May 2000
EXECUTIVE SUMMARY
The online consumer marketplace is growing at an exponential rate. At the same time, technology has enhanced the capacity of online companies to collect, store, transfer, and analyze vast amounts of data from and about the consumers who visit their Web sites. This increase in the collection and use of data has raised public awareness and consumer concerns about online privacy. To ensure consumer confidence in this new marketplace and its continued growth, consumer concerns about privacy must be addressed.
The Federal Trade Commission has been studying online privacy issues since 1995. This is the Commission's third report to Congress examining the state of online privacy and the efficacy of industry self-regulation. It presents the results of the Commission's 2000 Online Privacy Survey (the "Survey"), which reviewed the nature and substance of U.S. commercial Web sites' privacy disclosures, and assesses the effectiveness of self-regulation. The Report also considers the recommendations of the Commission-appointed Advisory Committee on Online Access and Security. Finally, the Report sets forth the Commission's conclusion that legislation is necessary to ensure further implementation of fair information practices online and recommends the framework for such legislation.
In its 1998 report, Privacy Online: A Report to Congress ("1998 Report"), the Commission described the widely-accepted fair information practice principles of Notice, Choice, Access, and Security. The Commission also identified Enforcement - the use of a reliable mechanism to provide sanctions for noncompliance - as a critical component of any governmental or self-regulatory program to protect privacy online. In addition, the 1998 Report presented the results of the Commission's first online privacy survey of commercial Web sites. While almost all Web sites (92% of the comprehensive random sample) were collecting great amounts of personal information from consumers, few (14%) disclosed anything at all about their information practices.
Last year, Georgetown University Professor Mary Culnan conducted a survey of a random sample drawn from the most-heavily trafficked sites on the World Wide Web and a survey of the busiest 100 sites. The former, known as the Georgetown Internet Privacy Policy Survey, found significant improvement in the frequency of privacy disclosures, but also that only 10% of the sites posted disclosures that even touched on all four fair information practice principles. Based in part on these results, a majority of the Commission recommended in its 1999 report to Congress, Self-Regulation and Privacy Online, that self-regulation be given more time, but called for further industry efforts to implement the fair information practice principles.
In February and March 2000, the Commission conducted another survey of commercial sites' information practices, using a list of the busiest U.S. commercial sites on the World Wide Web. Two groups of sites were studied: (1) a random sample of 335 Web sites (the "Random Sample") and (2) 91 of the 100 busiest sites (the "Most Popular Group"). As was true in 1998, the 2000 Survey results show that Web sites collect a vast amount of personal information from and about consumers. Almost all sites (97% in the Random Sample, and 99% in the Most Popular Group) collect an email address or some other type of personal identifying information. The 2000 Survey results show that there has been continued improvement in the percent of Web sites that post at least one privacy disclosure (88% in the Random Sample and 100% in the Most Popular Group). The Commission's 2000 Survey went beyond the mere counting of disclosures, however, and analyzed the nature and substance of these privacy disclosures in light of the fair information practice principles of Notice, Choice, Access, and Security. It found that only 20% of Web sites in the Random Sample that collect personal identifying information implement, at least in part, all four fair information practice principles (42% in the Most Popular Group). While these numbers are higher than similar figures obtained in Professor Culnan's studies, the percentage of Web sites that state they are providing protection in the core areas remains low. Further, recognizing the complexity of implementing Access and Security as discussed in the Advisory Committee report, the Commission also examined the data to determine whether Web sites are implementing Notice and Choice only. The data showed that only 41% of sites in the Random Sample and 60% of sites in the Most Popular Group meet the basic Notice and Choice standards.
The 2000 Survey also examined the extent to which industry's primary self-regulatory enforcement initiatives - online privacy seal programs - have been adopted. These programs, which require companies to implement certain fair information practices and monitor their compliance, promise an efficient way to implement privacy protection. However, the 2000 Survey revealed that although the number of sites enrolled in these programs has increased over the past year, the seal programs have yet to establish a significant presence on the Web. The Survey found that less than one-tenth, or approximately 8%, of sites in the Random Sample, and 45% of sites in the Most Popular Group, display a privacy seal.
Based on the past years of work addressing Internet privacy issues, including examination of prior surveys and workshops with consumers and industry, it is evident that online privacy continues to present an enormous public policy challenge. The Commission applauds the significant efforts of the private sector and commends industry leaders in developing self-regulatory initiatives. The 2000 Survey, however, demonstrates that industry efforts alone have not been sufficient. Because self-regulatory initiatives to date fall far short of broad-based implementation of effective self-regulatory programs, the Commission has concluded that such efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders. While there will continue to be a major role for industry self-regulation in the future, the Commission recommends that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online.
The legislation recommended by the Commission would set forth a basic level of privacy protection for consumer-oriented commercial Web sites. It would establish basic standards of practice for the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act.
Consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with the four widely accepted fair information practices:
(1) Notice - Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.
The Commission recognizes that the implementation of these practices may vary with the nature of the information collected and the uses to which it is put, as well as with technological developments. For this reason, the Commission recommends that any legislation be phrased in general terms and be technologically neutral. Thus, the definitions of fair information practices set forth in the statute should be broad enough to provide flexibility to the implementing agency in promulgating its rules or regulations.
(2) Choice - Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
(3) Access - Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
(4) Security - Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.
As noted above, industry self-regulatory programs would continue to play an essential role under such a statutory structure, as they have in other contexts. The Commission hopes and expects that industry and consumers would participate actively in developing regulations under the new legislation and that industry would continue its self-regulatory initiatives. The Commission also recognizes that effective and widely adopted seal programs could be an important component of that effort.
For all of these reasons, the Commission believes that its proposed legislation, in conjunction with self-regulation, will ensure important protections for consumer privacy at a critical time in the development of the online marketplace. Without such protections, electronic commerce will not reach its full potential and consumers will not gain the confidence they need in order to participate fully in the electronic marketplace.
Copyright © 2004 Dale A. Herbeck
Last update: 19 January 2004