According to a four-page executive summary of the report the FTC is scheduled to release later today federal officials found that for every 100 commercial Internet sites online, 85 collect personal information about their visitors, usually without giving any notice they are being monitored as they pass through their sites.
Of all sites surveyed, only 14 percent attempt to tell consumers what their privacy policies are. Fewer still - a mere 2 percent - provide a comprehensive policy that outlines what information they gather and what they do with it afterwards. "Effective industry self-regulation with respect to the online collection, use and dissemination of personal information has not yet taken hold," FTC officials wrote. "It is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of privacy principles."
Results at children's sites were arguably worse. According to the March survey, 89 percent of all children's sites collect personally identifiable information - name, address, telephone, even details such as household income and families' personal possessions - from the children themselves.
Yet only 23 percent of sites asked children to get parental permission before submitting the information. Of kids sites surveyed, only 7 percent said they would notify parents of their information practices. Less than 10 percent gave parents control over collection or use of the information.
Privacy advocates said the numbers amount to an indictment of an industry that has spent nearly three years insisting it can regulate its own actions online. The simple notice and consent the FTC looked for in the study "is an incredibly low baseline," said David Banisar, policy counsel to the Electronic Privacy Information Center. "They're starting to wake up, but they haven't quite reached consciousness."
Industry representatives said they need more time. "We clearly want some good controls but our general experience is we tend to get overreaching regulation," said Ed Black, president of the Computer and Communications Industry Association. "Let us keep refining and accelerating what we're doing."
Black's CCIA, together with 11 other industry groups, said yesterday they had produced a self-regulatory framework under which participating Internet sites could let consumers "opt out" of data collection, review personal information collected about them for accuracy, and look to third-party forums to settle disputes. Yet Privacy Times Editor Evan Hendricks said further delay was pointless. "The time has come to stop the charade about self-regulation and begin drafting real, legislation-based privacy protection," he said. "I was trying to tell them last year this was where they should go, but I guess they decided to wait a year."
The FTC said it will make further recommendations for consumers other than children later this summer.
The latest study stands in stark contrast to nearly all previous FTC efforts on online privacy. In a July 31, 1997, letter to Sen. John McCain (Arizona), for instance, officials said that though many Net sites could pose a threat to consumer privacy via aggressive use of "cookies" and other user profiling techniques, industry self-regulation should be given a chance to work.
"We are delighted with the high level of interest in our efforts shown by the industry leaders who submitted commentary and chose to participate in the (June privacy) Workshop," FTC staff wrote then. "Particularly promising are efforts to create interactive technology that permits consumers to automate their preferences, and Web sites to communicate their practices, regarding the collection and use of personal information online."