The IT Law Wiki


In re GeoCities, FTC Docket No. C-3849 (Feb. 12, 1999) (full-text).

Factual Background[]

GeoCities, headquartered in Santa Monica, California, operated the GeoCities website, a "virtual community" consisting of members' personal home pages organized into themed areas, called neighborhoods. GeoCities had over 2 million members, and industry reports identified it as the third most frequently visited website accessed from consumers' homes.

GeoCities provided numerous services to its members, including free and fee-based personal home pages and free e-mail service. In order to become a member of GeoCities, individuals had to complete an online application form that requests certain personal identifying information. At the time of the investigation, the form designated certain information as mandatory and other information as "optional." The form also asked applicants to select whether they wished to receive specific "special offers" from advertisers, and specific products or services from individual companies.

Through this registration process, GeoCities created a database that included e-mail and postal addresses, member interest areas, and demographics including income, education, gender, marital status and occupation. According to the agency, this information created target markets for advertisers and resulted in disclosure of personal identifying information of children and adults to third-party marketers.

FTC Complaint[]

The FTC's complaint[1] focused on two activities that the agency claimed were deceptive trade practices.

First, it alleged that GeoCities misrepresented "the uses and privacy of the information it collect[ed]" from consumers — namely, that the website had "sold, rented or otherwise marketed and disclosed [personal data] to third parties who have used this information for purposes other than those for which members have given permission," contrary to the website's stated privacy policy.[2]

Second, the complaint alleged that GeoCities made "[m]isrepresentations involving sponsorship" when the site stated that it personally collected and maintained children's personal information for an online club.[3] Instead, the complaint alleged that third parties were collecting and maintaining this personal data from children.[4] The FTC claimed that GeoCities' conduct constituted "unfair or deceptive acts or practices" in violation of Section 5 of the FTC Act.

Consent Order[]

The case quickly settled with the GeoCities Consent Order (Consent Order).[5]

The Consent Order prohibited GeoCities from misrepresenting the purpose for which it collects or uses "personal identifying information"[6] from or about consumers, including children.

The Order required the company to post on its website a clear and prominent Privacy Notice, telling consumers what information is being collected and for what purpose, to whom it will be disclosed, and how consumers can access and remove the information. The Notice, or a clear and prominent hyperlink to the Notice, would have to appear on the website's home page and at each location on the site at which such information is collected.[7]

The Order also prohibited GeoCities from misrepresenting either the identity of a party collecting any "personal identifying information" or the sponsorship of any activity on its website.

To ensure parental control, the Order required GeoCities to obtain parental consent before collecting "personal identifying information" from children 12 and under. The order did not require any particular procedure for obtaining parental consent, allowing for future technological developments, but included a specific procedure that would be deemed to comply with the order. Under that procedure, GeoCities could collect certain "limited screening information" from consumers attempting to register at the site for the purpose of identifying and blocking children 12 and under from registering without their parent's permission. The company would then (a) notify the parents of the child's interest in registering at the site, and (b) obtain a parent's express consent. The order specified several means by which the parent could transmit his/her consent, including a signed statement sent by mail or a credit card authorization.

Under the Order, GeoCities was required to notify its members and provide them with an opportunity to have their information deleted from GeoCities' and any third parties' databases. The settlement required GeoCities to notify the parents of children 12 and under and to delete their information, unless a parent affirmatively consented to its retention and use. GeoCities also would be required to contact third parties to whom it previously disclosed the information and request that those parties delete that information as well.

Finally, the settlement required GeoCities to provide, for five years, a clear and prominent hyperlink within its Privacy Notice directing visitors to the FTC's website[8] to view educational material on consumer privacy. GeoCities also was required to establish an information practices training program for its employees and volunteer community leaders.


The Geocities Consent Order became the blueprint for a series of [[complaints filed against websites that, inter alia, failed to comply with their own posted privacy policies.[9]

In addition, the provisions of the Consent Order relating to the collection and use of information from children formed the basis for the Children's Online Privacy Protection Act of 1998 (COPPA).[10]


  1. Complaint, In re GeoCities (F.T.C. Feb. 5, 1999) (No. C-3850).
  2. See id. ¶¶12-16 (setting forth the alleged misrepresentations involving information collected by Geocities).
  3. Id. ¶¶ 17-20.
  4. Id. ¶19.
  5. Decision and Order, In re Geocities, No. C-3850 (Feb. 5, 1999).
  6. "Personal identifying information" is defined in the Consent Order to include name, physical and e-mail address, phone number, and any other information that by itself or in combination with other information is identifiable to a specific individual.
  7. Id. at Part IV. These requirements reflected the Commission's earlier pronouncement that website privacy policies should reflect the Fair Information Practice Principles, including the Notice/Awareness Principle, the Choice/Consent Principle, and the Access/Participation Principle.
  8. FTC website.
  9. Documents related to these enforcement actions are available here.
  10. Pub. L. No. 105 to 277, Div. C, tit. XIII, § 1301, 112 Stat. 2681-2728 (1998), codified at 15 U.S.C. §§ 6501-06, and its implementing regulations. 16 C.F.R. Part 312 (Apr. 21, 2000).