One of the priorities for Gartner's forthcoming IT Security Summit in Washington, D.C. is privacy. According to a recent Gartner release, "The need for privacy management is increasing and U.S. businesses must implement more robust customer privacy policies now or face government intervention and severe customer backlash."

Reading that release was the second time in as many hours that I had noted the term "robust" attached to the issue of customer privacy. The first was during a discussion with TRUSTe executive director Fran Maier regarding her position on the recent practices of online merchant batteries.com.

The batteries.com Web site is one of many sites that bear the TRUSTe trustmark. This imprimatur is designed to assure customers that a merchant has taken and deployed sufficient measures and policies to ensure that customer privacy will be protected when a customer engages in a transaction with that merchant, that the merchant has sufficiently disclosed how a customer's personal information might be used, and that the customer will, to some degree, be empowered with control over the sharing of that information.

[an error occurred while processing this directive]

In the context of my conversation with Maier, the term "robust" was used to refer to the extent to which a merchant is responsible for notifying customers that their personal information is to be shared with a third party, and the default business process that ensues should the success of that notification be unknown. Maier spoke with me on a hypothetical basis since TRUSTe had not yet launched an official investigation into batteries.com's potential violation of the watchdog's policies.

So, how might batteries.com have crossed the line?

For several years now, I've been conducting an experiment with many of the online and brick n' mortar merchants with whom I do business. To each merchant, I have supplied a home address with a unique apartment number in addition to my street address. I live in a single-family home with only one mailbox, so the apartment number is treated as extraneous information by the mail carrier. But for me, these apartment numbers create a tracking system for how my personal information is being used. If anything shows up in my mailbox with an apartment number on it, I can tell whose database was responsible for generating the mailing label.

Recently, about one year after buying a battery for my cordless phone from batteries.com, I received a copy of Men's Journal addressed to the same apartment number to which I had assigned batteries.com. (For the record, I found the magazine to be an enjoyable read. But I had to separate my feelings for the publication from my concern that my personal information had apparently been shared without my permission.) Before discussing the matter with Maier at TRUSTe, I contacted Eric Tobias, marketing vice president of Technuity, the parent company of batteries.com.

Tobias admitted that his company had furnished to Men's Journal "the names and addresses of 10,000 to 15,000 of batteries.com's best customers for the purposes of gifting those customers with a full, no-strings-attached, one-year subscription to the publication." Tobias said that his company "drafted a contract with Men's Journal that allows the magazine's publishers to do no more with that information than send the targeted customers each issue for the duration of a year and, thereafter, to offer the 'subscriber' the option to renew."

Given that batteries.com's privacy policy makes no disclosure of this practice, I asked Tobias whether he thought that the practice constituted a violation of my privacy. Tobias referred me to the fourth point on batteries.com's privacy policy, which states that "By displaying the TRUSTe trustmark, this Web site has agreed to notify you of : With whom the information may be shared." According to Tobias, "we satisfied that part of our commitment by sending an e-mail to each customer targeted for the promotion. Tobias said "the e-mail gave recipients two weeks to opt out of the promotion. If the customer opted out, as only a very small percentage of customers did, the information would not have been shared."

I also asked Tobias if he consulted TRUSTe before batteries.com engaged in the Men's Journal promotion. He didn't. "When I think of the relationship we have with TRUSTe," Tobias responded, "that's not what comes to mind. If I felt like I could pick up the phone and call TRUSTe and have them walk me through that, I might have done that, but that's not my experience."

What's wrong with this picture? Almost one year after not hearing from the company and having forgotten they even existed, I receive an e-mail with "A Thank You for David from Batteries.com." (Let's forget for a minute that I missed the opportunity to opt out of the promotion because I probably deleted the e-mail as spam.) The non-batteries.com Web page to which this e-mail directed me in order to opt out asks me to input my personal information but has no link to a privacy policy or assurances as to how that information will be used.

Refusing to comment specifically on batteries.com's case until an investigation was completed, TRUSTe's Maier said that "when a merchant is preparing to engage in a new practice that can affect its customers' privacy, the burden is on that merchant to pursue a robust notification process. A single e-mail with an opportunity to opt out does not constitute a robust notification process. If a merchant approaches us for advice on how to handle a situation like [this], the first thing we would do is tell them to make the e-mail an opt-in. This way, the default business process--should the notification fail for any reason-- is to not share the information." Contrary to what Tobias thought, TRUSTe provides consultative input at no charge to companies large and small.

Upon further review, TRUSTe's account team issued the following statement regarding batteries.com.

• This is all detailed in Schedule A of our License Agreement.
• Notification of Changes to Users - Batteries.com did not notify users of the change in practice regarding sharing data with third parties per TRUSTe's notification of changes requirement.
• Choice - users were not provided an opportunity to opt-out of having their data shared under the new practice. The e-mail they sent to users did not provide sufficient choice since users were not notified of the change in privacy practice. In addition, it was promotional rather than a "service" message. And they still didn't do #4 (change privacy policy)
• Obtaining TRUSTe approval of the change in use of personal information as required by the [TRUSTe] license agreement. They should have contacted us and we would have helped.
• Treat information in accordance with privacy statement in effect at the time of collection as required by the license agreement. The new practice was not disclosed in their privacy statement. They were not following their own privacy statement.
• [Batteries.com] is under TRUSTe [the older] License Agreement version 7.0. [However] the latest agreement would not have lessened the requirements outlined above.

Did batteries.com violate my privacy? If you stick to TRUSTe's test --- the tests it uses to determine whether a merchant's site can continue to use its seal of approval --- the answer is yes. I would have to agree, even though I appreciated getting the free subscription to a nice publication.

But, if you ask Tobias, the answer is no. "We take our customers' privacy very seriously," said Tobias. "Internally, we debated whether this was a good idea or not, and we felt that if we did it and had a contract with Men's Journal, that we were still doing all we can to look out for our customers' privacy. We're always looking for ways to differentiate ourselves from our competition and we thought that doing something nice for our customers like this was one such measure." Rhetorically, Tobias asked how else an online merchant could achieve any differentiation.

My answer? Robustly speaking, online merchants can err on the side of caution instead of "differentiation." They can start by protecting their customers' privacy (which, these days, is different enough for me). Otherwise, as Gartner says, expect government intervention and customer backlash. Neither is good for business and, while I can't speak for the former, I can speak for the latter. I never asked for Men's Journal, I certainly don't want to be badgered by renewal notices, and I won't be buying any more batteries from batteries.com.

Did batteries.com cross the privacy line? Use TalkBack to let your fellow ZDNet readers know what you think. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.

[an error occurred while processing this directive]

[an error occurred while processing this directive]