Web Sites grab More Than Cookies From Kids

January 1, 2001       Jeff Berger      

When PBS Kids conducts an online contest, and it is a rare occasion, the organization obtains a verifiable permission slip, nonelectronic, from the parent.

"PBS Kids seeks to provide the tools that caregivers and kids can use to make empowered decisions in regard to their privacy on our Web site. We have a page called ‘Get Your Web License’ that challenges kids, via a game, to think about the decisions that they make while online," said Michelle Miller, manager of the PBS Kids Interactive site.

Many nonprofit Web masters are taking a very cautious approach in presenting content, missions, and interactive pages to both adults and children. Many nonprofits are going out of their way to respect their visitors’ privacy and safeguard the marketing aftermath that can ensue once a visitor surrenders personal information.

At stake, primarily, is image, as visitors to a Web site want to trust the sites they view, especially from a nonprofit.

The privacy conundrum

Web sites all over the Internet, including those of usually altruistic nonprofits, are giving information tracking cookie files to site-visiting children using computers owned by, and identifiable to, parents, schools, and the community. Because of these unsolicited digital tattoos, the unsuspecting child or even adult mostly unwittingly provides marketable personal data that includes, when overlaid with other data sources, name, address, age, email address, and all manner of income and consumer history and preferences.

While this scene is repeated infinite times a day and is a boon to marketers, the bitter aftertaste felt by unknowing consumers of cookies, and fill-in forms is creating an ongoing backlash for privacy rights.

Anyone with an illness or a unique interest or condition might be pinpointed by marketing software programs lurking around the Internet. This has triggered several privacy issue initiatives, such as a joint effort of The Direct Marketing Association (DMA), The Internet Alliance, and the Federal Trade Commission.

This effort is to make Web sites aware of their compliance to the Children’s Online Privacy Protection Act (COPPA), which became effective April 21, 2000. Perhaps a first step towards universal online privacy protection, these rules make Web sites accountable for posting a privacy policy and protecting the privacy rights of children younger than age 13 through tactful use of offered information and with some parental intervention.

Lindy Litrides, senior vice president, relationship marketing at the Arthritis Foundation in Atlanta, is involved in The DMA’s participation with COPPA. "The DMA has also incorporated the substantive content of COPPA into its Guidelines for Ethical Business Practice," Litrides said. "What that means is that it gives The DMA the opportunity to enforce compliance with substantive parts of COPPA with both its members and other companies, as reported by consumers, that may be in violation."

Litrides added: "It’s a form of industry self-regulation. DMA’s Committee on Ethical Business Practice reviews cases of possible violations that are submitted by consumers. If a case can be resolved immediately by a staff member, it will be done. Otherwise, it will be presented to the full committee (approximately 30 people) for review."

Anyone marketing to children younger than age 13 must subscribe to COPPA. The DMA, however, has broadened its guidelines to include all young individuals so that marketers have guidelines to follow in reaching this growing market, she explained.

"Information is maybe rented or exchanged based on the privacy policies of individual sites," said Litrides. "If a company follows regulatory guidelines, then information exchange also follows ethical business practices. If you have good privacy practices, and you follow the regulations, then you are giving consumers notice of what you collect, why you collect it, and how information is used. And, you also give the consumer the opportunity to ‘opt-out’ of the marketing process."

Exemplary site leaders

M. Ford Coch-ran, director, editorial programming, at nationalgeographic.com, said that the site’s initial and ongoing mission of interactivity coincides with the privacy issues. "We made a commitment to build sites for kids – to use the medium to do what other media could not: a firsthand experience. We have taken precautions in regards to kids’ privacy – and we do not want others to exploit our Web site and garner information."

For example, said Cochran, "If you have an open forum board, we only ask children to give their first name and city, and we read contributions before they are posted to edit the content. We cannot even contact the child, as we don’t need to. We go out of our way, as we do not want to collect information from children."

Cochran said, "We knew early on that the FTC was developing guidelines and we contacted them to be sure that we would be in compliance." He said the FTC is using the site as a model for others.

"The discussion boards on our sites are open to adults in real time," said Cochran. "After the posting, we review these boards daily for inappropriate content or for extraneous marketing info such as spam (electronic unsolicited junk messages). Newsletter subscription requests by a visitor, via email, are not re-marketed. It is for the society’s use."

None of the site’s downloads require the visitor to fill out a form. "The goal here is to allow classrooms to share information on projects," he said.

PBS’s Miller explained that when it comes to the history of online legislation, "COPPA offers a much broader range of protection for children: not just targeting online pornography, but covering everything from chat rooms to sweepstakes."

Miller said, "The core of COPPA is a child’s identifiable personal information. We never ask for any personally identifiable information in any configuration that can be pieced together. If a Web developer collects any personally identifiable information from a child, the developer must get verifiable parental written consent, and they must disclose what they will do with that information."

PBS does not run banner ads on the sites targeting children, "but we do have limited, clearly identifiable, sponsorship information," said Miller. "That is important because it helps the visitor distinguish between the content and the commercial sponsor. The second important thing is that our provided links to outside sites all go through a bridge page that signals ‘You are leaving the PBS Kids environments and its policies.’ We also provide a tip: ‘What to know before you go.’ For example, how to behave to protect yourself on the Internet."

Miller said the PBS site does not use targets or cookies, although some cookies can actually help visitors navigate a Web site, and not all cookies store personal information about the visitor.

Shelley Santora Jones, manager of online communications for the World Wildlife Fund, said the organization does not use cookies. "The only time we ask for information is for subscriptions to send for our free email-based newsletters, and for membership. We do not share this information with anybody else. Only the membership information goes into the organization’s database. Each child is counted as a unique user session each time they visit the Web site."

About cookies, Santora Jones said, "There are actually some good uses for them, such as on financial Web sites with account transactions. There is a data mining industry that produces programs designed to track just who is visiting your Web site. However, we do not want visitors to our site to be uncomfortable. So, we do not use these sort of things."

Garth Moore, Web master at the American Society for the Prevention of Cruelty to Animals, said that the organization is building a new kids site called animaland.org, that will be replacing a magazine-type site where children donated – nine times out of 10 via their parents – and, where there was a "secret, members only" club. "We are now opening up a site for the general public and with content that has us disseminating information about all types of living things."

"In terms of our new site," said Moore, "we will protect the privacy of children, while allowing them to participate in our interactive site. We do the same with adults visiting all of our pages. We do trade, for the adults, email and member information with other humane organizations. Donors and visitors can write to us not to do so. This is expressed in the privacy statement. We will follow the FTC guidelines to the letter, and we will even provide a link to the kids’ privacy site at the FTC."

The tandem use of Web site visits coinciding with an email address acquisition from that visitor has become a common practice by many organizations. This calls for a reevaluation of such operations, especially by nonprofits seeking to comply with privacy policies and issues.

Nick Allen, president of donordigital.com, an email and online consulting firm, said, "I do not think it is good practice to resell or trade any email addresses. People are much more sensitive about their email addresses being given out."

Allen, whose firm’s clients he said include Planned Parenthood Federa-tion of America and the Million Man March, said donors generally accept the fact that their names and addresses are rented to, or exchanged with, other organizations doing direct mail fundraising.

"It’s different with email addresses. Individuals expect email privacy, and it is accepted practice not to share email addresses with others unless you have explicitly gotten the individual’s ‘opt-in’ permission."

He advised that at least for now, nonprofits should not share email addresses of their donors or others, even if they share the postal addresses. "That means that organizations that rent their lists need to make sure the email addresses in their files are not rented when the postal addresses are," he said.

"Nonprofits," said Allen, "should post privacy policies on their home pages and on any other pages where visitors give personal information. You can find build-your-own privacy policy using the wizards (programs that guide you step-by-step) that can be found at www.the-dma.org or www.truste.com."

Email marketers tow the line every day between a nonprofit list renter’s needs and the privacy needs of an individual with an email address.

Eric Zilling, co-founder and chief vision officer of Princeton, N.J.-based e-marketing company Impower, said that privacy measures are very important because these are good for both the industry and the consumer. "There is a groundswell of concern by consumers, and our online-based customers are very sensitive as to whether the email lists they are renting were truly gotten by consent of the address owners."

Impower developed an eScore program verification system for Web sites. It uses people who register false names and addresses at any Web site that is capturing email data. That person also cuts and pastes the site’s privacy policy into Impower’s database for reference. "We then have a six-person research team that analyzes the data and assigns a score of one to nine where one is a very positive opt-in site while nine is in the spammer domain."

Zilling admited, "One of the things that is vulnerable here is that registration could be redirected to another site or page, or misrepresented. The way we catch this loophole is that each month we do 100 to 200 email campaigns and then we audit the returns."