Internet privacy for children is controlled by the Children's Online Privacy Protection Act of 1998, codified at 15 U.S.C. § 6501-6506. The law is enforced by the Federal Trade Commission, applying the regulations recorded at 16 C.F.R. § 312.
U.S. law requires special internet privacy protections for children under the age of 13. A web site must make “any reasonable effort… to ensure that before personal information is collected from a child, a parent of the child: a) receives notice of the operator’s personal information collection, use, and disclosure practices; and (b) authorizes any collection, use, and/or disclosure of the personal information” (16 CFR § 312.2). Consent must be collected before personal information is collected.
Violations are deemed “unfair or deceptive practices” and are subject to fines of $11,000 per violation. The FTC has imposed large penalties, numbering $100,000 or even $1 million. The FTC increases penalties if the violations are egregious, involve many children, use the information inappropriately, share the information, or are a large company. For example, in 2003, the FTC issued an $85,000 penalty against Hershey Foods for maintaining a web site that got parental consent only by filling out an online form, with no independent verification that the individual was the parent.