Executive Summary

* * *

The World Wide Web is an exciting new marketplace for consumers. It offers easy access to a broad array of goods, services, and information, but also serves as a source of vast amounts of personal information about consumers, including children. While the online consumer market is growing exponentially, there are also indications that consumers are wary of participating in it because of concerns about how their personal information is used. As the above examples show, these concerns are real, for both adults and children.

The Commission has been involved in addressing online privacy issues for almost as long as there has been an online marketplace and has held a series of workshops and hearings on such issues. Throughout, the Commission's goal has been to encourage and facilitate effective self-regulation as the preferred approach to protecting consumer privacy online. These efforts have been based on the belief that greater protection of personal privacy on the Web will not only protect consumers, but also increase consumer confidence and ultimately their participation in the online marketplace. In this report, the Commission summarizes widely-accepted principles regarding information collection, use, and dissemination; describes the current state of information collection and privacy protection online; and assesses the extent of industry's self-regulatory response.

Government studies in the United States and abroad have recognized certain core principles of fair information practice. These principles are widely accepted as essential to ensuring that the collection, use, and dissemination of personal information are conducted fairly and in a manner consistent with consumer privacy interests. These core principles require that consumers be given notice of an entity's information practices; that consumers be given choice with respect to the use and dissemination of information collected from or about them; that consumers be given access to information about them collected and stored by an entity; and that the data collector take appropriate steps to ensure the security and integrity of any information collected. Moreover, it is widely recognized that fair information practice codes or guidelines should contain enforcement mechanisms to ensure compliance with these core principles. With respect to the collection of information from children, a wide variety of public policies recognize the important supervisory role of parents in commercial transactions involving their children. Parental control is also the touchstone for application of fair information practice policies to the collection of information from children.

The Commission solicited industry association fair information practice guidelines to assess their conformity with these core principles. This assessment shows that industry association guidelines generally encourage members to provide notice of their information practices and some choice with respect thereto, but fail to provide for access and security or for enforcement mechanisms.

The Commission also examined the practices of commercial sites on the World Wide Web. The Commission's survey of over 1,400 Web sites reveals that industry's efforts to encourage voluntary adoption of the most basic fair information practice principle -- notice -- have fallen far short of what is needed to protect consumers. The Commission's survey shows that the vast majority of Web sites -- upward of 85% -- collect personal information from consumers. Few of the sites -- only 14% in the Commission's random sample of commercial Web sites -- provide any notice with respect to their information practices, and fewer still -- approximately 2% -- provide notice by means of a comprehensive privacy policy. The results with respect to the collection of information from children are also troubling. Eighty-nine percent of children's sites surveyed collect personal information from children. While 54% of children's sites provide some form of disclosure of their information practices, few sites take any steps to provide for meaningful parental involvement in the process. Only 23% of sites even tell children to seek parental permission before providing personal information, fewer still (7%) say they will notify parents of their information practices, and less than 10% provide for parental control over the collection and/or use of information from children. The Commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold.

In light of the Commission's findings and significant consumer concerns regarding privacy online, it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles. The Commission is currently considering such incentives and possible courses of action to adequately protect the privacy of online consumers generally. The Commission will make its recommendations on this subject this summer.

In the specific area of children's online privacy, however, the Commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children. Such legislation would require Web sites that collect personal identifying information from children to provide actual notice to parents and obtain parental consent. The timing of such notice and consent would vary depending on the age of the child, and the nature and uses of the information collected. Such legislation would protect children and ensure that parents have knowledge of, and control over, the collection of information from their children.

The development of the online marketplace is at a critical juncture. If growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential. To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information. Accordingly, the Commission now recommends legislation to protect children online and this summer will recommend an appropriate response to protect the privacy of all online consumers.

I. Introduction

This report to Congress provides an assessment of the effectiveness of self-regulation as a means of protecting consumer privacy on the World Wide Web ("the Web").(1) It is based on a comprehensive online survey of the information practices of commercial Web sites, including sites directed to children, conducted in March 1998; an examination of current industry guidelines governing information practices online; and the record developed in Commission hearings and workshops held since 1995.

Part II of the report provides a brief history of the Commission's work in the area of online privacy, and a summary of the privacy concerns raised by the new online marketplace. Part III describes what have come to be recognized as the core principles of privacy-protective information practices. Part IV then compares current industry guidelines with these generally accepted principles, and Part V presents the findings of the Commission's survey of Web sites. Part VI sets forth the Commission's conclusions.