May 2000

The FTC's First Internet Privacy Enforcement Action

by Marie G. Aglion and Al Gidari

Adapted with permission from an article originally published by the Bureau of National Affairs, Inc. (BNA), Electronic Commerce & Law Report, September 2, 1998

The Federal Trade Commission brought its first enforcement action targeted at the privacy practices of a website in 1998. GeoCities was accused of deceptive trade practices in its collection and use of personal information gathered from website visitors. At issue was a privacy policy that GeoCities posted but purportedly did not follow. This article discusses how the consent order reached with GeoCities can provide a model for acceptable information collection practices, and suggests that the consent order is relevant even to companies that do not currently post a privacy policy on their websites.

FTC Enforcement of Fair Information Practices

The 1998 Federal Trade Commission action against GeoCities, a popular and frequently visited website, was its first warning to companies that fail to adequately disclose their online information practices. The FTC's more recent action against Liberty Financial Companies attests to the FTC's continued interest in online privacy.

GeoCities was the first FTC enforcement action to protect privacy on the Internet. The FTC charged GeoCities with deceptive practices with respect to its collection and use of personally identifying information, which includes a person's name, postal or e-mail address, phone number or any other information that alone, or in combination with other information, can be used to identify a person individually. The FTC's complaint alleged that GeoCities violated the Federal Trade Commission Act by impliedly or expressly misrepresenting how personally identifying information collected online would be used.
The FTC also alleged that GeoCities falsely or misleadingly represented that it was collecting and maintaining such information from children when the information in fact was collected directly by third parties hosted on GeoCities' site.

The FTC's action against GeoCities is important because the proposed consent order in the case establishes objective benchmarks by which a company's online privacy practices can be evaluated. The consent order also establishes "safe harbor" provisions with respect to the location and content of a company's privacy policy. Although these safe harbors are not the only means of ensuring the adequacy of a company's practices, they are a useful model in creating a privacy policy the FTC will consider sufficient. The order's safe harbor provisions concerning the collection of personally identifying information from children anticipated the enactment of the Children's Online Privacy Protection Act (COPPA). The FTC's detailed regulations promulgated under COPPA became effective April 21, 2000 and require careful review by companies that collect information from children online.

Companies that post a privacy policy on their website should compare their policies to the GeoCities consent order and consider modifying their practices in light of its safe harbors. Companies that do not post a privacy policy, but collect and use personally identifying information without disclosing their practices, should not assume that the action against GeoCities is without relevance. The rigorous disclosure requirements imposed on GeoCities (including disclosure of "tracking" information and of backup archival copies) may signal that the FTC considers nondisclosure of certain information collection practices inherently misleading.
Indeed, the FTC's June 1998 report to Congress, Privacy Online: A Report to Congress (http://www.ftc.gov/reports/privacy3/index.htm) suggests that a company's decision not to post an online privacy policy may not insulate it from a charge of unfair or deceptive practices. Although the report notes that the FTC lacks authority to require the posting of privacy policies, it indicates that in certain circumstances practices may be inherently deceptive or unfair, whether or not the entity has publicly adopted fair information practices.

It may be telling that the FTC's report considered online information practice statements to include those that "arguably raised an inference of at least one potential use" (such as "Click here to be on our mailing list"). (Report at 20.) This suggests that a statement about the use of collected information might be sufficient in some circumstances to trigger an obligation to disclose privacy practices fully.

It is possible, of course, that the strict disclosure standards imposed on GeoCities are more punitive than remedial and should not be read to have general application. The more cautious view, however, is that the FTC's action is relevant to companies that collect information online, whether or not they have an explicit privacy policy, particularly if their online practices suggest that information is collected for one purpose but is also used for other undisclosed purposes.

For companies whose business operations involve Europe, adequate disclosure is especially important in view of the European Union's Directive on Privacy Protection. The directive establishes minimum standards for the collection and use of personally identifying information in the European Union, and prohibits the transfer of this information to countries whose privacy standards are deemed inadequate. A discussion of the directive and its implications for electronic commerce can be found at http://www.perkinscoie.com.

The GeoCities Consent Order

Location and Content of Privacy Notice

The consent order requires GeoCities to provide a clear and prominent notice to consumers about its collection and use of personally identifying information on its home page and at each location on the website where such information is collected. The order also requires GeoCities to provide "reasonable" means by which the information already collected can be removed from the databases of GeoCities or certain third parties.

The notice must fully disclose the company's practices, including what information is collected, its intended uses, and the third parties to whom the information will be disclosed (disclosure is defined broadly to include making information publicly available by any means including public posting on or through home pages, e-mail services, message boards or chat rooms). Although the privacy notice need not appear at locations where only "tracking" information is collected, the fact that information is collected must be disclosed.

The notice requirement will be met if:

1) a clear and prominent hyperlink labeled "PRIVACY NOTICE" (directly linking to the privacy notice screen) is posted on the website's home page;

2) the privacy notice screen clearly and prominently discloses the company's practices with respect to the collection and use of personally identifying information (followed on the same screen by a button that must be clicked to make it disappear); and

3) a clear and prominent hyperlink appears on the initial screen at which the information is collected, accompanied by the following statement in bold: "NOTICE: We collect personal information on this site. To learn how we use your information, click here."

Some archived database information may be retained for site maintenance, computer file backup, preventing children from registering without parental consent, responding to inquiries from law enforcement agencies, or pursuant to judicial process.
Even the retention of information for these limited purposes must be disclosed in the privacy notice. In addition, GeoCities must contact certain third parties and obtain their agreement to stop using or disclosing this information and to remove it from their databases if requested to do so. GeoCities must stop doing business with these third parties if they fail to agree, or if GeoCities knows or should know they are failing to remove information from their databases upon request.

Company Training

The consent order requires GeoCities to establish an "information practices training program" for employees and volunteers involved in collecting or disclosing personally identifying information, including training in GeoCities' privacy policy, security measures to protect the information, and penalties for violation of the policy. Company officers, directors, managers, agents, and representatives involved in handling such information must receive a copy of the consent order.

Conclusion

The action against GeoCities was the FTC's first signal that disclosure of company practices with respect to the online collection and use of personally identifying information may no longer be truly optional. Although some industry analysts may speculate that not having a privacy policy is safer than having a misleading one, it is uncertain whether companies can take comfort in having no privacy policy if they collect information from online visitors, especially if their practices can be viewed as misleading.

Given the FTC's recent activity, companies would be well advised to evaluate the costs and benefits of accommodating their practices to its basic standards. If a greater showing of industry self-regulation is not forthcoming, the GeoCities consent order may become the model for broader privacy regulation in the private sector.

Marie G. Aglion is an attorney in the Seattle office of Perkins Coie LLP. Ms. Aglion's practice includes Internet and electronic commerce law and appellate advocacy. Al Gidari is president of g-savvy.com.

Copyright © 1998 by The Bureau of National Affairs, Inc., Washington, D.C. This material is intended for educational purposes only and should not be construed as legal advice or opinions on specific facts.