The maker of the Hooked on Phonics learning system yesterday settled a Federal Trade Commission complaint that the company rented out data about its customers to outside marketers despite promising to keep the information private.
The FTC said that Gateway Learning Corp., of Santa Ana, Calif., provided marketers with information that included names, addresses, phone numbers and the ages and sexes of children of families who bought the program, which is used to help children learn to read.
The company agreed to pay a fine of $4,600, the amount it earned in leasing the data.
The case arose from a July 2003 Washington Post story identifying Gateway as one of several companies renting or selling customer data in violation of their privacy policies. In Gateway's case, it rented the information for $95 per 1,000 names.
"It's simple: If you collect information and promise not to share, you can't share unless the consumer agrees," said J. Howard Beales III, head of the FTC's consumer protection bureau.
The case highlights the enormous value of personal information for marketing purposes, and the tension posed by privacy concerns. Instead of customer data being used only to seek renewed business, the lists themselves can generate income.
Assisted by list managers and brokers, firms also are constantly searching for ways to refine customer lists to better target consumers who might be interested in certain products or information.
Those lists make up a multimillion-dollar annual marketplace of information trading hands, often through classified advertisements in marketing industry publications. Some charities, political organizations and other nonprofits also exchange member information. Even voter registration lists have been sold.
In one celebrated case, once high-flying eToys.com was allowed to sell its customer data as an asset when it went into bankruptcy.
Many companies have privacy policies that forbid selling or renting their customers' information, or that allow trading of data but give consumers the chance to "opt out" and have their names removed from lists.
The Direct Marketing Association, the industry's largest trade group, also operates an opt-out service that consumers can contact. All its members are supposed to honor the list.
But privacy advocates argue that the opt-out system is subject to abuse, especially as lists trade hands more and more times.
But he said that by simply going after companies for violating their own policies, the FTC is in effect pushing companies to have the fewest restrictions possible without alienating potential customers.
"The obvious encouragement here is to not make promises," Hoofnagle said. "We think that approach is somewhat inflexible."
He added that his organization has seen big retailers "race to the bottom" of the privacy scale, informing their customers of new policies that allow for more data sharing rather than less.
Hoofnagle said the FTC should create a base-line set of rules on sharing data, but he acknowledged that the agency might need specific authority from Congress to do so.