Surfer Beware III:
Privacy Policies without Privacy Protection
Electronic Privacy Information Center
Surfer Beware III is EPIC's third survey of online privacy protections. In 1997, we conducted the first formal review of web site privacy policies and practices. "Surfer Beware: Personal Privacy and the Internet" found that few sites had privacy policies, though anonymity was playing an important role in protecting online privacy. In 1998, we conducted the first evaluation of self-regulation to protect online privacy. "Surfer Beware II: Notice is Not Enough" found that the new members of the Direct Marketing Association failed to follow the organization's own guidelines for privacy protection. In this survey we looked at the privacy policies and practices of the 100 top shopping web sites. [1]
In this survey we looked more closely at the adequacy of privacy practices found on the 100 most popular shopping websites as listed by 100hot.com, which tracks website popularity by the number of times homepages are viewed in a sample of over 100,000 Internet users worldwide. While there are other Internet rating services, we took 100hot.com as a reasonable benchmark (which we also used in the original 1997 survey). [4]
Profile-based advertising, also known as online profiling, is a technique that marketers use to collect information about the online behavior of Internet users and to facilitate targeted advertising. [6] Profile-based advertising could easily be considered a form of online surveillance. Profile-based advertising relies on "cookies," identifying tags that are stored on the computer of a person who visits a web site. These cookies are often placed on computers without the knowledge of individuals when banner advertisements appear. Actually clicking on a banner advertisement is not necessary to generate a cookie. In order to track the growth of this advertising model, we recorded the number of sites that use banner advertisements belonging to known profile-based advertisers.
Along with online advertisers, many other sites utilize cookies in the confines of their own sites. Cookies can be used for tracking online behavior within a single site. They are also used for many other purposes such as for common shopping carts that list items to be purchased or for counting the number of unique visitors to a site. While we did not investigate the purpose for all cookies, we did note which sites enable cookies.
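The two preceding paragraphs describe the mechanism that makes profile-based advertising possible: a banner fetched from an advertiser's domain can set a cookie without any click, while first-party cookies serve the shopping cart. The following audit script is an added example, not part of the EPIC report; the page, domain names and Set-Cookie headers it inspects are constructed sample data, and it flags cookies set by a domain other than the page's own, noting whether they are persistent.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a shop page embedding a first-party cart script,
# a same-site CDN image and two banner ads served by other domains.
PAGE_URL = "https://shop.example/catalog"
PAGE_HTML = """<html><body>
<script src="/cart.js"></script>
<img src="https://cdn.shop.example/logo.png">
<img src="https://ads.adnet-example.net/banner?site=shop">
<iframe src="https://profile.tracker-example.com/ad.html"></iframe>
</body></html>"""
# Constructed sample: the Set-Cookie header each embedded resource returned.
RESPONSES = {
    "https://shop.example/cart.js": "cart=abc123; Path=/",
    "https://cdn.shop.example/logo.png": None,
    "https://ads.adnet-example.net/banner?site=shop":
        "uid=7f3a; Domain=.adnet-example.net; Max-Age=31536000",
    "https://profile.tracker-example.com/ad.html":
        "pid=9911; Domain=.tracker-example.com; Expires=Thu, 31 Dec 2009 23:59:59 GMT",
}

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the sample hosts."""
    return ".".join(host.lower().split(".")[-2:])

class ResourceCollector(HTMLParser):
    """Collects src URLs that the browser fetches automatically on page load."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls = base_url, []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("img", "script", "iframe") and src:
            self.urls.append(urljoin(self.base_url, src))

def audit_third_party_cookies(page_url, html, responses):
    """Return {resource_url: (host, persistent)} for cookies set by a domain
    other than the page's own, i.e. the cookies that enable cross-site profiling."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(urlparse(page_url).hostname)
    flagged = {}
    for url in collector.urls:
        cookie, host = responses.get(url), urlparse(url).hostname
        if cookie and registrable_domain(host) != first_party:
            # A cookie with Expires or Max-Age survives the browser session.
            persistent = "expires=" in cookie.lower() or "max-age=" in cookie.lower()
            flagged[url] = (host, persistent)
    return flagged
```

Running `audit_third_party_cookies(PAGE_URL, PAGE_HTML, RESPONSES)` on the sample flags only the two advertiser resources; the cart cookie and the CDN image share the page's registrable domain and are left alone.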
2. Methodology and Results
The complete results can be found in the Surfer Beware III Appendix, which follows the text of this report.
2.1 Does the site collect personally identifiable information (PII)?
We found that all 100 sites collected personally identifiable information such as name, mailing address, e-mail address, or telephone number. None of the sites required users to disclose personal information when entering or browsing through a site, but all collected such information for purchases or other business transactions.
While it is not surprising that all the sites collected personally identifiable information, it is worth noting that there are many popular websites, such as cnn.com and washingtonpost.com, that do not routinely collect personally identifiable information. Websites that provide news and information generally do not need to know who their visitors are. In our 1997 survey we wrote, "We thought the widespread practice of allowing anonymous browsing, even on the most popular web sites, was an important indicator of how privacy is actually protected on the Internet. By avoiding the collection of personal information, websites encourage users to visit sites." In 1997, we also said that in "the physical world, we note that very few stores require the collection of personal information before allowing someone to enter." It appears that commercial activity on the Internet is driving the increased collection of personal data.
Thirty-five sites displayed a link on all pages that collect personal information.
2.4 Does the site belong to an industry self-regulation program?
We plan to evaluate the effectiveness of these programs in the coming year.
2.5 Does the site have an opt-in (consent) for all collection and use of PII?
We also considered whether websites offered an opt-in policy. Such a policy would require a company to gain consumer permission before any collection or use of personal information. Opt-out policies, on the other hand, allow companies to make use of information as they wish unless a consumer notifies the firm that they do not want their personal information collected or used. Consumers favor opt-in policies. By way of example, CDUniverse has an opt-in policy: "If you answered 'Yes' to the question 'May we occasionally send you email promotions,' we keep you up-to-date via email." J.Crew has an opt-out policy: "We occasionally make our customer list available for one-time use by a few carefully screened firms -- should you prefer not to get their mailings, please let us know."
Twenty-four sites solicited "opt-in" consent by consumers before a company's subsequent collection and use of their personal information.
2.6 Does the site allow access to view and correct personal information?
One of the long-standing goals of privacy protection is to ensure that individuals are able to review the information about them that is collected by organizations. The purpose of this is to ensure that information is accurate and complete. It is also to allow individuals to better assess the actual data collection practices of the organizations that collect personal information.
Thirty-three sites allowed users access to view and correct personal information, such as mailing address, e-mail address, or telephone number.
2.7 Does the site limit use of the information to its original purpose?
Twenty-one companies appeared to limit the use of personally identifiable information to the purposes required for the transaction.
2.8 Does the site specify the purposes for all information collected?
Fifty-eight sites specified the purposes for collection and use of personal information.
2.9 Does the site allow profile-based advertising to operate on their pages?
In total, 35 sites allowed advertising by advertising networks and few mentioned that such advertising was taking place.
2.10 Does the site utilize cookies?
Eighty-six of the sites surveyed used cookies. Two sites -- Tower Records and Kenneth Cole -- did not allow users to visit their sites without generating cookies.
2.11 Other Findings
In our survey of the top 100 e-commerce sites, we found privacy policies that were often confusing, incomplete and inconsistent. The wide variation of these policies might frustrate consumers who are trying to determine which websites provide the best privacy protection.
At the same time, marketers are using new and more sophisticated techniques to track consumers on the Internet. Profile-based advertising marks a sharp departure from traditional business practices which allowed companies to advertise products and services and still permit consumers to retain some privacy. In the world of radio, television and print advertising, for example, information flowed freely from businesses to consumers but little personally identifiable information was ever collected. In the online world, every consumer inquiry about a product and every ad viewing may quickly become incorporated into a detailed profile that will remain hidden from the consumer.
On balance, we think that consumers are more at risk today than they were in 1997. The profiling is more extensive and the marketing techniques are more intrusive. Anonymity, which remains crucial to privacy on the Internet, is being squeezed out by the rise of electronic commerce. Industry-backed self-regulation has done little to protect online privacy. We believe that legally enforceable standards are necessary to ensure compliance with Fair Information Practices. And new techniques for anonymity are necessary to protect online privacy. Until such steps are taken, we have to repeat our advice for the third consecutive year -- "Surfer Beware."
* Revised 1/10/99
[1] "Surfer Beware: Personal Privacy and the Internet," conducted in 1997, looked at the 100 most popular websites. The report is available at http://www.epic.org/reports/surfer-beware.html. "Surfer Beware II: Notice is Not Enough" examined the privacy practices of the members of the Direct Marketing Association in June 1998. It can be found at http://www.epic.org/reports/surfer-beware2.html.
[2] Forrester Research conducted a survey of 100,000 Internet users in September 1999 and found that 67 percent were very or extremely concerned about online privacy and an additional 24 percent were somewhat concerned.
[5] The most robust and comprehensive set of Fair Information Practices are described in the 1980 Organization for Economic Co-operation and Development (OECD) Privacy Guidelines. These can be found at http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM
[6] The National Telecommunications and Information Administration (NTIA) of the Department of Commerce and the Federal Trade Commission recently held a workshop on this topic. EPIC filed a series of comments that are available at http://www.epic.org/privacy/internet/Online_Profiling_Workshop.PDF and http://www.epic.org/privacy/internet/profiling_reply_comment.PDF.
The Electronic Privacy Information Center is a non-profit public interest research organization based in Washington, D.C.
Electronic Privacy Information Center
666 Pennsylvania Ave, SE, Suite 301
Washington, D.C. 20003
+1 (202) 544 9240 (tel)
+1 (202) 547 5482 (fax)