Thank you for sharing!

Your article was successfully shared with the contacts you provided.
A newly revised privacy policy posted on the Web site of Internet retail giant Amazon.com Inc. reads like a road map to recent developments in the online privacy arena. Amazon posted the new policy on its Web site Aug. 31 and also e-mailed it to more than 20 million customers. In contrast to the one it replaced, the new notice not only describes with much greater specificity what the company does with customer information, but also addresses issues concerning affiliates and agents, business transfers in the event of bankruptcy, and children. While Amazon asserted that it was seeking to strengthen customer trust, Internet lawyers pointed out that the company also seemed aimed at heading problems off at the pass. As Stuart D. Levi, who leads the Internet and e-commerce practice at Skadden, Arps, Slate, Meagher & Flom LLP, observed, over the last few months, companies have been watching sites get nailed for failing to adhere to their own privacy policies. As an example, he cited the case of Toysmart.com, which declared bankruptcy in July. The Internet toy store found itself being sued by the Federal Trade Commission for putting its customer database on the block. The FTC viewed the action as a violation of the company’s own privacy policy, which declared that such information “is never shared with a third party.” BANKRUPTCY ADDRESSED Not surprisingly, since the first Internet retail bankruptcy happened only this past May, when Craftshop.com filed for Chapter 11 protection, Amazon’s old privacy notice did not explicitly address this possibility. Rather, it declared in a sweeping, somewhat open-ended, statement that Amazon “does not sell, trade, or rent your personal information to others,” although it “may choose to do so in the future with trustworthy third parties.” In its stead, Amazon now lists specific circumstances in which it shares or may share customer information with third parties, including “business transfers.” “In the unlikely event that Amazon.com Inc., or substantially all of its assets are acquired,” the policy states, “customer information will of course be one of the transferred assets.” Charles L. Kerr, of the New York office of Morrison & Foerster LLP, suggested that by this new language, Amazon is recognizing that its former policy “could have been misconstrued to suggest that it would not sell its customer list if it sold all or part of its business, and wisely has modified” the policy to remove any such doubt. Amazon spokeswoman Patty Smith denied that the company was reacting to the Toysmart brouhaha in particular, but stated that with its new policy, Amazon was trying to be “as forward-looking as possible . . . taking into account as many unlikely scenarios as possible.” The privacy notice also includes “affiliated businesses we do not control,” and “agents” among the third parties with which Amazon shares customer data. Stewart A. Baker, a partner with the Washington, D.C., office of Steptoe & Johnson LLP and a member of the privacy board of Internet advertising agency DoubleClick Inc., pointed to “a couple of recent flaps” in which customers were dismayed to discover that certain third parties had access to data provided to sites. The new Amazon language addressing affiliates and agents, Baker surmised, was designed to deal with any criticism to this effect. In changing its policy, however, Amazon has apparently created a small flap of its own. Last week, two privacy watchdog groups, Electronic Privacy Information Center (EPIC) and Junkbusters, announced that in protest of Amazon’s revised privacy standards, they were severing ties with Amazon, which had been distributing their publications through an affiliates program. “We understood that Amazon did not disclose personally identifiable information to Amazon affiliates,” EPIC Executive Director Marc Rotenberg stated in a press release. “And Amazon offered assurances that it would not disclose customer information to third parties,” he added. Now, Rotenberg contended, Amazon has stated that “it could no longer guarantee that it would not disclose customer information to third parties.” Jason Catlett of Junkbusters stated in an open letter to Amazon CEO Jeff Bezos that the company’s new policy was “unacceptably weak.” To the contrary, Smith of Amazon contended, saying that EPIC and Junkbusters have mischaracterized Amazon’s new and former privacy policies. NEW “OPT-OUT” PROVISION Amazon also tweaked its “opt-out” provision. Customers used to have the option to forbid Amazon from selling, renting or trading personal information to any third party by sending an e-mail to [email protected] But never is a long time. Now, Amazon limits the choice to opt out only from promotional offers on behalf of other businesses. Privacy advocates view the change with narrowed eyes. A spokesman for pro-privacy group TRUSTe, Dave Steer, stated in a recent interview with the Associated Press that at the very least, customers should be able to say “No, I’d rather you didn’t share my personal data with a third party.” Terri J. Seligman, a partner at the New York office of Loeb & Loeb LLP, disagreed that the new policy was more restrictive. “I don’t think the notion of choice has been eviscerated by this policy by any means,” she said. She saw the change as more of a clarification than a limitation, and questioned whether customers ever could have effectively opted out of providing personal data to Amazon’s affiliated companies or agents, or in the event of a bankruptcy. By way of example, Seligman pointed to the agents listed in the new policy, who perform functions such as fulfilling orders, delivering packages, processing credit card payments and providing customer service. It would be difficult, if not impossible, to honor a customer’s request to opt out of sharing information with such third parties, she said. As for business transfers, lawyers noted that no court has ruled on whether a privacy policy survives a company’s bankruptcy. If so, said Baker of Steptoe & Johnson, it would be practically the only promise that does. Another new provision of Amazon’s privacy policy, one labeled “Children,” states that the company “does not sell products for purchase by children. We sell children’s products for purchase by adults.” Amazon’s Smith denied that this provision was prompted by the Children’s Online Privacy Protection Act, which went into effect this past April. But Baker stated that companies were anxious to remove themselves from COPPA’s reach, which creates “enormous paperwork hassles” for companies forced to comply with its “elaborate regulations.” COPPA’s regulations are triggered either when a site targets children specifically, or when the company knows that the information it has gathered is about children, he said, adding that Amazon has made it plain that it does neither. MORE HONEST In a press release, Amazon’s Bezos stated that, overall, Amazon wanted its customers “to have as clear a picture as possible of what we’re doing and not doing when it comes to the information they give us.” Stuart Levi of Skadden Arps agreed that the new language was clearer. He described it as more “consumer friendly” because “it put people on notice” as to what Amazon does with information. “It’s honest,” Loeb & Loeb’s Seligman said, “assuming they are abiding by it.” She added, however, that what Amazon had done was not right for everyone. “The more specific you are, the greater the danger that you will violate your own policy,” she said. But she agreed that Amazon’s policy was the type that a company could realistically adhere to, if it had sufficient infrastructure and good communication within the company. Smith said that Amazon was “one of the first if not the only company to proactively notify its customers” that it had revised its privacy policy. An informal survey of some of the larger Web sites and Amazon competitors — e-Bay, CDnow, Yahoo! and America Online — confirmed that none has substantially revised its privacy policy this year, nor do they specifically address what would happen with customer data in the event of bankruptcy. Steptoe’s Baker speculated that we may see more revisions in the near future. “A lot of companies are revisiting their privacy policies in light of recent events,” he said. He added that he “was glad to see” Amazon’s new policy. “The issues it addresses would have come up eventually anyway,” he said. Morrison & Foerster’s Kerr agreed, stating that he thought Amazon’s move to be “pretty smart.”

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.