New Internet law aims to protect kids.

>When talking about online access to personal information, it’s hard to avoid using Orwellian clichés about Big Brother and the constant specter of being observed. But there are various tools available that allow Web-site operators to gather information about visitors–both voluntarily and involuntarily–that can be very telling about their guests. The irony, at least in the Orwellian context, is that it isn’t the government that’s tracking you through Cyberspace, mapping your route and building a profile, but rather private companies.

Why businesses want to collect personal information is no secret. “Know your market” is virtually a Jeff Harbaugh mantra, and the Internet provides the ways and means to efficiently and inexpensively conduct market research. A quick trip around the ’Net finds that almost every skate-related site asks users for some type of personal information. Most seem to involve registering for giveaway promotions, others have members-only areas that require users to register with the site. Whatever the means of collection, Web-site operators have the necessary tools to create valuable databases on their respective markets.

So what’s the problem? Well, for better or worse, privacy advocates have pushed Congress to limit the collection and use of Internet users’ personal information. The new Children’s Online Privacy Protection Act (COPPA) came into effect on April 21, and has established requirements regarding the online collection and use of information on children under the age of thirteen.

COPPA affects all commercial Web sites that deliberately collect personal information from children under thirteen, as well as sites that incidentally and knowingly collect information from kids under thirteen. Most skate-related sites would fall in the second category, which requires the site operators to have actual knowledge that the information they are collecting originates from kids under thirteen.

In order to comply with COPPA laws, site operators must post links to a page that states the site’s privacy practices. The privacy notice must disclose several items, including the following: name of the operator, contact information, nature of the information the site collects from children, how information is collected (i.e., voluntarily through questionnaires or passively through the use of electronic “cookies”), how the information is used, and if the information is disclosed to third parties. In addition to posting the site’s privacy policy, operators must contact the parents of the youngsters and provide them with the same information that is stated in its privacy notice.

How a site must contact parents depends on how the site will use the information it collects. If the site is going to use the personal information for internal use only, then the operator only has to e-mail the parent to get their consent, and the parent can simply reply to the e-mail. If an operator intends to make the child’s personal information publicly available, or to disclose it to a third party, the verifiable parental consent becomes much more rigorous. Some of the methods listed as acceptable ways of obtaining verifiable parental consent include receiving a signed permission form from the parent, a call from the parent through a toll-free telephone number, or an e-mail accompanied by a digital signature. Moreover, the site must use reasonable methods to verify a parent’s identity, meaning that a site operator must view all verifications carefully to be sure they originated from a child’s parent.

If an operator changes the collection or disclosure practices of a site subject to the COPPA laws, the whole process must be repeated, and new notice and consent forms must be sent to the parents of all under-thirteen users. Eveen those sites with prior authorization must notify parents of the new practices and receive their permission.

As you might imagine, there are penalties for COPPA violations. They range from fines to ceasing operations, though courts have wide latitude in determining what penalties to impose, and the government has been fairly active in its pursuit of violators.

To avoid any possible violations, many site operators have attempted to deny access to children under thirteen. Skateboard.com prohibits kids under the age of fourteen from becoming members or registering their own e-mail account, though they can freely browse the site. And the iFuse.com youth-culture site has gone so far as to ask users if they’re under thirteen in its privacy-practice notice, then restricts those who answer yes from some areas of the site.

Many other sites also choose to limit or deny access to under-thirteen users rather than comply with the new regulations. But in the traffic-hungry world of Web sites, limiting access to this sizable demographic can have its drawbacks. The e-commerce research firm Jupiter Communications (jupitercommunications.com) reports that 11.4-million children under the age of twelve used the Internet in 1999, and expects that number to jump to 24.3-million by 2003. And according to TransWorld SKATEboarding, ten percent of its readership is twelve and under, up from four percent in 1998.

A close evaluation of how your company collects information from its Web-site visitors, and how that information is used, is the first step in deciding how to comply with the new laws. The next step is to decide what changes to make to your Web site’s data-collecting procedures. A good source of information on complying with COPPA can be found at www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm. Taking the time and making the effort to fully comply with the changing landscape of Cyber law will allow your company to take full advantage of the Internet’s unprecedented marketing power while avoiding the legal pitfalls of an evolving technology.

Matthew Miller is an attorney-at-law in Solana Beach, California. He can be reached at: (858) 259-6969.