Those lists make up a multimillion-dollar annual marketplace of information trading hands, often through classified advertisements in marketing industry publications. Some charities, political organizations and other nonprofits also exchange member information. Even voter registration lists have been sold.
In one celebrated case, once high-flying eToys.com was allowed to sell its customer data as an asset when it went into bankruptcy.
Many companies have privacy policies that forbid selling or renting their customers' information, or that allow trading of data but give consumers the chance to "opt out" and have their names removed from lists.
The Direct Marketing Association, the industry's largest trade group, also operates an opt-out service that consumers can contact. All its members are supposed to honor the list.
But privacy advocates argue that the opt-out system is subject to abuse, especially as lists trade hands more and more times.
Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center, said yesterday's FTC action is important because it will "solidify the privacy policy as a contract that is not supposed to change materially without consumer consent."
But he said that by simply going after companies for violating their own policies, the FTC is in effect pushing companies to have the fewest restrictions possible without alienating potential customers.
"The obvious encouragement here is to not make promises," Hoofnagle said. "We think that approach is somewhat inflexible."
He added that his organization has seen big retailers "race to the bottom" of the privacy scale, informing their customers of new policies that allow for more data sharing rather than less.
Hoofnagle said the FTC should create a base-line set of rules on sharing data, but he acknowledged that the agency might need specific authority from Congress to do so.
