Federal regulators are about to take the biggest steps in more than a decade to protect children online.
The moves come at a time when major corporations, app developers and data miners appear to be collecting information about the online activities of millions of young Internet users without their parents' awareness, children's advocates say. Some sites and apps have also collected details like children's photographs or locations of mobile devices; the concern is that the information could be used to identify or locate individual children.
These data-gathering practices are legal. But the development has so alarmed officials at the Federal Trade Commission that the agency is moving to overhaul rules that many experts say have not kept pace with the explosive growth of the Web and innovations like mobile apps. New rules are expected within weeks.
"Today, almost every child has a computer in his pocket and it's that much harder for parents to monitor what their kids are doing online, who they are interacting with, and what information they are sharing," says Mary K. Engle, associate director of the advertising practices division at the F.T.C. "The concern is that a lot of this may be going on without anybody's knowledge."
The proposed changes could greatly increase the need for children's sites to obtain parental permission for some practices that are now popular -- like using cookies to track users' activities around the Web over time. Marketers argue that the rule should not be changed so extensively, lest it cause companies to reduce their offerings for children.
"Do we need a broad, wholesale change of the law?" says Mike Zaneis, the general counsel for the Interactive Advertising Bureau, an industry association. "The answer is no. It is working very well."
The current federal rule, the Children's Online Privacy Protection Act of 1998, requires operators of children's Web sites to obtain parental consent before they collect personal information like phone numbers or physical addresses from children under 13. But rapid advances in technology have overtaken the rules, privacy advocates say.
Today, many brand-name companies and analytics firms collect, collate and analyze information about a wide range of consumer activities and traits. Some of those techniques could put children at risk, advocates say.
Under the F.T.C.'s proposals, some current online practices, like getting children under 13 to submit photos of themselves, would require parental consent.
Children who visit McDonald's HappyMeal.com, for instance, can "get in the picture with Ronald McDonald" by uploading photos of themselves and combining them with images of the clown. Children may also "star in a music video" on the site by uploading photos or webcam images and having it graft their faces onto dancing cartoon bodies.
But according to children's advocates, McDonald's stored these images in directories that were publicly available. Anyone with an Internet connection could check out hundreds of photos of young children, a few of whom were pictured in pajamas in their bedrooms, advocates said.
In a related complaint to the F.T.C. last month, a coalition of advocacy groups accused McDonald's and four other corporations of violating the 1998 law by collecting e-mail addresses without parental consent. HappyMeal.com, the complaint noted, invites children to share their creations on the site by providing the first names and e-mail addresses of their friends.
"When we tell parents about this they are appalled, because basically what it's doing is going around the parents' back and taking advantage of kids' naïveté," says Jennifer Harris, the director of marketing initiatives at the Yale Rudd Center for Food Policy and Obesity, a member of the coalition that filed the complaint. "It's a very unfair and deceptive practice that we don't think companies should be allowed to do."
Danya Proud, a spokeswoman for McDonald's, said in an e-mail that the company placed a "high importance" on protecting privacy, including children's online privacy. She said that McDonald's had blocked public access to several directories on the site.
Last year, the F.T.C. filed a complaint against W3 Innovations, a developer of popular iPhone and iPod Touch apps like Emily's Dress Up, which invited children to design outfits and e-mail their comments to a blog. The agency said that the apps violated the children's privacy rule by collecting the e-mail addresses of tens of thousands of children without their parents' permission and encouraging those children to post personal information publicly. The company later settled the case, agreeing to pay a penalty of $50,000 and delete personal data it had collected about children.
It is often difficult to know what kind of data is being collected and shared. Industry trade groups say marketers do not knowingly track young children for advertising purposes. But a study last year of 54 Web sites popular with children, including Disney.go.com and Nick.com, found that many used tracking technologies extensively.
"I was surprised to find that pretty much all of the same technologies used to track adults are being used on kids' Web sites," said Richard M. Smith, an Internet security expert in Boston who conducted the study at the request of the Center for Digital Democracy, an advocacy group.
Using a software program called Ghostery, which detects and identifies tracking entities on Web sites, a New York Times reporter recently identified seven trackers on Nick.com -- including Quantcast, an analytics company that, according to its own marketing material, helps Web sites "segment out specific audiences you want to sell" to advertisers.
Ghostery found 13 trackers on a Disney game page for kids, including AudienceScience, an analytics company that, according to that company's site, "pioneered the concept of targeting and audience-based marketing."
David Bittler, a spokesman for Nickelodeon, which runs Nick.com, says Viacom, the parent company, does not show targeted ads on Nick.com or other company sites for children under 13. But the sites and their analytics partners may collect data anonymously about users for purposes like improving content. Zenia Mucha, a spokeswoman for Disney, said the company does not show targeted ads to children and requires its ad partners to do the same.
If the F.T.C. carries out its proposed changes, children's Web sites would be required to obtain parents' permission before tracking children around the Web for advertising purposes, even with anonymous customer codes.
Some parents say they are trying to teach their children basic online self-defense. "We don't give out birth dates to get the free stuff," said Patricia Tay-Weiss, a mother of two young children in Venice, Calif., who runs foreign language classes for elementary school students. "We are teaching our kids to ask, 'What is the company getting from you and what are they going to do with that information?' "interact
This article originally appeared in The New York Times.