Study: Data privacy policies fall short

More Web sites are posting privacy policies, but most of the notices are inadequate, according to a study released today.

Professor Mary Culnan of Georgetown University's McDonough School of Business conducted two separate sweeps in March to determine whether sites are answering the Clinton administration's call for voluntary action to protect Net users' privacy.

Culnan's Georgetown Internet Privacy Policy Survey examined 364 ".com" sites that were randomly selected from the 7,500 most-visited Web sites.

Ninety-three percent of the 364 sites did collect personally identifiable information, which could include names, phone numbers, and home and email addresses as well as financial or demographic data. Although 65.7 percent of the sites have privacy policies or give notice that personal information has been securely transmitted, only 9.5 percent of the sites had an "adequate" privacy policy, the study found.

With the explosion in popularity the Web has enjoyed, advocates and lawmakers alike have been grappling over how to give online users rights to shield their personal data and recourse if a site violates their privacy. Compounding the problem is a strict European Union privacy law that clashes with U.S. endorsement of industry self-regulation and threatens to cut off data flow between EU members and the United States.

"I think 65 percent is a good number, but it's not the end. We want to get to 99.9 percent," said former Federal Trade Commission and Online Privacy Alliance spokeswoman Christine Varney.

Privacy advocates are more alarmed that more than 90 percent of the posted policies are not up to par.

"That number is the critical one," said Deirdre Mulligan, a staff attorney at the Center for Democracy and Technology. "Notice is kind of the first step. It doesn't even begin to answer the questions of, 'Do consumers have control over their data? Are there enforceable policies in place? Do consumers have real recourse?'"

Based on fair information guidelines drafted by the FTC, adequate policies must: give consumers notice before collecting data; let visitors opt out of giving up information; give people access to personal information so they can make corrections or delete it; assure that the data is secured; and get consumers' consent before sharing or using data for unintended purposes.

On the other hand, Culnan's criteria were slightly different. For example, she reviewed whether sites listed contact information for potential complaints or contained some information about how consumers could correct inaccurate information but didn't check to see whether sites got consent before sharing data. Her results also didn't specifically identify sites that failed to meet her guidelines.

"It was an incredibly low bar that wasn't even passed," said Jason Catlett, founder of the privacy tools clearinghouse Junkbusters.

"A very large fraction of companies still aren't taking token steps toward protecting privacy," Catlett added. "And posting a privacy policy doesn't mean your privacy is protected."

The Georgetown study was funded by contributions between $1,000 and $5,000 from America Online, American Express, eBay, IBM, the Direct Marketing Association, Time Warner, BBBOnline, Truste, Microsoft, Media Metrix, the Online Privacy Alliance, and other companies.

The FTC conducted its own privacy survey last year, but the studies were not conducted the same way, so comparisons can't easily be made to the Georgetown results.

"This study is limited to places where the most people go on the Net. There was no way of knowing if our sites overlapped with the FTC's sample," Culnan said today.

The FTC reviewed 1,400 sites in March 1998 and found that just 14 percent informed visitors of their data collection practices.

"Online firms deserve considerable credit for making progress over the last year. There is a remarkable increase in the number of Web sites posting information about their privacy practices," FTC chairman Robert Pitofsky said in a statement today.

Added FTC commissioner Mozelle Thompson in a statement: "I am concerned that the study indicates less than ten percent of the surveyed sites contain all the policy elements that would satisfy the privacy policy principles long discussed by industry and the FTC. Accordingly, industry still has a way to go to ensure that consumer privacy is not just about quantity of sites, but also about quality of consumer protection."

The second study was of the Top 100 Web sites by reach, based on figures from Media Metrix. That study was funded by the Online Privacy Alliance, a consortium of companies that is pushing voluntary practices in lieu of laws to protect Net users' personal data.

The results were much better among the Top 100 sites: 94 percent posted a privacy policy, up from 71 percent last year, based on a similar study conducted by the FTC. Most of the Top 100 sites also are members of the Online Privacy Alliance and have pledged to post policies and be audited for compliance by seal programs such as Truste and BBBOnline.

Varney said she will be sending a letter to sites--even those that aren't members of the Online Privacy Alliance--to encourage them to post better policies that reflect fair information collection practices.

"When you're an [Online Privacy Alliance] member site, what we require is that everybody have privacy policies that are easy to find, read, and use. Most consumers are fairly clued in, and if they care about the information they are about to provide to a vendor, they will look," she added.