FTC Strengthens Rules to Restrict Use of Children's Information by Web Sites

By GREG MILLER

Oct. 21, 1999 12 AM PT

TIMES STAFF WRITER

Moving to protect children from the often sneaky data-gathering tactics of online marketers, the Federal Trade Commission on Wednesday unveiled new privacy rules requiring Internet sites that collect such information to first obtain parental permission.

The rules, which take effect April 21, delineate for the first time what the government will require of Internet companies to comply with the Children’s Online Privacy Protection Act, which was enacted last year.

The most stringent new rules are aimed at sites that not only collect data from children but sell or share the information with other companies. They will be required to use signed forms, credit card numbers or other FTC-approved means to verify parental permission before collecting data.

But almost any Web site that caters to children under 13 will be affected by the new regulations. Even sites that don’t collect marketing data but allow children to enter contests or sign up for newsletters will be required to send parents notice via e-mail.

Companies that violate the rules face civil penalties, including fines up to $11,000 per infraction.

Experts said abuses are still bound to occur because of the FTC’s limited ability to monitor the millions of exchanges of data that take place between individuals and companies on the Internet every day.

And despite the strict requirements for parental verification, even FTC officials acknowledge that companies can’t always be sure they are receiving permission from a parent.

“It’s not a perfect fix,” said Toby Levin, an attorney in the department of consumer protection at the FTC. “A child could still take his parent’s credit card or dial a toll-free number. But we think these rules go a long way toward giving parents tools to have control over their children’s information.”

The rules are the culmination of years of debate over how to protect children from online marketers who extract information ranging from birth dates to e-mail addresses to family spending habits.

The new rules were greeted with support from industry leaders as well as privacy advocates.

“The FTC has done an admirable job,” said Deirdre Mulligan, staff counsel of the Center for Democracy and Technology in Washington. “There are still opportunities for kids to put themselves in harm’s way, but [the rules] protect kids’ privacy without overwhelming their opportunity to participate on the Net.”

The rules and the law they are based on were triggered by growing concern in recent years about the proliferation of children’s Web sites that collect data while often providing little notice that they are doing so or information on how it might be used.

A government study in March 1998 that surveyed 212 commercial children’s sites found that 89% collected personal information from children, but only 24% posted privacy policies and just 1% required parental consent.

Under the FTC’s new rules, all commercial children’s Web sites are required to post, in a “clear and prominent” way, privacy policies explaining what kind of data they collect and how it is used. There is no such requirement for adult sites.

Any company that collects data from children is required to obtain parental consent. Companies that share data with other organizations are required to use what the FTC called “more reliable” methods, such as signed forms. But firms that use the data only internally can obtain verification via e-mail.

That exception is scheduled to expire in two years, by which time FTC officials hope new verification technologies, such as digital signatures, will be more widespread.

Sites don’t have to obtain parental permission to respond to one-time requests from children for information, such as homework help, as long as the company deletes any information collected from the child afterward.

More information about the rules is available on the FTC’s Web site, at https://www.ftc.gov.