New complexities online have made consumer privacy a trickier business, and Internet companies have recently been given harsh lessons on a simple theme: “Never” really does mean never, even in Internet time. Customer data can be valuable, and in recent cases, companies that promised to keep that information private have found that changed circumstances made those promises difficult to keep.
The best known of these cautionary tales is toysmart.com, a failed retailer of children’s toys. Toysmart.com had represented on its Web site that customers’ personal information, such as names, addresses, billing information and shopping preferences, would be used only to personalize the customers’ online experience, even going so far as to include the following boast in its privacy policy: “When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.”
But when Toysmart went belly-up in May, the company began to take bids on its assets, including its customer database. After a Federal Trade Commission lawsuit charging deceptive practices and intervention by numerous states’ attorneys general, the database remains unsold, losing more value as time passes, and Toysmart’s creditors remain unsatisfied.
The Texas attorney general recently encountered a similar scenario with Living.com, a Web furniture store that closed several weeks ago. After the attorney general sued to prevent the sale of Living.com’s customer information, the company agreed to destroy all of its customers’ financial records, and also agreed that if the customers’ names and e-mail addresses were sold to a third party, each customer would be given notice of the sale and an opportunity to opt out of the database.
Bankruptcy is not the only business circumstance leading companies to run afoul of their stated privacy policies. Two separate class actions were filed against Toys ‘R’ Us on Aug. 2 alleging that its online subsidiary, toysrus.com, shared data collected from its Web site with market research company CoreMetrics, despite assurances to customers that their personal information was kept “completely confidential.” In Missouri, a health e-tailer called More.com was sued by that state’s attorney general, accused of violating its privacy policy by sharing customer data with third parties.
Perhaps in response to the difficulties some of these companies encountered, Amazon.com recently revised its privacy policy to clarify, among other things, that “in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.” The new policy also makes it clear that Amazon.com may share customer data with its growing list of partners and affiliates, and that customers have little choice in the matter.
Amazon has taken heat for its revised policy that lessens customer privacy, but as Toysmart and other cases have shown, the consequences of an inflexible privacy policy may be severe enough that companies should consider whether they are roping themselves into a corner. So, here are some things careful marketing professionals and other e-professionals should think about when implementing online privacy practices and policies:
• Avoid extreme representations. Toysmart used the word “never” without meaning it. That’s what triggered the FTC suit. In the absence of legislation to the contrary, there is no need to be so extreme, and Internet businesses can reserve some flexibility for themselves in their privacy policies.
The revised Amazon policy is one example; not only does the policy now explicitly tell customers that their information may be transferred as assets if Amazon is acquired, it also makes clear that Amazon may share data with its growing list of partners and affiliates. Keep in mind, however, that Amazon is not a member of TrustE or any other privacy seal-of-approval program, and if it were, would have been required, at a minimum, to give customers the opportunity to opt out of the sharing of data with third parties.
Another development in this regard is a report that bankrupt online news site APBnews.com was trying to auction its customer database in much the same way that toysmart.com did. Unlike Toysmart, however, APBnews.com did not represent in its privacy policy that it would never share or sell the information it collected.
• Avoid vagueness. The policy should give customers fair and clear guidance on the uses to which their personal information can be put. If business partners or affiliates exist or are envisioned, then the policy should attempt to set forth as many of these data-sharing situations as possible.
Toys ‘R’ Us claims its relationship with CoreMetrics is over, but questions, as well as the lawsuits, remain: Is confidentiality of data compromised when it is outsourced for processing, even if the recipient promises to use the data for internal purposes only? What happens when the partnerships and working relationships get one more step removed, and the information is shared with a partner or affiliate that shares it with a related third party?
• Who’s buying? If you plan to provide or sell your customer data to a third party, is that other company sufficiently related or similar to your own to pass the FTC’s scrutiny? Unless your privacy policy indicates that you can disseminate information willy-nilly, it appears the FTC is going to expect you to keep the data “in the family,” so to speak.
• What’s for sale? The FTC’s proposed settlement with toysmart.com was rejected by the bankruptcy court, which decided the issue was not ripe until a specific purchaser of the database was identified. Therefore, the guidance that it can provide for future cases is minimal, but it should be noted that the commission favored a sale of the customer database along with the entire company over a parceling off of the data. In the event of liquidation or another sale of assets, it seems fewer red flags are raised if the data are transferred as part of an entire business.
• Who’s in? It is always preferable to give customers choice. Most of the attorneys general who intervened in the Toysmart case urged the court to require opt-in consent after any transfer of Toysmart’s data; that is, the acquiring company would have to obtain the affirmative consent of every customer to have their personal information transferred and maintained by the acquiring business.
Several attorneys general took the position that opt-out permission was sufficient. Either way, businesses should realize the importance of choice whenever a transfer of personal data is made.
• How do I change my privacy policy? If you want to modify your privacy policy to give you more latitude with respect to how you use your customers’ personal data, keep in mind that changes to your privacy policy are not retroactive.
Unless your old customers affirmatively agree to any new policy, they cannot be assumed to be covered by it. Thus, following any change in policy, you’ll be in a two-bucket boat — you’ll have an old “bucket” of customer data for those who provided their information while the old policy was in effect. And you’ll have a new bucket containing customer information acquired post-policy-change.
Marc Roth is an attorney with Brown Raysman Millstein Felder & Steiner LLP. Reach him at [email protected]. Peter Scher, an associate with the firm, assisted with the preparation of this article.