The Clinton administration and the information industry have been fighting an uphill battle to get their privacy house in order, but the most recent signs are that, even if an occasional battle can be called a victory, they are losing the war. At stake is whether companies that have staked out a presence on the Internet can be trusted to regulate their behavior in such a way as to preserve the privacy of consumers and to protect the integrity of personal information collected at Web sites. While the administration and its commercial allies have talked a good game, the proof that self-regulation is the answer to consumer worries about privacy has not been forthcoming. The report issued by the Federal Trade Commission (FTC) on online privacy, and especially online privacy for children, may be the stake through the heart of online self-regulation.
Children on the Web
The FTC report on online privacy, focusing particularly on Web sites catering to children, surveyed more than 1,400 Web sites and concluded that Congress should pass legislation protecting the privacy of children. The report noted that, "despite the commission's three-year privacy initiative supporting a self-regulatory response to consumers' privacy concerns, the vast majority of online businesses have yet to adopt even the most fundamental fair information practices. Moreover, the trade association guidelines submitted to the commission do not reflect industry acceptance of the basic fair information practice principles. In addition, the guidelines, with limited exception, contain none of the enforcement mechanisms needed for an effective self-regulatory regime. In light of the lack of notice regarding information practices on the World Wide Web and the lack of current industry guidelines adequate to establish an effective self-regulatory regime, the question is what additional incentives are required in order to encourage effective self-regulatory efforts by industry." The report added that, "in the specific area of children's online privacy, however, the commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children. Such legislation would set out the basic standards of practice governing the online collection and use of information from children. All commercial Web sites directed to children would be required to comply with these standards."
The report recommended several specific items that legislation should include. For the collection of personally identifying information from children under 12:
Where personally identifying information would enable someone to contact a child offline, the company must obtain prior parental consent, regardless of the intended use of the information (opt-in).
Where the personally identifying information is publicly posted or disclosed to third parties, the company must obtain prior parental consent (opt-in).
Where collection of an e-mail address is necessary for a child's participation at a site, such as to notify contest winners, the company must provide notice to parents and an opportunity to remove the e-mail address from the site's database (opt-out).
For personally identifying information collected from children over 12, the commission recommended that:
Web sites must provide parents with notice of the collection of such information and an opportunity to remove the information from the site's database (opt-out).
Given the fact that many commercial Web site operators knew the FTC was monitoring Web site privacy policies, the commission's survey found privacy practices on the Web to be abysmal. Of 674 commercial sites surveyed, 92 percent collected personal information but only 14 percent provided any notice about information practices and only 2 percent had a comprehensive policy. The commission reviewed 212 children's sites, and 89 percent collected personal information. Fifty-four of those sites provided some form of disclosure describing their information practices, but only 23 percent told children to seek parental permission before providing information, and fewer than 8 percent indicated they would notify parents about their information practices. Fewer than 10 percent offered some form of parental control over the collection or