The Federal Trade Commission, Washington, issued a report to Congress yesterday that said it will ask Congress for authority to impose tough consumer privacy safeguards on Internet sites.
In its report “Privacy Online: Fair Information Practices in the Electronic Marketplace,” the FTC concluded that self-regulation alone has not adequately protected consumer’s online privacy, and that legislation is needed to supplement self-regulatory efforts and guarantee basic consumer protections.
“While the Commission applauds the efforts by the private sector to address the issue of online privacy,” said FTC Chairman Robert Pitofsky. “The survey results show that such efforts have not been enough. As this year's survey makes clear, the number of web sites meeting basic standards of privacy protection is far too low, endangering consumer confidence in this fast-growing, pro-consumer marketplace.”
The Report recommends that Congress enact legislation to ensure a minimum level of privacy protection for online consumers, establishing “basic standards of practice for the collection of information online.” The proposed legislation would require consumer oriented commercial Web sites “that collect personal identifying information from or about consumers online” to “comply with the four widely-accepted fair information practices: ‘Notice, Choice, Access and Security.'”
The recommendations to Congress are supported by the findings of the FTC's 2000 Survey of the most-visited sites on the Internet. The Commission’s survey was based on two target groups: A random sample of all Web sites with at least 39,000 unique monthly visitors and the 100 most popular U.S. commercial Web sites. The results showed that only 20 percent of the random sample sites were found to have implemented all four fair information practices. And among the most popular group, just 42 percent did so. Even when the report looked at the percentage of sites implementing the two critical practices of “Notice” and “Choice,” only 41 percent of the random sample and 60 percent of the most popular sites provided such privacy disclosures.
While the report praises industry efforts to date, it points to survey results showing that the adoption of the industry's self-regulatory enforcement initiatives — online privacy seal programs — have yet to establish a significant presence on the Web.
According to the report, “the survey found that less than one-tenth, or approximately 8 percent, of sites in the random sample, and 45 percent of sites in the most popular group, display a privacy seal.” The report concludes that self-regulatory efforts alone “cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leader1s,” that industry initiatives should continue to play an important role within any statutory structure and “widely-adopted seal programs could be an important component of that effort.”
The decision represents a sharp departure from the agency's previous policy of self-regulation.
The Commission vote to release the report was 3-2, with Commissioner Orson Swindle dissenting, and Commissioner Thomas B. Leary concurring in part and dissenting in part.
Commissioner Swindle called the majority's recommendation “an unwarranted reversal of its earlier acceptance of a self-regulatory approach” despite what he described as “continued, significant progress” in self-regulation. In a 27-page dissent, he warned that “the Privacy Report stands as the majority's 'justification' for [its] recommendation to legislate privacy — a dramatic reversal in position for the Commission and a mandate for the commercial online world to comply with the government's interpretation of all four fair information practice principles.
Commission officials are planning to testify before the Senate Commerce Committee on Thursday.
Many industry groups dispute the FTC’s position and say any effort to give the commission new rule-making authority would be an unwarranted incursion by the government into regulating cyberspace and could discourage the development of many start-up Internet companies.
The Direct Marketing Association, for example, yesterday disputed the FTC recommendation and said a Web survey it conducted in April and May shows that the majority of popular Web sites post privacy policies that help inform individuals about what information is collected and how it is used. The DMA found that 93 percent of these sites posted such policies.
“Clearly, self-regulation has taken hold with lightning speed,” said H. Robert Wientzen, president & chief executive officer, the DMA. “Commercial sites know that consumers are extremely concerned about security on the Internet, and know that it is both a business and consumer imperative to protect individuals' information. In addition, just as important, most businesses inform individuals about their data collection and use practices, and the choice that consumers have to control that information. Our survey shows that most Web sites are, in fact, posting such notices. Furthermore, we are working hard to bring that number to 100 percent.”
The survey was conducted from April 18 through May 12 and the top shopping Web sites, as identified by www.hot100.com, were surveyed. It also analyzed the contents of the site’s privacy policies.
Of the 93 sites that had privacy statements:
95 percent described how data was collected
95 percent explained how the data was used
91 percent notified the consumer if data was transferred to third parties
74 percent offered consumers the opportunity to “opt out” of information transfers
73 percent described data security measures
73 percent offered access to information for correction purposes
While insiders said prospects were not strong for Congress to adopt legislation so late in its session — it does not mean Congress is not interest in passing legislation eventually
A group of nine Democratic senators led by Ernest F. Hollings of South Carolina and John D. Rockefeller of West Virginia are planning to introduce a measure next week that is similar to what the commission has sought. The legislation also contains measures that appeal to Internet companies, most notably a provision that pre-empts all state law on Internet privacy.