Subj: Online Privacy: Perspectives of Progressive Policy Institute From: Shane Ham, Policy Analyst, Progressive Policy Institute, 202-608- 1284, sham@dlcppi.org To: Internet Caucus Advisory Committee In a high profile case last summer, the Federal Trade Commission (FTC), which is authorized to take legal action against companies for “deceptive” practices, did just that against the Internet company GeoCities, which used personal information gathered from its members for purposes other than those it disclosed. Specifically, the FTC charged GeoCities with falsely representing that the personally identifiable records it collects through its membership application form are used only to provide members the specific advertising offers and products or services they request. The FTC further charged that GeoCities falsely represented that “optional,” more detailed personal information collected through the application form is not disclosed to third parties without the members’ permission. In the end, a settlement required GeoCities to post and comply with a more explicitly detailed privacy policy for its members, including greater protection for children under the age of 12, requiring some form of parental consent before children are allowed to give out any personal information. The basic consumer protection statute enforced by the FTC—Section 5(a) of the FTC Act—declares unlawful any “unfair or deceptive acts or practices” that affect commerce.[6] Under that statute, the FTC has clear authority to take action against any U.S. Internet site, if, as GeoCities did, it departs from its posted privacy policies, because that amounts to a “deceptive” practice. But federal authority and consumer recourse mechanisms stand on considerably shakier ground when a company doesn’t technically deceive consumers for the simple reason that it doesn’t disclose any sort of privacy policy at all. For the FTC to go after those sorts of Web sites, Congress would need to define what “unfair” practices are in the area of online consumer privacy protection. Unfair practices are currently defined to mean those that “cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” [Note 7] The FTC reported to Congress in June 1998 that while the vast majority of Web sites of all types collect some sort of personal information—such as name, e- mail address, postal address, phone number, fax number, credit card number, social security number, demographic information, or personal interests—a mere 14 percent of a comprehensive sample of sites openly disclosed some sort of privacy policy or information practice statement. [Note 8] However, close to three out of four of the most popular sites in the survey disclosed either a privacy policy or an information practice statement, or both. And in the year since the FTC’s study, industry-led initiatives encouraging companies to adhere to higher privacy standards have gained momentum. Presumably, the next FTC-sponsored study, which is to be conducted through Georgetown University, will find some level of improvement in the past year. But the 1998 FTC study’s findings nonetheless underscore an important point about an entirely industry-led approach to privacy concerns: there will always be some companies who choose not to participate in self-regulatory systems. --------------------------- FOOTNOTES: [Note 7] (15 U.S.C. Sec. 45(n)). [Note 8] Federal Trade Commission, “Privacy Online: A Report to Congress,” June 1998.