What Policy Does FTC Really Set in Its GeoCities Decision?
By Robert Gellman
The Federal Trade Commission's first Internet privacy enforcement action against GeoCities offers clues about future privacy activities from the FTC. The decision, made public last month, also has implications for the way U.S. businesses and government agencies will be able to tout the effectiveness of self-regulatory policies to European regulators.
Let's begin with the facts. GeoCities operates a popular Internet all-in-one “supersite” that provides many services, including free and fee-based personal home pages. GeoCities asks each new customer to provide personal information, some mandatory and some optional. Applicants can choose how this information will be used and disclosed. A central feature of the FTC case was the way GeoCities actually used the information in contrast with what it told users.
The complaint alleged that GeoCities misrepresented itself by saying the personal information would only be used to provide advertising offers, products and services that members requested. The FTC alleged that GeoCities disclosed the information to third parties who used it in ways inconsistent with the choices expressed by the GeoCities members.
The FTC also charged that GeoCities engaged in deceptive practices relating to collecting personal information from children. The charge was that GeoCities told customers it operated the kids club, but the club was actually run by third-party “community leaders.”
In the usual fashion for consent decrees, the complaint and the settlement came at the same time. Under the settlement, GeoCities agreed to post a clear privacy notice telling consumers the details of its information collection, disclosure and removal process. GeoCities also agreed to obtain parental consent before collecting information from children 12 and under.
As is also standard with consent agreements, GeoCities changed its practices but it did not admit that it violated the law or that any of the facts in the complaint were true. The Wall Street Journal quoted one of GeoCities' lawyers, Ron Plesser, as saying, “We are not required to admit guilt, and I don't think that we are guilty.”
It is notable, however, that the FTC used some rather sharp words in its press release, stating that GeoCities misled its customers by not telling the truth. The FTC got mostly good marks from privacy advocates for bringing the action, but not everyone thought the settlement went far enough in providing actual remedies for aggrieved customers.
For its first Internet privacy case, the FTC carefully selected a case involving both misrepresentation and deceptive practices. When administrative powers are exercised for the first time, the target often is someone whose conduct is indefensible. It brings to mind one of the first data export prohibitions brought by the British Data Protection Registrar. He targeted an American marketer accused of mail fraud. The American business establishment was not likely to defend someone like that. Even aside from the facts of the case, the FTC was in a strong position. GeoCities was in the midst of an initial stock offering at the time of investigation, and its stock took a big hit when the settlement was announced.
It remains to be seen what the FTC will do next. It is likely to sue others who it catches saying one thing and doing another. Those are “easy” cases. But will the FTC bring actions against companies that do not have a privacy policy at all? What will the FTC do when a company writes an artfully worded disclosure statement reserving the right to use and disclose customer data as it pleases and then buries the statement deep in a disclosure notice that most customers will never see? Will the FTC sue a company that doesn't give consumers access to its records or the ability to correct them? Will the FTC seek real remedies for individual consumers?
Until there's more evidence of aggressive FTC enforcement, the answers to these questions will remain unknown. The FTC has limited privacy enforcement resources and limited jurisdiction. The agency may force a few companies to stop lying and to comply with stated policies. However, getting companies to comply with fair information practices in the first place may be beyond the FTC's ability or interest.
What are the implications for European regulators? They can expect to hear about the GeoCities case as “proof” that FTC enforcement is meaningful. However, the American business community will be hard pressed to have things both ways. The FTC cannot be promoted as an effective privacy enforcement mechanism if targeted companies are “not guilty” of any violations. You cannot tout enforcement as effective if it only results in actions against the “innocent.”
Even worse, GeoCities was a member of two leading privacy self-regulatory groups, the Online Privacy Alliance and TRUSTe. Ouch! The case could be cited as evidence that self-regulation does not work, but that conclusion is a bit premature. The violations occurred before GeoCities joined these groups. Still, the executive director of TRUSTe was quoted as saying the case was “our nightmare” and “this is exactly what we don't want happening.”
The GeoCities case may have a perverse effect as well. It may give companies a reason to avoid making any privacy promises at all. No U.S. law requires an Internet privacy disclosure statement. The FTC may not have the ability to pressure companies to address privacy in the first place. Those companies that do are more likely to make vague promises so they cannot be challenged.
Still, the FTC's action in GeoCities is welcome. The agency produced a result in its first case that is useful to both privacy advocates and business alike. On the broader issue of the FTC's general effectiveness as a privacy enforcer, however, the jury is still out.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture. His e-mail address is [email protected].