New legislation that went into effect in the U.S. Friday to protect children's privacy on the Web is already running into difficulties.
A plan by The Walt Disney Co. to use parents' credit-card numbers to verify that their children can use services on Disney's network of Web sites was criticized Friday by a major credit-card company. Meanwhile, an online advocacy group said the scheme is too costly for Web sites and only encourages children to lie about their ages.
Called the Children's Online Privacy Protection Act (COPPA), the new legislation aims to prevent personal information from being collected online from children younger than 13 years old without their parents' consent. COPPA requires Web sites aimed at child visitors to post a privacy policy spelling out what information they will collect from children. The act also requires that the sites get "verifiable parental consent" before children can use online chat rooms or submit information about themselves.
Go.com, Disney's Internet unit, said it will require parents to submit their credit-card numbers as a way of authorizing their children to use services on the entertainment giant's Web sites. The company has used an e-mail verification system since early last year, but credit-card numbers provide the most certain means of identification, said Michelle Bergman, a spokeswoman for Go.Com, in a phone interview.
The credit-card system will be used on all of Disney's online sites, including Go.com, Disney.com, ESPN.com, ABCNEWS.com and ABC.com. Disney said it won't put a charge on credit cards, only validate them to ensure that the card number is genuine.
But therein lies a problem. When COPPA was being drawn up, credit-card companies made it clear that they don't want their cards used for identification purposes unless a monetary transaction is made, said Loren Thompson, an attorney at the U.S. Federal Trade Commission (FTC), which is overseeing COPPA's implementation.
"They thought it could compromise their security and lead to more credit-card fraud," Thompson said.
William Binzel, a spokesman for credit-card company MasterCard International Inc., declined to comment on how such fraud could be carried out, but he insisted that credit cards can't be "validated" as Disney suggested in cases of tiny or nonexistent sums.
"Credit cards were never intended to be used as an age verification mechanism and are ill-suited for that purpose," Binzel said in a phone interview. "You can't process a transaction at a zero-dollar value; the transaction will be rejected."
Disney is "aware of the credit-card companies' concerns" but maintains that its system will work, Bergman said. She declined to comment further.
The FTC suggested using credit cards as one way to obtain parental permission for a child to use services on a Web site — but only in cases where a transaction is being made, Thompson said. The FTC also suggested setting up toll-free numbers that parents can call and conducting a fairly lengthy e-mail exchange in which a Web site operator can establish if it is communicating with an adult.
Neither of those mechanisms is perfect, Thompson acknowledged, and the U.S. government is exploring other technologies, including digital signatures, in search of a more reliable system.
Meanwhile, one advocacy group was highly critical of COPPA.
"This legislation is a logistical nightmare," Jennifer Widstrom, director of EmailAbuse.org, a nonprofit group that fights spam, said in a statement issued Friday. "Companies will have to devote excessive, costly resources to comply with this legislation, while indirectly encouraging children to lie about their age. Many children are going to magically have their 13th birthdays today."
Conforming with COPPA will cost Web site operators between $60,000 and $100,000 per year, primarily in paying additional staff to handle registration systems, estimated Parry Aftab, a children's Internet lawyer and author of The Parents Guide to Protecting Your Children in Cyberspace.
Aftab described COPPA as "great legislation" and said it will go a long way toward protecting the privacy rights of children online. Many sites already are going above and beyond the requirements in COPPA because it makes their sites more attractive to parents and therefore to advertisers, she said.
"The real (advantage) is having sites inform parents what they're doing with information they're collecting, and getting parents involved whenever children are doing high-risk activities on the Internet," Aftab said.
However, the legislation also highlights the difficulties of building any system that requires people to be positively identified over the Internet. Like the FTC, Aftab said the system will work more effectively when digital signature usage becomes widespread.
She also said parts of the COPPA legislation are highly ambiguous, adding that some Web sites have found it very confusing.
"A lot of people think the law applies to children's sites only, but it doesn't," she said.
COPPA applies to all commercial Web sites and online services directed at children under 13, as well as general audience sites that know they are collecting personal information from a child.