Amazon and Privacy

26 October 2000
If you own an e-commerce or other type of online business, one of your most valuable assets is the information that you've collected about your customers. Like any business asset, you should use it to help you turn a profit. Caution is in order though unless you're willing to risk having the press mercilessly attacking you. just learned this lesson.

Some will tell you that the Net is like the "Wild West." While it's true in some ways, it's also true that in many ways everybody is watching the Net like a hawk.

While can slide by in a relatively unregulated environment, if you manage a big name website like an or, you're living under a microscope. One false step and the press jabs at you like you're a bull in a bullfight.

Even if you're a lower profile company, you're not off the hook. You still live in a world where negative publicity or even a disapproving customer buzz can cripple your bottom line.

The Amazon Tale

Of course, I've left many of you hanging since I mentioned that the press recently fried Amazon, but didn't tell you why. The "why" is that they changed their privacy policy in a way that made privacy advocates sizzle.

Here's the most controversial part (English translation follows). "As we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets."

Simply, this means that if Amazon sells some or all of its business or goes bankrupt, they can transfer whatever it is that they know about their customers to whomever ends up with their assets. So?

It's never been different. Businesses have been buying and selling business assets, including everything they know about their customers, since the first apple cart business changed hands in some place called the Garden of Eden.

Having said this, I should also point out that it's clearly not PC (as in politically correct not personal computer) view. PC says that your privacy policy should say, "We treasure the trust that you have shown us by giving us your name, telephone number, and mailing and e-mail addresses. Under no circumstances will we ever reveal this information to anyone. Further, we'll never send you an unsolicited e-mail unless we first call you at home during dinner and ask you if that would be okay."

Why is it that PC seems to care less about that really annoying telephone call? Could it be that Net businesses get unfair scrutiny?

I'm a consumer too. I don't really want my name in a database along with a comprehensive list of everything I've bought in every drugstore, record store and bookstore this year either.

Still, since the information is digital now and moves at Net speed, prohibiting its flow may be a bit like making it illegal for water to run downhill.

I'll go out on the not PC limb here. I think that what did was reasonable and responsible. Selling their customer list as a part of some future hypothetical sale of assets is just the way it has always worked and will always work. isn't the evil one here. What they did was fully and frankly disclose a universal business practice. recently ran afoul on this issue when it tried to sell its customer list as a part of a sale of its assets. This, after it had a posted privacy policy that said, "When you register with, you can rest assured that your information will never be shared with a third party." Selling information in the face of this explicit assurance is wrong. (I have my PC moments in this area.)

Post Your Privacy Policy

If you're responsible for a website that collects information about Web surfers, you should prominently post a privacy policy. It should include a clear disclosure of what information you collect, what you do with it, how you keep it secure, how customers can see the information you have, what choices they have about how you can use it, how they can fix incorrect information, and with whom you share the information.

The bad news is that the law is a bit unclear when it comes to where some of the lines are as to how you can legitimately use your customer's information. At the same time, this same uncertainly is the good news.

The political issue of what the law should be is an interesting question, but not the one your business needs to concern itself with today. For now, work with the broad parameters the law gives you and maximize the value of the information assets you possess. Further, you should closely watch the law, and the outside parameters of PC, as they develop, so that you maximize your profit while not finding yourself at the ugly end of bad publicity.

He who walks the fine line just right can win this game as the rules quickly evolve.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at:

If you have any comments, please send them to

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.