October 8, 2002

Glenn Kaplan, Assistant Attorney General
Pamela Kogut, Assistant Attorney General
Consumer Protection and Antitrust Division
Office of the Attorney General
Commonwealth of Massachusetts
One Ashburton Place
Boston, MA  02108-1698

Dear Assistant Attorneys General Kaplan and Kogut:

This open letter comments on the recent undertakings of Amazon.com regarding customer information. We urge further action from consumer protection officials because we consider that Amazon's policy and practices are still an ongoing threat to the privacy and intellectual freedom of millions of consumers in the United States.

We commend you and your colleagues from the 12 states for undertaking discussions with the company about its change of privacy policy in August 2000. Amazon.com was widely and harshly criticized for this. Our organizations so deplored the change that we severed our business relationships with the company, forgoing revenue. We have attempted to persuade them to reform their information practices and to return to their promise never to sell personal information, but they have repeatedly and consistently refused our requests. [1]

As a general principle, bookstores should not be selling dossiers on their customers' reading habits; such dossiers should be carefully restricted. In recent years, access to book sales records has been a matter of significant public concern.  In a recent case involving law enforcement access to book lists, the Colorado Supreme Court ruled that a release of book records would violate readers' First Amendment rights, and that the state would have to demonstrate a compelling state interest to obtain book sales records. [2]

Patrons of libraries are covered by privacy laws or regulations in all states.  Additionally, the American Library Association has a strong tradition of protecting individuals' choices in reading, having adopted protections for patron privacy as early as 1939. [3] Librarians have even developed technical methods to shield circulation records from exposure.  Some electronic circulation systems expunge all record of a book being borrowed as soon as the patron returns it.

Amazon has attempted to reserve and reclaim a right to sell records that enjoy strong protections in other contexts. A transfer of this information impinges on intellectual freedom, and could subject readers to stigma for their book choices.  Amazon actually can put its customers at greater risk than offline bookstores or libraries, in that the company can use cookies and personalization technology to track not only book purchases but also book browsing.

We commend you for negotiating a greater level of openness from Amazon.com in their information collection, sharing, and enhancement activities. These practices are opaque to the user, and knowledge of them will give customers a greater appreciation of the risks involved in shopping at Amazon.com.

However, it is unclear whether your negotiations have resulted in any rectification of what we regard as the three principal inadequacies in Amazon's information policy and practices: its option to sell its customer database wholesale; its refusal to give its customers the right to see all the data it accumulates about them; and its refusal to delete records of past book purchases. Here we explain these deficiencies in detail and recommend four actions for you or any other consumer protection officials to take.

Certainly the company itself regards the negotiated changes as immaterial. Amazon VP and Associate General Counsel David A. Zapolsky began his letter of September 23rd to you and your colleagues by stating that Amazon is "not making any material changes in our policies and practices regarding customer information this time..." and that the company would merely "expand some of the examples provided in the Notice, as well as clarify some of the provisions that may have been misunderstood in the past."

A footnote in the letter gives new language regarding the wholesale database sale, which may seem to be a concession, but which we consider to be distracting from the central change: that Amazon decided to let itself sell its customer database as part of a business unit, having previously promised never to sell their information. We have flagged <<thus>> a clause that is to be added. "As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets <<but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise)>>. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets."

Amazon's pre-existing Privacy Notice (its policy before August 2000) stated in question and answer format: "Will Amazon.com disclose the information it collects to outside parties? Amazon.com does not sell, trade, or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.com."

Amazon promised never to sell customer information; now it is saying that it may do so, recently adding the "clarification" that the buyer will be subject to the same promises that it originally made, and then abrogated. This is plainly hypocrisy. We also believe that it constitutes an unfair and deceptive trade practice under federal and state law. Our first recommendation is that you require Amazon to obtain customers' consent prior to transferring personal information in these circumstances.

Our second recommendation is that you require Amazon to offer its customers the option to delete the record of specific purchases. Some former customers of Amazon, including ourselves, no longer trust the company to do what it says, and would like to be able to remove the risk of Amazon making an undesired disclosure. To specify the functionality more precisely, the information systems should provide customers the option to dissociate their identity from any or all transactions recorded by Amazon. Several limitations are appropriate, such as during a reasonable period to allow for returns, chargebacks, and so forth. This might be 90 days, extended as appropriate if money is owed, for example.

As we have stated in previous correspondence with the company, it is not even necessary to delete the data about particular sales; it would suffice to dissociate the purchases and profiles from personally identifying information. Nor is any very burdensome action such as erasing backup tapes required; the standard applicable here is whether the information would be available in the routine course of business.

Although an Amazon official told us in 2000 that such a feature might be considered for the year 2001, Amazon still refuses to allow deletions, and has recently been making preposterous excuses. Amazon spokeswoman Patty Smith was quoted by the Seattle Post-Intelligencer September 27th, 2002: "Customers can't delete records, for tax and business reasons." We have asked her which taxation authority Amazon believes requires records of the specific titles purchased by customers; we have yet to receive a reply. The phrase "for business reasons" seems to mean "because we don't want to."

Our third recommendation concerns access by individuals to their records. Your negotiation of a greater level of openness from Amazon.com is commendable, but the level of transparency considered adequate by international privacy standards goes beyond disclosing the nature of information shared; it includes identification of the specific organizations involved and access by the individual to all data concerning him or her. Amazon currently provides partial but not complete access, particularly on information that Amazon obtains about the consumer from other sources. Amazon should commit to providing complete access, with possible limited exceptions for ongoing investigations of fraud.

Our long-standing demands to Amazon on access and deletion have for years been required under the laws of several countries in which Amazon operates, including the United Kingdom and Germany.

Amazon.com's treatment of its American customers as second-hand citizens can be seen easily by examining the privacy policy of amazon.co.uk.

This policy resembles Amazon.com's pre-2000 policy: it still has a "never" option to preclude the sale of personal information, and contains no language concerning wholesale transfers. If Amazon believed they could get away with such a change under European privacy and fair trading laws, they would probably have attempted to do so in the two years that they have had to harmonize their American and European policies.

The UK privacy policy makes it clear that the personal data is controlled and processed by Amazon's computer systems in the US, but that they intend to comply with the higher privacy standards required by UK law. [4]   We find it repugnant that Amazon has made a willful and deliberate choice to deprive its American customers of the control over their personal information that are legally guaranteed rights for its customers elsewhere.

Our fourth recommendation is that Amazon be required to submit to an independent audit to determine its compliance with its privacy policy. This is necessary because the company's actions have shown that it should not be trusted. In May 2001, staff of the Federal Trade Commission concluded that Amazon and its Alexa division had likely deceived its customers, but the FTC declined to act further. Amazon should undergo an on-site audit by a competent and independent firm to determine whether its actual past conduct (rather than just its own descriptions of its practices) conformed with the various versions of its privacy policies. The auditor's report should be made public.

In conclusion, we commend you for investigating Amazon, and hope that you act further on the four recommendations we have described above.


Very respectfully,

 

Jason Catlett
President
Junkbusters Corp.

 

Chris Hoofnagle
Legislative Counsel
Electronic Privacy Information Center

Cc:     
Steve Sakamoto-Wengel
Assistant Attorney General
State of Maryland

Noreen Matts
Assistant Attorney General
State of Arizona

Tracy Sonneborn
Assistant Attorney General
State of Michigan

Gary Hawes
Assistant Attorney General
State of Connecticut

Bennett Rushkoff
Senior Counsel
Office of Corporation Counsel
District of Columbia

Julie Brill
Assistant Attorney General
State of Vermont

Linda Conti
Assistant Attorney General
State of Maine

Drew Lianopoulos
Assistant Attorney General
State of Oregon

Lucian D. Geise
Assistant Attorney General
State of Tennessee

Harriet Worley
Assistant Attorney General
State of North Carolina

M. Kristin Spath
Senior Assistant Attorney General
State of New Hampshire

Jack Norris Jr.
Assistant Attorney General
State of Florida

Christopher Petrie
Senior Assistant Attorney General
State of Wyoming

Stephen H. Levins
Acting Executive Director
Office of Consumer Protection



[1] Copies of the relevant letters are available at http://www.junkbusters.com/amazon.html on the Web.

[2] Tattered Cover, Inc. v. City of Thornton, No. 01SA205, http://www.cobar.org/CFwebFiles/Content/dspOpinion.cfm?OpinionID=560.

[3] 1939 Code of Ethics for Librarians, ALA, at http://www.ala.org/alaorg/oif/1939code.html.

[4] "Any personal information provided or to be gathered by Amazon.co.uk is controlled primarily by Amazon.com Int'l Sales, Inc. of 1200 12th Avenue South, Suite 1200, Seattle WA USA 98144 and secondarily by Amazon.co.uk Ltd of Patriot Court, 1-9 The Grove, Slough, Berkshire, England SL1 1QP."  "Any transfer of personal information outside of the European Economic Area is done in circumstances ensuring that the information is processed only in accordance with this Privacy Policy and the UK's Data Protection Act."