This Saturday marks the one-year anniversary of an important ruling about privacy and children's websites. In anticipation of the occasion, the Annenberg Public Policy Center of the University of Pennsylvania decided to take a hard look at whether the Federal Trade Commission rule implementing the Children's Online Privacy Protection Act (COPPA) has been taken seriously.
So what does this mean for the conscientious parent of a typically Internet-curious child? You can't be too careful, says Joseph Turow, author of the study and professor at Penn's Annenberg School for Communication.
"What I tell my own kids, who are 14 and 17," he adds, "is to stick with familiar, brand-name sites." The bottom line, Mr. Turow explains further, is that "parents have to set ground rules for a family's information policy and talk with children early on about not revealing any information about themselves or their family. Age 6 or 7 is not too early for this."
Gone are the days when it was enough for parents to just tell their kids not to talk to strangers on the street. "With information privacy, we have entered a whole new era," Turow says.
But the situation is not all gloom and doom. "Websites are much less voracious than they were a few years ago," says Turow, "when sites would ask children their parents' income, what kind of car they drive, what their house looks like.... It was a feeding frenzy!"
He attributes the progress to COPPA, which was enacted by Congress in 1998 to regulate the collection, use, and disclosure of personal identifiable information from children on the Internet.
But some dotcoms still consider COPPA a dirty word. It is costly for them to comply, as staff must be hired not only to write privacy policies but also to monitor chat rooms and e-mails. Zeeks.com, based in Portland, Ore., has recently chosen to shut down its chat rooms and e-mail service rather than pay the price of compliance, which they predict would be about $200,000 per year. They are adding more online games, which they hope will make up for the loss of traffic.
Compliance can indeed cost as much as 10 percent of a company's overall revenue. But a breach of law might bring an even higher cost. "If you have a policy and you don't comply with it, you run the risk of either being investigated by the FTC or being sued by lawyers," says Robert Gellman, a privacy consultant based in Washington.
It's a Catch-22, says Jonathan Zuck, president of the Association for Competitive Technology, a trade group of about 9,000 small tech companies, many of whom are struggling to comply with COPPA.
In his testimony to Congress recently, Mr. Zuck lobbied for a closer look at the original law. "We all agree with the goal of protecting kids, but that hasn't been the net result," he says. "The law used vague language, and it was misinterpreted by the FTC." For example, he says, the parental consent rule was interpreted as a requirement to prevent kids in chat rooms and via e-mail from sharing any information with each other. "It's killing companies to pay for that, and kids are just lying about their age on adult sites. I'm not sure that's a net positive."
For more information, visit the following websites: The FTC at www.ftc.gov/ kidzprivacy; Children's Advertising Review Unit at www.caru.org; Annenberg Public Policy Center at www.appcpenn.org; cyberangels.org; and COPPA at www.wired kids.org/coppa1.html.
What the law says about children's privacy online
Websites geared toward children under age 13, which collect personal data on their visitors, must:
1. Provide parents with notice of how information is gathered from children.
2. Obtain parental consent before they collect, use, or disclose personal information.
3. Give parents a way to review the personal information collected.
4. Provide parents with a mechanism to prevent further collection of information, or further use of already stored data.
5. Limit the information to that necessary for the online activity.
6. Establish and maintain reasonable procedures to protect confidentiality and security of the information collected.
Personal information is defined as:
First and last name.
Home or other physical address, including street or city name.
Social Security number.
Any other identifier that enables the physical or online contacting of an individual.
Information concerning the child or parents that the website collects online and combines with an identifier described above.
(c) Copyright 2001. The Christian Science Monitor