Surfer Beware III:
Privacy Policies without Privacy Protection

December 1999

Electronic Privacy Information Center

Executive Summary

In this survey the Electronic Privacy Information Center (EPIC) reviewed the privacy practices of the 100 most popular shopping websites on the Internet. We focused on shopping sites because many consumers are now buying online and we wanted to assess whether online merchants are adequately protecting consumer privacy. For all 100 sites, we looked for compliance with "Fair Information Practices" -- a set of principles that provide basic privacy protection. We also looked at whether commercial sites utilized profile-based advertising, and employed cookies in their website operations. Both of these controversial techniques have been the subject of recent investigations. We found that 18 of the top shopping sites did not display a privacy policy, 35 of the sites have profile-based advertisers operating on their pages, and 86 of the e-commerce operations use cookies. Not one of the companies adequately addressed all the elements of Fair Information Practices. We also found that the privacy policies available at many websites are typically confusing, incomplete, and inconsistent. We concluded that the current practices of the online industry provide little meaningful privacy protection for consumers.


1. Introduction

Surfer Beware III is EPIC's third survey of online privacy protections. In 1997, we conducted the first formal review of web site privacy policies and practices. "Surfer Beware: Personal Privacy and the Internet" found that few sites had privacy policies, though anonymity was playing an important role in protecting online privacy. In 1998, we conducted the first evaluation of self-regulation to protect online privacy. "Surfer Beware II: Notice is Not Enough" found that the new members of the Direct Marketing Association failed to follow the organization's own guidelines for privacy protection. In this survey we looked at the privacy policies and practices of the 100 top shopping web sites.1

Privacy remains one of the greatest concerns of online users and will become particularly acute as many users make their first foray into online shopping this holiday season.2 While most online retailers agree that the protection of consumer privacy is important for the future of electronic commerce, much debate has centered on the appropriate approach to protecting consumer privacy online. Businesses in the United States have generally said that industry self-regulation, as opposed to the establishment of legal rights for consumers, will protect online privacy. Even though a survey conducted earlier this year found that less than 10 percent of websites offer a baseline privacy policy, self-regulation continues to govern privacy protection on the web.3

In this survey we looked more closely at the adequacy of privacy practices found on the 100 most popular shopping websites as listed by 100hot.com, which tracks website popularity by the number of times homepages are viewed in a sample of over 100,000 Internet users worldwide. While there are other Internet rating services, we took 100hot.com as a reasonable benchmark (which we also used in the original 1997 survey).4

We evaluated privacy protection with respect to the Fair Information Practices, which are a set of principles that enable individuals to maintain control over personal information held by organizations and are the basis for many privacy laws in the United States.5 For the purpose of this survey, we looked at several elements of the Fair Information Practices, including the ability to find the privacy policy of an e-commerce site, whether personal information is collected and used with the consent of the consumer, whether the consumer is able to access and correct such information, whether the information is limited to those uses for which the information was given, and whether the purposes for which information will be used are specified.

Profile-based advertising, also known as online profiling, is a technique that marketers use to collect information about online behavior of Internet users and to facilitate targeted advertising.6 Profile-based advertising could easily be considered a form of online surveillance. Profile-based advertising relies on "cookies," identifying tags that are stored on the computer of a person who visits a web site. These cookies are often placed on computers without the knowledge of individuals when banner advertisements appear. Actually clicking on a banner advertisement is not necessary to generate a cookie. In order to track the growth of this advertising model, we recorded the number of sites that use banner advertisements belonging to known profile-based advertisers.

Along with online advertisers, many other sites utilize cookies in the confines of their own sites. Cookies can be used for tracking online behavior within a single site. They are also used for many other purposes such as for common shopping carts that list items to be purchased or for counting the number of unique visitors to a site. While we did not investigate the purpose for all cookies, we did note which sites enable cookies.


2. Methodology and Results

To evaluate websites' privacy standards, our survey examined 1) whether personally identifiable information (PII) was collected; 2) whether a privacy policy was displayed on the website's homepage; 3) whether a privacy policy was displayed on all pages collecting personal information; 4) whether the site was part of a licensing group; 5) whether the site required opt-in consent for all collection and subsequent use of personal information; 6) whether the site allowed users access to view and correct personal information; 7) whether the use of personal information was limited; and 8) whether the privacy policy specified all purposes for which personal information would be used. We also investigated two other questions -- whether advertising networks were presenting banner ads on the sites' pages and whether a site used cookies.

The complete results can be found in the Surfer Beware III Appendix, which follows the text of this report.

We based our evaluations on the information available to the user as stated in the privacy policy or elsewhere on the website.

2.1 Does the site collect personally identifiable information (PII)?

We found that all 100 sites collected personally identifiable information such as name, mailing address, e-mail address, or telephone number. None of the sites required users to disclose personal information when entering or browsing through a site, but all collected such information for purchases or other business transactions.

While it is not surprising that all the sites collected personally identifiable information, it is worth noting that there are many popular websites, such as cnn.com and washingtonpost.com, that do not routinely collect personally identifiable information. Websites that provide news and information generally do not need to know who their visitors are. In our 1997 survey we wrote, "We thought the widespread practice of allowing anonymous browsing, even on the most popular web sites, was an important indicator of how privacy is actually protected on the Internet. By avoiding the collection of personal information, websites encourage users to visit sites." In 1997, we also said that in "the physical world, we note that very few stores require the collection of personal information before allowing someone to enter." It appears that commercial activity on the Internet is driving the increased collection of personal data.

2.2 Does the site have a link to a privacy policy on its homepage?

We noted whether a website displayed its privacy policy on its homepage. The homepage is often the first page a user views when entering a website, and the privacy policy should be easily accessible from this location so that users will know how their personal information will be used before they begin shopping for an item.

Fifty-one sites provided a link to the privacy policy on their homepage. Eighteen sites had no privacy policy. We gave sites that lacked a privacy policy a rating of "N/A" (not applicable) for the remainder of the survey questions. We also gave "N/A" ratings to EastBay because the site was continually busy, and when we finally gained access to the site, the page where transactions are completed would not load.

2.3 Does the site have a link to a privacy policy on all pages collecting PII?

We also observed whether a website linked to its privacy policy on all pages that collect PII. It is important for Internet users to know how their personal information is used and to be able to quickly find the policy when they are asked to disclose personal information.

Thirty-five sites displayed a link on all pages that collect personal information.

2.4 Does the site belong to an industry self-regulation program?

We noted whether sites were part of an industry self-regulation program, such as TRUSTe or the Better Business Bureau Online. Twenty sites in the survey were members of these programs. Membership in one of these programs does not assure privacy protection for consumers, but it is an indication of a company's willingness to develop a privacy policy and to learn more about privacy issues.

We plan to evaluate the effectiveness of these programs in the coming year.

2.5 Does the site have an opt-in (consent) for all collection and use of PII?

We also considered whether websites offered an opt-in policy. Such a policy would require a company to gain consumer permission before any collection or use of personal information. Opt-out policies, on the other hand, allow companies to make use of information as they wish unless a consumer notifies the firm that they do not want their personal information collected or used. Consumers favor opt-in policies. By way of example, CDUniverse has an opt-in policy: "If you answered 'Yes' to the question 'May we occasionally send you email promotions,' we keep you up-to-date via email." J.Crew has an opt-out policy: "We occasionally make our customer list available for one-time use by a few carefully screened firms -- should you prefer not to get their mailings, please let us know."

Twenty-four sites solicited "opt-in" consent by consumers before a company's subsequent collection and use of their personal information.

2.6 Does the site allow access to view and correct personal information?

One of the long-standing goals of privacy protection is to ensure that individuals are able to review the information about them that is collected by organizations. The purpose of this is to ensure that information is accurate and complete. It is also to allow individuals to better assess the actual data collection practices of the organizations that collect personal information.

In the access category, we determined whether websites allowed consumers to view and correct their personal information, including their name, mailing address, e-mail address, or telephone number. Many companies also collect more detailed information, such as shopping preferences or purchase history, but do not make this information available to consumers. For example, eBay states in its privacy policy: "We automatically track certain information about you based upon your behavior on our site. We use this information to do internal research on our users' demographics, interests, and behavior to better understand and serve our users." Since many sites do not disclose whether they store information about customer behavior, however, we did not evaluate access with respect to such a criterion.

Thirty-three sites allowed users access to view and correct personal information, such as mailing address, e-mail address, or telephone number.

2.7 Does the site limit use of the information to its original purpose?

We surveyed whether sites limited the use of the personal information to the transaction specified. This is important because most consumers intuitively expect that personal information will be used for a limited purpose. Companies should not use individuals' personal information for purposes unnecessary to complete the original transaction. While the release of non-personal aggregate or summary information about customers may not invade personal privacy, the unrestricted use of personally identifiable information does. We noted that the privacy policy of eToys demonstrated a strong commitment to limiting the use of customer information: "We do not sell, rent, or loan any identifiable information regarding our customers to any third party. Any information you give us is held with the utmost care and security, and will not be used in ways to which you have not consented." This could be in part because Congress enacted the Children's Online Privacy Protection Act of 1998 and created specific privacy obligations for companies that routinely interact with young people. Lands' End, however, does not limit its use of personal information, as it states in its privacy policy: "We do just one thing with the information you provide that you may not expect. If you purchase a product from us, there is a chance that we will exchange your name with another company whose products and services might interest you." This policy was similar to many others that essentially tell customers personal information will be widely used for whatever purpose the company wishes.

Twenty-one companies appeared to limit the use of personally identifiable information to those required for the transaction.

2.8 Does the site specify the purposes for all information collected?

We included the purpose specification category to show whether sites inform users of every way in which their personal information will be used. We believe that if a company fails to explain the reason that personal information is collected, consumers will be unable to make a meaningful decision about whether to provide personal information. Some sites declare that they reveal information to third parties but are then extremely vague in their explanation of how this information is subsequently used. For example, Garden.com states in its privacy policy: "Garden.com may choose to share select information with [strategic business] partners to enhance the customers' experience. Customers may choose at anytime to be removed from this list… While Garden.com only chooses reputable strategic partners who adhere to similar policies we in no way are responsible for the actions or policies of these partners." On the other hand, Bluemountain.com describes exactly what it will do with personal information: "When you send one of our greetings, we use the information you give us to customize the greeting with your name and the recipient's name and to deliver email notifications to you and the recipient."

Fifty-eight sites specified the purposes for collection and use of personal information.

2.9 Does the site allow profile-based advertising to operate on their pages?

Our research also examined profile-based advertising by surfing with a browser set to warn the user before a cookie is sent. All cookies not coming directly from the site that was being visited, but instead from an advertiser, were noted. Since our search did not visit all the pages within a single site, it is possible that more advertisers were present than were found. We also found a wide variation in whether or not privacy policies mentioned the presence of third-party advertising. Some sites, such as Ticketmaster Online, mention that online advertisers are operating, but mischaracterize what those advertisers do. For example, one company that does profile individuals -- Doubleclick -- operates on the site, but the Ticketmaster privacy policy states: "Your specific user habits within our site will not be disclosed to any third parties." Only one site, Autobytel.com, mentions the advertiser operating on its site by name, links to the advertiser's privacy policy, and provides a way to opt-out of that advertising network.

In total, 35 sites allowed advertising by advertising networks and few mentioned that such advertising was taking place.
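
The third-party cookie tally described in section 2.9 can be automated from a log of responses that carried a Set-Cookie header. The following is an added example, not part of the original EPIC report; the hostnames and cookie values are constructed placeholders, and the two-label "site" comparison is a simplifying assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (page the user visited, URL of the response that
# carried Set-Cookie, raw Set-Cookie value). All hosts are placeholders.
OBSERVATIONS = [
    ("http://shop-a.example/", "http://shop-a.example/cart", "cart=7f3a; path=/"),
    ("http://shop-a.example/", "http://ads.adnet.example/banner.gif", "id=a1b2c3; path=/"),
    ("http://shop-b.example/", "http://img.shop-b.example/logo.gif", "v=1"),
    ("http://shop-c.example/", "http://ads.adnet.example/banner.gif", "id=a1b2c3; path=/"),
    ("http://shop-c.example/", "http://shop-c.example/", "sess=99"),
]

def site_of(host):
    """Naive site key: the last two DNS labels. Assumption for this example;
    a real audit would use the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(observations):
    """Return one finding per cookie, marked first-party or third-party."""
    findings = []
    for page_url, resp_url, raw in observations:
        page_site = site_of(urlsplit(page_url).hostname)
        setter_site = site_of(urlsplit(resp_url).hostname)
        jar = SimpleCookie()
        jar.load(raw)  # parses the Set-Cookie value into named morsels
        for name in jar:
            findings.append({
                "page_site": page_site,
                "setter_site": setter_site,
                "cookie": name,
                # Third-party: set by a response from a different site than
                # the page being visited, e.g. a banner ad image.
                "third_party": setter_site != page_site,
            })
    return findings

def third_party_summary(findings):
    """Map each visited site to the set of third-party sites setting cookies."""
    summary = {}
    for f in findings:
        setters = summary.setdefault(f["page_site"], set())
        if f["third_party"]:
            setters.add(f["setter_site"])
    return summary

def cross_site_setters(summary):
    """Third parties seen on more than one visited site, which is what makes
    profiling across sites possible."""
    seen = {}
    for page_site, setters in summary.items():
        for s in setters:
            seen.setdefault(s, []).append(page_site)
    return {s: sorted(p) for s, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    summary = third_party_summary(classify(OBSERVATIONS))
    for page_site in sorted(summary):
        print(page_site, sorted(summary[page_site]) or "first-party only")
    print("cross-site:", cross_site_setters(summary))
```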

2.10 Does the site utilize cookies?

We also noted whether sites were using cookies. Cookies can be used to enhance online shopping by tracking a series of purchases by one customer during a single visit to a website. Without cookies, it would be difficult, but not impossible, to store several purchases in an electronic shopping cart and enable payment. Cookies also provide a technique for merchants and advertisers to track consumer preferences and purposes over many visits to many different websites. It is this second use of cookies, sometimes referred to as "tracking" or "profiling," that raises privacy concerns.

While most privacy policies did note the use of cookies, at least one site that claimed not to utilize cookies was actually using them. It is possible that additional sites were using cookies in ways not detailed in their privacy policies. Macys.com's privacy policy includes a mention of cookies: "Although it is not used currently on this website, Macys.com hopes to begin using 'cookie' technology in the future." In the course of purchasing an item, Macys.com did in fact attempt to place cookies on the browser.

Eighty-six of the sites surveyed used cookies. Two sites -- Tower Records and Kenneth Cole -- did not allow users to visit their sites without generating cookies.

2.11 Other Findings

In our survey of the top 100 e-commerce sites, we found privacy policies that were often confusing, incomplete and inconsistent. The wide variation of these policies might frustrate consumers who are trying to determine which websites provide the best privacy protection.

3. Conclusions

Taken as a whole, we found that more sites are posting privacy policies than did when we conducted the first formal review of website policies in 1997. We have also seen the rise of new associations to promote the development of privacy policies and encourage industry awareness of privacy issues. But when we looked closely at these policies, we found that they typically lacked the necessary elements of Fair Information Practices and were unlikely to provide meaningful privacy protection for consumers. The presence of a privacy policy, unfortunately, does not always ensure privacy protection.

At the same time, marketers are using new and more sophisticated techniques to track consumers on the Internet. Profile-based advertising marks a sharp departure from traditional business practices which allowed companies to advertise products and services and still permit consumers to retain some privacy. In the world of radio, television and print advertising, for example, information flowed freely from businesses to consumers but little personally identifiable information was ever collected. In the online world, every consumer inquiry about a product and every ad viewing may quickly become incorporated into a detailed profile that will remain hidden from the consumer.

On balance, we think that consumers are more at risk today than they were in 1997. The profiling is more extensive and the marketing techniques are more intrusive. Anonymity, which remains crucial to privacy on the Internet, is being squeezed out by the rise of electronic commerce. Industry backed self-regulation has done little to protect online privacy. We believe that legally enforceable standards are necessary to ensure compliance with Fair Information Practices. And new techniques for anonymity are necessary to protect online privacy. Until such steps are taken, we have to repeat our advice for the third consecutive year -- "Surfer Beware."

 * Revised 1/10/99

1 "Surfer Beware: Personal Privacy and the Internet," conducted in 1997, looked at the 100 most popular websites. The report is available at http://www.epic.org/reports/surfer-beware.html. "Surfer Beware II: Notice is Not Enough" examined the privacy practices of the members of the Direct Marketing Association in June 1998. It can be found at http://www.epic.org/reports/surfer-beware2.html.

2 Forrester Research conducted a survey of 100,000 Internet users in September 1999 and found that 67 percent were very or extremely concerned about online privacy and an additional 24 percent were somewhat concerned.

3 A study conducted by the Georgetown Internet Privacy Policy Survey in January 1999 (http://www.msb.edu/faculty/culnanm/gippshome.html) found that less than 10 percent (32) of the 361 sites examined addressed the most basic privacy principles.

4 http://100hot.com/help/methodology.html

5 The most robust and comprehensive set of Fair Information Practices are described in the 1980 Organization for Economic Co-operation and Development (OECD) Privacy Guidelines. These can be found at http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM

6 The National Telecommunications and Information Administration (NTIA) of the Department of Commerce and the Federal Trade Commission recently held a workshop on this topic. EPIC filed a series of comments that are available at http://www.epic.org/privacy/internet/Online_Profiling_Workshop.PDF and http://www.epic.org/privacy/internet/profiling_reply_comment.PDF.

About EPIC

The Electronic Privacy Information Center is a non-profit public interest research organization based in Washington, D.C.
Electronic Privacy Information Center
666 Pennsylvania Ave, SE, Suite 301
Washington, D.C. 20003
+1 (202) 544 9240 (tel)
+1 (202) 547 5482 (fax)

