When the bubble burst, to use the oft-used metaphor, not only did ‘Net-based companies line up to go out of business but individuals who were visitors to the sites operated by these companies began to face new potential violations of the rights of those visitors.   These issues have implications not only for the potential loss of privacy violations they present to site visitors but issues related to liabilities for site operators as well.  It means that site owners who create privacy policies without a broad vision of where it all can lead may find that it leads to their attorney’s office.

        Let me discuss these issues within the context of 2 “going out of business” matters that have reached the public.  One deals with bankruptcy last year of “” and the other with the ceasing of business operations of “”  There have been other privacy cases going back to the original Federal Trade Commission (FTC) action against GeoCities and including other cases but for the sake of keeping the focus narrow, I wish to restrict this article to a discussion about these 2 cases.  Further, the cases discussed here also present issues about the need for carefully crafting the privacy policy with vision enough to see potential needs perhaps far down the road.  Read “The Need for Vision.”

The Premise

        Initially it should be understood that, except in certain instances, sites are not required to have a privacy policy.  [This is a different issue from membership agreements and you should read the article with that title.] In a more general context, it is worthwhile keeping in mind that in the offline world, most companies do not have “privacy policies” and indeed readily gather, use and market vast customer preference lists that are taken from many sources.  While we all receive tons of junk mail and complain about it, the Internet has presented this issue under the bright light of a new technology.  Thus the notion of privacy has taken on a larger role.  Thus, as a practical business proposition, many sites need such privacy policies so that visitors will be comfortable with the process of registering for whatever the product or service is.  And this is part of the problem for when sites do have and post such privacy policies they are required to live up and adhere to those policies.  Failure to do so can be deemed a “deceptive trade practice” and can subject the site to fines, penalties and the like.  The FTC is generally the governmental body that brings and enforces such actions.

        One of the “instances” I mentioned above deals with sites that cater to and gather information from children.  These sites are regulated under the Children’s Online Privacy Protection Act (COPPA).  The act is very complex in its application and all sites that even remotely fall within its orbit should consult an experienced attorney about how to comply.  Read “The Children’s Online Privacy Protection Act” and “Verifiable Parental Consent Under COPPA” for much more detail about this legislation. ran a site that sold children’s toys. When the site was operational, the site’s privacy policy indicated that it would never share personal information with third parties.  The site collected names and email addresses as well as billing information, shopping preferences and family profiles, both from children 13 and under (and thus were subject to COPPA) as well as from non-“children.”

        When ran into financial trouble, it attempted to sell this extensive database of information. The FTC brought an action alleging that these actions constituted a material change in the site’s previously stated privacy policy. subsequently filed a petition in bankruptcy in May, 2000 and part of the assets of the bankrupt estate were the same database. entered into a Consent Decree with the FTC in which it was agreed among other provisions that:

1. the database of names etc. could not be sold as an asset standing alone but only as an integral part of the business assets as a whole;
2. the only third parties who could purchase the entirety of the site would be a “Qualified Buyer.”  A “Qualified Buyer” was defined as “an entity that …concentrates its business in the family commerce market, involving the areas of education, toys, learning, home and/or instruction, including commerce, content, product and services” and which agreed to be a “successor in interest” for that database.  This latter term meant that the buyer had to agree to abide by Toysmart’s original privacy statement that it offered to visitors (that such information would not be shared) and that if the buyer desired to change that policy, that it first notify all such persons who provided that data and obtain the express, affirmative consent to the new uses…so called “opt-in” marketing; and
3. in the event that such a Qualified Buyer did not come along within a year or unless there was a court-approved reorganization, the entire database must be destroyed and that, irrespective of the other data in the database, all the information collected in violation of COPPA had to be immediately destroyed.
        There were some procedural issues related to this matter which are outside the scope of this article., as part of its winding down of its business, set up an auction for several of the assets of the company including the “ Newsletter subscriber and registrant list.”  That list contained approximately 170,000 individual email address, descriptions of issues of interest as well as, in many instances, zip codes, sex and political party affiliations. Individual names and addresses were not part of the database.

        In this instance, the privacy policy of provided that the list could be sold only to “an entity that will provide ‘personalized political news and information’ to the subscribers.  It stated in part:

“Merger, Acquisition of or by  In the event of a merger or acquisition of or by, your personally identifiable information in’s records will not be used for any purpose other than to provide personalized political news and information without your explicit permission.”
        Additionally, had a license agreement with TRUSTe and as part of any such sale, agreed to send an email to all of the email addresses on its list after a purchaser was identified but before the sale was completed and the list turned over.  Specifically, the statements were:
“That email will detail the “personalized political news and information” which the purchaser will provide to the former subscribers/newsletter recipients and will provide them with an easy way to “opt-out” of the list and two weeks to decide.   Those who choose to “opt-out” will not be included in the list provided to the purchaser of [the database] after the two week notice period has expired.”
        Any deal with a purchaser would have to include representations that the bidder is or will be in the business of providing the above kind of information and will use the database solely for that purpose “(although advertising messages and electronic direct marketing may be sent by the purchaser of the list to subscribers on behalf of other entities as long as those entities do not receive access to the individual email addresses).”

        In sum,’s approach to the initial drafting of their privacy policy seems to me to be an example of a more visionary approach to the use of the information down the road.  It enabled the site to collect relevant information but balanced that with the rights of the visitor who might be concerned with how that information might be used in unrelated ways.  The effect of the Consent Decree in the case was designed to achieve the same results.


        As we all struggle to define who we are in relation to the Internet in the coming years, privacy is always among the top listed concerns of most persons.  These 2 cases present some additional approaches to the problem…one via governmental action and one via private initiative.

        More to come from both arenas I am sure.

© 2001 Ivan Hoffman


This article is not intended as a substitute for legal advice.  The specific facts that apply to your matter may make the outcome different than would be anticipated by you.  You should consult with an attorney familiar with the issues and the laws.
No portion of this article may be copied, retransmitted, reposted, duplicated or otherwise used without the express written approval of the author.



Where Next? 

Ivan Hoffman Attorney At Law || More Internet and Electronic Rights Articles|| More Articles About Privacy ||  Home