Federal regulations aimed at protecting children's online privacy take effect this month, forcing Web sites that cater to kids younger than age 13 to get parental permission before they collect personal information about children who visit them online.
The sites must state in plain language what information they're gathering, and what they plan to do with it.
But the regulations -- the first Internet privacy rules overseen by a federal agency, in this case, the Federal Trade Commission -- are going into effect at a time of heightened public concern about secret poaching of personal data on the Internet. And even as regulators move to bring the industry into compliance, they acknowledge that new technologies and practices could soon stretch the limits of these new rules.
In addition to the provisions forcing privacy disclosures and parental control, the Children's Online Privacy Protection Act, which goes into effect April 21, says Web sites must state whether any data gathered on a child will be shared with advertisers. It also must provide company contacts so that parents can review what information the site might have collected on their child.
The Children's Advertising Review Unit, a trade group whose members include some of the largest advertisers to children, has been tracking ads aimed at kids in all media for 26 years. It suggested a version of the Internet rules in 1996, and that standard became the framework for the new regulations. But much has changed since 1996, experts say.
For instance, the rules make only a general reference to "cookies," the digital tags placed on a user's computer that can enable advertisers to track a child's Web visits from site to site.
Since the regulations were signed into law in October, a public firestorm has arisen over how cookies are used by Net advertising firms.
The issue developed after online ad firm DoubleClick Inc. revealed then withdrew plans to link information on surfing habits to information that could identify computer users. The children's privacy rules require that sites disclose when they link cookies with personal information without trying to restrict their use.
"Given the unspeakable pace of technological change, that implementation of the act [relating to cookies] might be revisited," said Elizabeth Lascoutx, director of the Children's Advertising Review Unit and vice president of the Council of Better Business Bureaus.
Of equal concern, experts say, is the move into wireless Internet technology. Some say technologies being developed would allow advertisers to direct messages to mobile computer users via Internet-linked cell phones or personal digital assistants based on users' locations and cell phone numbers.
In other words, software could be designed to automatically e-mail or call kids on their cell phones with an ad when they walk past a store for instance, sending along a few seconds of a new hit song along with a dollar-off digital coupon for a CD. Increasingly, children between the ages of 10 and 16 are carrying cellphones, experts say.
Andrew Shen, policy analyst for the Electronic Privacy Information Center, a Washington privacy-rights group, isn't sure the new privacy regulations could hold off such an effort.
"The question is, should we allow this to happen in any situation?" Shen asked. "If I were a parent, I'd be uncomfortable with someone else other than me knowing where my kid is all the time."
While saying that existing rules will help parents avoid abuse of their kids, Lascoutx readily acknowledges that wireless Internet and other new technology present challenges.
"Convergence is my nightmare," she explained. "I don't know how any of these things are going to be monitored, and I don't know how anybody's going to enforce monitoring."
The FTC has established a phase-in period during which the new rules will be implemented on a "sliding scale" under which "the required method of consent will vary based on how the operator uses the child's personal information."
Companies that share the information with outside marketers will be judged on a more rigid scale of compliance, the FTC says, while those whose data collection is for internal use have until April 2002 to comply unless complaints are made against them.
Last year, a study commissioned by the Children's Advertising Review Unit found that while most sites aimed at children collect data, 73 percent failed to post privacy policies. Since then, several companies with much vested in their Web operations have very publicly moved to at least meet the rules.
For instance, Walt Disney Co.'s Go Network and other Disney-owned sites, popular among children, have been in compliance with the rules, and have said they will increase their security by April 21 by insisting on proof of parental consent by requiring a credit card, said Larry Shapiro, the network's executive vice president of corporate development.
The FTC has said it will enforce regulations through active monitoring and by following up on complaints.
While declining to specify how tightly the rules will be monitored, Barbara Anthony, the FTC's Northeast regional director, said the broad-based support for the rules makes "one hopeful there will be implementation and compliance."
Lascoutx said she expects the rules to be enforced "quite closely," noting that changes requested by the group involving traditional kids' advertising have been followed in about 98 percent of cases. She said traditionally responsible companies including Hasbro and Disney have been quick to comply.
"The virtual companies who don't have a history in marketing to children, they're the ones who have to be brought along," she said. And the message that really hits home with them is: "That e-commerce can be brought to a halt if you don't."
Meanwhile, she and others say it is up to parents to make children aware of the dangers they might face if they lie about their age to thwart the protections.
What are the rules intended to prevent?
The biggest concern is that gathering personal information about a child will allow a pedophile in a chat room to locate the child. The rules also are aimed at preventing children from being "micro-targeted with ads that will give undue power to the ad message."
Such concerns take on a new perspective in light of Internet advertisers' plans for wireless data. Already, the leading online ad firms, noting estimates that wireless devices will outnumber PCs in several years, are expressing new eagerness to target mobile users.