Last Friday, an important law came into effect in the United States. Finally, and despite much complaining from many online businesses, the US government has enacted the Children's Online Privacy Protection Act (COPPA). It restricts businesses from gathering personal information on the Internet from children under 13 years old - the most vulnerable Web users.
From now on, marketeers must obtain parental permission either by e-mail, fax, phone call or from an adult using a credit card to verify identity. Although regulators realise the law isn't perfect and that some kids will get around it, it does at least, and at last, place responsibility and liability on the shoulders of companies that target children online. This is an industry that has, for the most part, exploited children's willingness to fill in forms and offer up details for marketers.
Until now companies were supposed to self-regulate. In particular, they were directed to do so or be liable to federal regulation after the US Federal Trade Commission (FTC) published a damning report in 1998 on privacy on the Internet. Although the Commission had serious concerns about how information was gathered from adults without a clear indication of what it would be used for, it was appalled when it examined the kind of information sites were soliciting from children.
The report, which took three years to compile, examined 1,400 sites. In general, only 14 per cent informed visitors of their information-gathering policy. Only 28 sites bothered to include a detailed privacy statement. And of 212 sites for children, 89 per cent asked young Web surfers to divulge personal information. Less than a quarter of the sites (23 per cent) recommended children to get parental consent before filling in such details. And only 7 per cent said the site would tell parents that such information had been requested.
Sites gathering information from children were asking for names, addresses and phone numbers in many cases. One company detailed in the report even asked for the amount children received weekly for their allowance and asked kids to give an estimate of how much money their parents earned.
Other sites asked for details on parents' cars and where parents banked. Offering up such information then allowed children to enter a contest. Until now, this was a typical ruse: offer kids access to online games, playrooms, chat areas or contests in return for surrendering such details.
As a result of the report, the FTC asked the US Congress to pass laws to protect, at the very least, children's privacy online. Congress responded surprisingly quickly - the report was released in June 1998 and a law had been passed by Congress by August. But because it had to go through a period of public comment and consideration, the Children's Online Privacy Protection Act only became law last Friday.
Lest you think that companies in the meantime had begun to improve their attitudes of their own volition, another report issued in mid-1999 by the respected Centre for Media Education confirmed that online companies were still gathering highly personal information from young children.
Companies are now liable for fines of $11,000 for each violation. Many reputable companies such as Disney and Surfmonkey.com have been quick to put in place the needed infrastructure to handle the requirements of the new law.
Surfmonkey.com, for example, has had a phone-in system working for months in anticipation of the Act. But some companies have actually threatened to take their operations offshore, to avoid the US law.
Of course, companies always have the option of simply not gathering information from children under 13. But a measure of just how valuable marketers believe information to be on children's likes and dislikes, hobbies and interests is evident in that many companies are willing to take on the extra costs for compliance with the law rather than losing this information stream.
In the Republic and Europe, the Data Protection Act is supposed to shield both adults and children from the arbitrary collection, storage and use of personal information. For example, we are supposed to give our permission for the kind of data-gathering done on websites.
But the reality is that some information is often gathered anyway, without a website visitor's knowledge (in the case of the unseen culling of information obtained from the electronic "footprint`' Web users leave behind as they travel across the Net). Ironically, it seems to me that European sites also are less likely to have basics such as privacy statements because the issue is not flagged so prominently here as it has been in the US.
In addition, the Data Protection regulations don't appear to restrict anyone from gathering information from children if the children themselves offer that information to marketers. That means that European children are now protected in the US but not here, even though our data privacy laws theoretically are much stronger.
Surely this is a situation which should be addressed at European level. But it also needs to be tackled within Irish law, especially as we move towards an e-business economy. A light regulatory approach towards business can and should be coupled with firm protections for the personal privacy that can be so easily exploited by the Web - especially in the case of young children.
klillington@irish-times.ie
