In a controversial report to Congress which may begin a new era of Internet regulation, a sharply divided Federal Trade Commission concluded earlier this week that "self-regulation" of Internet privacy is not working and that broad new federal Internet privacy laws are needed to protect consumers on Internet websites. The FTC's report instantly revived the Internet privacy debate in Washington.

In its report, the FTC confirmed that privacy is a serious public policy problem, with the vast majority of Internet users either "concerned" or "very concerned" about online privacy abuses.

In its annual survey of online privacy practices, the FTC found that 97% of randomly-selected web sites collect personally-identifying data (such as an e-mail address), but only 62% of those sites posted a privacy policy, and only 20% posted privacy policies which addressed all four of the widely-accepted "Fair Information Practice Principles." The Fair Information Practice Principles are:

• notifying consumers about a website's information collection, use, and disclosure;
• allowing consumers to choose to either opt-in or opt-out of secondary uses or disclosures of personal information;
• providing consumers with access to ensure the accuracy and completeness of personal data; and
• safeguarding the security and integrity of the data.

The FTC further found that 57% of its random sample of web sites allowed third parties to place cookies on the computers of web site visitors, and only 8% of the random sample displayed a seal of approval from a self-regulatory privacy seal program. The FTC also complained about online privacy policies which are unclear, ambiguous, subject to change without notice, or which display misleading "pre-checked" consent boxes.

The FTC concluded: "Ongoing consumer concerns regarding privacy online and the limited success of self-regulatory efforts to date make it time for government to act to protect consumers' privacy on the Internet." The FTC recommended a new federal law requiring all consumer-oriented web sites which collect personally-identifying information to adopt privacy policies which comply with all four Fair Information Practice Principles. Under current federal law, only web sites which collect personal information from children under 13 are subject to mandatory privacy protections. The children's online privacy rules are summarized in our February 11, 2000 Internet Alert.

The two dissenting FTC Commissioners immediately condemned the report's logic and pointed to recent improvements in self-regulatory efforts. Although the Federal Communications Commission has so far declined to regulate the Internet, FCC Chairman William Kennard reiterated his view that self-regulation should be given more time. Commerce Secretary William Daley also questioned the need for new privacy laws.

Several online privacy bills quickly emerged on Capitol Hill: One proposal favored by privacy advocates would require web sites to obtain affirmative "opt-in" consent before collecting or disclosing any personally-identifiable information. A less stringent proposal would require web sites to permit Internet users to "opt-out" of the sale or disclosure of personal information. A possible compromise bill would require web sites to post privacy notices but would not mandate any specific privacy safeguards.

The FTC's report ensures that online privacy will remain a hotly-debated election year issue, with aggressive lobbying by privacy advocates and Internet interests. Only one thing is certain -- the outcome of the current debate will directly affect consumer-oriented Internet companies and will shape the future of Internet marketing.