In re GeoCities, FTC Docket No. C-3849 (Feb. 12, 1999) (full-text).
Factual Background Edit
GeoCities, headquartered in Santa Monica, California, operated the GeoCities website, a "virtual community" consisting of members' personal home pages organized into themed areas, called neighborhoods. GeoCities had over 2 million members, and industry reports identified it as the third most frequently visited website accessed from consumers' homes.
GeoCities provided numerous services to its members, including free and fee-based personal home pages and free e-mail service. In order to become a member of GeoCities, individuals had to complete an online application form that requests certain personal identifying information. At the time of the investigation, the form designated certain information as mandatory and other information as "optional." The form also asked applicants to select whether they wished to receive specific "special offers" from advertisers, and specific products or services from individual companies.
Through this registration process, GeoCities created a database that included e-mail and postal addresses, member interest areas, and demographics including income, education, gender, marital status and occupation. According to the agency, this information created target markets for advertisers and resulted in disclosure of personal identifying information of children and adults to third-party marketers.
FTC Complaint Edit
Second, the complaint alleged that GeoCities made "[m]isrepresentations involving sponsorship" when the site stated that it personally collected and maintained children's personal information for an online club. Instead, the complaint alleged that third parties were collecting and maintaining this personal data from children. The FTC claimed that GeoCities' conduct constituted "unfair or deceptive acts or practices" in violation of Section 5 of the FTC Act.
Consent Order Edit
The case quickly settled with the GeoCities Consent Order (Consent Order).
The Order required the company to post on its website a clear and prominent Privacy Notice, telling consumers what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information. The Notice, or a clear and prominent hyperlink to the Notice, would have to appear on the website's home page and at each location on the site at which such information is collected.
To ensure parental control, the Order required GeoCities to obtain parental consent before collecting "personal identifying information" from children 12 and under. The order did not require any particular procedure for obtaining parental consent, allowing for future technological developments, but included a specific procedure that would be deemed to comply with the order. Under that procedure, GeoCities could collect certain "limited screening information" from consumers attempting to register at the site for the purpose of identifying and blocking children 12 and under from registering without their parent's permission. The company would then (a) notify the parents of the child's interest in registering at the site, and (b) obtain a parent's express consent. The order specified several means by which the parent could transmit his/her consent, including a signed statement sent by mail or a credit card authorization.
Under the Order, GeoCities was required to notify its members and provide them with an opportunity to have their information deleted from GeoCities' and any third parties' databases. The settlement required GeoCities to notify the parents of children 12 and under and to delete their information, unless a parent affirmatively consented to its retention and use. GeoCities also would be required to contact third parties to whom it previously disclosed the information and request that those parties delete that information as well.
Finally, the settlement required GeoCities to provide, for five years, a clear and prominent hyperlink within its Privacy Notice directing visitors to the FTC's website to view educational material on consumer privacy. GeoCities also was required to establish an information practices training program for its employees and volunteer community leaders.
- ↑ Complaint, In re GeoCities (F.T.C. Feb. 5, 1999) (No. C-3850).
- ↑ See id. ¶¶12-16 (setting forth the alleged misrepresentations involving information collected by Geocities).
- ↑ Id. ¶¶ 17-20.
- ↑ Id. ¶19.
- ↑ Decision and Order, In re Geocities, No. C-3850 (Feb. 5, 1999).
- ↑ "Personal identifying information" is defined in the Consent Order to include name, physical and e-mail address, phone number, and any other information that by itself or in combination with other information is identifiable to a specific individual.
- ↑ Id. at Part IV. These requirements reflected the Commission's earlier pronouncement that website privacy policies should reflect the Fair Information Practice Principles, including the Notice/Awareness Principle, the Choice/Consent Principle, and the Access/Participation Principle.
- ↑ FTC website.
- ↑ Documents related to these enforcement actions are available here.
- ↑ Pub. L. No. 105 to 277, Div. C, tit. XIII, § 1301, 112 Stat. 2681-2728 (1998), codified at 15 U.S.C. §§ 6501-06, and its implementing regulations. 16 C.F.R. Part 312 (Apr. 21, 2000).