Washington -- The confidential records of millions of on-line shoppers could soon be available to the highest bidder as troubled dot-coms scramble to raise cash.
Think of names, birthdays and shopping preferences being sold at auction.
Eager to put a stop to the practice and send a message to the industry, the U.S. Federal Trade Commission this past week took the unprecedented step of suing Massachusetts-based Toysmart.com Inc. -- which filed for Chapter 11 bankruptcy protection earlier this month -- for breaking a pledge "never" to sell its customer files.
Privacy and bankruptcy experts alike applauded the FTC's swift action. But they warned that the on-line toy retailer may be just one of dozens of cash-strapped Internet companies that could soon be forced by creditors or investors to sell off their customer files.
The case has also rekindled a heated debate about whether tougher privacy laws are needed to protect on-line shoppers -- both in Canada and the United States.
"Most of these companies can't reorganize because they have no assets and no cash", said Keith Shapiro, president of the American Bankruptcy Institute and a Chicago bankruptcy lawyer. "Selling their list is the last hope for many of these companies."
A rash of Internet bankruptcies and reorganizations has put bankruptcy and consumer protection laws on a collision course, Mr. Shapiro said. Unheard of just six months ago, hardly a day goes by now without the announcement of another high-profile dot-com facing bankruptcy or financial reorganization, he said.
"The tension here is not between regulators and dot-coms. It's between creditors and consumers", he said.
Nor are Canadian consumers -- many of whom use U.S. Web services -- immune to the growing threat posed by financially strapped Internet companies.
Canada's answer to the problem has been to pass a new privacy law, which is due to take effect in January.
The law is a good "first step" because it provides some basic privacy standards, said privacy advocate David Jones, president of Electronic Frontier Canada and a professor of computer science at McMaster University. But it may be of limited value for those who shop in the United States, he warned.
"With more e-commerce done by American dot-coms, Canadians are at the mercy of the American system", he said.
Canada is "ahead of the curve" compared with the United States on privacy legislation, but not by much, Mr. Jones noted. "The law that has been passed doesn't have a lot of teeth", he said.
Regulators, lawyers and privacy experts have yet to come to terms with how to get companies to live up to the privacy policies prominently displayed on their Web sites. Do promises last forever, even after bankruptcy or a buyout?
Toysmart, a former on-line success story partly owned by Disney Co., had promised that information "would never be shared with a third party" when it asked families to reveal childrens' names, birthdays and toy wish lists. "Your information is safe with us!" the company pledged on its Web site.
But in June, after suspending operations and in the midst of bankruptcy proceedings, the two-year-old company put its databases and customer files up for sale.
"In the PC economy, information is gold", noted David Steer, spokesman for Trust-E, a privacy self-regulation group based in San Jose, Calif. "That has to be safeguarded in these mergers, acquisitions and bankruptcies."
Trust-E, worried that Toysmart would sully the industry's image, said it alerted the FTC last month about the imminent sale of the company's databases.
(Neither Toysmart nor its liquidator could be reached for comment, despite repeated attempts to contact them by e-mail and telephone.)
Mr. Steer said the case does not suggest a need for stricter laws. Just the opposite. He said the FTC is applying an old statute on deceptive trade practices to pursue Toysmart, and it will now be up to the bankruptcy courts to sort out the rights of creditors and consumers.
"The laws that are on the books prevented this from happening", he said.
But Mr. Steer said the case will cause a lot of companies to go back and "have a long, hard look at the promises they have made". Companies that breach those commitments give the rest of the industry a bad name, he said.
He added that the 2,000-member Trust-E requires that its members give their customers "full control over personal information". The Toysmart case proves the system is working, he said.
But already, some members of Congress are calling for tougher laws. Spencer Bachus, a Republican congressman from Alabama, recently introduced a bill to make it illegal to break privacy policies.
"Putting a customer's privacy up for sale -- after specifically pledging not to do so -- is sleazy and unethical, and it ought to be illegal", Mr. Bauchus said. "I intend to make it so."
The FTC, which is seeking an injunction against Toysmart to block the sale of its databases, has not proposed regulation. It's also trying to negotiate a settlement with the company.
"Even failing dot-coms must abide by their promise to protect the privacy rights of their customers", said FTC chairman Robert Pitofsky. "The FTC seeks to ensure that promises are kept."