Last March the Federal Trade Commission reviewed 1,400 Web sites and found that just 14 percent informed visitors of their information-collection practices. Only 28 sites posted a "comprehensive" privacy statement.
In a report to Congress that followed, the agency called for a law to protect young surfers' personal data. The Children's Online Privacy Protection Act subsequently was passed.
Still, FTC chairman Robert Pitofsky testified before the House telecommunications subcommittee that if more Net sites didn't clean up their act--disclosing what data they collect and whom they share it with--he would recommend a comprehensive privacy bill that applied to people of all ages. Before Pitofsky takes the plunge, however, he wants one more industry check-up.
"In July the chairman was up on the Hill saying that, by the end of 1998, if there wasn't progress, that he would recommend legislation," FTC spokeswoman Victoria Streitfeld said today. "He and the commission feel that there needs to be another benchmark before he carried forth on his legislation. He'd rather have industry regulate this than government."
The FTC's follow-up sweep is scheduled to take place next month, and will be conducted by Professor Mary Culnan of Georgetown University's McDonough School of Business. A team of MBA candidates will surf 300 Net sites--half will be the Web's most popular locations and the other 150 will be randomly selected using a traditional survey process.
"We're going to get a sense of trends since last year," Culnan said. "We're looking for both privacy policies, comprehensive lists of the site's information practices that can be found in a single place, and privacy statements placed throughout a site where information is collected."
Although the FTC has not yet implemented the Children's Online Privacy Protection Act, its latest study will not address sites targeted at minors age 12 and under.
A broad consortium of more than 70 Net companies with privacy policies tried to light a fire under stragglers today. Ever since the FTC issue its report last year, the Online Privacy Alliance (OPA) has been working to get wider adoption of standards outlined in its self-regulatory guidelines.
The OPA represents significant online players, but the group's membership is only a drop in the bucket given the seemingly infinite number of sites on the Web. And there are still gaps when it comes to enforcement of the alliance's voluntary principles.
For example, the Better Business Bureau Online's privacy protection program, which is seen as a critical OPA enforcement mechanism, won't launch until March. Once its program is in place, BBBOnline will hand out a privacy "seal" to sites that meet its scrutiny, and will revoke the seal if a site violates its data collection and privacy standards.
Despite industry efforts, the government still could pass legislation to protect online users' data.
"For such programs to be meaningful, an effective enforcement mechanism is crucial," Pitofsky told the House subcommittee. "Moreover, it will be difficult for self-regulatory programs to govern all or even most commercial Web sites."
The new survey results have to be better, Pitofsky said at a Washington luncheon of media and advertising executives last week. "If [the results] are disappointing, I think Congress is going to act on that."
U.S. Web operators are being pressured internationally as well.
The most critical issue is settling a conflict over the European Union's strict privacy directive, which went into effect in October and is expected to be adopted by all 15 members of the union. The EU law will give citizens new control over their computerized personal data, and will prevent firms from exchanging the information with countries that do not provide "adequate" protection, such as letting people "opt out" and making clear who else will have access to the data.