Online Privacy Isn't Child's Play

The move last week by the U.S. Federal Trade Commission is drawing a strong reaction from the Web sites singled out for violating children's privacy protection rules.

Spokespeople from those Web sites said they believe the FTC's policy enforcement is "aggressive" and say that the wording of the Children's Online Privacy Protection Act (COPPA) is too vague. The FTC, meanwhile, claims that its actions have been a successful step in protecting the privacy of Web-surfing kids.

The FTC's battle to regulate the privacy of children online, and the difficulty some Web operators have faced in complying with the regulations, perhaps only foreshadow the roadblocks operators and regulators face in dealing with privacy issues for a medium as far-reaching as the Web.

Coinciding with the one-year anniversary of the COPPA rule, the FTC settled with three Web operators last Thursday, charging Monarch Services and Girls' Life, the operators of GirlsLife.com; Nolan Quan, the operator of BigMailbox.com; and LookSmart a combined $100,000 in civil penalties for violating COPPA.

Breaking the Rules?

The Web operators offered children access to services such as chat rooms, free e-mail, bulletin boards, and advice columns.

The FTC claims that the sites, which are the first to be charged under COPPA, failed to post privacy policies and illegally collected telephone numbers, home addresses, e-mail addresses, and other information from children under the age of 13.

Under COPPA, which went into effect April 21, 2000, commercial Web sites are prohibited from soliciting personal information from kids under 13 without directly notifying parents of collection practices and then obtaining permission to solicit personal information from the minors.

But spokespeople from two of the sites charged claim that guidelines on how to operate under the rule have been vague, and have expressed surprise that the FTC has taken legal action with Web operators that they feel are on the low end of the violation curve.

"In this case it was odd that they took an interpretation of the rule that was at the very least extremely aggressive," says Reed Freeman, an attorney for BigMailbox.com, who used to work at the FTC.

Toby Levin, a senior attorney at the FTC, says that although the cases settled last week didn't represent the most serious COPPA violators, they did represent the worst type of violation--namely, lack of a privacy policy and a parental consent mechanism.

Confusion and Compliance

Karen Bokram, publisher of the Girls' Life site, says that because of the rule's vague language her company asked for guidance from the FTC on how to comply.

"They never once, despite repeated written requests for clarification, gave it to us," Bokram says.

However, Levin says that the agency has made the rules regarding COPPA clear. The agency has a Web site with the regulations posted, and offers compliance seminars, as well as a hotline and e-mail address for questions.

Despite the FTC's efforts, some sites stumbled over the new law.

Freeman says BigMailbox.com tried to avoid being considered as a children's site altogether by not allowing users to subscribe to the service unless they said how old they were. If the user was under 13, he or she was denied access. The FTC still held the site accountable to COPPA, however, and the site was flagged for soliciting personal information from kids and failing to make its privacy policy clear.

Levin says that in the case of mixed-audience sites, it is not enough simply to block users under 13, and essentially invite them to lie about their age.

"They must be monitored in a neutral fashion," Levin says.

Bokram admits that her site solicited personal information for change-of-address forms and poetry submissions, but says the information was not retained. Furthermore, Bokram says, Girls' Life shifted to fax-only change-of-address forms, intending to limit the information requests to adults. In the end, however, these measures did not meet guidelines.

Willing to Settle

Both Web operators settled their cases with the FTC to avoid costly litigation. Under the settlements, the Web operators must delete all personally identifying information collected from children online since the rule went into effect. The operators must also agree to comply with the COPPA rule in all future information collecting transactions.

While operators of the sites charged in the FTC's first-round clamp down on children's online privacy raise concern over the enforcement of COPPA, proponents claim that the new law has already done a great deal in furthering online privacy.

The FTC reports that the number of children's Web sites that have posted a privacy warning since the rule was applied increased from 24 percent in 1998 to 91 percent currently. A study by the Center for Media Education notes that privacy policies are not being posted in a "clear and prominent" manner, however, indicating either a general lack of compliance or a need for a clarification of the rules.

"We think there has been a lot of progress and we are not disheartened by a lack of compliance," Levin says. "Regulations need time to take effect."