Site   Web

February 11, 2009

Your Privacy Policy: Plan Ahead Or Your Opt-In and Customer Lists May Be In Jeopardy

I talk to clients all the time about not falling into the trap of believing that their privacy policy is really nothing but a lot of fluff, filled with vague, self-serving statements such as “we respect your privacy”. It’s actually way more than that; it’s viewed as an enforceable contract by the Federal Trade Commission (FTC), and as such it may be construed against you and subject you to substantial liability.

It’s critical that you plan ahead… anticipate the future needs of your ecommerce business in terms of your marketing needs and related requirements of collecting, storing, and using information collected from site visitors. Failure to do so may jeopardize your most important assets — your opt-in and customer lists.

The Toysmart Case

Toysmart was an online seller of children’s toys. In 1999, Toysmart’s privacy policy was explicit; it stated unequivocally that the company would not share personal information of customers with any third party. Later, unforeseen difficulties forced Toysmart into bankruptcy under Chapter 11. One of Toysmart’s most valuable assets was its customer list and its associated personal information.

In 2000, when Toysmart attempted to sell its customer list to generate a recovery for its creditors, the FTC filed a “deceptive practice” lawsuit under Section 5 of the FTC Act. In addition, several state attorneys general objected to the sale. The FTC maintained that the sale of the customer list could only be consistent with the established privacy policy, and Toysmart’s privacy policy did not authorize the sale of personal information in the event of bankruptcy.

TIP No. 1: amend your privacy policy to cover transfers as part of any merger, acquisition, or sale of the company and/or its assets, as well as in the unlikely event of insolvency, bankruptcy, or receivership.

The Gateway Learning Corporation Case

Beginning in 2000, Gateway Learning Corporation posted a privacy policy on its website promising, among other things, not to rent consumers’ personal information to others.

In April, 2003, despite these promises, Gateway started renting personal information provided by consumers – including their names, addresses, phone numbers, and age ranges and gender of their children – to target marketers for use in direct mailings and telemarketing calls. Two months later, Gateway amended its privacy policy to permit the sharing of personal information, apparently believing that the amendment would take effect retroactively.

The FTC promptly filed suit against Gateway alleging that Gateway’s renting of personal information collected prior to the privacy policy amendment was unauthorized, and therefore a “deceptive practice” under Section 5 of the FTC Act. In other words, the FTC argued that the amendment was not retroactive.

TIP No.2: ensure that any personal information that is shared with others is authorized by clear privacy policy notices which were in the policy at the time the personal information was collected. Amendments regarding the sharing of personal information are not effective retroactively.


Although your privacy policy may not be an enforceable contract between you and site visitors in the strictest sense, the FTC will enforce your privacy policy against you for purposes of a Section 5 violation, and the FTC is always watching for violations. For this reason, privacy policies should be drafted and frequently reviewed with the lessons of the Toysmart and Gateway Learning cases in mind.

Given the difficulty of amending privacy policies retroactively, particularly regarding the sharing of personal information, it’s highly recommended that you anticipate in advance to the extent it’s possible the privacy disclosures that you might need to make down the road, and add them to your privacy policy now… before its too late.

Here’s a list of a few examples:

  • collection of passive information by cookies and Internet tags;
  • collection of navigational data by log files, server logs, and clickstream data;
  • sharing with service providers such as ISP’s website designers, etc.;
  • sharing with your entity affiliates, (subsidiaries, related entities);
  • sharing with purchasers of your business;
  • sharing with third-party web analytics services such as Google Analytics; and
  • as pointed out in the Toysmart case, sharing in the unlikely event of bankruptcy, or receivership.


The lesson to be learned… if you anticipate these issues now and provide for them, you won’t be jeopardizing your most important assets — your opt-in and customer lists.

Chip Cooper is a leading intellectual property, software, and Internet attorney who’s advised software and online businesses nationwide for 25+ years. Visit Chip’s site and download his FREE newsletter and Special Reports: “Determine Which Legal Documents Your Website Really Needs”, “Draft Your Own Privacy Policy”, and “Write Your Own Website Marketing Copy — Legally”.