The Children's Online Privacy Protection Act (COPPA), which went into effect April 21, 2000, requires sites that collect information from children to get parental permission first--sometimes via phone, mail or fax.
In a one-year review of the law, Internet watchdog group the Center for Media Education (CME) found that although the act has changed the way sites do business with children, many are still breaking the law, some of them unwittingly.
"CME found that COPPA has brought about significant changes in Web sites' business practices in data collection," the group's report said. "Despite these positive changes, however, CME's survey also found the industry is clearly not doing all it can to comply with the new privacy provisions, and in some cases, may be violating both the spirit and the letter of the law."
On Thursday, the FTC said it had reached a settlement with three companies that broke that law, requiring them to pay a total of $100,000 in penalties and delete all personal information they've collected since April 21, 2000.
The companies include Monarch Services and Girls Live, operators of Girlslife.com; Nolan Quan, publishers of Bigmailbox.com; and LookSmart, which operates Insidetheweb.com.
The FTC said the sites did not get permission from parents before collecting children's information. Furthermore, the sites did not post COPPA-compliant privacy policies. The sites also are required to post a link to an FTC site about COPPA for five years.
The FTC cracked down on the first COPPA violator last July, when it reached a settlement with now-defunct Toysmart.com on similar charges.
The CME study found that more sites are posting privacy policies but most do not have a "clear and prominent" link to those policies, as required under COPPA. In addition, CME said a majority of sites that collect information don't get parental permission before doing so. The study also found that some sites don't consider that certain features, including forums or e-mail, could be considered data collection mechanisms requiring COPPA consent.
The study praised the new creative collection schemes being adopted by some companies, including anonymous registration, which lets sites gather aggregate data without personally identifying each child.
But CME urged the FTC to more actively enforce the law and issue a simplified guide to COPPA compliance. It also called on the Department of Education to encourage more familiarity with some of the privacy pitfalls children face when surfing the Web.
"New studies should look at how parents and teachers, the ones with the most responsibility for guiding children online, understand and interact with COPPA provisions," the study said.