At least Amazon is being honest. The new policy spells out in more detail than in the past what info Amazon may share with other companies and when. And its mass e-mail is a welcome change from many other commercial Web sites' practice of not bothering to tell customers when they revise their privacy policies.
Still, this change raises a troubling issue that underscores the need for tighter federal privacy rules, especially for Web companies. Many sites post privacy policies that promise they won't share users' personal data with others. But those promises aren't worth the paper they're not written on--and in the face of rising financial pressures, many more Web sites are likely to follow Amazon's lead and decide to back out of them as well.
Why? Under current U.S. law, everything a Web company knows about you can be sold to the highest bidder. Only voluntary privacy policies, designed to put customers at ease, keep them from doing so. But given the worsening financial state of many dot-coms, many will be tempted to amend their policies and sell customer data--or be forced to if they slip into bankruptcy. There are few legal protections against chapter 11 transfers. "Over the next few months, I expect everyone will make this clear," says Tod Cohen, Washington counsel for online auctioneer eBay Inc., which plans to follow suit.
Under Amazon's old policy, customers could send an e-mail to email@example.com asking that data about them not be sold or given to third parties. Those requests will still be honored, and because of an international agreement, European users will still be able to opt out. But new American customers won't. Amazon says such restrictions on data-sharing would impede its budding partnerships with outfits such as toy merchant Toys `R' Us and Drugstore.com.
But the key reason Amazon is retooling its policy, privacy experts say, is to avoid the fallout that snarled Toysmart.com's efforts to sell its customer list after management filed for bankruptcy. Toysmart had promised customers never to share customer info, so the Federal Trade Commission filed suit against the Waltham (Mass.) company in July. The FTC reached a settlement that set curbs on the sale of the data, but a Massachusetts bankruptcy-court judge rejected that deal in August.
Experts say the Toysmart case and Amazon's move highlight two trends: The growing interest in selling consumer data collected online and the legal murkiness of company promises to protect shoppers. "Consumers provide information at their own risk," warns Mark E. Plotkin, a partner at Washington law firm Covington & Burling. The FTC's jurisdiction clearly does not reach into bankruptcy proceedings.
URGENT. It's up to Congress to sort out the competing claims of bankruptcy law, mergers-and-acquisitions law, and privacy rights, online or off. But the urgency is greatest in cyberspace. Trafficking in Web data is far more of a privacy threat because e-companies can gather so much more--and more intimate--information about users than real-world companies can. A bricks-and-mortar bookseller knows what you've bought but not where you browse, while a Web bookseller knows you've scanned reviews of self-help books for HIV sufferers or erotica. "Online is far more intrusive," says Richard M. Smith, chief technical officer at the Privacy Foundation. "These are two different worlds."
Many consumers won't realize the full import of their loss of privacy until after their personal data has been sold and used. That's why Web companies that want to share users' personal data with other companies should be required to seek their consent. Consumers' right to privacy ought to trump creditors' rights to cover their debts.