VI. Conclusions

• A medical clinic's online doctor-referral service invites consumers to submit their name, postal address, e-mail address, insurance company, any comments concerning their medical problems, and to indicate whether they wish to receive information on any of a number of topics, including urinary incontinence, hypertension, cholesterol, prostate cancer, and diabetes. The online application for the clinic's health education membership program asks consumers to submit their name, address, telephone number, date of birth, marital status, gender, insurance company, and the date and location of their last hospitalization. The clinic's Web site says nothing about how the information consumers provide will be used or whether it will be made available to third parties.

• An automobile dealership's Web site offers help to consumers in rebuilding their credit ratings. To take advantage of this offer, consumers are urged to provide their name, address, Social Security number, and telephone number through the Web site's online information form. The Web site says nothing about how the information provided will be used or whether it will be made available to third parties.

• A mortgage company operates an online prequalification service for home loans. The online application form requires that each potential borrower provide his or her name, Social Security number, home and business telephone numbers, e-mail address, previous address, type of loan sought, current and former employer's name and address, length of employment, income, sources of funds to be applied toward closing, and approximate total in savings. The online form also requires the borrower to provide information about his or her credit history, including credit card, car loans, child support and other indebtedness, and to state whether he or she has ever filed for bankruptcy. The application form requires the borrower to agree that the mortgage company may disclose his or her "credit experiences" to third parties, but the Web site says nothing else about how the mortgage company might use all of the information provided or whether that information will be made available to third parties.

• A child-directed site collects personal information, such as a child's full name, postal address, e-mail address, gender, and age. The Web site also asks a child extensive personal finance questions, such as whether a child has received gifts in the form of stocks, cash, savings bonds, mutual funds, or certificates of deposit; who has given a child these gifts; whether a child puts monetary gifts into mutual funds, stocks or bonds; and whether a child's parents own mutual funds. Elsewhere on the Web site, contest winners' full names, age, city, state, and zip code are posted. The Web site does not tell children to ask their parents for permission before providing personal information and does not appear to take any steps to involve parents. Further, the Web site says nothing about whether the information is disclosed to third parties.

• Another child-directed site collects personal information to register for a chat room, including a child's full name, e-mail address, city, state, gender, age, and hobbies. The Web site has a lotto contest that asks for a child's full name and e-mail address. Lotto contest winners' full names are posted on the site. For children who wish to find an electronic pen pal, the site offers a bulletin board service that posts messages, including children's e-mail addresses. While the Web site says it asks children to post messages if they are looking for a pen pal, in fact, anyone of any age can visit this bulletin board and contact a child directly. The site also has an area where children can submit stories online. The Web site posts the stories along with children's full names, ages, and e-mail addresses. The Web site does not tell children to ask their parents for permission before providing personal information and does not say that it takes steps to involve parents. The Web site says nothing about whether the information is disclosed to third parties.

* * *

The practices of these Web sites demonstrate the real need for implementing the basic fair information practices described in this report. The World Wide Web provides a host of opportunities for businesses to gather a vast array of personal information from and about consumers, including children. The online environment and the advent of the computer age also provide unprecedented opportunities for the compilation, analysis, and dissemination of such information. While American businesses have always collected some information from consumers in order to facilitate transactions, the Internet allows for the efficient, inexpensive collection of a vast amount of information. It is the prevalence, ease, and relative low cost of such information collection that distinguishes the online environment from more traditional means of commerce and information collection and thus raises consumer concerns.

The federal government currently has limited authority over the collection and dissemination of personal data collected online.⁽¹⁶⁰⁾ The Federal Trade Commission Act (the "FTC Act" or "Act")⁽¹⁶¹⁾ prohibits unfair and deceptive practices in and affecting commerce. The Act authorizes the Commission to seek injunctive and other equitable relief, including redress, for violations of the Act, and provides a basis for government enforcement of certain fair information practices. For instance, failure to comply with stated information practices may constitute a deceptive practice in certain circumstances, and the Commission would have authority to pursue the remedies available under the Act for such violations. Furthermore, in certain circumstances, information practices may be inherently deceptive or unfair, regardless of whether the entity has publicly adopted any fair information practice policies. As discussed above, Commission staff has issued an opinion letter addressing the possible unfairness inherent in collecting certain personal identifying information from children online and transferring it to third parties without obtaining prior parental consent.⁽¹⁶²⁾ However, as a general matter, the Commission lacks authority to require firms to adopt information practice policies.

The Commission has encouraged industry to address consumer concerns regarding online privacy through self-regulation. The Internet is a rapidly changing marketplace. Effective self-regulation remains desirable because it allows firms to respond quickly to technological changes and employ new technologies to protect consumer privacy. Accordingly, a private-sector response to consumer concerns that incorporates widely-accepted fair information practices and provides for effective enforcement mechanisms could afford consumers adequate privacy protection. To date, however, the Commission has not seen an effective self-regulatory system emerge.

As evidenced by the Commission's survey results, and despite the Commission's three-year privacy initiative supporting a self-regulatory response to consumers' privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practice (notice/awareness). Moreover, the trade association guidelines submitted to the Commission do not reflect industry acceptance of the basic fair information practice principles. In addition, the guidelines, with limited exception, contain none of the enforcement mechanisms needed for an effective self-regulatory regime. In light of the lack of notice regarding information practices on the World Wide Web and the lack of current industry guidelines adequate to establish an effective self-regulatory regime, the question is what additional incentives are required in order to encourage effective self-regulatory efforts by industry. The Commission currently is considering this question in light of the survey results, monitoring self-regulation efforts since the survey was completed, and assessing the utility and effectiveness of different courses of action. This summer, the Commission will make recommendations on actions it deems necessary to protect online consumers generally.

In the specific area of children's online privacy, however, the Commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children. Such legislation would set out the basic standards of practice governing the online collection and use of information from children. All commercial Web sites directed to children would be required to comply with these standards.

In making this recommendation, the Commission has drawn on its extensive experience in addressing business practices affecting children, as well as its three-year study of online privacy issues. The Commission has already taken some steps, particularly the release of the staff opinion letter, to address online information practices involving children that may violate Section 5 of the Federal Trade Commission Act. Moreover, the Commission has recognized a growing consensus reflected in consumer survey evidence and some industry self-regulatory guidelines that parental involvement is necessary in the collection and use of information from children. Nonetheless, Section 5 may only have application to some but not all of the practices that raise concern about the online collection and use of information from children. The Commission does not believe, for example, that Section 5 necessarily authorizes it to require parental notice and involvement across the board for all commercial Web sites engaged in information collection from children. Accordingly, the Commission concludes that as a matter of policy additional steps should now be taken to ensure adequate online privacy protections for children.

Children's privacy legislation also would recognize that a marketer's responsibilities vary with the age of the child from whom personal information is sought. In a commercial context, Congress and industry self-regulatory bodies traditionally have distinguished between children aged 12 and under, who are particularly vulnerable to overreaching by marketers, and children over the age of 12, for whom strong, but more flexible protections may be appropriate. In each case, the goal of legislative requirements should be to recognize the parents' role with respect to information collection from children.

Accordingly, the Commission recommends that Congress develop legislation to require commercial Web sites that collect personal identifying information from children 12 and under to provide actual notice to the parent and obtain parental consent as follows:

• Where the personal identifying information would enable someone to contact a child offline, the company must obtain prior parental consent, regardless of the intended use of the information (opt-in);
• Where the personal identifying information is publicly posted or disclosed to third parties, the company must obtain prior parental consent (opt-in);
• Where collection of an e-mail address is necessary for a child's participation at a site, such as to notify contest winners, the company must provide notice to parents and an opportunity to remove the e-mail address from the site's database (opt-out).

Where the personal identifying information is collected from children over 12, the Commission recommends that:

• Web sites must provide parents with notice of the collection of such information and an opportunity to remove the information from the site's database (opt-out).⁽¹⁶³⁾

The development of the online marketplace is at a critical juncture. If growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential. To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information. Accordingly, the Commission now recommends legislation to protect children online and this summer will recommend an appropriate response to protect the privacy of all online consumers.