FTC Changes Its Tune

Why the agency no longer supports industry self-regulation for Internet privacy

To obtain data for the report, FTC staff randomly sampled 335 Web sites, ranging from mainstream sites such as borders.com and www.ftd.com, to more specialized sites such as www.limp-bizkit. com and www.vintagemustang.com Surfing surveyors looked for information such as whether sites had posted privacy policies, what type of information the sites collected about their visitors, and whether the sites informed visitors about the collection of personal information. The FTC also compiled survey results from 91 of the 100 busiest Web sites.

The FTC found that between 97 and 99 percent of the sites surveyed “collect an email address or some other type of personal identifying information” from site visitors. The study also revealed that only 20 percent of the randomly sampled sites and 42 percent of the popular sites implemented some or all the FTC’s four principles of fair information practice: providing consumers with notice, choice, access, and security. The FTC also discovered that only 8 percent of the randomly sampled sites and 45 percent of the popular sites have adopted the online industry’s principal proposal for self-regulation, the privacy seal program, which requires sites to implement fair information practices and monitor their own compliance. The survey results have led three of the five FTC commissioners to conclude that “industry efforts alone have not been sufficient [and] cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders.” The FTC has called for federal legislation to protect consumer privacy online.

A number of industry organizations challenged the FTC’s conclusions, saying that the FTC study demonstrates growing industry self-regulation efforts and support for consumer privacy, obviating the need to legislate compliance. Christine Varney, an advisor to the Online Privacy Alliance (OPA) industry group, testified on May 25 before the U.S. Senate Committee on Commerce, Science, and Transportation concerning the FTC’s findings. “The FTC’s conclusion, that privacy on the Internet is inadequate, is not supported by the facts in its report,” Varney said. She added that sweeping regulations would not guarantee consumer privacy protections, but called for government and industry to continue to work together on privacy policies and technology solutions. The Software and Information Industry Association (SIIA) told the U.S. Congress that “the [FTC’s] recommendations would create severe costs and barriers to entry for e-commerce vendors and would destroy the momentum of an industry self-regulation effort that has resulted in 90 percent of Web sites clearly posting privacy policies.”

Daniel J. Weitzner of the World Wide Web Consortium (W3C) testified at the same hearings that both legislation and technology are needed to protect privacy. “We need some kind of legal baseline, a legal framework in which to operate, along with technology tools and responsible industry practices,” Weitzner said. “Web users need more powerful technical tools to give them greater control over their online privacy relationships and greater information about what kinds of relationships they enter into. So much of individual users’ practical privacy rights depend on being able to make individualized choices about what they want done with their personal information in a particular interaction.”

The FTC study is available online at www.ftc.gov/os/2000/05/index.htm#22. New legislation, the Consumer Privacy Protection Act, (106th Cong., 2nd sess., S.2606) was introduced in the Senate on May 23 by Senator Ernest F. Hollings (D-S.C.). — Claudia Willen