Many popular web sites geared toward children still don’t follow federal requirements for privacy, according to an independent study released March 28 by the Annenberg Public Policy Center of the University of Pennsylvania.

Almost half the 162 sites checked by Annenberg researchers don’t have prominent links to their privacy policies, and one in 10 had no link at all on their home page, contrary to the 1999 regulations designed to protect kids on the web.

The Federal Trade Commission (FTC) wrote the rules for children’s web sites, based on the Children’s Online Privacy Protection Act (COPPA).

“One year after the passage of COPPA, we found more sites skirting the COPPA requirements than following them carefully,” said Joseph Turow, Annenberg professor and author of the study, titled “Privacy Policies on Children’s Web Sites: Do They Play by the Rules?”

COPPA requires that web sites obtain “verifiable parental consent” before collecting, using, or disclosing any personal information, such as a name or address, from children under 13. Consent can be verified through postal mail or a telephone call. The law also requires a detailed and easy-to-find privacy policy.

The web sites examined by Annenberg researchers were selected in consultation with FTC staff using a list, provided by Nielsen/NetRatings, of 500 web sites that had the highest percentage of 2- to 12-year-old visitors. They included sites for video games, snacks, children’s characters, and TV shows.

Common on other web sites, too, the researchers found the privacy policies were difficult to find, read, and understand.

“We found that most of the 90 privacy policies were so long and complex that it took the coders an average of 9.4 minutes to read each policy in search of its COPPA statements,” the report said.

Seventeen of the 162 sites did not post privacy links on their home pages—despite FTC requirements—but did collect personal information.

However, a check by eSchool News staff revealed that, between the time the information for the study was collected and the time it was released, two of these 17 sites—NancyDrew.com and PokemonSnap.com—had posted privacy policies on their web pages.

Other sites that did have privacy links did not highlight them as required by law, the report said, and many policies didn’t have all the required statements about how personal information is used or how parents could review or remove their children’s personal information from the site.

COPPA regulations encourage web sites to include certain visual elements—such as highlighting with color or typography—to make links to their privacy policies stand out. Only 44 percent of the sites linked to their privacy policies using a different font, and only 6 percent used a different color, according to the study.

Although COPPA asks web sites to avoid putting their privacy policies at the bottom of the home pages in small letters, 60 percent of web sites still did this.

Some proprietors of kids’ web sites have complained that the COPPA requirements are too strict and are burdensome for smaller sites.

“We need to provide fun, educational things for children to do on the internet—that has been our goal,” said Steve Schaffer, chief executive officer of MysteryNet Inc., the company that operates NancyDrew.com.

Three months after COPPA went into effect last year, the FTC reviewed several sites to check for compliance. Of all the sites that collected personal information, about half had “substantial compliance problems,” according to the FTC.

Toby Levine, a senior staff attorney for the FTC, said there is good news and bad news in the Annenberg survey.

The study found that 91 percent of web sites examined do post privacy policies. Levine said that’s a huge increase in the number of web sites that posted privacy policies since the FTC’s examination last year.

“Unfortunately, there are a number of sites that are not doing a good job of informing parents and educators about what their policies are,” Levine said, adding that those who violate COPPA are subject to a penalty of up to $11,000 per violation.

Links:

Privacy Policies on Children’s Web Sites: Do They Play By the Rules?
http://www.asc.upenn.edu/usr/jturow/release.html

Annenberg Public Policy Center
http://www.appcpenn.org

Federal Trade Commission
http://www.ftc.gov