- A medical clinic's online
doctor-referral service invites consumers to submit their
name, postal address, e-mail address, insurance company,
any comments concerning their medical problems, and to
indicate whether they wish to receive information on any
of a number of topics, including urinary incontinence,
hypertension, cholesterol, prostate cancer, and diabetes.
The online application for the clinic's health education
membership program asks consumers to submit their name,
address, telephone number, date of birth, marital status,
gender, insurance company, and the date and location of
their last hospitalization. The clinic's Web site says
nothing about how the information consumers provide will
be used or whether it will be made available to third
parties.
- A child-directed site
collects personal information, such as a child's full
name, postal address, e-mail address, gender, and age.
The site also asks a child whether he or she has received
gifts in the form of stocks, cash, savings bonds, mutual
funds, or certificates of deposit; who has given these
gifts; whether monetary gifts were invested in mutual
funds, stocks, or bonds; and whether the child's parents
own mutual funds. Elsewhere on the site, contest winners'
full name, age, city, state and zip code are posted. The
Web site does not tell children to ask their parents for
permission before providing personal information and does
not appear to take any steps to involve parents. Further,
the site says nothing about whether the information is
disclosed to third parties.
* * *
The World Wide Web is an exciting
new marketplace for consumers. It offers easy access to a broad
array of goods, services, and information, but also serves as a
source of vast amounts of personal information about consumers,
including children. While the online consumer market is growing
exponentially, there are also indications that consumers are wary
of participating in it because of concerns about how their
personal information is used. As the above examples show, these
concerns are real, for both adults and children.

The Commission has been involved
in addressing online privacy issues for almost as long as there
has been an online marketplace and has held a series of workshops
and hearings on such issues. Throughout, the Commission's goal
has been to encourage and facilitate effective self-regulation as
the preferred approach to protecting consumer privacy online.
These efforts have been based on the belief that greater
protection of personal privacy on the Web will not only protect
consumers, but also increase consumer confidence and ultimately
their participation in the online marketplace. In this report,
the Commission summarizes widely-accepted principles regarding
information collection, use, and dissemination; describes the
current state of information collection and privacy protection
online; and assesses the extent of industry's self-regulatory
response.

Government studies in the United
States and abroad have recognized certain core principles of fair
information practice. These principles are widely accepted as
essential to ensuring that the collection, use, and dissemination
of personal information are conducted fairly and in a manner
consistent with consumer privacy interests. These core principles
require that consumers be given notice of an entity's
information practices; that consumers be given choice
with respect to the use and dissemination of information
collected from or about them; that consumers be given access
to information about them collected and stored by an entity; and
that the data collector take appropriate steps to ensure the security
and integrity of any information collected. Moreover, it is
widely recognized that fair information practice codes or
guidelines should contain enforcement mechanisms to ensure
compliance with these core principles. With respect to the
collection of information from children, a wide variety of public
policies recognize the important supervisory role of parents in
commercial transactions involving their children. Parental
control is also the touchstone for application of fair
information practice policies to the collection of information
from children.

The Commission solicited industry
association fair information practice guidelines to assess their
conformity with these core principles. This assessment shows that
industry association guidelines generally encourage members to
provide notice of their information practices and some choice
with respect thereto, but fail to provide for access and security
or for enforcement mechanisms.

The Commission also examined the
practices of commercial sites on the World Wide Web. The
Commission's survey of over 1,400 Web sites reveals that
industry's efforts to encourage voluntary adoption of the most
basic fair information practice principle -- notice -- have
fallen far short of what is needed to protect consumers. The
Commission's survey shows that the vast majority of Web sites --
upward of 85% -- collect personal information from consumers. Few
of the sites -- only 14% in the Commission's random sample of
commercial Web sites -- provide any notice with respect to their
information practices, and fewer still -- approximately 2% --
provide notice by means of a comprehensive privacy policy. The
results with respect to the collection of information from
children are also troubling. Eighty-nine percent of children's
sites surveyed collect personal information from children.
While 54% of children's sites provide some form of disclosure of
their information practices, few sites take any steps to provide
for meaningful parental involvement in the process. Only 23% of
sites even tell children to seek parental permission before
providing personal information, fewer still (7%) say they will
notify parents of their information practices, and less than 10%
provide for parental control over the collection and/or use of
information from children. The Commission's examination of
industry guidelines and actual online practices reveals that
effective industry self-regulation with respect to the online
collection, use, and dissemination of personal information has
not yet taken hold.

In light of the Commission's
findings and significant consumer concerns regarding privacy
online, it is evident that substantially greater incentives are
needed to spur self-regulation and ensure widespread
implementation of basic privacy principles. The Commission is
currently considering such incentives and possible courses of
action to adequately protect the privacy of online consumers
generally. The Commission will make its recommendations on this
subject this summer.

In the specific area of children's
online privacy, however, the Commission now recommends that
Congress develop legislation placing parents in control of the
online collection and use of personal information from their
children. Such legislation would require Web sites that collect
personal identifying information from children to provide actual
notice to parents and obtain parental consent. The timing of such
notice and consent would vary depending on the age of the child,
and the nature and uses of the information collected. Such
legislation would protect children and ensure that parents have
knowledge of, and control over, the collection of information
from their children.

The development of the online
marketplace is at a critical juncture. If growing consumer
concerns about online privacy are not addressed, electronic
commerce will not reach its full potential. To date, industry has
had only limited success in implementing fair information
practices and adopting self-regulatory regimes with respect to
the online collection, use, and dissemination of personal
information. Accordingly, the Commission now recommends
legislation to protect children online and this summer will
recommend an appropriate response to protect the privacy of all
online consumers.

This report to Congress provides
an assessment of the effectiveness of self-regulation as a means
of protecting consumer privacy on the World Wide Web ("the
Web").(1) It is based on a comprehensive online survey of the
information practices of commercial Web sites, including sites
directed to children, conducted in March 1998; an examination of
current industry guidelines governing information practices
online; and the record developed in Commission hearings and
workshops held since 1995.

Part II of the report provides a
brief history of the Commission's work in the area of online
privacy, and a summary of the privacy concerns raised by the new
online marketplace. Part III describes what have come to be
recognized as the core principles of privacy-protective
information practices. Part IV then compares current industry
guidelines with these generally accepted principles, and Part V
presents the findings of the Commission's survey of Web sites.
Part VI sets forth the Commission's conclusions.