Accordingly, you wish to heed the admonitions that if a company fails to update its policy to reflect its new practices, it may expose itself to lawsuits and regulatory actions.
Amazon's new policy also permitted it to share user data with its growing list of partners and affiliates while providing its users with little control over such data sharing. Amazon posted conspicuous notices of the policy change on the Amazon site and went so far as to e-mail each registered user about the policy changes.
Amazon, more than likely, was responding to a Federal Trade Commission lawsuit against Toysmart.com earlier this year when the failed site attempted to sell its users' names, personal data and usage patterns as business assets in its bankruptcy case. While Amazon may have expected some approval for taking the proactive step of modifying its policy to accord with the evolution of its business model and for making such change public, it instead was excoriated for its actions.
Two privacy watchdog groups, the Electronic Privacy Information Center and Junkbusters, have recently taken Amazon to task for not allowing its users to expressly consent to or opt out of its new policy and for reneging on its original promise that it would never sell, trade or rent personally identifiable consumer data.
They further chastised Amazon for removing the option previously provided to users to bar prospective transfers of their data to third parties.
EPIC and Junkbusters have requested that the FTC, and some international enforcement agencies, investigate Amazon for what they claim is tantamount to a massive bait-and-switch tactic.
This may create technological nightmares; you no longer will be able to treat all of your user data the same, but considering the alternative, it may be a small price to pay.
Letting user data slosh from one bucket to another may expose you to risk; keeping the contents of the buckets separate will help ensure that you use your customers' personal data only in the manner consented to.
• Maintain consistency in the use of your customers' data. When Amazon changed its policy to allow its user information to be deemed a business asset, one could argue that it was only clarifying what is regarded as acceptable general business practice -- that in the unlikely event it were to be acquired, Amazon, like any other business, would have to transfer whatever could be deemed an asset.
However, when Amazon also changed its policy to allow for transfer of user data to its "trusted partners," all semblance of from the old policy to the new policy disappeared. Without overwhelming reasons to make such an about-face, it may be best to stick with the policies to which your company initially committed.
Business realities may require certain changes in the use of your customers' data, but undoing the trust that has built up between your customers and you may require more modest and incremental changes than initially desired. Where reputation is everything online, it is best to balance the benefits of information flow and user personalization against users' very real expectations of privacy.
• Marc Roth is an attorney at Brown Raysman Millstein Felder & Steiner LLP. Jonas Kant, an associate at the firm, assisted in the preparation of this article. Reach Roth at email@example.com.