- A medical clinic's online
doctor-referral service invites consumers to submit their
name, postal address, e-mail address, insurance company,
any comments concerning their medical problems, and to
indicate whether they wish to receive information on any
of a number of topics, including urinary incontinence,
hypertension, cholesterol, prostate cancer, and diabetes.
The online application for the clinic's health education
membership program asks consumers to submit their name,
address, telephone number, date of birth, marital status,
gender, insurance company, and the date and location of
their last hospitalization. The clinic's Web site says
nothing about how the information consumers provide will
be used or whether it will be made available to third
parties.
- An automobile dealership's
Web site offers help to consumers in rebuilding their
credit ratings. To take advantage of this offer,
consumers are urged to provide their name, address,
Social Security number, and telephone number through the
Web site's online information form. The Web site says
nothing about how the information provided will be used
or whether it will be made available to third parties.
- A mortgage company operates
an online prequalification service for home loans. The
online application form requires that each potential
borrower provide his or her name, Social Security number,
home and business telephone numbers, e-mail address,
previous address, type of loan sought, current and former
employer's name and address, length of employment,
income, sources of funds to be applied toward closing,
and approximate total in savings. The online form also
requires the borrower to provide information about his or
her credit history, including credit card, car loans,
child support and other indebtedness, and to state
whether he or she has ever filed for bankruptcy. The
application form requires the borrower to agree that the
mortgage company may disclose his or her "credit
experiences" to third parties, but the Web site says
nothing else about how the mortgage company might use all
of the information provided or whether that information
will be made available to third parties.
- A child-directed site
collects personal information, such as a child's full
name, postal address, e-mail address, gender, and age.
The Web site also asks a child extensive personal finance
questions, such as whether a child has received gifts in
the form of stocks, cash, savings bonds, mutual funds, or
certificates of deposit; who has given a child these
gifts; whether a child puts monetary gifts into mutual
funds, stocks or bonds; and whether a child's parents own
mutual funds. Elsewhere on the Web site, contest winners'
full names, age, city, state, and zip code are posted.
The Web site does not tell children to ask their parents
for permission before providing personal information and
does not appear to take any steps to involve parents.
Further, the Web site says nothing about whether the
information is disclosed to third parties.
- Another child-directed site
collects personal information to register for a chat
room, including a child's full name, e-mail address,
city, state, gender, age, and hobbies. The Web site has a
lotto contest that asks for a child's full name and e-mail
address. Lotto contest winners' full names are posted on
the site. For children who wish to find an electronic pen
pal, the site offers a bulletin board service that posts
messages, including children's e-mail addresses. While
the Web site says it asks children to post
messages if they are looking for a pen pal, in fact,
anyone of any age can visit this bulletin board and
contact a child directly. The site also has an area where
children can submit stories online. The Web site posts
the stories along with children's full names, ages, and e-mail
addresses. The Web site does not tell children to ask
their parents for permission before providing personal
information and does not say that it takes steps to
involve parents. The Web site says nothing about whether
the information is disclosed to third parties.
* * *
The practices of
these Web sites demonstrate the real need for implementing the
basic fair information practices described in this report. The
World Wide Web provides a host of opportunities for businesses to
gather a vast array of personal information from and about
consumers, including children. The online environment and the
advent of the computer age also provide unprecedented
opportunities for the compilation, analysis, and dissemination of
such information. While American businesses have always collected
some information from consumers in order to facilitate
transactions, the Internet allows for the efficient, inexpensive
collection of a vast amount of information. It is the prevalence,
ease, and relative low cost of such information collection that
distinguishes the online environment from more traditional means
of commerce and information collection and thus raises consumer
concerns.

The federal government currently
has limited authority over the collection and dissemination of
personal data collected online.(160) The Federal Trade Commission Act (the "FTC Act"
or "Act")(161) prohibits unfair and deceptive practices in and
affecting commerce. The Act authorizes the Commission to seek
injunctive and other equitable relief, including redress, for
violations of the Act, and provides a basis for government
enforcement of certain fair information practices. For instance,
failure to comply with stated information practices may
constitute a deceptive practice in certain circumstances, and the
Commission would have authority to pursue the remedies available
under the Act for such violations. Furthermore, in certain
circumstances, information practices may be inherently deceptive
or unfair, regardless of whether the entity has publicly adopted
any fair information practice policies. As discussed above,
Commission staff has issued an opinion letter addressing the
possible unfairness inherent in collecting certain personal
identifying information from children online and transferring it
to third parties without obtaining prior parental
consent.(162) However, as a general matter, the Commission lacks
authority to require firms to adopt information practice policies.

The Commission has encouraged
industry to address consumer concerns regarding online privacy
through self-regulation. The Internet is a rapidly changing
marketplace. Effective self-regulation remains desirable because
it allows firms to respond quickly to technological changes and
employ new technologies to protect consumer privacy. Accordingly,
a private-sector response to consumer concerns that incorporates
widely-accepted fair information practices and provides for
effective enforcement mechanisms could afford consumers adequate
privacy protection. To date, however, the Commission has not seen
an effective self-regulatory system emerge.

As evidenced by the Commission's
survey results, and despite the Commission's three-year privacy
initiative supporting a self-regulatory response to consumers'
privacy concerns, the vast majority of online businesses have yet
to adopt even the most fundamental fair information practice (notice/awareness).
Moreover, the trade association guidelines submitted to the
Commission do not reflect industry acceptance of the basic fair
information practice principles. In addition, the guidelines,
with limited exception, contain none of the enforcement
mechanisms needed for an effective self-regulatory regime. In
light of the lack of notice regarding information practices on
the World Wide Web and the lack of current industry guidelines
adequate to establish an effective self-regulatory regime, the
question is what additional incentives are required in order to
encourage effective self-regulatory efforts by industry. The
Commission currently is considering this question in light of the
survey results, monitoring self-regulation efforts since the
survey was completed, and assessing the utility and effectiveness
of different courses of action. This summer, the Commission will
make recommendations on actions it deems necessary to protect
online consumers generally.

In the specific area of children's
online privacy, however, the Commission now recommends that
Congress develop legislation placing parents in control of the
online collection and use of personal information from their
children. Such legislation would set out the basic standards of
practice governing the online collection and use of information
from children. All commercial Web sites directed to children
would be required to comply with these standards.

In making this recommendation, the
Commission has drawn on its extensive experience in addressing
business practices affecting children, as well as its three-year
study of online privacy issues. The Commission has already taken
some steps, particularly the release of the staff opinion letter,
to address online information practices involving children that
may violate Section 5 of the Federal Trade Commission Act.
Moreover, the Commission has recognized a growing consensus
reflected in consumer survey evidence and some industry self-regulatory
guidelines that parental involvement is necessary in the
collection and use of information from children. Nonetheless,
Section 5 may only have application to some but not all of the
practices that raise concern about the online collection and use
of information from children. The Commission does not believe,
for example, that Section 5 necessarily authorizes it to require
parental notice and involvement across the board for all
commercial Web sites engaged in information collection from
children. Accordingly, the Commission concludes that as a matter
of policy additional steps should now be taken to ensure adequate
online privacy protections for children.

Children's privacy legislation
also would recognize that a marketer's responsibilities vary with
the age of the child from whom personal information is sought. In
a commercial context, Congress and industry self-regulatory
bodies traditionally have distinguished between children aged 12
and under, who are particularly vulnerable to overreaching by
marketers, and children over the age of 12, for whom strong, but
more flexible protections may be appropriate. In each case, the
goal of legislative requirements should be to recognize the
parents' role with respect to information collection from
children.

Accordingly, the Commission
recommends that Congress develop legislation to require
commercial Web sites that collect personal identifying
information from children 12 and under to provide actual notice
to the parent and obtain parental consent as follows:
- Where the personal
identifying information would enable someone to contact a
child offline, the company must obtain prior
parental consent, regardless of the intended use of
the information (opt-in);
- Where the personal
identifying information is publicly posted or
disclosed to third parties, the company must
obtain prior parental consent (opt-in);
- Where collection of an e-mail
address is necessary for a child's participation at a
site, such as to notify contest winners, the company must
provide notice to parents and an opportunity to
remove the e-mail address from the site's database (opt-out).

Where the personal identifying
information is collected from children over 12, the Commission
recommends that:
- Web sites must provide
parents with notice of the collection of such information
and an opportunity to remove the information from the
site's database (opt-out).(163)

The development of the online
marketplace is at a critical juncture. If growing consumer
concerns about online privacy are not addressed, electronic
commerce will not reach its full potential. To date, industry has
had only limited success in implementing fair information
practices and adopting self-regulatory regimes with respect to
the online collection, use, and dissemination of personal
information. Accordingly, the Commission now recommends
legislation to protect children online and this summer will
recommend an appropriate response to protect the privacy of all
online consumers.