Many popular web sites geared toward children still don’t follow federal requirements for privacy, according to an independent study released March 28 by the Annenberg Public Policy Center of the University of Pennsylvania.

Almost half of the 162 sites checked by Annenberg researchers don’t have prominent links to their privacy policy, and one in 10 had no link at all on their home page, contrary to the 1999 regulations designed to protect kids on the web.

The Federal Trade Commission (FTC) wrote the rules for children’s web sites, based on the Children’s Online Privacy Protection Act (COPPA).

“One year after the passage of COPPA, we found more sites skirting the COPPA requirements than following them carefully,” said Joseph Turow, Annenberg professor and author of the study, entitled “Privacy Policies on Children’s Web Sites: Do They Play By the Rules?”

COPPA requires that web sites obtain “verifiable parental consent” before collecting, using, or disclosing any personal information, such as a name or address, from children under 13. Consent can be verified through postal mail or a telephone call. The law also requires a detailed and easy-to-find privacy policy.

The web sites examined by Annenberg researchers were selected in consultation with FTC staff using a list, provided by Nielsen/NetRatings, of 500 web sites that had the highest percentage of two- to 12-year-old visitors. They included sites for video games, snacks, children’s characters, and TV shows.

Common on other web sites, too, the researchers found the privacy policies were difficult to find, read, and understand.

“We found that most of the 90 privacy policies were so long and complex that it took the coders an average of 9.4 minutes to read each policy in search of its COPPA statements,” the report said.

Seventeen of the 162 sites did not post privacy links on their home page—despite FTC requirements—but did collect personal information.

However, a check by eSchool News staff revealed that, between the time the information for the study was collected and the time it was released, two of these 17 sites—NancyDrew.com and PokemonSnap.com—had posted privacy policies on their web pages.

Other sites that did have privacy links did not highlight them as required by law, the report said, and many policies didn’t have all the required statements about how personal information is used or how parents could review or remove their children’s personal information from the site.

COPPA regulations encourage web sites to include certain visual elements—such as highlighting with color or typography—to make links to their privacy policy stand out. Only 44 percent of the sites linked to their privacy policy using a different font, and only 6 percent used a different color, according to the study.

Although COPPA asks web sites to avoid putting their privacy policy at the bottom of the home page in small letters, 60 percent of web sites still did this.

Some proprietors of kids’ web sites have complained that the COPPA requirements are too strict and are burdensome for smaller sites.

“We need to provide fun, educational things for children to do on the internet—that has been our goal,” said Steve Schaffer, chief executive officer of MysteryNet Inc., the company that operates NancyDrew.com.

Three months after COPPA went into effect last year, the FTC reviewed several sites to check for compliance. Of all the sites that collected personal information, about half had “substantial compliance problems,” according to the FTC.

Toby Levine, a senior staff attorney for the FTC, said there is good news and bad news in the Annenberg survey.

The study found that 91 percent of web sites examined do post privacy policies. Levine said that’s a huge increase in the number of web sites that actually posted privacy policies since the FTC’s own examination last year.

“Unfortunately, there are a number of sites that are not doing a good job of informing parents and educators about what their policies are,” Levine added.

The Annenberg study suggested that the FTC should help parents and educators find out easily if a site conforms to COPPA through some sort of seal-of-approval program.

“If there was a model or template that parents could use to compare between sites, it would be much more helpful,” Turow said.

The Entertainment Software Rating Board (ESRB) already operates such a program, called ESRB Privacy Online. Web sites that participate in this program get an ESRB Privacy Online seal of approval logo to place on their web site. The logo links to the site’s privacy policy, which is reviewed by ESRB legal staff to ensure it complies with COPPA and other ESRB requirements, said Claude Noriega, legal counsel at ESRB. Also, ESRB provides web sites with a standard template to use to form their policies.

“Even when information collection does require permission, as COPPA does,” Turow said, “people still need to be able to make decisions based on privacy policies they can understand before their eyes glaze over.”

In most cases, Turow said, the policies were so vague, complex, and confusing that it was as if the sites didn’t want parents or educators to notice their policies. “The complexity of the statements raises the question of whether companies expect or even want parents to read their policies,” he said.

The FTC seeks to educate companies about the requirements of COPPA, Levine said. But a privacy advocate contacted by eSchool News said the agency needs to do more than just educate.

“The Federal Trade Commission needs to enforce the law,” said Andrew Shaen, policy analyst at the Electronic Privacy Information Center. “Obviously, when popular web sites that cater to children under 13 are not following federal privacy laws, something needs to be done.”

Most importantly, the FTC needs to focus enforcement on web sites that receive the most traffic from children 12 and younger, Shaen said: “When you target the largest and most popular web sites, you help the most number of children.”

Shaen also called the study “shallow,” saying, “Surveying privacy policies is different from surveying privacy practices.”

In the near future, the FTC will release “a group of case studies that demonstrate that the law is being enforced,” Levine said. Those who violate COPPA are subject to a penalty of up to $11,000 per violation.

According to COPPA, web sites directed to children 12 and younger must:

  • Provide parents with a notice about the site’s “information practices.”
  • Obtain a parent’s permission before collecting, using, or disclosing personal information from children, with certain limited exceptions.
  • Provide parents with access to their child’s personal information and allow them to review this information and have it deleted.
  • Allow parents to stop more information from being collected or used again.
  • Limit the collection of a child’s personal information to “information that is reasonably necessary for the [online] activity.”
  • Maintain the confidentiality, security, and integrity of information collected from children.

Links:

Privacy Policies on Children’s Websites: Do They Play By the Rules?
http://www.asc.upenn.edu/usr/jturow/release.html

Annenberg Public Policy Center
http://www.appcpenn.org

Federal Trade Commission
http://www.ftc.gov

Electronic Privacy Information Center
http://epic.org

Children’s Online Privacy Protection Act
http://www.kidzprivacy.org

Entertainment Software Rating Board: Privacy Online
http://www.esrb.org/privacy.asp