TESTIMONY OF MARC SZAFRAN

GENERAL COUNSEL

OF

THE ENTERTAINMENT SOFTWARE RATING BOARD

PRIVACY ONLINE PROGRAM

BEFORE

THE HOUSE JUDICIARY COMMITTEE

SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY

MAY 18, 2000


I.  INTRODUCTION

Good morning, Mr. Chairman, and thank you for the opportunity to appear before your subcommittee as it examines issues regarding online privacy and electronic communications.  I am Marc Szafran, General Counsel of the Entertainment Software Rating Board (“ESRB”) and it is an honor to testify before you today. 

The ESRB is an independent, self-regulatory entity that provides comprehensive support services to companies in the interactive entertainment industry.  Established in 1994, the ESRB is the nation's leading, non-profit, entertainment software rating body.  Although originally charged with developing a standardized rating system for entertainment software, since its inception the organization has grown proactively in protecting consumers and anticipating the evolving industry.  Today — after rating over six thousand five hundred game titles and having been praised by Senator Joe Lieberman as the “most comprehensive rating system of any entertainment medium in this country” — the ESRB has evolved into a dynamic and effective self-regulatory organization.  This organization has established itself as one of the preeminent institutional models for effective and meaningful self-regulation for interactive entertainment.  We now provide services not only for rating software titles, but for rating websites and online games, for ensuring online privacy protection, and most recently, for reviewing advertising created by the interactive entertainment industry.

As General Counsel, one of my primary responsibilities is to oversee the operations of ESRB Privacy Online, one of four divisions within the ESRB. ESRB launched the ESRB Privacy Online Program in June of 1999.  This launch was in direct response to the Interactive Digital Software Association’s (“IDSA”)[1] own online privacy initiative.  The IDSA had published a voluntary set of principles and guidelines regarding the online protection of personal data for the guidance of IDSA member companies.  These far-reaching guidelines were at the forefront of industry-initiated, self-regulatory protection for consumer privacy.  They contained comprehensive protections regarding children, notice/disclosure, access, security and enforcement.  As part of these guidelines, companies were required to procure the services of an independent, third-party seal provider to monitor and enforce published privacy practices and provide consumer dispute resolution services.

 ESRB’s familiarity with the nuances of the interactive entertainment industry and our reputation for helping consumers make educated choices in digital entertainment media indicated that we would be uniquely qualified as a seal provider for interactive entertainment companies.  As a result, ESRB Privacy Online was created and customized to meet the unique online business models of the industry.  To date, we have certified eight of the nation’s leading interactive entertainment software publishers and are currently in the process of certifying an additional six.  Collectively these fourteen companies account for 75 percent of the $6.1 billion in revenues generated by the industry last year.  In addition, we have eleven other companies that have requested our services.

 The ESRB Privacy Online Program is an independent privacy seal program that guards the rights of Web consumers, and the interests of Web publishers, and makes the Internet a secure, reliable, and private place to share information and conduct business. From our principles and guidelines for fair information practices, to our Sentinel enforcement mechanisms, I’m confident that you will find we offer a comprehensive, meaningful and effective privacy seal service that can serve as a successful model for Internet self-regulation.  

Today I will discuss in detail the ESRB Privacy Online Program, its mandatory requirements, and the services we offer as a seal provider.  In addition, I will discuss why seal programs are resulting in effective and meaningful consumer online privacy as the Internet and electronic commerce continue to proliferate. This discussion will cover how: (i) self-regulation and the ESRB Privacy Online Program provide effective consumer protection as an alternative to government regulation; (ii) our Program’s assessment mechanisms and alternative dispute resolution services operate; and, (iii) these assessment mechanisms and our compliance incentives provide effective and meaningful enforcement.  I provide this testimony on behalf of ESRB with the hope that our experience can serve as a model for other consumer privacy protection initiatives and as an example of how industry-led self-regulatory programs can provide true protection for consumers in all areas of the global electronic arena.

II.  THE ESRB PRIVACY ONLINE PROGRAM

Participating companies must adhere to rigorous ESRB Privacy Online Program requirements, including accepted Principles and Guidelines for Fair Information Practices (“Principles and Guidelines”).  The Principles and Guidelines regulate online information collection and use practices by requiring participating companies to maintain a commitment to consumer notice, consumer choice, data access, children’s privacy protection, and data integrity.  Compliance with the ESRB Privacy Online Program requires companies to display the ESRB Privacy Online Certification Seal on their homepage, all main pages, and any information entry points where a consumer could disclose their identity or personal information.  This ensures that:

• Web users are given clear and simple notice of a site’s information practices;

• Web users have options regarding whether and how their personal information is used;

• Web users have reasonable access to information about them collected online and have the opportunity to correct any inaccuracies;

• Web users have assurances regarding the accuracy and security of personal information; and,

• Parents of children 12 and under can decide whether their child’s information is collected and how it can be used.

 Companies that meet ESRB Privacy Online’s high standards are awarded the ESRB Privacy Online Certification Seal — a symbol of integrity and compliance.  For the Web consumer, this seal offers an assurance that the site has adopted an approved privacy policy, that its stated privacy practices are being implemented as represented in their policy statement, and that the site submits to ongoing, independent, third-party monitoring and oversight mechanisms. Each Certification Seal includes a “click-to-confirm” option that automatically links a user to ESRB Privacy Online’s Authentication Page. The Authentication Page is located on a secure server and provides consumers with the ability to confirm that the site with which they are interacting is using a valid, certified ESRB Privacy Online Certification Seal and that the company is a participant in good standing with our program.  This mechanism was implemented to ensure the integrity of the Seal and guard against misuse or misappropriation by unauthorized web sites.

Because participating companies must implement and publish privacy statements that inform consumers about their information practices, ESRB Privacy Online offers services to assist companies in creating or modifying these critical documents. These services include: (i) an online privacy statement composition program called the ESRB Privacy Statement Composer; and, (ii) a Policy/Statement Creation Assistance Team.

If a participating company does not have a privacy statement, the Composer helps the company create its first draft.  This draft can subsequently be customized to meet a particular business model and unique privacy practices. The Composer provides companies with the framework for creating a compliant privacy statement that gives consumers notice regarding information collection practices and demonstrates a meaningful commitment to protecting online privacy.

 Finally, with regard to drafting clear, complete and understandable privacy statements, ESRB Privacy Online's services also include the provision of a team of legal and business experts who are trained to help participating companies create compliant privacy policies and statements. The team is available to work one-on-one with companies to ensure that privacy policies and statements contain collection and use practices that adhere to all of ESRB's requirements and that can meet the parameters of most existing business models.

The certification process can be extremely rigorous and demanding for companies in a variety of ways.  In many cases, companies are required to considerably modify existing internal practices to meet the requirements of the ESRB Privacy Online Program.  From revising customer service procedures, to implementing new technical mechanisms such as online consent forms, creating multi-functional age fields, etc., to modifying existing marketing and promotional models, companies frequently can incur significant costs as a result of coming into privacy compliance.  Often database procedures must be overhauled, additional personnel must be hired and trained, and new security systems must be devised and implemented.  For larger companies, this can be expensive and time-consuming.  For smaller, “mom-and-pop” companies, these requirements can be even more significant.  Responsible companies, however, still realize the long-term value of privacy compliance and sustain the rigors of certification to ensure effective consumer protection.

 III.  SENTINEL OVERSIGHT, MONITORING AND ENFORCEMENT SERVICES

The Sentinel Program is ESRB Privacy Online’s enforcement and accountability mechanism; the apparatus that verifies that participating companies comply with their published information policies.  The Sentinel Program is broken down into four distinct parts: Sentinel On-Site Audits, The Sentinel Consumer Online-Hotline, Sentinel Monitoring and Verification, and Sentinel Spot Checks.

 Sentinel On-Site Audits. Prior to certification, and at annual intervals thereafter, each participating company must submit to an on-site audit.  Each on-site audit is conducted by a staff attorney who is trained in the area of privacy law.  Through these on-site audits, ESRB Privacy Online determines whether a company’s privacy statement is an accurate representation of its internal and external information practices.  The on-site audit also provides ESRB Privacy Online with the opportunity to ensure that a company’s information practices meet all of our program’s requirements and such requirements are maintained on a consistent basis.  ESRB will not grant or renew a certification without first conducting an on-site audit and certifying that a company meets the program’s criteria.  ESRB Privacy Online maintains a record of each participating company’s on-site audit for a period of three (3) years.

Sentinel Monitoring and Verification.  ESRB Privacy Online also conducts both random and scheduled quarterly reviews of a participating company’s information practices.  The goal of these reviews is to provide effective ongoing enforcement and assure both the consumer and the participating company that a reliable safeguard exists to verify that a company’s privacy policy implementation is accurate, meaningful and effective.  Monitoring reviews are unannounced and consist of specially trained online monitors methodically moving through a participating company’s Web site, Web page by Web page, URL by URL, ensuring that: (i) a functional link to the participating company’s privacy statement is posted on its homepage, all main pages, and at all information entry points; (ii) all personal information entry points include a date of birth field that can determine if a user is twelve years old or under and then activate the information entry point to not collect personal information and instead trigger a parental consent mechanism; and, (iii) the site complies with all other ESRB Privacy Online Program requirements. Each monitor is required to complete a comprehensive report that memorializes the reviewed company’s practices and must archive the site through an actual CD-ROM duplication.  Both the monitor’s report and the CD-ROM are maintained by ESRB Privacy Online for a period of three (3) years.  In addition, monitors are required to routinely input identifying privacy terms (i.e., “privacy policy,” “privacy statement,” “certification seal,” and “ESRB Privacy Online”) into various search engines to ascertain if an unauthorized web site is misusing or misappropriating the ESRB Privacy Online Certification Seal.
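
An added example, not the ESRB's or any participating company's code, of the kind of date-of-birth check that requirement (ii) above describes: from a submitted birth date it decides whether the entry point may collect personal information or must instead route to a parental-consent step, and it fails closed on malformed or future dates. The ISO date format, the "12 and under means no 13th birthday yet" reading, and the function names are assumptions.

```javascript
// Added illustration of an age-gated information entry point.
// Assumption: dates arrive as YYYY-MM-DD strings and "12 and under"
// means the user has not yet reached a 13th birthday.

// Parse a YYYY-MM-DD string strictly; returns null for anything invalid,
// including calendar-impossible dates such as 2000-02-30 that Date would
// otherwise silently roll forward into March.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) {
    return null;
  }
  return dt;
}

// Completed years between dob and today, counting a birthday only once
// it has actually occurred (a Feb 29 birthday counts on Mar 1 in
// non-leap years).
function ageInYears(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() < dob.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age;
}

// Decide what the entry point may do with the submission.
//   collect: true  -> the form may proceed to collect personal information
//   parentalConsent: true -> stop collection and trigger the consent flow
function evaluateEntryPoint(dobString, todayString) {
  const dob = parseIsoDate(dobString);
  const today = parseIsoDate(todayString);
  if (!dob || !today || dob > today) {
    // Unparseable or future birth date: fail closed and collect nothing.
    return { collect: false, parentalConsent: false, reason: 'invalid-dob' };
  }
  const age = ageInYears(dob, today);
  if (age <= 12) {
    return { collect: false, parentalConsent: true, reason: 'child', age };
  }
  return { collect: true, parentalConsent: false, reason: 'age-13-or-over', age };
}
```

The constructed cases below exercise the day before and the day of a 13th birthday, a leap-day birthday, and an impossible date; a monitor seeding an entry point with fictitious data, as the Spot Checks section describes, would be looking for exactly these boundaries.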

Sentinel Spot Checks.  ESRB Privacy Online also periodically conducts unannounced audits of each company's privacy practices through planted "spot checks."  Sentinel Spot Checks are random, unannounced reviews of a participating company’s online information practices through a process known as “seeding.”  The seeding of a participating company’s database is done by a Web monitor who submits fictitious consumer data at each information entry point.  The Web site’s response is then tracked and recorded to determine if the company’s collection and use practices adhere to its privacy statement.

 Consumer Online-Hotline.  Another effective method for enforcement used by ESRB Privacy Online is the Sentinel Consumer Online-Hotline.  The Sentinel Consumer Online-Hotline is a no-charge service that allows Web users who have a privacy grievance or who believe that a privacy violation has taken place on a participating company’s Web site to directly report the violation/grievance to ESRB Privacy Online.  The reporting can be done swiftly and easily by filling out the Sentinel Consumer Online-Hotline form and indicating on the form the alleged privacy violation.  ESRB Privacy Online responds immediately to all consumer concerns and/or complaints (See Consumer Redress below).

IV.  EFFECTIVE INCENTIVES FOR PARTICIPATING WEB SITES’ COMPLIANCE WITH ESRB PRIVACY GUIDELINES

ESRB Privacy Online provides effective incentives for a participating company’s compliance with its Principles and Guidelines.  This performance standard is satisfied by ESRB Privacy Online in the following ways:

Contractual Obligations.  To participate in the ESRB Privacy Online Program and post a Certification Seal, a company must first execute the ESRB Privacy Online License Agreement.  As part of this Agreement and as a material obligation, participating companies must agree to comply at all times with the Principles and Guidelines.  Failure to comply with the Principles and Guidelines could be interpreted by ESRB Privacy Online as a material breach of the Agreement and constitute a trademark infringement and a dilution of the goodwill and reputation attaching to our mark.  As a result, this contractual arrangement serves as an effective incentive for participating companies to comply with our Principles and Guidelines.  In the event of a breach, ESRB Privacy Online is prepared to pursue a number of remedies, including revocation of a company’s Certification Seal, canceling membership status, publication of a violation, the payment of fines, compensation in the form of voluntary payments to the United States Treasury in connection with an industry-directed privacy program, and pursuit of any other remedies available at law.

 Consumer Redress.  ESRB Privacy Online also requires that each participating company maintain an internal dispute resolution system that provides consumers with the ability to fairly and expeditiously resolve privacy grievances and receive appropriate remedies.  Specifically, each participating company must create a simple, effective system that allows a Web user to lodge a complaint against a participating company.  Each company must appoint an identifiable, accessible, and responsive individual who will serve as the participating company’s privacy policy administrator.  This privacy policy administrator must be given the authority to investigate a Web user’s complaint and complete any necessary investigations in a timely manner.  If the privacy policy administrator determines that a complaint is valid and/or that the participating company has not adhered to its information practices, the Web user should be offered a remedy.  Such remedy must be appropriate under the circumstances of the case and may include the righting of the wrong (e.g., correction of any misinformation, cessation of further data collection from that consumer, or destruction of improperly collected data) or compensation for any harm caused. 

 If a Web user is still unsatisfied with the resolution of a complaint, or any other aspect of the participating company's internal dispute resolution process, the complaint must be directed to the ADR Officer at ESRB Privacy Online either at the Web user's own initiative or by company referral.  At this point, ESRB Privacy Online, under the auspices of its ADR Officer, will implement its resolution processes, including investigations and compliance reviews.  ESRB Privacy Online sponsored mediation or arbitration services seek to resolve disputes or complaints within a seven (7) to fourteen (14) day period.

 Both ESRB Privacy Online and the participating company must maintain accurate records of any complaints and response to such complaints for a period of three (3) years. 

Commission Referral. If a participating company fails to take appropriate actions in response to a valid complaint or an ESRB Privacy Online mandate, or in any way engages in a pattern of violating ESRB Privacy Online requirements, ESRB may invoke the remedies described above regarding contract breaches and is prepared to refer such company to the Federal Trade Commission for engaging in unfair and deceptive trade practices.

V.  THE EFFICACY OF SELF-REGULATION VS. GOVERNMENT REGULATION

The global electronic marketplace is in its nascent stage.  As such, the e-marketplace requires experienced and capable hands to assist it in achieving its fullest potential.  A critical element of achieving this potential is to ensure that participating consumers are protected to the maximum extent possible.  ESRB Privacy Online asserts that effective self-regulation is the best way to achieve this goal. This belief is grounded in the fact that the online industry is highly motivated to adapt quickly to marketplace changes and employ meaningful measures that will protect consumer rights. The people and companies that deal with the industry’s constant change and unique requirements are those in the best position to guide and refine its development.  As all successful and responsible business people realize, consumer protection is an essential element of this development.  An online business that cannot assure consumers that their privacy will be guarded is a business that will fail.

For this reason, ESRB Privacy Online believes, in agreement with what the Federal Trade Commission has thus far maintained, that it would be best for government to contain the regulatory impulse and facilitate self-regulation as the proper approach to protecting consumers in the e-marketplace.  Government regulation could well obstruct the existing market incentives that have already begun to inspire merchant dedication to consumer protection. Furthermore, governmental regulations are jurisdictionally self-limited.  In a global electronic marketplace, various differing jurisdictions and incompatible regulations will surely generate wasteful conflicts—conflicts between nations, between the federal and state governments, even between the states themselves.  The result of these conflicts will certainly be the accompanying protracted litigation of choice-of-law statutes, provisions, and agreements.

 Instead of impeding market incentives, government’s role should be to encourage and facilitate industry-led self-regulation.  To be effective, the online industry requires speed and flexibility to self-regulate the dynamic e-marketplace.  By combining adaptability with stability, self-regulatory programs led by industry and nurtured by government provide the most effective protection for consumers in the online arena.  Such industry-led self-regulatory programs develop consumer confidence in a variety of ways.

Privacy Seals - Self-regulatory, industry-led privacy seal programs strive to protect the personally identifiable data that consumers may provide when they visit a website.  Entities like ESRB Privacy Online independently evaluate a website’s privacy policies to ensure that: (i) such policies comply with recognized principles for fair information practices; and, (ii) consumer data is not being mishandled.  Such entities act as a proxy for the consumer, demanding the same privacy guarantees that a consumer would but with greater review and enforcement power than the individual consumer would be able to exercise.  As a proxy consumer, seal providers have a vested interest in the transaction with the merchant, but owe allegiance to the consumer.  The veracity and reliability of the third party’s seal is the sole market influence on the seal provider; if they do not provide effective protection for consumers, they lose credibility and thus effectiveness.  It is this threat that prevents third-party seal providers from becoming facades that merchants might use to avoid governmental intervention.  As a result, the consumer confidence that is required for a seal provider to operate is the most efficient and effective form of consumer protection in the global electronic marketplace.

Remedies - Not only do self-regulatory seal programs encourage confidence in the global electronic marketplace in their role as guides to reputable businesses, they also provide a mechanism for accountability and recourse.  Seal providers like ESRB Privacy Online have a number of remedies available to them that the average consumer does not.  Seal providers are in a position to impose penalties on non-conforming merchants.  They are also able to exert market pressures on merchants by publicizing the names of non-conforming merchants, a stigma difficult for the average consumer to apply.  Seal providers can make use of extensive alternative dispute resolution agreements with the merchants in order to ensure accountability.  They can refer non-conforming merchants to applicable law enforcement and administrative bodies, such as the FTC, but with much more intensity than the individual consumer.  Finally, seal providers can pursue breach of contract claims against merchants who fail to implement and maintain the requisite level of consumer protection.

 Education - Industry-led self-regulatory programs also serve to educate the online community.  Throughout the process of certification, both consumers and merchants learn the value of privacy protection.  Consumers who learn and have confidence that they can control the use of their own personal information will be less likely to avoid e-commerce for that reason.  By removing the most prevalent deterrent to e-commerce — consumer fears regarding privacy online — independent seal providers stimulate the electronic economy and provide effective protection for consumers.  As merchants learn that consumers demand privacy protection, those who want to remain competitive in a burgeoning industry will regard privacy protection as a mere “cost of doing business” online.  By providing cost-effective privacy certification services, third-party seal providers like ESRB Privacy Online help reduce the costs of doing business online and encourage greater self-regulation by industry.

 Such self-regulation, led by industry with the support of government, makes superior use of market forces and the flexibility of industry to deal with the rapidly evolving nature of the Internet.  By assuring consumer control of personal privacy, providing a variety of efficient remedies, and encouraging confidence in the global electronic marketplace through education, independent privacy seal providers such as ESRB Privacy Online will be able to provide the most effective protection for consumers on the Internet.

VI.  CONCLUSION

The emergence of the Internet and electronic commerce has brought the issue of online consumer privacy to the forefront of the electronic age. Consumers are increasingly conscious about protecting their privacy when they share information or transact business online.  Web publishers are under intense scrutiny regarding online information collection practices.  Fear about the loss of privacy is the single greatest obstacle to widespread consumer participation in the electronic marketplace.  In the battle for electronic survival of the fittest, the companies that thrive will be the ones that implement and maintain effective, meaningful measures that guarantee the protection of consumer personal information.  We believe that the ESRB Privacy Online program is the most complete, cost-effective and comprehensive means to achieve that goal.  Backed and administered by the experience, expertise and success of established authorities in self-regulation and the Internet, ESRB Privacy Online provides clarity, support and direction for providing maximum online consumer privacy protection.

 I thank the Committee for the opportunity to share these views and discuss these critical issues and look forward to working with the Courts and Intellectual Property Subcommittee in the future.

[1] The IDSA is the U.S. association exclusively dedicated to serving the business and public affairs needs of companies that publish video and computer games for video game consoles, personal computers, and the Internet.