I talk to clients all the time about not falling into the trap of believing that their Privacy Policy is really nothing but a lot of fluff, filled with vague, self serving statements such as "we respect your privacy".

It's actually way more than that; it's viewed as an enforceable contract by the Federal Trade Commission (FTC), and as such it may be construed against you and subject you to substantial liability.

It's critical that you plan ahead a little bit... anticipate the future needs of your ecommerce business in terms of data collection, use and sharing.

If you don't plan ahead and anticipate circumstances where you may need to collect passive information or share personal information of your customers or mailing list, you may end up in a lurch, so to speak. The Toysmart and Gateway Learning cases illustrate what can happen if you don't... and the 2 tips I'll offer below.

Toysmart was an online seller of children's toys. In 1999, Toysmart's privacy policy was explicit; it stated unequivocally that the company would not share personal information of customers with any third party. Later, unforeseen difficulties forced Toysmart into bankruptcy under Chapter 11. One of Toysmart's most valuable assets was its customer list and its associated personal information.

In 2000, when Toysmart attempted to sell its customer list to generate a recovery for its creditors, the FTC filed a "deceptive practice" lawsuit under Section 5 of the FTC Act. In addition, several state attorneys general objected to the sale. The FTC maintained that the sale of the customer list could only be consistent with the established privacy policy, and Toysmart's privacy policy did not authorize the sale of personal information in the event of bankruptcy.

TIP NO. 1: amend your privacy policy to cover not-so-obvious sharing possibilities such as sharing as part of the unlikely event of insolvency, bankruptcy, or receivership.

Beginning in 2000, Gateway Learning Corporation posted a privacy policy on its website promising, among other things, not to rent consumers' personal information to others.

In April, 2003, despite these promises, Gateway started renting personal information provided by consumers - including their names, addresses, phone numbers, and age ranges and gender of their children - to target marketers for use in direct mailings and telemarketing calls. Two months later, Gateway amended its privacy policy to permit the sharing of personal information, apparently believing that the amendment would take effect retroactively.

The FTC promptly filed suit against Gateway alleging that Gateway's renting of personal information collected prior to the privacy policy amendment was unauthorized, and therefore a "deceptive practice" under Section 5 of the FTC Act. In other words, the FTC argued that the amendment was not retroactive.

TIP NO. 2: ensure that any personal information that is shared with others is authorized by clear privacy policy notices which were in the policy at the time the personal information was collected. Amendments regarding the sharing of personal information are not effective retroactively.

Although your privacy policy may not be an enforceable contract between you and site visitors in the strictest sense, the FTC will enforce your privacy policy against you for purposes of a Section 5 violation, and the FTC is always watching for violations. For this reason, privacy policies should be drafted and frequently reviewed with a view to the lessons of the Toysmart and Gateway Learning cases in mind.

Given the difficulty of amending Privacy Policies retroactively, particularly regarding the sharing of personal information, it's highly recommended that you anticipate in advance to the extent it's possible the privacy disclosures that you might need to make down the road, and add them to your Privacy Policy now... before it's too late. Here's a few examples:

• collection of passive information by cookies and Internet tags;
• collection of navigational data by log files, server logs, and clickstream data;
• sharing with service providers such as ISPs, website designers, etc.;
• sharing with your entity affiliates (subsidiaries, related entities);
• sharing with purchasers of your business;
• sharing with third parties in response to legal process;
• sharing with third party web analytics services such as Google Analytics; and
• as pointed out in the Toysmart case, sharing as part of the unlikely event of insolvency, bankruptcy, or receivership.