FTC report calls for Net privacy law
Regulators ask Congress for legislation to shield children's online privacy in a report on Net data collection practices.
As first reported by CNET NEWS.COM yesterday, the FTC report denounces the online industry for failing to protect consumers' privacy. Of 1,400 sites examined, just 14 percent informed visitors of their practices for gathering personally identifiable information, according to an agency study that ended in March. Only 28 of the sites posted a "comprehensive" privacy statement.
With children's sites the results were more startling, the FTC said in its report, which is scheduled for release tomorrow.
Eighty-nine percent of children's sites surveyed do collect personal details from youngsters, and more than half provide some disclosure of their practices. But only 23 percent of the sites advised children to get permission before giving up their name, address, and other unique details.
A meager 7 percent promised to notify parents of data collection practices, with fewer than 10 percent of the sites giving parents control over the harnessing and use of their children's data.
As a result, the FTC is setting a precedent by calling for regulation of the Net, a step it has been reluctant to take until now. The agency is recommending that Congress pass a new law to ensure that Web sites and database companies get parental permission before collecting and selling children's personal information.
"In the specific area of children's online privacy, however, the commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children," the executive summary states.
"Such legislation would require Web sites that collect personal identifying information from children to provide actual notice to parents and obtain parental consent," the report continues. "The timing of such notice and consent would vary depending on the age of the child and the nature and uses of information collected."
The FTC indicated after workshops last summer that children's sites would likely be the center of a regulatory crackdown.
The commission has been studying online privacy for three years, and the Commerce Department is set to examine industry practices at the end of the month. These probes are now being fueled by the Clinton administration's call for a July plan to better ensure consumer privacy, a critical key to bolstering electronic commerce.
In an 11th-hour attempt to stave off legislation today, trade groups representing 11,000 companies asked President Clinton to keep supporting voluntary guidelines--not laws--to shield digital privacy. The nine-point privacy protection plan includes the creation of consumer recourse mechanisms, and the firms promised to be in compliance by July 1, 1999.
Other efforts have emerged as well. For example, America Online and Microsoft have pledged not to collect data from preteens without their parents' permission.
The Direct Marketing Association also released a study Monday that purports a better Net privacy track record than the FTC's survey. The DMA concluded that 70 percent of the top 100 children's sites have posted policies regarding their information-gathering practices.
Still, the FTC's report flies in the face of White House hopes of solely relying on industry self-regulation to safeguard privacy.
"The commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has net yet taken hold," the agency states.
"In light of the commission's findings and significant concerns regarding privacy online, it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles," the FTC added. "The commission is currently considering such incentives and possible courses of action to adequately protect the privacy of online consumers generally?and will make recommendations on this subject this summer."
The FTC's findings were of little surprise to online privacy advocates, who have repeatedly expressed their concerns over information vulnerability. Last June, the Electronic Privacy Information Center released a report outlining many of these issues in conjunction with the FTC workshops.
After reviewing the top 100 Web sites, EPIC found that 49 percent of the sites collected personal information through online registration, mailing lists, surveys, or profiles. However, only 17 sites had posted easily accessible policies explaining how the collected data would be used.
"The Internet is the only electronic medium that doesn't have privacy protections," Dave Banisar, an attorney for EPIC, said today. "Your phone and cable TV records can't be disclosed and neither can your video rental records. In all of those cases, Congress recognized that additional information was being collected because of new technology and stepped in to deal with the privacy problems."
EPIC and the Center for Democracy and Technology (CDT) have proposed setting up a new federal privacy agency to oversee corporate and government data collection practices.
In a preliminary report to Congress last December, the FTC endorsed industry self-regulation to protect consumer privacy online. But in tomorrow's report, the agency says it did not find the critical mass needed to make self-regulation reliable.
And although the FTC set guidelines last July for the collection of data from children--which it said could be considered unfair or deceptive business practice--agency staff didn't recommend enforcement at the time. Since then, the tide has turned.
Following highly publicized privacy breaches by online giants such as America Online, the security of personally identifiable data has rapidly become a hot international issue.
Consumers have expressed fears about sending credit card numbers, their names, Social Security numbers, medical files, and other demographic data over computer networks. Many also are worried about identity theft and other scams, as well as erroneous information appearing in their digital profiles.
Subsequently, the Clinton administration has raised online privacy high on its Internet agenda. Although the White House prefers that regulators keep their hands off the Net, Clinton's senior adviser on high-tech issues, Ira Magaziner, said in April that companies were falling short with the deadline looming for the July 1 report to the president about online privacy.
Federal officials also are scrambling to head of conflicts with the European Union's strict electronic privacy protection law, which goes into effect in October.
For the most part, the industry has used the lull in regulation to get organized and draft plans like the one released today. Companies argue that even in the past two months--since the FTC did its survey--an increasing number of sites have posted privacy policies and promised not to improperly use personally identifiable information.
The database company Lexis-Nexis, for example, is preparing by month's end to let consumers see and make changes to their digital profiles. Two years ago, Lexis-Nexis was held up as the poster child for bad privacy practices when its P-TRAK service briefly allowed customers to obtain sensitive information about others, such as Social Security numbers.
The information technology industry won't stop there. A coalition led by former Federal Trade Commissioner Christine Varney that includes companies such as AOL and Netscape Communications will unveil more programs to secure Net users' private information.
Although the FTC's report is harsh, high-tech trade associations are confident they can rise to the occasion and protect privacy. "The FTC report is the real wake-up call for American industry," Brian O'Shaughnessy, director of public policy for the Interactive Services Association, said today.
"The path for consumer protection is going to be through industry self-governance backed by regulatory initiatives where there are holes; for instance, on the issue of children," he added. "It is now an accelerated period of action and implementation on consumer privacy for the Internet industry, but I don't think time is running out for us."