July 5, 1998

Ms. Jane Coffin

Office of International Affairs

National Telecommunications and Information Administration

Room 4898

14th St. and Constitution Ave., NW

Washington, DC 20230

Dear Ms. Coffin:

The Magazine Publishers of America (MPA) is pleased to comment on the Department of Commerce staff discussion paper "Elements of Effective Self Regulation for the Protection of Privacy" and to respond generally to questions on various aspects of Internet privacy including the effectiveness of self regulation for privacy. As articulated in the Administration’s A Framework for Global Electronic Commerce, which serves as the foundation for the Department of Commerce "Elements" paper, the government seeks a self-regulatory approach to privacy protection online. We believe such an approach is feasible and desirable and that the mechanisms needed to make self-regulation a success are rapidly developing. We urge the Administration to allow self-regulatory regimes adequate time to reach fruition. Industry understands that the growth of the Internet and electronic commerce is dependent on consumer confidence about personal privacy and is committed to implementing meaningful, consumer-friendly, self-regulatory online privacy protection programs.

MPA’s membership includes approximately 200 consumer magazine publishing companies in the United States, publishing over 1200 magazines. Our membership also includes over 50 international magazine companies. Our member magazines range from well-known, nationally distributed publications such as Time, The Reader’s Digest and National Geographic to smaller-circulation and local publications such as Harvard Business Review, The Net and Milwaukee magazines. Some of our members publish children’s magazines such as Sesame Street, Highlights for Children, and Nickelodeon. Many of our members are involved in new media magazine endeavors in addition to their traditional print offerings.

MPA has a long standing interest in promoting business practices that are respectful of our subscribers and readers. We and other industry groups with increasing presence on the Internet recognize the need for consumers to feel comfortable visiting our Web sites and to trust our companies to handle their personal information in a responsible and protective manner. We understand that if customers are not satisfied with a Web site’s privacy policy, they may choose to sever their relationship with the Web site operator.

As guidelines and principles have been developed by industry and government, we have shared these with our members. For example, MPA has for many years recommended the Direct Marketing Association (DMA)’s Guidelines for Ethical Business Practices to our members as an appropriate way to enhance customer relations. More recently, we provided our members with copies of DMA’s online self-regulatory guidelines, Privacy Principles and Guidance for Marketing Online, and Guidelines for Personal Information Protection. We also shared the "Elements" paper with our members with Web sites so they could see Commerce’s interpretation of the principles of fair information practices.

We strongly urge the Department of Commerce and other Federal agencies to give self-regulation of online privacy a chance to succeed. Despite the Federal Trade Commission’s disappointment with the levels of privacy policy disclosure at Web sites it surveyed in its March "sweep", there has been a substantial increase in the number of sites providing such disclosure. The DMA reported in May that 70% of the Kids Hot 100 Web sites have posted a statement regarding their information practices online. This is an increase of 84 percent since January, a remarkable increase in such a short period of time. The DMA reported similarly impressive results for the Biz Hot 100 and the Shopping Hot 100. Furthermore, even the FTC Web site sweep showed that well over two-thirds of the most popular 111 Web sites have information practice disclosures posted. These top 111 sites represent a large portion of Internet visits by consumers. The results for the most popular sites not only suggest that for many people privacy notification is a reality; they also suggest that the trend will continue as smaller Web sites follow the lead of the larger ones.

As awareness of the need for privacy protection online grows, the infrastructure needed to make self-regulation work is also growing. After a shaky start, the TRUST-e seal program is making great strides, both in rapid expansion of the number of Web sites that participate, as well as strengthening and enhancing the program. For example, while TRUST-e has traditionally confined its purview to disclosure of information practices, the organization has just announced plans to add a requirement that licensees provide choice (opt-out) to consumers to restrict use and disclosure of personally identifiable information. TRUST-e is also preparing special guidelines for children’s sites.

The level of interest in privacy seals is now sufficiently high to have led to the emergence of a second seal program being developed by the Council of Better Business Bureaus -- BBB online. This organization has been a symbol of consumer protection for 80 years and has a proven track record of providing recourse for consumers who have a complaint about a company’s business practices.

As demonstrated at the recent privacy summit held by Commerce, there is much activity on the technology front, with filtering systems increasingly sophisticated and available. Industry is helping to promote the development of privacy protection technology. For example, the DMA is a financial supporter of the World Wide Web Consortium’s work on P3P.

A number of MPA members and other companies have also sought to create coalitions to advance the success of privacy online self-regulation. One such coalition, which made its debut at the Commerce Department summit, is the Online Privacy Alliance. This group, with over 50 participating companies (including some MPA members) and associations, has as its goal to "lead and support self-regulatory initiatives that create an environment of trust and that foster the protection of individuals’ privacy online and in electronic commerce."

We are concerned that in recent public meetings on privacy protection, there seems to be a perception in some quarters that collecting information from consumers at Web sites only benefits Web site operators and marketers at the expense of consumers. This perception is not based on fact. Data collected from consumers is used to the customer’s advantage. This is true both for information provided by the customer through registration and surveys as well as navigational information captured by the Web site operator. This information may be used in the aggregate to determine the type of content that would be most interesting to site visitors. Individual information may be used to direct a visitor to certain sections of a Web site; for example, a site directed to children may have different content for different age groups. Individual information may also be used to tailor advertising and product offerings so that a visitor receives only information on products that are likely to be of interest.

A. Principles of Fair Information Practices

1. Awareness

We agree that a successful self-regulatory regime should include a mechanism to make consumers aware of company online privacy policies. Soon after the DMA published its Privacy Principles and Guidance for Marketing Online in March of 1997, MPA distributed a copy of the Principles to all our members. We recommended that our members review the guidance on online Notice and Opt Out which describe how to inform consumers about information practices and how to provide them with the opportunity to opt out from disclosure to others of information collected online. We directed our members with online sites that cater to children to the special principles that apply to online activities directed at children, explaining how parents should share in their child’s online experience. To help our members develop privacy policies, we provided information on the DMA privacy policy creation tool, as well as information on privacy policies developed by Time Warner and The McGraw-Hill Companies, two MPA member companies.

The key to fostering awareness in a self-regulatory context is to build a broad understanding among Web site operators of the need to develop and post privacy protection policies. To assist in getting the word out, MPA, in March, was one of four associations cosponsoring a multi-industry forum with The McGraw-Hill Companies on customer privacy on the Web. The informative and well-attended meeting, which brought together magazine companies, book publishers, and information companies, included an overview of industry self-regulation policies and several company case studies in privacy policy development. The day-long session also included workshops where companies could learn how to develop and implement a workable online privacy policy. Business-to-business education forums such as this can be particularly useful for smaller-size companies, who can learn from the experience of and get hands-on assistance from larger-size companies.

2. Choice

We agree that self-regulatory programs should provide consumers with the opportunity to exercise choice with respect to the use of personally identifiable information collected online. In January, we told our members that information practices statements should be prominently displayed, for example, on a home page or on the page where information is collected and that the statements should identify the type of personal information collected, if any, and describe how and by whom such information might be used. We also told our members that consumers should have an opportunity to restrict use of disclosure of personal information by "opting out", explaining that consumers should be able to request that their personal information not be rented, sold, or exchanged or that they not receive any future solicitations.

We also agree that, for sites directed at children, parents should share in their children’s online experiences. However, we do have concerns about the mechanisms being explored to obtain the explicit consent of a parent or guardian before a children’s Web site can collect any information from the child. These concerns are discussed in a separate section following our comments on the "Elements" paper.

3/4. Data Security/ Integrity

We agree that a self-regulatory system should include provisions to protect personally identifiable information from misuse. In May of 1997, we provided our membership with a copy of the DMA’s Personal Information Protection Guidelines, which include ten articles for dealing with the handling of personal data in data files, including the need to provide for the security of personal data in data bases. However, we believe that the appropriate level of data security may differ depending on the nature of data collected and maintained. In some cases, there may be no appreciable loss to consumers if personally identifiable information collected online is lost or destroyed.

We also agree that Web site operators should only maintain data needed for the purposes identified in the information practices disclosure. The extent to which companies should ensure that personal data is kept accurate, complete, and current will depend on the nature of and uses for the data.

The "Elements" paper states that companies should strive to assure that third parties to whom they transfer personal information assure the same level of data protection as the Web site operator collecting the information. We agree that all parties should be encouraged to handle consumer information in a secure manner and that companies should not transfer data to a third party until it has verified that the third party is a reputable organization and unlikely to intentionally misuse consumer data. However, we are concerned that the privacy policies of an unrelated company not be the responsibility of the company collecting the information. This could create a burdensome bureaucracy that would be difficult to police. We believe each individual company should be responsible for its own data protection policies following the self-regulatory regime appropriate to that type of Web site operator.

4. Consumer Access

We are concerned about a one-size-fits-all approach to providing consumers access to infomation about them that a company holds and allowing consumers to correct or amend that information. As noted by Commerce, providing access to consumer information can be costly and time consuming for companies, particularly larger-size companies with many independently operated Web sites. We are pleased that the "Elements" paper recognizes that the extent to which a Web site should provide consumers with access to information will differ depending on the nature of the information collected and the ways in which the information is to be used. If a potential mistake in the information we possess will not cause harm to consumers, it is not crucial to provide access, which could serve to undermine security, an even more important consideration.

B. Enforcement

We agree that self-regulation should include a mechanism to ensure that companies are following their privacy policies. Consumers need this confidence to embrace the Internet and electronic commerce, a goal we all seek. We are pleased that the Department of Commerce recognizes that there are a number of enforcement mechanisms that may be appropriate for different Web site operators and that implementation of the enforcement of self-regulation should not be rigid.

One option that Web sites may adopt is to participate in one of the emerging online privacy "seal" programs, such as TRUST-e or BBB online. This method is less expensive than an individually-contracted third-party audit while providing outside verification of a company’s compliance with its privacy policy. This mechanism may be appropriate for companies without adequate internal resources to dedicate to privacy policy enforcement.

Another type of outside compliance mechanism that is not as expensive as third-party audits are review boards, such as the currently existing National Advertising Review Council (NARC) and the Children’s Advertising Review Unit (CARU). This type of approach works through a complaint mechanism, with the review board reviewing privacy policies if compliance problems are suspected and seeking changes through voluntary cooperation.

As noted in the "Elements" paper, companies using highly sensitive information may be held to a higher standard of verification. Enforcement for such sites might involve an individually-contracted third-party audit. For example, the self-regulatory program recently adopted by the Individual Reference Services Group (IRSG) specifies that members of the Group undergo an annual compliance review by a third-party auditor. This is an expensive option and probably would not be needed for companies that are not collecting sensitive information, such as medical or financial information.

Some Web site operators may find that a self-assessment mechanism is the best approach. This will be particularly true for companies that already have established internal auditing procedures for other policies and that have the internal resources to dedicate to ensuring privacy policy compliance. Self-assessment is also likely to be most successful for companies with strong brand recognition, companies with which consumers have experience and ones they trust to stand by their word. This mechanism can provide greater oversight than a third-party audit, in that permanent assignment of personnel to monitoring compliance would ensure continuous monitoring as well as allow privacy policies to be fine-tuned in a timely manner. Personnel with permanent privacy compliance responsibility can also be helpful in training company employees on privacy issues.

In the "Elements" paper, the Department states that for information related to children, affirmative choice (opt-in) by consumers may be appropriate and that in these cases, companies should not use personal information unless its use is explicitly consented to by the parent or guardian. In its Report to Congress, the FTC, citing troubling results of its Web sweep, stated that fewer than 10 percent of children’s sites provide for some form of parental control over the collection of information from their kids. The FTC concluded by stating that it would recommend legislation requiring prior parental consent (opt-in) under certain circumstances for sites directed at children under the age of 13. The FTC suggested that opt-in would be required where the personal identifying information would enable someone to contact a child offline (regardless of the intended use of the information) or where the personal identifying information is publicly posted or disclosed to third parties.

The FTC did not specify how such parental consent should be obtained, mentioning in an endnote that parental notice raises some implementation issues. The FTC goes on to state that in those instances where parents and children have separate e-mail addresses, notice may be provided to parents electronically. In terms of providing verifiable parental consent, however, the FTC mentions that sites can simply direct children to print a consent form and have the parent return the signed form by regular mail or facsimile.

The FTC recommendation for legislation is similar to the Interactive Electronic Media Self-Regulatory Guidelines for Children’s Advertising of the Children’s Advertising Review Unit (CARU) which require that reasonable efforts be made to provide notice and choice to parents when information is collected from children online. CARU also suggests that the company obtain prior parental consent for personally identifiable information which would enable the recipient to directly contact the child offline or when such information will be publicly posted so as to enable others to communicate directly with the child online or shared with third parties. The CARU guidelines allow flexibility in how parental consent should be obtained.

We all share the goal of protecting children’s privacy online and believe that in all cases of data collection, intended use(s) of the data should be fully disclosed. We also believe it is crucial that the new functionality of this medium be respected and that new paradigms of privacy protection may be needed. We believe that it is important that a variety of mechanisms be deemed acceptable for obtaining parental consent and we urge potential regulators to consider the need to avoid destroying the online medium in an effort to stop information collection from children.

Children’s sites that collect information use that information to the children’s advantage. Some sites use information in an aggregate form to create meaningful experiences derived from total audience characteristics. This may be accomplished from polls or surveys of visitors to the site. Alternatively, children’s sites may use individual information to tailor a child’s online experience, for example, directing them to age and interest-appropriate sections of Web sites or providing a means to communicate with other children who share their interests.

Children’s Web sites may also collect personally identifiable information for children to participate in contests. In such cases, the Web site operator needs a means to communicate with a winner.

Many children’s Web sites do not collect personal information online for marketing purposes, but among those that do, information collected from registration, surveys, and navigational paths can be used to tailor marketing information to inform families of age and interest-appropriate products and services.

One key to success of children’s online sites is the interactivity and connectivity. Requiring a long break in the interactivity to allow for parental consent breaks that link. If a child has to print out a permission form which must be mailed by the parent, it will be quite a while before the child can continue the activity he or she was enjoying. In some cases, a child may not even be able to begin to enjoy what a child-oriented web site has to offer because they have to wait for a parent to receive, complete, and mail a parental consent form. While faxes can be returned more quickly than mail, most households do not have fax machines.

Creating parental consent restrictions that are unduly burdensome could also have unintended, negative consequences. If a child perceives that obtaining parental consent is too difficult, he may go back and alter his response to an age question to indicate that he is over 13 when he is not. Alternatively, a child may decide that the children-oriented site is too much trouble and may choose to leave the site altogether and go to an adult-oriented site that may not be as beneficial or educational. The parental consent requirement should not be implemented in a way that discourages children’s use of children’s Web sites.

As noted by the FTC, when parents and children have separate e-mail addresses, notice may be provided to parents electronically. Similarly, parents could provide consent electronically though their separate e-mail address. Electronic consent is also possible if parents provide credit card information to pay for a nominal registration fee or, in the case of magazines, to buy a subscription online.

Some Web site operators may also choose to use a telphone mechanism for parental consent, with parents calling an 800 number provided on the Web site. While this also breaks the interactivity link, the delay is not as great as with mailed-in consent forms.

We are hopeful that, in the not too distant future, there will be advances in technology that permit online parental consent in a simple and timely manner, for example, through the emergence of digital signature technology. It would be short-sighted to impose onerous and counterproductive off-line parental consent requirements that would negatively impact the develop of the online medium before such technological advances are available.

In the Request for Public Comment, the Department asks for comments on the need to strike a balance between freedom of information values and individual privacy concerns.

Ours is an industry that, quite literally, would not exist in its present form were it not for the primacy of the First Amendment in American law and public policy. The pages of our "traditional" magazines – and now the content of our "online" magazines and web pages – reflect the strong and principled bias of our nation’s jurisprudence in favor of the promotion and protection of editorial freedom and commercial speech. The response of our industry – and, indeed, of two centuries of judicial opinion – to any argument that First Amendment values need to be "balanced" with some other public policy concern is clear: the advocate of such "balancing" bears a very heavy burden of persuasion.

We acknowledge the validity of individual privacy concerns; and we recognize that technology has introduced a dynamic new element into the mix of considerations. Nonetheless, we caution against a rush to judgment. The current controversy over the impending implementation of the European Union Data Directive – involving a direct clash between Anglo-American and European legal and public policy heritages – illustrates the complexity of the freedom of information/privacy dichotomy in the digital age. These types of issues have serious implications for us not only as business persons, but also as representatives of journalists.

We believe that the wisdom of an evolutionary, self-regulatory approach to resolving the question of "balance" should be manifestly self-evident.

Thank you for consideration of our comments and concerns.

George Gross Rita Cohen

Executive Vice President Vice President

Government Affairs Economic and Legislative Analysis