Federal regulators are about to take the biggest steps in more than a decade to protect children online.

The moves come at a time when major corporations, app developers and data miners appear to be collecting information about the online activities of millions of young Internet users without their parents’ awareness, children’s advocates say. Some sites and apps have also collected details like the photographs or codes on mobile devices; the concern is that the information could be used to identify or locate individual children.

These data-gathering practices are currently legal. But the development has so alarmed officials at the Federal Trade Commission that the agency is moving to overhaul rules that many experts say have not kept pace with the explosive growth of the Web and innovations like apps. New rules are expected within weeks.

"Today, almost every child has a computer in his pocket and it’s that much harder for parents to monitor what their kids are doing online, who they are interacting with, and what information they are sharing," says Mary K. Engle, associate director of the advertising practices division at the FTC. "The concern is that a lot of this may be going on without anybody’s knowledge."

But many marketers argue that the FTC’s proposed changes seem so extensive and onerous that they could cause companies to reduce their offerings for children — or abandon developing new child-centric sites or apps altogether.

"Do we need a broad, wholesale change of the law?" says Mike Zaneis, the general counsel for the Interactive Advertising Bureau, an industry association. "The answer is no. It is working very well."

The current federal rule, the Children’s Online Privacy Protection Act of 1998, requires operators of websites to obtain parental consent before they collect personal information like phone numbers or physical addresses from children under 13. But rapid advances in technology have overtaken the rules, privacy advocates say.

Today, many brand-name companies and analytics firms collect, collate and analyze information about a wide range of consumer activities and traits. Some of those techniques could put children at risk, advocates say.

Under the FTC’s proposals, some current online practices, like getting children under 13 to submit photos of themselves, would require parental consent.

Children who visit McDonald’s HappyMeal.com, for instance, can "get in the picture with Ronald McDonald" by uploading photos of themselves and combining them with images of the clown. Children may also "star in a music video" on HappyMeal.com by uploading photos or webcam images and having the site graft their faces onto dancing cartoon bodies.

But according to children’s advocates, McDonald’s stored these images in directories that were publicly available. Anyone with an Internet connection could check out hundreds of photos of young children, a few of whom were pictured in pajamas in their bedrooms, advocates said.

In a related complaint to the FTC last month, a coalition of advocacy groups accused McDonald’s and four other corporations of violating the 1998 law by collecting email addresses without parental consent. HappyMeal.com, the complaint noted, invites children to share their creations on the site by providing the first names and email addresses of their friends.

"When we tell parents about this they are appalled, because basically what it’s doing is going around the parents’ back and taking advantage of kids’ naivete," says Jennifer Harris, the director of marketing initiatives at the Yale Rudd Center for Food Policy and Obesity, a member of the coalition that filed the complaint. "It’s a very unfair and deceptive practice that we don’t think companies should be allowed to do."

Danya Proud, a spokeswoman for McDonald’s, said in an email that the company placed a "high importance" on protecting privacy, including children’s online privacy. She said that McDonald’s had blocked public access to several directories on the site.

Last year, the FTC filed a complaint against W3 Innovations, a developer of popular iPhone and iPod Touch apps like Emily’s Dress Up, which invited children to design outfits and email their comments to a blog. The agency said that the apps violated the children’s privacy rule by collecting the email addresses of tens of thousands of children without their parents’ permission and encouraging those children to post personal information publicly. The company later settled the case, agreeing to pay a penalty of $50,000 and delete personal data it had collected about children.

It is often difficult to know what kind of data is being collected and shared. Industry trade groups say marketers do not knowingly track young children for advertising purposes. But a study last year of 54 websites popular with children, including Disney.go.com, and Nick.com, found that many of the sites used tracking technologies extensively.

"I was surprised to find that pretty much all of the same technologies used to track adults are being used on kids’ websites," said Richard M. Smith, an Internet security expert in Boston who conducted the study at the request of the Center for Digital Democracy, an advocacy group.

Using a software program called Ghostery, which detects and identifies tracking entities on websites, a reporter recently identified seven trackers on Nick.com — including Quantcast, an analytics company that, according to its own marketing material, helps websites "segment out specific audiences you want to sell" to advertisers. Ghostery found 13 trackers on a Disney game page for kids, including AudienceScience, an analytics company that, according to that company’s site, "pioneered the concept of targeting and audience-based marketing."

David Bittler, a spokesman for Nickelodeon, which runs Nick.com, says Viacom, the parent company, does not show targeted ads on Nick.com or other company sites for children under 13. But the sites and their analytics partners may collect data anonymously about users for purposes like improving content. Zenia Mucha, a spokeswoman for Disney, said the company does not show targeted ads on children’s sites and requires its ad partners to do the same.

Another popular children’s site, Webkinz, says openly that its advertising partners may aim at visitors with ads based on the collection of "anonymous data." In its privacy policy, Webkinz describes the practice as "online advanced targeting."

If the FTC carries out its proposed changes, websites and third-party companies would be required to obtain parents’ permission before tracking children around the Web for advertising purposes, even with anonymous customer codes.Some parents say they are trying to teach their children basic online self-defense.

"We don’t give out birth dates to get the free stuff," said Patricia Tay-Weiss, a mother of two young children in Venice, Calif., who runs foreign language classes for elementary school students. "We are teaching our kids to ask ‘What is the company getting from you and what are they going to do with that information?"’

© 2012 The New York Times Company