ad info

 
CNN.com  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


Sale of More.com's customer list raises privacy concerns

Computerworld

(IDG) -- HealthCentral.com this week said it has signed an agreement to purchase the assets of floundering online drugstore More.com -- including its customer list -- and its subsidiary, ComfortLiving.com, for approximately $6 million.

But More.com's decision to sell its customer data has raised concerns among privacy advocates, who say the move seems to violate the company's promise not to do so.

Under the deal, HealthCentral in Emeryville, Calif., will also acquire More.com's Web site, trademark and its affiliate agreement with retail drugstore Phar-Mor. HealthCentral will also buy More.com's home store, ComfortLiving.com, its Web site, inventory and its lease on a warehouse and distribution center in Gaithersburg, Md.

In exchange, San Francisco-based More.com will receive 5 million shares of HealthCentral stock -- worth about $6.25 million at yesterday morning's stock prices -- which it can't sell before March 15, 2001. The deal is expected to close next month.

In effect, More.com is joining the ranks of other dot-coms that have recently gone out of business.

But More.com's decision to sell its customer list -- which also includes information about products and prescriptions customers purchased -- is generating questions among privacy advocates.

More.com's privacy policy, posted at its Web site, reads, "More.com does not give, sell or rent your personal information to third parties for purposes other than fulfilling your request. To better serve you, we use trusted third parties to fulfill and ship your order(s). We also use trusted third-party business partners to distribute our electronic newsletters and send you promotional offers."

"This is another outrageous example of why self-regulation does not work," said Evan Hendricks, editor of the Washington-based "Privacy Times" newsletter. "When you say you will not sell [customer] data, you should not sell [customer] data. But when there is no enforcement by law, an individual has to depend on the good faith of the data keeper."

However, HealthCentral and More.com contend that because HealthCentral is buying More.com's entire business, including its Web site and goodwill -- not just its customer list -- HealthCentral is More.com's "successor-in-interest" and should be treated as the same company, not a third party.

In addition, Frank Newman, More.com's president and CEO, and Joanne Papini, a spokeswoman for HealthCentral, said no changes would be made to More.com's privacy policy unless such changes are posted on HealthCentral's Web site. And before HealthCentral could make additional use of the customer information, those customers would have to give their permission, or opt in, to any new policy.

"HealthCentral has bought More.com's customer list ... its Web site and goodwill," Newman said. "HealthCentral is a qualified buyer in a related market and has agreed to be More.com's successor-in-interest to More.com's protection of consumer information."

Jonathan Moskin, an intellectual property lawyer at Pennie & Edmonds in New York, said that as a general rule, in the bricks-and-mortar world, the assignment of substantially all assets of one company to a new company binds that new company to the obligations of the former company. However, he said he hasn't seen any definitive law regarding online privacy issues.

Hendricks said that if the Federal Trade Commission (FTC) decided More.com had violated its stated policy, the agency could step in and file a complaint in court for unfair and deceptive business practices against the company.

An FTC spokeswoman said she had no comment on the More.com matter. However, this summer the FTC weighed in on a decision by the now-defunct online toy retailer Toysmart.com to sell its customer list after promising customers it wouldn't sell the data to a third party. The FTC said Toysmart could sell its customer list to a "successor" company, which would also be required to buy its Web site, goodwill and business.

But the attorney generals of Massachusetts and 38 other states disagreed with the FTC's decision, saying a successor company is still a third party and continued to block the sale of Toysmart's customer list in bankruptcy court. A bankruptcy court judge has yet to make a final decision on the sale of that data.

Andrew Shen, a policy analyst at the Washington-based Electronic Privacy Information Center, said since HealthCentral is effectively buying More.com's entire business, it's no longer a clear-cut violation of More.com's privacy policy.

So, he said, at the very least, all More.com's customers should be notified about the pending sale of their data to HealthCentral and should be allowed to decide if they want their information sold.

"If the More.com Web site still looks the same after the sale, customers will not know that the business [and their information] has been sold to another company," he said. "So they need to be notified."

But, Shen said, there needs to be clarification about what happens to customer data when one company merges with or is purchased by another company.

He added that the More.com issue was made thornier because in this case, it's not just customers' names, addresses and telephone numbers that will be sold, but also information about their purchases, which includes their prescriptions.

"Anytime you add health information to the mix, [you are entering different territory], he said. "So customers should be able to control what happens to their information."

Meanwhile, Jason Catlett, president of Junkbusters Corp., a privacy advocacy organization in Green Brook, N.J., said it seems "reasonable and appropriate" that HealthCentral acquire More.com's customer list if it is purchasing More.com's entire business, including its obligations to its privacy policy.

Missouri Attorney General Jay Nixon, though, is not so sure and is looking into the proposed sale of More.com's customer list to HealthCentral. In September, Nixon filed a lawsuit against More.com charging that it violated its privacy policy by releasing customer data to a third party.

The lawsuit alleged that More.com released a customer's personal information to a third party after an investigator at the attorney general's office tried unsuccessfully to order contact lenses under an assumed name. The attorney general said the investigator was solicited by Lens Express Inc. in Deerfield Beach, Fla., to buy contact lenses under the assumed name, even though the investigator had never contacted Lens Express. At the time, More.com denied Nixon's allegations, saying its privacy policy states that it uses a third-party fulfillment partner - in this case Lens Express - to fill and ship contact lens orders.

"While we are moving forward in our lawsuit against More.com, we are also looking into the sale of its customer data to HealthCentral," said Nixon's spokesman, Scott Holste.




RELATED STORIES:
FTC commissioner on the Web privacy debate
October 24, 2000
Glitch temporarily exposes some Buy.com customer data
October 17, 2000
Congress won't take up Web privacy until 2001
October 5, 2000
Study: Online privacy fears growing
July 11, 2000
Don't lose any sleep over online privacy -- It's already too late
May 20, 1998

RELATED IDG.net STORIES:
How do you make online-privacy policies stick?
(InfoWorld)
Congress delays Net-privacy legislation until 2001
(InfoWorld)
Online security: Hype or complacency?
(CIO)
What does it take to secure your systems?
(InfoWorld)
Eve.com responds quickly to security hole
(Computerworld)
E-Bay, Amazon, Buy.com hit by attacks
(IDG.net)
EPIC criticizes first release of Carnivore data
(Computerworld)

RELATED SITES:
Buy.com Inc.
Electronic Privacy Information Center

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.