Industry Association Guidelines
Throughout the series of Commission workshops on online privacy issues, the online industry has asserted that self-regulation is a more efficient and effective means of creating online privacy protections than government regulation. To gauge the status and effectiveness of current self-regulatory efforts, on March 5, 1998 the Commission published a Federal Register Notice (the "Notice") requesting that trade associations and industry groups voluntarily submit copies of their online information practice guidelines and principles.(72) Nine industry-specific guidelines were submitted.(73) Copies of these guidelines are included in Appendix E. The guidelines do not address all of the core fair information practice principles discussed above, but all encourage companies to provide notice of at least some of their information practices, and most encourage choice with respect to the disclosure of personal information to third parties. For the most part, the submitted guidelines do not address access or security. Most importantly, very few provide any kind of enforcement mechanism, an essential element of effective self-regulation.
A. Industry Association Guidelines
Most of the guidelines suggest that member companies provide some degree of choice with respect to the use of personal information.(76) Here too there is a range in what is suggested by the guidelines. Some guidelines suggest giving consumers choice with respect to most secondary uses of their information, both external (i.e., disclosure to third parties) and internal (i.e., marketing back to the consumer);(77) others suggest giving consumers a choice solely with respect to external uses.(78) All of the guidelines speak of choice in terms of opt-out options for the consumer; none adopts an opt-in regime for adult consumers.
Several of the industry guidelines address consumer access to information by providing generally that procedures should be established to ensure accuracy of the information, including allowing consumers access to, and the opportunity to correct, information collected about them.(79) Other guidelines fail to make any reference to the access principle.
Only the banking and financial industry association guidelines, and the individual reference services guidelines, make any reference to security issues. These guidelines call generally for appropriate security procedures, including the limitation of employee access to data.(80)
With limited exception,(81) the submitted guidelines contain no enforcement mechanisms. Only one of the guidelines conditions further membership and information sharing on adherence to the guidelines.(82) One other set of guidelines provides for peer review of alleged violations, but it is not binding.(83) All of the other guidelines and policies submitted are merely exhortatory.(84) As discussed above, the absence of enforcement mechanisms significantly weakens the effectiveness of industry-promulgated guidelines as a self-regulatory tool. This is especially true if member companies fail to voluntarily adhere to suggested policies.
B. Guidelines Regarding Children's Information
The Commission received two sets of guidelines regarding collection and use of information from children in response to its March 1998 Notice: the Children's Advertising Review Unit of the Council of Better Business Bureaus, Inc.'s ("CARU") Guidelines for Interactive Electronic Media ("CARU Guidelines") and the Direct Marketing Association's ("DMA") Online Data Collection from or about Children ("DMA Children's Guidelines").(85) Both guidelines address younger children.(86)
The CARU Guidelines, issued in April 1997, are consistent with the principles outlined in the staff opinion letter described above. They require that advertisers make "reasonable efforts" to provide notice and choice to parents when information is collected from children online, including the collection of information through "passive tracking."(87) In all cases, the notice must specify the means by which parents can correct or remove the information collected from a company's database.(88) The guidelines require prior parental consent (opt-in) to the collection of personal identifying information from children under the following circumstances: (1) when the information would enable the recipient to contact the child offline, regardless of the intended use; (2) when the information would be publicly posted so as to enable others to communicate directly with the child online; and (3) when the information would be shared with third parties.(89) Under other circumstances, such as the collection for internal use of an e-mail address, first name, or hometown, the site must provide notice to the parent and an opportunity to opt-out.(90) If a site collects only anonymous or aggregate information, the guidelines require notice of the intended uses of the information, but not parental consent.(91)
In addition, CARU has an enforcement mechanism in place to promote compliance with its online privacy guidelines,(92) and has achieved a remarkably high level of compliance under this mechanism in the offline media over a long period of time.(93) While CARU has worked to encourage Web sites to adhere to its privacy guidelines with respect to the collection of personal information from children online, to date it has not achieved the same widespread adherence it has achieved in other media.(94)
The DMA Children's Guidelines, which were adopted in January 1997, do not conform to the principles set forth in the staff opinion letter. The DMA is working now, however, to strengthen and refine its children's guidelines. The current DMA Children's Guidelines urge marketers to: (1) take into account a child's age, knowledge, sophistication, and maturity when collecting information; (2) encourage young children to obtain their parents' permission;(95) and (3) support parental control over the collection of data from children through notice and opt-out.(96) These guidelines do not call for actual notice to parents or for prior parental consent, even where the information is disclosed to third parties or otherwise made publicly available.