ad info  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

Sale of's customer list raises privacy concerns


(IDG) -- this week said it has signed an agreement to purchase the assets of floundering online drugstore -- including its customer list -- and its subsidiary,, for approximately $6 million.

But's decision to sell its customer data has raised concerns among privacy advocates, who say the move seems to violate the company's promise not to do so.

Under the deal, HealthCentral in Emeryville, Calif., will also acquire's Web site, trademark and its affiliate agreement with retail drugstore Phar-Mor. HealthCentral will also buy's home store,, its Web site, inventory and its lease on a warehouse and distribution center in Gaithersburg, Md.

In exchange, San Francisco-based will receive 5 million shares of HealthCentral stock -- worth about $6.25 million at yesterday morning's stock prices -- which it can't sell before March 15, 2001. The deal is expected to close next month.

In effect, is joining the ranks of other dot-coms that have recently gone out of business.

But's decision to sell its customer list -- which also includes information about products and prescriptions customers purchased -- is generating questions among privacy advocates.'s privacy policy, posted at its Web site, reads, " does not give, sell or rent your personal information to third parties for purposes other than fulfilling your request. To better serve you, we use trusted third parties to fulfill and ship your order(s). We also use trusted third-party business partners to distribute our electronic newsletters and send you promotional offers."

"This is another outrageous example of why self-regulation does not work," said Evan Hendricks, editor of the Washington-based "Privacy Times" newsletter. "When you say you will not sell [customer] data, you should not sell [customer] data. But when there is no enforcement by law, an individual has to depend on the good faith of the data keeper."

However, HealthCentral and contend that because HealthCentral is buying's entire business, including its Web site and goodwill -- not just its customer list -- HealthCentral is's "successor-in-interest" and should be treated as the same company, not a third party.

In addition, Frank Newman,'s president and CEO, and Joanne Papini, a spokeswoman for HealthCentral, said no changes would be made to's privacy policy unless such changes are posted on HealthCentral's Web site. And before HealthCentral could make additional use of the customer information, those customers would have to give their permission, or opt in, to any new policy.

"HealthCentral has bought's customer list ... its Web site and goodwill," Newman said. "HealthCentral is a qualified buyer in a related market and has agreed to be's successor-in-interest to's protection of consumer information."

Jonathan Moskin, an intellectual property lawyer at Pennie & Edmonds in New York, said that as a general rule, in the bricks-and-mortar world, the assignment of substantially all assets of one company to a new company binds that new company to the obligations of the former company. However, he said he hasn't seen any definitive law regarding online privacy issues.

Hendricks said that if the Federal Trade Commission (FTC) decided had violated its stated policy, the agency could step in and file a complaint in court for unfair and deceptive business practices against the company.

An FTC spokeswoman said she had no comment on the matter. However, this summer the FTC weighed in on a decision by the now-defunct online toy retailer to sell its customer list after promising customers it wouldn't sell the data to a third party. The FTC said Toysmart could sell its customer list to a "successor" company, which would also be required to buy its Web site, goodwill and business.

But the attorney generals of Massachusetts and 38 other states disagreed with the FTC's decision, saying a successor company is still a third party and continued to block the sale of Toysmart's customer list in bankruptcy court. A bankruptcy court judge has yet to make a final decision on the sale of that data.

Andrew Shen, a policy analyst at the Washington-based Electronic Privacy Information Center, said since HealthCentral is effectively buying's entire business, it's no longer a clear-cut violation of's privacy policy.

So, he said, at the very least, all's customers should be notified about the pending sale of their data to HealthCentral and should be allowed to decide if they want their information sold.

"If the Web site still looks the same after the sale, customers will not know that the business [and their information] has been sold to another company," he said. "So they need to be notified."

But, Shen said, there needs to be clarification about what happens to customer data when one company merges with or is purchased by another company.

He added that the issue was made thornier because in this case, it's not just customers' names, addresses and telephone numbers that will be sold, but also information about their purchases, which includes their prescriptions.

"Anytime you add health information to the mix, [you are entering different territory], he said. "So customers should be able to control what happens to their information."

Meanwhile, Jason Catlett, president of Junkbusters Corp., a privacy advocacy organization in Green Brook, N.J., said it seems "reasonable and appropriate" that HealthCentral acquire's customer list if it is purchasing's entire business, including its obligations to its privacy policy.

Missouri Attorney General Jay Nixon, though, is not so sure and is looking into the proposed sale of's customer list to HealthCentral. In September, Nixon filed a lawsuit against charging that it violated its privacy policy by releasing customer data to a third party.

The lawsuit alleged that released a customer's personal information to a third party after an investigator at the attorney general's office tried unsuccessfully to order contact lenses under an assumed name. The attorney general said the investigator was solicited by Lens Express Inc. in Deerfield Beach, Fla., to buy contact lenses under the assumed name, even though the investigator had never contacted Lens Express. At the time, denied Nixon's allegations, saying its privacy policy states that it uses a third-party fulfillment partner - in this case Lens Express - to fill and ship contact lens orders.

"While we are moving forward in our lawsuit against, we are also looking into the sale of its customer data to HealthCentral," said Nixon's spokesman, Scott Holste.

FTC commissioner on the Web privacy debate
October 24, 2000
Glitch temporarily exposes some customer data
October 17, 2000
Congress won't take up Web privacy until 2001
October 5, 2000
Study: Online privacy fears growing
July 11, 2000
Don't lose any sleep over online privacy -- It's already too late
May 20, 1998

How do you make online-privacy policies stick?
Congress delays Net-privacy legislation until 2001
Online security: Hype or complacency?
What does it take to secure your systems?
(InfoWorld) responds quickly to security hole
E-Bay, Amazon, hit by attacks
EPIC criticizes first release of Carnivore data

Electronic Privacy Information Center

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.