Analysis of Proposed Consent Order
to Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order from GeoCities, the operator of a Web site on the World Wide Web (“Web”), located at

The proposed consent order has been placed on the public record for sixty (60) days for reception of comments by interested persons. Comments received during this period will become part of the public record. After sixty (60) days, the Commission will again review the agreement and the comments received and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order.

The GeoCities Web site is a “virtual community” consisting of members’ personal home pages organized into 40 themed areas, called “neighborhoods.” One such neighborhood is the “Enchanted Forest,” described as a “community for and by kids.” GeoCities provides numerous services to its members, including free and fee-based personal home pages, free e-mail service, contests, and children’s clubs, among other activities. Persons wishing to become a member of GeoCities must complete an application form. The application form requests certain mandatory personally identifiable information about the applicant and certain other information it designates as “optional.” The form also asks applicants to designate whether they wish to receive specific “special offers” from advertisers, and specific products or services from individual companies.

The Commission’s complaint in this matter alleges that GeoCities engaged in three deceptive practices in connection with its collection and use of personal identifying information from consumers. First, the complaint alleges that GeoCities falsely represented that the personal identifying information it collects through the membership application form is used only to provide members the specific advertising offers and products or services they request. In fact, according to the complaint, that information has been sold, rented or otherwise disclosed to third parties who have used it for purposes other than those for which members have given permission.

Second, the complaint alleges that GeoCities falsely represented that the “optional information” it collects through the application form is not disclosed to third parties without the member’s permission. In fact, the complaint alleges, GeoCities has disclosed this information to third parties who have used it to target advertising back to the member.

The third allegation relates to two specific activities in the Enchanted Forest neighborhood. GeoCities promotes the Official GeoCities’ GeoKidz Club; children wishing to join are required to complete the Membership Request Form that solicits personal identifying information. GeoCities also promotes certain Enchanted Forest contests; children wishing to participate are required to complete an entry form that solicits personal identifying information. The complaint alleges that GeoCities has falsely represented that it collects and maintains the children’s personal identifying information collected through the GeoKidz Club Membership Request Form and the Enchanted Forest Contest Entry form. In fact, the Club and contests are run by third party “community leaders” hosted on the GeoCities Web site, and those third parties actually collect and maintain the children’s information.

Part I of the proposed order prohibits GeoCities from making any misrepresentation about its collection or use of personal identifying information from or about consumers, including what information will be disclosed to third parties and how the information will be used. The order defines “personal identifying information” as including but not limited to, “first and last name, home or other physical address (e.g. school), e-mail address, telephone number, or any information that identifies a specific individual, or any information which when tied to the above becomes identifiable to a specific individual.”

Part II of the proposed order prohibits GeoCities from misrepresenting either the identity of a party collecting any personal identifying information or the sponsorship of any activity on its Web site.

Part III prohibits GeoCities from collecting personal identifying information from any child if GeoCities has actual knowledge that the child does not have a parent’s permission to provide the information. The order defines “child” as ages twelve and under.

Parts IV and V of the order are designed as fencing-in provisions to prevent violations of consumers’ information privacy in the future. Part IV orders GeoCities to post a clear and prominent notice on its Web Site explaining GeoCities’ practices with regard to its collection and use of personal identifying information. The notice must include the following:

(a) what information is being collected; (b) its intended use(s); (c) the third parties to whom it will be disclosed; (d) how the consumer can obtain access to the information; and (e) how the consumer can have the information removed from GeoCities’ databases.

The notice must appear on the Web site’s home page and at each location on the site at which such information is collected, although the collection of so-called “tracking” information need only be disclosed on the home page.

Part IV includes a “safe harbor” provision that deems a specified procedure to be in compliance with this Part. It would allow GeoCities to post a Privacy Notice on its home page along with a clear and prominent hyperlink to that notice at each location on the site at which personal identifying information is collected. The hyperlink would be accompanied by the following statement:

NOTICE:We collect personal information on this site. To learn more about how we use your information click here.

Part V of the proposed order sets forth the principles of parental choice and control. This Part requires GeoCities to implement a procedure to obtain “express parental consent” prior to collecting and using children’s identifying information, a procedure commonly referred to as “opt-in”. The proposed order provides GeoCities with flexibility in designing its procedures, so long as they meet the objective of ensuring prior parental consent. This flexibility reflects the likelihood of future technological developments to facilitate parental consent in the online medium.

In addition, this Part includes a “safe harbor” procedure. Under it, GeoCities may collect certain, limited screening information from prospective site registrants to identify those twelve and under. Prior to collecting any further information, GeoCities will then send the parent an e- mail providing notice of the child’s interest in registering and instructing the parent to go to a specified location on the site to register the child and provide consent to GeoCities’ collection and use of the information. The order provides several means by which GeoCities may obtain express parental consent, including (1) a statement signed by the parent that is mailed or faxed to GeoCities, (2) a credit card authorization, (3) e-mail from the parent with an electronically verifiable signature, (4) a procedure authorized by statute, rule or FTC guideline, or (5) any other procedure that ensures verified parental consent and the parent’s identity. GeoCities must hold secure all screening information and may use it only to provide notice to the child or parent, or to block the child from further attempts to register without parental consent.

Part VI addresses the information that GeoCities previously collected from consumers. It requires GeoCities to notify all such consumers (in the case of children, their parents) and to give them an opportunity to have their information removed from GeoCities’ and third parties’ databases. Those over the age of twelve will be given notice and the opportunity to remove their information (commonly referred to as “opt-out”). For children, GeoCities must remove all such information (including home pages and e-mail accounts) unless a parent grants express consent to its continued retention and use (“opt-in”) GeoCities’ information removal obligations also include the responsibility to contact third parties to whom it previously has disclosed the information and to request that those parties delete that information as well. GeoCities must obtain a statement from all such third parties that they intend to comply with the above requirements, and must cease doing business with any such party that refuses to provide the statement or who GeoCities knows or has reason to know is failing to delete the information upon request. GeoCities must also provide consumers with a reasonable and secure means to access the information that GeoCities previously collected from them.

Part VII permits GeoCities to retain certain personally identifiable information in its “archived database” for the limited purposes of site maintenance, computer file back-up, blocking a child’s attempt to register without parental consent, or to respond to requests for such information from law enforcement agencies or pursuant to judicial process. GeoCities must disclose its retention of information in the archived database in its privacy notice.

Part VIII is a consumer education provision. It requires that for five years GeoCities place a clear and prominent hyperlink within its privacy notice directing visitors to the FTC’s Web site to view educational material on consumer privacy. Currently, the FTC site contains a brochure entitled: “Site-Seeing on the Internet,” which can be found at .

Part IX outlines GeoCities’s recordkeeping requirements under the proposed order. Part

X requires GeoCities to deliver a copy of the order to certain company officers and personnel. Part XI requires GeoCities to establish an "information practices training program" for employees and GeoCities Community Leaders, volunteers who provide a variety of services to GeoCities’ members. The program must include training about GeoCities's privacy policies, information security procedures, and disciplinary procedures for violations of its privacy policies.

Parts XII and XIII require GeoCities to notify the Commission of any change in its corporate structure that might affect compliance with the order; and to file compliance reports with the Commission. Part XIV is a “sunset” provision, dictating that the order will terminate in twenty years absent certain circumstances.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the agreement and proposed order or to modify in any way their terms.