Throughout the series of Commission
workshops on online privacy issues, the online industry has
asserted that self-regulation is a more efficient and effective
means of creating online privacy protections than government
regulation. To gauge the status and effectiveness of current self-regulatory
efforts, on March 5, 1998 the Commission published a Federal
Register Notice (the "Notice") requesting that
trade associations and industry groups voluntarily submit copies
of their online information practice guidelines and principles.(72) Nine
industry-specific guidelines were submitted.(73) Copies
of these guidelines are included in Appendix E. The guidelines do
not address all of the core fair information practice principles
discussed above, but all encourage companies to provide notice of
at least some of their information practices, and most encourage
choice with respect to the disclosure of personal information to
third parties. For the most part, the submitted guidelines do not
address access or security. Most importantly, very few provide
any kind of enforcement mechanism, an essential element of
effective self-regulation.
All of the guidelines submitted encourage
member companies to provide at least some notice of their
information practices. The extent of the suggested notice ranges
from a general recommendation to post a privacy policy on Web
sites,(74) to
more specific exhortations to provide notice with respect to the
nature of information collected, how it is collected, its
intended uses, the nature and purposes of any intended
disclosures to third parties, and the mechanism to opt-out of any
third-party disclosure.(75) None
of the guidelines discusses the need to provide notice about
access or security.
Most of the guidelines suggest that member
companies provide some degree of choice with respect to the use
of personal information.(76) Here
too there is a range in what is suggested by the guidelines. Some
guidelines suggest giving consumers choice with respect to most
secondary uses of their information, both external (i.e.,
disclosure to third parties) and internal (i.e.,
marketing back to the consumer);(77) others
suggest giving consumers a choice solely with respect to external
uses.(78) All of
the guidelines speak of choice in terms of opt-out options for
the consumer; none adopts an opt-in regime for adult consumers.
Several of the industry guidelines address
consumer access to information by providing generally that
procedures should be established to ensure accuracy of the
information, including allowing consumers access to, and the
opportunity to correct, information collected about them.(79) Other
guidelines fail to make any reference to the access principle.
Only the banking and financial industry
association guidelines, and the individual reference services
guidelines, make any reference to security issues. These
guidelines call generally for appropriate security procedures,
including the limitation of employee access to data.(80)
With limited exception,(81) the
submitted guidelines contain no enforcement mechanisms. Only one
of the guidelines conditions further membership and information
sharing on adherence to the guidelines.(82) One
other set of guidelines provides for peer review of alleged
violations, but it is not binding.(83) All of
the other guidelines and policies submitted are merely
exhortatory.(84) As
discussed above, the absence of enforcement mechanisms
significantly weakens the effectiveness of industry-promulgated
guidelines as a self-regulatory tool. This is especially true if
member companies fail to voluntarily adhere to suggested policies.
The Commission received two sets of
guidelines regarding collection and use of information from
children in response to its March 1998 Notice: the Children's
Advertising Review Unit of the Council of Better Business
Bureaus, Inc.'s ("CARU") Guidelines for Interactive
Electronic Media ("CARU Guidelines") and
the Direct Marketing Association's ("DMA") Online
Data Collection from or about Children ("DMA
Children's Guidelines").(85) Both
guidelines address younger children.(86)
The CARU Guidelines, issued in
April 1997, are consistent with the principles outlined in the
staff opinion letter described above. They require that
advertisers make "reasonable efforts" to provide notice
and choice to parents when information is collected from children
online, including the collection of information through "passive
tracking."(87) In all
cases, the notice must specify the means by which parents can
correct or remove the information collected from a company's
database.(88) The
guidelines require prior parental consent (opt-in) to the
collection of personal identifying information from children
under the following circumstances: (1) when the information would
enable the recipient to contact the child offline, regardless of
the intended use; (2) when the information would be publicly
posted so as to enable others to communicate directly with the
child online; and (3) when the information would be shared with
third parties.(89) Under
other circumstances, such as the collection for internal use of
an e-mail address, first name, or hometown, the site must provide
notice to the parent and an opportunity to opt-out.(90) If a
site collects only anonymous or aggregate information, the
guidelines require notice of the intended uses of the
information, but not parental consent.(91)
In addition, CARU has an enforcement
mechanism in place to promote compliance with its online privacy
guidelines,(92) and
has achieved a remarkably high level of compliance under this
mechanism in the offline media over a long period of time.(93) While
CARU has worked to encourage Web sites to adhere to its privacy
guidelines with respect to the collection of personal information
from children online, to date it has not achieved the same
widespread adherence it has achieved in other media.(94)
The DMA Children's Guidelines,
which were adopted in January 1997, do not conform to the
principles set forth in the staff opinion letter. The DMA is
working now, however, to strengthen and refine its children's
guidelines. The current DMA Children's Guidelines urge
marketers to: (1) take into account a child's age, knowledge,
sophistication, and maturity when collecting information; (2)
encourage young children to obtain their parents' permission;(95) and (3)
support parental control over the collection of data from
children through notice and opt-out.(96) These
guidelines do not call for actual notice to parents or
for prior parental consent, even where the information is
disclosed to third parties or otherwise made publicly available.