CDT Analysis of the Federal Trade Commission Report On Online Privacy
The Federal Trade Commission (FTC) recently released its report to Congress on the state of privacy on the Web. The report included a survey of over 1,400 sites and a review of nine trade associations’ privacy guidelines, and found that:
- only 2% of the survey’s sample had comprehensive privacy policies posted on their Web site, and only 14% had notice of any kind;
- a mere 7% of child-oriented sites requested parental consent prior to collecting information;
- other sites collecting sensitive information, such as medical and financial oriented sites, were no better at providing notice than the general sample;
- however, the "most popular" sites were far more likely to have some kind of notice and privacy statements; and
- trade association guidelines were clearly lacking in the areas of access, security and compliance mechanisms.
These findings led the FTC to the conclusion that Congress should enact laws to protect children online.
Such a recommendation does not go far enough. CDT advocates the following:
- The FTC should commence regulatory proceedings to establish enforceable rules of the road to protect the privacy of all Americans online. The FTC should immediately take steps to ensure that internationally accepted principles for protecting personal information become the baseline for privacy protection during online activities.
- Although CDT believes that the FTC has this authority under existing law, if it is determined otherwise, Congress should give it such a mandate in a narrowly tailored bill.
- With nearly half of the most popular sites (as identified in the FTC report) providing comprehensive policies, the good actors in industry should welcome a move which creates a baseline for compliance, forcing their competitors to pay attention to fair information practices as well.
The Federal Trade Commission Report "Privacy Online: A Report to Congress" found that, despite increased pressure from the White House to develop meaningful self-regulation and growing public anxiety about privacy on the Internet, companies continue to collect personal information on the World Wide Web without providing even a minimum of consumer protection. The report looked only at whether Web sites provided users with notice about how their data was to be used; there was no discussion of whether the stated privacy policies provided adequate protection.
The report broke surveyed sites into six categories: (a) "comprehensive," general-interest sites; (b) health-related sites; (c) retail sites; (d) financial sites; (e) child-oriented sites; and (f) "most popular" sites. The report also discussed nine industry-specific self-regulatory guidelines disseminated by various trade associations.
History and Overview
The report details FTC involvement in the issues surrounding online privacy dating back to 1995, focusing on the growth of the online marketplace and specific concerns over children. It documents the FTC’s process of public hearings, written reports, staff advisory opinions, and monitoring in the area of privacy, and reiterates a scaled-back version of the privacy protection practices outlined in the FTC’s December 1996 staff report entitled Consumer Privacy on the Global Information Infrastructure. These five principles, based on international standards of data protection, are: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. In 1996, the FTC issued a list of elements necessary to promote privacy on the Web. The recommendations, which were essentially a scaled-back version of previous guidelines, focused on four principles: notice, choice, access, and security.
While most of the FTC’s work has surrounded investigating the problem, the process has positioned the Commission as a source of knowledge and forum for discussion on privacy issues. The FTC’s previous report was a good first step toward protecting privacy in the online environment. This survey examined whether Web sites were taking the first step of posting a policy but did not inquire further.
Survey of Commercial Web Sites
The FTC surveyed 1,402 Web sites, taking 674 sites as a sample. The survey found that a significant number of sites are collecting personally identifiable information (92% of the sites surveyed, although the type of sites surveyed may have artificially increased that percentage). Of these sites, almost all (98%) collected an email address and 68% collected a name. Two-thirds of the sites that collected a name and/or email address were collecting one or more additional types of information, and almost half were collecting three or more types of information.
Despite the large number of sites collecting information, only 14% had some kind of disclosure of what they were doing with personal data. At the FTC press conference announcing the report, Chairman Robert Pitofsky said that this figure included the most lenient interpretation of notice. By a stricter definition, only 2% had proper privacy notice. The most popular sites were significantly better at giving notice, with 61% giving some kind of disclosure and 44% providing comprehensive notice.
These figures show a clear lack of attention by industry to even the most basic fair information practices. The gap between the most popular sites and the Internet as a whole is particularly striking, suggesting that the attention on the issue over the past three years has been heard mostly by a select number of big players online. The baselines set by the FTC need to be enforceable in order to create clear consequences for those that do not comply, expanding the discussion of privacy beyond the 111 most popular sites on the Net.
The FTC recommended that Congress develop legislation to require sites that collect (1) offline contact information, (2) publicly posted information, or (3) information to be disclosed to third parties from children under 13 to obtain prior parental consent. If the information is only used to contact the child in order for them to participate online, such as in a contest, parents should be given notice and the opportunity to remove the online contact information from the database. For children 13 and older, Web sites should notify parents of a collection and allow them the opportunity to remove all information from the database.
While CDT supports the FTC’s effort to establish rules to protect children’s privacy at Web sites targeting children, we believe that the FTC should take the lead in this area. Asking Congress to enact legislation on this issue raises the specter of the incorporation of a host of other concerns for children in the online environment. The FTC is in a position to take action against the bad actors identified in the survey without such Congressional action and without the possibility of reviving the debate over the Communications Decency Act. If the FTC does not believe that it has this authority, then Congress should provide it. This request should extend beyond jurisdiction over children to allow the FTC the ability to use its expertise in the area of online privacy generally.
Health and Financial Sites
The report also surveyed Web sites targeted at adults. Because of the sensitive nature of the data they collect, the FTC paid special attention to financial and medical Web sites. The report found that despite the fact that an overwhelming percentage of health and finance sites were collecting personal information, very few were informing visitors how they use or disclose that information. Despite their sensitive status, the medical and financial sites fared no better than the comprehensive survey as a whole: only 14% of health-oriented Web sites and 16% of financially oriented sites provided individuals with notice of their data practices. The FTC even included some specific, albeit anonymous, examples of the type of information collection that was occurring at these sites, implying that these types of collection may be particularly objectionable.
Given the relative inaction by industry, it is surprising that the FTC made no recommendations to protect adults’ privacy, even in industries that collect particularly sensitive personal information such as health. The risks posed by the collection and use of sensitive information argue strongly for more concerted attention and perhaps special protections. Chairman Pitofsky indicated during the press conference announcing the release of the report that the FTC plans to revisit these issues this summer; hopefully this will include a renewed look into the practices of health and financial sites.
Industry Association Guidelines
The 1996 FTC report established five basic principles to which data collectors on the Web should adhere: notice (the right of an individual to know how his or her data will be used); choice (the right of an individual to decide about the use and disclosure of personal information); access (the right of the individual to see and correct personal data); integrity (the right of an individual to have his or her data secure from unauthorized access and change); and enforcement (a system for an individual to seek redress if another right has been violated). The FTC reviewed nine industry-specific guidelines, comparing them to the five principles outlined in the FTC report to establish an overview of trade associations’ attempts at self-regulation. The FTC found that none of the guidelines adequately address all five principles, and that they generally leave out access and security completely. The report highlights the need for enforcement mechanisms, which it calls an "essential element of effective self-regulation," but which most of the reviewed guidelines lack. This brief review provides concise insight into the inability of industry groups to agree on even the most basic privacy protections and to develop means to enforce them.
The FTC report also details two sets of industry guidelines regarding children’s information. The report praised the Children’s Advertising Review Unit of the Better Business Bureau Guidelines for Interactive Media but also noted a lack of adherence in online media. The Direct Marketing Association’s January 1997 guidelines on online data collection from or about children are singled out for not requiring notice or parental consent prior to data collection. The DMA has since revised these guidelines, although they still do not advocate prior parental consent.
Over the past three years, the Federal Trade Commission has gathered the expertise necessary to set comprehensive guidelines for online privacy. It proved this capability when it issued voluntary guidelines after the Privacy Workshop last year. Although these recommendations were weak compared to previously established fair information practices, they provided a good starting point for FTC enforcement.
Despite this obvious capability, the FTC suggested in its report that Congress take authority to regulate privacy, particularly children’s privacy. CDT interprets current law as granting the FTC regulatory powers to protect kids’ online privacy as part of the prohibition of "unfair and deceptive" trade practices. An FTC-based regulation would be far preferable to a legislative solution because such a move in Congress may reopen the Communications Decency Act debate. Regardless, if it is decided that the FTC does not currently have a mandate to protect privacy, Congress should immediately pass a narrow bill to give the FTC authority to establish binding regulations to protect adults’ and children’s privacy.
Such a move should have the support of major industry players. Nearly half of the most popular sites (as defined by the FTC; see accompanying summary of the report’s methodology) were already cited as providing comprehensive policies. Good actors in the online industry should welcome a move which creates a baseline for data collection since it would force their competitors to follow the same fair practices that they already do.