Even worse, must your business comply with this law, even if your marketing doesn't target children? Although few would consider this goal controversial, consider the firestorm that has resulted since the law went into effect on April 21. For example, many websites have spent tens and even hundreds of thousands of dollars to set up toll free numbers to get parents' permission for kids to use the site, according to published reports. Others, like Yahoo!, require parents to provide a valid credit card before kids can surf.

Some sites have even shut down entirely, or blocked out kids under 13, rather than spend what they feel COPPA requires. "I am sorry to say, dear friends, that I have had to suspend all mailing list operations as a result of a new online privacy act," announced the website for the popular Thomas the Tank Engine books and television show.

Less dramatically, parents of web savvy kids have been flooded with email demanding that they complete lengthy registration forms in person, by fax or snail mail. COPPA requires such "verifiable parental consent" before a site can collect kids' personal information, such as an email address for a newsletter, or a chat room profile.

COPPA has a simple purpose: parents should approve what kids under 13 can disclose online - before they give that information. Getting a credit card is just one method to be sure that the parent - and not the child - provides the consent.

COPPA also demands that sites post a privacy policy, explaining how any information a child provides will be used. Will it be sold to marketers? Or will it just let kids use features at the site like email, or cookies that will remember user preferences? Although privacy advocates and web trade groups alike have recommended such a policy, voluntarily, after COPPA your site must have one by law.

Despite the FTC's efforts to make it easy for firms and parents to follow the law (see http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm for the FTC''s "how- to" compliance guide), news reports from COPPA's first months suggest that firms have overreacted. But extreme positions may not be surprising because of the ambiguities in the law.

For example, how can a site know if it must comply? Certainly, sites "directed" to children must follow the rules. But the law defines "directed" broadly, so that "general audience" sites may be covered. Even pictures of children on a retailer's site could make it "directed" to children. In addition, any webmasters who "actually know" that children under 13 use the site must follow COPPA's rules, whether the site is intended for children or not. The FTC may presume such knowledge from messages on a website or email questions from children.

COPPA's critics have already questioned whether all this bureaucracy will actually protect children. Everyone knows kids raised on computers who could easily impersonate their parents to appear to give "consent". Many can probably do it online more easily than their parents themselves.

Even worse, COPPA could just encourage children to lie about their age, to get around a burdensome law. As one COPPA critic noted when the law went into effect, "Many children are going to magically have their thirteenth birthdays today."

Will online privacy just become another law we all wink at, like getting cheaper out-of-state auto insurance, or buying in another state to avoid sales taxes? Are 15 year olds - who are more likely to give personal information online to get free gifts, according to a recent Annenberg school study - worthy of less protection?

For all the criticism, COPPA is the law. Under the FTC's broad definitions, almost any business website may have to satisfy COPPA's strict consent and privacy policy requirements. In fact, many sites even compete for consumers by promising more privacy protection than is required, whether by COPPA, the FTC's new privacy rules for financial services firms, or voluntary industry guidelines.

In today's privacy-conscious environment, what business can afford to be accused of a website that doesn't safeguard its customers' privacy?