SAN FRANCISCO (04/21/2000) - New legislation that went into effect in the U.S. today to protect children's privacy on the Web is already running into difficulties.
A plan by The Walt Disney Co. to use parents' credit card numbers to verify that their children can use services on Disney's network of Web sites was criticized today by one major credit card company. Meanwhile, an online advocacy group said the scheme is too costly for Web sites and only encourages children to lie about their ages.
Go.com, Disney's Internet unit, said today it will require parents to submit their credit card numbers as a way of authorizing their children to use services on the entertainment giant's Web sites. The company has used an e-mail verification system since early last year, but credit card numbers provide the most certain means of identification, said Michelle Bergman, a spokeswoman for Go.Com, in a phone interview today.
The credit card system will be used on all Disney's online sites, including Go.com, Disney.com, ESPN.com, ABCNEWS.com and ABC.com. Disney said it won't put a charge on credit cards, only validate them to ensure that the card number is genuine.
But therein lies a problem. When COPPA was being drawn up, credit card companies made it clear that they don't want their cards used for identification purposes unless a monetary transaction is made, said Loren Thompson, an attorney with the U.S. Federal Trade Commission (FTC), which is overseeing COPPA's implementation.
"They thought it could compromise their security and lead to more credit card fraud," Thompson said.
William Binzel, a spokesman for credit card company MasterCard International Inc., declined to comment on how such fraud could be carried out, but he insisted that credit cards can't be "validated" as Disney suggested in cases of tiny or nonexistent sums.
"Credit cards were never intended to be used as an age verification mechanism and are ill-suited for that purpose," Binzel said in a phone interview today.
"You can't process a transaction at a zero-dollar value, the transaction will be rejected."
Disney is "aware of the credit card companies' concerns" but maintains that its system will work, Bergman said. She declined to comment further.
The FTC suggested using credit cards as one way to obtain parental permission for a child to use services on a Web site -- but only in cases where a transaction is being made, Thompson said. The FTC also suggested setting up toll-free numbers that parents can call, and conducting a fairly lengthy e-mail exchange in which a Web site operator can establish if they are communicating with an adult.
Neither of those mechanisms are perfect, Thompson admitted, and the U.S. government is exploring other technologies including digital signatures in search of a more reliable system.
Meanwhile, one advocacy group was highly critical of COPPA.
"This legislation is a logistical nightmare," Jennifer Widstrom, director of EmailAbuse.org, a nonprofit group that fights spam, said in a statement issued today. "Companies will have to devote excessive, costly resources to comply with this legislation, while indirectly encouraging children to lie about their age. Many children are going to magically have their thirteenth birthdays today."
Conforming with COPPA will cost Web site operators between US$60,000 and $100,000 per year, primarily in paying additional staff to handle registration systems, estimated Parry Aftab, a children's Internet lawyer and author of "The Parents Guide to Protecting Your Children in Cyberspace."
Aftab described COPPA as "great legislation" and said it will go a long way towards protecting the privacy rights of children online. Many sites already are going above and beyond the requirements in COPPA because it makes their sites more attractive to parents and therefore to advertisers, she said.
"The real (advantage) is having sites inform parents what they're doing with information they're collecting, and getting parents involved whenever children are doing high-risk activities on the Internet," Aftab said.
However, the legislation also highlights the difficulties of building any system that requires people to be positively identified over the Internet. Like the FTC, Aftab said the system will work more effectively when digital signature usage becomes widespread.
She also believes that parts of the COPPA legislation are highly ambiguous, and said some Web sites have found it very confusing.
"A lot of people think the law applies to children's sites only, but it doesn't," she said.
COPPA applies to all commercial Web sites and online services directed at children under 13, as well as general audience sites which know they are collecting personal information from a child.
More information about COPPA is available through the FTC's Web site at http://www.ftc.gov/. Disney, in Burbank, California, is at +1-818-560-1000, and on the Web at http://www.disney.com/. MasterCard, in Purchase, New York, is on the Web at http://www.mastercard.com, and at +1-914-249-2000.