Privacy Policies Must Cover All Bases

New complexities online have made consumer privacy a trickier business, and Internet companies have recently been given harsh lessons on a simple theme: "Never" really does mean never, even in Internet time. Customer data can be valuable, and in recent cases, companies that promised to keep that information private have found that changed circumstances made those promises difficult to keep.
But when Toysmart went belly-up in May, the company began to take bids on its assets, including its customer database. After a Federal Trade Commission lawsuit charging deceptive practices and intervention by numerous states' attorneys general, the database remains unsold, losing more value as time passes, and Toysmart's creditors remain unsatisfied.
The Texas attorney general recently encountered a similar scenario with Living.com, a Web furniture store that closed several weeks ago. After the attorney general sued to prevent the sale of Living.com's customer information, the company agreed to destroy all of its customers' financial records, and also agreed that if the customers' names and e-mail addresses were sold to a third party, each customer would be given notice of the sale and an opportunity to opt out of the database.
• Avoid extreme representations. Toysmart used the word "never" without meaning it. That's what triggered the FTC suit. In the absence of legislation to the contrary, there is no need to be so extreme, and Internet businesses can reserve some flexibility for themselves in their privacy policies.
The revised Amazon policy is one example; not only does the policy now explicitly tell customers that their information may be transferred as assets if Amazon is acquired, it also makes clear that Amazon may share data with its growing list of partners and affiliates. Keep in mind, however, that Amazon is not a member of TrustE or any other privacy seal-of-approval program, and if it were, would have been required, at a minimum, to give customers the opportunity to opt out of the sharing of data with third parties.
• Avoid vagueness. The policy should give customers fair and clear guidance on the uses to which their personal information can be put. If business partners or affiliates exist or are envisioned, then the policy should attempt to set forth as many of these data-sharing situations as possible.
Toys 'R' Us claims its relationship with CoreMetrics is over, but questions, as well as the lawsuits, remain: Is confidentiality of data compromised when it is outsourced for processing, even if the recipient promises to use the data for internal purposes only? What happens when the partnerships and working relationships get one more step removed, and the information is shared with a partner or affiliate that shares it with a related third party?
• What's for sale? The FTC's proposed settlement with toysmart.com was rejected by the bankruptcy court, which decided the issue was not ripe until a specific purchaser of the database was identified. Therefore, the guidance that it can provide for future cases is minimal, but it should be noted that the commission favored a sale of the customer database along with the entire company to a parceling off of the data. In the event of liquidation or another sale of assets, it seems fewer red flags are raised if the data are transferred as part of an entire business.
• Who's in? It is always preferable to give customers choice. Most of the attorneys general who intervened in the Toysmart case urged the court to require opt-in consent after any transfer of Toysmart's data; that is, the acquiring company would have to obtain the affirmative consent of every customer to have their personal information transferred and maintained by the acquiring business.
Several attorneys general took the position that opt-out permission was sufficient. Either way, businesses should realize the importance of choice whenever a transfer of personal data is made.
• Unless your old customers affirmatively agree to any new policy, they cannot be assumed to be covered by it. Thus, following any change in policy, you'll be in a two-bucket boat -- you'll have an old "bucket" of customer data for those who provided their information while the old policy was in effect. And you'll have a new bucket containing customer information acquired post-policy-change.
Marc Roth is an attorney with Brown Raysman Millstein Felder & Steiner LLP. Reach him at firstname.lastname@example.org. Peter Scher, an associate with the firm, assisted with the preparation of this article.