At least three companies that have recently failed, Boo.com, Toysmart and CraftShop.com, have either sold or are trying to sell highly sought-after customer data that could include information such as phone and credit card numbers, home addresses, and even statistics on shopping habits.
The practice has raised the hackles of some privacy watchdogs and possibly thousands of consumers who assumed the data would not be transferred.
"It is inappropriate and potentially illegal to sell customer information when it was collected under the assumption that it wouldn't be shared," said Truste spokesman Dave Steer. "It's an invasion of privacy and if not handled swiftly could happen again and again."
Truste is a Net privacy program that is a sort of Good Housekeeping Seal of Approval for the Web. Boo.com and Toysmart are among the more than 2,000 sites to receive the Truste "seal," meaning they met certain criteria for safeguarding their customers' privacy.
When Fashionmall.com purchased some of the assets of Boo.com this month, it specifically noted that it had acquired data on Boo.com's 350,000 customers. CraftShop, since filing for Chapter 11 bankruptcy in May, is actively seeking a buyer for its customers' personal information that it had promised "to never disclose...Ever."
Toysmart, meanwhile, advertised the sale of its customer list and database in The Wall Street Journal last month after ceasing operations. The company overseeing the sale of Toysmart's assets, the Recovery Group, said several interested parties have bid on the customer information.
A final sale will depend on settling the question of whether a sale violates Toysmart's privacy agreement. A disagreement among Toysmart's creditors has led to the case being turned over to a federal bankruptcy judge, said Stephen Gray, the Recovery Group's managing director.
"A federal judge (Carol Kenner), will probably decide whether the information can be sold," Gray said.
Companies on the Internet are not alone in collecting data about customers or turning it over to new owners following bankruptcies or mergers. For example, it is routine for banks and hospitals to transfer intimate consumer or patient data following an acquisition.
However, the assurance of privacy on the Net is particularly troubling for many consumers, because they have only a vague notion about the wealth of information that can be gathered, analyzed and transmitted to third parties.
Privacy in the fine print
In response, the industry has sought to temper consumer fears by posting detailed explanations about the information being collected and how it is used. Privacy agreements are now standard on most e-tailing sites, with varying degrees of actual privacy depending on the wording.
Some companies say they are being careful to honor the letter of the privacy agreement. For example, privately held CraftShop is selling customer information along with the actual name of the site, noting that it does not constitute a transfer of information to a "third party."
"CraftShop promised that it wouldn't release the names without approval," Mackey said. "So we just can't take the names and sell them to anyone interested. We couldn't deal them independently. (The company name and customer list) had to go together."
While such a transfer may be perfectly legal, some privacy advocates find that to be little solace.
Such a sale is taking advantage of a loophole, according to Andrew Shen, policy analyst with the Electronic Privacy and Information Center (EPIC), a privacy watchdog group based in Washington, D.C.
"This is why the (Federal Trade Commission) act is not a sufficient manner in which to protect privacy," Shen said. "We need stronger laws to prevent the exchange of customer information when companies merge or are sold."
Among the provisions of the FTC act is a section that prohibits unfair or deceptive business practices. That's the section the FTC is using to make inquiries into the Toysmart sale, Steer said. Truste contacted the FTC after learning the e-tailer was planning to sell its customer list.
Gray confirmed that the FTC has contacted Recovery Group about the sale.
Legislation at work
The FTC has acted before to protect consumer privacy on the Web. In 1998, the FTC forced GeoCities to post a notice on privacy after determining the community site misled customers when it asked them to provide personal information it eventually shared with marketing firms.
Shen said lawmakers should bar bankrupt companies from selling customer data to pay their creditors or for any other reason.
"A lot of these companies are going to go belly-up," he said. "And one of the things these companies are going to sell is personal data. Quite clearly there should be legal prohibitions on doing that."
Congress is moving to create more safeguards. Sen. Fritz Hollings, D-S.C., has sponsored legislation that, among other things, would prevent creditors from including customer information among a failed company's assets. It would also make it illegal to share customer information without the customer's prior consent.
In Toysmart's privacy statement, the company stated that "personal information," such as "name, address, billing information and shopping preferences, is never shared with a third party."
CraftShop's was even more detailed: "We will hold your secure online shopping information in the strictest confidence," the agreement said. "We will never release it to any person or any company for any purpose. We do not sell, rent or lend any part of our mailing list."
London-based Boo.com's privacy agreement was unavailable, but Fashionmall chief executive Ben Narasin said that Boo.com did have one and that it stood up to strict European privacy laws. Narasin said he intended to send email to all the customers on the Boo.com list to get their permission to continue sending them information.
All three companies say their efforts are aimed at paying creditors. Fire sales of Net companies aren't particularly lucrative; the assets can make 10 cents on the dollar, according to some bankruptcy attorneys. Customer lists are considered among the most valued assets of any technology company.
However companies decide to handle the data about their customers, it is generally believed that the courts will make the final decision.
"Its one thing for a private company to have to decide, but man, there's a lot of money in public companies," Mackey said. "And believe me, there's going to be a race to the lawyers."