FTC Asserts Net Privacy Jurisdiction; New Health Data Standards Proposed
Meanwhile, Department of Health and Human Services Secretary Donna Shalala proposed new security standards for maintaining and transmitting health information electronically and called on Congress for new legislation guaranteeing the privacy of medical records.
Regarding the GeoCities settlement, Susan Scott, executive director of nonprofit privacy group TRUSTe, Palo Alto, CA, said she received calls last week from distressed netizens wondering how GeoCities could fail FTC scrutiny if it's a member of TRUSTe. TRUSTe provides electronic stamps of approval to Web sites that meet its information-practices criteria. In July, industry trade group Online Privacy Alliance proposed relying on electronic seals of approval for enforcement of information collection and use policies.
"GeoCities joined TRUSTe after this whole thing came down with the FTC," Scott said. "We feel confident that with our oversight process, we would have caught exactly the type of thing that GeoCities had been accused of."
The FTC complaint cites actions by GeoCities as far back as July 1997. GeoCities joined TRUSTe in April. GeoCities would not comment, saying it is in a quiet period following its initial public offering on Aug. 11.
The GeoCities lesson, said Scott: "Don't post anything [in a Web-site privacy statement] that you can't back up because you're exposing yourself to huge liability. If there was any question about the FTC having jurisdiction, they do have it and they're not going to shy away from exercising control over the Internet."
Ari Schwartz, policy analyst for the Center for Democracy and Technology, Washington, DC, a civil liberties nonprofit group, called GeoCities' settlement a defining moment for how privacy will be regulated online.
"Privacy advocates have been saying that the FTC has the authority to go after bad actors and set baseline privacy standards," Schwartz said. "They demonstrated that they have the authority to investigate. We hope that in the near future we'll see what the baseline standards will be."
According to the FTC, GeoCities agreed to settle charges that it misrepresented the purposes for which it was collecting personal identifying information from children and adults. GeoCities is a 2 million-member site that provides personal home pages. The FTC alleged that GeoCities released personal identifying information to third parties for ad-targeting purposes beyond what GeoCities' members agreed to. The FTC also charged that GeoCities misrepresented that it ran the GeoKidz Club and contests when the club and contests were run by others who collected data from children.
"GeoCities misled its customers, both children and adults, by not telling the truth about how it was using their personal information," said Jodie Bernstein, director of the FTC's Bureau of Consumer Protection. "This case is a message to all Internet marketers that statements about their information-collection practices must be accurate and complete."
The FTC said GeoCities agreed to post a privacy statement prominently on its Web site that advises visitors of its true information practices. Also under the settlement, GeoCities must get parental permission to collect information from children under 12 and for five years must include a link within its privacy statement to the FTC's Web site at www.ftc.gov.
GeoCities, Santa Monica, CA, denied the FTC's allegations but said it settled the case to resolve the matter quickly, and compliance with the settlement "will not have any material adverse effect on the company's business."
Meanwhile, under the new medical records standards proposed by the Department of Health and Human Services, all health-related companies that maintain or transmit health information electronically will have to maintain "responsible and appropriate safeguards" to ensure the integrity and confidentiality of the information. The safeguards include developing a security plan, training employees and locking access to records.
"Electronic medical records can give us greater efficiency and lower cost, but those benefits must not come at the cost of loss of privacy," Shalala said in a statement. "The proposals we are making today will help protect against one kind of threat -- the vulnerability of information in electronic formats. Now we need to finish the bigger job and create broader legal protections for the privacy of those records."
The new standards were mandated by the Health Insurance Portability Act of 1996. Under the act, Congress has until August 1999 to enact medical-record privacy legislation or Shalala's office will be authorized to implement privacy regulation.