Professor Mary Culnan of Georgetown University's McDonough School of Business conducted two separate sweeps in March to determine whether sites are answering the Clinton administration's call for voluntary action to protect Net users' privacy.
With the explosion in popularity the Web has enjoyed, advocates and lawmakers alike have been grappling over how to give online users rights to shield their personal data and recourse if a site violates their privacy. Compounding the problem is a strict European Union privacy law that clashes with U.S. endorsement of industry self-regulation and threatens to cut off data flow between EU members and the United States.
Privacy advocates are more alarmed that more than 90 percent of the posted policies are not up to par.
"That number is the critical one," said Deirdre Mulligan, a staff attorney at the Center for Democracy and Technology. "Notice is kind of the first step. It doesn't even begin to answer the questions of, 'Do consumers have control over their data? Are there enforceable polices in place? Do consumers have real recourse?'"
Based on fair information guidelines drafted by the FTC, adequate policies must: give consumers notice before collecting data; let visitors opt out of giving up information; give people access to personal information so they can make corrections or delete it; assure that the data is secured; and get consumers' consent before sharing or using data for unintended purposed.
On the other hand, Culnan's criteria were slightly different. For example, she reviewed whether sites listed contact information for potential complaints or contained some information about how consumers could correct inaccurate information but didn't check to see whether sites got consent before sharing data. Her results also didn't specifically identify sites that failed to meet her guidelines.
"It was an incredibly low bar that wasn't even passed," said Jason Catlett, founder of the privacy tools clearinghouse Junkbusters.
The Georgetown study was funded by contributions between $1,000 and $5,000 from America Online, American Express, eBay, IBM, the Direct Marketing Association, Time Warner, BBBOnline, Truste, Microsoft, Media Metrix, the Online Privacy Alliance, and other companies.
The FTC conducted its own privacy survey last year, but the studies were not conducted the same way, so comparisons can't easily be made to the Georgetown results.
"This study is limited to places where the most people go on the Net. There was no way of knowing if our sites overlapped with the FTC's sample," Culnan said today.
The FTC reviewed 1,400 sites in March 1998 and found that just 14 percent informed visitors of their data collection practices.
"Online firms deserve considerable credit for making progress over the last year. There is a remarkable increase in the number of Web sites posting information about their privacy practices," FTC chairman Robert Pitofsky said in a statement today.
The second study was of the Top 100 Web sites by reach, based on figures from Media Metrix. That study was funded by the Online Privacy Alliance, a consortium of companies that is pushing voluntary practices in lieu of laws to protect Net users' personal data.
Varney said she will be sending a letter to sites--even those that aren't members of the Online Privacy Alliance--to encourage them to post better policies that reflect fair information collection practices.
"When you're an [Online Privacy Alliance] member site, what we require is that everybody have privacy policies that are easy to find, read, and use. Most consumers are fairly clued in, and if they care about the information they are about to provide to a vendor, they will look," she added.