a
process for doing it. They already have an individual
there generally who's bonded to be able to do this. So,
the liability already exists or the function exists to
do that.
The second thing is that once the parent does
that, then they're issued an ID, and that ID should not
have anything other than the parent's email, their
2
66
verified email, tied to it. So, you're not pushing out 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
information on this is Bobby Smith. That should be an
anonymous token. It simply says, though, that now that
it's tied to this log-in, if there's ever a problem or
we need any verification, we know the email that we're
going back to. And if you do that, I think you're
protecting a lot of information.
The parent can even release and say, "You know
what? I want to release my child's age," which
automatically gets updated, but it's the parent's
decision to decide what gets updated, and by the way,
you could have different levels. For one type of
website, you might want to release other information.
For some, you might only want to release the most basic
information. But it puts the control back in the
parent.
MS. KRESSES: Okay. And I think, John, you had
a comment on this procedure as well?
UNIDENTIFIED SPEAKER: Yeah. I mean, just kind
of the broad comment that, you know, imagine we could
come up with a system that provided a unique digital
certificate for all school-age kids in the country. I
actually still don't understand how that works in
practice for sites like Facebook or MySpace that are, in
fact, intending to reach both older minors and adults,
2
67
because, I mean, you know, a child gets on and says, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
"I'm 18 years old," and so, you know, do we have to go
verify and identify all 400 million Facebook users in
order to be able to force those who have these
identifiers to come up with it? You know, so, I mean,
it can work in some scenarios, but I'm not sure it works
on a Facebook.
MR. ZAYAS: And we see it -- and we worked very
closely with Facebook, by the way -- we didn't get
anywhere, but we worked very closely with Facebook --
and now that Chris Kelly is running for Attorney General
of California, we haven't gotten his full attention.
The main thing here, by the way, is not
necessarily that you go backwards, but it's tying that
ID to certain -- if I say, "I want that ID sitting on my
child's computer," then when my child uses that computer
and goes to Facebook, it's being transmitted then. If I
say I want it on their phone, it's being transmitted
then. And if I don't want to have it on their phone,
then I don't do it, and my child is free to do whatever
I want.
But the idea would be that as Facebook gets
somebody coming onto their site that's saying, "I am on
a protected or I have an ID that's being transmitted,"
that they would listen for that ID, and that now they
2
68
know who the parent is. That's the whole idea. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. KRESSES: And, Jules, do you have any
thoughts on how -- whether this is a useful system and,
if so, how it could be furthered? Is there -- it sounds
like, you know, Adam's raised the concern, you know, of
privacy concern, and John has raised more of a
technology concern. Do you have any thoughts on either
of those and whether this could be use understand some
way that would avert those?
MR. COHEN: There are certainly ways -- so,
generally speaking, the schools are an authoritative
source for some pieces of information, just like for
adults, you know, there are other institutions that are
an authoritative source, and if you want to -- as a
policy-maker, if you want to say this is the level of
assurance that would be required for this kind of a
transaction, then it might be interesting to look at
schools as a source of that information. We've talked
about this in the past, you know, as a group.
The thing that I think is important is to
separate the method of getting that level of assurance,
the school or the DMV or the email-plus, whatever that
method is, from the technology that's used to convey
that piece. So, the technology that's used to convey it
might be a phone or it might be email or it might be a
2
69
smart card or various different levels of assurance, but 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
that's the piece that the technology can manage, and the
technology can manage how secure that is, how privacy
friendly that is, and there are a bunch of policy levels
that you can tweak inside the technology ecosystem.
But I think the key thing is to separate the
technology decisions that are made from the policy
decisions that are made about the proofing process and
what is the right level of assurance. I think
separating those two helps sort of keep the conversation
going.
MS. KRESSES: I hate to do this, but I am going
to take two questions or thoughts and then we have to
stop. I think Kathryn's hand was up first.
Oh, yeah, you know what, that would not be
right. Phyllis has been waiting, and then we'll do
Kathryn.
MS. MONTGOMERY: All right.
MS. SPAETH: I'll be really quick.
I was just wondering -- and I know we've
discussed this, Mamie -- in light of the fact that all
new computers now come with internal cameras and
internal mics, what about using something like Skype?
MS. KRESSES: And that's a very good point that
we were going to get to, so I'm glad that you raised it.
2
70
And Kathryn? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MONTGOMERY: Well, this is a very
interesting discussion, and whenever we go down this
road, I start getting the heebie-jeebies, I have to tell
you. As a parent and as a privacy advocate, a lot of
these solutions sound like they may, you know, raise
more problems, and some people have, you know, raised
that question as well.
I want to ask a couple questions. One, you
know, we know these methods are imprecise, you know,
faulty. From the beginning, we knew that. Has there
been any assessment of how they're being used, how
effectively they're being used, what works and what
doesn't work? And I had to step out for a few minutes,
so if you've addressed it, I apologize.
And secondly, you know, to what extent are
parents opting in to things they don't fully understand?
And because one of my concerns is that these methods --
that everybody is focusing on these methods in order to,
you know, maximize data collection, and I want to ensure
that the principle of minimizing data collection is
adhered to here and the focus on marketing safeguards
for children.
MS. KRESSES: And those are good questions, and,
you know, we don't have any data on that, and we can't
2
71
really answer this second, but these -- you know, again, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
I mean, I think a lot of good thoughts have been raised
from a policy perspective, a technology perspective, and
a parental acceptance, and other things. So, I
really -- again, as in every panel, we urge you to
comment from any of those perspectives, and, you know,
if you know of others that should be commenting, to get
the word out.
So, we're going to end this panel and move on to
Panel Five. Thank you.
(Applause.)
(Brief recess.)
MS. MARCUS: I really thank everybody for
hanging in there with us. This has been an enormously
substantive day, and I know that it's a lot to wrap your
heads around. Mamie and I often joke that COPPA is
Talmudic in its complexity, so we have dealt with a lot
of brain-benders today and we will deal with just a few
more as we talk about COPPA's exceptions to parental
consent.
I'd like to introduce our panelists.
On your left is Parry Aftab, the Executive
Director of Wiredsafety.org.
Next to her is Izzy Neis, the Director of User
Engagement for Gazillion Entertainment.
2
72
Then Dona Fraser, the Director of Privacy Online 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
for the Entertainment Software Rating Board.
Mamie is directly next to me.
To your right, Susan Linn, the Director for the
Campaign for a Commercial-Free Childhood.
Then John Smedley, the President of Sony Online
Entertainment.
Roz Kitchen, Partner at Cohen Silverman Rowan.
And finally, Peter Maude, Chief Technology
Officer for Crisp Thinking.
In this panel, we are going to talk about
COPPA's exceptions for parental consent, which were
actually built into the statute. I am going to put an
enormously densely-worded slide up. You do not need to
memorize it or read it now. I am small enough that I
think I am not blocking the little bit of language at
the bottom, and you also have it in your packet.
But suffice it to say that there are some
exceptions built into the statute where the requirement
of prior parental consent would not come into play,
primarily for an operator's collection of a child's
online contact information. And just as a reminder, the
Rule defines online contact information both as an email
address, an IM identifier, or -- I don't have the slide
in front of me -- it would be other means to connect a
2
73
child online, but not as expansive necessarily as we 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
were talking this afternoon about personal information.
I'd like to start with a basic question for
those of us at the table -- myself excluded, actually --
who were there at the beginning of COPPA as to why
Congress built in any exceptions to verifiable parental
consent.
Parry?
MS. AFTAB: Okay. When it comes to the oldest
person at the panel, I tend to fit there. So, we were
there in the very beginning of when COPPA became law and
when the FTC said if you don't listen, we're going to
make a law, and everyone said yeah and didn't listen, so
they made a law.
We need to understand that in the beginning, it
came out against marketing. It all started with
kidscom.com and then the CME letter that Kathryn's
talked about, and it was all about marketing. What
information are you collecting from kids? How are you
using it? How are parents engaged? What do they know
about what you're doing?
During the process, however, it also became
about safety, and because the FTC has dual prong, both
consumer protection and safety jurisdiction, it became
about protecting children from sexual predators. And
2
74
you have to remember, we're talking about 1997, 1998. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
That was what everything was about on the Internet.
Everyone was afraid that their children would be
abducted immediately if they met anyone on the Internet.
So, as they started looking at what we can do,
we recognized that we wanted to protect children from
giving away too much personal information online and
communicating with Internet sexual predators, who would
immediately come to their house and abduct them, and an
awful lot of that had to do with offline contact
information. Where do you live? How can I find you?
How will I find you on the street and grab you and steal
you? And so a lot of it came from there.
At the same time, we recognized that if we were
going to get parents involved in whatever was going on
and try to get their consent or notify them, we had to
reach them, and we were concerned that any other way
wouldn't reach the parents unless we did them through
the kids. So, we had the ability of the sites to
collect certain kinds of information for certain limited
purposes and deal with it in that way, and at the same
time, we were protecting children from sharing offline
information.
We further recognized that there was a need for
the sites to protect themselves -- the security of the
2
75
sites themselves, the safety of the children while they 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
were there -- and if parents weren't giving consent, did
that mean that these children would be lost forever in
cyberspace? And so as we looked at the exceptions, it
was you don't have to get prior consent, you can keep it
under certain circumstances, and here, more than any
other place, you will see that you deal with use, not
information.
So, although we deal with offline contact
information there, a large part of it is, how are you
using the information you have? And so we see more of
that in this section than you do in others. So, it was
very practical and fear-based as we were doing that.
Now we recognize cyberbullies are kids who go to
the kid's school and they know where you are all the
time. There is less of a concern about Internet sexual
predators -- serious risk, but not as prevalent as
others -- and I think that sometimes the exceptions are
eating the Rule.
MS. MARCUS: Okay, and we will definitely
discuss that in this hour together.
Dona, do you agree or is there something you
would like to add?
MS. FRASER: No, I agree. I think, in addition,
Congress I think did not want to unintentionally
2
76
interfere with a child's ability to enjoy the Internet 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
as well as be able to access timely information, either
from their schools or libraries or things like that.
So, I think there was certain consideration given to
that as well.
MS. MARCUS: Kathryn or Angela, what do you guys
think?
MS. MONTGOMERY: Oh, thank you, I am sitting
here trying to remember it all. I don't remember in our
discussion so much of a focus on safety. You know,
Parry's right, that was the kind of era that we were in.
There was a lot of public debate about it, and COPPA got
discussed in that context, but as I recall, it was to
try to create some balance between ensuring an online
experience for young people that would allow them to
interact and enjoy and be online, but to do it in a way
that circumscribed the ability of online marketers to
effectively target them and to maintain ongoing
communication with them.
So, I remember examples -- and, Angela, you can
correct me if you remember it differently -- but I can
remember discussions about creating an online
newsletter, for example, that you would like to be able
to have them get and could we do that. My concern was
always, is that an online newsletter that's basically a
2
77
marketing message that's going to come to them every day 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
or every week? But it was really framed more in the
context of educational content, informational content
and a good experience, and --
MS. AFTAB: But the chat part about posting
personal information had to do with -- predators.
MS. CAMPBELL: The chat was a kind of add-on.
MS. MONTGOMERY: And you're right, it was a set
of hopefully practical ways to deal with all of these
things.
MS. MARCUS: What I'm hearing is that, you know,
for a variety of reasons, the collection of online
contact information was seen as possibly slightly less
of a privacy concern in this context.
MS. MONTGOMERY: Yes, that's true.
MS. MARCUS: And I'm wondering if that's still
the case.
Susan?
MS. LINN: Well, I was struck by what Parry just
said, that what we found is that there's -- that sexual
predators are less of a concern.
MS. AFTAB: Not less of a concern. Less of a
overhyped concern.
MS. LINN: But no, you're right. No, I'm
supporting what you said, but I think that the converse
2
78
of that is that marketing to children has escalated just 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
exponentially on the Web, and that's really where the
primary harms are, and I think that we've hardly touched
on marketing today, really, and what we haven't talked
about are the harms of marketing to kids, and I think we
need to at least say that marketing -- research shows
that marketing is a factor in childhood obesity, eating
disorders, precocious sexuality, youth violence, the
erosion of creative play, which is the foundation of
learning, and also the acquisition of materialistic
values, the false notion that things we buy make us
happy, to say nothing of underage tobacco use and
alcohol use.
So, I think, you know, that I, you know, share
Kathryn's wish that children have a nice, happy, fun,
productive, educational time online, but I really think
we have to deal with the marketing.
MS. MARCUS: Roz, what do you think?
MS. KITCHEN: I honestly disagree with Susan,
because I think that generally as COPPA has evolved and
more and more responsible companies are reading the
statute and thinking, "oh, my gosh, what do I have to
do?" they're tending to take a step back and saying,
"you know, we might have a couple of kids' products out
there, but we're not -- our target audience is not the
2
79
child. It's the mom who's going to the store and buying 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
it or dad who's going to the store and buying it."
And so they are -- from what I've gathered and
from my clients, I'm seeing less of a push to market to
the under 13s, more of a push to market to their parents
for sure, and a lot more responsible -- you know, the
companies that are sending people here today, the
companies that pay for me and other people to represent
them, they are the ones that are kind of making sure
that they've complied, because they are a direct
children's website or they are directly involved only
with that space in the marketplace, so they have to
market to children, there's no way around it, or they're
saying we really don't have to do this by virtue of the
products, the information, the services that we offer.
So, they're taking a step back.
MS. MARCUS: Dona, are these exceptions widely
used?
MS. FRASER: I think that they are. I think
primarily you're probably looking at the ability to
obtain verifiable parental consent, and the one-time use
for the companies that we deal with, those are the ones
that I think they are mostly used.
MS. MARCUS: And the one-time use, we
affectionately call it the "one-time use exception," it
2
80
is number 2 on the screen behind me, which permits the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
collection of online contact information for the sole
purpose of responding directly to the child one time.
The information is not to be used to recontact the
child, and it's to be deleted by the operator
immediately thereafter. So, you see the use of the
one-time use exception in your experience?
MS. FRASER: Right. I think you're looking at
the password reset, you're looking at tech help, you're
looking at send-a-friend thing, those types of things,
one-time use.
MS. MARCUS: Roz?
MS. KITCHEN: "Why don't you offer this product
in green? I really like green. "
MS. MARCUS: But in addition to the one-time
inquiry by a child, what about what we call the
"multiple-use exception," which is number 3 and the most
densely worded of the exceptions? Do you see a lot of
use?
This permits an operator to collect the online
contact information from a child to be able to
communicate with that child more than once, but
immediately after communicating with the child the first
time, the operator has to send the parent an opt-out
notice.
2
81
Roz, do you see the multiple-use exception? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. KITCHEN: Initially in the promotions
industry, this exception was being used quite widely
with regard to sweepstakes entries, but more and more,
as we've kind of moved towards the collection of
user-generated content in connection with a contest, for
example, we're not -- you really don't fall within the
exception. So, if you're being responsible and you're
reading the statute fairly narrowly -- and you guys know
I take a fairly conservative position, especially with
regards to sweepstakes and contests -- but when you're
talking about children's entry into that, what
information they had to provide, this online contact
information, which can't be used for any other purpose,
well, if you're in connection with a contest and you're
collecting user-generated content, that perhaps you're
putting a video on a website where they have
identifiable features in that video, it's more than
online contact information, and the marketer isn't going
to go to the trouble of doing all of this if they can
only use it in connection with that contest. They may
want to go beyond that, and if they've got -- you know,
so they'll take other steps to get parental consent
without falling under this exception, is the things that
I am seeing.
2
82
MS. MARCUS: What about Kathryn's example of 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
newsletters, an ongoing communication with the child?
MS. AFTAB: That's where we're seeing it used
most often, is newsletters, e-news, alerts, new
products, information about a new feature on the site,
something really cool that's come out, and so we see
that repeated newsletter or notices to the kids at the
site.
MS. KITCHEN: Signing up for a catalog, consent
to a catalog.
MS. AFTAB: An online catalog, sales, that kind
of thing, new offerings in virtual worlds. Now you can
buy a new tractor, now you can buy a new fish, now you
can go to outer space.
MS. MARCUS: Izzy, what's your experience?
MR. NEIS: I'm pretty well immersed in the
industry in general for kids. I have my email all over
the place, like logging in as a child, because I want to
watch how safety is used in practice, in follow-up. For
the most part, I am not as concerned about the
collection of this kind of data for companies that are
built for kids, because they understand these
limitations. They're following the rules for the most
part, and if they don't, they usually get their hand
slapped relatively quickly, because everybody is very
2
83
concerned about making sure we stay with safety. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Where the concern comes with marketing-type
collection of data isn't so much in this process. It's
more what everybody has been talking about all day long
about data mining and all of that, and that doesn't have
necessarily anything to do with this directly, what
we're talking about at this time. So, getting off on
that tangent probably isn't ideal for this conversation.
But for the most part, everybody is dealing with
newsletters, alerts, just as Parry said, 1V1 email
contact, so it's basically customer service stuff, like
"I lost my potion. Where is my potion?" You know, you
tell the child, "Well, here's your potion," that kind of
stuff, or whatever game they're playing.
MS. MONTGOMERY: Can I ask a question, because I
wanted to know how this all turned out?
So, am I hearing you correctly that kids are
being targeted then with email communications for
products and with advertising?
MS. NEIS: No, because of the --
MS. MONTGOMERY: I'm asking Parry, actually.
MS. AFTAB: I wasn't sure. What will happen
is -- well, yeah, I don't know that it's targeting
specific kids. It's targeting all kids. So, if you are
not XYZ Virtual World and they have a new character that
2
84
you can now earn, they'll say there's a new character 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
out there, and you're going to have to earn 2000 points
or you'll have to do that, or there's a new section of
the world that has these new things that you can engage
with.
What we're seeing as the multiple-use exception
is it's the constant communication about the world,
about opportunities, about newsletters, about alerts,
about a whole bunch of different things. It's not
profile targeting to kids in that specific instance. It
is information that's out there about anything new
that's happening at the site.
MS. MONTGOMERY: I want to follow up.
MS. MARCUS: Hold on, Kathryn.
MS. MONTGOMERY: I just want to --
MS. MARCUS: Well, wait. We are definitely
going to get to misuse. That's my next question.
MS. MONTGOMERY: I worry that these will create
some loopholes.
MS. MARCUS: Okay. Well, we're getting there.
Guillerme?
MR. ROSCHKE: Yes. I have a question about the
newsletter issue as well, and I'm wondering if people
have more information on how they work. My
understanding is most of email newsletter services
2
85
actually track whether the emails have been read. They 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
track what links people are clicking on. Would that
information collection stay under the exception of, you
know, here, this exception is only for online contact
information. That means that I shouldn't be allowed to
track whether the email has been read and whether any
links have been clicked on from the email. Is that
correct?
MS. MARCUS: Maybe. Maybe not.
MR. NEIS: From an operator's perspective, it's
very hard to narrow down to an individual which
person -- it's kind of costly to be like, okay, I sent
out 30,000 emails to the people who opt in to the email,
and now I'm going to track down to this one person to
see if they've opened up the links. It's timely and not
necessary. You don't really see that happening in
operations.
MS. MARCUS: Dona, let's talk about misuse. Is
this what -- you know, what your interpretation of this
narrow exception is?
MS. FRASER: I think that you have companies
that are -- oh, thanks. I think that you have companies
who are collecting the information and using it in ways
that clearly are not intended and are not giving the
parents notice, they are not giving them opt-in or
2
86
opt-out consent, and it may be -- I don't know, I don't 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
see Denise -- oh, there she is, okay. She and I have
talked about this on multiple occasions. I am going to
use the example that we've talked about, which is a
company that sends out a birthday notice email, and
they're collecting the email address simply to notify
you on your birthday. The next thing you know -- which
only should be one time a year, but now, the next thing
you know, you're receiving ten emails in the matter of
two months.
So, those types of things are happening, where
there's no disclosure of that information, where there's
no -- they have not allowed -- they have not told you
from the outset what they are going to do with that
information. They have only told you this is simply for
a birthday club or a birthday newsletter.
MS. TAYLOE: Which, technically, adding the data
for -- technically, adding data for -- to the email --
so, if you are going to use notice and opt-out, you are
supposed to have first name and email address. When you
add a date of birth, you have added a piece of
information that are you aggregating against that, that
should step you up to email-plus. If it stepped up to
email-plus, then they could ask permission to have this
sort of interaction, but instead, they are using notice
2
87
and opt-out in place of email-plus and adding this other 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
data.
And the other big one is user name and password
against an email address. The email is for newsletters,
but the user name and password is gathering points and
likes and dislikes. So, it's not that every kid gets
the exact same newsletter. They get something tailored
based on when they were last in that game or how many
points they might have or what they can do, so...
MS. FRASER: Right, and I think that -- I mean,
there are companies who are obviously using deceptive
practices. Whether or not it's an intentional act I
think is -- we don't really know unless we're dealing
with those companies specifically. There are some
companies who are just not aware of the law.
MS. MARCUS: Just not aware of the law or
perhaps reading this exception more broadly than it was
intended?
MS. FRASER: I think it's both.
MS. AFTAB: I think lots of confusion. They get
them all mixed up.
MS. TAYLOE: And copycatting. They go steal the
privacy policy from the other site. It's a big site
that sometimes gets it wrong. You guys have nailed a
couple big brands, right, that have big fancy lawyers,
2
88
and then other little companies are following them 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
saying, "Well, they do it so I should do it," but they
don't understand that, you know, Club Penguin actually
does a really good job of deleting a whole ton of data
that you type on one end that doesn't show on the other,
but the little new site that looks at it says, "Well,
they're using email-plus, so I can use email-plus, even
though I have a black list, not a white list." It's
copycatting from bigger companies.
MS. AFTAB: Most of them have no idea what
they're doing with information. They really don't
have -- they haven't mapped data, haven't mapped
information, and that's part of the problem. They think
it's just a newsletter, and they haven't thought it all
through, and that's a big problem. Big companies and
small companies alike.
MS. FRASER: I think because they don't know
they have to, honestly. I think there are some people
who are ignorant to the fact that this law even exists.
MS. KITCHEN: And I would also say, too, that a
lot of big companies rely on third-party vendors to
provide this service, and they're huge companies relying
on these little tiny vendors that don't go get the big
fancy lawyers or -- you know, and so it's kind of this
trickle-down effect of nobody knows what anybody else is
2
89
doing, and everybody thinks, well, because they're 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
so-and-so, they must know, but they're relying --
MS. AFTAB: And games and virtual worlds have
changed everything.
MS. KITCHEN: They really have.
MS. MARCUS: Susan, what do you think?
MS. LINN: The multiple-use exception is the one
that really troubles me the most of all of these
exceptions, and it troubles me for lots of reasons, and
one of them -- I'd like to go back to cell phones and
texting and the fact that kids are contacting these
companies. I mean, these companies -- like McDonald's,
for instance, had a text McFlurry campaign, and kids are
being encouraged to text just about everywhere they
look. So, they're contacting these companies. The
companies are getting back to them. Then they can keep
doing that or they can keep, you know, going back
without getting parental permission.
That's really, really troubling to me, because
the parents aren't going to have any idea of what's
going on. Once a child has a cell phone, there is no
way that the parents can know what that child's doing on
the phone. It's really -- I mean, it's really, really
difficult. So, once we get to mobile marketing, I think
that some of these loopholes and exceptions really need
2
90
to be closed, and that's the one that troubles me the 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
most.
MS. NIEJADLIK: I'm not sure if many folks know,
and I have no idea what the McFlurry campaign was -- can
you hear me? Okay.
When they create those sorts of campaigns, what
they are doing is they are doing it through a short
code, and so McFlurry is something that has been
assigned to McDonald's in that particular case, and
Haiti is another example that the Red Cross used when
there was the disaster in Haiti, et cetera, et cetera.
And in order to get a short code, which is the entire
way our company operates, you have to go specifically
request through the carriers, you have to submit a
campaign, and you have to say exactly what it is you're
going to do, and they specifically approve that one
thing, and you don't get to use that short code for
anything else. So, just a tidbit of information. I
mean, presumably --
MS. LINN: They don't get the child's cell phone
number or they can't contact the child again or --
MS. TAYLOE: Yes. You get -- I mean, when we
have a parent hit a short code back to create their
parent account, we get the cell phone number and the
carrier that it came from. So, is that typical? I
2
91
don't know if that's typical. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. NIEJADLIK: You have to receive that as part
of receiving the message, but there is an organization
called the MMA, which is the Mobile Marketing
Association, and they have rules against what you're
able to do with respect to SMS'ing people, and you can't
just randomly SMS them with marketing messages. You are
not allowed to do that. So, if somebody is doing that
in a short code, they are violating the rules, and they
can have the short code turned off.
MS. TAYLOE: Can you take the cell phone number?
Is there a rule against taking the number that you
receive and doing a data lookup, at Targets or Axiom or
Equifax or any of the other guys that have the cell
phone -- every time we make a purchase online and we
give them our cell phone, that data now goes to Axiom
who has 300 million of us sitting in their database, and
you can -- marketers can legitimately submit a cell
phone or submit a phone and get back the data that's
associated to it if it exists. Are there rules about
that, do you know?
MS. NIEJADLIK: I would have to check on that
specifically. Most of what we do is a response to our
own message and not just inbound, you know, receipt
randomly of messages.
2
92
MS. TAYLOE: Right. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. MARCUS: So, okay, we could go on this
thread for a while, but I want to get back to the
exceptions themselves, and what I'm hearing in the room
is that this multiple-use exception should be read very,
very narrowly. Do I see some assent on that? And
that -- and if people disagree, I would like to hear
that, but what I've been hearing from people is that it
should be read strictly to include only a child's online
contact information. So, if we're getting some other
piece of personal information from a child, for example,
their cell phone, that would be outside of this
exception at the outset.
Is there someone in the back?
UNIDENTIFIED SPEAKER: Yeah. I don't disagree
with that interpretation at all. What I think is
interesting is you can look at this as an exception or a
loophole that's being misused or you can kind of look at
this as being kind of almost like a lower verifiable
parental consent method, because it has this opt-out
requirement.
So, it might be interesting to think about this,
instead of them being misused, maybe -- or maybe
people -- instead of looking at this as people are
trying to rely on the exceptions too much, maybe this is
2
93
a reason for why we should expand the list of approved 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
parental consent methods and provide more granularity,
like maybe email-plus filtering or email-plus parental
controls, so that people go outside of relying on these
exceptions and go more the parental consent realm.
MS. MARCUS: I would say yes, but in this
instance, these exceptions were set forth by Congress,
so this is not a change that we could make here at the
Commission level. They were carved into the statute
themselves.
MS. KRESSES: You know, if that's a comment
that -- if people want to comment on added uses in this
regard, certainly they should do it, and if people want
to comment on, you know, restricting it, certainly they
should do it, because everything is open for discussion.
MS. MARCUS: And one last question for the
people on the panel with respect to this, is it possible
that what marketers and other operators thought was that
they could build, on top of the collection of online
contact information, other items of information that are
not considered personal under the Rule? So that perhaps
there was a misunderstanding, that they could collect
zip code, for example, which is not enumerated as
personal, and they could put that on top of online
contact information and then personalize a message to a
2
94
child and wouldn't run afoul of COPPA? 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
MS. AFTAB: Yeah, and, Phyllis, that's what I
see often enough, with even sophisticated people, they
think that they can do this because it's nonpersonally
identifiable on other things and it's attached to the
email. What we need to remind them is it's like the
Midas touch. You have got personally identifiable
information, you touch anything else, it becomes gold,
and they don't understand that, and that's been part of
the problem.
But they think it's okay that I understand that
this child likes baseball and this child has this
account and other things, because I'm only asking for
this piece of personally identifiable information. I
see that 80 percent of the time when I find problems.
MS. LINN: I think that's a really good point,
Parry, because one of the things that is concerning is
that younger and younger children are engaged in virtual
worlds where you bring a lot of yourself into the world,
and so these companies are getting lots and lots of
information about children's preferences, and, I mean,
it's really troubling, that information combined with
whatever personal information that they're allowed to
have, and that's concerning. They learn a lot about
these kids.
2
95
MS. MARCUS: So, I would like to move on to 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
another very hot topic, which is that of chat, and it
seems that chat in kids' spaces has become an
increasingly popular feature and with many sites
offering some format of filtered chat.
I'd like to talk about how children's sites that
offer chat are handling the parental consent process,
and I'll start, John, with you.
MR. SMEDLEY: So, I'm from Sony Online. We make
a game called Free Realms. We have had just about 12
million people come through, and probably 90 percent of
them are kids, and --
MS. MARCUS: Just to clarify, that's kids under
age 13?
MR. SMEDLEY: Yes. What we've found is that the
smartest thing to do is to use a white list chat method
and apply it to everybody. You simply cannot have a
really safe place where a 14-year-old and a 12-year-old
are going to have a conversation with open chat. It's
just -- I don't believe that's possible. I've been
making these games for, you know, 12 years now, and I've
got four kids under the age of 15, and, in fact, I've
been bitten a few times by a few sites. One of my
daughters got asked to be somebody's girlfriend, which I
was thrilled about, she was 11, so it was great.
2
96
It's a tough thing, because kids want to chat, 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
but there is no possible way to keep them safe without
doing some kind of a white list chat. They are smarter
than we are, and a black list chat simply doesn't work,
and we've seen both sides of this, and that's just
simply the conclusion we've come to.
MS. MARCUS: So, in your case, I'd like you to
describe what you mean by white list chat and then talk
about what Sony does on the parental consent process,
and before you do that, I just want to draw everyone's
attention to this slide.
Under the Rule, an operator would be deemed to
have collected information not just when they actively
collect information by requesting that a child submit
her information online, but also where an operator
enables a child to post her personal information; for
example, in a chat room or on a message board or by
other means. And then we have an exception: Except
where the operator deletes all personally identifiable
information from the postings by children before those
postings are made.
And so what that means is that when an operator
strips out personally identifiable information before it
goes live on a site, then that operator won't be deemed
to have collected that information. The information
2
97
will never have been disclosed to the public. And so 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
conceivably, in that case, an operator won't have had to
obtain parental content for that use if the operator
isn't collecting anything else.
And so what, John, you're describing is a white
list chat, and what is that exactly and do you have to
get parental content?
MR. SMEDLEY: So, our view is that you do not
have to get parental consent, because we're never in any
way, shape, or form letting a child give any kind of PII
whatsoever. So, we do not -- for example, our message
boards, we do not let under-13s post, period. We took
the safest approach. In our chat, you can only use
words that are preapproved. Does this make it really
messy and hard for kids to communicate? Yes. Do they
try to get around it? Yes. Are they successful? No.
And it's a constant battle, because they're
trying to come up with new ways, and you have to
constantly be trying to think ahead of what they are.
For example, oh, so let's not use numbers, so that
people can't communicate phone numbers. Well, you would
be amazed how many kids out there know Roman numerals.
MS. NEIS: Or fort fort high stick steven, ate,
A-T-E.
MR. SMEDLEY: Exactly. You constantly get into
2
98
this -- it's a never-ending battle, but we decided that 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the right way to fight is simply not to let kids chat.
They are basically picking from a preapproved list of
words, period, and we're making it that simple, and
we're applying -- because this game is directly designed
for young kids, we have made the choice that we don't
want older kids to be able to communicate with the
younger kids in any kind of, you know, really easy
manner.
MS. MARCUS: Peter, what's your experience here?
MR. MAUDE: I think, you know, our experience is
that the white list gives you that better protection,
but, you know, there are ways around it, and the
examples we have just been giving, sticks having to give
out numbers. If I give you two communication tokens, a
one and a zero, I can give out personal information. I
mean, it takes a lot to get around it, and there is no
way that can end up in the marketing database, right,
but it goes out. So, we need to except where the
limitations -- if we are going to have communication,
the smart kids are going to find ways around it.
MS. MARCUS: What's the difference between a
white list and a black list?
MR. MAUDE: The white list is a preapproved
list. So, it's safer because you can't give out street
2
99
name, right, because it's not on the list. So, I can't 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
say it's the intersection of Chestnut and High, Balsam
and Fillmore, right, because those words wouldn't be in
the preapproved white list.
Now, there are ways around that. Salt Lake City
is a great example, okay? You can describe Salt Lake
City in words that are on the white list, but it takes
some doing. So, we think that the kind of white list
approach is safer, but there is no panacea in the sense
of absolutely eliminating personal information from your
chat.
MR. NEIS: There's a lot of different ways of
doing it. White list is a good example. There is also
ways of kind of managing almost a black list/white list
approach as well. You can have dictionary chat. The
point is you have to understand what's in your lists.
You have to have a full grasp of what you're providing
for your community, because, like, some of the issues
I've come across, say you have a sports site for kids,
and what the operators of that sports site don't
understand is numbers equate all sorts of varieties of
PII, like you may say, "Okay, well, you know, three
digits," and three digits in a sentence is fine, because
those three digits don't equate a phone number. All you
have to say is, "Hey, my digits are 815," enter that,
3
00
then have another one go through, "455," enter that, and 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
then finish off the -- there's tons of ways around it.
It's just being smart.
Now, aside from disallowing kids straight off
the bat, there are other Jedi mind tricks, if you will,
of allowing kids to feel like maybe they're not as
frustrated, because the problem that we have as
operators for kids' sites is kids get frustrated, so
they see a word redded out and they can't type it
anymore and they're mad, right? So, what are they going
to do? They are going to phonetically spell it out.
And, man, I can give you tons and tons and tons and tons
of examples for that. It becomes a nightmare, and it
becomes a nightmare for your list to manage.
There are other ways to allowing the user to
think that they said it. So, they type what they are
trying to say; maybe they see it but no one else in the
room sees it. I mean, if you have been to Club Penguin,
this is just my guess, about 60 percent of what you
think you're typing no one else can see. And that's not
educationally fantastic, because kids are like, well,
you know, they think they can say it, they think they
can say it anywhere, but the grander problem is kids
don't understand why they can't tell you -- like, they
grew up knowing their basics, right? You have to know
3
01
your phone number to -- you know, if you ever get lost. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
You have to know these things, very -- they hold their
personality very, you know, close to them. So, if
they're in a world, sharing any information about
themselves is kind of exciting, you know? So, how do
you protect them?
If you say to a kid, "Okay, so I'm going to
black list or I'm going to not allow the word 'Street,'"
and they're trying to say, "I want to go -- let's go to
Main Street," which is maybe a room in the world, that
becomes very frustrating if they get a pop-up message
that says, "That language is not allowed. You're on 30
minutes silence." They are like "Aaah, that's not fun."
So, how do you allow them to feel that way? And
that's why some sites, like, say, Club Penguin, allow
the Jedi mind trick of the author saying it, no one else
in the world says it, have post-talk moderation tools on
the back end that find that, and then you as an operator
of the site can then decide, is this child innocently
trying to talk about something or is this somebody who's
trying to get personal information out of children,
because if that person then broke your TUS, get them out
of your world. So, sorry, my little tangent there.
MS. MARCUS: Dona, I want to -- you know, we
have this very strict requirement, and, you know, the
3
02
Rule says what the Rule says, and unless all information 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
is prestripped, it is considered to be a collection, and
so what kind of rules of the road should we have at the
FTC and then what advice should we be giving, because we
get this question all the time about what formats of
chat are permissible, and, frankly, the questions come
from people who are trying to figure out if they can
offer chat without obtaining full-blown verifiable
parental consent, which, as we've discussed during the
day, is seen as somewhat of an obstacle to some fun,
enjoyment, and instantaneous enjoyment.
MS. FRASER: I think John has it right in
regards of what Free Realms is doing, you know, there is
no open chat. I think once you are engaging children in
open chat, you must get not just parental consent, you
know, plus you must get some form of heightened
verifiable parental consent, because you don't know what
kind of information is going to be exchanged or
disclosed, and if you're not monitoring that chat room,
if there's -- if you're not doing what Izzy was talking
about where you have somebody who's just typing in and
it's not popping up on the screen first and it's just
instantaneously going out there, then you must obtain
that verifiable parental consent.
MS. MARCUS: Peter, what do you think? I mean,
3
03
you know, we get a lot of questions from people who want 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
to know about automated systems and whether their
automated systems are good enough under COPPA.
MR. MAUDE: I think, you know, you can never
take people out of the equation. You can deal with the
scale, and our solutions help deal with the scale. I
think one of the issues is to not look at a very narrow,
is this line of content a problem? You need to look at
the person behind the content, and that's one of the
things that we do.
If you are constantly trying to get personal
information from people, your score as an information
threat will rise, and that means it brings it up onto
the radar of the moderators to say, why does this person
keep asking for personal information?
Again, another important point is to always take
what they intend to say and use that. Intent is so
important. You may be filtering it, but if they are
trying to get out personal information, you need to let
them know. So, even though it's -- even though it goes
red and no one gets to say it, we still look at that and
say, you know, "Stop doing this, stop giving out
personal information;" or if it's worse than that, we're
seeing profanities or cyberbullying, even though it's
not going through, the offensive, profane words, we
3
04
still say, "Hey, stop doing this, you know, you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
shouldn't be talking to people in the world like that,"
even though it's not getting to...
MS. AFTAB: I think it's important, though, that
we separate the law from safety, and what you're talking
about is safety, and COPPA here has something very
specific. The question is, can the kid share personally
identifiable information through the use of technology?
And if you're using it with seven tabs down, white list
only, you're smart about what you do, you understand the
use of numbers and all of their symbols and all of their
code, in this case, they're not going to be able to
share personally identifiable information for the
purposes of COPPA.
The problem here is you've got white lists and
you've got white lists. So, a lot of people put them
together and think they're fine, and they are not high
quality, they don't understand what they're doing, and
the right ones that work for the purposes of making sure
kids can't share this stuff are old-time things that
have been out there for a really long time that kids
have tried to break forever. When you look at Neopets
and some of the older ones that are out there and
Toontown, the first time -- before COPPA, in 1998,
Toontown had a drop-down menu that I designed for
3
05
Disney, because we couldn't figure out anything better 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
in 1998.
So, the world has changed now, but we -- unless
we come up with standards on best practices on white
lists, on what parents are allowed to expect at a site,
we're in a lot of trouble.
MS. MARCUS: Roz, is there any room here for a
safe harbor situation? I mean, I'm definitely hearing
white lists as kind of the gold standard, but Peter
raised some other issues, some posting chat or live
moderated chat, which Izzy was talking about, too. Is
there a construct that we can use here where we can
check down a list and say, okay, or in these instances,
it's going to be good enough for now, but you have to
make your list or your filter better each night? What
do you think?
MS. KITCHEN: I don't know if I'm the best
person to answer that, I have to be honest, but -- I'm
going to -- I'm going to pass on that question.
MS. MARCUS: Okay.
Dona, what do you think?
MS. FRASER: I was going to go back to the point
we were making before in regards to engaging parents. I
think that we're leaving out the parent in this whole
process, and I think that if you are going to have a
3
06
site that's engaging children under 12 years old, you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
have to engage a parent from the outset. I think
setting up parental controls the same way that we do in
an offline environment with handhelds, it can be used in
an online environment. That's what we advise our member
companies to do, is set up parental controls, so that
the only information that you're collecting from the
child at the beginning is the parents' email, and after
that, the entire account is set up by the parents.
MS. MARCUS: We have this kind of strange
situation that I think Shai was pointing out during the
last panel, which is sites that don't have to collect
information from the child about the parent, but are
choosing to contact a parent and notify them. How does
that fall within COPPA's --
MS. AFTAB: Good policy.
MS. MARCUS: Well, it's good policy, but we end
up in this strange situation where the site might be
risking a COPPA violation because they're collecting the
parents' online information from the kid for a different
purpose.
MS. AFTAB: I wanted to stay on best practices,
if I could just answer that last question, and it's my
ad of the day. We have something called the Socially
Safe Seal, which is the first best practices seal that's
3
07
being offered, and a lot of the people in the room and a 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
lot of people not in the room have applied for it, and
we actually go out and audit the site, we look at the
white list, we look at the black list, we try to break
them, we check the training and vetting and
certification of moderators and their practices from
start to finish.
If they do that and they do it right, they get
the seal, and if there's a safe harbor, that's a great
standard that we can start looking at. Do they know
what they're doing? Can we trust them with our kids?
And if not, then they're going to have to go through
verifiable parental consent, and good luck. And I think
we need to start looking at that standard and find
others like it.
MS. MARCUS: I think that's -- is that Amy? Hi,
Amy.
MS. PRITCHARD: Hi, I'm Amy Pritchard. I'm an
attorney and also the CEO at Metaverse Mod Squad, and I
would say with our company, we have spent hundreds of
thousands of hours with these kids and have hundreds of
clients, and so I see -- what I'm worried about is the
"white list good, black list bad." It's case by case.
I have worked with horrible white lists, as
Parry pointed out, and I have worked with absolutely
3
08
ironclad black lists. So, I just want to go on record 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
as saying let's look at the filter itself and not the
label.
MS. MARCUS: This is a very hard standard for us
to apply, because what ends up happening is, you know,
1-800-Mamie and Phyllis, and then we're asked by
operators to --
MS. AFTAB: That's because you own the COPPA
site for the FTC.
MS. MARCUS: We're asked to assess a filter in a
chat room that we don't have enough information on. We
are not, you know, spending a hundred thousand hours
with kids in a room trying to figure out how to crack
it, and then everyone is pointing to some of the other
operators and saying that "they do it this way, why
can't we do it that way?"
So, I think my entire body of questions here is
aimed at trying to figure out if there are some
articulable rules that we can put out there with respect
to chat, which is this increasingly popular feature of
sites, that would help website operators but would not
obviate COPPA's original intent.
MR. NEIS: It is only going to get harder.
MS. AFTAB: And it's not a rule, it's a
combination of things, so that if you have got
3
09
premoderation, you are tracking reputation, you are 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
dealing with different things, you can find things
faster beforehand and you can stop them afterwards. So,
it's not -- it's as you were talking about, you know,
and I have a great deal of respect for you. If you have
got really well-trained moderators, you can deal with a
little bit less technology. If you don't, you need a
lot more technology, and it has to be updated. So, it's
kind of this flow, and at the end --
MS. PRITCHARD: We always need great technology.
MS. AFTAB: But you know what I'm talking about.
MS. PRITCHARD: And it is definitely a piece.
So, what I'm concerned about is a piece is going to be a
stand-alone, yes, good, or no, bad, and that's -- that's
where we get dangerous. And also, if we lock down chat
to -- let's say even just a drop-down list, because
let's face it, if you really want to prevent any PII,
it's no chat.
MR. NEIS: It's scripted, and that's when your
numbers go "whooo."
MS. PRITCHARD: And you know where our kids are
going to go? Our kids are going to go to World of
Warcraft.
MS. AFTAB: And Blizzard was here and we liked
them.
3
10
MS. PRITCHARD: My husband said this is why they 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
created skate parks, got the kids off the streets.
MS. MARCUS: I'd like to move now -- you guys
have given us a lot to think about, and I really will
encourage people in this room, and tell your friends,
you know, that we need to hear more on this point,
please, because I'm still, you know, hearing a
vacillation between a potential safe harbor system or
the ironclad Rule right now, but, you know, what Mamie
and I are pretty much telling people that are calling
now is "stay tuned, but, you know, right now we have got
this strict rule, and that's it, and unless you can
guarantee 100 percent stripping, 100 percent, we don't
have leeway within this Rule."
I'd like to move to the black listing of a
child's online contact information, because we get a lot
of questions from operators about that and where that
falls within one of the exceptions, and we've heard that
a strict interpretation of the Rule wouldn't permit
operators to retain a child's online contact information
for the purpose of preventing that child from
reregistering on a site; for example, when she's
underage.
Is this right or would exception 5 -- whoops, I
have got to move back to exception 5, which is the
3
11
safety -- is it exception 4 or exception 5? Exception 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
5, which permits the retention of child's name and
online contact information to protect the security or
integrity of a website or online service.
Would keeping a child's online contact
information fall within exception 5 if you are trying to
keep them off the site and keep your site secure from
underage participation?
MR. NEIS: It depends on the information
collected. I mean, a lot of the kids' sites these days
are going straight to email-plus, which is kind of the
parents' email -- assumed, right, we have to look at it,
that for the most part people hold it the way it should
be. So, if you're collecting a parent's information, I
mean, the child that's attached to that parent's
information is breaking the rules, and they've been
parent-verified through the click-through, you have to
be able to protect your overall audience, right?
For me this becomes more of a larger billing
question, too. It goes into the whole area of if you
have a paying member, you have to collect that
information, and it should be the parents' information,
right? So, there's a lot of variables in that one.
MS. AFTAB: I'm sorry. I think what it comes
down to, what's personal information? So, that IP
3
12
question, if IP information becomes personally 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
identifiable information for the purposes of this, we
are in a lot of trouble, because the sites are
collecting IP for security purposes, but they are not
keeping email addresses and names to protect the site
unless you have got a known hacker, a kid who is trying
to hurt somebody else.
MS. MARCUS: But theoretically, if we read
exception 5 this way, they could keep a child's online
contact information. Yes?
MS. TAYLOE: Yeah, but it doesn't do you a lot
of good, because you can't add date of birth to it, and
so you can't age out of it. I mean, isn't the issue
that I say I'm 11, here's my email address, submit, we
have to do the drop the cookie and all of that, and what
some of us are saying is, "Gee, it would be really nice
if the kid comes back tomorrow and gives us that same
email, we could say, 'Sorry, you need to now prove
yourself as an adult versus being able to change your
age,'" but we can't keep the date of birth against the
email.
MS. MARCUS: Well, sure. What's good for goose
is good for gander. So, you know, if we're reading
these narrowly, we have to read all of them narrowly.
Is anyone using exception 5?
3
13
MS. AFTAB: Yes. We use exception 5 when you 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
are dealing with kids who are trying to take down the
site, so kids who are gaming the site, security risks to
the site, kids who are trying to collect passwords from
other people, and that's where you're seeing it used,
really to protect the integrity of the site. And as we
know, our best hackers are sort of 8, but, you know,
they're out there and they're doing that. So, you're
seeing that there.
Four you're seeing when you're dealing with kids
who have indicated suicide or molestation issues, and
then the question is, do you have to notify the parents?
That's where we're seeing a lot of confusion. So, if a
kid -- and they do it at the age of six, seven, eight,
ten -- tell you that daddy's hurting them or they're
going to kill themselves or something, especially when
you have put them on hold for 30 minutes, now what do
you do to protect the safety of that child, because you
are required that you are using it only in a certain
way, and you have to have reasonable efforts to notify
the parent, and that's very confusing when you're
dealing with a high-risk situation.
MS. MARCUS: Some of these exceptions, I will
say, you know, you can get mired in them, and we scratch
our heads and say, "Gosh, why did we collectively say
3
14
that?" 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
And here's, you know, kind of a gimme:
Exception 3 provides for a parent to be notified by
postal mail. When we read this again -- I will say I
was not involved in drafting the Rule, and I said,
"What?" You know, postal mail? You know, now you've
collected a parent's or a child's home address on this.
Do operators use the postal address in order to
do the opt-out?
MS. KRESSES: None of you ever noticed that.
MS. MARCUS: Well, we can't hide from it
anymore. That's what I'll say. This is the grand
outing.
MS. MONTGOMERY: It includes postal mail.
MS. MARCUS: Methods to notify parents.
MS. MONTGOMERY: That was the olden days.
MS. KRESSES: That's what the question is. Is
there some reason that that was in there that we haven't
figured out?
MS. MARCUS: Dona, what do you think?
MS. FRASER: I think that if the initial contact
happens online, it should remain online. I think the
problem is that there's this -- you know, from the point
that you decide to put something in the mail and by the
time it gets there, the parent has forgotten. You are
3
15
going to think it's spam. You are going to throw it 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
out. I think once you're online, I think that's the way
to remain online. Whatever the initial contact was,
that's how it should remain.
MS. AFTAB: It came from the olden days where
the kids might have access at school and parents may not
have access at home, especially lower income and
disenfranchised people, and those things are -- I'm not
saying that they're fully over, but I think everybody
has connection to something electronic.
MS. MARCUS: I mean, it seemed curious to us,
because we started this entire conversation by saying
that online contact information was seen as having --
carrying less of a privacy risk, and then if you're
adding onto that a child's home address, that's a great
expansion of your information collection.
I think, unfortunately, we have got to wrap up
now. Thank you, guys. I mean, this is a good audience
for the end of the day, and we really, really thank you
for coming.
Should we do a little closing remarks? Okay, we
are not going to do the traditional closing remarks,
where we say, "In Panel One we heard this, and in Panel
Two we heard this," because all of you guys have been
here all day. I think we have gotten a tremendous
3
16
amount out of this. 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
The story isn't written yet. We have until June
30th to collect your feedback and then to start
seriously process it. Thank you, enjoy the rest of your
week, and good night.
(Applause.)
(Whereupon, at 5:13 p.m., the roundtable was
concluded.)
3
17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
C E R T I F I C A T I O N O F R E P O R T E R
DOCKET/FILE NUMBER: P104503
CASE TITLE: COPPA RULE REVIEW ROUNDTABLES
DATE: JUNE 2, 2010
I HEREBY CERTIFY that the transcript contained
herein is a full and accurate transcript of the notes
taken by me at the hearing on the above cause before the
FEDERAL TRADE COMMISSION to the best of my knowledge and
belief.
DATED: 6/15/2010
SUSANNE BERGLING, RMR-CRR-CLR
C E R T I F I C A T I O N O F P R O O F R E A D E R
I HEREBY CERTIFY that I proofread the transcript
for accuracy in spelling, hyphenation, punctuation and
format.
SARA J. VANCE, CMRS