Amazon.com and Privacy

  Background and recent news

This page contains the primary source documents on the campaign in reverse chronological order. For background and recent news on this campaign please go to our news page instead.

For details of the complaint against Amazon over chidren's privacy, see the paragraph on our news page. (2003/4/22)

  Letter 2002/10/8 to State Attorneys General

Glenn Kaplan, Assistant Attorney General
Pamela Kogut, Assistant Attorney General
Consumer Protection and Antitrust Division
Office of the Attorney General
Commonwealth of Massachusetts
One Ashburton Place
Boston MA 02108-1698

Dear Assistant Attorneys General Kaplan and Kogut:

This open letter comments on the recent undertakings of Amazon.com regarding customer information. We urge further action from State consumer protection officials because we consider that Amazon's policy and practices are still an ongoing threat to the privacy and intellectual freedom of millions of consumers in the United States.

We commend you and your colleagues from the 12 states for undertaking discussions with the company about its change of privacy policy in August 2000. Amazon.com was widely and harshly criticized for this. Our organizations so deplored the change that we severed our business relationships with the company, forgoing revenue. We attempted to persuade them to reform their information practices and to undertake to return to the their promise never to sell personal information. They have repeatedly and consistently refused our requests. (Copies of the relevant letters are available at http://www.junkbusters.com/amazon.html on the Web.)

As a general principle, bookstores should not be selling dossiers on their customers' reading habits; such dossiers should be carefully restricted. In recent years, access to book sales records has been a matter of significant public concern. In a recent case involving law enforcement access to book lists, the Colorado Supreme Court ruled that a release of book records would violate readers' First Amendment rights, and that the state would have to demonstrate a compelling state interest to obtain book sales records. (Tattered Cover, Inc. v. City of Thornton, http://www.cobar.org/CFwebFiles/Content/dspOpinion.cfm?OpinionID=560).

Patrons of libraries are covered by privacy laws or regulations in all states. Additionally, the American Library Association has a strong tradition of protecting individuals' choices in reading, having adopted protections for patron privacy as early as 1939. (1939 Code of Ethics for Librarians, ALA, at http://www.ala.org/alaorg/oif/1939code.html.) Librarians have even developed technical methods to shield circulation records from exposure. Circulation systems expunge all record of a book being borrowed as soon as the patron returns it.

Amazon has attempted to reserve and reclaim a right to sell records that enjoy strong protections in other contexts. A transfer of this information impinges on intellectual freedom, and could subject readers to stigma for their book choices. Amazon actually can put its customers at greater risk than physical-world bookstores or libraries, in that the company can use cookies and personalization technology to track not only book purchases but also book browsing.

We commend you for negotiating a greater level of openness from Amazon.com in their information collection, sharing, and enhancement activities. These practices are opaque to the user, and knowledge of them will give customers a greater appreciation of the risks involved in shopping at Amazon.com.

However, it is unclear whether your negotiations have resulted in any rectification of what we regard as the three principal inadequacies in Amazon's information policy and practices: its option to sell its customer database wholesale; its refusal to give its customers the right to see all the data it accumulates about them; and its refusal to delete records of past book purchases. Here we explain these deficiencies in detail and recommend four actions for you or any other consumer protection officials to take.

Certainly the company itself regards the negotiated changes as immaterial. Amazon VP and Associate General Counsel David A. Zapolsky began his letter of September 23rd to you and your colleagues by saying Amazon is ``not making any material changes in our policies and practices regarding customer information this time...'' and that the company would merely ``expand some of the examples provided in the Notice, as well as clarify some of the provisions that may have been misunderstood in the past.''

A footnote in the letter gives new language regarding the wholesale database sale, which may seem to be a concession, but which we consider is distracting from the central change: that Amazon decided to let itself sell its customer database as part of a business unit, having previously undertaken to some customers never to sell their information. We have flagged <<thus>> a clause that is to be added. ``As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets <<but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise)>>. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.''

Amazon's pre-existing Privacy Notice (its policy before August 2000) stated in question and answer format: ``Will Amazon.com disclose the information it collects to outside parties?" Amazon.com does not sell, trade, or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.com.''

Amazon promised customers never to sell their information; now it is saying that it may do so, recently adding the "clarification" that the buyer will be subject to the same promises that it originally made, and then abrogated. This is plainly hypocrisy. We also believe that it constitutes an unfair and deceptive trade practice under federal and state law. Our first recommendation is that your require Amazon to undertake to obtain customers' consent prior before transferring personal information in these circumstances.

Our second recommendation is that you require Amazon to offer its customers the option to delete the record of specific purchases. Some former customers of Amazon, including ourselves, no longer trust the company to do what it says, and would like to be able to remove the risk of Amazon making an undesired disclosure. To specify the functionality more precisely, the information systems should provide customers the option to to dissociate their identity from any or all transactions recorded by Amazon. Several limitations are appropriate, such as during a reasonable period to allow for returns, chargebacks, and so forth. This might be 90 days, extended as appropriate if money is owed, for example.

As we have stated in previous correspondence with the company, it is not even necessary to delete the data about particular sales; it would suffice to dissociate the purchases and profiles from personally identifying information. Nor is any very burdensome action such as erasing backup tapes required; the standard applicable here is whether the information would be available in the routine course of business.

Although an Amazon official told us in 2000 that such a feature might be considered for the year 2001, Amazon still refuses to allow deletions, and has recently been making preposterous excuses. Amazon spokeswoman Patty Smith was quoted by the the Seattle Post-Intelligencer September 27th, 2002: ``"Customers can't delete records, for tax and business reasons.'' We have asked her which taxation authority Amazon believes requires records of the specific titles purchased by customers; we have yet to receive a reply. The phrase "for business reasons" seems to mean "because we don't want to."

Our third recommendation concerns access by individuals to their records. Your negotiation of a greater level of openness from Amazon.com is commendable, but the level of transparency considered adequate by international privacy standards goes beyond disclosing the nature of information shared; it includes identification of the specific organizations involved and access by the individual to all data concerning him or her. Amazon currently provides partial but not complete access, particularly on information that Amazon obtains about the consumer from other sources. Amazon should commit to providing complete access, with possible limited exceptions for ongoing investigations of fraud.

Our long-standing demands to Amazon on access and deletion have for years been required under the laws of several countries in which Amazon operates, including the United Kingdom and Germany. Amazon.com's treatment of its American customers as second-hand citizens can be seen easily by examing the privacy policy of amazon.co.uk. This policy resembles Amazon.com's pre-2000 policy: it still has a "never" option to preclude the sale of personal information, and contains no language concerning wholesale transfers. If Amazon believed they could get away with such a change under European privacy and fair trading laws, they would probably have attempted to do so in the two years that they have had to harmonize their American and European policies. The UK privacy policy makes it clear that the personal data is controlled and processed by Amazon's computer systems in the US, but that they intend to comply with the higher privacy standards required by UK law. ("Any personal information provided or to be gathered by Amazon.co.uk is controlled primarily by Amazon.com Int'l Sales, Inc. of 1200 12th Avenue South, Suite 1200, Seattle WA USA 98144 and secondarily by Amazon.co.uk Ltd of Patriot Court, 1-9 The Grove, Slough, Berkshire, England SL1 1QP..." "Any transfer of personal information outside of the European Economic Area is done in circumstances ensuring that the information is processed only in accordance with this Privacy Policy and the UK's Data Protection Act.") We find it repugnant that Amazon has made a willful and deliberate choice to deprive its American customers of the control over their personal information that are legally guaranteed rights for its customers elsewhere.

Our fourth recommendation is that Amazon be required to submit to an independent audit to determine its compliance with its privacy policy. This is necessary because the company's actions have shown that it should not be trusted. In May 2001 staff of the Federal Trade Commission concluded that Amazon and its Alexa division had likely deceived its customers, but the FTC declined to act further. Amazon should undergo an on-site audit by a competent and independent firm to determine whether its actual past conduct (rather than just its own descriptions of its practices) conformed with the various versions of its privacy policies. The auditor's report should be made public.

In conclusion, we commend you for investigating Amazon, and hope that you act further on the four recommendations we described above.

Very respectfully

Jason Catlett
President
Junkbusters Corp.

Chris Hoofnagle
Legislative Counsel
Electronic Privacy Information Center

Copies to:

Steve Sakamoto-Wengel
Assistant Attorney General
State of Maryland

Noreen Matts
Assistant Attorney General
State of Arizona

Tracy Sonneborn
Assistant Attorney General
State of Michigan

Gary Hawes
Assistant Attorney General
State of Connecticut

Bennett Rushkoff
Senior Counsel
Office of Corporation Counsel
District of Columbia

Julie Brill
Assistant Attorney General
State of Vermont

Linda Conti
Assistant Attorney General
State of Maine

Drew Lianopoulos
Assistant Attorney General
State of Oregon

Lucian D. Geise
Assistant Attorney General
State of Tennessee

Harriet Worley
Assistant Attorney General
State of North Carolina

M. Kristin Spath
Senior Assistant Attorney General
State of New Hampshire

Jack Norris Jr.
Assistant Attorney General
State of Florida

Christopher Petrie
Senior Assistant Attorney General
State of Wyoming

Stephen H. Levins
Acting Executive Director
Office of Consumer Protection
State of Hawaii

Howard Beales
Director, Bureau of Consumer Protection
Federal Trade Commission

  Reply from Massachussetts AG's office

The Massachussetts AG's office replied the same day. Here is our summary of the major points of the letter:

1. Amazon will not sell customer data as a standalone asset. The company will only sell it if the entire business is transferred.
2. Amazon would need affirmative consent before transferring the information from customers who used "never@amazon.com."
3. Information transferred to a new company would be subject to Amazon's prior privacy policies.
4. Access and deletion requirements are useful consumer tools, but not justified under US law.
5. An audit is unnecessary, as Amazon was forthcoming and cooperative throughout the investigation.
6. The Attorneys General would like a response from Amazon on the access, deletion, and audit issues that we raised.

  Letter 2001/5/30 to Muris

Dear Chairman-designee Muris

My organization joins other groups in their letter today urging you to make consumer privacy a priority of your tenure at the Commission. In addition, my organization asks that the Commission take certain immediate action to protect the privacy of more than 26 million customers of Amazon.com, Inc.

FTC staff recently concluded that Amazon and its Alexa division had likely deceived its customers. In a separate matter a few days earlier, staff also concluded, based on representations from the company, that it was not guilty of deception in its change of privacy policy in 2000. Given that the company has been deceptive, the FTC and consumers should not rely on its representations, which may also have been deceptive. We ask the Commission to require Amazon to undergo an on-site audit by a competent and independent firm to determine whether its actual past conduct (rather than just its own descriptions of its practices) conformed with the various versions of its privacy policies. The auditor's report should be made public. We also ask that the company be required to obey the request of any customer to see all information held by Amazon about him or her, and to delete the information if desired. Although Amazon never offered such a service, and indeed has repeatedly refused our repeated requests to do so, such a step is appropriate because the company has behaved deceptively in the past, and consumers can no longer rely on its representations to keep their personal information private.

This is only one of many actions that we believe are necessary to give the American public confidence that they can participate in ecommerce without losing control of their personal data. Without the ability to inspect one's personal data, it is impossible to verify that all information maintained was collected with consent. Without this and the ability to delete, the idea of "choice" is essentially meaningless, since consumers are irrevocably committing to an unknown outcome. We urge you to begin your tenure with a signal to businesses that you will strive for high standards of fairness in their handling of consumers' personal information, and hope that you will work with consumer and business groups towards this goal.

Very respectfully

Jason Catlett
President
Junkbusters Corp.

  Announcement 2001/1/30 of protest trinkets

Senior Amazon.com executives and employees today received samples of ``protest trinkets'' that will be used in privacy rights activists' continuing campaign against the company's unfair information practices. At issue is Amazon.com's refusal to delete the personal data of customers who requested this after the company changed its privacy policy. (2001/1/30)

The protest trinkets are erasers with messages printed on them. CEO and founder Jeff Bezos was sent a small model marked "I will erase a customer's personal data if asked." Chief Information Officer Richard Dalzell was sent a mid-sized model reading "Personal data is not our exclusive property. It is held in trust according to the person's wishes." Chief Financial Officer Warren Jenson was sent a large model that reads: "I feel uncomfortable working for a company that doesn't respect its customers' privacy enough to delete their personal data if they want. Tomorrow I will look for a new job."

Junkbusters President Jason Catlett commented on why he devised the protest trinkets. ``Over twenty million online shoppers are being held as virtual hostages in Amazon's data warehouse. We did not give our names to Amazon so we could become part of the company's assets; we just wanted our books delivered. We are human beings, not chattels, and we have a right to privacy. We have a right to control the information that companies store about us. Amazon.com is abusing those rights. They should expect growing resistance--both from within and from without--to their claim to own their customers' information forever.''

  Letter 2000/12/6 from Davies to UK Commissioner

Dear Ms France

I received Tuesday 5 December a fax transmission of a letter from Amazon.co.uk which they claim to have mailed on 22 November but which did not reach me.

Even assuming that the letter had been sent the day it was dated, this far exceeds the time allowed to respond to my access request of 14 September. I do intend to proceed with my access request directly with them. Meanwhile I ask you to consider what action your office should take against the company for its failure. I would appreciate being advised of any action.

In the letter the company claims to have discussed the question of the international transfer of personal data with your office, and that your staff indicated it was "comfortable" with it. Could you please tell me, for the public record, whether in fact your office did make such an indication. If you are not able to determine this easily, please tell me whether you now believe that the measures that Amazon.co.uk claims as constituting consent for international transfers are adequate. I maintain that they are not.

Sincerely

Simon Davies
Director
Privacy International

  Letter 2000/12/5 from Davies to Amazon

Managing director
Amazon.co.uk

Dear Mr Frazier

I received yesterday (Tuesday 4 December) a fax transmission of your letter dated 22 November, which had not previously reached me.

Even assuming that the letter was sent on this date, Amazon.co.uk far exceeded the time allowed to respond to my access request of 14 September, placing Amazon.co.uk in breach of UK law. I attach a copy of a letter to the UK Data Protection Commissioner noting this fact.

I do intend to proceed with my request, and plan to assemble the identifying information requested in your letter in the near future. Please confirm by email to me that if I respond with this identifying information, you will provide me with all the data held in databases controlled by Amazon in all countries, and further that upon my future request, all that information will be destroyed within a reasonable period of time. I am concerned by the statement made by Amazon spokeswoman Patty Smith to the Associated Press Monday that deletion is "impractical" because the company "needs records for auditing purposes." ( http://dailynews.yahoo.com/h/ap/20001204/tc/amazon_privacy_1.html ) Please state for the public record that you do not consider complying with this requirement of UK data protection law impractical and that you fully expect being able to comply within the allocated time. If deletion would cause Amazon to violate any accounting requirements, then the public, investors, and financial regulators should know this. If it does not, then I suggest an explanation of Ms Smith's remarks would be in order.

You will note in the attached letter that I have asked the UK Data Protection Commissioner whether her office is, as you indicated to me, "comfortable" with Amazon.co.uk's international transfers of personal data. I will write to you again on this topic after she has responded.

In your letter you repeatedly described the transfers as "limited." In what sense are they limited? Please circumscribe precisely what information is transfered outside the UK and what remains.

Sincerely

Simon Davies
Director
Privacy International

  Open letter 2000/12/4 from Junkbusters To Jeff Bezos

Dear Sir

This letter explains why my organization is escalating its campaign against Amazon.com's unfair information practices and unacceptably weak privacy policy. I have been in dialog for more than ten weeks with Amazon staff, but have received no commitment regarding any of the three demands given in my letter of September 14. Here is a summary of Amazon's position contrasted with our demands.

1. On disclosure of personal information to parties other than Amazon

   Amazon has deceived its customers who emailed never@amazon.com; they would have assumed that their personal information would never be disclosed or traded by Amazon, whereas Amazon's new privacy policy states that such disclosures and trading occurs. Amazon also maintains that it may in future decide to sell information about customers on an opt-out basis, where the level of notice is unspecified: possibly an email, possibly putting up a revised privacy policy. Further, if an an acquisition or bankruptcy occurred under the current policy, the information could be sold without even an opportunity to opt out.

   Amazon's current position is not only bad for privacy, it is inconsistent with its previous representations. To remedy both faults, Amazon should commit to never disclosing information about a customer without affirmative consent (opt-in), with very limited exceptions such as a court order. In the case of an acquisition, notice and opt-out would be acceptable. In a bankruptcy the question is moot.

2. On access by customers to information Amazon holds about them

   Amazon currently provides partial but not complete access, particularly on information that Amazon obtains about the consumer from other sources. Further, those sources are not even identified, and the nature of the information is not even described in general terms.

   Amazon should commit to providing complete access, with possible limited exceptions for ongoing investigations of fraud.

3. On deletion, Amazon is refusing customer requests to dissociate their identity from their past purchasing information. Amazon says it will not consider providing this feature until the year 2001, but even then it makes no commitment. Amazon says it wants to retain the information in order to make its fraud-detection systems more effective.

   Amazon's position here, that customer data is its exclusive property to retain indefinitely for its own enrichment against the will of the person concerned, is intolerably arrogant.

   Amazon should provide the option for a customer to dissociate their identity from any or all transactions recorded by Amazon. Several limitations are appropriate, such as during a reasonable period to allow for returns, chargebacks, and so forth. This might be 90 days, extended as appropriate if money is owed, for example.

   As I stated in my previous letter, it is not even necessary to delete the data about particular sales; it would suffice to dissociate the purchases and profiles from personally identifying information. Nor is any very burdensome action such as erasing backup tapes required; the standard applicable here is whether the information would be available in the routine course of business.

Our demands on access and deletion are required under the laws of several countries in which Amazon operates, including the United Kingdom and Germany. Given that the computer systems are the same, I find it repugnant that Amazon has made a willful and deliberate choice to deprive its American customers of the control over their personal information that are legally guaranteed rights for its customers elsewhere. It is shameful that Amazon has weakened its privacy policy in the US but not other countries that have strong privacy law. Amazon has made a clumsy attempt to enrich itself at the cost of its customers' privacy.

I urge you to announce a commitment to giving all Amazon customers worldwide the highest standards of protection for their personal information, specifically including the three demands listed above.

Sincerely

Jason Catlett
President
Junkbusters Corp.

  Letter 2000/12/4 to Federal Trade Commission

Jodie Z. Bernstein, Director
Federal Trade Commission

Dear Ms. Bernstein:

We ask the Commission to investigate whether Amazon has deceived consumers in its representations about privacy, particularly regarding the circumstances under which information about customers and their purchases might be sold or otherwise disclosed. We also believe that the Commission should compel Amazon to offer a specific remedy to customers who may have been deceived.

1. In the course of using Amazon's website, customers may reveal personal information such as their name, address, credit card information, persons to whom their purchases have been shipped, content of product reviews, personal description and photograph, financial information, and their Social Security and driver's license numbers.
2. Amazon's computers automatically collect information on customers e-mail address, browser type, operating system, computer platform, purchase history, and the products they search for and view.
3. In an earlier version of its privacy policy, Amazon stated that it did not disclose personal information to others, and specifically that it would in effect guarantee that this would never occur if customers took certain steps. Amazon [gave this answer in its privacy policy, included in a submission] to the FTC on June 11, 1999 in response to the question "Will Amazon.com disclose the information it collects to outside parties?" (The use of the term "disclose" in the question here is significant.):

   Amazon.com does not sell, trade, or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.com. (If you use more than one e-mail address to shop with us, send this message from each e-mail account you use.) Also, Amazon.com may provide aggregate statistics about our customers, sales, traffic patterns, and related site information to reputable third-party vendors, but these statistics will include no personally identifying information.

   http://www.ftc.gov/privacy/comments/amazoncom.htm (visited Dec. 3, 2000)
4. No mention was made in the Amazon response of any disclosure other than in this paragraph. Any reasonable person reading this would have concluded from the Question and Answer that Amazon does not disclose their personal information. Further, consumers who use the never@amazon.com facility (hereafter called the "Never Sayers") would assume that they could prevent disclosures permanently.
5. Customers may have been deceived, because later versions of the privacy policy revealed that Amazon does disclose personal information. For example, the current version of its privacy policy states that it does "release account and other personal information" in a variety of circumstances, including "exchanging information with other companies and organizations for fraud protection and credit risk reduction."
6. In the revised version of its privacy policy issued August 31 set out the following paragraph (hereafter called the "Wholesale Exception Clause").

   As we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.

7. This statement is directly contradicted by the following representation on a page soliciting customers to volunteer items for purchase by others as a gift.

   Providing an address will help us ensure that your stuff goes to the right place. And whether you or someone else buys an item off your Wish List, you needn't worry about privacy--we'll never reveal this address to anyone.

   https://www.amazon.com/exec/obidos/handle-buy-box=B00004U8H4/102-3965197-9406505
8. Amazon's use of the word "never" is plainly deceptive. "Never reveal" means the same as never disclose. Its new privacy policy attempts to wash away the commitments that were elsewhere made to its customers.
9. Another similar instance of this is evident in its email notice to customers of the Wholesale Exception Clause above, which Amazon seems to believe allows it to abrogate its responsibilities to the Never Sayers [according to following paragraph] in the pre-August 31 policy.
10. Amazon's policy changes have prompted public concern, national news coverage and several organizations have discontinued their affiliations with Amazon.
11. Following the revision of the Amazon privacy policy, Junkbusters Corp. President Jason Catlett attempted to persuade Amazon to amend their practices and policy, but it has refused to make any changes. (A copy of Catlett's open letter to Amazon and a redacted statement by Amazon of its position are included as Appendices B and C.)
12. Following the revision of the Amazon privacy policy, the Electronic Privacy Information Center (EPIC) ended a four-year affiliation with the company. Mr. Marc Rotenberg, Executive Director of EPIC, stated on September 13, 2000, ``Because of this decision, and in the absence of legal or technical means to assure privacy for Amazon customers, we have decided that we can no longer continue our relationship with Amazon.'' (A copy of Mr. Rotenberg's letter is included as Appendix D).
13. Amazon has revised its privacy policy to the detriment of customers. A consumer reading Amazon's prior statement could reasonably conclude that his or her personal information would not be transferred to third parties.
14. Amazon has revised its privacy policy to the detriment of the family, friends, and colleagues of Amazon customers, as Amazon now possesses detailed information resulting from gift orders processed, including personal preferences, interests, and private activities.
15. Amazon's current statement regarding Conditions of Use, Notices, and Revisions allows the company to further revise its privacy policy at any time in the future it wishes, regardless of whether there is any harm or detriment to consumers.

    If you choose to visit Amazon.com, your visit and any dispute over privacy is subject to this Notice and our Conditions of Use, including limitations on damages, arbitration of disputes, and application of the law of the state of Washington. If you have any concern about privacy at Amazon.com, please send us a thorough description to terms@amazon.com, and we will try to resolve it. Our business changes constantly. This Notice and the Conditions of Use will change also, and use of information that we gather now is subject to the Privacy Notice in effect at the time of use. We may e-mail periodic reminders of our notices and conditions, unless you have instructed us not to, but you should check our Web site frequently to see recent changes.

    http://www.amazon.com/exec/obidos/tg/browse/-/468496/002-4947192-6451209 (visited Dec. 2, 2000)
16. Amazon should not be permitted to continue to benefit from a deception.

Remedies

We urge the FTC to investigate whether the privacy policy changes constitute deceptive or unfair trade practice under Section 5 of the FTC Act. Further, we believe that the following remedies are necessary and appropriate:

1. Amazon should be prohibited from disclosing any information about any Never Sayer, even those who continue to purchase from Amazon after receiving the email of the Wholesale Exception Clause. The customer may not have read or understood the lengthy and complex legal language [of the revised privacy policy referred to] in the email notification, and it is unfair to place the burden of doing so on the customer. To allow Amazon to unilaterally withdraw such an important representation would be to condone a massive bait and switch tactic. Only if the customer deliberately consents to a specific request by Amazon for permission to disclose should Amazon be permitted to do so.
2. Each Amazon customer should be given the option to require Amazon to delete her personal information. Jason Catlett has requested this option, but Amazon has repeatedly refused him. Therefore we are also asking the Commission to compel Amazon to offer this option.
3. Amazon should also be required to inform Never Sayers precisely what information about them has been disclosed, to which parties, and for what purposes. In the case of what Amazon calls "exchanging information," the customer should be offered access to all information about the customer that was returned to Amazon about him or her. (A limited exemption might be made in the case of a pending criminal investigation.)
4. We request that the FTC compel Amazon to treat consumer information in a matter consistent with at least the following elements of Fair Information Practices: First, consumers should be able to easily obtain access to Amazon's policies on information use. Second, Amazon must gain consent from consumers before it uses consumers information. Third, consumers should have access to their information stored by Amazon. Last, Amazon should store consumer information securely.

Sincerely yours,

Jason Catlett, President, Junkbusters
Marc Rotenberg, Executive Director, EPIC

  Letter 12/4 from Privacy International to UK Data Protection Commissioner

Dear Ms France

This letter asks you to commence proceedings to halt Amazon.co.uk's processing operations in the UK until it complies with UK data protection law. The company is presently in wilful violation of several requirements of the Act, and should not be permitted to continue operating unlawfully.

On 14 September I wrote to the Managing Director of Amazon.co.uk 1) requesting access to all information relating to me that Amazon holds, 2) declaring my intention to then demand that Amazon then delete that information, and 3) objecting to the transfer of the data to the US. His office acknowledged receipt of the letter on 27 October, but I have to date received no further reply. Amazon has far exceeded the maximum time allowed to comply with an access request.

Furthermore, in separate correspondence with Jason Catlett Amazon has indicated that a deletion function "is not something that our systems were designed to accommodate easily" and has refused to do so for him, saying that the information must remain in order to make its fraud-detection systems more effective.

This company is plainly unable and unwilling to meet its responsibilities under UK data protection law.

I ask you to issue an order prohibiting Amazon.co.uk from processing data and from effecting any transfer of personal data from the UK to the US. Only after the company demonstrates its willingness and capacity to operate legally should these prohibitions be removed.

Sincerely

Simon Davies

Director
Privacy International

  Letter 11/27 from Amazon to Junkbusters

These comments from Paul Misener, VP, Global Public Policy, Amazon.com have been included at his request. Material at the beginning and the end of the letter that relates to another matter have been redacted.

[...]

During our meeting, you asked why we did not state in our revised privacy notice that Amazon.com would never sell customer information without the customer's consent. Our response, as you may remember, was that our privacy notice clearly says that; "Information about our customers is an important part of our business, and we are not in the business of selling it to others." The privacy notice goes on to list the limited ways in which customer information might be shared with another party, concluding with the statement: "With Your Consent: Other than as set out above, you will receive notice when information about you might go to third parties, and you will have an opportunity to choose not to share the information."

We believe the privacy notice is clear and addresses your concerns already. Our formulation focuses on the transfer of information, rather than the less precise concept of "selling" information, but the basic idea is the same. Subject to the limited circumstances set forth in our privacy notice in which information about customers might be shared (e.g., acquisition of an entire business unit; new transactions with co-branded stores), Amazon.com will never sell the information we collect from customers without their consent. We are currently planning to add a short Q&A section to our privacy notice next year to correct the most common misperceptions of our privacy notice, and we will be sure to include this point.

Customer access to information was another issue you raised during our meeting, and you asked us to describe some specifics about access that Amazon.com offers. In fact, Amazon.com is an industry leader in providing customers access to information they generate when shopping at Amazon.com. The privacy notice itself contains links to five different areas of our Web site where a customer can view and edit information about their shopping habits and account details. And clicking on any one of those links in turn provides a very large menu of choices designed to give our customers maximum access and control over the information relevant to their Amazon.com shopping experience. Thus, clicking on the "Your Account" or "Account Maintenance" links gives the customer the following options for viewing and editing information: "See the status of all your orders," "Cancel orders that have not yet entered the shipping process," "Edit the shipping options and addresses on unshipped orders," "Add or edit gift packaging on unshipped orders," "View your Auctions & zShops Account," "View your orders with one of our trusted partners" (with direct links to the Web sites for Drugstore.com, Audible.com, Greenlight.com, and Ofoto.com), "View items ordered" within a choice of time periods, "Access or change your 1-Click settings" (which provides customers with the option to turn the feature off as well as change the default credit card and address information), "Manage your address book" (which permits customers to view and change their own address or other shipping addresses that they use), "Change your name, email address or password," "Edit or delete a credit card," "View balance/claim Gift Certificate," "View your check balance," "Update your communication preferences," "Manage your New for You Email" (which permits customers to opt into or out of receiving various types of email notifications), "Manage your Delivers" (similar), "Manage your Alerts" (similar), "Manage your Special Occasion Reminders" (which allows customers to have Amazon.com remind them of birthdays and the like), "Manage your available-to-order notifications (for out-of-stock or not yet released items)," "Delete your Wishlist," "Manage your About You Area," "Manage your Favorite Areas," "Edit your Favorite People," "Rate or exclude your Past Purchases," "Refer-a-Friend," and "View your Seller Account" (for items being sold in Auctions and zShops). Note that the "Customer Communications Preferences" option allows each customer to customize the types of email communications they receive from Amazon.com; instead of offering one choice that affects all types of email, this feature permits customers to specify which types of communications they wish to receive from Amazon.com, if any, as well as what format they receive. Finally, other areas of the Amazon.com store permit customers to create, view, and edit Wishlists, Auctions and person-to-person bidding and vendor account information, information that they volunteer for the "About You" area of the Web site, the product reviews they submit for other visitors to read, and, in the recently added "Page You Made" feature, a list of product detail pages viewed by the customer during a continuous visit to Amazon.com. In our recommendations section, we also now provide customers with the past purchase information that indicates why certain products are recommended, as well as a way for customers to change that information if they wish. I encourage you to explore these options for customer access and control of information at Amazon.com. We've found that customers want and appreciate the access to information that Amazon.com provides, and we hope you will feel the same way.

The last issue you raised was deletion of customer information. As we discussed at the meeting, this function is not something that our systems were designed to accommodate easily, in large part because requests to delete customer information are so rare. Currently, when customers ask us to close their accounts, we suppress their information in our systems so that it is no longer accessible to or viewable by the customer or, of course, by any other Amazon.com visitor. Closed accounts also are partially obscured from access by customer service and other Amazon.com personnel (though it is still possible for internal personnel to obtain records, including billing address and shipping address information) for individual past transactions. If a customer specifically asks us to delete a credit card number from our systems, we will do so upon verification of identity by the requesting party. This is done manually and is very time consuming.

Plainly, this is more than U.S. law requires and, in our experience, more than most customers expect. We currently are exploring the feasibility of enhancing our "suppress" capability so as to render certain types of customer information for closed accounts even less accessible to people inside the company in the ordinary course of business. (The difficulty of doing this is in part due to the need to retain transaction information and to prevent and detect fraud.) Given the heavy demand for IT resources during the holiday retail season, however, we will not be able to complete this assessment this year, and even next year this project will require significant time and thought. We are interested in hearing your views about how best to implement a procedure that will satisfy privacy concerns while still permitting us to retain appropriate business and financial records, [...]

  Open Letter 9/13 to Amazon

Mr Jeff Bezos
Chief Executive Officer
Amazon.com

Dear Sir

I write to tell you why I have become so disappointed with Amazon.com's privacy policy that I am canceling my account and am terminating the participation of Junkbusters Corp. in Amazon's affiliate program. This letter also details several specific changes to Amazon's practices that would have to be made before I or my organization could recommend anyone buy from Amazon.

As you know, Amazon has for years offered its customers an option to send email to never@amazon.com requesting that personal information about them and their purchases never be sold. This option does not appear in the new privacy policy. Amazon has effectively shifted the burden to the customer to constantly monitor Amazon's privacy policy for changes, and to object if they notice a substantial one. This is unacceptably burdensome. Furthermore, the Amazon's policy merely states that it does not currently "sell, trade or rent" personal information, which excludes disclosures that are made without payment to Amazon. This should be broadened to standard of the 1980 OECD guidelines: ``Personal data should not be disclosed made available... except: with the consent of the data subject, or by the authority of law.''

Finding Amazon's new terms unacceptable, I emailed customer service a request to terminate my account and to destroy all information relating to me. They sent me the following reply, which I find even more unacceptable: ``Please note that we cannot totally remove account information from our system, as it is part of our business transaction records.'' This is nonsense from a technological, business, and legal viewpoint. Amazon should be deeply embarrassed that it has attempted to dismiss with such a weak and contemptible excuse the wishes of a customer to control his own data. Amazon is required by law in many jurisdictions in which it operates to delete personal information on request of customers, and it is shameful that Amazon does not offer this routinely to its American customers, who do not have such a right guaranteed by law. From the perspective of your information systems, it is not even necessary to delete the data about particular sales; it suffices to dissociate the purchases and profiles from personally identifying information. Nor is any very burdensome action such as erasing backup tapes required; the standard applicable here is whether the information would be available in the routine course of business, and in particular, the course of business of any company to which Amazon might sell its database.

At the time Amazon weakened its privacy policy this month it disclosed that it buys information about its customers from other unnamed parties. I asked to see the information Amazon has obtained about me; this request was ignored. Also ignored was my request to see the information that Amazon stores and infers by itself. Again, this is required by law in many countries, and Amazon should offer this option to American customers. I am not the only U.S. customer to want this: John McCain specifically discussed Amazon in recent Senate hearings, and surveys show that an overwhelming majority of Americans want this right. The ability is especially topical with the recent revelation that Amazon is experimenting with offering different prices on the same items: if I am to be charged a different price than someone else, I want at least to know on what basis the price discrimination is taking place.

In summary, Amazon's current privacy policy is unacceptably weak. The fact that the policies of many of its competitors are worse is no excuse, because Amazon's leadership position means that it directly affects a very large number of individuals as well as prevailing industry standards. The changes required are (1) to undertake to disclose information about the customer only with the customer's affirmative consent or as required by law, (2) to provide each customer on request with all information held by Amazon about the customer, and (3) to delete all personal information held about the customer on request. In general, Amazon's policies and practices for its American customers should be raised to the standards set by the OECD in 1980.

Sincerely

Jason Catlett
Junkbusters Corp.

  Letter 9/14 from Simon Davies to Amazon.co.uk

Mr Steve Frazier
Managing director
Amazon.co.uk

Dear Sir

I write as Director of Privacy International to object to the transfer of personal information about Amazon.co.uk's customers to jurisdictions outside Europe. I am also, as an individual customer, requesting access to all information relating to me that Amazon holds in all jurisdictions.

My attention was recently drawn to the following clause in Amazon.co.uk's terms of service.

Please note that the information you enter will be transferred outside the European Economic Area for the purposes of processing by Amazon.co.uk and its affiliates and in order to maintain customer accounts for you at other Amazon Web sites. By submitting your order, you consent to this transfer.

I do not consent to this transfer. You will be aware that European Data Protection law specifically limits such transfers to jurisdictions that do not have adequate legal protection. Your policy failed to disclose the specific jurisdiction, but I understand that data is transferred to the United States, which lacks adequate legal protection, and where typical business practices show a wanton disregard for privacy. I believe that your current practices constitute unfair processing under the terms of the UK Data Protection Act of 1998. I am therefore writing to the UK Data Protection Commissioner requesting an investigation of Amazon.co.uk's practices, and asking her to issue an interim order prohibiting these transfers. I also consider the contract to be unfair and intend to refer it to the Unfair Contracts Division of the Office of Fair Trading.

As a former Amazon.co.uk customer, I am also requesting a copy of all the information that Amazon.co.uk holds relating to me. This includes, but is not limited to: records of book titles purchase; clickstream data such as URLs viewed, IP addresses, cookies, timestamps; search queries; items placed in shopping carts but removed prior to checkout; data purchased by Amazon from other sources or gathered from public records; demographic and psychographic data; any estimates of propensity to purchase particular products; any information relating to credit risk; estimates of lifetime value; any clustering or segmentation data; any estimates of price elasticity; and any other information associated with me individually.

Amazon.co.uk's privacy policy does not discuss access, but Amazon.co.uk is required by law in the UK to provide it. After Amazon has complied with my request I intend to require that the information be destroyed. I am unhappy that my personal information has been surreptitiously sent to a jurisdiction where it is not legally protected.

Amazon's substandard practices set a poor example for an industry leader, and bring disrepute to electronic commerce in the eyes of online customers.

Sincerely

Simon Davies

Director
Privacy International

  Sample email for customers to send to Amazon

If you want to send Amazon a message, you might consider something like these three questions:

1. Can you guarantee me that you will never disclose information about me without my my prior express consent?
2. Will you always show me all the information you have about me if I ask?
3. Will you destroy all the information you hold about me within a reasonable time if I ask?

  Rebuttal of Amazon's canned response to concerned customers

Junkbusters President Jason Catlett wrote the following rebuttal of the response below.

In a form letter to concerned customers, Amazon claims that their new policy is "in some ways more restrictive" than the old one. This ignores two important facts: there is no longer an option to say "never sell information about me", and the new policy could be replaced at any time by an even newer policy that allows it to disclose information, without obtaining its customers' consent. Instead of its statement that "Amazon.com is not in the business of selling customer information," a more honest summary would be "Amazon.com is not currently in the business of selling customer information, but we reserve the right to get into that in the future. We own the data we have about you, we won't show it to you, we won't delete it even if you ask, and we don't have to ask you if we decide to start selling it."

  Amazon's canned response to concerned customers

Thank you for contacting Amazon.com with your concerns about our new Privacy Notice. I am very sorry if recent news reports have caused any alarm, and I hope that I can clear up any misunderstandings.

Contrary to some recent reports in the news media, Amazon.com is not in the business of selling customer information. We never have been.

In fact, our new policy is in some ways more restrictive than our old one, which indicated that we "may" sell or rent information in the future. Under the new policy, we specify that we *will not* disclose customer information to third parties except in certain limited circumstances, one of which is the unlikely possibility that a part of our business is acquired by or merged with another company.

Furthermore, the new privacy notice makes clear that we only share information with affiliated companies if a customer chooses to enter into a transaction with one of these companies, such as Greenlight or, in the near future, ToysRUs.com, with whom we will be operating a co-branded toy store. If you choose not to do business with these stores, then these companies will not have access to any of your account information. If you do choose to shop at one of these stores, the only information we will share is information regarding your transactions with that store; these companies will never have access to information about your other purchases at Amazon.com.

Privacy is as important to us as it is to our customers. Under the express terms of this new Privacy Notice, we are confirming that we are not in the business of selling customer information. By posting the new policy, our hope was to reassure customers by specifying in greater detail the limited occasions in which any of their information might be shared.

I hope that I have been able to allay your concerns. Please let us know if you have any further questions. We value your business and look forward to serving you again.

  Independent analysts comment on Amazon's move

Movie critic Roger Ebert severely criticized Amazon: ``Forgive me for my naivete, but I think of Amazon as a bookstore, not a database. ... What a kick in the face.''

Internet marketing guru Jim Sterne wrote a "translation" of Amazon's notice to its customers. The following excerpt is taken from an article in Computerworld.

Date: Mon, 4 Sep 2000 18:50:31 -0700 (PDT)
From: Amazon.com Legal Notices <legalnotices-b@bounces.amazon.com>
Subject: Update to privacy policy
To: jsterne@targeting.com

Dear Customer,

Ooo - how cold and remote. Whatever happened to that great personalization?

We have just updated Amazon.com's privacy policy and, because privacy is important, we wanted to e-mail you proactively in this case and not just update the policy on our site, as is the common Web practice.

Translation: The information we're collecting about you is valuable and we wanted to be able to say, "Hey, we were up front about it!"

Thanks for being a customer and allowing us to continue to earn your trust.

Translation: Thank you for allowing us to earn some money on the side off of the information we've collected about you.

To read the updated Privacy Notice, visit: http://www.amazon.com/privacy-notice

Translation: No way are we going to publish this heretical manifestation of our brazenness in full view.

Please keep in mind that this updated policy applies only to the amazon.com Web site (and not amazon.co.uk, amazon.de, or amazon.fr).

Translation: What we're going to do to you is *illegal* over there!

Thanks again for shopping at Amazon.com.

Like sheep to the slaughter.

Sincerely,
Amazon.com

PS: We hope you appreciated receiving this message. However, if you'd rather not receive any future notices of this sort from Amazon.com, please send an e-mail message to nolegalnotices@amazon.com.

Translation: We'd rather not have to tell you about other devious things we have planned.

Please be aware that even if you choose not to receive these updates, they will still cover your use of Amazon.com.

Translation: You have sold your data soul to us and your ASCII is ours!

Please note that this message was sent to the following e-mail address: jsterne@targeting.com

Translation: We know where you live.

Sterne is not the only analyst to remark on the audacity of Amazon's move. Ecommerce Times wrote:

The fact is, the new policy does a lot more than put Amazon's customers on notice. It shifts the balance by taking control of information from the individual and giving it to Amazon.

A good cross-section of public sentiment on the topic can be found on the discussion boards on CNET News.com.

Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/amazon.html