With these fair information
practice principles and industry guidelines as background, the
Commission conducted a survey of commercial sites on the World
Wide Web. In July 1997, the Commission set out the objective of
this survey: to determine whether self-regulation is an effective
means of protecting consumer privacy on the Web. The Commission
stated that it would measure the effectiveness of self-regulation
by determining how many commercial Web sites are providing notice
of their information practices and offering consumers choice
regarding the collection and use of their personal information
online.(97) To that end, in March 1998 Commission staff
conducted an online survey of 1,402 commercial Web sites,
including 212 sites directed to children.

The survey consists of six samples
-- group A, drawn from all commercial U.S. sites "likely to
be of interest to consumers;" groups B, C, and D, drawn from
all such sites in the health, retail, and financial sectors,
respectively;(98) group E, drawn from all commercial U.S. sites
"primarily directed to children aged fifteen or younger;"
and group F, which includes the most popular U.S. commercial
sites.(99) There are 674 sites in the Comprehensive Sample (group
A), 137 sites in the Health Sample (group B), 142 sites in the
Retail Sample (group C), 125 sites in the Financial Sample (group
D), 212 sites in the Children's Sample (group E), and 111 sites
in the Most Popular Sample (group F). A detailed methodology
describing the survey sample selection, data collection, and
validation procedures is included in Appendix A. A list of the
sites included in each sample is included in Appendix C.

Forty Commission staff members [hereinafter
"surfers"] surveyed the sites in each of the samples in
the two-week period from March 9-20, 1998. Once a surfer
concluded that a site qualified for inclusion in one of the
samples (i.e., it was "likely to be of interest to
consumers" or was "primarily directed to children aged
fifteen or younger"), the surfer searched the site to
determine whether it collects personal information from online
consumers and, if so, to ascertain the kinds of information it
collects and whether it discloses its information practices.(100) In the case of sites directed to children, personal
information collected on a payment form was deemed to be
collected from adults; all other personal information sought by
children's sites was considered to be collected from children.

For purposes of this survey,
"personal information" was defined to include two broad
information categories: information that can be used to identify
consumers, such as name, postal or e-mail address ("personal
identifying information"); and demographic and preference
information (such as age, gender, income level, hobbies, or
interests) that can be used either in aggregate, non-identifying
form for purposes such as market analysis, or in conjunction with
personal identifying information to create detailed personal
profiles of consumers.

To determine whether Web sites are
giving consumers notice of their information practices and
offering consumers choice, Commission staff searched Web sites
for information practice disclosures. Such disclosures might be
found in a "Privacy Policy Notice," defined as a
comprehensive description of a site's information practices that
is located in one place on the site and may be reached by
clicking on an icon or hyperlink. Disclosures might also take the
form of a discrete "Information Practice Statement,"
defined as a statement that describes a particular use or
practice regarding consumers' personal information, or regarding
a choice offered to consumers about their personal information,
that might appear in diverse locations on the site. Examples of
such disclosures include statements such as the following:
- We keep all the information
you provide us confidential.
- We will only use the
information you provide us to process your order.
- We [will, sometimes, never]
share your information with third parties.

Staff also counted as an
Information Practice Statement any disclosure that did not
explicitly state how the personal information collected might be
used, but nevertheless arguably raised an inference of at least
one potential use. Statements such as "Click here to be on
our mailing list" were, therefore, included as Information
Practice Statements. Sites in the Children's Sample were analyzed
to determine the nature of information collected from children
and the extent of notice and/or choice offered to parents. Copies
of the survey instructions and survey forms are included in
Appendices B and C, respectively. The survey results are set
forth in the survey forms included in Appendix C and in the
tables included in Appendix D.

This section of the report
describes the survey results for all sites other than those
directed to children. It describes the types of companies whose
sites are in each of the four random samples and in the sample of
the most popular sites on the Web; the types of personal
information collected by these sites; and the frequency and
nature of information practice disclosures within each of these
samples.

The Comprehensive Sample (Sample A)
includes 674 Web sites, and the types of companies included range
broadly across the entire spectrum of the American economy.
Bookstores, travel agencies and hardware stores, radio and
television stations, manufacturers of foods and home health care
products, clothing and sports equipment retailers, computer and
software developers, online newspapers and magazines, auto
dealerships and law firms, and sellers of all manner of other
consumer goods and services are included in the Comprehensive
Sample. Approximately 37% of the sites in the Comprehensive
Sample are operated by small companies (annual sales less than $500,000.00),
40% by medium-sized companies (annual sales exceeding $500,000.00
but less than $10 million), and 20% by large companies (annual
sales exceeding $10 million).(101)

The Health, Retail, and Financial
Samples (Samples B, C, and D, respectively) are random samples of
over 100 sites drawn from industry sectors in which consumers may
have heightened concerns for privacy due to the types of personal
information such Web sites are likely to collect: health-related
sites may collect sensitive medical information; retail sites
often collect credit card numbers; and sites offering financial
services often collect account and asset-related information.

The Health Sample (Sample B)
includes 137 sites operated by drug manufacturers, doctor's
offices, hospitals, outpatient clinics, health maintenance
organizations, manufacturers and retailers of health care
products and non-prescription drugs, sellers of nutritional
supplements, weight loss centers, substance abuse treatment
centers, and health information and referral services. Small,
medium, and large businesses are nearly equally represented in
the Health Sample (32% small; 35% medium-sized; and 31% large).(102)

The Retail and Financial Samples (Samples
C and D) are similarly diverse. The range of consumer goods and
services sold by the companies represented in the Retail Sample (Sample
C) mirrors the variety found in the Comprehensive Sample. Sellers
of photographic equipment, automobiles, cigars, jewelry,
clothing, computers and software, fine art, collectibles, books,
housewares and sheet music are represented, as are magazines,
restaurants, sporting goods stores, and pharmacies. Forty percent
of the 142 companies in the Retail Sample are small, 37% medium-sized,
and 21% large.(103) The Financial Sample (Sample D) includes 125 sites
operated by banks, credit unions, mortgage companies, real estate
agencies, security and stock brokerages, investment and asset
management firms, venture capital firms, investment counselors,
stock exchanges, student loan services, and investment
newsletters. Eighteen percent of the sites in the Financial
Sample are associated with small companies, 41% with medium-sized
companies, and 39% with large companies.(104)

The Most Popular Sample (Sample F)
includes 111 of the most popular sites on the Web. Companies
represented in this sample include search engines, Internet
service providers, electronic mail services, software and
computer companies, news and information companies, online
directories, entertainment companies, and retailers of consumer
goods.(105)

As noted above, in the three years
since the Commission's first workshop on online privacy issues,
there has been substantial survey research indicating that
consumers are concerned that commercial Web sites are collecting
a great quantity of personal information online and that this
practice might infringe on consumers' privacy.(106) The Commission's own survey findings demonstrate
that, indeed, a significant amount of personal information is
being collected from online consumers.

As the findings on information
collection are consistent across all four random samples and the
Most Popular Sample, they are discussed together here. Almost all
of the sites in these samples -- between 87% and 97% -- collect
at least one type of personal information from online consumers.(107) The vast majority of sites in all samples collect
several types of personal information. Figure 1 shows the percent of sites in the Comprehensive
Sample that collect personal information; Figure 1A provides this information for all of the random
samples and the Most Popular Sample.

These Web sites collect a
remarkable variety of personal information, including name, e-mail
address,(108) postal address, telephone number, fax number,
credit card number, Social Security number, age or date of birth,
gender, education, occupation, income, hobbies, interests, and
the type of hardware or software used by the online consumer. Figure 2 shows the percent of sites in the Comprehensive
Sample that collect each type of personal information.(109)

The number of sites
in each sample that collect personal identifying information,
such as name, e-mail or postal address, credit card number or
Social Security number, is also worthy of note.(110) All of the sites in the Health, Retail, and Most
Popular Samples that collect personal information, and all but
one of such sites in each of the Comprehensive and Financial
Samples, collect at least one item of personal identifying
information.(111) All of these sites, therefore, are capable of
creating personal profiles of online consumers by tying any
demographic or interest information they collect to personal
identifying information.(112)

Indeed, many of the sites that
collect a consumer's name or e-mail address also collect other
types of information about the consumer. For example, of those
sites in the Comprehensive Sample that collect a consumer's name
and/or e-mail address, 14% collect five or more additional types
of personal information, 48% collect three or more additional
types of personal information, and 66% collect at least one other
type of personal information. The numbers in the Most Popular
Sample are significantly higher. Of those sites in the Most
Popular Sample that collect a consumer's name and/or e-mail
address, 48% collect five or more additional types of personal
information, 74% collect three or more additional types of
personal information, and 90% collect at least one additional
type of personal information.(113) (Figure 3)

In contrast to the number of sites
that collect personal information, the number of sites in the
random samples that have any type of information practice
disclosure, i.e., either a Privacy Policy Notice or an
Information Practice Statement, is extremely low. This result is
consistent across all four of these samples. Only 14% of all
sites in the Comprehensive Sample, 14% of all sites in the Health
Sample, 13% of all sites in the Retail Sample, and 16% of all
sites in the Financial Sample post any disclosure.(114) (Figure 4)

Among sites in the random samples
that collect personal information, the disclosure rate is equally
low. Of these sites, only 15% in the Comprehensive Sample, 16% in
the Health Sample, 15% in the Retail Sample, and 17% in the
Financial Sample have any information practice disclosure.(115) Only 2% of the sites that collect personal
information in each of these samples have a Privacy Policy Notice.(116) Of sites that collect personal information, 14% in
the Comprehensive Sample, 16% in the Health Sample, 13% in the
Retail Sample, and 15% in the Financial Sample have at least one
Information Practice Statement.(117)

The disclosure rate
is much higher in the Most Popular Sample (Sample F). Seventy-one
percent of all sites have some type of information practice
disclosure (either a Privacy Policy Notice or an Information
Practice Statement),(118) and 73% of sites that collect personal information
have such a disclosure.(119) Of the sites in this sample that collect personal
information, 44% have a Privacy Policy Notice,(120) and 61% have at least one Information Practice
Statement.(121) The higher disclosure rate for the Most Popular
Sample demonstrates that providing notice to consumers is
feasible. (Figure 4A) The higher disclosure rate may be attributable not
only to these companies' awareness of online privacy issues, but
also to the fact that, of all the sites surveyed for this report,
only companies in this sample were on notice that their sites
would all be included in the survey, as a result of both
press reports and public statements by Commission staff.(122) However, despite this clear public notice, over one-quarter
of these sites still failed to post an information practice
disclosure. (Figure 5)

As noted above, the disclosure
rate for the Comprehensive, Health, Retail, and Financial Samples
is very low, ranging between 13% and 16% of all sites. The
following discussion of the substance of those disclosures
pertains only to those sites in each sample that both collect
personal information and have at least one information
practice disclosure: 94 sites in the Comprehensive Sample; 19
sites in the Health Sample; 18 sites in the Retail Sample; and 20
sites in the Financial Sample.(123) The small sample size makes it difficult to draw
conclusions regarding the nature of disclosures and, therefore,
the analysis should be read with the small number of relevant
sites in mind.(124)

Roughly one-third of the sites in
each of these samples that have at least one information practice
disclosure state that they give consumers choice about how the
personal information they collect will be used.(125) The percent of sites offering consumers access to
their personal information and/or an opportunity to correct any
inaccuracies in that information is much lower, ranging from 0%
in the Health and Financial Samples to 17% (or 3 sites) in the
Retail Sample.(126) The percent of sites that state that they take
steps to provide security for the personal information collected
after they receive it ranges from 0% in the Health Sample to 15%
(or 14 sites) in the Comprehensive Sample.(127)

Staff also gathered data regarding
the number of sites whose disclosures address the issue of the
potential transfer of personal information to third parties. The
percent of sites stating that none of the personal information
they collect will be disclosed to third parties ranges from 20% (or
4 sites) in the Financial Sample to 33% (or 31 sites) in the
Comprehensive Sample.(128) Twenty-six percent (or 5 sites) of the sites with
some information practice disclosure in the Health Sample, 33% (or
6 sites) in the Retail Sample, 36% (or 34 sites) in the
Comprehensive Sample, and 40% (or 8 sites) in the Financial
Sample state that at least some of the personal information
collected may be released to third parties.(129) Only a single site that collects personal
information in the Comprehensive Sample -- and none of the sites
in the other random samples -- states that it provides choice,
access, and security and addresses the issue of third-party
disclosures.(130)

The disclosure rate for the most
frequently trafficked sites on the Web is, as noted above,
significantly higher than the rates for the four random samples.
Of the sites in this sample that both collect personal
information and have at least one information practice
disclosure, 68% (or 54 sites) state that they give consumers
choice about how the personal information collected will be used,(131) 38% (or 30 sites) state that they provide consumers
access to their personal information and/or an opportunity to
correct any inaccuracies in that information,(132) and 16% (or 13 sites) state that they take steps to
provide security for the personal information collected after
they receive it.(133)

Fourteen percent (or 11 sites) of
the sites in this sample that collect personal information and
have an information practice disclosure say that none of the
personal information they collect will be disclosed to third
parties.(134) Seventy-eight percent (or 62 sites) of these sites
state that at least some of the personal information collected
may be released to third parties.(135) Six percent (or 5 sites) of these sites say that
they provide consumers choice, access, and security, and address
the issue of third-party disclosures.(136)

Commission staff surveyed Web
sites in this Sample to ascertain whether they collect personal
information from children online, and, if so, to identify the
types of information they collect. Staff found that 89% of the
212 sites collect one or more types of personal information from
children (a rate comparable to all of the other samples)(137) and that 88% collect at least one type of personal
identifying information as well.(138) (Figure 6) Personal information collected from children
includes a wide array of identifying information such as name, e-mail
address,(139) postal address, telephone number, and Social
Security number, as well as other personal information like age
or date of birth, gender, education, interests, and hobbies.(140) (Figure 7)

Often the sites that
collect personal identifying information also collect several
other types of information, enabling them to form a detailed
profile of a child. In fact, of the sites that collect a child's
name and/or e-mail address, 21% collect five or more additional
types of personal information, 48% collect three or more
additional types of personal information, and 77% collect one or
more additional types of personal information from children.(141) (Figure 8)

Web sites use a
variety of techniques to solicit personal information from
children. For example, some sites require children to answer
questions about their interests in order to register or to become
eligible to win prizes.(142) In other cases a site may use "imaginary"
characters to request information from children, have children
sign a "guest book," solicit information to create home
pages for children, invite children to participate in chat and
electronic pen pal programs, require children to register with
the site for updates and information, and offer prizes and other
incentives for completing surveys and polls. Some sites use
detailed questionnaires, soliciting information about children's
age, gender, geographic location, and even personal finances.(143)

While it was not possible to
determine all the purposes for which personal information
collected from children is used, many uses were apparent simply
from visiting sites. Surfers found, for example, that some sites
collect e-mail addresses to send children newsletters and notices
about online contests and chances to win prizes on the site.
Other sites collect personal information from children to notify
them of contest results and to ask children for feedback about
the site.

The percentage of children's sites
providing some degree of disclosure about their collection and
use of information was significantly higher than that for all
samples other than the Most Popular Sample.(144) Fifty-four percent of all sites in the Children's
Sample have some kind of information practice disclosure, either
a comprehensive Privacy Policy Notice or at least one Information
Practice Statement, or both.(145) (Figure 9)

As noted above with respect to the
general samples, staff applied a very broad definition of what
constitutes an Information Practice Statement. Any statement that
describes a particular use or practice regarding consumers'
personal information and/or a choice offered to consumers about
their personal information was considered an Information Practice
Statement. Examples from the Children's Sample include statements
such as:
- Kids, get your parents'
permission before you give out information online;
- We reserve the right to do
whatever we want with the information we collect, and
- Click here if you want to be
on our mailing list.

Of sites that collect personal
information from children, 50% have at least one Information
Practice Statement.(146)

Although a majority of children's
sites have some statement about one or more of their information
practice(s), the number of children's sites that have a Privacy
Policy Notice is much lower. Twenty-four percent of the sites
that collect personal information from children post a Privacy
Policy Notice.(147) (Figure 10)

The following discussion of the
nature of disclosures by sites in the Children's Sample applies
only to those sites that both collect personal information from
children and have at least one information practice disclosure (109
sites). Thirty-nine percent (or 43 sites) of these sites say that
they provide children or their parents with choices about how
their personal information will be used.(148) Only 12% (or 13 sites) of these sites say that they
offer access to this personal information or an opportunity to
correct inaccuracies.(149) The percentage of sites that state they take steps
to provide security for personal information after they receive
it is lower still -- 8% (or 9 sites).(150) Only 12% (or 13 sites) say they will notify parents
of their information practices. Of the sites that collect
personal information from children and have at least one
information practice disclosure, no site's information practice
disclosure discusses the full range of fair information practice
principles -- choice, access, security and parental
notice. (Figure 11)

The survey also shows
that numerous sites disclose children's personal information to
third parties. There are two ways that sites disclose personal
information to third parties: (1) sites may display children's
personal information in areas accessible to anyone online; or (2)
sites may sell or rent children's personal information to others.
In either case, the release of children's personal identifying
information to third parties is of concern, because it creates a
risk of injury to or exploitation of children so identified. As
described earlier, 97% of parents are concerned about whether
their children's personal information is shared with third
parties.(151) Despite parents' concern, staff found sites, for
example, that display color photographs of young children with
their full names and ages, as well as sites that facilitate
public disclosure of children's e-mail addresses in bulletin
boards, chat rooms, "art galleries," and on children's
home pages.

Of those sites that collect
personal information from children and have an information
practice disclosure, 82% have some kind of disclosure stating
whether or not children's information will be publicly posted or
otherwise shared with third parties.(152) Only 33% have an information practice disclosure
stating that none of the information will be released to
third parties.(153) Forty-nine percent say that the information may
be released to third parties.(154)

The role of parents in protecting
their children's privacy is fundamental to the implementation of
the fair information practice principles described in this
report, and is the principal touchstone of both the staff opinion
letter and the CARU guidelines. The survey percentages were low
with regard to parental control over the collection and use of
information. Only 23% (or 48 sites) of all the sites in the
Children's Sample take the first step of telling children to ask
their parents for permission before providing information to the
site.(155) Less than 8% of the sites say they notify parents
of their information practices.(156) Only 1% (or 3 sites) require parental consent to
the collection and use of information before the
information is collected or used (opt-in)(157) and only 8% (or 17 sites) say that parents can ask
that personal information collected from children be deleted or
not used in the future (opt-out).(158) (Figure 12)

The results reveal a
very low level of compliance with the basic parental control
principles contained in the staff opinion letter and the CARU
guidelines more than seven months after these documents were
released. First, the results demonstrate that a significant
percentage of sites continue to collect a vast array of personal
information from children, in sharp contrast to parents'
preferences.(159) Second, despite the fact that Commission staff
publicly disclosed that the Children's Sample would be selected
from sites listed in the Yahooligans! Directory, nearly half of
the sample failed to post any kind of information practice
disclosure. Finally, very few sites tell children to ask their
parents for permission before providing personal information, and
fewer still notify parents of their information practices or
appear to take any steps to involve parents.