Like the Communications Decency Act (CDA) before it, the Children's Online Protection Act (COPA) is unlikely to withstand Constitutional scrutiny. Although the Appellate Court has not officially ruled on COPA, the CDA was struck down by the Supreme Court 9-0. The CDA was found to undermine the free speech of adults in an effort to protect children on the Internet. Likewise, many feel that COPA seems overly broad in its reach and overly difficult in its implementation. During COPA's appeal last November, the three-judge panel that heard oral arguments posed several questions pertaining to community standards, which are at the heart of the law. Judge Leonard I. Garth asked the lawyer representing the Department of Justice what set of values would be used in evaluating what content should be restricted. Garth stated, "It seems to me that in terms of the World Wide Web, what the statute contemplates is that we would be remitted to the most severe, conservative community standards, perhaps those in Iran or Iraq where exposure of a woman's face is deemed to be inappropriate." Given the global nature of the medium and the vast number of diverse communities – whether defined by geographic proximity, political affiliation or religious beliefs – establishing one set of standards that could be used to assess adult-oriented content is impractical and undesirable. Moreover, this objection was not the only one raised by the judging panel. Judge Theodore A. McKee pointed out that, under the law, Web sites with material considered harmful to minors should restrict access by using credit-card gateways or other age verification mechanisms, thereby forcing adults to identify themselves. Both objections make it unlikely that COPA will survive as a law.

State legislatures have not been silent on the topic of children's online safety and have actively proposed many laws related to Internet governance in general. Last summer, for example, a US District Court blocked a Michigan law pertaining to people who disseminate obscene material to children online. The court found that user empowerment tools, such as filtering and blocking technologies, offered an alternative to placing limits on free speech, just as the Supreme Court had found in overturning the CDA.

Government-Mandated Filtering in Schools and Libraries

Although the court has not directly ruled on Internet filtering, in part, the Supreme Court found the CDA unconstitutional because blocking technologies are a less restrictive means to protect minors from content that is potentially harmful to their well-being. Despite the likely demise of COPA as a valid law, the threat of sexually explicit and other content believed to be inappropriate still remains a hot topic among parents and educators as well as legislators. Last year, Congress responded to this parental concern, seizing upon extensive media coverage of children's online safety fueled by the Columbine shootings, and proposed a number of national legislative solutions. Most of the proposed legislation require schools, libraries and other places where there are computers bought with public funds to install blocking and filtering technologies. Though language in one of the bills was dropped last fall, Congress is still sorting through what it will do with the other proposed legislation. Also, on the state level, Arizona and South Dakota have passed similar laws, and in January 2000, a South Carolina senator introduced legislation that would hold libraries criminally liable for failing to block children from accessing pornography online.

1999 Proposed Legislation Requiring Filtering and Blocking on Computers

Although there are important contextual differences in what these bills require, all of these attempt to mandate use of filters on computers purchased with public funds:

• The Juvenile Justice Reform Act of 1999 (McCollum, R-FL)
• The Istook Amendment in the Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2000 (Porter, R-IL)
• Child Protection Act of 1999 (Istook, R-OK)
• Children's Internet Protection Act (McCain, R-AZ)
• Children's' Internet Protection Act (Franks, R-NJ)
• Neighborhood Children's Internet Protection Act (Santorum, R-PA)

Overall, the American Library Association, educators, and civil liberties groups object to government-mandated filtering, preferring that individual schools be allowed to decide what their students view online and that librarians be encouraged to guide their patrons to worthwhile content. Also, many believe that it is important for communities to discuss and debate what role information technologies will play in educational and public settings overall. It is through this exchange of ideas that people will become engaged in the use and benefits of the electronic resources rather than merely reacting to sensationalized reports that evoke fear. Moreover, many educators and librarians find it particularly unsettling that some of the proposed legislation ties their use of filters to funding. All schools and libraries who receive the Internet subsidy known as the E-rate would be required to install blocking tools on their computers.

Libraries and schools have responded to the possibility of government regulation, and the filtering controversy more generally, in a number of ways. Some schools that have been working with commercial filtering programs are finding that the settings can be overly restrictive, making it difficult for students to conduct research online. As mentioned in the "Filtering on Home PCs" section, many of the software programs are embedded with political and cultural bias, eliminating access to information that some teachers want their students to see and evaluate. In this light, filters become blocks not only to "objectionable" sites but to the educational process as well. And, apart from the possible loss of government subsidies, libraries also face the threat of lawsuits. Unable to appease free-speech advocates and conservative family groups both, a library in Hudsonville, Michigan, chose to discontinue offering Internet access to its patrons. In sharp contrast, The Kids' Path Web program created by the Los Angeles library system took an alternate approach. The program designates computers either for adults' or children's use. This program, which is endorsed by the ACLU, employs content filtering only on the children's computers, leaving the other computers able to access all content available on the Internet. Future proposed legislation may try a similar approach, requiring some percentage of computers to use filters and allowing each school and library to decide what constitutes a filter.

When crossing national boundaries, the challenge of legally preventing children from being exposed to "adult" content only promises to get more complicated given the global reach of the Internet. For example:

• The Australian government passed the Broadcasting Services Amendment (Online Services) Bill 1999, which has a goal similar to COPA of protecting children from objectionable material. This law, which went into effect on January 1, 2000, requires Australian Internet service providers to remove objectionable material from Australian Web sites. The bill also proposes that the Internet industry develop the necessary "codes of practice" to block access to objectionable sites coming from servers maintained in other countries.
• England has launched an initiative to protect children from the harmful effects of the Internet. Unlike COPA or the Australian law, England is currently focusing on education and software filters rather than legal remedies. Schools throughout England have been given "Superhighway Safety packs" which include advice on software filters and children's computer use. Also, the Internet Watch Foundation, a coalition of British ISP's, is expanding its focus on child pornography to include hate speech as well.
• Perhaps the most hotly debated international event involving children's online safety and filtering was the Internet Content Summit hosted in Munich in September 1999. The Bertelsmann Foundation, a German nonprofit organization hosting the event in conjunction with the Internet Content Rating for Europe project, released "Memorandum on Self-Regulation of the Internet." The document recommends strategies for self-rating and filtering of Web sites. Many groups – from education, child advocacy, privacy and civil liberties organizations – strongly objected to the recommendations, fearing that they would lead to government regulation and the setting of national standards. As was raised during the COPA appeal, national standards are antithetical to safeguarding diversity and allowing individual families to be free to decide what they will and will not allow. (www.stiftung.bertelsmann.de/internetcontent/english/content/c2000.htm)

Alcohol Advertising to Minors

In September 1999, the Federal Trade Commission issued a report, "Self-Regulation in the Alcohol Industry," in response to the Congressional Committees on Appropriations' request that the Commission examine the effectiveness of the alcohol industry's voluntary guidelines for advertising and marketing to underage audiences. In this report, in addition to reviewing industry codes and best practices, the Commission discusses online advertising with respect to young people, citing that the beverage alcohol industry has created over 100 commercial Web sites to promote their products. In an effort to reflect the popularity of the Internet, the Beer Institute in 1997 and the Distilled Spirits Council of the United States in 1998 modified their codes to address issues arising in the new online environment. According to the FTC's report, many of these Web sites post age reminders and offer links to parental filtering software. Some sites make an effort to limit content such as chat rooms, contests and cartoons, which appeal to youth. (www.ftc.gov/reports/alcohol/alcoholreport.htm#bOnline Advertising)

In November 1999, the Center for Media Education (CME) released a report contending that software filters, the very solution to which alcohol Web sites are linking, fail to protect children from Web site marketing and selling of alcohol- and tobacco-related products. "Youth Access to Alcohol and Tobacco Web Marketing: The Filtering and Rating Debate" builds on the work CME did in their 1997 study that examined online advertising of both alcohol and tobacco. Then, as now, there has been very little tobacco advertising on the Web, consequently, there has been little federal activity in this area. The Food and Drug Administration for the last few years has been focused on cigarette advertising in traditional media and has been hesitant to pursue anything related solely to the Internet.

It is unlikely that there will be government action in the area of alcohol and tobacco advertising online in the near future. More likely, sites promoting these products will be included in more general efforts that target sexually explicit Web sites along with other adult fare. Nevertheless, parents and educators will have to contend with the accessibility of online areas where drinking and smoking are discussed and promoted. Some believe that making these areas off-limits, may make them more desirable and interesting, especially among teenagers.

Children's Online Privacy Protection Act

Though conventional wisdom has instructed parents to teach their children "Don't talk to strangers," the electronic availability of children's personally identifiable information is now unprecedented and of national concern. Passed on April 27, 1998, the Children's Online Privacy Protection Act (COPPA) seeks to increase parental involvement in commercial activities related to children under 13.

The major components of the law are:

1. The law applies to operators of a commercial Web site or an online service directed to children under 13 that collects personal information from children or operators of a general audience Web site that have actual knowledge that they collect personal information from children.

2. A privacy notice must be posted on the homepage and wherever information is collected. The notice must be clear, prominent, clearly written and understandable.

3. Before collecting, using or disclosing personal information from a child, an operator must obtain verifiable parental consent from the child's parent. Until April 2002, the FTC will use a sliding scale approach to parental consent in which the required method of consent will vary based on how the operator uses the child's personal information.

4. Schools can act as parents' agents or as intermediaries between Web sites and parents in the notice and consent process.

5. Although not explicitly stated in the regulations, companies may collect and use children's information in the aggregate as information in this form is not covered under the law.

Once Congress laid out the general principles of the law governing online data collection from children, it charged the FTC with promulgating an initial rulemaking to sort out how the law would be implemented. In a 4-0 decision, the Commission issued its final rulemaking in October 1999. The rulemaking delineates what commercial Web site operators must do to adhere to the law by the time the law takes effect in April 2000.

The law is the result of three years of information-gathering workshops held at the FTC, investigative research of online practices by the Commission and independent groups, and high visibility news stories featuring specific examples of questionable data collection practices. It is noteworthy that: 1) the first federal action in the area of privacy and electronic commerce was on behalf of children; and 2) this action occurred in three years.

The most controversial section of the COPPA requires Web sites targeted at children under 13 to obtain verifiable parental consent before collecting personal information from them. The controversy settled on the definition of verifiable and how that might change with innovation in technology. In an effort to respond to the dynamic nature of the Web and to allow for new developments, the FTC adopted a sliding scale approach. In the FTC's memorandum, "How to Comply With The Children's Online Privacy Protection Rule," which presents a straight-forward description of the law's applicability and implementation, the sliding scale is described in the following terms:

• If the operator uses the information for internal purposes, operators may use e-mail to get parental consent. When operators want to disclose a child's personal information to third parties or make it publicly available (for example, through a chat room or message board), the sliding scale requires them to use a more reliable method of consent. These include getting a signed form from the parent via postal mail or facsimile; accepting and verifying a credit card number; taking calls from parents through a toll-free telephone number staffed by trained personnel; e-mail accompanied by digital signature; e-mail accompanied by a PIN or password obtained through one of the verification methods above.

Although the core questions that lie at the center of the children's privacy debate will not change – do young people have the right to explore information and entertainment resources online without divulging who they are and what rights do their parents have? – the way children access and use electronic resources may change dramatically by April 2002, when the FTC will reevaluate the sliding scale. It is not insignificant, for example, that both the House and the Senate passed controversial legislation in 1999 that would provide electronic signatures with the same legal validity as traditional paper signatures.

During a July 1999 workshop held by the FTC, industry representatives, child advocacy organizations and companies working to promote electronic commerce all provided commentary that led to these regulations, paying the greatest attention to the requirements of parental permission. Consumer and child advocates contend that the only way currently to verify that parents have agreed to release their child's data is to obtain a traditional signature – either through postal mail, via fax or to speak with a parent by telephone. This is what is known as the "print and send" model because it often requires children to print a permission form that their parents can read, sign and then send land-based mail to the Web site operator. Industry representatives, on the other hand, argue that this is both too cumbersome for parents and too costly to operate. They fear that overly burdensome requirements will have a chilling effect on children's use and parents' appreciation of the online medium. And for their part, companies working to develop mechanisms that may facilitate electronic commerce are interested in promoting tools, such as digital signatures, public key encryption and other identity-authenticating technologies. In settling on a sliding-scale approach, the Commission was trying to reflect the complexity of data collection and use as it exists today, while allowing for change in the future. The FTC cannot predict what technological developments will shape children's online experiences during the first two years of the law's implementation.

In addition to enforcing the COPPA, the FTC currently has jurisdiction to adjudicate cases involving individual companies regarding fraudulent, unfair and deceptive practices. To date, the Commission has been asked to respond to several complaints involving specific companies' Web practices. The first was a complaint filed by the Center for Media Education against KidsCom; and most recently, the Commission settled with Liberty Financial Companies, Inc., the operator of the Young Investor Web site. In addition to these government regulations, companies belonging to the Better Business Bureaus, also must comply with the Children's Advertising Review Unit's guidelines. As explained below, these guidelines are the standard in industry self-regulation for all media.

Although some of the most active users of the Internet are adolescents and older teens, anyone over 13 falls beyond the COPPA's reach. There is little likelihood that Congress will pass a bill that targets teens, specifically; the FTC and consumer advocates agree that adolescents and other age-specific youth groups will not be the subject of future legislation. Policymakers and industry representatives acknowledge that teens are developmentally different from younger children, and teens have informational rights distinct from their parents so requiring parental permission prior to collecting data from a 15-year old, for example, is an untenable approach.

Future Privacy Protections

The tenor surrounding legislative activity is such that the passage of a general privacy bill, including teenagers and adults, is by no means guaranteed in the near term. However, in February 2000, federal lawmakers formed a Senate Democratic Privacy Task Force and a bipartisan Congressional Privacy Caucus comprised of members from both houses dedicated to privacy issues. Senator Robert Torricelli (D-NJ) has proposed a bill that would control how companies employ "cookies" – digital identification tags that sit on a computer user's hard drive used by Web sites to track personal information. Unwilling to wait for broad-based legislation, privacy and consumer groups have been diligent in exposing objectionable commercial practices. One of the recent controversies involved New York-based DoubleClick, a company that places advertising banners on thousands of Web sites and tracks users who view these ads. DoubleClick's plan to add people's names and addresses to its tracking program met with tremendous criticism, prompting one advocacy group, the Electronic Privacy Information Center (EPIC), to file a complaint with the FTC. Additionally, according to "Surfer Beware III: Privacy Policies Without Privacy Protections," a December 1999 study released by EPIC, the top 100 e-commerce sites violate fair information practices. Moreover, a number of innovations within the marketplace of e-commerce have captured the attention of the FTC. Several months ago, the Commission and the Department of Commerce held a workshop to examine business practices on the Web aimed at tracking Internet users' Web surfing habits. Some Web companies are using various online tracking tools – referred to as "Web bugs," or simply data-profiling devices – to track the online buying habits of individuals. Privacy advocates have been critical of many major e-mail programs that employ cookies, technological innovations such as a cursor made by Comet Systems and Alexa, a data-collection software used by Amazon.com, just to name a few, because of their ability to gather information from unwitting computer users.

Industry Self-Regulation

Several industry trade associations have tried to educate their members about privacy, encouraging them to implement data collection and use policies as a part of good business practices. By and large, though, these efforts have lacked the force of a national law, and are nowhere near the comprehensiveness offered by the European Union's privacy directive. With respect to children, the Children's Advertising Review Unit (CARU), has established self-regulatory guidelines for advertising to children on the Internet. Some of these guidelines mirror those found in the COPPA, giving them greater force than they otherwise would have.

Children's Advertising Review Unit Guidelines

Established in 1974 by the National Advertising Review Council, the Children's Advertising Review Unit (CARU) is a division within the Council of Better Business Bureaus. Its purpose is to promote responsible children's advertising. It is best known for its self-regulatory guidelines pertaining to advertising to children that were first published in 1975 and have been updated in subsequent years as marketing practices have changed. The most significant revision in the last few years has been the extension of the guiding principles to new media, giving particular attention to the unique challenges of online data collection. CARU has both an academic and a business advisory board.

Because the guidelines cover a wide range of advertising practices – product presentations and claims, premiums, promotions and sweepstakes, and 900 teleprograms, to name a few – the majority of the guidelines were not affected when CARU reissued them to incorporate online technologies. The section of the guidelines pertaining to interactive electronic media, however, did undergo revisions. This section pertains to advertising directed at children under 13 – the same age limit for the COPPA – whereas the other sections in the CARU guidelines cover advertising aimed at children under 12.

Not surprisingly, CARU has been extremely active in the children's privacy debate over the last few years. Most recently, at the July 1999 FTC Workshop, CARU provided descriptions of the working relationship it has with many companies operating children's Web sites. Of the approximately 150 sites that CARU was advising at that time, nearly three-fourths were using an e-mail mechanism for obtaining parental consent. Most of these sites were offering a service such as an e-mail newsletter or a contest. A much smaller portion of the companies was striving to achieve a more rigorous parental permission standard because of the greater interactivity that their sites provided young people. Most children's sites do not offer real-time chat, bulletin boards, pen pal features and other activities that bring children into contact with people they cannot see. Nevertheless, children and teens long to communicate with friends and would-be friends in new technological ways, ensuring that these activities will become increasingly common.

There are a number of specific CARU guidelines pertaining to interactive electronic media. Briefly, the ones that cover data collection read as follows:

1. Before asking children for personally identifiable information about themselves or others, advertisers should remind children to ask a parent for permission to answer the information gathering questions (e.g., "You must ask your Mom or Dad if you can answer these questions").
2. The advertiser should disclose, in language easily understood by a child, why the information is being requested (e.g., "We'll use your name and e-mail to enter you in this contest and also add it to our mailing list.") and whether the information is intended to be shared, sold or distributed outside of the collecting advertiser company.
3. If information is collected from children through passive means (e.g., navigational tracking tools, browser files, etc.) this should be disclosed to the child and the parent along with what information is being collected.
4. Advertisers should encourage the child to use an alias (e.g., "Bookworm", "Skater", etc.), first name, nickname, initials, or other alternative to full names or screen names which correspond with an e-mail address for any activities which will involve public posting.
5. If the information is optional, and not required to engage in an activity, that fact should be clearly disclosed in language easily understood by a child (e.g., "You don't have to answer to play the game"). The advertiser should clearly disclose what use it will make of this information, if provided, as in #2 above, and should not require a child to disclose more personal information than is reasonably necessary to participate in the online activity (e.g., play a game, enter a contest, etc.).
6. The interactivity of the medium offers the opportunity to communicate with children through electronic mail. While this is part of the appeal of the medium, it creates the potential for a child to receive unmanageable amounts of unsolicited e-mail. If an advertiser communicates with a child by e-mail, there should be an opportunity with each mailing for the child or parent to choose by return e-mail to discontinue receiving mailings.

CARU has reported that it is satisfied with the industry's response to its guidelines. CARU claims that companies' Web sites are posting privacy policies and are establishing mechanisms to obtain parental consent before collecting personally identifiable information. Nevertheless, just as the FTC will continue to adjudicate specific cases when companies are believed to be in violation of Commission rules, CARU will pursue companies that are blatantly disregarding its rules. For example, CARU worked with the Chuckecheese and Roaring Mouse Entertainment Web sites to bring them in compliance with the guidelines last summer.

CARU's satisfaction with industry privacy practices should not be mistaken for an overall improvement in the level of commercialism in children's lives, however. It is true that some companies are adopting policies to keep parents better informed and children's information better protected but these "voluntary" policies are the result of federal agency involvement and public criticism. Despite these policies, young people on the Web are still subjected to dizzying amounts of commercial content unparalleled in other media.

Industry Trade Associations

Both the Better Business Bureaus' online effort known as BBBOnLine and the Direct Marketing Association (DMA) have adopted comprehensive programs to encourage their members to comply with privacy standards. In March 1999, BBBOnLine began giving qualified companies an electronic privacy seal for their Web site verifying that they adhere to their stated practices about what information they collect from consumers and how it is used. In December, they accepted comments to its proposed code of online business practices. In July 1999, the DMA's "Privacy Promise to American Consumers" took effect, requiring all DMA members to adhere to certain privacy practices. All sites not directly targeting children under 13, which fall under CARU's jurisdiction, such as teen sites and sites that appeal to both adults and children will be subject to these more general industry standards. The Association of National Advertisers, Inc. and the American Association of Advertising Agencies have also been active in the areas of online advertising and have participated, often along with the DMA and the BBB, in discussions involving data collection and electronic commerce.

Despite industry initiatives, some believe that the marketplace alone may not be able to achieve the Internet's potential to serve children. As the roles of traditional gatekeepers, such as librarians, parents and teachers, change, so too has the need for digital literacy among children. Ultimately, we must place children at the center of our discussions around media, and ask who we want children to be and how technologies may help.