The Federal Trade Commission's settlement with GeoCities — the first FTC action involving Internet privacy — has garnered much attention as to the agency's involvement with online privacy issues. It also is important because it provides online marketers with insight into what the FTC views as objectionable and acceptable conduct.
GeoCities' Web site consists of members' personal home pages organized into themed areas, including ones designed for children. Children's areas are promoted through contests and other promotional means. To access options at the sites, a user needed to become a member. A membership application required the disclosure of certain identifying information about the user and includes an “optional” section.
GeoCities represented that it would “not share this [optional] information with anyone without your permission, but will use it to gain a better understanding of who is visiting GeoCities.” The optional information requested included highest level of education completed, household income, marital status, occupation and interests. To enter the various contests, GeoCities collected various personal-identifying information.
According to the FTC, through the application process and promotional activities, GeoCities was able to compile significant personal data regarding its users, including children, that it shared with third parties. Moreover, despite the company's express representation that the optional information wouldn't be shared with third parties without the user's consent, the FTC alleged that GeoCities in fact shared it with others without obtaining the requisite consent.
Under the proposed settlement, GeoCities is required to modify its activities regarding data collection of its users. These requirements include prominently placing a truthful privacy notice telling consumers what information is being collected, for what purpose, how consumers can access the information and to whom it will be disclosed. The notice is to be hyperlinked by the following “NOTICE: We collect personal information on this site. To learn more about how we use your information, click here.”
To ensure parental control, GeoCities would have to obtain parental consent before collecting information from children 12 and under, as is required under the industry self-regulatory guidelines. While the FTC agreed to permit other methods to obtain parental consent, it established one method that would be considered acceptable: GeoCities could provide notice to the child to have his parent provide parental consent to register, and/or send a notice to the parent's e-mail address for the purpose of obtaining express parental consent. The notice must provide instructions for the parent to:
* Go to a specific Web site to receive information on GeoCities data collection practices regarding information received from children.
* Provide express parental consent for the collection and use of such information. Until parental consent is obtained, all personal identifying information collected from a child is to be held securely by GeoCities and is not to be disclosed to any third party without the parent's express consent. If express parental consent is not received within 20 days after the collection of the initial information from a child, GeoCities is required to remove that information from its databases, except such screening information necessary to block the child from further attempts to register.
Under the proposed order, GeoCities also is required to notify its members of its data collection activities and provide them with an opportunity to have their information deleted from GeoCities' and any third party's database. This is to ensure that users have clear knowledge of the company's actual data collection practices.
The settlement is important for online marketers, especially those sites aimed at children. The settlement isn't expressly binding on other marketers, and the enforcement aspect was likely triggered by the allegedly false privacy disclosure. However, it provides a road map on the evolving area of Internet privacy, a topic almost certainly headed for statutory or regulatory restrictions.
Online marketers should ensure that access to a truthful privacy notice is contained on their sites where data is collected. The notice should advise users what information is being collected and how it will be used. Marketers who target children should especially take note. Given the lack of existing specific regulatory guidance as to what constitutes parental consent, it would seem that the method described in the settlement should provide a defensible approach toward data collection.