American internet companies routinely invade their customers’ privacy, collecting personal information through web sites without disclosing the uses to which the information will be put. Worse, many such sites target children, a Federal Trade Commission report has found. Some publish children’s identifying details and street addresses on the web, without parental knowledge or consent.

So much had been leaked that when the FTC’s much-anticipated Report on Consumers’ Online Privacy finally hit the table this morning, it contained few surprises. Even so, the picture it painted of online privacy in America was unremittingly bleak. In a March 1998 survey of 1,400 internet sites, the FTC found that only 2% of consumer sites provided a comprehensive privacy policy. Of 212 sites targeted at children, 89% collect personal information but only 23% tell kids to ask for their parents’ permission before giving that information. Fewer than 8% notify parents and fewer than 10% give parents any control over information their kids have already disclosed.

Appalled by their findings, FTC officials have recommended legislation to protect the privacy of children using the web. They want to require opt-in consent by parents for kids’ offline contact details and for third-party disclosure of any information, and opt-out consent even for email addresses. They say industry calls for self-governance have demonstrably failed to meet community standards.

The report points out that there are five basic aspects to online privacy: notice of information collection; choice about whether or not to disclose; access to databases; integrity or security of information; and enforcement or redress. Even where notice is being provided, as with companies which do publish their privacy policy onsite, four other equally important aspects are being neglected.

The Direct Marketing Association contests the FTC figures.
Each month it conducts its own survey, though only of Hot100 sites, and it says that more companies posted privacy policies in May than did in January. This is due in no small part to pressure from DMA president and CEO H. Robert Wientzen, who calls top sites personally and urges them to develop a policy.

The FTC’s associate director for credit practices, David Medine, says: “Clearly things are improving. The question is, have they improved enough? Certainly for children the answer is no. We will be revisiting the issue of legislation to protect adults as well.” He says that given the DMA’s intensive and targeted campaign, the fact that 30 of the top 100 sites still have not published privacy policies is very disturbing indeed.

But DMA members and the industry at large do not want legislation, which they say may unjustly restrict their ability to exploit new technologies. Before the ink had dried, the FTC’s findings were hailed by McGraw-Hill, the Interactive Services Association, AOL, HP and Disney’s Buena Vista Group. Its conclusions were not. Most industry players accepted the need for legislation to protect children, but said self-regulation would be good enough for adults. All parties emphasized that if followed by the rest of the industry, their own sterling information-handling practices should eliminate the need for new laws.

Others disagree. “There obviously should be legislation and not just for children. Everyone deserves a level of protection,” says David Banisar, senior counsel for the Electronic Privacy Information Center (EPIC) in Washington, DC. He agrees that the FTC’s findings demonstrate that self-regulation does not work. “Industry is clearly not interested in privacy,” he says. “The trouble is that in a lot of cases, the privacy policies they do have are garbage. Notice is not privacy. The announcement that you are being ‘surveilled’ and there’s not a blind thing you can do about it does not contribute one iota to protection of your privacy.”
The argument must be settled soon. On October 28, the EU directive limiting transborder information flow to nations with ‘adequate’ privacy protection kicks in (CI No 3,411). On current form, US privacy practices are unlikely to be deemed ‘adequate’. “It should be clear to everyone by now that the US is not well situated to comply with the directive,” EPIC’s Banisar explains. “People seem to have expended most of their energy lobbying the EU not to enforce the directive.”

Failing the adequacy test means having to obtain permission for every transborder exchange of personal information, with no guarantee that permission will be obtained. If that happens, the same US information brokers that oppose a legislated solution will be the big losers. Time and money will go to waste.

Can this disaster be averted? “That’s the $64,000 question,” admits the FTC’s Medine. “We’ll have to wait till October to find that out. We have been having ongoing dialog with the EU representatives and we share their concerns. Whether we have met the standards for adequacy remains to be seen.” The clock is ticking.