

Surfer Beware II:
Notice Is Not Enough

June 1998

Electronic Privacy Information Center
www.epic.org


Summary

In an effort to assess the effectiveness of self-regulation in protecting personal privacy, the Electronic Privacy Information Center (EPIC) surveyed the privacy policies of 76 new members of the Direct Marketing Association (DMA). We chose the DMA because it has been a leading proponent of self-regulation and because it has undertaken a number of efforts to encourage privacy protection through self-regulation. These included a policy, announced in October 1997, that the DMA would require future members to post a privacy policy and provide an opt-out capability. Of the 76 new members we examined, only 40 had Web sites, and of these only eight had any form of privacy policy. We examined these policies and found that only three of the new members had privacy policies that satisfied the requirements the DMA set out in October 1997. None of the sites examined allowed individuals to gain access to their own information. We concluded that the DMA's efforts to promote privacy practices are having little impact on its new members, even after repeated assurances from the DMA that this approach is effective.


1. Introduction

Last year, EPIC undertook the first comprehensive review of Internet privacy policies. Our "Surfer Beware" report reviewed 100 of the most frequently visited Web sites on the Internet [1]. We checked whether sites collected personal information, had established privacy policies, made use of cookies, and allowed users to visit without disclosing their identities. We found that few Web sites (only 17 of our sample) had explicit privacy policies and that none of the top 100 Web sites met basic standards for privacy protection. We also found that anonymity continues to play an important role in online privacy, with many sites allowing users to access Web services without disclosing personal data. EPIC recommended that sites continue to support anonymity while developing policies and practices to protect information privacy.

Since the release of "Surfer Beware," other similar studies have been undertaken and new industry efforts to promote self-regulation have been pursued [2]. Earlier this month, the Federal Trade Commission (FTC) released its report on online privacy, Privacy Online: A Report to Congress [3]. Surveying over 1,400 Web sites, the Commission reported that upwards of 85 percent of Web sites collect personal information, while only 14 percent provide any notice about their information practices. The Commission concluded that "substantially greater incentives are needed to spur self-regulation." The Commission will recommend an appropriate response to protect online consumer privacy later this summer.

This report examines the online privacy practices of new members of the Direct Marketing Association (DMA). As the largest trade association for businesses interested in database marketing, the DMA has been a staunch supporter of self-regulation. The DMA has taken a number of steps to promote self-regulation and has also opposed privacy legislation.

The following sections describe the motivation, methodology and results of EPIC's survey. The report concludes by recommending legislation that makes Fair Information Practice (FIP) principles enforceable.

2. History and Motivation

In October 1997, DMA president and CEO H. Robert Wientzen announced that the DMA would require its members to provide adequate notice and opt-out capabilities [4]. The Privacy Action section of the DMA Web site encourages members to prominently display a privacy policy page on their own Web sites and to participate in the DMA "Mail Preference Service" and "Telephone Preference Service." The DMA also offers to generate customized privacy policy pages which members can download and post on their own sites [5].

The DMA has said that it believes that these efforts are sufficient to preclude the need for privacy legislation. In response to the recent FTC privacy report, Patricia Faley, DMA's Vice President of Consumer Affairs, wrote:

While we've seen progress in posting privacy policies since the Federal Trade Commission held its hearings on privacy last June, we clearly still have a way to go. The Direct Marketing Association will continue its business education efforts to ensure that all DMA members, and indeed all marketers, do the right thing and post privacy policies. Business has been receptive to this message because it makes good business sense, and our research shows the trendline is going in the right direction [6].

However, the findings of our study indicate that the DMA has been unable to "ensure that all DMA members... post privacy policies," and that businesses have not been receptive to its message.

3. Methodology

While the DMA does not make a list of its members publicly available, its Web site contains a list of its newest members [7]. On June 15, 1998, EPIC reviewed the list of the DMA's new member companies (those having joined since May 1998). By searching for each company's Web site with the Alta Vista search engine, EPIC located Web sites for 40 of the 76 companies listed [8].

The sites were reviewed to see how they collect personal information. In this study, collection of information ranged from a simple hyperlink to the company's e-mail address to more complicated registration, purchase, and contact forms. A simple hyperlink to a company's e-mail address was considered a form of collection of personal information because the return addresses of everyone who writes in can be collected and aggregated. It is important to note that Web site cookie practices were not included in this study. Rather than exploring whether Web sites surreptitiously collect personal information through cookies, this report focused on collection of personal information that was apparent to the user. While a user may knowingly release personal information to a Web site, he or she should still retain certain rights concerning that information, such as the right to inspect and correct data, to seek redress, and to receive damages.

Next, the sites were searched for privacy statements, notices, or policies. First, the home page itself was searched for such a notice. If no notice was found, customer agreement and similar pages were also searched. If a site had a search engine, the keyword "privacy" was entered into the search engine. Because privacy policies should be prominently displayed and easily found, such methods were deemed sufficient.
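The two checks described above (how a site collects personal information, and whether it posts a privacy notice) were carried out by hand in this survey. As an added example, not part of the EPIC report and not anything taken from the surveyed sites, the following Python script applies the same classification to a saved copy of a page's HTML so that the survey could be repeated at scale. The list of field-name hints that mark an input as personal information, the rule that any link mentioning "privacy" counts as a notice, and the two sample pages are all constructed assumptions for illustration.

```python
# Added example, not part of the EPIC report: an offline classifier that applies
# the survey's two checks to a saved HTML page.
#   1. How does the page collect personal information?  A form whose fields look
#      like name / e-mail / address / phone counts as "form" collection; failing
#      that, a mailto: link counts as "hyperlink e-mail" (the report treats such
#      links as collection too, since return addresses can be aggregated).
#   2. Does the page link to a privacy notice?  Any link whose text or href
#      mentions "privacy" is taken as one.
# The field-name hints and the sample pages below are constructed assumptions.
from html.parser import HTMLParser

# Assumed hints: an input whose name or id contains one of these is treated as PII.
PII_HINTS = ("name", "email", "e-mail", "address", "phone", "zip")
# Input types that never carry user-typed data and are therefore ignored.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image"}


class SiteScan(HTMLParser):
    """Collects mailto: links, privacy links and the field names of each form."""

    def __init__(self):
        super().__init__()
        self.mailto_links = []   # hrefs of mailto: anchors
        self.privacy_links = []  # (link text, href) pairs that mention "privacy"
        self.forms = []          # one list of field identifiers per <form>
        self._in_form = False
        self._href = None        # href of the <a> currently open, if any
        self._text = []          # text seen inside that <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href = a.get("href", "").strip()
            self._text = []
            if self._href.lower().startswith("mailto:"):
                self.mailto_links.append(self._href)
        elif tag == "form":
            self._in_form = True
            self.forms.append([])
        elif tag in ("input", "textarea", "select") and self._in_form:
            if a.get("type", "").lower() in NON_DATA_TYPES:
                return
            ident = " ".join(x for x in (a.get("name"), a.get("id")) if x).lower()
            self.forms[-1].append(ident)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if "privacy" in text.lower() or "privacy" in self._href.lower():
                self.privacy_links.append((text, self._href))
            self._href = None
        elif tag == "form":
            self._in_form = False


def classify(html):
    """Classify one page: how PII is collected, which fields triggered that
    verdict, and whether a privacy notice is linked from the page."""
    scan = SiteScan()
    scan.feed(html)
    scan.close()
    pii_fields = [f for form in scan.forms for f in form
                  if any(h in f for h in PII_HINTS)]
    if pii_fields:
        collection = "form"
    elif scan.mailto_links:
        collection = "hyperlink e-mail"
    else:
        collection = "none"
    return {
        "collection": collection,
        "pii_fields": pii_fields,
        "privacy_notice": bool(scan.privacy_links),
        "privacy_links": scan.privacy_links,
    }


# Constructed sample pages (not copied from any surveyed site).
SAMPLE_CATALOG_SITE = """<html><body>
<a href="/">Home</a> | <a href="/privacy.html">Privacy Statement</a>
<form action="/cgi-bin/catalog" method="post">
  Name: <input name="fullname"> E-mail: <input name="email">
  <input type="hidden" name="campaign" value="spring98">
  <input type="submit" value="Send me a catalog">
</form>
<a href="mailto:webmaster@example.com">Contact us</a>
</body></html>"""

SAMPLE_MAILTO_ONLY_SITE = """<html><body>
<p>Questions? <a href="mailto:info@example.com">E-mail us</a></p>
<form action="/search"><input name="q"><input type="submit" value="Go"></form>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("catalog site", SAMPLE_CATALOG_SITE),
                        ("mailto-only site", SAMPLE_MAILTO_ONLY_SITE)):
        print(label, classify(page))
```

The script only sees links on the page it is given, so a notice reachable solely through a customer-agreement page or a site search engine would be missed; that is why the survey also followed those pages and ran the keyword "privacy" through each site's search engine, and an automated version would need to fetch those pages as well.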

3.1 Adequacy of Privacy Policies

In his announcement at the 80th Annual Conference & Exhibition in October 1997, DMA president and CEO H. Robert Wientzen stated that by July 1, 1999:

...all DMA members -- as a condition of membership -- will honor the principles of notice, opt-out, and the use of suppression and the Mail Preference Service and Telephone Preference Service [9].

While these requirements would probably not satisfy traditional Fair Information Practices, we decided to use the DMA's own criteria to determine the adequacy of the privacy practices of its new members [10]. That is, a Web site employing only proper notice and opt-out options was classified as having an adequate privacy policy. Specifically, if a Web site had some sort of privacy policy or statement, that notice was examined against three criteria:

  1. Web site stated why the information was being collected;
  2. Web site stated how the information would be used; and
  3. Web site provided opt-out options.

If a policy notice failed to meet any of these three criteria, it was classified as inadequate.

3.2 Secondary Uses

The privacy policies were examined to determine whether collecting organizations would use information for secondary uses such as marketing and/or distribution to third parties.

3.3 Access to Personal Information

Each Web site was examined to determine whether it was possible for users to access information the site collected about them. Additionally, privacy policies were examined for the existence of opt-in or opt-out privacy options.

4. Results

All 40 Web sites examined collected personal information in some form. Seventy-eight percent (31 sites) collected personal information through registration, application, request, feedback, contact, and other similar forms [11]. The remaining 22 percent collected personal information only through hyperlinks to their e-mail addresses.

Only 20 percent (eight sites) had any semblance of a privacy notice. Of these eight sites, only four (10 percent of the total) had specifically "advertised" privacy policy pages or statements. Three sites had "security and privacy" statements which focused on the security of transactions rather than the use of collected information, and the remaining site had only a single sentence relating to privacy. The specific privacy notices and other data for these sites are found in the Appendix (Section 7).

EPIC concluded that three of the eight privacy notices satisfied the DMA's own requirements as defined in Section 3.1. Three of the privacy notices explicitly restricted the use of collected personal information to the primary purpose of collection, while two stated an intention to use collected personal information for further marketing and distribution. None of the Web sites appeared to allow users to access their own information, although three of the privacy notices offered an e-mail opt-out option for users who did not wish to have further contact with the company. All sites could be browsed without knowingly disclosing personal information. However, because cookie practices were not explored, it is unknown whether these sites collect personal information by tracking click streams.


5. Conclusions

In our survey we found that only a handful of new DMA members have privacy policies that satisfy the DMA's own requirements.

We recommend that the DMA establish much clearer privacy guidelines for new members at the time of entry into the association, including an acceptable privacy policy that -- at a minimum -- complies with the DMA's own requirements. Allowing organizations that lack adequate privacy policies to join the DMA sends the wrong message about the association's commitment to privacy.

More generally, we believe that the DMA's inability to make self-regulation work to protect privacy is a clear indication of the need for legislation. Absent enforceable safeguards that apply to all DMA members and provide some assurance of privacy, we can only say to those who visit Internet sites operated by members of the Direct Marketing Association, "Surfer Beware."


6. Endnotes

[1] "Surfer Beware", www.epic.org/reports/surfer-beware.html

[2] "A Delicate Balance: The Privacy and Access Practices of Federal Government World Wide Web Sites", August 1997, ombwatch.org/ombw/info/balance.html

[3] "Privacy Online: A Report to Congress", www.ftc.gov/privacy/reports.htm

[4] "DMA to Make Privacy Compliance Mandatory", October 7, 1997, www.dmnews.com

[5] The DMA Web page can be found at www.the-dma.org. The DMA privacy policy page service can be found at www.the-dma.org/pan7/dmers7c1-policy.shtml

[6] "The DMA Responds to FTC Online Privacy Report", www.the-dma.org/texis/scripts/news/newspaper/+swwBmXehdW1wwwr/displayArticle.html

[7] "New Member Companies May 1998", www.the-dma.org/membership2/mem-companies2b.shtml

[8] Alta Vista Search Engine, www.altavista.digital.com

[9] "DMA to Make Privacy Compliance Mandatory", October 7, 1997, www.dmnews.com

[10] "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data", http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM. The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data describe the basic principles necessary for the protection of privacy and individual liberties as:

[11] Five of these sites employed manual forms that needed to be printed out rather than digitally submitted.

[12] Edison Enterprises does have a notice concerning cookies.


7. Appendix

This section contains the data compiled on new DMA members since May 1998 which were found to have Web sites.

7.1 Privacy Policies, Statements, and Notices

In this section we present the excerpts of privacy policies, statements, and notices of the eight DMA Web sites found to have such sections. For each notice, we provide an analysis of its adequacy.

7.1.1 Privacy Sentences

The following company offers only a single sentence addressing the consumer's privacy upon releasing personal information.

Acorn Information Service:

    Your responses will remain anonymous.

7.1.2 Security and Privacy Statements Focused on Security

The following companies offer detailed security and privacy statements on their Web sites. However, the information provided on these pages focuses on the security of transmitting information rather than the use of collected personal information.

Carfax, Inc.:

    The information we collect is used purely to process your orders -- we use the e-mail address to deliver your report and use the credit card information only to process the transaction. Carfax will not pass along your personal information to any other organization for any purpose.

Dexter Sport Science:

    All DSS Store customers will enjoy the same security and privacy as our customers shopping by telephone.

Intelitech:

    Finally all information that you supply whether through a secure form or through a standard HTML form is maintained by Intelitech exclusively for the purpose of processing your orders and as legally required for tax obligations. Intelitech does not make any information available to anyone else, or even use it itself for any other purposes.

7.1.3 Privacy Policy Pages or Statements

The following companies provide complete policy pages or statements.

HealthWatchers System:

    This site collects no personally identifying information about you except when you specifically and knowingly provide it.

    HealthWatchers System may use your personal identifying information for HealthWatchers promotional and marketing purposes only. We do not rent or sell our e-mail addresses. You have the ability to stop your information being used for marketing and promotional purposes by sending an e-mail request to HealthWatchers System at privacy@healthwatchers.com.

    The HealthWatchers System Web site places a "cookie" in the browser file of your computer. The "cookie" itself does not contain any personally identifying information except your ShopperID number.

    Please read more about "cookies".

Post Communications:

    Post Communications' Policy on Privacy

    At its core definition, Relationship Marketing is a dialogue built about trust and fair exchange of value. To practice relationship marketing in the age of the Internet requires that the foundation include not only trust and mutual benefit, but privacy and security as well. In this medium, where data can easily flow from one database to another, this is even more critical. Post believes that every company has an obligation to honor and respect the privacy of its customers. The Post Online Relationship Marketing Solution is specifically designed with built-in best practices of privacy and security. To that end, Post has developed the following privacy best practices:

    1. Access to privacy policy
       For every client program implemented, Post will ensure that there is an easy to find, easy to read, easy to understand privacy policy.

    2. Value for Value
       Post will maintain a sharp focus on ensuring that when a customer provides information, he or she will receive a valuable and relevant communication in return.

    3. Customer Control
       On every client program, Post will include a provision for each and every customer to voluntarily choose what information to provide, whether or not to participate in the program and the ability to subscribe or unsubscribe at any time.

    4. Disclosure
       Post will ensure that client programs have a built-in mechanism to disclose data sharing practices and an easy method for customers to specify whether or not personal information can be shared.

EPIC NOTE: While this privacy policy seems adequate for "client programs", it does not adequately address information collection practices at the Web site itself.

ProMark One:

    Privacy Policy Statement

    For each visitor to our Web page, our server does not automatically recognize any information regarding the domain or e-mail address. We collect the e-mail address of those who communicate with us via e-mail and information volunteered by the consumer. This information is used by us to contact consumers for marketing purposes. If you supply us with your postal address or phone number on-line, you may receive marketing-related mailings or telephone contact. If you do not want to receive e-mail, mailings, or telephone calls from us in the future, please send an e-mail to us by pressing the envelope icon above and let us know.

The Parable Group, Inc.:

    For each visitor to our Web page, our Web server automatically recognizes the consumer's domain name and e-mail address (where possible). We collect the domain name and e-mail address (where possible) of visitors to our Web page, the e-mail addresses of those who communicate with us via e-mail and information volunteered by the consumer, such as survey information and/or site registrations.

    The information we collect is used to improve the content of our Web page, used to notify consumers about updates to our Web site and used by us to contact consumers for marketing purposes.

    If you do not want to receive e-mail from us in the future, please let us know by sending e-mail to us at the above address and telling us that you do not want to receive e-mail from our company.

    If you supply us with your postal address on-line you may receive periodic mailings from us with information on new products and services or upcoming events. If you do not wish to receive such mailings, please let us know by sending e-mail to us at the above address. Also you may receive mailings from other reputable companies. You can, however, have your name put on our do-not-share list by sending e-mail to us at the above address. Please provide us with your exact name and address. We will be sure your name is removed from the list we share with other organizations.

    Persons who supply us with their telephone numbers on-line may receive telephone contact from us with information regarding orders they have placed on-line. Please provide us with your correct phone number. We will be sure your name is removed from the list we share with other organizations.

7.2 Company Data

This section presents the data collected on the Web sites of DMA members. If the "Collection of PII (Personally Identifiable Information)" entry for a site is something other than "hyperlink e-mail," this merely indicates that the site uses at least one other means to collect additional information. That is, an entry in this column does not mean that the site collects PII only for the purpose named; such sites may collect PII for additional purposes as well. The adequacy of privacy practices is determined using the policy excerpts in Section 7.1 and the criteria of Section 3.1.

Company Name | Web site | Collection of PII | Privacy Practice & Adequacy | Secondary Use | Access to PII
--- | --- | --- | --- | --- | ---
Acorn Information Service | www.acornis.com | contact/support (name, address, etc) | sentence; INADEQUATE | unknown | no
Alamo Direct | www.alamodirect.com | hyperlink e-mail | none | unknown | no
American Arbitration Association | www.adr.org | customer service (name, address, etc) | none | unknown | no
American Marketing & Communications Corp. | www.americanmarketing.com | registration form (name, address, etc) | none | unknown | no
Assist Cornerstone Technologies | www.assistintl.com | hyperlink e-mail | none | unknown | no
Bay Networks | www.baynetworks.com | contact form (name, address, etc) | none | unknown | no
Capital & Commercial Ventures | www.ccv-products.com | feedback form (name, address, etc) | none | unknown | no
Carfax, Inc. | www.carfax.com | car report (e-mail, etc) | security/privacy; INADEQUATE | restricted to primary use | no
Coastal Printing & Graphics | www.coastalprinting.com | catalog request (name, address, etc) | none | unknown | no
Color Communications, Inc. | www.ccicolor.com | hyperlink e-mail | none | unknown | no
DBA | www.dbaint.com | hyperlink e-mail | none | unknown | no
Dexter Sport Science | www.dsportscience.com | catalog request (name, address, etc) | security/privacy; INADEQUATE | unknown | no
Edison Enterprises | www.edisonenterprises.com (www.scc.com) | print out enrollment form | none [12] | unknown | no
EXAMCO, Inc | www.examco.com | registration form (name, phone, etc) | none | unknown | no
GMAC Mortgage Corp. | www.gmacmortgage.com | proposal/comment (name, address, etc) | none | unknown | no
GreenPoint Mortgage Corp. | www.truenodoc.com | application form (name, address, etc) | none | unknown | no
HealthWatchers System | www.healthwatchers.com | register/catalog (name, e-mail, etc) | policy page; ADEQUATE | restricted to primary use | e-mail opt-out option
Holland Mark Martin Edmund | www.hmm.com | application form (name, address, etc) | none | unknown | no
Holldon Telemanagement Group | www.holldon.com | hyperlink e-mail | none | unknown | no
Intelitech | www.intelitech.com | registration form (name, address, etc) | security/privacy; INADEQUATE | restricted to primary use | no
ITI Technologies, Inc. | microimg.com/iti/ | hyperlink e-mail | none | unknown | no
Kenneth Cole Productions | www.kencole.com | catalog form (name, address, etc) | none | unknown | no
Lawyers Weekly Publications | www.lawyersweekly.com | registration form (name, address, etc) | none | unknown | no
Le Club des Createurs de Beaute | www.createurs-de-beaute.com | contact form (name, address, etc) | none | unknown | no
Logos Corp. | www.logos-usa.com | hyperlink e-mail | none | unknown | no
Management Recruiters of New Providence | www.mrinp.com | hyperlink e-mail | none | unknown | no
Medicode, Inc. | www.medicode.com | hyperlink e-mail | none | unknown | no
National Association of Home Builders | www.nahb.com | print out registration form | none | unknown | no
National Council on Compensation Insurance | www.ncci.com | print out order form | none | unknown | no
Opera World | www.operaworld.com | catalog request (name, address, etc) | none | unknown | no
Pegasus Systems, Inc. | pegasus.thisco.com | print out request form | none | unknown | no
Pilgrim Baxter & Associates, Ltd. | www.pbhgfunds.com | print out application form | none | unknown | no
Post Communications | www.postdirect.com | hyperlink e-mail | policy page; INADEQUATE | unknown | no
Prime Response, Inc. | www.prime-response.com | feedback form (name, address, etc) | none | unknown | no
ProMark One | www.promarkone.com | hyperlink e-mail (name, info) | statement; ADEQUATE | marketing | e-mail opt-out option
Richardson Electronics | www.rell.com | purchase order (name, phone, etc) | none | unknown | no
Society for Human Resource Management | www.shrm.org | application form (name, address, etc) | none | unknown | no
The Parable Group, Inc. | www.parable.com | registration form (name, address, etc) | policy page; ADEQUATE | marketing & distribution | e-mail opt-out option
TMA, Inc. | www.tmai.com | support/literature (name, address, etc) | none | unknown | no
Verbatim Corp. | www.verbatimcorp.com | hyperlink e-mail | none | unknown | no


    About EPIC

    The Electronic Privacy Information Center is a non-profit public interest research organization based in Washington, D.C.

    Electronic Privacy Information Center
    1718 Connecticut Avenue, NW, Suite 200
    Washington, D.C. 20009
    +1 (202) 483 1140 (tel)
    +1 (202) 483 1248 (fax)
    http://www.epic.org

     


