FTC to slam Net sites on privacy
Regulators are expected to drub most of the online industry in a report to Congress for not adequately protecting consumers' privacy.
More important, sources told CNET NEWS.COM, the agency will take a firm stance on children's online privacy, asking legislators for a system to ensure that companies don't collect and sell minors' personal information without parental permission. The FTC has held summer workshops for the last three years to examine the data collection practices of Web sites and database companies.
The agency has never lobbied for new laws to shield privacy among Internet users. But the anticipated recommendations to Congress this week will be a clear call for action, according to sources within the FTC and advocates who worked closely with the agency on the report.
Despite a recent string of child-oriented privacy initiatives by online heavyweights such as America Online and Microsoft, the FTC's evaluation will come down hard on the entire industry. Concerns have arisen over companies that obtain information from children without their parents' knowledge.
The FTC's report strikes at the heart of international struggle to address online privacy, an issue directly tied to the success of electronic commerce. Consumers have expressed fears about sending credit card numbers over computer networks and are concerned about identity theft and other scams, which can be perpetrated once their unique data falls into the wrong hands.
"American industry is going to get an 'F' in terms of protecting consumer privacy," said Jeff Chester, executive director of the Center for Media Education, which has pushed for regulation in this area. "The FTC did a serious, methodically sound study, which I think indicates that privacy online is at risk. [Regulators] will recommend to Congress that more is needed to heighten children's privacy protections."
Consumer advocates who testified before the FTC last June said companies often fail to inform Net users when they obtain and sell lists that include such information as names, addresses, Social Security numbers, employment histories or buying habits.
 More coverage on CNET Radio |
In a preliminary report to Congress last December, the FTC endorsed industry self-regulation, not legislation, to protect consumer privacy online. But a critical mass is needed for self-regulation to work.
Apparently, the FTC's completed study of the issue found that private sector efforts are not broad enough.
"From everything I heard, the results are not going to be favorable," said Paola Benassi of TRUSTe, a nonprofit organization that licenses "trustmarks" that help sites to inform visitors of their privacy practices.
The FTC already has drawn guidelines for the collection of data from children. In a letter released last July, agency staff said sites must obtain parental permission before distributing private data about a child and that, before gathering the information, sites should clearly disclose to parents how it will be used.
Violation of the guidelines could be deemed an unfair and deceptive practice, prompting the FTC to investigate, the agency staff letter stated. The letter didn't recommend enforcement at the time, but that could change this week.
The commission conducted its audit of 1,400 Web sites in March in preparation for its report. The industry argues that it has become more active since then, both in terms of posting privacy policies on Web sites and in working behind the scenes to create an industry position on privacy legislation.
Critics think otherwise. The nonprofit Center for Democracy and Technology said in a statement today that it "expects that the FTC report will find that few Web sites are providing consumers with information about their use of personal information."
"Industry efforts at self-regulation have failed to provide pervasive, meaningful privacy protections," the center added in its statement. "Despite FTC staff guidance and industry guidelines, Web sites directed at children continue to collect data from children and disclose it to third parties without parental involvement. The report is likely to recommend increased government action to protect children's privacy."
Perhaps in anticipation of the FTC action, the Direct Marketing Association released a study yesterday concluding that 70 percent of the top 100 children's sites have posted policies regarding their information-gathering practices. The association said it will contact sites that didn't post a privacy statement and has made available a Privacy Policy Generator sites can use.
"This scan that we did shows that businesses are very responsive and will move in this direction," Connie Heatley, senior vice president of the marketing association said today. "A privacy law will not be enforceable. I don't believe the government could police the existing Web sites, let alone the thousands of sites that are created every day."
Children's sites also agree that the industry self-regulation and education is still the best course.
KidsCom, for example, changed its practices last year after coming under fire for blending advertisements with content and allegedly not disclosing how data collected from children would be used. Now the site prominently labels all advertising and posts a data collection policy.
Still, even KidsCom worries that regulation could be inevitable. "KidsCom made a huge effort to create [labels] the whole industry can adopt," Jorian Clarke, president of Circle 1 Network and publisher of KidsCom, said today. Nevertheless, "some of the children's Web sites have not moved as fast as we would like to adopt these practices.
"If people don't take [our advice] seriously, then there has to be a louder call for action," she added. "This FTC report may be that louder call to action."
Online privacy tops the Clinton administration's Internet agenda. The Commerce Department will hold a conference, tentatively set for June 23 to 24, to evaluate Net sites' policies and actions. President Clinton's senior adviser on Internet issues, Ira Magaziner, is holding ongoing meetings to deal with the European Union's strict electronic privacy protection law, which goes into effect in October and now conflicts with U.S. practices.
Magaziner has said that efforts are falling short with the deadline looming for the July 1 progress report to Clinton. In addition, Vice President Al Gore is pushing an electronic bill of rights to ensure privacy.
Many support the administration's push. Esther Dyson, a member of the Electronic Frontier Foundation's board and informal adviser to TRUSTe, predicted in her influential newsletter this month that the FTC and Commerce Department would not issue glowing reviews of the Net's privacy protection record. "The reports will probably contain news of inadequacies coupled with many promised remedies," she wrote.
Dyson said now is the time for industry to act, but she cautioned against regulation, which can be difficult to enforce.
"Be patient for a couple more months without relaxing the public pressure," she advised. "If you must 'do something,' focus on disclosure and rules concerning kids and medical information. You could also do something about tightening the rules for protection of personal data collected by the government--or reduce the amount collected overall."
Other privacy advocates contend that goodwill and industry auditing are no guarantee that private data will not be abused. "If it's just a bunch of digital fine print, that doesn't provide any assurance to users," said Marc Rotenberg director of the Electronic Privacy Information Center.
Reporter Tim Clark contributed to this report.