The Santa Clara-based company has been asked to turn over documents to determine if it complied with the FTC's consumer protection regulation against the use and disclosure of user data, Yahoo! revealed in its annual report filed with the U.S. Securities and Exchange Commission on Thursday.
The investigation may also include the company's subsidiary GeoCities, which helps people set up their own Web sites. GeoCities reached a settlement with the FTC in 1998 agreeing to change the way it collects and distributes information about its customers.
Yahoo!, which runs some of the most visited sites on the Internet, warned any findings that it or any of its subsidiaries failed to comply with its posted privacy policies could result in proceedings by the "FTC or others which could potentially have an adverse effect on our business, results of operations and financial condition."
FTC spokeswoman Claudia Bourne Farrell confirmed that the agency is conducting a "routine inquiry" of Yahoo! to see if it has engaged in unfair or deceptive practices. The company has been cooperating in the inquiry, she said.
A Yahoo! spokeswoman said the investigation was prompted by a report in January from the California HealthCare Foundation's report on health-related Web sites.
The Oakland, California-based nonprofit agency profiled the practices and policies of 21 health-related Internet sites, including Yahoo!, and warned "they have not matured enough to guarantee the quality of the information, protect consumers from product fraud or inappropriate prescribing, or guarantee the privacy of individuals' information."
Yahoo! has its own health information category and also refers users to medical site WebMD through its site, as does No. 2 Web portal Lycos.
Yahoo! said it voluntarily turned over information to the FTC and would defend its privacy practices.
"We take privacy very serious. We are committed to it and we are proud of our record," the company said in a statement.
The FTC scrutiny of Yahoo! is the latest in the increasingly contentious issue of whether Internet companies can implement comprehensive privacy policies and also self-regulate them.
Earlier this year, online advertising firm DoubleClick Inc., generated outrage among privacy advocates after it said it planned to combine online and offline data that it collects on consumers.
Activists worried that DoubleClick would combine online surfing habits cultivated by its ad network with personal information collected by transaction records. DoubleClick's move also prompted an FTC investigation into whether it violated privacy laws, though it has since backed away from its proposal.
So far the Clinton administration has urged U.S. companies to regulate themselves as to how they protect consumer privacy on the Internet, such as under programs run by the Better Business Bureau or Trust-e, which audit companies that volunteer to participate.
But some lawmakers and other government officials believe it increasingly likely that new laws are inevitable.