9823015
B251544

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION

COMMISSIONERS:
Robert Pitofsky, Chairman
Sheila F. Anthony
Mozelle W. Thompson
Orson Swindle

In the Matter of

GEOCITIES, a corporation.

DOCKET NO. C-3850

DECISION AND ORDER

The Federal Trade Commission having initiated an investigation of certain acts and practices of the respondent named in the caption hereof, and the respondent having been furnished thereafter with a copy of a draft of complaint which the Bureau of Consumer Protection proposed to present to the Commission for its consideration and which, if issued by the Commission, would charge respondent with violation of the Federal Trade Commission Act; and

The respondent, its attorneys, and counsel for Federal Trade Commission having thereafter executed an agreement containing a consent order, an admission by the respondent of all the jurisdictional facts set forth in the aforesaid draft of complaint, a statement that the signing of said agreement is for settlement purposes only and does not constitute an admission by respondent that the law has been violated as alleged in such complaint, or that the facts as alleged in such complaint, other than jurisdictional facts, are true and waivers and other provisions as required by the Commission's Rules; and

The Commission having considered the matter and having determined that it had reason to believe that the respondent has violated the said Act, and that complaint should issue stating its charges in that respect, and having thereupon accepted the executed consent agreement and placed such agreement on the public record for a period of sixty (60) days, and having duly considered the comments filed thereafter by interested persons pursuant to § 2.34 of its Rules, now in further conformity with the procedure prescribed in § 2.34 of its Rules, the Commission hereby issues its complaint, makes the following jurisdictional findings and enters the following order:

1. Respondent GeoCities is a corporation organized, existing, and doing business under and by virtue of the laws of the State of California, with its office or principal place of business located at 1918 Main Street, Suite 300, Santa Monica, California 90405.

2. The Federal Trade Commission has jurisdiction of the subject matter of this proceeding and of the respondent, and the proceeding is in the public interest.

ORDER

DEFINITIONS

For purposes of this order, the following definitions shall apply:

1. "Child" or "children" shall mean a person of age twelve (12) or under.

2. "Parents" or "parental" shall mean a legal guardian, including, but not limited to, a biological or adoptive parent.

3. "Personal identifying information" shall include, but is not limited to, first and last name, home or other physical address (e.g., school), e-mail address, telephone number, or any information that identifies a specific individual, or any information which when tied to the above becomes identifiable to a specific individual.

4. "Disclosure" or "disclosed to third party(ies)" shall mean (a) the release of information in personally identifiable form to any other individual, firm, or organization for any purpose or (b) making publicly available such information by any means including, but not limited to, public posting on or through home pages, pen pal services, e-mail services, message boards, or chat rooms.

5. "Clear(ly) and prominent(ly)" shall mean in a type size and location that are not obscured by any distracting elements and are sufficiently noticeable for an ordinary consumer to read and comprehend, and in a typeface that contrasts with the background against which it appears.

6. "Archived" database shall mean respondent's off-site "back-up" computer tapes containing member profile information and GeoCities Web site information.

7. "Electronically verifiable signature" shall mean a digital signature or other electronic means that ensures a valid consent by requiring: (1) authentication (guarantee that the message has come from the person who claims to have sent it); (2) integrity (proof that the message contents have not been altered, deliberately or accidentally, during transmission); and (3) non-repudiation (certainty that the sender of the message cannot later deny sending it).

8. "Express parental consent" shall mean a parent's affirmative agreement that is obtained by any of the following means: (1) a signed statement transmitted by postal mail or facsimile; (2) authorizing a charge to a credit card via a secure server; (3) e-mail accompanied by an electronically verifiable signature; (4) a procedure that is specifically authorized by statute, regulation, or guideline issued by the Commission; or (5) such other procedure that ensures verified parental consent and ensures the identity of the parent, such as the use of a reliable certifying authority.

9. Unless otherwise specified, "respondent" shall mean GeoCities, its successors and assigns and its officers, agents, representatives, and employees.

10. "Commerce" shall mean as defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.

I.

IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with any online collection of personal identifying information from consumers, in or affecting commerce, shall not make any misrepresentation, in any manner, expressly or by implication, about its collection or use of such information from or about consumers, including, but not limited to, what information will be disclosed to third parties and how the information will be used.

II.

IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with any online collection of personal identifying information from consumers, in or affecting commerce, shall not misrepresent, in any manner, expressly or by implication, the identity of the party collecting any such information or the sponsorship of any activity on its Web site.

III.

IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online collection of personal identifying information from children, in or affecting commerce, shall not collect personal identifying information from any child if respondent has actual knowledge that such child does not have his or her parent's permission to provide the information to respondent. Respondent shall not be deemed to have actual knowledge if the child has falsely represented that (s)he is not a child and respondent does not knowingly possess information that such representation is false.

IV.

IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online collection of personal identifying information, in or affecting commerce, shall provide clear and prominent notice to consumers, including the parents of children, with respect to respondent's practices with regard to its collection and use of personal identifying information. Such notice shall include, but is not limited to, disclosure of:

A. what information is being collected (e.g., "name," "home address," "e-mail address," "age," "interests");

B. its intended use(s);

C. the third parties to whom it will be disclosed (e.g., "advertisers of consumer products," "mailing list companies," "the general public");

D. the consumer's ability to obtain access to or directly access such information and the means by which (s)he may do so;

E. the consumer's ability to remove directly or have the information removed from respondent's databases and the means by which (s)he may do so; and

F. the procedures to delete personal identifying information from respondent's databases and any limitations related to such deletion.

Such notice shall appear on the home page of respondent's Web site(s) and at each location on the site(s) at which such information is collected.

Provided that, respondent shall not be required to include the notice at the locations at which information is collected if such information is limited to tracking information and the collection of such information is described in the notice required by this Part.

Provided further that, for purposes of this Part, compliance with all of the following shall be deemed adequate notice: (a) placement of a clear and prominent hyperlink or button labeled PRIVACY NOTICE on the home page(s), which directly links to the privacy notice screen(s); (b) placement of the information required in this Part clearly and prominently on the privacy notice screen(s), followed on the same screen(s) with a button that must be clicked on to make it disappear; and (c) at each location on the site at which any personal identifying information is collected, placement of a clear and prominent hyperlink on the initial screen on which the collection takes place, which links directly to the privacy notice and which is accompanied by the following statement in bold typeface:

NOTICE: We collect personal information on this site. To learn more about how we use your information click here.

V.

IT IS FURTHER ORDERED that respondent, directly or through any corporation, subsidiary, division, or other device, in connection with the online collection of personal identifying information from children, in or affecting commerce, shall maintain a procedure by which it obtains express parental consent prior to collecting and using such information.

Provided that, respondent may implement the following screening procedure that shall be deemed to be in compliance with this Part. Respondent shall collect and retain certain personal identifying information from a child, including birth date and the child's and parent's e-mail addresses (hereafter "screening information"), enabling respondent to identify the site visitor as a child and to block the child's attempt to register with respondent without express parental consent. If respondent elects to have the child register with it, respondent shall: (1) give notice to the child to have his/her parent provide express parental consent to register; and/or (2) send a notice to the parent's e-mail address for the purpose of obtaining express parental consent. The notice to the child or parent shall provide instructions for the parent to: (1) go to a specific URL on the Web site to receive information on respondent's practices regarding its collection and use of personal identifying information from children and (2) provide express parental consent for the collection and use of such information. Respondent's collection of screening information shall be by a manner that discourages children from providing personal identifying information in addition to the screening information. All personal identifying information collected from a child shall be held by respondent in a secure manner and shall not be used in any manner other than to effectuate the notice to the child or parent, or to block the child from further attempts to register or otherwise provide personal identifying information to respondent without express parental consent. The personal identifying information collected shall not be disclosed to any third party prior to the receipt of express parental consent. 

If express parental consent is not received by twenty (20) days after respondent's collection of the information from the child, respondent shall remove all such personal identifying information from its databases, except such screening information necessary to block the child from further attempts to register or otherwise provide personal identifying information to respondent without express parental consent.

VI.

Nothing in this order shall prohibit respondent from collecting personal identifying information from children or from using such information, as specifically permitted in the Children's Online Privacy Protection Act of 1998 (without regard to the effective date of the Act) or as such Act may hereafter be amended; regulations or guides promulgated by the Commission; or self-regulatory guidelines approved by the Commission pursuant to the Act.

VII.

IT IS FURTHER ORDERED that respondent GeoCities, and its successors and assigns, shall provide a reasonable means for consumers, including the parents of children, to obtain removal of their or their children's personal identifying information collected and retained by respondent and/or disclosed to third parties, prior to the date of service of this order, as follows:

A. Respondent shall provide a clear and prominent notice to each consumer over the age of twelve (12) from whom it collected personal identifying information and disclosed that information to CMG Information Services, Inc., describing such consumer's options as stated in Part VII.C and the manner in which (s)he may exercise them.

B. Respondent shall provide a clear and prominent notice to the parent of each child from whom it collected personal identifying information prior to May 20, 1998, describing the parent's options as stated in Part VII.C and the manner in which (s)he may exercise them.

C. Respondent shall provide the notice within thirty (30) days after the date of service of this order by e-mail, postal mail, or facsimile. Notice to the parent of a child may be to the e-mail address of the parent and, if not known by respondent, to the e-mail address of the child. The notice shall include the following information:

1. the information that was collected (e.g., "name," "home address," "e-mail address," "age," "interests"); its use(s) and/or intended use(s); and the third parties to whom it was or will be disclosed (e.g., "advertisers of consumer products," "mailing list companies," "the general public") and with respect to children, that the child's personal identifying information may have been made public through various means, such as by publicly posting on the child's personal home page or disclosure by the child through the use of an e-mail account;

2. the consumer's and child's parent's right to obtain access to such information and the means by which (s)he may do so;

3. the consumer's and child's parent's right to have the information removed from respondent's or a third party's databases and the means by which (s)he may do so;

4. a statement that children's information will not be disclosed to third parties, including public posting, without express parental consent to the disclosure or public posting;

5. the means by which express parental consent may be communicated to the respondent permitting disclosure to third parties of a child's information; and

6. a statement that the failure of a consumer over the age of twelve (12) to request removal of the information from respondent's databases will be deemed as approval to its continued retention and/or disclosure to third parties by respondent.

D. Respondent shall provide to consumers, including the parents of children, a reasonable and secure means to request access to or directly access their or their children's personal identifying information. Such means may include direct access through password protected personal profile, return e-mail bearing an electronically verifiable signature, postal mail, or facsimile.

E. Respondent shall provide to consumers, including the parents of children, a reasonable means to request removal of their or their children's personal identifying information from respondent's and/or the applicable third party's databases or an assurance that such information has been removed. Such means may include e-mail, postal mail, or facsimile.

F. The failure of a consumer over the age of twelve (12) to request the actions specified above within twenty (20) days after his/her receipt of the notice required in Part VII.A shall be deemed to be consent to the information's continued retention and use by respondent and any third party.

G. Respondent shall provide to the parent of a child a reasonable means to communicate express parental consent to the retention and/or disclosure to third parties of his/her child's personal identifying information. Respondent shall not use any such information or disclose it to any third party unless and until it receives express parental consent.

H. If, in response to the notice required in Part VII.A, respondent has received a request by a consumer over the age of twelve (12) that respondent should remove from its databases the consumer's personal identifying information or has not received the express consent of a parent of a child to the continued retention and/or disclosure to third parties of a child's personal identifying information by respondent within twenty (20) days after the parent's receipt of the notice required in Part VII.B, respondent shall within ten (10) days:

1. Discontinue its retention and/or disclosure to third parties of such information, including but not limited to (a) removing from its databases all such information, (b) removing all personal home pages created by the child, and (c) terminating all e-mail accounts for the child; and

2. Contact all third parties to whom respondent has disclosed the information, requesting that they discontinue using or disclosing that information to other third parties, and remove the information from their databases.

With respect to any consumer over the age of twelve (12) or any parent of a child who has consented to respondent's continued retention and use of personal identifying information pursuant to this Part, such consumer's or parent's continuing right to obtain access to his/her or a child's personal identifying information or removal of such information from respondent's databases shall be as specified in the notice required by Part IV of this order.

I. Within thirty (30) days after the date of service of this order, respondent shall obtain from a responsible official of each third party to whom it has disclosed personal identifying information and from each GeoCities Community Leader a statement stating that (s)he has been advised of the terms of this order and of respondent's obligations under this Part, and that (s)he agrees, upon notification from respondent, to discontinue using or disclosing a consumer's or child's personal identifying information to other third parties and to remove any such information from its databases.

J. As may be permitted by law, respondent shall cease to do business with any third party that fails within thirty (30) days of the date of service of this order to provide the statement set forth in Part VII.I or whom respondent knows or has reason to know has failed at any time to (a) discontinue using or disclosing a child's personal identifying information to other third parties, or (b) remove any such information from their databases. With respect to any GeoCities Community Leader, the respondent shall cease the Community Leader status of any person who fails to provide the statement set forth in Part VII.I or whom respondent knows or has reason to know has failed at any time to (a) discontinue using or disclosing a child's personal identifying information to other third parties, or (b) remove any such information from their databases.

For purposes of this Part: "third party(ies)" shall mean each GeoCities Community Leader, CMG Information Services, Inc., Surplus Software, Inc. (Surplus Direct/Egghead Computer), Sage Enterprises, Inc. (GeoPlanet/Planetall), Netopia, Inc. (Netopia), and InfoBeat/Mercury Mail (InfoBeat).

VIII.

IT IS FURTHER ORDERED that for the purposes of this order, respondent shall not be required to remove personal identifying information from its archived database if such information is retained solely for the purposes of Web site system maintenance, computer file back-up, to block a child's attempt to register with or otherwise provide personal identifying information to respondent without express parental consent, or to respond to requests for such information from law enforcement agencies or pursuant to judicial process. Except as necessary to respond to requests from law enforcement agencies or pursuant to judicial process, respondent shall not disclose to any third party any information retained in its archived database. In any notice required by this order, respondent shall include information, clearly and prominently, about its policies for retaining information in its archived database.

IX.

IT IS FURTHER ORDERED that for five (5) years after the date of this order, respondent GeoCities, and its successors and assigns, shall place a clear and prominent hyperlink within its privacy statement which states as follows in bold typeface:

NOTICE: Click here for important information about safe surfing from the Federal Trade Commission.

The hyperlink shall directly link to a hyperlink/URL to be provided to respondent by the Commission. The Commission may change the hyperlink/URL upon thirty (30) days prior written notice to respondent.

X.

IT IS FURTHER ORDERED that respondent GeoCities, and its successors and assigns, shall maintain and upon request make available to the Federal Trade Commission for inspection and copying the following:

A. For five (5) years after the last date of dissemination of a notice required by this order, a print or electronic copy in HTML format of all documents relating to compliance with Parts IV through IX of this order, including, but not limited to, a sample copy of every information collection form, Web page, screen, or document containing any representation regarding respondent's information collection and use practices, the notice required by Parts IV, V, and VII, any communication to third parties required by Part VII, and every Web page or screen linking to the Federal Trade Commission Web site. Each Web page copy shall be accompanied by the URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting information on the World Wide Web; and

Provided that, after creation of any Web page or screen in compliance with this order, respondent shall not be required to retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect respondent's compliance obligations under this order.

B. For five (5) years after the last collection of personal identifying information from a child, all materials evidencing the express parental consent given to respondent.

XI.

IT IS FURTHER ORDERED that respondent GeoCities, and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of this order. Respondent shall deliver this order to current personnel within thirty (30) days after the date of service of this order, and to future personnel within thirty (30) days after the person assumes such position or responsibilities.

XII.

IT IS FURTHER ORDERED that respondent GeoCities, and its successors and assigns, shall establish an "information practices training program" for any employee or GeoCities Community Leader engaged in the collection or disclosure to third parties of consumers' personal identifying information. The program shall include training about respondent's privacy policies, information security procedures, and disciplinary procedures for violations of its privacy policies. Respondent shall provide each such current employee and GeoCities Community Leader with information practices training materials within thirty (30) days after the date of service of this order, and each such future employee or GeoCities Community Leader such materials and training within thirty (30) days after (s)he assumes his/her position or responsibilities.

XIII.

IT IS FURTHER ORDERED that respondent GeoCities, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.

XIV.

IT IS FURTHER ORDERED that respondent GeoCities, and its successors and assigns, shall, within sixty (60) days after service of this order, and at such other times as the Federal Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order.

XV.

This order will terminate on February 5, 2019, or twenty (20) years from the most recent date that the United States or the Federal Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:

A. Any Part in this order that terminates in less than twenty (20) years;

B. This order's application to any respondent that is not named as a defendant in such complaint; and

C. This order if such complaint is filed after the order has terminated pursuant to this Part.

Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission.

Donald S. Clark
Secretary

ISSUED: February 5, 1999

SEAL