The phones at Surfmonkey.com ring nonstop with thousands of parents calling
each week to give the online playground permission to collect personal
information from their young children.
And each week, a team of about five staffers does little else but deal with
the dizzying avalanche of calls.
The system was developed a few months ago to meet requirements of a tough
new law called the Children's Online Privacy Protection Act (COPPA), which
is set to kick in next month.
"It's pretty cumbersome and costly to set up," said David Smith,
Surfmonkey's chief executive.
Surfmonkey and other children's Web sites could dodge the strict new
standards about to go into effect by not asking children under 13 for their
name, address or other identifiable information, as the law requires
parental consent only if an Internet company is gathering private data from
Despite widespread grousing over the law, however, many companies are
willing to cope with the headaches and high price of complying as long as
they can continue collecting the valuable consumer information used for
pitching products and services to young visitors. Armed with the data,
Internet sites can boost their revenues by selling advertising space to
businesses looking to zero in on a particular market.
"The law is tough for a reason," said Jason Catlett, president of
Junkbusters, a privacy advocacy group based in New Jersey. "The real
question is, why do Web sites need to gather this information from kids?"
The tough privacy protection law passed by Congress in 1998 will take effect next month.
The Federal Trade Commission releases a report saying that 89%
of children's Web sites collect personal details from youngsters, and more
than half provide some disclosure of their practices. But only 23 percent
of the sites advise children to get permission before giving up their name,
address and other personal details.
Congress passes the Children's
Online Privacy Protection Act (COPPA).
The public comment period for the act closes. Some children's sites and
trade groups complain the law will be too cumbersome. Others, such as
education groups, are strong supporters of written consent from parents.
The Center for Media Education publishes findings from a study
showing that many popular children's sites ask very personal information
from young surfers but often don't state how they will use the information.
The FTC unveils tough new rules
for Web sites to come into compliance with the act.
The new law goes into effect.
|Source: CNET research|
While many well-known children's sites, such as Surfmonkey, Disney.com and
Lego.com, already are in compliance, others are still scrambling to meet
the April 21 deadline. Those who ignore the law can expect fines of $11,000
for each violation.
"There are quite a few sites out there that aren't sure how the law affects
them, and they will be awfully surprised when the deadline passes," said
Nancy Savitt, a New York lawyer with the firm Aftab & Savitt, which
represents many Internet companies that cater to children.
Smaller sites that don't have the finances or the staff to deal with the
law are in the greatest danger, she said.
But a new program organized by Savitt's partner, Parry Aftab, could bring
some relief. The program, called WiredKids.org, is set to launch a week from today.
It allows a central registry where a single permission slip can be used for
multiple Web sites.
To join the program, companies pay a yearly fee of anywhere from $10,000 to
$100,000, depending on the size of the organization, Aftab said. WiredKids
will then take care of securing consent from parents who will have to submit a credit card number as identification.
"This would help the mom-and-pop operations come into compliance," she
said, noting that it costs a minimum of $50,000 for a Web site to meet
regulations. "Without a central site registry, the greatest risk our kids
face in connection with the Internet is being denied access."
The privacy act, passed by Congress two years ago, was designed to protect preteens from falling
victim to exploitative practices on the Net.
Studies conducted by the commission and other organizations found that many
Web sites made children answer
very personal questions before allowing them to take part in online games
and contests. Sites asked questions such as where children lived, what kind
of cars their parents drove, and where their parents banked.
Subsequently, Congress passed its law requiring these sites to obtain
"verifiable parental consent," but it left it up to the Federal Trade
Commission to define how that test would be met.
The law applies to all children's Web companies that collect information
about young visitors. It also covers commercial sites that ask consumers
under 13 years old their age, email address and other personal details.
Coming into compliance
For those affected by the new statute, the commission has developed a
"sliding scale" approach allowing Web sites to vary how they meet the
Companies can get permission slips from parents by mail, fax or by having
them call a toll-free number.
At Surfmonkey, an answering service asks parents a series of questions to
secure consent: their full name, email address, and some sort of code word
to identify their children. Afterward, a crew listens to the recording and
puts the information in a databank. For every 10 calls, staffers call
parents back to make sure the information is legitimate. "It's a way to
make sure our system is working," Smith said.
Smith also said his staff has been trained to decipher whether the calls
are, in fact, coming from an adult.
Email consent is allowed for Web sites that collect personal information
only for internal purposes, but only if operators follow up to confirm
parents' identities through either another email or by telephone,
commission officials said.
Information culled from parents cannot be used for marketing purposes,
commission officials added.
"There is always a tension between authenticating someone's identity and
giving information that can be used against a person," Catlett said. "But
in this situation, the parent has the choice to withhold consent."
How the FTC is going to regulate the vast number of Web sites remains
unclear. Most likely, watchdog groups like Junkbusters and WiredKids will
assist by ratting on offenders.
In an ironic twist, Surfmonkey accidentally leaked personal information
about its clients while trying to comply with the privacy protection act.
In January, while trying to inform parents about its new system, Surfmonkey
mistakenly sent notices that contained a list of email addresses for
thousands of children registered with the company. It was a glitch that
angered many parents.
Company executives tried to quell parents' concerns, saying the information
could not end up in the wrong hands because of Surfmonkey's
parent-controlled "cyber friends" list--meaning that a stranger would be
blocked from contacting a child by email because their names would not
appear on the approved list.
More such glitches can be expected, however, as Web companies struggle to
comply with the law before the April deadline, said David Steer of Truste, a
San Francisco Bay area organization that dispenses privacy seals on the
"There are a lot of confused Web sites out there," he said. "Who knows how
this law will play out in the marketplace. We're going to refrain from
saying whether it's a success or not."