ad info  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

Online child privacy act proves problematic for sites

April 25, 2000
Web posted at: 10:32 a.m. EDT (1432 GMT)

(IDG) -- New legislation that went into effect in the U.S. on Friday to protect children's privacy on the Web is already running into difficulties.

A plan by The Walt Disney Co. to use parents' credit card numbers to verify that their children can use services on Disney's network of Web sites was criticized by one major credit card company. Meanwhile, an online advocacy group said the scheme is too costly for Web sites and only encourages children to lie about their ages.

Called the Children's Online Privacy Protection Act (COPPA), the new legislation aims to prevent personal information from being collected online from children younger than 13 years old without their parents' consent. COPPA requires Web sites aimed at child visitors to post a privacy policy spelling out what information they will collect from children. The act also requires the sites to get "verifiable parental consent" before children can use online chat rooms or submit other information about themselves on Web sites.

  MESSAGE BOARD, Disney's Internet unit, said it will require parents to submit their credit card numbers as a way of authorizing their children to use services on the entertainment giant's Web sites. The company has used an e-mail verification system since early last year, but credit card numbers provide the most certain means of identification, said Michelle Bergman, a spokeswoman for Go.Com, in a phone interview Friday.

The credit card system will be used on all Disney's online sites, including,,, and Disney said it won't put a charge on credit cards, only validate them to ensure that the card number is genuine.

But therein lies a problem. When COPPA was being drawn up, credit card companies made it clear that they don't want their cards used for identification purposes unless a monetary transaction is made, said Loren Thompson, an attorney with the U.S. Federal Trade Commission (FTC), which is overseeing COPPA's implementation.

"They thought it could compromise their security and lead to more credit card fraud," Thompson said.

  Make your PC work harder with these tips
  Download free PC software fast
  TechInformer: The Thinking Internaut's Guide to the Tech Industry's products pages
  Reviews & in-depth info at
  E-BusinessWorld's Windows software page
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletters
  Search in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

William Binzel, a spokesman for credit card company MasterCard International, declined to comment on how such fraud could be carried out, but he insisted that credit cards can't be "validated" as Disney suggested in cases of tiny or nonexistent sums.

"Credit cards were never intended to be used as an age verification mechanism and are ill-suited for that purpose," Binzel said in a phone interview Friday. "You can't process a transaction at a zero-dollar value, the transaction will be rejected."

Disney is "aware of the credit card companies' concerns" but maintains that its system will work, Bergman said. She declined to comment further.

The FTC suggested using credit cards as one way to obtain parental permission for a child to use services on a Web site -- but only in cases where a transaction is being made, Thompson said. The FTC also suggested setting up toll-free numbers that parents can call, and conducting a fairly lengthy e-mail exchange in which a Web site operator can establish if they are communicating with an adult.

Neither of those mechanisms are perfect, Thompson admitted, and the U.S. government is exploring other technologies including digital signatures in search of a more reliable system.

Meanwhile, one advocacy group was highly critical of COPPA.

"This legislation is a logistical nightmare," Jennifer Widstrom, director of, a nonprofit group that fights spam, said in a statement issued Friday. "Companies will have to devote excessive, costly resources to comply with this legislation, while indirectly encouraging children to lie about their age. Many children are going to magically have their thirteenth birthdays today."

Conforming with COPPA will cost Web site operators between $60,000 and $100,000 per year, primarily in paying additional staff to handle registration systems, estimated Parry Aftab, a children's Internet lawyer and author of "The Parents Guide to Protecting Your Children in Cyberspace."

Aftab described COPPA as "great legislation" and said it will go a long way towards protecting the privacy rights of children online. Many sites are going above and beyond the requirements in COPPA because it makes their sites more attractive to parents, and therefore to advertisers, she said.

"The real (advantage) is having sites inform parents what they're doing with information they're collecting, and getting parents involved whenever children are doing high-risk activities on the Internet," Aftab said.

However, the legislation also highlights the difficulties of building any system that requires people to be positively identified over the Internet. Like the FTC, Aftab said the system will work more effectively when digital signature usage becomes widespread.

She also believes that parts of the COPPA legislation are highly ambiguous, and said some Web sites have found it very confusing.

"A lot of people think the law applies to children's sites only, but it doesn't," she said.

COPPA applies to all commercial Web sites and online services directed at children under 13, as well as general audience sites which know they are collecting personal information from a child.

FTC official: Net privacy violators not immune
April 10, 2000
EU vote on privacy agreement due this week
March 28, 2000
Internet crime report irks privacy groups
March 13, 2000
The coming privacy divide
February 24, 2000
U.S., EU to meet on data privacy
January 18, 2000

Children's privacy law to take effect Friday
Privacy policies spread, but privacy doesn't
(PC World Online)
Geeks, spies debate Web privacy
(PC World Online)
Microsoft backs P3P Net privacy standard
FTC official: U.S. privacy violators not immune
Can Zero-Knowledge hush up the Net?
(The Industry Standard)
FTC committee debates online access, security
(PC World Online)

Federal Trade Commission
Go Network

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.