Toughened US regulations on online privacy for children take effect Monday, offering new protections amid the growing use of mobile apps and social networks by youngsters.
The new Federal Trade Commission rules are being hailed by some as a milestone, but critics claim they could stifle the growth of child-friendly websites and services.
The rules from the US watchdog, in updating the 1998 Children's Online Privacy Protection Act, include stricter privacy protections for children under 13 by expanding the definition of "personal information" to include geolocation data, as well as photos, videos and audio files.
They also ban "behavioral advertising" directed toward children without parental notice and consent.
This would prevent children from getting "re-targeting" ads, which are based on browsing history.
"This is an important victory for privacy rights on the Internet," said Jeffrey Chester of the Center for Digital Democracy, which spent four years lobbying for the new rules.
"There is no more secret tracking or behavioral tracking," he said. "Online services can't secretly follow a child around the Web and target the child with advertising" based on the youngster's profile.
Nineteen public health, consumer and digital rights groups endorsed the new rules, telling the FTC they are "necessary to protect children and assist parents in light of the growing use of computers, mobile phones, and tablets, the increasing amount of data that is collected through these devices."
Endorsing groups include the American Academy of Child and Adolescent Psychiatry, the Consumers Union and the Center for Science in the Public Interest.
The rules also apply to mobile apps and "plug-ins" similar to the Facebook "like" button used on millions of websites, but with limitations.
Third-party plug-ins will be responsible only where they have "actual knowledge that they are collecting personal information from users of a child-directed site," according to the FTC.
Although the new rules are aimed at protecting children on social media, the biggest social network, Facebook, is mostly unaffected because its policies don't allow children under 13 to join.
Chester said this remains a concern because of Facebook's "sophisticated data tracking" for marketing.
"We don't think COPPA (the new rules) will be enough to protect children from the onslaught of the Facebook business model," he said.
Implementation could lead to some confusion because strict limits apply only when websites are "directed" at children. Some critics claim this could stifle some websites by forcing them to demand age verification.
The Application Developers Alliance, which represents some 20,000 app makers, had asked for a delay in the rules, saying the changes "are so significant and the penalties so severe that, absent delay, many developers and publishers will simply stop publishing, placing their entire business at risk."
Daniel Castro at the Information Technology and Innovation Foundation meanwhile said the new rules are "misguided" and could prevent websites and developers from developing child-friendly services.
"The real problem is that we'll see sites and apps that will either ignore the rule and ignore the age of the user, or if they are directed at children, they will significantly reduce the features. Or they will move to paid models," Castro said.
He added the rules "set a default so high on privacy and so low on functionality that it is crippling the space for children. It locks the child online space into something that is not very usable."
Some say the rules may have little impact because children are often more tech-savvy than their parents and find ways to circumvent controls.
"It's incredibly easy for kids" to get around age verification, said Stanley Holditch, online safety expert at McAfee, which recently released a study showing that 85 percent of US children between 10 and 12 used Facebook.
The study found one in four in that age group said they had cleared their browser history or used private browsing to avoid detection, and 10 percent said they had configured privacy settings to hide content from their parents.
Holditch said it would be "difficult if not impossible for these (social media) companies to comply with these rules" without a draconian system with biometric identifiers or a national database. And he said even companies like Facebook don't have enough personnel to verify the millions of underage children using the site.
To stop geolocation tracking for young children, he said, "they would have to turn off geolocation for everyone," he said.
"There are very real perils out there," Holditch said. "Kids are giving away info without thinking about it. So it is our role as adults is to teach children the perils of the world."
Explore further: Expanding the breadth and impact of cybersecurity and privacy research