Endnotes
1. In July 1997 the Commission promised that
it would submit this report in June 1998. Commission letter to
Senator John McCain, Chairman, Committee on Commerce, Science and
Transportation, United States Senate (July 31, 1997); Commission
Letter to Representative Thomas Bliley, Chairman, Committee on
Commerce, United States House of Representatives (July 31, 1997)
(hereinafter referred to as "McCain/Bliley letters").
The text of the McCain/Bliley letters may be found on the
Commission's Web site at http://www.ftc.gov/os/9707/privac97.htm.
2. The Commission's Public Workshop on
Consumer Information Privacy ("1997 Workshop"), June 10-13,
1997, also explored the privacy issues raised by computerized
databases that contain consumers' personal identifying
information (also known as "individual reference services"
or "look-up" services), as well as issues relating to
unsolicited commercial e-mail. The workshop transcript may be
found on the Commission's Web site at http://www.ftc.gov/bcp/privacy/wkshp97/index.html.
3. These Commission efforts have served as a
foundation for dialogue among members of the information industry
and online business community, government representatives,
privacy and consumer advocates, and experts in interactive
technology. The Commission and its staff have also issued reports
describing various consumer privacy concerns in the electronic
marketplace. E.g., FTC Report to Congress: Individual
Reference Services, December 1997, available on the
Commission's Web site at http://www.ftc.gov/bcp/privacy/wkshp97/index.html [hereinafter "FTC Report
to Congress/Reference Services"]; FTC Staff Report: Public
Workshop on Consumer Privacy on the Global Information
Infrastructure, December 1996, available at http://www.ftc.gov/reports/privacy/privacy1.htm [hereinafter "FTC Staff
Report"]; FTC Staff Report: Anticipating the 21st
Century: Consumer Protection Policy in the New High-Tech, Global
Marketplace, May 1996, available at http://www.ftc.gov/opp/global.htm. In addition, the Commission presented
testimony on the Implications of Emerging Electronic Payment
Systems on Individual Privacy on September 18, 1997 before the
House Subcommittee on Financial Institutions and Consumer Credit,
Committee on Banking and Financial Services (available at http://www.ftc.gov/os/9709/elecpay.tes.htm); and on Internet Privacy on March 26,
1998 before the House Subcommittee on Courts and Intellectual
Property, Committee on the Judiciary (available at http://www.ftc.gov/os/9803/privacy.htm).
4. "Cookie" technology allows a Web
site's server to place information about a consumer's visits to
the site on the consumer's computer in a text file that only the
Web site's server can read. Using cookies a Web site assigns each
consumer a unique identifier (not the actual identity of the
consumer), so that the consumer may be recognized in subsequent
visits to the site. On each return visit, the site can call up
user-specific information, which could include the consumer's
preferences or interests, as indicated by documents the consumer
accessed in prior visits or items the consumer clicked on while
in the site. Web sites can also collect information about
consumers through hidden electronic navigational software that
captures information about site visits, including Web pages
visited and information downloaded, the types of browser used,
and the referring Web sites' Internet addresses. Staff did not
ascertain whether sites in the Commission's online survey use
cookies, or other hidden electronic means, to collect personal
information, but looked instead to sites' information practice
disclosures to reveal such practices. See infra
Section V.A and Appendix A.
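The cookie mechanism endnote 4 describes, shown as an added example that is not part of the report or of any site the Commission surveyed: a minimal in-memory Web site that assigns each visitor an opaque random identifier in a cookie and keeps the pages that visitor viewed server-side under that identifier, plus a minimal browser cookie jar that returns the cookie only to the host that set it. The names Site, Browser, COOKIE_NAME and the host names are constructed for the illustration.

```python
"""Constructed illustration of cookie-based visitor recognition (not the
report's own code). A Site hands out a random identifier in a Set-Cookie
header; on later requests the Browser sends it back, and the Site looks up
what that visitor viewed before. The identifier itself says nothing about
who the visitor is; it only links visits from the same browser profile."""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "visitor_id"  # constructed cookie name


class Site:
    """A Web site server that recognizes returning visitors by cookie."""

    def __init__(self, host):
        self.host = host
        self.visits = {}  # visitor_id -> list of pages viewed at this site

    def handle(self, path, cookie_header=""):
        """Serve one request.

        Returns (visitor_id, pages_seen_before, set_cookie_header_or_None).
        """
        incoming = SimpleCookie()
        incoming.load(cookie_header)
        morsel = incoming.get(COOKIE_NAME)
        set_cookie = None
        if morsel is None:
            # First visit: mint an opaque identifier and scope it to this host.
            visitor_id = secrets.token_urlsafe(16)
            outgoing = SimpleCookie()
            outgoing[COOKIE_NAME] = visitor_id
            outgoing[COOKIE_NAME]["domain"] = self.host
            outgoing[COOKIE_NAME]["path"] = "/"
            outgoing[COOKIE_NAME]["httponly"] = True  # keep it away from page scripts
            set_cookie = outgoing[COOKIE_NAME].OutputString()
        else:
            visitor_id = morsel.value
        history = self.visits.setdefault(visitor_id, [])
        seen_before = list(history)  # the "user-specific information" recalled
        history.append(path)
        return visitor_id, seen_before, set_cookie


class Browser:
    """A cookie jar that returns a cookie only to the host it was scoped to."""

    def __init__(self):
        self.cookies = {}  # host -> {cookie name: value}

    def store(self, host, set_cookie):
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            scope = morsel["domain"] or host  # honor the Domain attribute
            self.cookies.setdefault(scope, {})[name] = morsel.value

    def cookie_header(self, host):
        """Build the Cookie request header for one host (empty if none stored)."""
        return "; ".join(f"{k}={v}" for k, v in self.cookies.get(host, {}).items())

    def visit(self, site, path):
        vid, seen, set_cookie = site.handle(path, self.cookie_header(site.host))
        if set_cookie:
            self.store(site.host, set_cookie)
        return vid, seen


def demo():
    """Two visits to one site, then a visit to a different site."""
    shop = Site("shop.example")    # constructed host names
    other = Site("other.example")
    browser = Browser()
    first_id, _ = browser.visit(shop, "/books")
    second_id, remembered = browser.visit(shop, "/games")
    other_id, _ = browser.visit(other, "/")
    return {
        "same_visitor": first_id == second_id,      # recognized on return
        "remembered": remembered,                   # ['/books'] recalled
        "cookie_leaked_to_other_site": other_id == first_id,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two things the endnote states: the site recognizes the returning browser and recalls its earlier page, and the other host never sees the identifier because the jar only sends it to the domain that set it. Whether a given site discloses this practice is exactly what the survey in Section V.A examined; the mechanism itself leaves no trace in the page content.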
5. CommerceNet and Nielsen Media Research, CommerceNet/Nielsen
Media Demographic and Electronic Commerce Study, Spring '97
(March 12, 1997) (defining adults as individuals over 16 years
old), available at http://www.commerce.net/work/pilot/nielsen_96/press_97.html [hereinafter "CommerceNet/Nielsen
Demographic Study, Spring '97"]; IntelliQuest Communications,
Inc., Worldwide Internet/Online Tracking Service (WWITS™):
Second Quarter 1997 Study (Sept. 4, 1997), available at http://www.intelliquest.com/about/release32.htm.
6. CommerceNet/Nielsen Demographic Study,
Spring '97.
7. CommerceNet and Nielsen Media Research, CommerceNet/Nielsen
Media Demographic and Electronic Commerce Study, Fall '97 (December
11, 1997), available at http://www.commerce.net/news/press/121197.html [hereinafter "CommerceNet/Nielsen
Demographic Study, Fall '97"]. See also Yankelovich
Partners, 1997 Cybercitizen Report (Mar. 27, 1997) (finding
that 23% of users ordered and paid for a product over the
Internet, i.e., "transacted" business online),
available at http://www.yankelovich.com/pr/970327.htm.
8. Jupiter Communications, 1998 Online
Advertising Report (Aug. 22, 1997) (figure includes
directory listings and classified advertisements), available at http://www.jup.com/digest/082297/advert.shtml.
9. Louis Harris & Associates and Dr. Alan
F. Westin, Commerce, Communication, and Privacy Online, A
National Survey of Computer Users (1997) (hereinafter
referred to as "Westin Survey") at ix.
The Commission recognizes that the
widespread availability of consumers' personal information, and
the privacy concerns raised thereby, are not unique to the
Internet. The Commission has focused on online privacy for
several reasons. First, interactive media make it possible to
collect, store, aggregate, and disseminate personal information
with speed and efficiency that are unmatched in other contexts.
Second, the fact that the online marketplace is in its infancy
makes it possible to address online privacy issues prospectively.
Finally, and most important, consumers' concerns about their
privacy are significantly heightened in the online environment.
10. Id. at 20-21.
11. Business Week/Harris Poll: Online
Insecurity, Business Week, March 16, 1998, at 102.
12. Privacy & American Business Report, Vol.
4, No. 3 (1997) (reporting on Louis Harris Associates and Alan F.
Westin's National Survey of Computer Users).
13. As the Commission's expertise and
regulatory authority relate to commercial activities, its review
of children's online privacy issues has focused on the
information practices of commercial Web sites. The collection of
information from and about children by non-commercial sites such
as those operated by non-profit and educational entities,
however, raises similar privacy concerns.
14. Interactive Consumers Research Report, Vol.
4, No. 5 at 1, 4, May 1997 (discussing results of FIND/SVP's 1997
American Internet User Survey).
15. Id. at 3. The Find/SVP's survey
regarding children's online activities reports that approximately
57% of households with online children use the Internet for
homework and school-related research (64% with children ages 8 to
11); 51% use it for entertainment or games (78% with children
ages 8 to 11); 45% use it for surfing or browsing (60% with
children ages 8 to 11); 37% use it for e-mail and chat (35% with
children ages 8 to 11); and 43% use it for informal learning (59%
with children ages 8 to 11).
16. Id. at 1, 2. The number of
children online increased nearly five-fold from fall 1995 to
spring 1997. Id. at 1.
17. One source has estimated that, in 1997,
children aged 4 through 12 spent $24.4 billion themselves; and
children aged 2 through 14 may have directly influenced spending
by their parents in an amount as much as $188 billion. James U.
McNeal, Tapping the Three Kids' Markets, American
Demographics, Apr. 1998, at 38, 40.
18. According to one source, most children's
Web sites are targeting children ages 8 to 11. Teens tend to
visit the same sites that adults visit. Robin Raskin, What do
Kids Want?, Family PC Magazine, May 1998, at 17.
19. The types of personal information include
personal identifying information, such as name, e-mail address,
phone number, and home address, as well as other personal
information such as the child's age, gender, hobbies, interests,
favorite foods, games, movies, books, and animated characters. See
infra Section V.C.1.
20. See FTC Staff Report,
Appendix E.
21. The "Innocent Images" program
focuses on individuals who go online to meet children for the
purpose of engaging in sexual activity or who produce and/or
distribute child pornography online. See 1997 Workshop,
Transcript at 229 (testimony of FBI agent Linda Hooper). See
also Testimony of Louis J. Freeh, Director, Federal Bureau
of Investigation, before the Senate Appropriations Subcommittee
for the Departments of Commerce, Justice, and State, the
Judiciary, and Related Agencies, March 10, 1998, available at http://www.fbi.gov/congress/internet/sac310.htm; and Testimony of Stephen R. Wiley,
Chief, FBI Violent Crime and Major Offenders Section, before the
House Subcommittee on Crime, Committee on the Judiciary, November
7, 1997, available at http://www.fbi.gov/congress/children/children.htm.
22. 1997 Workshop, Transcript at 192-93 (testimony
of Charlotte Baecher of Consumers Union).
23. Id. at 36-37.
24. Id.
25. Id.
26. Id. at 156 (testimony of Alan
Westin).
27. Fair information practice principles were
first articulated in a comprehensive manner in the United States
Department of Health, Education and Welfare's seminal 1973 report
entitled Records, Computers and the Rights of Citizens (1973)
[hereinafter "HEW Report"]. In the twenty-five years
that have elapsed since the HEW Report, a canon of fair
information practice principles has been developed by a variety
of governmental and inter-governmental agencies. In addition to
the HEW Report, the major reports setting forth the core fair
information practice principles are: The Privacy Protection Study
Commission, Personal Privacy in an Information Society (1977)
[hereinafter "Privacy Protection Study"];
Organization for Economic Cooperation and Development, OECD
Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data (1980) [hereinafter "OECD Guidelines"];
Information Infrastructure Task Force, Information Policy
Committee, Privacy Working Group, Privacy and the National
Information Infrastructure: Principles for Providing and Using
Personal Information (1995) [hereinafter "IITF
Report"]; U.S. Dept. of Commerce, Privacy and the
NII: Safeguarding Telecommunications-Related Personal Information
(1995) [hereinafter "Commerce Report"]; The
European Union Directive on the Protection of Personal Data
(1995) [hereinafter "EU Directive"]; and the
Canadian Standards Association, Model Code for the Protection
of Personal Information: A National Standard of Canada (1996)
[hereinafter "CSA Model Code"]. Other sources
relied upon herein include the FTC Staff Report and FTC
Report to Congress/Reference Services.
28. Such principles can be either procedural or
substantive. Procedural principles address how personal
information is collected and used by governing the methods by
which data collectors and data providers interact. These
principles ensure that consumers have notice of, and consent to,
an entity's information practices. Substantive principles, by
contrast, impose substantive limitations on the collection and
use of personal information, regardless of consumer consent, by
requiring that only certain information be collected and that
such information only be used in certain ways. Most of the
principles discussed below are procedural in nature. One
substantive principle widely adopted by the fair information
practice codes, but not discussed below, is the collection
limitation principle, which states that entities should only
collect personal information necessary for a legitimate business
purpose. See Privacy Protection Study at 513-15;
IITF Report § II.A; CSA Model Code ¶ 4.4.
29. See, e.g., OECD Guidelines,
Explanatory Memorandum ¶ 52; see also FTC
Staff Report at 9.
30. While notice of a Web site's policies with
respect to data integrity and security is critical to making an
informed decision to reveal personal data, such notice is not a
prerequisite to the implementation of security measures. The
implementation of security measures lies solely in the hands of
the entity collecting the information and requires no active
participation from the consumer. Implementation of the principles
of choice and access, by contrast, require consumer involvement
and, therefore, are dependent on notice to be meaningful.
31. OECD Guidelines, Openness
Principle & ¶ 12; FTC Staff Report at 9-10; EU
Directive art. 10; CSA Model Code ¶ 4.8.2.
32. HEW Report at 62; Privacy
Protection Study at 514; OECD Guidelines, Purpose
Specification Principle & ¶ 9; IITF Report
§ II.B.; Commerce Report at 21; EU Directive
art. 10; CSA Model Code ¶ 4.2; FTC Staff
Report at 9-10. The corollary to identifying the purposes
for data collection is that the data not be used for other
purposes without the data subject's consent. See HEW
Report at 61-62; OECD Guidelines, Use Limitation
Principle & ¶ 10 and Explanatory Memorandum
¶ 55; IITF Report § II.D; EU Directive
arts. 6-7; CSA Model Code ¶ 4.5.
33. EU Directive art. 10.
34. Commerce Report at 21.
35. HEW Report at 59; IITF Report
§ II.B; EU Directive art. 10. Several of the fair
information practice codes recognize that a consumer's refusal to
allow the further unrelated use of his or her personal
information, beyond that which is necessary to complete the
transaction at issue, should not form the basis for the denial of
access to the good or service in question. See, e.g., Commerce
Report at 25; CSA Model Code ¶ 4.3.3.
36. Privacy Protection Study at 514; IITF
Report § II.B. As noted in endnote 30, notice of this
type is not a prerequisite to ensuring the confidentiality,
integrity, and quality of data. However, when dealing with data
considered by consumers to be particularly sensitive, information
about the steps taken by the data collector is important to the
consumer and may determine whether the consumer is willing to
provide such data.
37. See FTC Staff Report at 9-10.
38. HEW Report at 58; CSA Model
Code ¶ 4.8.2; EU Directive art. 10.
39. HEW Report at 58; EU Directive
art. 10.
40. IITF Report § II.B.
41. Cf. CSA Model Code
¶ 4.8.2 (organizations should make available identity of
individual accountable for organization's policies and to whom
complaints can be forwarded).
42. Virtually every set of fair information
practice principles includes consumer choice or consent as an
essential element. HEW Report at 41, 61; OECD
Guidelines, Collection Limitation Principle & ¶ 7
and Use Limitation Principle & ¶ 10; Commerce
Report at 23-27; EU Directive arts. 7, 14; CSA
Model Code, ¶¶ 4.3, 4.5; see also FTC
Report to Congress/Reference Services at 22-23; FTC
Staff Report at 10-11.
43. As noted in the FTC Staff Report,
commentators have taken different views of the efficacy and
wisdom of opt-in versus opt-out regimes. FTC Staff Report
at 10-11; see also Commerce Report at 24-27 (proposing
opt-in regimes for "sensitive information" and opt-out
regimes for other information).
44. Indeed, technological innovations soon may
allow consumers and collectors of information to engage in "electronic
negotiation" regarding the scope of information disclosure
and use. Such "negotiation" would be based on
electronic matching of pre-programmed consumer preferences with
Web sites' information practices. The World Wide Web Consortium
("W3C") is currently in the final stages of developing
its Platform for Privacy Preferences Project ("P3P"),
which will allow implementation of such technology. Consumers may
have access to P3P by early 1999. For general information on P3P,
see the W3C's Web site (http://www.w3.org/P3P).
45. A system requiring consumers to specify
privacy preferences before visiting any Web sites can be built
into Internet browsers. See supra note 44 (discussing
technological developments). The absence of default rules, and
the concomitant requirement that consumers decide how they want
their personal information used, help ensure that consumers in
fact exercise choice.
46. See HEW Report at 41, 59,
63; Privacy Protection Study at 508-13; OECD
Guidelines, Individual Participation Principle &
¶ 13; IITF Report § III.B; EU Directive art.
12; CSA Model Code ¶ 4.9; FTC Report to
Congress/Reference Services at 21-22. See also Fair
Credit Reporting Act ("FCRA") §§ 609-11, 15 U.S.C.
§§ 1681g-1681i (providing for consumer access to, and the
right to correct inaccuracies in, consumer credit reports).
47. See HEW Report at 63; IITF
Report § III.B; CSA Model Code ¶ 4.9; OECD
Guidelines, Individual Participation Principle &
¶ 13 and Explanatory Memorandum ¶ 61; EU
Directive art. 12; see also FTC Report to
Congress/Reference Services at 21-22; FCRA § 611, 15 U.S.C.
§ 1681i.
48. HEW Report at 56-57; Privacy
Protection Study at 521; OECD Guidelines, Data
Quality Principle & ¶ 8 and Explanatory Memorandum
¶ 53; IITF Report § I.C; EU Directive
art. 6; CSA Model Code ¶¶ 4.5.3, 4.6; see
also FCRA §§ 605, 607(b), 15 U.S.C. §§ 1681c,
1681e(b).
49. OECD Guidelines, Security
Safeguards Principle & ¶ 11 and Explanatory Memorandum
¶ 56; IITF Report §§ I.B, II.C; EU
Directive art. 17; CSA Model Code ¶ 4.7; FTC Staff
Report at 12. Physical security measures, such as guards,
alarms, etc., may also be necessary in certain circumstances.
50. In implementing security measures,
companies should be aware that security breaches directed at stored
data -- i.e., information already received by the data
collector -- often constitute greater threats to privacy than
those breaches occurring during the transmission of
sensitive data, such as credit card numbers, over the Internet. See,
e.g., Linda Punch, The Real Internet Security Issue,
Credit Card Management, Dec. 1997, at 65.
51. See HEW Report at 50 (calling for
Code of Fair Information Practices that includes civil and
criminal penalties, the availability of injunctive relief, and
individual rights of action for actual, liquidated, and punitive
damages); OECD Guidelines, Accountability Principle
& ¶14 and Explanatory Memorandum ¶ 62 (accountability
supported by legal sanctions); IITF Report § III.C
("envision[ing] various forms [of redress] including . . .
informal complaint resolution, mediation, arbitration, civil
litigation . . . ."); EU Directive arts. 22-23 (judicial
remedy and compensation).
52. Cf. Privacy Protection Study
at 33 (identifying voluntary compliance, statutorily-created
rights enforceable through individual or government action, and
centralized government mechanisms as means of implementing
compliance).
53. The European Union ("EU") has
recognized that self-regulation may in certain circumstances
constitute "adequate" privacy protection for purposes
of the EU Directive's ban on data transfer to countries lacking
"adequate" safeguards. See EU Directive
art. 25. The EU has noted, however, that non-legal rules such as
industry association guidelines are relevant to the "adequacy"
determination only to the extent they are complied with and that
compliance levels, in turn, are directly related to the
availability of sanctions and/or external verification of
compliance. See European Commission, Directorate General
XV, Working Document: Judging Industry Self-Regulation: When
Does it Make a Meaningful Contribution to the Level of Data
Protection in a Third Country? (1998), available at http://www.europa.eu.int/comm/dg15/en/media/dataprot/wp7.htm [hereinafter "Judging
Industry Self-Regulation"].
54. Discussion Draft: Elements of Effective
Self-Regulation for Protection of Privacy (1998), available
at http://www.ecommerce.gov/staff.htm [hereinafter "Elements of
Effective Self-Regulation"] (identifying consumer
recourse, verification, and consequences as elements of an
effective self-regulatory regime).
55. Id. Commission staff recently
responded to a request from the Direct Marketing Association
("DMA") for an advisory opinion concerning whether the
antitrust laws would permit it to require three things of its
members: (1) to use the DMA's Mail Preference and Telephone
Preference Services to honor consumers' requests to not be
contacted by direct marketers; (2) to disclose to consumers how
members sell or otherwise transfer personal information about
those consumers to others; and (3) to honor consumers' requests
that the members not sell or transfer their personal information.
FTC Bureau of Competition staff advised the DMA of its conclusion
that these requirements, as the DMA described them, would not
harm competition or violate the FTC Act. Letter from Bureau of
Competition Assistant Director to Counsel for the DMA, Sept. 9,
1997, available at http://www.ftc.gov/os/9710/dma.htm.
56. See Elements of Effective Self-Regulation.
57. FTC Report to Congress/Reference
Services at 25-33. It is still too early to assess the
success or efficacy of this plan, because its provisions are not
mandatory on its signatories until the end of the year.
58. There may, alternatively, be a role for
mechanisms to address practices affecting consumers as a group,
such as industry or trade association ethics or screening
committees that can resolve broader disputes.
59. See Elements of Effective Self-Regulation.
60. Several fair information practice codes
suggest compensation for injuries as an important element of fair
information practice. See HEW Report at 50 (calling
for Code of Fair Information Practices that provides for actual,
liquidated, and punitive damages); OECD Guidelines,
Accountability Principle & ¶ 14 and Explanatory
Memorandum ¶ 62 (accountability supported by legal
sanctions); IITF Report § III.C ("envision[ing]
various forms [of redress] including . . . informal complaint
resolution, mediation, arbitration, civil litigation . . .
."); see also Judging Industry Self-Regulation
at 5.
61. HEW Report at 50 (calling for Code
of Fair Information Practices that includes civil and criminal
penalties, the availability of injunctive relief, and individual
rights of action for actual, liquidated, and punitive damages); OECD
Guidelines, Accountability Principle & ¶ 14 and Explanatory
Memorandum ¶ 62 (accountability supported by legal
sanctions); IITF Report § III.C ("envision[ing]
various forms [of redress] including . . . informal complaint
resolution, mediation, arbitration, civil litigation . . .
."); EU Directive arts. 22-23 (judicial remedy and
compensation).
62. Two sectoral privacy acts provide for the
recovery of actual, liquidated, and punitive damages for
violations. See Video Privacy Protection Act of 1988, 18
U.S.C. § 2710(c) (providing for award of actual damages or
liquidated damages of not less than $2,500, punitive damages,
attorney's fees, and equitable relief); Cable Communications
Policy Act of 1984, 47 U.S.C. § 551(f) (providing for
recovery of actual damages or liquidated damages of not less than
$1,000, punitive damages, and attorney's fees).
63. HEW Report at 50; IITF Report
§ III.C (discussing regulatory enforcement and criminal
prosecution as redress options); OECD Guidelines, Explanatory
Memorandum ¶ 62 (referring to accountability supported
by legal sanctions); EU Directive art. 24 (unspecified
sanctions for violations of directive); see also CSA Model
Code ¶ 4.10.3 (discussing regulatory bodies receiving
complaints of violations of fair information practice).
64. IITF Report § III.C (redress
should be appropriate to violation).
65. The Commission's Deception Policy Statement
recognizes that children can be unfairly exploited due to their
age and lack of experience. See Deception Policy
Statement, appended to Cliffdale Associates, Inc.,
103 F.T.C. 110, 179 n.30 (1984), citing Ideal Toy,
64 F.T.C. 297, 310 (1964). For example, the Commission's actions
regarding the marketing of pay-per-call 900 number services to
children recognize children as a vulnerable group in the
marketplace. See Audio Communications, Inc., 114 F.T.C.
414 (1991) (consent order); Teleline, Inc., 114 F.T.C.
399 (1991) (consent order); Phone Programs, Inc., 115 F.T.C.
977 (1992) (consent order); Fone Telecommunications, Inc.,
Docket No. C-3432 (June 14, 1993) (consent order). The Telephone
Disclosure and Dispute Resolution Act of 1992 prohibits
advertising of such services to children under the age of 12,
unless the service is a bona fide educational service. 15 U.S.C.
§§ 5701 et seq.
66. The Federal Educational Rights and Privacy
Act of 1974 (FERPA), gives parents of minor students the right to
inspect, correct, amend, and control the disclosure of
information in education records. 20 U.S.C. § 1232g (1988). The
Department of Health and Human Services Policy for Protection of
Human Research requires parental/guardian written consent for all
DHHS-funded research that involves children as subjects. 45 C.F.R.
§§ 46.401-46.409 (1995). The Telephone Disclosure and Dispute
Resolution Act of 1992 expressly prohibits advertising of pay-per-call
(e.g., 900) services, except bona fide educational
services, to children under 12.
15 U.S.C. §§ 5701 et seq.
(Supp. IV 1992). The Children's Television Act of 1990, among
other things, requires television stations and cable operators to
limit the amount of advertising during children's television
programming. 47 U.S.C. § 303a(b) (Supp. V 1994).
67. See Letter from Jodie Bernstein,
Director, Bureau of Consumer Protection, Federal Trade
Commission, to Center for Media Education, July 15, 1997,
available at http://www.ftc.gov/os/9707/cenmed.htm [hereinafter "staff opinion
letter"]. Commissioner Azcuenaga did not endorse all of the
analyses and conclusions in the staff opinion letter.
68. Providing notice to parents raises some
implementation issues, but where the child and parent have
separate e-mail addresses, notice could be provided to the parent
by e-mail.
69. Mechanisms for obtaining actual or
verifiable parental consent include having the parent: mail or
fax a signed form downloaded from the site; provide a credit card
number; or provide an electronic (digital) signature. An e-mail
message submitted without a digital signature may not be adequate
to assure parental consent, since a site operator has no means of
knowing whether the message is from a parent or a child. This is
particularly true because most children do not currently have
their own e-mail addresses and instead share their parents' e-mail
addresses. While electronic signatures may be the best solution
in the future, they may not be widely available at this point. In
the meantime, children's Web sites may need to adopt traditional
consent mechanisms, such as written consent forms and credit card
numbers.
70. It is safe to assume that simply posting a
privacy policy at a Web site or advising the child to seek
parental permission before providing information online will have
little impact on children. Many children will simply ignore these
statements. Many will lack the sophistication or judgment to
understand a privacy notice or to refrain from providing the
requested information. Many children will be unwilling to wait
for parental consent, and will provide whatever information is
necessary to participate in the site's activity.
71. See supra Section III.A.1.
72. 63 Fed. Reg. 10,916 (1998).
73. The following trade associations and
industry groups filed guidelines and/or principles: The Bankers
Roundtable, Banking Industry Technology Secretariat ("BITS");
Direct Marketing Association ("DMA"); Electronic
Messaging Association ("EMA"); Independent Bankers
Association of America ("IBAA"); Individual Reference
Services Group ("IRSG"); Interactive Services
Association ("ISA"); Magazine Publishers of America
("MPA"); National Association of Federal Credit Unions
("NAFCU"); and Smart Card Forum ("SCF"). The
Council of Better Business Bureaus, Inc.'s Children's Advertising
Review Unit ("CARU") and the DMA also submitted
guidelines addressing marketing to children, which are discussed
in Section IV.B infra.
Numerous individual companies also
filed their own privacy policies. Several other organizations and
individuals also filed comments in response to the notice. Those
filings, which are available for review on the Commission's Web
site at http://www.ftc.gov, are not analyzed herein. The
Commission's purpose in soliciting trade association and
industry group guidelines was to assess industry's
progress towards achieving a self-regulatory regime with respect
to information collection online. While the Commission encourages
individual companies to adopt information practice policies for
the online environment, appreciates all of the submissions it has
received in response to the Notice, and commends those firms that
have developed effective self-regulatory policies, such policies,
as well as the comments of other interested parties, do not
constitute the elements of a self-regulatory system, which was
the focus of the Federal Register Notice.
74. See, e.g., NAFCU cover letter
("NAFCU does recommend that its members post privacy
policies on their Web sites").
75. See ISA, Principles on Notice
and Choice Procedures for Online Information Collection and
Distribution by Online Operators; DMA, Marketing Online:
Privacy Principles and Guidance. The DMA encourages members
to provide notice of, and substantive choice with respect to,
internal secondary uses of information as well (i.e.,
marketing back by the information collector).
76. The NAFCU submission is the only one that
does not address choice.
77. See DMA, Marketing Online:
Privacy Principles and Guidance; MPA submission.
78. See ISA, Principles on Notice
and Choice Procedures for Online Information Collection and
Distribution by Online Operators.
79. See BITS and IBAA, Privacy
Principles (BITS and IBAA each submitted the banking
industry's Privacy Principles independently); SCF, Consumer
Privacy and Smart Cards--A Challenge and an Opportunity;
IRSG, Individual Reference Services Industry Principles.
80. See generally BITS and IBAA, Privacy
Principles; NAFCU, Recommended Privacy Policy; SCF,
Consumer Privacy and Smart Cards--A Challenge and an
Opportunity; IRSG, Individual Reference Services
Industry Principles.
81. See IRSG, Individual Reference
Services Industry Principles; DMA, The Committee on
Ethical Business Practice Procedures for Case Handling.
82. See IRSG, Individual Reference
Services Industry Principles. The IRSG Principles,
which constitute one model for self-regulation, require
independent annual third-party audits, the results of which are
made public, and limit the sharing of information with entities
that do not adhere to the Principles. The DMA has also
announced that, effective July 1999, adherence to certain fair
information practices (notice and opt-out) will be mandatory for
all members. See DMA Ethics and Consumer Affairs
Department, Case Report from the Direct Marketing
Association's Committee on Ethical Business Practice (Sept.-Nov.
1997) at 4.
83. The DMA Committee on Ethical Business
Practice investigates complaints against companies alleged to be
violating DMA's voluntary guidelines. In cases in which a
satisfactory resolution of a complaint is not reached, the name
of the company and the facts of the case are made public. In
addition, the Committee may refer cases to law enforcement
agencies and/or to the DMA's Board of Directors for further
action including censure, suspension and/or expulsion of a member.
This peer review process is non-binding. DMA, The Committee
on Ethical Business Practice Procedures for Case Handling.
84. Both BITS and IBAA submitted BITS's Privacy
Principles Implementation Plan. The BITS plan states that
establishment of a privacy mark may be necessary, calls upon
banks to "apply their own internal process to assure
compliance with the bank's privacy principles," and states
that "[b]reaches of policy will be addressed internally on a
case-by-case basis by each bank." This non-binding reference
to ensuring compliance with policies is the only reference to
enforcement in any of the submitted guidelines, other than the
IRSG Principles and the DMA Committee on Ethical
Business Practice discussed above.
85. CARU was established by the advertising
community as an independent manager of the industry's self-regulatory
programs in 1974. Its main activity is the review and evaluation
of child-directed advertising in all media. Its Board of
Directors consists of representatives from the Council of Better
Business Bureaus, the American Association of Advertising
Agencies, the American Advertising Federation, and the
Association of National Advertisers. CARU is funded directly by
members of the children's advertising industry. The DMA
represents more than 3,600 member companies interested in
database marketing. Its members include catalogers, financial
services, publishers, book and music clubs, retail stores,
industrial manufacturers, and service industries. Copies of both
CARU's and DMA's guidelines are found in Appendix E.
86. The CARU Guidelines address
children under age 12, while the DMA Children's Guidelines
do not provide a definition for the term "children."
87. CARU Guidelines at 1, 3. The CARU
Guidelines do not define "passive tracking."
However, the term refers to information collected by using
navigational software designed to reveal information about the
visitor's experience on the site, such as the pages visited, the
information downloaded, the content viewed, the operating system
used, and the referring site's Internet address.
88. Id. at 4.
89. Id.
90. Id.
91. Id.
92. CARU is one of the few trade groups that
implements a voluntary enforcement mechanism for both its online
privacy guidelines as well as its general media guidelines. In
addition to its own monitoring of advertisers, CARU initiates
investigations upon receipt of a complaint from a consumer or a
company. CARU then seeks the advertiser's compliance with its
guidelines and publishes its case reports. If a company is
uncooperative and the practices are allegedly deceptive or
unfair, CARU refers the matter to the Commission. CARU's
voluntary enforcement mechanism is modeled on that of the
National Advertising Division (NAD), which is also associated
with the Council of Better Business Bureaus, Inc.
93. Since CARU's founding in 1974, 98% of the
subjects of its investigations have complied with its decisions.
94. The CARU Guidelines apply
generally to marketers of children's products and services. Since
CARU is not a membership organization, however, adherence to its
guidelines is not mandatory. Each of CARU's leading
organizational sponsors has urged its own members to implement
the CARU Guidelines, but these sponsors do not make
adherence mandatory for their members.
95. The DMA Children's Guidelines
suggest that marketers use language such as "Your mom or dad
should say it's okay for you to answer these questions," but
are not explicit with respect to when parental permission should
be sought. DMA Children's Guidelines, Guideline No. 1.
96. DMA Children's Guidelines,
Guideline Nos. 1-2.
97. McCain/Bliley letters. Specifically, the
Commission stated that "[w]e hope to find by March 1, 1998,
that a substantial majority of commercial Web sites are clearly
posting their information practices and privacy policies." Id.
at n.2.
98. The samples for groups A-D were drawn from
a comprehensive list of commercial Web sites provided by the Dun
and Bradstreet Corporation. See Appendix A.
99. The terms "likely to be of interest to
consumers" and "primarily directed to children aged
fifteen or younger" are defined in Appendix A.
100. For a copy of the Survey Forms used by the
surfers, see Appendix C.
101. These figures are based on data supplied by
The Dun & Bradstreet Corporation. Figures do not total 100%.
Approximately 3% of the sites in all the samples are not
classified by size, because sales figures were unavailable. For a
description of the Dun & Bradstreet database used in this
survey, see Appendix A.
102. See Appendix D, Table 1.
103. See Appendix D, Table 1.
104. See Appendix D, Table 1.
105. Company size information was not obtained
for Web sites in this sample.
106. See supra Section II.B.
107. The rates are: 92% of the sites in the
Comprehensive Sample; 88% of the Health Sample sites; 87% of the
Retail Sample sites; 97% of the Financial Sample sites; and 97%
of the Most Popular Sample sites. See Appendix D, Table
3, which also sets forth statistics based upon company size.
108. For purposes of this survey, the provision
of a mechanism for sending e-mail to a site's Webmaster, without
more, was not considered collection of an e-mail address. A
site's invitation to online consumers to "Contact Us"
or "Send Us Your Comments" by e-mail, however, was
deemed to be collection of an e-mail address. When the collection
of an e-mail address is not considered, the number of sites
collecting personal information decreases slightly in all samples.
Thus, 65% of all sites in the Comprehensive Sample collect some
personal information other than an e-mail address; as do 53% of
the sites in the Health Sample; 67% of the sites in the Retail
Sample; 73% of the sites in the Financial Sample; and 94% of the
sites in the Most Popular Sample. See also infra
note 115. Because the survey form did not identify the manner of
e-mail collection, the above statistics exclude all
sites that collect only an e-mail address, including those sites
that ask for it in contexts other than "Contact Us,"
such as on registration forms, etc.
109. For similar information with respect to the
other samples, see Appendix D, Table 5.
110. See Appendix D, Table 4.
111. Id.
112. The Commission cannot report on the number
of companies in the survey that create such profiles, because the
survey concerns Web sites' disclosures, and not actual practices.
113. The numbers for the Health, Retail and
Financial samples are as follows: sites collecting five or more
additional types of information -- 12% (Health), 19% (Retail), 26%
(Financial); sites collecting three or more additional types of
information -- 36% (Health), 60% (Retail), 53% (Financial); sites
collecting at least one additional type of information -- 57% (Health),
76% (Retail), 73% (Financial). See Appendix D, Table 6.
114. See Appendix D, Table 2.
115. See Appendix D, Table 7. The
percentage of disclosures among sites that collect some personal
information other than an e-mail address is slightly higher: 21%
in the Comprehensive Sample; 24% in the Health Sample; 18% in the
Retail Sample; 22% in the Financial Sample; and 74% in the Most
Popular Sample. See also supra note 108.
116. See Appendix D, Table 8.
117. See Appendix D, Table 9.
118. See Appendix D, Table 2.
119. See Appendix D, Table 7.
120. See Appendix D, Table 8.
121. See Appendix D, Table 9. Some
sites post both a Privacy Policy Notice and one or more
Information Practice Statements.
122. See, e.g., Communications Daily (Untitled,
February 10, 1998); Washington Telecom Newswire (Untitled,
February 9, 1998); I. Teinowitz, "FTC Will Survey
Marketer Web Sites for Privacy," Advertising Age (February
1998), available at http://www.adage.com/interactive/articles/19980216/article1.html .
123. See Appendix D, Table 7.
124. Given the small number of sites involved,
statistics based upon company size have not been reported.
125. The rate is 33% (or 31 sites) for the
Comprehensive Sample, 32% (or 6 sites) for the Health Sample, 33%
(or 6 sites) for the Retail Sample, and 35% (or 7 sites) for the
Financial Sample. See Appendix D, Table 10. In
responding to the relevant question on the General Survey Form,
staff counted both statements giving choice regarding internal
uses of the personal information and statements giving choice
about the transfer of the information to third parties as
statements offering consumers choice about how the information
collected will be used. See Appendix C.
126. The rate is 10% (or 9 sites) for the
Comprehensive Sample. See Appendix D, Table 10.
127. The rate is 6% (or 1 site) for the Retail
Sample and 5% (or 1 site) for the Financial Sample. See
Appendix D, Table 10.
128. See Appendix D, Table 11. The rate
for the Health Sample is 32% (or 6 sites) and the rate for the
Retail Sample is 22% (or 4 sites). Statements such as "We
keep this information confidential" were counted as
assertions of non-disclosure to third parties.
129. See Appendix D, Table 11.
Statements indicating that demographic or interest information
may be shared with third parties were counted as assertions of
possible third-party disclosures.
130. See Appendix D, Table 12. When
expressed as a percentage of all sites in a given sample
(and not just those sites that collect personal information and
have an information practice disclosure), the percent of sites
offering choice, access, or security, or addressing disclosures
to third parties, is even lower. Thus, only 5% of all sites in
the Comprehensive Sample, 4% of all sites in the Health and
Retail Samples, and 6% of all sites in the Financial Sample state
that they offer consumers choice; 1% of all sites in the
Comprehensive Sample, 2% of all sites in the Retail Sample and no
sites in the Health and Financial Samples state that they offer
consumers access; 2% of all sites in the Comprehensive Sample, no
sites in the Health Sample, and 1% of all sites in the Retail and
Financial Samples state that they take data security measures; 5%
of all sites in the Comprehensive Sample, 4% of all sites in the
Health Sample, and 3% of all sites in the Retail and Financial
Samples state that they will not disclose any personal
information collected to third parties; and 5% of all sites in
the Comprehensive Sample, 4% of all sites in the Health and
Retail Samples, and 6% of all sites in the Financial Sample state
that they may disclose some or all of the personal information
collected to third parties.
131. See Appendix D, Table 10.
132. Id.
133. Id.
134. See Appendix D, Table 11.
135. Id. Again, the above figures are
significantly lower when expressed as a percentage of all
sites in the Most Popular Sample. Thus, 49% of all sites in the
Most Popular Sample state that they offer consumers choice; 27%
state that they offer consumers access; 12% state that they take
data security measures; 10% state that none of the personal
information collected will be disclosed to third parties; and 56%
state that some or all of the personal information collected may
be disclosed to third parties.
136. See Appendix D, Table 12.
137. See Appendix D, Table 3.
138. See Appendix D, Table 13.
139. As in the General Survey, a mere hyperlink
to a site's Webmaster was not considered collection of an e-mail
address for purposes of this survey. However, hypertext that asks
visitors to "Contact Us" or "Send Us Your Comments"
was included as collection of an e-mail address. See supra
note 108.
140. See Appendix D, Table 5.
141. See Appendix D, Table 6.
142. For instance, in order to register for
certain online activities, some sites require children to
identify their interests such as rollerblading, skateboarding,
ice skating, biking, video games, science, football, soccer, and
computer games. Other sites ask children information about their
favorite television shows, commercials, and musical groups.
143. For example, one site asks children
personal financial questions such as the following:
    Do you own mutual funds?
    Are your parents currently saving for your college education?
    What do you usually do with gifts of money?
144. See Appendix D, Table 2. The
higher disclosure rate for the Children's Sample may reflect the
fact that staff publicly disclosed that this sample would be
selected from sites listed in the Yahooligans! Directory.
145. Id.
146. See Appendix D, Table 9.
147. See Appendix D, Table 8.
148. See Appendix D, Table 10.
149. Id.
150. Id.
151. Westin Survey at 3.
152. See Appendix D, Table 13.
153. See Appendix D, Table 11.
154. Id.
155. See Appendix D, Table 13.
156. Id.
157. Id.
158. Id. Examples of opt-out statements
include: "When minors subscribe to the newsletter, they are
asked for their parent's e-mail informing them [sic] their kid
has subscribed to the e-mail and the parent has the option to
discontinue this subscription," and "All parents can
correct or remove any information we receive from a child by
contacting us online, by phone or mail."
159. Westin Survey at 3.
160. Current American privacy law can best be
described as sectoral, consisting of a handful of disparate
statutes directed at specific industries that collect personal
data and none of which specifically covers the collection of
personal information online. See, e.g., Fair Credit
Reporting Act ("FCRA"), 15 U.S.C. §§ 1681 et
seq. (governing consumer credit reports); Electronic
Communications Privacy Act of 1986, 18 U.S.C. §§ 2510 et
seq. (governing electronic mail and voicemail communications);
Cable Communications Policy Act of 1984, 47 U.S.C. § 551 (governing
cable television subscriber information); Right to Financial
Privacy Act of 1978, 12 U.S.C. §§ 3401 et seq. (governing
individual bank records); Video Privacy Protection Act of 1988,
18 U.S.C. § 2710 (governing video rental records); Family
Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g
(governing student records); Communications Act of 1934, as
amended by the Telecommunications Act of 1996, 47 U.S.C.
§ 222 (governing information relating to use of
telecommunication services ["customer proprietary network
information"]); cf. Privacy Act of 1974, 5 U.S.C.
§ 552a (governing data collected by the federal government).
Pursuant to the Supreme Court's decision in United States v.
Miller, 425 U.S. 435 (1976), individuals have no Fourth
Amendment interest in personal information they voluntarily have
conveyed to another. Consequently, any privacy protections for
personal information must be legislatively grounded.
161. 15 U.S.C. §§ 41 et seq.
162. See supra note 67.
163. Parental notice raises some implementation
issues. In those instances where parents and children have
separate e-mail addresses, notice may be provided to parents
electronically. Where verifiable parental consent is required,
sites can simply direct children to download (print) the notice
and consent form and have the parent return the signed form by
regular mail or facsimile.