Dressed up like digital candy stores, Web sites have enticed children to reveal private details about themselves and their families, such as whether mom and dad play the stock market, the Federal Trade Commission said today.
As first reported by CNET NEWS.COM Tuesday, the FTC's report reprimands the online industry--especially child-oriented sites--for gathering sensitive identification, financial, and medical data from consumers, then failing to disclose how the information will be used or whether it will be shared with others.
Of 1,400 sites examined by the agency in March, just 14 percent informed visitors of their information-collection practices. Only 28 sites posted a "comprehensive" privacy statement, the agency said.
With children's sites the results were more startling, the FTC report states.
More coverage on CNET Radio
A meager 7 percent promised to notify parents of data collection practices, with fewer than 10 percent of the sites giving parents control over the harnessing and use of their children's data.
As a result, the FTC is setting a precedent by calling for regulation of the Net, a step it has been reluctant to take until now, and a step the industry still is hoping to avoid.
The FTC indicated after workshops last summer that children's sites would likely be the center of a regulatory crackdown. Today, FTC chairman Robert Pitofsky said that children are not "miniature adults" and are not "fair game" when it comes to marketing.
"We recognize there has been some [industry] movement since March and I'm sure the numbers are a little better today," Pitofsky said today. "Regrettably, those companies are the exception rather than the rule."
The agency is recommending that Congress pass a new law that Web sites and database companies must get parental permission before collecting personal information from children under 12. For teenagers, sites should have to at least inform parents they are collecting information and give them the chance to refuse participation, the agency recommends.
"The commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children," the report states.
FTC staff reviewed numerous sites that collected children's names, postal and email addresses, gender, and age. For example, one site asked young visitors whether they had ever received stocks, bonds, and cash, and who had given them the gifts. Visitors also were asked if their parents had any investments. The contest-related site then posted winners' full names and addresses on the site, but didn't get parental permission to reveal a child's physical location and profile to the online world.
Pitofsky called the findings "disappointing" and noted that "we were not hard graders."
Groups such as the Center for Media Education decried Web sites' tactics in 1996. A CME report showed that sites used colorful and interactive games, contests, and free merchandise to entice children to forfeit personal information.
The commission has been studying online privacy for three years, and the Commerce Department is set to examine industry practices on July 23 and 24. Commerce also will release a white paper about online privacy tomorrow, dubbed "The Elements of Effective Self-Regulation."
These probes also have been fueled by the Clinton administration's call for a July plan to better ensure consumer privacy, a critical key to bolstering electronic commerce.
In an 11th-hour attempt to stave off legislation yesterday, trade groups representing more than 11,000 companies asked President Clinton to keep supporting voluntary guidelines--not laws--to shield digital privacy. The nine-point privacy protection plan includes the creation of consumer recourse mechanisms, and the firms promised to be in compliance by July 1, 1999.
The Direct Marketing Association (DMA) also released a study Monday that touts a better Net privacy track record than the FTC's survey. The DMA concluded that 70 percent of the top 100 children's sites have posted policies regarding their information-gathering practices.
"The DMA does not support legislation with regard to children online because what parents really want is support in the form of education and tools, not government intervention, to help them control their children's experiences online," Patricia Faley, the DMA's vice president of ethics and consumer affairs, said in a statement.
"The Direct Marketing Association will continue its business education efforts to ensure that all DMA members, and indeed all marketers, do the right thing and post privacy policies now," she added.
Still, the FTC's report flies in the face of White House hopes of solely relying on industry self-regulation to safeguard privacy.
For instance, a majority of the 404 health, retail, and financial Web sites surveyed collected sensitive information. Yet just between 13 percent and 16 percent of the sites disclosed what would be done with the data.
"The commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold," the agency states.
"In light of the commission's findings and significant concerns regarding privacy online, it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles," the FTC added. "The commission is currently considering such incentives and possible courses of action to adequately protect the privacy of online consumers generally?and will make recommendations on this subject this summer."
The agency's report states that the best information-collection policies must include: notice of practices; a choice to opt out; getting consent to share the data with third parties; access for users to their data to make changes; security for the integrity of the data; and some sort of redress for consumers if the policy is violated.
The FTC's findings were of little surprise to online privacy advocates, who have repeatedly expressed their concerns over information vulnerability. Last June, the Electronic Privacy Information Center (EPIC) released a report outlining many of these issues in conjunction with the FTC workshops.
After reviewing the top 100 Web sites, EPIC found that 49 percent of the sites collected personal information through online registration, mailing lists, surveys, or profiles. However, only 17 sites had posted easily accessible policies explaining how the collected data would be used.
"The Internet is the only electronic medium that doesn't have privacy protections," said Dave Banisar, an attorney for EPIC. "Your phone and cable TV records can't be disclosed and neither can your video rental records. In all of those cases, Congress recognized that additional information was being collected because of new technology and stepped in to deal with the privacy problems."
EPIC and the Center for Democracy and Technology have proposed setting up a new federal privacy agency to oversee corporate and government data collection practices.
"We think it is time for the FTC to start taking action--pertaining to both adults' and children's information," Ari Schwartz, policy analyst for the CDT, said today.
"What the report shows in regards to [adults'] medical and financial information is just as striking as what they've found with children," he said. "If they don't think they have the authority then they should ask Congress for it."
In a preliminary report to Congress last December, the FTC endorsed industry self-regulation to protect consumer privacy online. But in its report today the agency didn't find the critical mass needed to rely on self-regulation.
Although the FTC set guidelines last July for the collection of data from children--which it said could be considered unfair or deceptive business practice--agency staff didn't recommend enforcement at the time. Since then, the tide has turned.
Following highly publicized privacy breaches by online giants such as AOL, the security of personally identifiable data has rapidly become a hot international issue.
Consumers have expressed fears about sending credit card numbers, their names, Social Security numbers, medical files, and other demographic data over computer networks. Many also are worried about identity theft and other scams, as well as erroneous information appearing in their digital profiles.
Subsequently, the Clinton administration has raised online privacy high on its Internet agenda. Although the White House prefers that regulators keep their hands off the Net, Clinton's senior adviser on high-tech issues, Ira Magaziner, said in April that companies were falling short with the deadline looming for the July 1 report to the president about online privacy.
Federal officials also are scrambling to head off conflicts with the European Union's strict electronic privacy protection law, which goes into effect in October.
For the most part, the industry has used the lull in regulation to get organized and draft plans like the one released yesterday. Companies argue that even in the past two months--since the FTC did its survey--an increasing number of sites have posted privacy policies and promised not to improperly use personally identifiable information.
The database company Lexis-Nexis, for example, is preparing by month's end to let consumers see and make changes to their digital profiles. Two years ago, Lexis-Nexis was held up as the poster child for bad privacy practices when its P-Trak service briefly allowed customers to obtain sensitive information about others, such as Social Security numbers.
The information technology industry won't stop there. Former FTC commissioner Christine Varney is working with a slew of companies such as AOL and Netscape Communications to come up with more programs and private-sector enforcement mechanisms to secure Net users' information.
"A lot of the really big companies are there," Varney said today. "We need to get the vast middle of the group to have privacy policies, put them up, and adhere to them. The question is can we get it done in the remaining weeks and months before the government decides it needs to take some [regulatory] action."
Many in the industry have questioned who would enforce an online privacy law and whether it is feasible for companies to get parental permission before collecting data from children. The FTC has the expertise in consumer protection to oversee enforcement, perhaps making it more effective than new legislation, Varney said.
"Still, the devils are in the details, which is why people are skeptical about Congress's ability to do this," she added.
"Today's report, however, makes it clear that the industry, as a whole, still has a long way to go," George Vradenburg, senior vice president of AOL, said in a statement. "We hope that Web sites will use this report as a catalyst to post privacy policies, give consumers the tools they need to make informed privacy choices, and stop the collection of personal information about children without parental consent."
Others agreed that FTC's report is a call for immediate action. "The FTC report is the real wake-up call for American industry," said Brian O'Shaughnessy, director of public policy for the Interactive Services Association.
"The path for consumer protection is going to be through industry self-governance backed by regulatory initiatives where there are holes; for instance, on the issue of children," he added. "It is now an accelerated period of action and implementation on consumer privacy for the Internet industry, but I don't think time is running out for us."