In June 1998, the Federal Trade Commission presented this report to Congress. It was based upon its examination of the information practices of over 1400 commercial sites on the World Wide Web, and assessed private industry’s efforts to implement self-regulatory programs to protect consumers’ online privacy. The Report included an analysis of 212 sites directed to children.
Although the Commission had encouraged industry to address consumer concerns regarding online privacy through self-regulation, the Commission did not find an effective self-regulatory system. The survey results found that the vast majority of online businesses had yet to adopt even the most fundamental fair information practice (notice/awareness). Moreover, trade association guidelines submitted to the Commission did not reflect industry acceptance of the basic fair information practice principles, nor contain with limited exception the enforcement mechanisms needed for an effective self-regulatory regime.
The Report identified the core principles of privacy protection common to the government reports, guidelines, and model codes that had emerged as of that time:
- (1) Notice — data collectors must disclose their information practices before collecting personal information from consumers;
- (2) Choice — consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided;
- (3) Access — consumers should be able to view and contest the accuracy and completeness of data collected about them; and
- (4) Security — data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.
It also identified (5) Enforcement — the use of a reliable mechanism to impose sanctions for noncompliance with these fair information practice principles — as a critical ingredient in any governmental or self-regulatory program to ensure privacy online.
The Report assessed the information practices of commercial websites and the existing self-regulatory efforts in light of these fair information practice principles and concluded that an effective self-regulatory system had not yet taken hold. The Commission deferred judgment on the need for legislation to protect the online privacy of consumers generally, and instead urged industry to focus on the development of broad-based and effective self-regulatory programs.
The Commission concluded that greater incentives were needed to encourage self-regulation and ensure widespread implementation of the basic privacy principles. In the specific area of children's online privacy, the Commission recommended that Congress develop legislation placing parents in control of the online collection and use of personal information from their children.