1. In July 1997 the Commission promised that it would submit this report in June 1998. Commission letter to Senator John McCain, Chairman, Committee on Commerce, Science and Transportation, United States Senate (July 31, 1997); Commission Letter to Representative Thomas Bliley, Chairman, Committee on Commerce, United States House of Representatives (July 31, 1997) (hereinafter referred to as "McCain/Bliley letters"). The text of the McCain/Bliley letters may be found on the Commission's Web site at http://www.ftc.gov/os/9707/privac97.htm .
2. The Commission's Public Workshop on Consumer Information Privacy ("1997 Workshop"), June 10-13, 1997, also explored the privacy issues raised by computerized databases that contain consumers' personal identifying information (also known as "individual reference services" or "look-up" services), as well as issues relating to unsolicited commercial e-mail. The workshop transcript may be found on the Commission's Web site at http://www.ftc.gov/bcp/privacy/wkshp97/index.html .
3. These Commission efforts have served as a foundation for dialogue among members of the information industry and online business community, government representatives, privacy and consumer advocates, and experts in interactive technology. The Commission and its staff have also issued reports describing various consumer privacy concerns in the electronic marketplace. E.g., FTC Report to Congress: Individual Reference Services, December 1997, available on the Commission's Web site at http://www.ftc.gov/bcp/privacy/wkshp97/index.html [hereinafter "FTC Report to Congress/Reference Services"]; FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure, December 1996, available at http://www.ftc.gov/reports/privacy/privacy1.htm [hereinafter "FTC Staff Report"]; FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace, May 1996, available at http://www.ftc.gov/opp/global.htm . In addition, the Commission presented testimony on the Implications of Emerging Electronic Payment Systems on Individual Privacy on September 18, 1997 before the House Subcommittee on Financial Institutions and Consumer Credit, Committee on Banking and Financial Services (available at http://www.ftc.gov/os/9709/elecpay.tes.htm ); and on Internet Privacy on March 26, 1998 before the House Subcommittee on Courts and Intellectual Property, Committee on the Judiciary (available at http://www.ftc.gov/os/9803/privacy.htm ).
4. "Cookie" technology allows a Web site's server to place information about a consumer's visits to the site on the consumer's computer in a text file that only the Web site's server can read. Using cookies a Web site assigns each consumer a unique identifier (not the actual identity of the consumer), so that the consumer may be recognized in subsequent visits to the site. On each return visit, the site can call up user-specific information, which could include the consumer's preferences or interests, as indicated by documents the consumer accessed in prior visits or items the consumer clicked on while in the site. Web sites can also collect information about consumers through hidden electronic navigational software that captures information about site visits, including Web pages visited and information downloaded, the types of browser used, and the referring Web sites' Internet addresses. Staff did not ascertain whether sites in the Commission's online survey use cookies, or other hidden electronic means, to collect personal information, but looked instead to sites' information practice disclosures to reveal such practices. See infra Section V.A and Appendix A.
5. CommerceNet and Nielsen Media Research, CommerceNet/Nielsen Media Demographic and Electronic Commerce Study, Spring '97 (March 12, 1997) (defining adults as individuals over 16 years old), available at http://www.commerce.net/work/pilot/nielsen_96/press_97.html [hereinafter CommerceNet/Nielsen Demographic Study, Spring '97]; IntelliQuest Communications, Inc., Worldwide Internet/Online Tracking Service (WWITS TM): Second Quarter 1997 Study (Sept. 4, 1997), available at http://www.intelliquest.com/about/release32.htm .
6. CommerceNet/Nielsen Demographic Study, Spring '97.
7. CommerceNet and Nielsen Media Research, CommerceNet/Nielsen Media Demographic and Electronic Commerce Study, Fall '97 (December 11, 1997), available at http://www.commerce.net/news/press/121197.html [hereafter CommerceNet/Nielsen Demographic Study, Fall '97]. See also Yankelovich Partners, 1997 Cybercitizen Report (Mar. 27, 1997) (finding that 23% of users ordered and paid for a product over the Internet, i.e., "transacted" business online), available at http://www.yankelovich.com/pr/970327.htm .
8. Jupiter Communications, 1998 Online Advertising Report (Aug. 22, 1997) (figure includes directory listings and classified advertisements), available at http://www.jup.com/digest/082297/advert.shtml .
9. Louis Harris & Associates and Dr. Alan F. Westin, Commerce, Communication, and Privacy Online, A National Survey of Computer Users (1997) (hereinafter referred to as "Westin Survey") at ix.
The Commission recognizes that the widespread availability of consumers' personal information, and the privacy concerns raised thereby, are not unique to the Internet. The Commission has focussed on online privacy for several reasons. First, interactive media make it possible to collect, store, aggregate, and disseminate personal information with speed and efficiency that are unmatched in other contexts. Second, the fact that the online marketplace is in its infancy makes it possible to address online privacy issues prospectively. Finally, and most important, consumers' concerns about their privacy are significantly heightened in the online environment.
10. Id. at 20-21.
11. Business Week/Harris Poll: Online Insecurity, Business Week, March 16, 1998, at 102.
12. Privacy & American Business Report, Vol. 4, No. 3 (1997) (reporting on Louis Harris Associates and Alan F. Westin's National Survey of Computer Users).
13. As the Commission's expertise and regulatory authority relate to commercial activities, its review of children's online privacy issues has focused on the information practices of commercial Web sites. The collection of information from and about children by non-commercial sites such as those operated by non-profit and educational entities, however, raises similar privacy concerns.
14. Interactive Consumers Research Report, Vol. 4, No. 5 at 1, 4, May 1997 (discussing results of FIND/SVP's 1997 American Internet User Survey).
15. Id. at 3. The Find/SVP's survey regarding children's online activities reports that approximately 57% of households with online children use the Internet for homework and school-related research (64% with children ages 8 to 11); 51% use it for entertainment or games (78% with children ages 8 to 11); 45% use it for surfing or browsing (60% with children ages 8 to 11); 37% use it for e-mail and chat (35% with children ages 8 to 11); and 43% use it for informal learning (59% with children ages 8 to 11).
16. Id. at 1, 2. The number of children online increased nearly five-fold from fall 1995 to spring 1997. Id. at 1.
17. One source has estimated that, in 1997, children aged 4 through 12 spent $24.4 billion themselves; and children aged 2 through 14 may have directly influenced spending by their parents in an amount as much as $188 billion. James U. McNeal, Tapping the Three Kids' Markets, American Demographics, Apr. 1998, at 38, 40.
18. According to one source, most children's Web sites are targeting children ages 8 to 11. Teens tend to visit the same sites that adults visit. Robin Raskin, What do Kids Want?, Family PC Magazine, May 1998, at 17.
19. The types of personal information include personal identifying information, such as name, e-mail address, phone number, and home address, as well as other personal information such as the child's age, gender, hobbies, interests, favorite foods, games, movies, books, and animated characters. See infra Section V. C. 1.
20. See FTC Staff Report, Appendix E.
21. The "Innocent Images" program focuses on individuals who go online to meet children for the purpose of engaging in sexual activity or who produce and/or distribute child pornography online. See 1997 Workshop, Transcript at 229 (testimony of FBI agent Linda Hooper). See also Testimony of Louis J. Freeh, Director, Federal Bureau of Investigation, before the Senate Appropriations Subcommittee for the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies, March 10, 1998, available at http://www.fbi.gov/congress/internet/sac310.htm ; and Testimony of Stephen R. Wiley, Chief, FBI Violent Crime and Major Offenders Section, before the House Subcommittee on Crime, Committee on the Judiciary, November 7, 1997, available at http://www.fbi.gov/congress/children/children.htm .
22. 1997 Workshop, Transcript at 192-93 (testimony of Charlotte Baecher of Consumers Union).
23. Id. at 36-37.
24. Id.
25. Id.
26. Id. at 156 (testimony of Alan Westin).
27. Fair information practice principles were first articulated in a comprehensive manner in the United States Department of Health, Education and Welfare's seminal 1973 report entitled Records, Computers and the Rights of Citizens (1973) [hereinafter "HEW Report"]. In the twenty-five years that have elapsed since the HEW Report, a canon of fair information practice principles has been developed by a variety of governmental and inter-governmental agencies. In addition to the HEW Report, the major reports setting forth the core fair information practice principles are: The Privacy Protection Study Commission, Personal Privacy in an Information Society (1977) [hereinafter "Privacy Protection Study"]; Organization for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) [hereinafter "OECD Guidelines"]; Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (1995) [hereinafter "IITF Report"]; U.S. Dept. of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995) [hereinafter "Commerce Report"]; The European Union Directive on the Protection of Personal Data (1995) [hereinafter "EU Directive"]; and the Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996) [hereinafter "CSA Model Code"]. Other sources relied upon herein include the FTC Staff Report and FTC Report to Congress/Reference Services.
28. Such principles can be either procedural or substantive. Procedural principles address how personal information is collected and used by governing the methods by which data collectors and data providers interact. These principles ensure that consumers have notice of, and consent to, an entity's information practices. Substantive principles, by contrast, impose substantive limitations on the collection and use of personal information, regardless of consumer consent, by requiring that only certain information be collected and that such information only be used in certain ways. Most of the principles discussed below are procedural in nature. One substantive principle widely adopted by the fair information practice codes, but not discussed below, is the collection limitation principle, which states that entities should only collect personal information necessary for a legitimate business purpose. See Privacy Protection Study at 513-15; IITF Report § II.A; CSA Model Code ¶ 4.4.
29. See, e.g., OECD Guidelines, Explanatory Memorandum ¶ 52; see also FTC Staff Report at 9.
30. While notice of a Web site's policies with respect to data integrity and security is critical to making an informed decision to reveal personal data, such notice is not a prerequisite to the implementation of security measures. The implementation of security measures lies solely in the hands of the entity collecting the information and requires no active participation from the consumer. Implementation of the principles of choice and access, by contrast, require consumer involvement and, therefore, are dependent on notice to be meaningful.
31. OECD Guidelines, Openness Principle & ¶ 12; FTC Staff Report at 9-10; EU Directive art. 10; CSA Model Code ¶ 4.8.2.
32. HEW Report at 62; Privacy Protection Study at 514; OECD Guidelines, Purpose Specification Principle & ¶ 9; IITF Report § II.B.; Commerce Report at 21; EU Directive art. 10; CSA Model Code ¶ 4.2; FTC Staff Report at 9-10. The corollary to identifying the purposes for data collection is that the data not be used for other purposes without the data subject's consent. See HEW Report at 61-62; OECD Guidelines, Use Limitation Principle & ¶ 10 and Explanatory Memorandum ¶ 55; IITF Report § II.D; EU Directive arts. 6-7; CSA Model Code ¶ 4.5.
33. EU Directive art. 10.
34. Commerce Report at 21.
35. HEW Report at 59; IITF Report § II.B; EU Directive art. 10. Several of the fair information practice codes recognize that a consumer's refusal to allow the further unrelated use of his or her personal information, beyond that which is necessary to complete the transaction at issue, should not form the basis for the denial of access to the good or service in question. See, e.g., Commerce Report at 25; CSA Model Code ¶ 4.3.3.
36. Privacy Protection Study at 514; IITF Report § II.B. As noted in endnote 30, notice of this type is not a prerequisite to insuring the confidentiality, integrity, and quality of data. However, when dealing with data considered by consumers to be particularly sensitive, information about the steps taken by the data collector is important to the consumer and may determine whether the consumer is willing to provide such data.
37. See FTC Staff Report at 9-10.
38. HEW Report at 58; CSA Model Code ¶ 4.8.2; EU Directive art. 10.
39. HEW Report at 58; EU Directive art. 10.
40. IITF Report § II.B.
41. Cf. CSA Model Code ¶ 4.8.2 (organizations should make available identity of individual accountable for organization's policies and to whom complaints can be forwarded).
42. Virtually every set of fair information practice principles includes consumer choice or consent as an essential element. HEW Report at 41, 61; OECD Guidelines, Collection Limitation Principle & ¶ 7 and Use Limitation Principle & ¶ 10; Commerce Report at 23-27; EU Directive arts. 7, 14; CSA Model Code, ¶¶ 4.3, 4.5; see also FTC Report to Congress/Reference Services at 22-23; FTC Staff Report at 10-11.
43. As noted in the FTC Staff Report, commentators have taken different views of the efficacy and wisdom of opt-in versus opt-out regimes. FTC Staff Report at 10-11; see also Commerce Report at 24-27 (proposing opt-in regimes for "sensitive information" and opt-out regimes for other information).
44. Indeed, technological innovations soon may allow consumers and collectors of information to engage in "electronic negotiation" regarding the scope of information disclosure and use. Such "negotiation" would be based on electronic matching of pre-programmed consumer preferences with Web sites' information practices. The World Wide Web Consortium ("W3C") is currently in the final stages of developing its Platform for Privacy Preferences Project ("P3P"), which will allow implementation of such technology. Consumers may have access to P3P by early 1999. For general information on P3P, see the W3C's Web site ( http://www.w3.org/P3P ).
45. A system requiring consumers to specify privacy preferences before visiting any Web sites can be built into Internet browsers. See supra note 44 (discussing technological developments). The absence of default rules, and the concomitant requirement that consumers decide how they want their personal information used, help ensure that consumers in fact exercise choice.
46. See HEW Report at 41, 59, 63; Privacy Protection Study at 508-13; OECD Guidelines, Individual Participation Principle & ¶ 13; IITF Report § III.B; EU Directive art. 12; CSA Model Code ¶ 4.9; FTC Report to Congress/Reference Services at 21-22. See also Fair Credit Reporting Act ("FCRA") §§ 609-11, 15 U.S.C. §§ 1681g-1681i (providing for consumer access to, and the right to correct inaccuracies in, consumer credit reports).
47. See HEW Report at 63; IITF Report § III.B; CSA Model Code ¶ 4.9; OECD Guidelines, Individual Participation Principle & ¶ 13 and Explanatory Memorandum ¶ 61; EU Directive art. 12; see also FTC Report to Congress/Reference Services at 21-22; FCRA § 611, 15 U.S.C. § 1681i.
48. HEW Report at 56-57; Privacy Protection Study at 521; OECD Guidelines, Data Quality Principle & ¶ 8 and Explanatory Memorandum ¶ 53; IITF Report § I.C; EU Directive art. 6; CSA Model Code ¶¶ 4.5.3, 4.6; see also FCRA §§ 605, 607(b), 15 U.S.C. §§ 1681c, 1681e(b).
49. OECD Guidelines, Security Safeguards Principle & ¶ 11 and Explanatory Memorandum ¶ 56; IITF Report §§ I.B, II.C; EU Directive art. 17; CSA Model Code ¶ 4.7; FTC Staff Report at 12. Physical security measures, such as guards, alarms, etc., may also be necessary in certain circumstances.
50. In implementing security measures, companies should be aware that security breaches directed at stored data -- i.e., information already received by the data collector -- often constitute greater threats to privacy than those breaches occurring during the transmission of sensitive data, such as credit card numbers, over the Internet. See, e.g., Linda Punch, The Real Internet Security Issue, Credit Card Management, Dec. 1997, at 65.
51. See HEW Report at 50 (calling for Code of Fair Information Practices that includes civil and criminal penalties, the availability of injunctive relief, and individual rights of action for actual, liquidated, and punitive damages); OECD Guidelines, Accountability Principle & ¶14 and Explanatory Memorandum ¶ 62 (accountability supported by legal sanctions); IITF Report § III.C ("envision[ing] various forms [of redress] including . . . informal complaint resolution, mediation, arbitration, civil litigation . . . ."); EU Directive arts. 22-23 (judicial remedy and compensation).
52. Cf. Privacy Protection Study at 33 (identifying voluntary compliance, statutorily-created rights enforceable through individual or government action, and centralized government mechanisms as means of implementing compliance).
53. The European Union ("EU") has recognized that self-regulation may in certain circumstances constitute "adequate" privacy protection for purposes of the EU Directive's ban on data transfer to countries lacking "adequate" safeguards. See EU Directive art. 25. The EU has noted, however, that non-legal rules such as industry association guidelines are relevant to the "adequacy" determination only to the extent they are complied with and that compliance levels, in turn, are directly related to the availability of sanctions and/or external verification of compliance. See European Commission, Directorate General XV, Working Document: Judging Industry Self-Regulation: When Does it Make a Meaningful Contribution to the Level of Data Protection in a Third Country? (1998) available at http://www.europa.eu.int/comm/dg15/en/media/dataprot/wp7.htm [hereinafter "Judging Industry Self-Regulation"].
54. Discussion Draft: Elements of Effective Self-Regulation for Protection of Privacy (1998) available at http://www.ecommerce.gov/staff.htm [hereinafter "Elements of Effective Self-Regulation"] (identifying consumer recourse, verification, and consequences as elements of an effective self-regulatory regime).
55. Id. Commission staff recently responded to a request from the Direct Marketing Association ("DMA") for an advisory opinion concerning whether the antitrust laws would permit it to require three things of its members: (1) to use the DMA's Mail Preference and Telephone Preference Services to honor consumers' requests to not be contacted by direct marketers; (2) to disclose to consumers how members sell or otherwise transfer personal information about those consumers to others; and (3) to honor consumers' requests that the members not sell or transfer their personal information. FTC Bureau of Competition staff advised the DMA of its conclusion that these requirements, as the DMA described them, would not harm competition or violate the FTC Act. Letter from Bureau of Competition Assistant Director to Counsel for the DMA, Sept. 9, 1997, available at http://www.ftc.gov/os/9710/dma.htm .
56. See Elements of Effective Self-Regulation.
57. FTC Report to Congress/Reference Services at 25-33. It is still too early to assess the success or efficacy of this plan, because its provisions are not mandatory on its signatories until the end of the year.
58. There may, alternatively, be a role for mechanisms to address practices affecting consumers as a group, such as industry or trade association ethics or screening committees that can resolve broader disputes.
59. See Elements of Effective Self-Regulation.
60. Several fair information practice codes suggest compensation for injuries as an important element of fair information practice. See HEW Report at 50 (calling for Code of Fair Information Practices that provides for actual, liquidated, and punitive damages); OECD Guidelines, Accountability Principle & ¶ 14 and Explanatory Memorandum ¶ 62 (accountability supported by legal sanctions); IITF Report § III.C ("envision[ing] various forms [of redress] including . . . informal complaint resolution, mediation, arbitration, civil litigation . . . ."); see also Judging Industry Self-Regulation at 5.
61. HEW Report at 50 (calling for Code of Fair Information Practices that includes civil and criminal penalties, the availability of injunctive relief, and individual rights of action for actual, liquidated, and punitive damages); OECD Guidelines, Accountability Principle & ¶ 14 and Explanatory Memorandum ¶ 62 (accountability supported by legal sanctions); IITF Report § III.C ("envision[ing] various forms [of redress] including . . . informal complaint resolution, mediation, arbitration, civil litigation . . . ."); EU Directive arts. 22-23 (judicial remedy and compensation).
62. Two sectoral privacy acts provide for the recovery of actual, liquidated, and punitive damages for violations. See Video Privacy Protection Act of 1988, 18 U.S.C. § 2710(c) (providing for award of actual damages or liquidated damages of not less than $2,500, punitive damages, attorney's fees, and equitable relief); Cable Communications Policy Act of 1984, 47 U.S.C. § 551(f) (providing for recovery of actual damages or liquidated damages of not less than $1,000, punitive damages, and attorney's fees).
63. HEW Report at 50; IITF Report § III.C (discussing regulatory enforcement and criminal prosecution as redress options); OECD Guidelines, Explanatory Memorandum ¶ 62 (referring to accountability supported by legal sanctions); EU Directive art. 24 (unspecified sanctions for violations of directive); see also CSA Model Code ¶ 4.10.3 (discussing regulatory bodies receiving complaints of violations of fair information practice).
64. IITF Report § III.C (redress should be appropriate to violation).
65. The Commission's Deception Policy Statement recognizes that children can be unfairly exploited due to their age and lack of experience. See Deception Policy Statement, appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 179 n.30 (1984), citing Ideal Toy, 64 F.T.C. 297, 310 (1964). For example, the Commission's actions regarding the marketing of pay-per-call 900 number services to children recognize children as a vulnerable group in the marketplace. See Audio Communications, Inc., 114 F.T.C. 414 (1991) (consent order); Teleline, Inc., 114 F.T.C. 399 (1991) (consent order); Phone Programs, Inc., 115 F.T.C. 977 (1992) (consent order); Fone Telecommunications, Inc., Docket No. C-3432 (June 14, 1993) (consent order). The Telephone Disclosure and Dispute Resolution Act of 1992 prohibits advertising of such services to children under the age of 12, unless the service is a bona fide educational service. 15 U.S.C. §§ 5701 et seq.
66. The Federal Educational Rights and Privacy Act of 1974 (FERPA), gives parents of minor students the right to inspect, correct, amend, and control the disclosure of information in education records. 20 U.S.C. § 1232g (1988). The Department of Health and Human Services Policy for Protection of Human Research requires parental/guardian written consent for all DHHS-funded research that involves children as subjects. 45 C.F.R. §§ 46.401-46.409 (1995). The Telephone Disclosure and Dispute Resolution Act of 1992 expressly prohibits advertising of pay-per-call (e.g., 900) services, except bona fide educational services, to children under 12.
15 U.S.C. §§ 5701 et seq. (Supp. IV 1992). The Children's Television Act of 1990, among other things, requires television stations and cable operators to limit the amount of advertising during children's television programming. 47 U.S.C. § 303a(b) (Supp. V 1994).
67. See Letter from Jodie Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, to Center for Media Education, July 15, 1997, available at http://www.ftc.gov/os/9707/cenmed.htm [hereinafter "staff opinion letter"]. Commissioner Azcuenaga did not endorse all of the analyses and conclusions in the staff opinion letter.
68. Providing notice to parents raises some implementation issues, but where the child and parent have separate e-mail addresses, notice could be provided to the parent by e-mail.
69. Mechanisms for obtaining actual or verifiable parental consent include having the parent: mail or fax a signed form downloaded from the site; provide a credit card number; or provide an electronic (digital) signature. An e-mail message submitted without a digital signature may not be adequate to assure parental consent, since a site operator has no means of knowing whether the message is from a parent or a child. This is particularly true because most children do not currently have their own e-mail addresses and instead share their parents' e-mail addresses. While electronic signatures may be the best solution in the future, they may not be widely available at this point. In the meantime, children's Web sites may need to adopt traditional consent mechanisms, such as written consent forms and credit card numbers.
70. It is safe to assume that simply posting a privacy policy at a Web site or advising the child to seek parental permission before providing information online will have little impact on children. Many children will simply ignore these statements. Many will lack the sophistication or judgment to understand a privacy notice or to refrain from providing the requested information. Many children will be unwilling to wait for parental consent, and will provide whatever information is necessary to participate in the site's activity.
71. See supra Section III.A.1.
72. 63 Fed. Reg. 10,916 (1998).
73. The following trade associations and industry groups filed guidelines and/or principles: The Bankers Roundtable, Banking Industry Technology Secretariat ("BITS"); Direct Marketing Association ("DMA"); Electronic Messaging Association ("EMA"); Independent Bankers Association of America ("IBAA"); Individual Reference Services Group ("IRSG"); Interactive Services Association ("ISA"); Magazine Publishers of America ("MPA"); National Association of Federal Credit Unions ("NAFCU"); and Smart Card Forum ("SCF"). The Council of Better Business Bureaus, Inc.'s Children's Advertising Review Unit ("CARU") and the DMA also submitted guidelines addressing marketing to children, which are discussed in Section IV.B infra.
Numerous individual companies also filed their own privacy policies. Several other organizations and individuals also filed comments in response to the notice. Those filings, which are available for review on the Commission's Web site at http://www.ftc.gov, are not analyzed herein. The Commission's purpose in soliciting trade association and industry group guidelines was to assess industry's progress towards achieving a self-regulatory regime with respect to information collection online. While the Commission encourages individual companies to adopt information practice policies for the online environment, appreciates all of the submissions it has received in response to the Notice, and commends those firms that have developed effective self-regulatory policies, such policies, as well as the comments of other interested parties, do not constitute the elements of a self-regulatory system, which was the focus of the Federal Register Notice.
74. See, e.g., NAFCU cover letter ("NAFCU does recommend that its members post privacy policies on their Web sites").
75. See ISA, Principles on Notice and Choice Procedures for Online Information Collection and Distribution by Online Operators; DMA, Marketing Online: Privacy Principles and Guidance. The DMA encourages members to provide notice of, and substantive choice with respect to, internal secondary uses of information as well (i.e., marketing back by the information collector).
76. The NAFCU submission is the only one that does not address choice.
77. See DMA, Marketing Online: Privacy Principles and Guidance; MPA submission.
78. See ISA, Principles on Notice and Choice Procedures for Online Information Collection and Distribution by Online Operators.
79. See BITS and IBAA, Privacy Principles (BITS and IBAA each submitted the banking industry's Privacy Principles independently); SCF, Consumer Privacy and Smart Cards--A Challenge and an Opportunity; IRSG, Individual Reference Services Industry Principles.
80. See generally BITS and IBAA, Privacy Principles; NAFCU, Recommended Privacy Policy; SCF, Consumer Privacy and Smart Cards--A Challenge and an Opportunity; IRSG, Individual Reference Services Industry Principles.
81. See IRSG, Individual Reference Services Industry Principles; DMA, The Committee on Ethical Business Practice Procedures for Case Handling.
82. See IRSG, Individual Reference Services Industry Principles. The IRSG Principles, which constitute one model for self-regulation, require independent annual third-party audits, the results of which are made public, and limit the sharing of information with entities that do not adhere to the Principles. The DMA has also announced that, effective July 1999, adherence to certain fair information practices (notice and opt-out) will be mandatory for all members. See DMA Ethics and Consumer Affairs Department, Case Report from the Direct Marketing Association's Committee on Ethical Business Practice (Sept.-Nov. 1997) at 4.
83. The DMA Committee on Ethical Business Practice investigates complaints against companies alleged to be violating DMA's voluntary guidelines. In cases in which a satisfactory resolution of a complaint is not reached, the name of the company and the facts of the case are made public. In addition, the Committee may refer cases to law enforcement agencies and/or to the DMA's Board of Directors for further action including censure, suspension and/or expulsion of a member. This peer review process is non-binding. DMA, The Committee on Ethical Business Practice Procedures for Case Handling.
84. Both BITS and IBAA submitted BITS's Privacy Principles Implementation Plan. The BITS plan states that establishment of a privacy mark may be necessary, calls upon banks to "apply their own internal process to assure compliance with the bank's privacy principles," and states that "[b]reaches of policy will be addressed internally on a case-by-case basis by each bank." This non-binding reference to ensuring compliance with policies is the only reference to enforcement in any of the submitted guidelines, other than the IRSG Principles and the DMA Committee on Ethical Business Practice discussed above.
85. CARU was established by the advertising community as an independent manager of the industry's self-regulatory programs in 1974. Its main activity is the review and evaluation of child-directed advertising in all media. Its Board of Directors consists of representatives from the Council of Better Business Bureaus, the American Association of Advertising Agencies, the American Advertising Federation, and the Association of National Advertisers. CARU is funded directly by members of the children's advertising industry. The DMA represents more than 3,600 member companies interested in database marketing. Its members include catalogers, financial services, publishers, book and music clubs, retail stores, industrial manufacturers, and service industries. Copies of both CARU's and DMA's guidelines are found in Appendix E.
86. The CARU Guidelines address children under age 12, while the DMA Children's Guidelines do not provide a definition for the term "children."
87. CARU Guidelines at 1, 3. The CARU Guidelines do not define "passive tracking." However, the term refers to information collected by using navigational software designed to reveal information about the visitor's experience on the site, such as the pages visited, the information downloaded, the content viewed, the operating system used, and the referring site's Internet address.
88. Id. at 4.
89. Id.
90. Id.
91. Id.
92. CARU is one of the few trade groups that implements a voluntary enforcement mechanism for both its online privacy guidelines as well as its general media guidelines. In addition to its own monitoring of advertisers, CARU initiates investigations upon receipt of a complaint from a consumer or a company. CARU then seeks the advertiser's compliance with its guidelines and publishes its case reports. If a company is uncooperative and the practices are allegedly deceptive or unfair, CARU refers the matter to the Commission. CARU's voluntary enforcement
mechanism is modeled on that of the National Advertising Division (NAD), which is also associated with the Council of Better Business Bureaus, Inc.
93. Since CARU's founding in 1974, 98% of the subjects of its investigations have complied with its decisions.
94. The CARU Guidelines apply generally to marketers of children's products and services. Since CARU is not a membership organization, however, adherence to its guidelines is not mandatory. Each of CARU's leading organizational sponsors has urged its own members to implement the CARU Guidelines, but these sponsors do not make adherence mandatory for their members.
95. The DMA Children's Guidelines suggest that marketers use language such as "Your mom or dad should say it's okay for you to answer these questions," but are not explicit with respect to when parental permission should be sought. DMA Children's Guidelines, Guideline No. 1.
96. DMA Children's Guidelines, Guideline Nos. 1-2.
97. McCain/Bliley letters. Specifically, the Commission stated that "[w]e hope to find by March 1, 1998, that a substantial majority of commercial Web sites are clearly posting their information practices and privacy policies." Id. at n.2.
98. The samples for groups A-D were drawn from a comprehensive list of commercial Web sites provided by the Dun and Bradstreet Corporation. See Appendix A.
99. The terms "likely to be of interest to consumers" and "primarily directed to children aged fifteen or younger" are defined in Appendix A.
100. For a copy of the Survey Forms used by the surfers, see Appendix C.
101. These figures are based on data supplied by The Dun & Bradstreet Corporation. Figures do not total 100%. Approximately 3% of the sites in all the samples are not classified by size, because sales figures were unavailable. For a description of the Dun & Bradstreet database used in this survey, see Appendix A.
102. See Appendix D, Table 1.
103. See Appendix D, Table 1.
104. See Appendix D, Table 1.
105. Company size information was not obtained for Web sites in this sample.
106. See supra Section II.B.
107. The rates are: 92% of the sites in the Comprehensive Sample; 88% of the Health Sample sites; 87% of the Retail Sample sites; 97% of the Financial Sample sites; and 97% of the Most Popular Sample sites. See Appendix D, Table 3, which also sets forth statistics based upon company size.
108. For purposes of this survey, the provision of a mechanism for sending e-mail to a site's Webmaster, without more, was not considered collection of an e-mail address. A site's invitation to online consumers to "Contact Us" or "Send Us Your Comments" by e-mail, however, was deemed to be collection of an e-mail address. When the collection of an e-mail address is not considered, the number of sites collecting personal information decreases slightly in all samples. Thus, 65% of all sites in the Comprehensive Sample collect some personal information other than an e-mail address; as do 53% of the sites in the Health Sample; 67% of the sites in the Retail Sample; 73% of the sites in the Financial Sample; and 94% of the sites in the Most Popular Sample. See also infra note 115. Because the survey form did not identify the manner of e-mail collection, the above statistics exclude all sites that collect only an e-mail address, including those sites that ask for it in contexts other than "Contact Us," such as on registration forms, etc.
109. For similar information with respect to the other samples, see Appendix D, Table 5.
110. See Appendix D, Table 4.
111. Id.
112. The Commission cannot report on the number of companies in the survey that create such profiles, because the survey concerns Web sites' disclosures, and not actual practices.
113. The numbers for the Health, Retail and Financial samples are as follows: sites collecting five or more additional types of information -- 12% (Health), 19% (Retail), 26% (Financial); sites collecting three or more additional types of information -- 36% (Health), 60% (Retail), 53% (Financial); sites collecting at least one additional type of information -- 57% (Health), 76% (Retail), 73% (Financial). See Appendix D, Table 6.
114. See Appendix D, Table 2.
115. See Appendix D, Table 7. The percentage of disclosures among sites that collect some personal information other than an e-mail address is slightly higher: 21% in the Comprehensive Sample; 24% in the Health Sample; 18% in the Retail Sample; 22% in the Financial Sample; and 74% in the Most Popular Sample. See also supra note 108.
116. See Appendix D, Table 8.
117. See Appendix D, Table 9.
118. See Appendix D, Table 2.
119. See Appendix D, Table 7.
120. See Appendix D, Table 8.
121. See Appendix D, Table 9. Some sites post both a Privacy Policy Notice and one or more Information Practice Statements.
122. See, e.g., Communications Daily (Untitled, February 10, 1998); Washington Telecom Newswire (Untitled, February 9, 1998); I. Teinowitz, "FTC Will Survey Marketer Web Sites for Privacy," Advertising Age (February 1998), available at http://www.adage.com/interactive/articles/19980216/article1.html .
123. See Appendix D, Table 7.
124. Given the small number of sites involved, statistics based upon company size have not been reported.
125. The rate is 33% (or 31 sites) for the Comprehensive Sample, 32% (or 6 sites) for the Health Sample, 33% (or 6 sites) for the Retail Sample, and 35% (or 7 sites) for the Financial Sample. See Appendix D, Table 10. In responding to the relevant question on the General Survey Form, staff counted both statements giving choice regarding internal uses of the personal information and statements giving choice about the transfer of the information to third parties as statements offering consumers choice about how the information collected will be used. See Appendix C.
126. The rate is 10% (or 9 sites) for the Comprehensive Sample. See Appendix D, Table 10.
127. The rate is 6% (or 1 site) for the Retail Sample and 5% (or 1 site) for the Financial Sample. See Appendix D, Table 10.
128. See Appendix D, Table 11. The rate for the Health Sample is 32% (or 6 sites) and the rate for the Retail Sample is 22% (or 4 sites). Statements such as "We keep this information confidential" were counted as assertions of non-disclosure to third parties.
129. See Appendix D, Table 11. Statements indicating that demographic or interest information may be shared with third parties were counted as assertions of possible third-party disclosures.
130. See Appendix D, Table 12. When expressed as a percentage of all sites in a given sample (and not just those sites that collect personal information and have an information practice disclosure), the percent of sites offering choice, access, or security, or addressing disclosures to third parties, is even lower. Thus, only 5% of all sites in the Comprehensive Sample, 4% of all sites in the Health and Retail Samples, and 6% of all sites in the Financial Sample state that they offer consumers choice; 1% of all sites in the Comprehensive Sample, 2% of all sites in the Retail Sample and no sites in the Health and Financial Samples state that they offer consumers access; 2% of all sites in the Comprehensive Sample, no sites in the Health Sample, and 1% of all sites in the Retail and Financial Samples state that they take data security measures; 5% of all sites in the Comprehensive Sample, 4% of all sites in the Health Sample, and 3% of all sites in the Retail and Financial Samples state that they will not disclose any personal information collected to third parties; and 5% of all sites in the Comprehensive Sample, 4% of all sites in the Health and Retail Samples, and 6% of all sites in the Financial Sample state that they may disclose some or all of the personal information collected to third parties.
131. See Appendix D, Table 10.
132. Id.
133. Id.
134. See Appendix D, Table 11.
135. Id. Again, the above figures are significantly lower when expressed as a percentage of all sites in the Most Popular Sample. Thus, 49% of all sites in the Most Popular Sample state that they offer consumers choice; 27% state that they offer consumers access; 12% state that they take data security measures; 10% state that none of the personal information collected will be disclosed to third parties; and 56% state that some or all of the personal information collected may be disclosed to third parties.
136. See Appendix D, Table 12.
137. See Appendix D, Table 3.
138. See Appendix D, Table 13.
139. As in the General Survey, a mere hyperlink to a site's Webmaster was not considered collection of an e-mail address for purposes of this survey. However, hypertext that asks visitors to "Contact Us" or "Send Us Your Comments" was included as collection of an e-mail address. See supra note 108.
140. See Appendix D, Table 5.
141. See Appendix D, Table 6.
142. For instance, in order to register for certain online activities, some sites require children to identify their interests such as rollerblading, skateboarding, ice skating, biking, video games, science, football, soccer, and computer games. Other sites ask children information about their favorite television shows, commercials, and musical groups.
143. For example, one site asks children personal financial questions such as the following:
Do you own mutual funds?
Are your parents currently saving for your college education?
What do you usually do with gifts of money?
144. See Appendix D, Table 2. The higher disclosure rate for the Children's Sample may reflect the fact that staff publicly disclosed that this sample would be selected from sites listed in the Yahooligans! Directory.
145. Id.
146. See Appendix D, Table 9.
147. See Appendix D, Table 8.
148. See Appendix D, Table 10.
149. Id.
150. Id.
151. Westin Survey at 3.
152. See Appendix D, Table 13.
153. See Appendix D, Table 11.
154. Id.
155. See Appendix D, Table 13.
156. Id.
157. Id.
158. Id. Examples of opt-out statements include: "When minors subscribe to the newsletter, they are asked for their parent's e-mail informing them [sic] their kid has subscribed to the e-mail and the parent has the option to discontinue this subscription," and "All parents can correct or remove any information we receive from a child by contacting us online, by phone or mail."
159. Westin Survey at 3.
160. Current American privacy law can best be described as sectoral, consisting of a handful of disparate statutes directed at specific industries that collect personal data and none of which specifically covers the collection of personal information online. See, e.g., Fair Credit Reporting Act ("FCRA"), 15 U.S.C. §§ 1681 et seq. (governing consumer credit reports); Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510 et seq. (governing electronic mail and voicemail communications); Cable Communications Policy Act of 1984, 47 U.S.C. § 551 (governing cable television subscriber information); Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401 et seq. (governing individual bank records); Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (governing video rental records); Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g (governing student records); Communications Act of 1934, as amended by, Telecommunications Act of 1996, 47 U.S.C. § 222 (governing information relating to use of telecommunication services ["customer proprietary network information"]); cf. Privacy Act of 1974, 5 U.S.C. § 552a (governing data collected by the federal government). Pursuant to the Supreme Court's decision in United States v. Miller, 425 U.S. 435 (1976), individuals have no Fourth Amendment interest in personal information they voluntarily have conveyed to another. Consequently, any privacy protections for personal information must be legislatively grounded.
161. 15 U.S.C. §§ 41 et seq.
162. See supra note 67.
163. Parental notice raises some implementation issues. In those instances where parents and children have separate e-mail addresses, notice may be provided to parents electronically. Where verifiable parental consent is required, sites can simply direct children to download (print) the notice and consent form and have the parent return the signed form by regular mail or facsimile.