The Web sites of 100 financial institutions will come under scrutiny this month as the Federal Trade Commission scours the Internet for corporate privacy policies.
The audit, which the FTC is calling a "sweep," aims to gauge how well American industry is policing itself in maintaining privacy standards on the Internet. The Clinton administration has urged all companies doing business on the Web to post statements about how they use information gathered from customers.
Throughout March, FTC workers will view 1,200 Web sites-belonging to financial institutions and other types of companies-to see how many comply. On June 1, the agency will deliver a report card to Congress, which will determine whether legislation is needed to protect consumer privacy.
FTC officials are calling the survey a test of self-regulation on the Internet.
"If we wait a year or two for self-regulation and it doesn't happen, I'm prepared to predict in the strongest terms right now that legislation will happen, and it will happen very promptly," said Robert Pitofsky, chairman of the Federal Trade Commission.
Mr. Pitofsky spoke Wednesday at an Internet privacy conference sponsored by the McGraw-Hill Companies. At the same event, Ira C. Magaziner, senior adviser to the President for policy development, advocated a "seal of approval" for Web sites that comply with certain privacy standards.
Mr. Magaziner said the administration wanted industry to set up and oversee such a system. "There are tens of thousands of Web sites that form every week around the world," he said. "We couldn't enforce all the regulations, even if we made them."
In July 1997, the administration announced its goals for privacy on the Internet. One was that "a substantial majority" of Web sites post privacy policies by March 1, 1998, said David Medine, associate director for credit practices at the FTC's Bureau of Consumer Protection.
With that deadline passed, FTC workers are now "slaving over computers" to judge compliance, Mr. Medine said.
Among the nonfinancial Web sites being scrutinized, 200 are targeted to children; 100 belong to companies in the health care industry; 100 are from retail companies; and 100 are "top sites on the Net generally," Mr. Medine said. Other sites will be chosen randomly from names listed in a Dun & Bradstreet directory.
"We're looking throughout the site to see if there's a description of the company's information practices," Mr. Medine said. "It doesn't have to be called a privacy policy-just something that explains how any information you input would be used."
No company will be penalized for the absence of a privacy policy. But if Congress determines that not enough companies have taken action, it is likely to compel them to do so, FTC officials say.
The American Bankers Association, the Consumer Bankers Association, and other trade organizations have been sending out samples of Internet privacy policies, and urging members to develop their own.
"We have warned banks for a while that this was coming," said John J. Byrne, the ABA's senior counsel and compliance manager for regulatory and trust affairs. "We're trying to raise awareness and serve as a clearing house."
The ABA held a conference call in January to discuss privacy policies. Of 85 banks represented, half said they already had posted one, "which is more than it would have been six months ago," Mr. Byrne said.
Mr. Byrne cited Chase Manhattan Corp. and Norwest Corp. as examples of institutions with model privacy policies. American Express Co.'s policy was also commended at the McGraw-Hill conference.
Chase, for instance, refers to its "customer information principles" on the home page of its Web site. Visitors who click on that icon can read five principles that Chase says "affirm our long-standing commitment to confidentiality."
Mr. Byrne said developing a policy should not pose a challenge for banks, since most have already laid out the basic tenets in their codes of conduct. When bankers say they are confused, "we tell them to take what is in their code of conduct and put that on a separate page" on their Web site, Mr. Byrne said.
Joe Belew, president of the Consumer Bankers Association, said his group has "been putting the word out" about the audit, but is "unclear" how many members have complied. Some bankers are debating how prominently a privacy policy should be placed on a Web site, he said.
"I think the FTC and the administration are to be commended for taking a wait-and-see attitude," Mr. Belew said. "This is a very difficult area to regulate."
Though banks and other companies seem to be paying more attention to on- line security, many consumers are still reluctant to use the Internet for business purposes. People say they fear the theft of a credit card number, or the unauthorized dissemination of personal information.
A Business Week/Louis Harris survey released Wednesday found that 78% of people who go on-line said they would use the Internet more if they felt the privacy of their personal information and communications were protected.
