Many Web sites will pay high price for children's data

The phones at Surfmonkey.com ring nonstop with thousands of parents calling each week to give the online playground permission to collect personal information from their young children.

And each week, a team of about five staffers does little else but deal with the dizzying avalanche of calls.

The system was developed a few months ago to meet requirements of a tough new law called the Children's Online Privacy Protection Act (COPPA), which is set to kick in next month.

"It's pretty cumbersome and costly to set up," said David Smith, Surfmonkey's chief executive.

Surfmonkey and other children's Web sites could dodge the strict new standards about to go into effect by not asking children under 13 for their name, address or other identifiable information, as the law requires parental consent only if an Internet company is gathering private data from children.

Despite widespread grousing over the law, however, many companies are willing to cope with the headaches and high price of complying as long as they can continue collecting the valuable consumer information used for pitching products and services to young visitors. Armed with the data, Internet sites can boost their revenues by selling advertising space to businesses looking to zero in on a particular market.

"The law is tough for a reason," said Jason Catlett, president of Junkbusters, a privacy advocacy group based in New Jersey. "The real question is, why do Web sites need to gather this information from kids?"

COPPA's path The tough privacy protection law passed by Congress in 1998 will take effect next month.

June 1998 The Federal Trade Commission releases a report saying that 89% of children's Web sites collect personal details from youngsters, and more than half provide some disclosure of their practices. But only 23 percent of the sites advise children to get permission before giving up their name, address and other personal details.

October 1998 Congress passes the Children's Online Privacy Protection Act (COPPA).

June 1999 The public comment period for the act closes. Some children's sites and trade groups complain the law will be too cumbersome. Others, such as education groups, are strong supporters of written consent from parents.

July 1999 The Center for Media Education publishes findings from a study showing that many popular children's sites ask very personal information from young surfers but often don't state how they will use the information.

October 1999 The FTC unveils tough new rules for Web sites to come into compliance with the act.

April 2000 The new law goes into effect.

Source: CNET research

While many well-known children's sites, such as Surfmonkey, Disney.com and Lego.com, already are in compliance, others are still scrambling to meet the April 21 deadline. Those who ignore the law can expect fines of $11,000 for each violation.

"There are quite a few sites out there that aren't sure how the law affects them, and they will be awfully surprised when the deadline passes," said Nancy Savitt, a New York lawyer with the firm Aftab & Savitt, which represents many Internet companies that cater to children.

Smaller sites that don't have the finances or the staff to deal with the law are in the greatest danger, she said.

But a new program organized by Savitt's partner, Parry Aftab, could bring some relief. The program, called WiredKids.org, is set to launch a week from today. It allows a central registry where a single permission slip can be used for multiple Web sites.

To join the program, companies pay a yearly fee of anywhere from $10,000 to $100,000, depending on the size of the organization, Aftab said. WiredKids will then take care of securing consent from parents who will have to submit a credit card number as identification.

"This would help the mom-and-pop operations come into compliance," she said, noting that it costs a minimum of $50,000 for a Web site to meet regulations. "Without a central site registry, the greatest risk our kids face in connection with the Internet is being denied access."

The privacy act, passed by Congress two years ago, was designed to protect preteens from falling victim to exploitative practices on the Net.

Studies conducted by the commission and other organizations found that many Web sites made children answer very personal questions before allowing them to take part in online games and contests. Sites asked questions such as where children lived, what kind of cars their parents drove, and where their parents banked.

Subsequently, Congress passed its law requiring these sites to obtain "verifiable parental consent," but it left it up to the Federal Trade Commission to define how that test would be met.

The law applies to all children's Web companies that collect information about young visitors. It also covers commercial sites that ask consumers under 13 years old their age, email address and other personal details.

Coming into compliance
For those affected by the new statute, the commission has developed a "sliding scale" approach allowing Web sites to vary how they meet the requirements.

Companies can get permission slips from parents by mail, fax or by having them call a toll-free number.

At Surfmonkey, an answering service asks parents a series of questions to secure consent: their full name, email address, and some sort of code word to identify their children. Afterward, a crew listens to the recording and puts the information in a databank. For every 10 calls, staffers call parents back to make sure the information is legitimate. "It's a way to make sure our system is working," Smith said.

Smith also said his staff has been trained to decipher whether the calls are, in fact, coming from an adult.

Email consent is allowed for Web sites that collect personal information only for internal purposes, but only if operators follow up to confirm parents' identities through either another email or by telephone, commission officials said.

Information culled from parents cannot be used for marketing purposes, commission officials added.

"There is always a tension between authenticating someone's identity and giving information that can be used against a person," Catlett said. "But in this situation, the parent has the choice to withhold consent."

How the FTC is going to regulate the vast number of Web sites remains unclear. Most likely, watchdog groups like Junkbusters and WiredKids will assist by ratting on offenders.

In an ironic twist, Surfmonkey accidentally leaked personal information about its clients while trying to comply with the privacy protection act.

In January, while trying to inform parents about its new system, Surfmonkey mistakenly sent notices that contained a list of email addresses for thousands of children registered with the company. It was a glitch that angered many parents.

Company executives tried to quell parents' concerns, saying the information could not end up in the wrong hands because of Surfmonkey's parent-controlled "cyber friends" list--meaning that a stranger would be blocked from contacting a child by email because their names would not appear on the approved list.

More such glitches can be expected, however, as Web companies struggle to comply with the law before the April deadline, said David Steer of Truste, a San Francisco Bay area organization that dispenses privacy seals on the Internet.

"There are a lot of confused Web sites out there," he said. "Who knows how this law will play out in the marketplace. We're going to refrain from saying whether it's a success or not."