The Electronic Privacy Information Center (EPIC) has warned holiday shoppers that their privacy may be at risk if they buy gifts online. EPIC’s latest report, “Surfer Beware III: Privacy Policies Without Privacy Protection”, is based on a survey of 100 popular shopping web sites. EPIC inspected these sites for compliance with the Fair Information Handling Practices, the de facto standard for privacy protection.

The survey also examined whether these sites were using profile-based advertising and whether they issued customers with cookies. Its findings were disturbing. According to EPIC, 18 of the top 100 shopping sites had no privacy policy at all. Another 35 used profile-based advertising and a whopping 87 used cookies. EPIC says not one of the companies adequately addressed all the elements of the Fair Information Handling Practices. Finally, it complained, the privacy policies that are posted are usually confusing, inconsistent and incomplete.

“On balance, we think that consumers are more at risk today than they were in 1997, when we first examined privacy practices on the web,” said executive director Marc Rotenberg. The profiling is more extensive and the marketing techniques are more intrusive. Anonymity, which remains crucial to privacy on the internet, is being squeezed out by the rise of electronic commerce. The bottom line, he believes, is that industry self-regulation has failed. The industry has proved that it cannot enforce adequate minimum standards for the protection of consumer privacy. “Legally enforceable standards of privacy are necessary to enforce the Fair Information Practices,” Rotenberg concluded. New techniques for anonymity are necessary to protect online privacy.

Jason Catlett, president of Junkbusters Inc, was even more outspoken. “The stated policies of most big shopping sites run the gamut from bad to atrocious,” he said. People should have the right to buy without being tracked and without having their information sold.

What about industry associations like TrustE, which were formed to enforce industry self-regulation of standards? As the holiday shopping season cranked into gear, TrustE issued six basic guidelines to consumers to help them protect their privacy. The first of these guidelines was: “Look for the Web site’s privacy statement and read it thoroughly.” EPIC says that’s not going to help. “When we looked closely at these policies, we found that they typically lacked the necessary elements of Fair Information Practices and were unlikely to provide meaningful privacy protection for consumers,” the report notes. The presence of a privacy policy, unfortunately, does not always ensure privacy protection… Industry-backed self-regulation has done little to protect online privacy.

The retailers have always complained that a legislated solution would be expensive and unwieldy, and that it is unnecessary. Unless they raise their own standards, however, the passage of US privacy laws may be inevitable.