Web site operators must get parents’ permission in most cases before they can collect personal information from children, according to new rules issued by the Federal Trade Commission (FTC) Oct. 20. The rules, which will go into effect April 21, 2000, mark the FTC’s final compliance with the Children’s Online Privacy Protection Act (COPPA) passed by Congress last year.

The rules are expected to have a dramatic impact on hundreds of popular internet sites aimed at children, which typically offer online games and entertainment in exchange for personal information valuable to marketers.

“There’s a real problem out there,” said FTC Chairman Robert Pitofsky. “We’re going to give the industry six months to get its act together to make changes. After that, we’ll monitor these web sites, and we’ll take enforcement action.”

The rules culminate a year of debate over how COPPA should be enforced. The law requires all web sites that gather information from children 12 and under to get “verifiable parental consent.” But Congress left it up to the FTC to decide how.

Several companies had lobbied for eMail sent from a parent as sufficient proof of consent. eMail is the most convenient and immediate method for granting permission, and web site operators argued that other methods would be too costly for small companies to implement. But privacy advocates countered that eMail would be too easy to forge, especially for kids who often know more about technology than their parents.

The FTC’s rules, which were passed unanimously by the commission, will put a “sliding scale” in place that will give web site operators flexibility in how they comply with the law, based on the type of information they gather from children and how they plan to use it.

Web sites that let children participate in chat rooms or share personal information with other companies must get a parent’s permission through mailed or faxed paperwork, calls to a toll-free number, use of a credit card, or by eMail using tamper-resistant digital signature technology.

But for internal uses of information, sites will be permitted to use eMail, “as long as additional steps are taken to ensure that the parent is providing consent,” the rules state. “Such steps could include sending a confirmatory eMail to the parent following receipt of consent, or … confirming the parent’s consent by letter or telephone call.”

After two years, the sliding scale will expire in favor of more secure electronic forms of consent, the FTC said.

For computer use in schools, the rules will let teachers act as parents’ intermediaries. The rules also lay out some exceptions in which sites won’t have to get permission to collect a child’s name or eMail address, such as if a site responds to a child’s question by eMail or offers one-time homework help, or if a child enters a contest or subscribes to an online newsletter.

Pitofsky said the new rules will achieve “one of the commission’s top goals—protecting children’s privacy online.

“The rule meets the mandate of the statute,” he continued. “It puts parents in control over the information collected from their children online and is flexible enough to accommodate the many business practices and technological changes occurring on the internet.”

For the most part, experts from both sides of the issue seem to agree. “The FTC did a good, balanced job,” said Ron Plesser, an attorney with the Direct Marketing Association and other online marketing groups. “Everything’s a compromise—it’s not great for industry, but it resolves some major concerns.”

And Jason Catlett of Junkbusters Corp., a New Jersey-based privacy group that has frequently sparred with the FTC on privacy issues, praised the agency for a “remarkably good job.”

Parry Aftab, a lawyer who represents several children’s web sites, told the New York Times she was happy to see that the FTC recognized the need to give companies two years to change their eMail verification systems. But she said the more cumbersome rules—such as the one regarding permission for children to join chat rooms—will be difficult for small companies to implement.

The new rules highlight the need for central registries for children and their parents to use for giving consent to participating web sites, Aftab told the Times: “The third-party stuff is going to be very complicated. Without central registries, the small sites won’t be able to survive.”

Federal Trade Commission

Direct Marketing Association

Junkbusters Corp.