GeoCities Settles Case Over Online Privacy

In a groundbreaking case that strikes at the heart of consumers’ growing fears about online privacy, GeoCities settled government charges Thursday that it collected personal information about its customers, including children, then sold the data to marketers in violation of its own stated privacy policies.

The case marks the first time government regulators have formally accused any site on the Internet, let alone one as popular as GeoCities with its 2 million members, of such deception. It comes at a time when electronic privacy is emerging as one of consumers’ greatest concerns about the burgeoning Internet, which offers powerful new ways for companies to assemble, buy and sell detailed statistical profiles of users.

FTC officials said the case marks the beginning of a vigorous push into this new, digital realm of consumer protection.

“This is an example of the kinds of actions we look to bring in the future,” said Toby Levin, an attorney in the commission’s bureau of consumer protection. “We would hope this sends a message to Web sites about being truthful about their information practices.”

GeoCities executives denied the FTC allegations, saying the company “believes that it has acted fairly with its customers” and agreed to the settlement “in order to resolve the matter in an expeditious manner.”

Thomas Evans, chief executive of GeoCities, acknowledged that some data were sold to other companies but said: “We think we made it clear to customers how that information could be used. The FTC disagreed, so we revamped our privacy policy to be at the highest level of compliance.”

Santa Monica-based GeoCities has built one of the 10 most popular sites on the Web by helping users erect their own Web pages and grouping them in “cities” organized by theme.

GeoCities’ shares plunged $7 to close at $38.50 on Nasdaq on Thursday, just two days after the company’s stock soared following an initial public offering in which it raised $80.8 million.

Under the terms of a 20-year consent order, GeoCities will be required to spell out what information it collects, how it is used and to whom it will be disclosed. The agreement also requires the company to obtain parental permission before collecting information from children under 13. If GeoCities fails to abide by these terms, the company faces civil penalties up to $11,000 for each infraction, FTC officials said.

Privacy advocates pointed out that those penalties are relatively mild and that enforcement will continue to be a problem simply because of the vastness of the Internet. But they praised the FTC for taking action at a time when consumers are increasingly being plied to disclose their names, ages, interests, income levels and other personal information over the Net.

“This is a new area of law and you expect the first enforcement steps to be tentative,” said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington. “But I think it’s a significant step for the FTC and makes it clear that the government has an important role to play in protecting privacy.”

The FTC’s allegations against GeoCities center on detailed information the company collects from its users, including children, as they fill out an online registration form. Collecting such data is not illegal, but the FTC accused GeoCities of misleading consumers about what would be done with their data.

Part of GeoCities’ application form, for instance, pledged that the company “will not share this information with anyone without your permission, but will use it to gain a better understanding of who is visiting GeoCities.” But FTC officials say the company sold that data to other Internet companies and marketing firms anyway.

Evans admitted the data were sold but stressed that it was never used and was destroyed after the FTC first approached the company last fall.

The FTC also accused GeoCities of misleading customers in other ways. A service for children called the “GeoKidz Club,” for instance, appeared to be operated by the company and used contests and other means to encourage children to supply personal information. But FTC officials said the club was actually run by one of GeoCities’ members, and that the company did not have control of the data collected there. GeoCities counts about 50,000 children under age 13 among its members.

Levin, who declined to say what prompted the investigation, said GeoCities cooperated with the investigation and that its revamped privacy policy is a model that all Web sites would do well to emulate.

Indeed, GeoCities’ Web site now includes a comprehensive privacy policy. But as often is the case, the policy is displayed on a separate page and it’s up to users to find it and read it. GeoCities has agreed to honor any requests from members who want their personal data removed from its databases, Levin said.

But Thursday’s FTC action aside, privacy experts caution that such conflicts are bound to proliferate, because the Net, with its combination of one-on-one interaction and global reach, makes it so easy to build statistical profiles of consumers and is such a tempting marketing tool.

Recent surveys by the FTC and others have shown that consumers are increasingly concerned that their anonymity is being rapidly eroded in the digital age. The issue has become a heated one in Washington, where Vice President Al Gore recently called for legislation protecting children, and the chairman of the FTC testified that his agency is dismayed by the failure of most online companies to even state their privacy policies.

Hoping to dissuade lawmakers from passing stiff new laws, industry giants including Microsoft Corp. and America Online recently formed the Online Privacy Alliance to establish privacy guidelines and put pressure on Internet companies to comply.