Many popular web sites geared toward children still don’t follow federal requirements for privacy, according to an independent study released March 28 by the Annenberg Public Policy Center of the University of Pennsylvania.
The Federal Trade Commission (FTC) wrote the rules for children’s web sites, based on the Children’s Online Privacy Protection Act (COPPA).
“One year after the passage of COPPA, we found more sites skirting the COPPA requirements than following them carefully,” said Joseph Turow, Annenberg professor and author of the study, entitled “Privacy Policies on Children’s Web Sites: Do They Play By the Rules?”
The web sites examined by Annenberg researchers were selected in consultation with FTC staff using a list, provided by Nielsen/NetRatings, of 500 web sites that had the highest percentage of two- to 12-year-old visitors. They included sites for video games, snacks, children’s characters, and TV shows.
Common on other web sites, too, the researchers found the privacy policies were difficult to find, read, and understand.
“We found that most of the 90 privacy policies were so long and complex that it took the coders an average of 9.4 minutes to read each policy in search of its COPPA statements,” the report said.
Seventeen of the 162 sites did not post privacy links on their home pagedespite FTC requirementsbut did collect personal information.
However, a check by eSchool News staff revealed that, between the time the information for the study was collected and the time it was released, two of these 17 sitesNancyDrew.com and PokemonSnap.comhad posted privacy policies on their web pages.
Other sites that did have privacy links did not highlight them as required by law, the report said, and many policies didn’t have all the required statements about how personal information is used or how parents could review or remove their children’s personal information from the site.
Some proprietors of kids’ web sites have complained that the COPPA requirements are too strict and are burdensome for smaller sites.
“We need to provide fun, educational things for children to do on the internetthat has been our goal,” said Steve Schaffer, chief executive officer of MysteryNet Inc., the company that operates NancyDrew.com.
Three months after COPPA went into effect last year, the FTC reviewed several sites to check for compliance. Of all the sites that collected personal information, about half had “substantial compliance problems,” according to the FTC.
Toby Levine, a senior staff attorney for the FTC, said there is good news and bad news in the Annenberg survey.
The study found that 91 percent of web sites examined do post privacy policies. Levine said that’s a huge increase in the number of web sites that actually posted privacy policies since the FTC’s own examination last year.
“Unfortunately, there are a number of sites that are not doing a good job of informing parents and educators about what their policies are,” Levine added.
The Annenberg study suggested that the FTC should help parents and educators find out easily if a site conforms to COPPA through some sort of seal-of-approval program.
“If there was a model or template that parents could use to compare between sites, it would be much more helpful,” Turow said.
“Even when information collection does require permission, as COPPA does,” Turow said, “people still need to be able to make decisions based on privacy policies they can understand before their eyes glaze over.”
In most cases, Turow said, the policies were so vague, complex, and confusing that it was as if the sites didn’t want parents or educators to notice their policies. “The complexity of the statements raises the question of whether companies expect or even want parents to read their policies,” he said.
The FTC seeks to educate companies about the requirements of COPPA, Levine said. But a privacy advocate contacted by eSchool News said the agency needs to do more than just educate.
“The Federal Trade Commission needs to enforce the law,” said Andrew Shaen, policy analyst at the Electronic Privacy Information Center. “Obviously, when popular web sites that cater to children under 13 are not following federal privacy laws, something needs to be done.”
Most importantly, the FTC needs to focus enforcement on web sites that receive the most traffic from children 12 and younger, Shaen said: “When you target the largest and most popular web sites, you help the most number of children.”
Shaen also called the study “shallow,” saying, “Surveying privacy policies is different from surveying privacy practices.”
In the near future, the FTC will release “a group of case studies that demonstrate that the law is being enforced,” Levine said. Those who violate COPPA are subject to a penalty of up to $11,000 per violation.
According to COPPA, web sites directed to children 12 and younger must:
- Provide parents with a notice about the site’s “information practices.”
- Obtain a parent’s permission before collecting, using, or disclosing personal information from children, with certain limited exceptions.
- Provide parents with access to their child’s personal information and allow them to review this information and have it deleted.
- Allow parents to stop more information from being collected or used again.
- Limit the collection of a child’s personal information to “information that is reasonably necessary for the [online] activity.”
- Maintain the confidentiality, security, and integrity of information collected from children.
Privacy Policies on Children’s Websites: Do They Play By the Rules?
Annenberg Public Policy Center
Federal Trade Commission
Electronic Privacy Information Center
Children’s Online Privacy Protection Act
Entertainment Software Rating Board: Privacy Online