V. Survey of Commercial Web Sites

A. Overview

With these fair information practice principles and industry guidelines as background, the Commission conducted a survey of commercial sites on the World Wide Web. In July 1997, the Commission set out the objective of this survey: to determine whether self-regulation is an effective means of protecting consumer privacy on the Web. The Commission stated that it would measure the effectiveness of self-regulation by determining how many commercial Web sites are providing notice of their information practices and offering consumers choice regarding the collection and use of their personal information online.(97) To that end, in March 1998 Commission staff conducted an online survey of 1,402 commercial Web sites, including 212 sites directed to children.

The survey consists of six samples -- group A, drawn from all commercial U.S. sites "likely to be of interest to consumers;" groups B, C, and D, drawn from all such sites in the health, retail, and financial sectors, respectively;(98) group E, drawn from all commercial U.S. sites "primarily directed to children aged fifteen or younger;" and group F, which includes the most popular U.S. commercial sites.(99) There are 674 sites in the Comprehensive Sample (group A), 137 sites in the Health Sample (group B), 142 sites in the Retail Sample (group C), 125 sites in the Financial Sample (group D), 212 sites in the Children's Sample (group E), and 111 sites in the Most Popular Sample (group F). A detailed methodology describing the survey sample selection, data collection, and validation procedures is included in Appendix A. A list of the sites included in each sample is included in Appendix C.

Forty Commission staff members [hereinafter "surfers"] surveyed the sites in each of the samples in the two-week period from March 9-20, 1998. Once a surfer concluded that a site qualified for inclusion in one of the samples (i.e., it was "likely to be of interest to consumers" or was "primarily directed to children aged fifteen or younger"), the surfer searched the site to determine whether it collects personal information from online consumers and, if so, to ascertain the kinds of information it collects and whether it discloses its information practices.(100) In the case of sites directed to children, personal information collected on a payment form was deemed to be collected from adults; all other personal information sought by children's sites was considered to be collected from children.

For purposes of this survey, "personal information" was defined to include two broad information categories: information that can be used to identify consumers, such as name, postal or e-mail address ("personal identifying information"); and demographic and preference information (such as age, gender, income level, hobbies, or interests) that can be used either in aggregate, non-identifying form for purposes such as market analysis, or in conjunction with personal identifying information to create detailed personal profiles of consumers.

To determine whether Web sites are giving consumers notice of their information practices and offering consumers choice, Commission staff searched Web sites for information practice disclosures. Such disclosures might be found in a "Privacy Policy Notice," defined as a comprehensive description of a site's information practices that is located in one place on the site and may be reached by clicking on an icon or hyperlink. Disclosures might also take the form of a discrete "Information Practice Statement," defined as a statement that describes a particular use or practice regarding consumers' personal information, or regarding a choice offered to consumers about their personal information, that might appear in diverse locations on the site. Examples of such disclosures include statements such as the following:

Staff also counted as an Information Practice Statement any disclosure that did not explicitly state how the personal information collected might be used, but nevertheless arguably raised an inference of at least one potential use. Statements such as "Click here to be on our mailing list" were, therefore, included as Information Practice Statements. Sites in the Children's Sample were analyzed to determine the nature of information collected from children and the extent of notice and/or choice offered to parents. Copies of the survey instructions and survey forms are included in Appendices B and C, respectively. The survey results are set forth in the survey forms included in Appendix C and in the tables included in Appendix D.

B. General Survey Findings

This section of the report describes the survey results for all sites other than those directed to children. It describes the types of companies whose sites are in each of the four random samples and in the sample of the most popular sites on the Web; the types of personal information collected by these sites; and the frequency and nature of information practice disclosures within each of these samples.

1. Web Sites

The Comprehensive Sample (Sample A) includes 674 Web sites, and the types of companies included range broadly across the entire spectrum of the American economy. Bookstores, travel agencies and hardware stores, radio and television stations, manufacturers of foods and home health care products, clothing and sports equipment retailers, computer and software developers, online newspapers and magazines, auto dealerships and law firms, and sellers of all manner of other consumer goods and services are included in the Comprehensive Sample. Approximately 37% of the sites in the Comprehensive Sample are operated by small companies (annual sales less than $500,000.00), 40% by medium-sized companies (annual sales exceeding $500,000.00 but less than $10 million), and 20% by large companies (annual sales exceeding $10 million).(101)

The Health, Retail, and Financial Samples (Samples B, C, and D, respectively) are random samples of over 100 sites drawn from industry sectors in which consumers may have heightened concerns for privacy due to the types of personal information such Web sites are likely to collect: health-related sites may collect sensitive medical information; retail sites often collect credit card numbers; and sites offering financial services often collect account and asset-related information.

The Health Sample (Sample B) includes 137 sites operated by drug manufacturers, doctor's offices, hospitals, outpatient clinics, health maintenance organizations, manufacturers and retailers of health care products and non-prescription drugs, sellers of nutritional supplements, weight loss centers, substance abuse treatment centers, and health information and referral services. Small, medium, and large businesses are nearly equally represented in the Health Sample (32% small; 35% medium-sized; and 31% large).(102)

The Retail and Financial Samples (Samples C and D) are similarly diverse. The range of consumer goods and services sold by the companies represented in the Retail Sample (Sample C) mirrors the variety found in the Comprehensive Sample. Sellers of photographic equipment, automobiles, cigars, jewelry, clothing, computers and software, fine art, collectibles, books, housewares and sheet music are represented, as are magazines, restaurants, sporting goods stores, and pharmacies. Forty percent of the 142 companies in the Retail Sample are small, 37% medium-sized, and 21% large.(103) The Financial Sample (Sample D) includes 125 sites operated by banks, credit unions, mortgage companies, real estate agencies, security and stock brokerages, investment and asset management firms, venture capital firms, investment counselors, stock exchanges, student loan services, and investment newsletters. Eighteen percent of the sites in the Financial Sample are associated with small companies, 41% with medium-sized companies, and 39% with large companies.(104)

The Most Popular Sample (Sample F) includes 111 of the most popular sites on the Web. Companies represented in this sample include search engines, Internet service providers, electronic mail services, software and computer companies, news and information companies, online directories, entertainment companies, and retailers of consumer goods.(105)

2. Personal Information Collection

As noted above, in the three years since the Commission's first workshop on online privacy issues, there has been substantial survey research indicating that consumers are concerned that commercial Web sites are collecting a great quantity of personal information online and that this practice might infringe on consumers' privacy.(106) The Commission's own survey findings demonstrate that, indeed, a significant amount of personal information is being collected from online consumers.

As the findings on information collection are consistent across all four random samples and the Most Popular Sample, they are discussed together here. Almost all of the sites in these samples -- between 87% and 97% -- collect at least one type of personal information from online consumers.(107) The vast majority of sites in all samples collect several types of personal information. Figure 1 shows the percent of sites in the Comprehensive Sample that collect personal information; Figure 1A provides this information for all of the random samples and the Most Popular Sample.

These Web sites collect a remarkable variety of personal information, including name, e-mail address,(108) postal address, telephone number, fax number, credit card number, Social Security number, age or date of birth, gender, education, occupation, income, hobbies, interests, and the type of hardware or software used by the online consumer. Figure 2 shows the percent of sites in the Comprehensive Sample that collect each type of personal information.(109)

The number of sites in each sample that collect personal identifying information, such as name, e-mail or postal address, credit card number or Social Security number, is also worthy of note.(110) All of the sites in the Health, Retail, and Most Popular Samples that collect personal information, and all but one of such sites in each of the Comprehensive and Financial Samples, collect at least one item of personal identifying information.(111) All of these sites, therefore, are capable of creating personal profiles of online consumers by tying any demographic or interest information they collect to personal identifying information.(112)

Indeed, many of the sites that collect a consumer's name or e-mail address also collect other types of information about the consumer. For example, of those sites in the Comprehensive Sample that collect a consumer's name and/or e-mail address, 14% collect five or more additional types of personal information, 48% collect three or more additional types of personal information, and 66% collect at least one other type of personal information. The numbers in the Most Popular Sample are significantly higher. Of those sites in the Most Popular Sample that collect a consumer's name and/or e-mail address, 48% collect five or more additional types of personal information, 74% collect three or more additional types of personal information, and 90% collect at least one additional type of personal information.(113) (Figure 3)

3. Frequency of Disclosures

a. Random Samples

In contrast to the number of sites that collect personal information, the number of sites in the random samples that have any type of information practice disclosure, i.e., either a Privacy Policy Notice or an Information Practice Statement, is extremely low. This result is consistent across all four of these samples. Only 14% of all sites in the Comprehensive Sample, 14% of all sites in the Health Sample, 13% of all sites in the Retail Sample, and 16% of all sites in the Financial Sample post any disclosure.(114) (Figure 4)

Among sites in the random samples that collect personal information, the disclosure rate is equally low. Of these sites, only 15% in the Comprehensive Sample, 16% in the Health Sample, 15% in the Retail Sample, and 17% in the Financial Sample have any information practice disclosure.(115) Only 2% of the sites that collect personal information in each of these samples have a Privacy Policy Notice.(116) Of sites that collect personal information, 14% in the Comprehensive Sample, 16% in the Health Sample, 13% in the Retail Sample, and 15% in the Financial Sample have at least one Information Practice Statement.(117)

b. Most Popular Sample

The disclosure rate is much higher in the Most Popular Sample (Sample F). Seventy-one percent of all sites have some type of information practice disclosure (either a Privacy Policy Notice or an Information Practice Statement),(118) and 73% of sites that collect personal information have such a disclosure.(119) Of the sites in this sample that collect personal information, 44% have a Privacy Policy Notice,(120) and 61% have at least one Information Practice Statement.(121) The higher disclosure rate for the Most Popular Sample demonstrates that providing notice to consumers is feasible. (Figure 4A) The higher disclosure rate may be attributable not only to these companies' awareness of online privacy issues, but also to the fact that, of all the sites surveyed for this report, only companies in this sample were on notice that their sites would all be included in the survey, as a result of both press reports and public statements by Commission staff.(122) However, despite this clear public notice, over one-quarter of these sites still failed to post an information practice disclosure. (Figure 5)

4. Nature of Disclosures

a. Random Samples

As noted above, the disclosure rate for the Comprehensive, Health, Retail, and Financial Samples is very low, ranging between 13% and 16% of all sites. The following discussion of the substance of those disclosures pertains only to those sites in each sample that both collect personal information and have at least one information practice disclosure: 94 sites in the Comprehensive Sample; 19 sites in the Health Sample; 18 sites in the Retail Sample; and 20 sites in the Financial Sample.(123) The small sample size makes it difficult to draw conclusions regarding the nature of disclosures and, therefore, the analysis should be read with the small number of relevant sites in mind.(124)

Roughly one-third of the sites in each of these samples that have at least one information practice disclosure state that they give consumers choice about how the personal information they collect will be used.(125) The percent of sites offering consumers access to their personal information and/or an opportunity to correct any inaccuracies in that information is much lower, ranging from 0% in the Health and Financial Samples to 17% (or 3 sites) in the Retail Sample.(126) The percent of sites that state that they take steps to provide security for the personal information collected after they receive it ranges from 0% in the Health Sample to 15% (or 14 sites) in the Comprehensive Sample.(127)

Staff also gathered data regarding the number of sites whose disclosures address the issue of the potential transfer of personal information to third parties. The percent of sites stating that none of the personal information they collect will be disclosed to third parties ranges from 20% (or 4 sites) in the Financial Sample to 33% (or 31 sites) in the Comprehensive Sample.(128) Twenty-six percent (or 5 sites) of the sites with some information practice disclosure in the Health Sample, 33% (or 6 sites) in the Retail Sample, 36% (or 34 sites) in the Comprehensive Sample, and 40% (or 8 sites) in the Financial Sample state that at least some of the personal information collected may be released to third parties.(129) Only a single site that collects personal information in the Comprehensive Sample -- and none of the sites in the other random samples -- states that it provides choice, access, and security and addresses the issue of third-party disclosures.(130)

b. Most Popular Sample

The disclosure rate for the most frequently trafficked sites on the Web is, as noted above, significantly higher than the rates for the four random samples. Of the sites in this sample that both collect personal information and have at least one information practice disclosure, 68% (or 54 sites) state that they give consumers choice about how the personal information collected will be used,(131) 38% (or 30 sites) state that they provide consumers access to their personal information and/or an opportunity to correct any inaccuracies in that information,(132) and 16% (or 13 sites) state that they take steps to provide security for the personal information collected after they receive it.(133)

Fourteen percent (or 11 sites) of the sites in this sample that collect personal information and have an information practice disclosure say that none of the personal information they collect will be disclosed to third parties.(134) Seventy-eight percent (or 62 sites) of these sites state that at least some of the personal information collected may be released to third parties.(135) Six percent (or 5 sites) of these sites say that they provide consumers choice, access, and security, and address the issue of third-party disclosures.(136)

C. Children's Survey Findings

1. Personal Information Collection from Children

Commission staff surveyed Web sites in this Sample to ascertain whether they collect personal information from children online, and, if so, to identify the types of information they collect. Staff found that 89% of the 212 sites collect one or more types of personal information from children (a rate comparable to all of the other samples)(137) and that 88% collect at least one type of personal identifying information as well.(138) (Figure 6) Personal information collected from children includes a wide array of identifying information such as name, e-mail address,(139) postal address, telephone number, and Social Security number, as well as other personal information like age or date of birth, gender, education, interests, and hobbies.(140) (Figure 7)

Often the sites that collect personal identifying information also collect several other types of information, enabling them to form a detailed profile of a child. In fact, of the sites that collect a child's name and/or e-mail address, 21% collect five or more additional types of personal information, 48% collect three or more additional types of personal information, and 77% collect one or more additional types of personal information from children.(141) (Figure 8)

Web sites use a variety of techniques to solicit personal information from children. For example, some sites require children to answer questions about their interests in order to register or to become eligible to win prizes.(142) In other cases a site may use "imaginary" characters to request information from children, have children sign a "guest book," solicit information to create home pages for children, invite children to participate in chat and electronic pen pal programs, require children to register with the site for updates and information, and offer prizes and other incentives for completing surveys and polls. Some sites use detailed questionnaires, soliciting information about children's age, gender, geographic location, and even personal finances.(143)

While it was not possible to determine all the purposes for which personal information collected from children is used, many uses were apparent simply from visiting sites. Surfers found, for example, that some sites collect e-mail addresses to send children newsletters and notices about online contests and chances to win prizes on the site. Other sites collect personal information from children to notify them of contest results and to ask children for feedback about the site.

2. Frequency of Disclosures

The percentage of children's sites providing some degree of disclosure about their collection and use of information was significantly higher than that for all samples other than the Most Popular Sample.(144) Fifty-four percent of all sites in the Children's Sample have some kind of information practice disclosure, either a comprehensive Privacy Policy Notice or at least one Information Practice Statement, or both.(145) (Figure 9)

As noted above with respect to the general samples, staff applied a very broad definition of what constitutes an Information Practice Statement. Any statement that describes a particular use or practice regarding consumers' personal information and/or a choice offered to consumers about their personal information was considered an Information Practice Statement. Examples from the Children's Sample include statements such as:

Of sites that collect personal information from children, 50% have at least one Information Practice Statement.(146)

Although a majority of children's sites have some statement about one or more of their information practice(s), the number of children's sites that have a Privacy Policy Notice is much lower. Twenty-four percent of the sites that collect personal information from children post a Privacy Policy Notice.(147) (Figure 10)

3. Nature of Disclosures

The following discussion of the nature of disclosures by sites in the Children's Sample applies only to those sites that both collect personal information from children and have at least one information practice disclosure (109 sites). Thirty-nine percent (or 43 sites) of these sites say that they provide children or their parents with choices about how their personal information will be used.(148) Only 12% (or 13 sites) of these sites say that they offer access to this personal information or an opportunity to correct inaccuracies.(149) The percentage of sites that state they take steps to provide security for personal information after they receive it is lower still -- 8% (or 9 sites).(150) Only 12% (or 13 sites) say they will notify parents of their information practices. Of the sites that collect personal information from children and have at least one information practice disclosure, no site's information practice disclosure discusses the full range of fair information practice principles -- choice, access, security and parental notice. (Figure 11)

The survey also shows that numerous sites disclose children's personal information to third parties. There are two ways that sites disclose personal information to third parties: (1) sites may display children's personal information in areas accessible to anyone online; or (2) sites may sell or rent children's personal information to others. In either case, the release of children's personal identifying information to third parties is of concern, because it creates a risk of injury to or exploitation of children so identified. As described earlier, 97% of parents are concerned about whether their children's personal information is shared with third parties.(151) Despite parents' concern, staff found sites, for example, that display color photographs of young children with their full names and ages, as well as sites that facilitate public disclosure of children's e-mail addresses in bulletin boards, chat rooms, "art galleries," and on children's home pages.

Of those sites that collect personal information from children and have an information practice disclosure, 82% have some kind of disclosure stating whether or not children's information will be publicly posted or otherwise shared with third parties.(152) Only 33% have an information practice disclosure stating that none of the information will be released to third parties.(153) Forty-nine percent say that the information may be released to third parties.(154)

4. Parental Involvement

The role of parents in protecting their children's privacy is fundamental to the implementation of the fair information practice principles described in this report, and is the principal touchstone of both the staff opinion letter and the CARU guidelines. The survey percentages were low with regard to parental control over the collection and use of information. Only 23% (or 48 sites) of all the sites in the Children's Sample take the first step of telling children to ask their parents for permission before providing information to the site.(155) Less than 8% of the sites say they notify parents of their information practices.(156) Only 1% (or 3 sites) require parental consent to the collection and use of information before the information is collected or used (opt-in)(157) and only 8% (or 17 sites) say that parents can ask that personal information collected from children be deleted or not used in the future (opt-out).(158) (Figure 12)

The results reveal a very low level of compliance with the basic parental control principles contained in the staff opinion letter and the CARU guidelines more than seven months after these documents were released. First, the results demonstrate that a significant percentage of sites continue to collect a vast array of personal information from children, in sharp contrast to parents' preferences.(159) Second, despite the fact that Commission staff publicly disclosed that the Children's Sample would be selected from sites listed in the Yahooligans! Directory, nearly half of the sample failed to post any kind of information practice disclosure. Finally, very few sites tell children to ask their parents for permission before providing personal information, and fewer still notify parents of their information practices or appear to take any steps to involve parents.