What price privacy when dotcoms go down?

Customer lists can be worth big money. Lawyer CAROLINE BEAUMONT* examines what protection the privacy laws afford consumers.

In May, United States-based Toysmart ceased business and began soliciting bids for its assets, including details of about 250,000 customers.

While this was not prohibited by US law, Toysmart had promised customers it would never sell their names or personal information - an agreement it was now suggesting would be dishonoured.

Its decision drew protests from internet privacy advocates who said that if Toysmart was to proceed it would be a dangerous precedent and enable other failing dotcoms to sell their customer lists for cash.

In the face of fierce criticism, Toysmart did temporarily remove its customer list from the sale of assets, citing a lack of acceptable offers.

In the meantime, Toysmart's parent company, Disney, had also offered $50,000 for the information with a promise to destroy it.

A similar situation occurred in Britain in June, when Boo.com's liquidation saga ended after net fashion retailer Fashionmall.com bought the brand and website (as well as the customer list) for an undisclosed sum.

Once again, Boo.com had been trying to sell its customer information, including home and e-mail addresses, telephone numbers and family profiles.

So how does this situation relate to personal information a customer may give New Zealand e-commerce organisations such as internet service providers, retailers and other web-based merchants?

In most cases, internet users will find privacy statements or policies displayed on the websites they visit. These statements outline how each company proposes to protect and deal with personal information relating to browsers and customers alike. This is particularly so where the proposed use goes further than permitted by the 12 information privacy principles in the Privacy Act 1993.

Internet companies ("agencies," for the purposes of the Privacy Act) can collect, hold, use and disclose personal information provided to them by individuals. They can do this as long as the individual is clearly made aware how the recipient company proposes it will be done - for instance, by sharing it with their related companies, associates, agents, employees and the like.

Principles 8 and 11 of the Privacy Act are vitally important here, because they state that personal information collected by an agency for one purpose cannot be used for another purpose or disclosed (sold) unless the agency reasonably believes that the information is publicly available or it has the consent of the individual concerned.

On that basis, an online retailer, as an agency, cannot on-sell "non-public" personal information to, say, a direct marketing company without the consent of the individual that information concerns.

If a retailer is sold "as a going concern," then the retailer can, as part of the sale process, disclose personal information it has gathered about its customers to a new operator or owner whose identity is unknown to the customer.

This type of disclosure is actually consistent with the Privacy Principles.

The information is gathered for the purposes of a business activity and the purpose stays the same when it is only the owner of the business that has changed.

But the story might be a bit different if the customer list is sold as a standalone asset - as might happen in a "fire sale" by a liquidator. It would be hard to characterise this as a "going concern" and the individuals on the customer list would be required to give their consent.

Businesses must plan carefully how customer lists - which can be significant and valuable assets in their own right - might be used.

The other side of the coin is that, in practice, if a customer wishes to access and use the services of any online retailer, he or she must provide certain personal details before the retailer will allow transactions to proceed.

A customer does not have much opportunity to renegotiate the terms of any privacy policy or "use of website" terms and conditions at any stage. It is very much a "take it or leave it" philosophy.

But the internet provides choice and a business that does not meet the basic needs of its customers - responsiveness, security and privacy - is not going to last. Consumer trust is now as valuable an asset as customer details.

*Caroline Beaumont is a senior solicitor in the Russell McVeagh Technology Group.