Several web sites have had to revamp the way they do business with youngsters as they comply with a new federal privacy law aimed at protecting children online.

Under the law, which took effect April 21, sites that attract children under 13 must get parental permission before collecting personal information from those kids and must disclose how they use the data.

But some sites are finding it easier to stop asking questions or restrict minors from the sites altogether.

“Some businesses are responding out of panic and fear,” said Dennis Lee, training director at IFsec, a N.Y. security firm. “They don’t want to get caught doing the wrong thing.”

A few sites, he said, even joked about moving offshore—”their way of expressing frustration that government is regulating another aspect of the internet.”

The new Children’s Online Privacy Protection Act is meant to protect eMail addresses, school locations, and other data that could expose kids to marketers and molesters. One site that federal regulators found egregious used to ask kids about their allowance and parents’ income to enter a contest, for example.

Sites attracting children under 13 must now obtain parents’ approval. Consent by eMail is often OK, but verification by fax, mail, or a toll-free number is required when companies share data with marketers or post it on their sites. An adult’s credit card number is also acceptable.

“This is the most vulnerable age group,” said Kathryn Montgomery, president and cofounder of the Center for Media Education in Washington. “Kids under the age of 13 are generally not as wary or skeptical or careful.”

The law is expected to impact hundreds of popular internet sites aimed at children, which typically offer online games and entertainment in exchange for personal information valuable to marketers.

Hewlett-Packard removed its “18 and under” option from a web site questionnaire. SurfMonkey.com, aimed at children aged six to 12, contacted all parents to renew consent and developed ways to close inactive accounts.

America Online plans to stop letting children use a membership directory to disclose hobbies and other personal details about themselves. The majority of parents already block that feature, said AOL representative Andrew Weinstein. Fewer than 100,000 families will be affected, he said.

FreeZone.com, which targets eight-to-14-year-olds, already spends $100,000 a year getting parental consent. To comply with the new law, the company has made sure eMail addresses were not accidentally kept without permission, said Ali Pohn, FreeZone managing director. The company also rewrote disclosure notices sent to parents.

Disney Online set up ways to run credit cards without posting charges.

The law should help reputable sites thrive and eliminate ones that exploit kids, said Ken Goldstein, Disney senior vice president.

“This makes it very difficult for less reputable operations to go after that low-hanging fruit,” he said.

Andrew Shen, a policy analyst with the Electronic Privacy Information Center in Washington, called the law a “serious first step” but identified a basic loophole: If sites don’t ask how old users are, then they could ignore the law.

“It’s not going to catch all kids online or prevent all information about kids from getting to where it shouldn’t be,” he said.

Plus, the law cannot prevent a kid from stealing a parent’s credit card to “verify” consent.

“Kids know more about this stuff than we do. So, sure, there are ways around it,” said Mozelle Thompson, a member of the Federal Trade Commission. “But that doesn’t mean you don’t put a few speed bumps in.”

Federal Trade Commission’s privacy initiatives

http://www.ftc.gov/privacy

Center for Media Education

http://www.cme.org

Electronic Privacy Information Center

http://www.epic.org