InformationWeek

The Federal Trade Commission last week filed suit against Toysmart.com Inc., the failed online retailer of children's toys, to block the company from selling its customer data as part of its assets. The lawsuit stems from the fact that Toysmart.com--whose databases include children's names, birth dates, and toy wish lists--had a privacy policy that promised "personal information voluntarily submitted by visitors to our site, such as name, address, billing information, and shopping preferences, is never shared with a third party." The FTC thinks Toysmart.com should live up to its promise. "Even failing dot-coms must abide by their promise to protect the privacy rights of their customers," FTC chairman Robert Pitofsky said in a statement on the case. "The FTC seeks to ensure these promises are kept."

The FTC's action comes at a time when consumers are beginning to worry that online privacy policies--to paraphrase Sam Goldwyn's famous line about verbal contracts--aren't worth the paper they're printed on. In an election year, as politicians sense there are votes to be gained by promising to protect intimate details from online marketers, that may translate into federal action. It may help explain why there are 300 Internet privacy bills floating around Congress, with more expected. Also, a string of hacker attacks and database glitches has raised awareness of just how vulnerable the Internet is. Suddenly, the odds seem good that politicians--both here and overseas--will impose privacy controls on the Internet industry rather than let the industry regulate itself.

July has been a bad month for those who argue for industry self-regulation. Along with Toysmart.com, two other failing Internet companies--Boo.com and CraftShop.com--were discovered trying to sell private customer information such as phone and credit-card numbers, home addresses, and even data on shopping habits. That news prompted Rep. Spencer Bachus, R-Ala., to say he'll introduce legislation that would make it illegal to sell such data to third parties during a bankruptcy. At the same time, an ongoing class-action lawsuit against DoubleClick Inc., aimed at forcing the online advertising company to stop using Web bugs--a widely used and nearly invisible way to track Web surfers--and to let people see and correct the information about them, kept the privacy issue in the forefront. Even America Online came under fire; the online service is the target of a class-action suit that accuses its Netscape subsidiary of using a software program to secretly track downloads of .exe and .zip files. "Netscape is using SmartDownload to eavesdrop," the complaint says.

All these instances are more evidence that in the United States, when it comes to collecting and using customer data, the rule has mostly been: Anything goes. For instance, motor vehicle departments in some states sell drivers' personal data and pictures to businesses. "The default rule in the United States is that when people collect data, except in certain narrow categories, they can use it any way they want," says Maureen Dorney, a partner specializing in intellectual property and technology at the Palo Alto, Calif., law firm Gray Cary Ware & Freidenrich.

The Internet has upped the ante. The flow of data over the Web has made collecting customer information easier and cheaper, and businesses are getting more aggressive about gathering data as market competition gets stiffer and profit margins shrink. Companies analyze clickstreams to measure every move a customer makes, matching that information with sales data and demographics and ultimately pooling terabytes of information into massive data warehouses. Then they use this information to target marketing programs, content, and sales pitches. They share the data with partners; some companies even make money by selling off chunks to others.

Such activities have turned online privacy into an explosive issue, one that many companies may be underestimating. "There are a lot of heads in the sand," says Gary Clayton, founder and CEO of the Privacy Council, a Dallas company created to help businesses improve privacy practices. "Data flows through a company like water flows through pipes. I don't think businesses have really thought about how they manage this data, how it flows throughout the company. They haven't answered the questions: How do you get it, how do you use it, and who has rights to it?"

For the FTC, the suit against Toysmart.com demonstrates not the power of the people, but the problems with online privacy. "The FTC has the ability to take action in this case because Toysmart.com had a privacy policy and violated it," says an FTC spokesman. "But most companies don't have a policy at all, and they're free to do as they see fit with personal data. Our ability to protect the public is not sufficient to deal with the scope of the problem."

Other areas of the world that are more strict about the use of customer data are well aware of those limitations. Earlier this month, the European Parliament voted down the so-called "Safe Harbor Agreement," which would have allowed the export of electronic data on European citizens to the United States. The European Union's 1998 Data Protection Directive requires that European consumers be allowed to access and correct their data and specifically agree to sharing it with others. It also forbids the transfer of data on European citizens to countries that don't meet these standards. The Safe Harbor Agreement, announced May 30 after two years of negotiations with the U.S. Department of Commerce, says U.S. companies that agree to comply with voluntary guidelines would gain "safe harbor" from prosecution for importing data on European consumers. The agreement calls on the Commerce Department to keep a list of safe harbor-eligible companies, the FTC to review complaints, and the Department of Transportation and the FTC to police E-commerce Web sites and brick-and-mortar companies for violations.

The compromise agreement was expected to pass the European Parliament with little opposition until the Committee on Citizens' Freedoms and Rights, Justice, and Home Affairs issued a report in June questioning the FTC's enforcement abilities as "purely discretionary and in practice exercised only occasionally." Instead, the report called for an independent enforcement body like the one in the EU and asked that a provision be included to provide financial compensation to European citizens whose rights were violated.

The Internet privacy debate isn't new, but this year has seen some dramatic developments. In February, DoubleClick faced an organized protest from the Center for Democracy and Technology, which said the online marketing giant was using its relationships with other Internet companies to track the online activities of individuals and then tie them to those individuals' offline activities. That led to an FTC inquiry of DoubleClick's practices. At the same time, DoubleClick admitted it was a defendant in several class-action lawsuits. Also in February, Amazon.com Inc. disclosed that it and its Alexa Internet software subsidiary were facing two privacy-invasion lawsuits and an FTC inquiry.

continued...page 2, 3