The Electronic Privacy Information Center (EPIC) was established in 1994. EPIC strives to educate consumers on current privacy issues relating to the Internet. It produces reports conducts litigation, sponsors conferences, and publishes the EPIC Alert.21 EPIC believes that “online profiling is a serious threat to privacy because it happens so invisibly and information given to online companies can be used for a variety of purposes.”22
In trying to educate consumers, EPIC published three reports. The first, in June 1997, was entitled “Surfer Beware: Personal Privacy and the Internet”. This report reviewed the Internet privacy policies of 100 of the most frequently visited Web sites. The report found that only 17 of the sites had explicit privacy policies and none of the sites met the basic standards for privacy protection.23
The second report was published in June 1998, entitled “Surfer Beware II: Notice Is Not Enough.” This report conducted the first evaluation of self-regulation to protect online privacy of 76 new members of the Direct Marketing Association (DMA). Forty of the 76 new members had Web sites and only 8 of the 40 had any form of a privacy policy. Of the sites that had privacy policies, only three had privacy policies that satisfied the DMA’s requirements. None of the sites allowed individuals to gain access to their own information.24
The third report was published in December 1999, entitled “Surfer Beware III: Privacy Policies With Out Privacy Protection”. This report reviewed the privacy practices of 100 of the most popular shopping Web sites to see if they complied with the set of principles recommended in the Privacy and the National Information Infrastructure Report on basic privacy protection, whether they used cookies, and if they used profiled-based advertising. The report found that 18 of the sites did not display a privacy policy, 35 of the sites used profile-based advertising and 86 of the sites used cookies. Not one of the sites adequately addressed all of the elements of the Principles and many of the sites’ privacy policies were confusing, incomplete and inconsistent.25
David Sobel, General Counsel for EPIC believes that Internet users should not have to depend on the various privacy policies of every Web site. The government needs to establish basic guidelines and ground rules that apply from one site to another.26