Slashdot Mirror

← Back to Stories (view on slashdot.org)

Toysmart Can Sell Customer Data - With Limitations

Posted by timothy on from the doesn't-information-want-to-be-free?! dept.

jmozena writes "Disney's failed Toysmart.com has gotten the go-ahead from the Federal Trade Commission to sell its customer database as part of a bankruptcy sale, as long as the buyer agrees to abide by Toysmart's privacy policy. The FTC also found that Toysmart violated the Child Online Privacy & Protection Act (COPPA) of 1998 by collecting information from children under 13 without their parents' consent, and is filing a complaint in federal court to get Toysmart to destroy that information before any sale. This is the first time the FTC has filed a complaint under COPPA. The FTC press release is here."

EasyKill adds: "[here] is a link to the zdnet story about the FTC allowing Toysmart to sell some of their customer database, albeit under limited circumstances. I don't think this is a good thing, but it could be worse."grahamwest also points out this CNNfn story on the decision.

You may also be interested in the story emmett posted when the plan to sell this data first came to light, and the followup hemos posted about the involvement of the FTC. For once, I think I (mostly) agree with the FTC.

32 of 58 comments (clear)

  1. Re:Is this only the beginning? by gunner800 · · Score: 2
    The ruling they have made now could only be the beginning of a policy where customer databases are seen as any other form of capital, wich in case of bankrupcy can be sold off.

    Uhm, no. In fact, the FTC has set a very different precedent. The database cannot be simply "sold off" for quick cash, it must be sold as part of the whole company.

    It even makes sense. You send your private data to ToySmart. ToySmart as a whole is sold. Whoever owns ToySmart now has the data.


    My mom is not a Karma whore!

  2. Re:Is this only the beginning? by laborit · · Score: 2

    There's an amusing business model... Internet research companies offer great prizes and incentives in exchange for personal information, which people accept because of their model privacy agreement. Then they "discover" that they don't have enough capital to continue, go bankrupt, and sell their database for pennies to Microsoft/Disney/NikeCorp... which just happens to be the company that spun them off a few months ago.

    - Michael Cohn

    --

    -----
    Go ahead, blame me... I voted for Nader!
  3. The FTC did the Right Thing by dr_hodad · · Score: 3

    While I shouldn't be surprised, it is distressing to see that most of the 4-5 rated posters clearly didn't read the FTC agreement. Ah . . . where to begin?

    Morgaine complains . . .
    If customer data is now deemed to have a direct and independent monetary value rather than merely in association with a product, maybe the coporations that are gathering that data from us ought to be paying for it -- ie. paying us.

    The FTC agreement makes it clear that customer data cannot be sold independently. Rather, it must be sold with the entire company, and then only to an entity that will be continuing the business. If this is a Bad Thing under bankruptcy, then we must also conclude that a healthy company that changes ownership (or for that matter issues stock) must throw away all it's customer data before the sale.

    jesterzog adds . . .
    The problem I have is that Toysmart [is] selling what they shouldn't technically own. As a customer I would never have said that they can give my details to anyone else without my direct consent

    But that's exactly what did when you cashed in that $50 internet coupon

    They had restricted use of [my personal info] for inside purposes only

    Yes, but a change in ownership (of the entire company, which is what the FTC agreement requires) shouldn't mean they can't keep using that info for "inside purposes only".

    Can a company being liquidated sell it's employees home computers because they once did some company-related work on them?

    No, but it can demand a copy of they're work-related files and sell those.

    The bottom line is, the FTC agreement makes perfect sense. While it is foolish to give away your valuable personal info for free, it is disingenuous to recieve compensation in exchange for your info and/or money and then insist that your privacy should be inviolate. (Compensation can take the form of cash, rebates, free shipping, or the ability to read the NYT online.) So do as your mother told you and read the fine print.


    -------
    Dr. Hodad
    Black's Beach Tanning Supply
    La Jolla, California

    --


    -------
    Dr. Hodad
    Black's Beach Tanning Supply
    La Jolla, California
  4. Privacy Complainers by mindstrm · · Score: 2

    All these privacy complainers.

    DO you use AirMiles? IT's sole purpose is to track your movement and purchases.
    Do you use those grocery-store 'customer cards'? Same deal (I *HATE* those things, and almost think there oughtta be a law... you should be able to buy food at a fair price without being tracked)

    American Express charge card? Same deal.
    Credit cards? Same deal.

    Have your name/address published in a phone book? Same deal.

    Give me a break. Your personal information is *everywhere*

    1. Re:Privacy Complainers by sonnerbob · · Score: 2

      Mr. McNeely ... is that you?

      --

      Get Veiled
  5. Re:Selling e-mail addresses by mindstrm · · Score: 2

    It's not *your* email address.
    It's an address that, at the moment, you have access to. You are renting it.

    Another reason for encryption. Really.

    The only email address that I would really consider *mine* is the one on the server I own at the domain I own...

    OTher than that, I'm just 'renting' it.

  6. Secrets by Hard_Code · · Score: 2

    So basically, I can tell someone's secret to other people just as long as I say "But _don't_ tell anyone! Really!"

    Right, soon everyone in the world has the "secret" information.

    --

    It's 10 PM. Do you know if you're un-American?
  7. Re:hmm by Zan+Thrax · · Score: 2

    Even though Disney's intentions were to maintain the privacy, the data would have been sold without restriction. The FTC would have been agreeing to the concept that collected data was saleable.

    Why do you think Disney wanted to do this? I strongly suspect they were hoping to get such a precedent created, and were willing to bury whatever information Toysmart has. Then they can offer Doubleclick or someone with that level of information serious money for their database(s), and do whatever they like with it...

    --

    Intolerant people should be shot.
  8. Re:Fighting spam with disinformation? by Morgaine · · Score: 2

    You write: We have to come up with something better - make spam illegal!

    Wow, yes, that's bound to work, just like it has with drugs and speeding.

    Sorry to burst your bubble, but laws are powerless when enforcement is powerless, and in an international Internet, passing national anti-spam laws is so utterly pointless that it's just funny.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  9. Re:Fighting spam with disinformation? by KevinMS · · Score: 2


    There's a much more elegant and effective way to do it, use sneakemail

    --
    Sneakemail is to spam filters what an ounce of prevention is to a pound of cure.
  10. Ironic name by gilroy · · Score: 3

    Anyone else find it amusing that one of the commissioners involved in this is named "Commissioner Swindle?" :) Although this commish does seem to be on the side of goodness and nice.

    --
    The Mongrel Dogs Who Teach
  11. The really unfortunate thing here... by gilroy · · Score: 2
    ... is that the FTC is conceding that customer contact databases are indeed monetary assets of a company. Sure, they put restrictions on how they can be sold, but those restrictions aren't written up in regulations, much less enshrined in law. I can't see how this action fails to violate the contract between customers and Toysmart. As one of the commissioners said, "'Never' means never".

    I think the only recourse left is, as someone suggested, a class action suit. Toysmart collected that information under a privacy agreement that formed part of the contract between the company and its customers. It is now seeking to violate that contract. Because privacy is a major right, its loss should carry a heavy monetary penalty. In fact, if I were czar, I'd make the customers have first claim as creditors.

    It is another nickle-and-dime dimunition of our rights. And in this bizarre, psuedo-libertarian corporate culture, contract law is the last remaining bulwark. If companies can violate their agreements at whim, we're really living in some capitalist version of oligarchy, no matter what papers we pretend to govern with.

    --
    The Mongrel Dogs Who Teach
  12. Re:Customers getting paid for customer data by Bilbo · · Score: 3
    > maybe the coporations that are gathering that data from us ought to be paying for it -- ie. paying us.

    Well... actually they are paying us... sort of. How do you think all these "free" services exist??? Someone has to pay for the servers and T1 lines and maintenance. You don't think corporations are doing it out of the goodness of their hearts? They surely aren't paying for it from banner adds, since income from banners is plummeting. Secondary income streams are often used to offset the cost of the product or service to make it more attractive to customers.

    --

    --
    Your Servant, B. Baggins
  13. the benefits of this ruling by griffjon · · Score: 2

    Now, wait a minute here. this is a Good Thing. It's a fantastic ruling to be referred to later on--the rights must travel with the data, as is legally enforced (don't make me rant on DRM today!).
    This means that us consumers can use this ruling later on to keep from getting screwed over by many manipulations. It may even be referencable in those wonderful TOSes that can update and change dramatically without any notification, it'll bring back the concept of what was signed (clicked) is what is the law--and those original rights must be propogated in each incarnation of the data.

    It won't end spam, but it will serve as a valuable tool in other circles.

    --
    Returned Peace Corps IT Volunteer
  14. In other news..... by Bill+Daras · · Score: 4

    MIDDLE AMERICA - A record number of parents were found in violation of the Basic Human Responisibility Act which forbids them from using any form of new technology as a babysitter for anyone, especially children under 13.

    When asked for comment, one Diane Whitestreet of Green Meadows, Indiana (not her real name or town) was quoted as saying "I heard about this new Internet thing, and, well, my kids said we just had to have it. So my husband bought a $7,000 Dell for each of our children and for a while, it was great. Between Soccer, Ballet, Gymnastics, Dance and of course, school, we never heard them complain there was nothing to do. If they asked for Mommy or Daddy's credit card, we let them borrow it because it made them happy and happy children are quiet, and less annoying children.

    Then, when I found out these "sites" were actually recording my child's names and adresses for shipping information, I became, well, enraged. That they could hurt them in this way. It is just horrible. I can barely...talk.

    I had mys husband call their company and he said perhaps we should be more careful about how we let our children use our credit cards! How dare they tell me how to raise my children! They are my responsibility!

    So the next thing I did was call our representative and have him pass a bill make sure these terrible things never happen again. Thank God this is a free country and with one phone call I can prevent such things and Protect The Children."

    Mrs. Whitestreet's children are a few years older now, they have gone through a lot since then...two more Dells for each child, four SUVs (only because one broke down, notes Ms. Whitestreet) and in her words "A lot of growing up."

    She counts her blessings even now. "It could have been much worse." she says. "They could have been taking meth, listening to rap and hanging out with those people or even been turned homosexual by one of their recruiters!"

    Mr. and Ms. Whitestreet's have since been sent to prision until their all children turn 18 so that they might have a shot at a normal life with a responsible parent assigned to them by the state.

    This is a work of fiction. However you are blind if you can't see the truth in it!

  15. gimme a fscking break by fluxrad · · Score: 2

    so we've got a company that's going out of business basically saying "oh, and you have to sign this contract before you buy this information!"

    ummm...who the *FUCK* is gonna uphold this contract? The government? That's laugable. Toysmart? Sure, and if a frog had wings he wouldn't bump his ass when he hopped!

    What the government should have done is simply NOT OKed these type of sales. Not only does the current one scare me, but the precedent it sets doesn't exactly bode well for consumers. Oh well - i don't think that will stop me from giving out honest and accurate information in the future. After all, i wouldn't want to lie

    Sincerely,

    Satan McDevil
    666 Antichrist Blvd.
    Pensacola, Fl. 66666
    Turn-on's: Stealing souls, Mayhem, Madness, and furry little puppies
    Turn-offs: Attitude, Sass, Jesus, Sell-outs.
    Has also purchased: Handspring Visor, Sony VAIO products, Propecia, The Switchblade Comb(TM), and G.W. Bush's soul.


    FluX
    After 16 years, MTV has finally completed its deevolution into the shiny things network

    --
    "It is seldom that liberty of any kind is lost all at once." -David Hume
  16. Re:Fighting spam with disinformation? by jonnythan · · Score: 2

    For all you people who apparently didn't get the sarcasm, that "make spam illegal!!" was a joke directed at the people who have these strange knee-jerk reactions to things they want to get rid of.

  17. One good idea by gunner800 · · Score: 2
    I did see one surprisingly intelligent thing in this mess. Part of the settlement is that if the buyer wants to change the privacy policy, it must be done with an opt-in strategy. I'm sick of having to "sign" agreements that are worthless because the other party can change them without notice.

    It would be far beyond the regulartory powers of the FTC, and arguably beyond the legislative powers of Congress, but I would be overjoyed if those damned "subject to change without notice" clauses were ruled unenforceable.


    My mom is not a Karma whore!

  18. Cookie Cutter e-commerce companies by Ratteau · · Score: 4

    After having read a couple books recommended by our CEO (he actually bought about 50 copies of each and handed them out), its sad to see how many companies out there seem to have been thrown together by the exact vision the authors see for e-commerce. The books are the HBS titles netGain and netWorth -- a good read, but only 1 view of the future of the internet. They say the future is in the infomediary, the company that builds a critical mass of users, aggregates data, and allows marketers to send advertisements to a demographic they wish to target. They do not sell the data, they are a middle man, and are supposed to be trusted. I dont know how many startups Ive seen follow almost this exact formula, but they are starting to fail BIGTIME. Tech stocks are doing so poorly that even good ones are suffering just for being in the same industry (but that is another topic). There are going to be more ToySmart stories unless a precedence is set. As I understand it, when a company goes bankrupt, its assets are liquidated to compensate the investors as much as possible. The customer data is indeed their greatest asset, but in my opinion, the investors knew very well the privacy policy when they invested their money and know the risk involved in this industry (and if they didnt, they shouldnt be investing) and in my opinion, should be SOL. However, the law is the law and is rarely compliant with common sense -- any lawyers out there been talking with others and know which way the wind is blowing?

    --
    The ivory tower has never had to reach so h
  19. hmm by nomadic · · Score: 2

    as long as the buyer agrees to abide by Toysmart's privacy policy...

    Which means they can only use it to (according to their website) "personalize" their customers' online experience. Which seems to make it useless to another company. Unless they have a very liberal definition of "personalize".

    Interestingly enough, Disney offered to buy (and bury) the list, but I guess the FTC didn't go for it.

    1. Re:hmm by rjh3 · · Score: 3

      If the FTC had agreed to the original Disney offer a significantly worse precedent would have been set. Even though Disney's intentions were to maintain the privacy, the data would have been sold without restriction. The FTC would have been agreeing to the concept that collected data was saleable.

      Under this agreement they are setting the much tighter terms that data may be sold if and only if the purchaser maintains the same agreement that was in place when the information was gathered. It is a reasonable legal tradeoff. If you make the rules on a sale any harder, the database owners might win the argument on contract violation. The FTC would have been arguing that contract terms get changed in the customer's favor during a bankruptcy.

      This agreement is consistent with how other contracts are handled during a bankruptcy. The ideal is to maintain all contracts unchanged. The ideal is unreachable (since one party is bankrupt) so the bankruptcy court is authorized to make such modifications to contracts as are needed to minimize the deviations. Bankruptcy law establishes which contracts take precedence, who loses first, how parties negotiate over relative importance and value, etc.

      Since the law was written before privacy agreements existed or mattered it was not established that they should be considered like contracts. This sets that precedent.

  20. caveat emptor by Rufus+T.+Firefly · · Score: 4
    Every company's privacy policy is to protect the company, not the consumer.

    The public has voted for convenience over privacy. That's why non-anonymous financial transactions (e.g., credit card purchases) and their associated loss of privacy have succeeded online, whereas anonymous payment schemes -- like prematurely launched DigiCash -- just haven't taken hold. Yet. (I'm hopeful.)

    Any company that states it won't sell personal information is lying. And so what if the company gets fined: your information has already been sold.

    Admiral Yamamoto

  21. Is this only the beginning? by gaijin_ · · Score: 4

    The ruling they have made now could only be the beginning of a policy where customer databases are seen as any other form of capital, wich in case of bankrupcy can be sold off.

    If this stands the next one to go will probably get less restrictions, and the next even less. In the end people could be alowed to sell their databases without any restricitions at all.

    This should be stopped now, or all the "We will not share information"-clauses are without value.

  22. Customers getting paid for customer data by Morgaine · · Score: 4

    If customer data is now deemed to have a direct and independent monetary value rather than merely in association with a product, maybe the coporations that are gathering that data from us ought to be paying for it -- ie. paying us.

    After all, everything's a business. We're not a charity either. :-)

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  23. Fighting spam with disinformation? by Morgaine · · Score: 2

    How about fighting spam with misinformation?

    If huge lists of non-existent addresses are created and then infiltrated into spammers' lists then the proportion of spam that actually gets delivered will go down, the onset of a spam will be easier to detect and to stop, and spammers' efforts will be less effective. Heck, one could even make money from selling them dud data. :-)

    Disinformation could be quite an effective measure here. As you say, it has served others well before. All that's required is a complete lack of morality.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
    1. Re:Fighting spam with disinformation? by jonnythan · · Score: 3

      No, disinformation is a destabilizing technique, not a stabilizing one (terms borrowed from what I know about Cold War nuclear war planning - things like missle buildup and Star Wars were destabilizing, because they just encouraged the USSR to stock _more_ weapons rather out of pure necessity).

      Anyway, if huge lists of non-existant addresses are created, then yes, the actual proportion of spam that gets delievered will go down. However, that just means the spammers will have to amass EVEN BIGGER lists just to get the same number of arriving messages. This will encourage spammers to try even harder than they are now to get mail into our boxes.

      We're never going to get rid of it, and disinformation will not make it go away.

      We have to come up with something better - make spam illegal!

  24. More now than ever before by thesparkle · · Score: 4

    Now, more than ever, should we all make sure we are giving as much inaccurate and incorrect information when filling out online signup forms.

    A policy of disinformation and dishonesty has served some of our finest public and private leaders well. We would do well to heed their example.

  25. Sue Disney by Jeff+Hornby · · Score: 2

    I think that the best thing to do would be for a class-action lawsuit from consumers of ToySmart for breach of contract. After all, not sharing the information could be considered part of the contract.

    The best thing to do would be to start with an injunction against them selling the list.

    And the lawsuit could also name Disney as the owner of ToySmart for not exercising proper governance (corporate governance is a concept that is really ready to be tried in the courts).

    Jeff

    --
    Why doesn't Slashdot ever get slashdotted?
  26. where does it end if not at agreements? by jesterzog · · Score: 4

    This is where I disagree the most.

    From CNNfn:

    "We think it's a fair balance between the needs of creditors and the customers," Toysmart attorney Harry Murphy said of the settlement.

    The problem I have is that Toysmart and various others (with consent of the courts and the FTC) are selling what they shouldn't technically own. As a customer I would never have said that they can give my details to anyone else without my direct consent - irrespective of whatever conditions they put on it. They had restricted use of it for inside purposes only, and that's exactly what the privacy agreement said.

    Creditors made the mistake of investing in Toysmart. They took the risk and it didn't pay off. They shouldn't be compensated by the loss of a third party.

    Physical goods verses information shouldn't be treated differently. Can a company being liquidated sell it's employees home computers because they once did some company-related work on them? If not, how can it sell it's customers details simply because it has restricted access to them for use within the company?

    From memory, one of the problems is that because the company no longer exists, any agreements it had are invalid.. or something like that. (Can anyone elaborate?) Perhaps model privacy agreements of the future should have a clause in them to specify that this can't happen. Otherwise I'll certainly think hard about giving any details away if the practice of selling databases becomes more common.


    ===
  27. But, um, no! by r2ravens · · Score: 2

    Doesn't part of ToySmart's privacy agreement say that only ToySmart will use the data? So, if it sold the data to a second company who had to live with the privacy agreement, IT (the purchasing company) would not be able to use the data since IT is not ToySmart amd only ToySmart can use the data as per the privacy agreement!

    The only way around this is if the provacy statement says "only ToySmart or the company we sell the data too can use the data" which would make it a fairly useless privacy statement.

    --
    War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
  28. Selling e-mail addresses by laborit · · Score: 2

    This brings to mind another scenario I've wondered about for a while... what happens if a company sells its domain name, and you have an e-mail address with them? Suddenly your e-mail is being routed to an owner who has no obligation to give you access, let alone to keep "your" mail private. It doesn't seem like there would be any legal barriers to their destroying or reading your mail. The mapping between a person and an e-mail address seems much fuzzier than the one for your physical address. E-mail may not even have the intended recipient's name on it, so it seems it would be hard to claim that there's any fundamental proof that mail sent to stringofcharacters@anotherstring.tld wasn't meant for whomever owns anotherstring@tld.

    Can this happen? Has this happened? Is there anything that can be done, short of running your own domain and hoping that a company with a similar name doesn't rise to prominence?

    - Michael Cohn

    --

    -----
    Go ahead, blame me... I voted for Nader!
  29. Love the Logic by CoughDropAddict · · Score: 3

    Disney's failed Toysmart.com has gotten the go-ahead from the Federal Trade Commission to sell its customer database as part of a bankruptcy sale, as long as the buyer agrees to abide by Toysmart's privacy policy.

    Flashback to 3rd grade:

    Chris the Coolster: Listen to this cool secret! But you can't tell anyone...

    Lucy the Loser: I won't. You can count on me!

    Later that day...

    Lucy the Newly-Popular: Hey, listen to this! But you can't tell anyone...

    ad infinitum, until the juicy tidbit is common knowledge.

    This also enables easy NDA dodging! All I have to do is have anyone I share secret info with sign the NDA too! Sweet, time to get some ultra-secret specs and start writing some gfx card drivers for X...