Moving to protect children from the often sneaky data-gathering tactics of online marketers, the Federal Trade Commission on Wednesday unveiled privacy rules requiring Internet sites that collect such information to first obtain permission from parents.
The rules, which take effect April 21, delineate for the first time what the government will require of Internet companies to comply with the Children's Online Privacy Protection Act, which was enacted last year.
The most stringent new rules are aimed at sites that not only collect data from children but sell or share the information with other companies. Such sites will be required to use printed forms, credit card accounts, toll-free phone numbers or other FTC-approved means to verify parental permission before collecting data.
But almost any Web site that caters to children under 13 will be affected by the new regulations. Even sites that don't collect marketing data but allow children to enter contests or sign up for newsletters will be required to send parents notice via e-mail.
Companies that violate the rules face civil penalties, including fines of up to $11,000 per infraction.
Experts said abuses are still bound to occur because of the FTC's limited ability to monitor the millions of exchanges of data that take place between individuals and companies on the Internet every day.
And despite the strict requirements for parental verification, even FTC officials acknowledge that companies can't always be sure they are receiving permission from a parent.
"It's not a perfect fix," said Toby Levin, an attorney in the consumer protection department at the FTC. "A child could still take his parent's credit card or dial a toll-free number. But we think these rules go a long way toward giving parents tools to have control over their children's information."
The rules are the culmination of years of debate over how to protect children from online marketers who extract information ranging from birth dates to e-mail addresses to family spending habits.
Until now, the government could do little to control such data gathering unless it could catch marketers deceiving consumers by collecting information under false pretenses.
Earlier this year, for example, the FTC settled a suit against a financial company accused of falsely claiming that information it was gathering from children would remain private.
The agency alleged that Liberty Financial Cos. had used prizes and contests to entice children to disclose on a Web site not only their names and addresses, but everything from stocks they had received as gifts to their weekly allowances.
In the face of such abuses, efforts to safeguard children have become one of the few areas of the Internet privacy battlefield where there is broad agreement among government officials, industry leaders and activists.
"The FTC has done an admirable job," said Deirdre Mulligan, staff counsel of the Center for Democracy and Technology in Washington. "There are still opportunities for kids to put themselves in harm's way, but [the rules] protect kids' privacy without overwhelming their opportunity to participate on the Net."
There are hundreds of Web sites that cater to children, run by companies ranging from tiny start-ups to Walt Disney Co. Until recently, many of them collected data while providing little notice that they were doing so or information on how the data might be used.
A government study in March 1998 that surveyed 212 commercial children's sites found that 89% collected personal information from children, but only 24% posted privacy policies and just 1% required parental consent.
Under the FTC's new rules, all commercial children's Web sites are required to post, in a "clear and prominent" way, privacy policies explaining what kind of data they collect and how they are used. There is no such requirement for adult sites.
Any company that collects data from children is required to obtain parental consent. But the means by which they must do so depend on how the companies plan to use the data.
Companies that share data with other firms face the highest requirements and must use what the FTC called "more reliable" methods of parental verification, such as obtaining a printed form with a parent's signature. Many sites have been reluctant to take these steps because they are cumbersome and costly.
But firms that use the data only internally can obtain verification via e-mail, as long as a follow-up confirmation notice is sent to parents by e-mail, telephone or letter. This exception is scheduled to expire in two years, by which time FTC officials hope new verification technologies, such as digital signatures, will be more widespread.
There are also cases when no parental consent is required. Sites don't have to obtain parental permission, for instance, to respond to one-time requests for information such as homework help. Sites can also enter children into contests or let them subscribe to online newsletters as long as parents are given notice by e-mail and are able to prevent further use of the child's information.
More information about the rules is available on the FTC's Web site at http://www.ftc.gov.