By Heather Green
Last year, privacy snafus at Internet companies ranging from Amazon.com Inc. (AMZN ) to advertiser DoubleClick Inc. (DCLK ) gave consumers a crash course in the risks of offering up personal information online. The problem? Even though many Net companies posted clearly stated policies limiting how they may use consumer information--including pledges not to sell such data--those policies, as they say, aren't worth the paper they're written on. Online companies can readily change them, and customers can do little to stop them from selling information thought to be confidential.
Now, with dot-coms by the dozens going bankrupt, the problem might become much worse. As they close down, many online sites have discovered that the reams of customer data they hold may be one of few saleable assets. Remember the uproar caused by now-defunct online toy store Toysmart.com last June when it asked a bankruptcy court to approve its plan to auction off its list of 250,000 customers despite pledging never to do so? The sale, although stopped, was perfectly legal under the bankruptcy laws. Privacy advocates fear that such sales by strapped Internet companies could explode.
Already, Voter.com, a defunct political portal, announced plans in March to sell 170,000 e-mail addresses, along with party affiliations and issues of interest to people on the list. And companies are amending their privacy policies. On Apr. 2, eBay Inc. (EBAY ) became the latest high-profile site to claim the right to sell customer data if its assets are sold.
Congress hasn't been blind to the situation. An amendment that is now part of the Senate's version of the Bankruptcy Reform Act, proposed by Senators Patrick Leahy (D-Vt.) and Orrin Hatch (R-Utah), was intended to patch up consumer privacy in bankruptcy cases. But privacy advocates fear it is so watered down that it is unlikely to be effective. Yet a solution to the problem is clear. If legislators really want to protect consumers' privacy, here are some guidelines that need to be included:
-- Give people a choice. If a bankrupt company wants to sell its customers' information, it should be required to alert them. Customers themselves would then be able to decide whether or not they want information passed on to others. Already, many of the largest Internet companies, from Amazon.com to Priceline.com Inc. (PCLN ), have preempted this right. That belies their claims of being hypersensitive to customers' needs--and risks upsetting many who might in fact be happy to receive information from a potential buyer in the same market. But the choice should lie with the consumer, not the company.
-- Name and address only. The information companies can pass along should be limited to mailing-list information such as names and addresses. Ironically, in order to guarantee customer security during online transactions, many Internet companies ask for more info than brick-and-mortar stores do. This can include Social Security and bank account numbers. Nothing now would prevent online retailers from reselling that same data.
The risks of information being misused go well beyond online shopping. Highly sensitive medical information is collected online, while many kids' sites maintain "wish lists" that profile children's names, ages, and tastes. But all consumers--be they parents, patients, or simply avid book buyers--should feel secure that the information they offer up online won't be misused.
Green covers the Internet from New York.