June 16, 1999 VIA FACSIMILE & REGULAR MAIL Honorable Donald S. Clark Secretary Federal Trade Commission Room H-159 600 Pennsylvania Avenue, NW Washington, DC 20580 Re: Children's Online Privacy Protection Act Dear Secretary Clark: The Office of Advocacy of the U.S. Small Business Administration (SBA) was established by Congress under Pub. L. No. 94-305 to advocate the views of small business before federal agencies and Congress. Advocacy is also required by 612(a) of the Regulatory Flexibility Act (RFA) (5 U.S.C. 601-612) to monitor agency compliance with the RFA. The Chief Counsel of Advocacy is authorized to appear as amicus curiae in regulatory appeals from final agency actions, and is allowed to present views with respect to compliance with the RFA, the adequacy of the rulemaking record with respect to small entities, and the effect of the rule on small entities. Id. On March 28, 1996, President Clinton signed the Small Business Regulatory Enforcement Fairness Act (SBREFA), Pub. L. 104-121, which made a number of significant changes to the RFA, the most significant being provisions to allow judicial review of agencies' compliance with the RFA. 5 U.S.C. 611. On April 27, 1999, the Federal Trade Commission (FTC) published a proposed rule on the Children's Online Privacy Protection Rule, Federal Register, Vol. 64, No. 80, p. 22750. The purpose of the proposal is to implement the Children's Online Privacy Protection Act of 1998 ("COPPA") which prohibits unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet. The FTC certified that the proposed rule would not have a significant economic impact on a substantial number of small businesses. The Office of Advocacy would like to state, as it has in the past, that the Federal Trade Commission consistently makes a good faith effort to comply with the requirements of the RFA. The Office of Advocacy truly appreciates the FTC's efforts. The Office of Advocacy recognizes the importance of protecting children's privacy on the Internet and that Congress has mandated an important social goal when it passed the COPPA. The Office of Advocacy is, however, concerned that the FTC's decision to certify this particular proposal will prevent it from obtaining the kind of information valuable to policy development that is generated when an agency performs a regulatory flexibility analysis. Our comments should not be interpreted as attempting to discourage the FTC from promulgating regulations nor as a request that the FTC change its proposal. Rather, this is a request that the FTC seek comment on the small entity impact and alternatives that it considered and rejected in attempting to fulfill its mandates under COPPA. Before enunciating our concerns, we believe that a brief review of the certification provision of the RFA would be helpful. Certification Section 605 of the RFA allows an agency to certify a rule, in lieu of preparing an IRFA or FRFA, if the proposed rulemaking is not expected to have a significant economic impact on a substantial number of small entities. If the head of the agency makes such a certification, the agency shall publish such a certification in the Federal Register at the time of the publication of the general notice of proposed rulemaking for the rule along with a statement providing the factual basis for the certification. The Requirements of the Rulemaking The Children's Online Privacy Protection Act of 1998 The goals of COPPA are to (1) enhance parental involvement in a child's online activities in order to protect the privacy of children in the online environment; (2) to help protect the safety of children in online fora such as chat rooms, home pages, and pen-pal services in which children may make public postings of identifying information; (3) to maintain the security of children's personal information collected online; and (4) to limit the collection of personal information from children without parental consent. Section 1303 of the Act directs the FTC to adopt regulations prohibiting unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet. Section 1303(b) sets forth a series of privacy protections to prevent unfair and deceptive online information collection from or about children. The Act specifies that operators of websites directed to children or who knowingly collect personal information from children to: (1) provide parents notice of their information practices; (2) obtain prior parental consent for the collection, use and/or disclosure of personal information from children (with certain limited exceptions for the collection of online contact information, e.g., an e-mail address); (3) provide a parent, upon request, with the ability to review the personal information collected from his/her child; (4) provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child; (5) limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and (6) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected. The FTC's implementation of COPPA prohibits operators of websites or online services directed to children from requiring them to provide any more personal information than is reasonably necessary as a condition precedent to children's participation in online activities. The proposed rule requires operators to: (1) post prominent links on their websites to a notice of how they collect and use personal information from children; (2) notify parents that they wish to collect personal information from their children; (3) obtain parental consent prior to collecting, using, or disclosing such information (parents then have the option of prohibiting operators from disclosing their child's personal information to third parties); (4) allow parents the opportunity to review and make changes to any information provided by their children; (5) delete a child's information and not collect information from a child in the future, upon the request of a parent; and (6) establish procedures to protect the confidentiality, security, and integrity of the personal information collected from children. Accordingly, if an operator maintains a database of children's personal information, the operator must provide notice to the parent and obtain parental consent prior to using such information after the rule is finalized. Furthermore, the proposal applies to the use or disclosure of personal information collected prior to the effective date of the final rule, if the operator wishes to use such information in the future. The RFA Requires a Factual Basis Before an Agency Can Issue a Certification. In the proposal, the FTC stated that: "The provision of the Regulatory Flexibility Act requiring an initial regulatory flexibility analysis (5 U.S.C. 603) does not apply because it is believed that the Rule will not have a significant economic impact on a substantial number of small entities (5 U.S.C. 605). This notice also serves as certification to the Small Business Administration of that determination. The Rule's requirements are expressly mandated by the Children's Online Privacy Protection Act of 1998. Thus, the economic impact of the Rule itself is not anticipated to be significant, since any additional costs of complying with the Rule, beyond those imposed by the statute or otherwise likely to be incurred in the ordinary course of business, are expected to be comparatively minimal. Where the Act permits, the regulations have been drafted so as to permit maximum flexibility in the way that affected firms achieve the goals of the Act. In any event, the costs borne by all firms, including small businesses, appear unavoidable under the terms of the Act.." Id. at 22761. The statement that ". the costs borne by all firms, including small businesses, appear unavoidable by the terms of the Act." may be true, but the certification lacks the factual detail required by the RFA which may not have been presented to Congress. That is the value of the RFA - it establishes a process for evaluating the effectiveness of regulation in achieving important public policy objectives, as in this case. An IRFA May Be Required for RFA Compliance Many of the Office of Advocacy's concerns would be addressed through the preparation of an IRFA. An IRFA would provide the public with necessary economic information on which the FTC would receive meaningful comments to consider when finalizing this important rule. Specifically, the feasibility of obtaining compliance, if the proposed rule arguably would require a commercial web-site to: (1) Develop a process for notifying and seeking approval from parents before collecting information from a child less than 13 years of age. This would require a web site to implement a PERL script function as part of its programming. PERL script would automatically send an inquiry to the parent's e-mail address when the child logs onto a site that would collect information. It is our understanding that PERL script is a not common language for web programmers to know and would require additional training to implement as well as several hours of work to incorporate the PERL script into the web-site. Would this materially affect compliance? (2) Alter current web HTML programming to ensure that the page does not use cookies to track visitors who are children. Many web sites, including Amason.com and Disney.com, use cookies extensively to track where a view goes on a web site. These cookies provide the web site with information on the visitor. The proposed rule would require all web pages to remove a very common technological practice that could take highly trained professionals days to complete. (3) Post the company's privacy policy on its web page. Information is needed to justify the cost. Drafting and implementing the procedures for a privacy policy could be expensive for a small business. It may require the assistance of an attorney for the policy to comply with the requirements of COPPA as well as part of an officer's time to implement the policy. It would be helpful to know what small businesses, if any, are affected by the provisions. If none, then the rule may not be onerous. Advocacy lists these possible costs to alert the FTC to the burden the proposal may be placing on small businesses. This is not to say that the cost should not be imposed, but the FTC needs to justify the cost in the context of the important societal goal of protecting our children on-line. Consideration of these impacts would give rationality to the rule. The FTC May Be Required to Prepare an IRFA Prior to Finalization of the Rule Although the FTC indicated in its certification that it would address a subsequent finding of significant economic impact by submitting a FRFA, the Office of Advocacy submits that the preparation of a FRFA will not cure the problem. If the impact is significant, the FTC may need to prepare an IRFA prior to the finalization of the rule. In an analogous fact situation involved in Southern Offshore Fishing Association v. Daley, 995 F. Supp. 1411 (M.D. Fl. 1998), the court held that preparation of a FRFA, when an initial analysis had not been prepared, violated the RFA and APA because the public had not had an opportunity to review and provide comments on the information in the IRFA or the agency's alternatives. An IRFA would not only identify the industry and the anticipated economic impact, it will also provide a valuable record to justify and add credibility to the rule. The FTC Should Consider Alternatives in Determining the Means of Implementation As stated previously, the RFA requires an agency to consider alternatives if a rule is expected to have a significant economic impact on a substantial number of small entities. Although the FTC states that the "Rule's requirements are expressly mandated by the Children's Online Privacy Protection Act of 1998", there is no indication that Congress has explicitly mandated a specific means of implementation. There may be alternative methods of implementation that may reduce the economic burden on small businesses, without sacrificing valuable child protection. For example, the FTC could provide a manual explaining the requirements or recommend "boilerplate" language that would meet the requirements of the law. Allowing a small firm to use boilerplate language may eliminate the need to hire an attorney to draft the language to be placed on the website. Although alternatives are not required if the impact is not significant, the Office of Advocacy contends that in this instance, it would be good public policy for the FTC to give careful consideration to implementation strategies that will clarify the requirements of the Act and provide guidance to small businesses that are attempting to abide by the law. Such an action will not only minimize confusion, it will also minimize the time and resources those small entities will be required to expend. Conclusion As stated at the outset, the Office of Advocacy recognizes that the public has an interest in protecting a child's privacy. However, it is also important to protect the rights of the public to be informed of the impact that a regulation may have on their interests so that they may participate in the regulatory process. See Northwest Mining Association v. Babbitt, 5 F. Supp. 2d 9 (D.D.C. 1998) at 14-15. If you would like to discuss this matter or if this office can be of any further assistance, please contact Jennifer A. Smith, Assistant Chief Counsel for Economic Regulation or Eric Menge, Assistant Chief Counsel for Telecommunications. Either may be reached either by mail at the above address or by telephone at (202) 205-6533. Thank you for your attention to this matter. Sincerely, Jere W. Glover Chief Counse Office of Advocacy Jennifer A. Smith Assistant Chief Counsel for Economic Regulation Eric E. Menge Assistant Chief Counsel for Telecommunications