- A medical clinic's online doctor-referral service invites consumers to submit their name, postal address, e-mail address, insurance company, and any comments concerning their medical problems, and to indicate whether they wish to receive information on any of a number of topics, including urinary incontinence, hypertension, cholesterol, prostate cancer, and diabetes. The online application for the clinic's health education membership program asks consumers to submit their name, address, telephone number, date of birth, marital status, gender, insurance company, and the date and location of their last hospitalization. The clinic's Web site says nothing about how the information consumers provide will be used or whether it will be made available to third parties.
- A child-directed site collects personal information, such as a child's full name, postal address, e-mail address, gender, and age. The site also asks a child whether he or she has received gifts in the form of stocks, cash, savings bonds, mutual funds, or certificates of deposit; who has given these gifts; whether monetary gifts were invested in mutual funds, stocks, or bonds; and whether the child's parents own mutual funds. Elsewhere on the site, contest winners' full name, age, city, state and zip code are posted. The Web site does not tell children to ask their parents for permission before providing personal information and does not appear to take any steps to involve parents. Further, the site says nothing about whether the information is disclosed to third parties.
The World Wide Web is an exciting new marketplace for consumers. It offers easy access to a broad array of goods, services, and information, but also serves as a source of vast amounts of personal information about consumers, including children. While the online consumer market is growing exponentially, there are also indications that consumers are wary of participating in it because of concerns about how their personal information is used. As the above examples show, these concerns are real, for both adults and children.
The Commission has been involved in addressing online privacy issues for almost as long as there has been an online marketplace and has held a series of workshops and hearings on such issues. Throughout, the Commission's goal has been to encourage and facilitate effective self-regulation as the preferred approach to protecting consumer privacy online. These efforts have been based on the belief that greater protection of personal privacy on the Web will not only protect consumers, but also increase consumer confidence and ultimately their participation in the online marketplace. In this report, the Commission summarizes widely-accepted principles regarding information collection, use, and dissemination; describes the current state of information collection and privacy protection online; and assesses the extent of industry's self-regulatory response.
Government studies in the United States and abroad have recognized certain core principles of fair information practice. These principles are widely accepted as essential to ensuring that the collection, use, and dissemination of personal information are conducted fairly and in a manner consistent with consumer privacy interests. These core principles require that consumers be given notice of an entity's information practices; that consumers be given choice with respect to the use and dissemination of information collected from or about them; that consumers be given access to information about them collected and stored by an entity; and that the data collector take appropriate steps to ensure the security and integrity of any information collected. Moreover, it is widely recognized that fair information practice codes or guidelines should contain enforcement mechanisms to ensure compliance with these core principles. With respect to the collection of information from children, a wide variety of public policies recognize the important supervisory role of parents in commercial transactions involving their children. Parental control is also the touchstone for application of fair information practice policies to the collection of information from children.
The Commission solicited industry association fair information practice guidelines to assess their conformity with these core principles. This assessment shows that industry association guidelines generally encourage members to provide notice of their information practices and some choice with respect thereto, but fail to provide for access and security or for enforcement mechanisms.
In light of the Commission's findings and significant consumer concerns regarding privacy online, it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles. The Commission is currently considering such incentives and possible courses of action to adequately protect the privacy of online consumers generally. The Commission will make its recommendations on this subject this summer.
In the specific area of children's online privacy, however, the Commission now recommends that Congress develop legislation placing parents in control of the online collection and use of personal information from their children. Such legislation would require Web sites that collect personal identifying information from children to provide actual notice to parents and obtain parental consent. The timing of such notice and consent would vary depending on the age of the child, and the nature and uses of the information collected. Such legislation would protect children and ensure that parents have knowledge of, and control over, the collection of information from their children.
The development of the online marketplace is at a critical juncture. If growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential. To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information. Accordingly, the Commission now recommends legislation to protect children online and this summer will recommend an appropriate response to protect the privacy of all online consumers.
This report to Congress provides an assessment of the effectiveness of self-regulation as a means of protecting consumer privacy on the World Wide Web ("the Web").(1) It is based on a comprehensive online survey of the information practices of commercial Web sites, including sites directed to children, conducted in March 1998; an examination of current industry guidelines governing information practices online; and the record developed in Commission hearings and workshops held since 1995.
Part II of the report provides a brief history of the Commission's work in the area of online privacy, and a summary of the privacy concerns raised by the new online marketplace. Part III describes what have come to be recognized as the core principles of privacy-protective information practices. Part IV then compares current industry guidelines with these generally accepted principles, and Part V presents the findings of the Commission's survey of Web sites. Part VI sets forth the Commission's conclusions.