Privacy Policy? What Privacy Policy?
As more Web sites hit the skids, customer databases could go to the highest bidder.Christina Wood
These are hard times for Internet commerce sites. Scarcely a day passes without news of a dot com's financial trouble or demise. That isn't upsetting only for workers worried about their jobs or investors who could lose their money. It should be alarming for all of us who do business on the Web.
And it's not just about your money. Sure, your first concern might be to get your cash back if you ordered something from a company that promptly went belly-up. But many of these companies have a commodity that can be as valuable as your cash and that they hold on to long after a sale is completed. That commodity is your personal information--and it can be at serious risk when dot coms die.
Consider the death of Toysmart.com. This toy site ran into serious financial trouble when its majority owner, Disney, backed out. The site ultimately shut down in May and filed for Chapter 11 bankruptcy protection in June.
As part of its reorganization efforts, Toysmart tried to auction off the database of information the company had collected about customers. The database contained addresses, shopping preferences, family profiles with the names and ages of children, and other personal information. The site's privacy policy had promised that customer information would never be shared with third parties. Yet less than one year after the privacy statement was posted, that data was being offered for sale to the highest bidder.
Privacy experts worry that the Toysmart case is only the beginning. "Frankly, we are going to see a lot of dot coms go out of business," says Richard M. Smith, chief technical officer at the Privacy Foundation, a Denver-based group that works on privacy issues involving computer and communications technologies. "We may see a lot more of this kind of thing in the future."
In fact, in a new privacy policy sent recently to its customers, Amazon.com stated that "in the unlikely event" the company were bought, the new owners would "of course" receive shoppers' private information as part of the deal.
In Come the Lawyers
Toysmart's plans set off an interesting legal brouhaha. The Federal Trade Commission, the attorneys general of 40 states, and privacy advocates all stepped in to block the sale.
The Federal Trade Commission proposed a settlement that would have prevented the Waltham, Massachusettsbased toy seller from selling its customer database except as part of the company--and then only to a buyer with a similar business. That wasn't good enough for the state attorneys general, who wanted to hold Toysmart to its promise that the information would never be sold. At press time, the parties were awaiting a judicial decision in the U.S. Bankruptcy Court in Massachusetts.
Considering all the legal powerhouses that have rallied to protect Toysmart customers, it's tempting to assume that you can continue to trust online privacy statements, no matter what happens to the firms you do business with. But that attitude might be taking things too much on faith.
"I don't want to say consumers should not worry. This is not a settled area of the law," says Dana Rosenfeld, assistant director of the Federal Trade Commission's Bureau of Consumer Protection.
Who Can You Trust?
Richard Smith worries about the fate of other cyberlists, particularly those at sites that gather medical or other sensitive data. "What if you get into a situation where you enter your health records at a site? Then a drug company buys that site. What happens to that data then? I'd be a little worried about giving out information--especially health records."
How do you protect yourself? "Anytime consumers choose to do business online, they should check out the viability of the company they plan to do business with," says Brad Maione, a spokesperson for the New York State Attorney General's office.
Unfortunately, keeping track of which Web sites are in financial trouble is a full-time job. In the real world, you lower your risk by doing business at reputable firms with storefronts you can return to. On the Net, you can apply much of the same filtering. If you like to shop at the Gap, Williams-Sonoma, or other large merchants in the real world, visit their sites when you shop online. There are no guarantees--after all Toysmart's biggest investor, Disney, is no fly-by-night operation. But Williams-Sonoma will likely try not to anger online customers it hopes will also visit its brick-and-mortar stores.
When it comes to private information, shopping sites aren't the only online venues you should worry about. If you plan to use the Net to secure insurance, loans, or other stuff that requires you to enter a good deal of personal information, you should do some legwork before you commit to a particular site. Consult the Better Business Bureau and the attorney general's office in the state where the company is based. For more tips, see "Dealing With a Dead Dot-Com."
No amount of research, though, can guarantee that a site won't sell information it promises to keep confidential. For that kind of protection, we may have to wait for legislative action. Both the FTC and the New York State Attorney General's office told me they have proposed legislation to protect consumers' privacy in this sort of situation.I believe that someday we'll have some legal assurance that our private information will remain private. Until that day comes, don't be reckless on the Web. Avoid giving out information. Do business only with outfits you trust. In short, watch your back. It's really all you can do.
Christina Wood is a PC World contributing editor.