In what he called the largest breach of privacy in Internet history, the New York State Attorney General, Eliot Spitzer, has forced Datran Media, a New York City-based online marketing firm to pay $1.1 million in penalties, disgorgements, and costs.
The settlement follows a six-month investigation into whether the five-year-old company, which lists Cingular, America Online, British Airways, Overstock, Nielsen, Orbitz, and AARP among its clients, improperly obtained personal information on more than 6 million American consumers.
The company was accused of obtaining personal data such as email addresses and other information from a company that pledged not to sell its customers’ information.
The Attorney General’s Office is continuing its investigation of Gratis.
Datran spokesman Mark Naples said that Datran was essentially left holding the bag after Gratis changed its policy and worked with the Attorney General to resolve the matter.
“We may sell the personal information that you supply to us, and we may work with other businesses to bring select retail opportunities to our users,” says Datran’s privacy policy. “Additionally, Datran Media purchases and manages email lists generated by affiliate web sites and organizations.”
Datran, which mines customer data and demographics on behalf of its clients, said it discontinued using the files supplied by Gratis in the first half of 2005 and updated its policy at that time.
The AG’s investigation revealed that Datran obtained the largest cache of consumer information from Gratis Internet, a company that has a published policy of not sharing, selling, giving, or lending customer information “for any reason.”
Full Knowledge
Despite the stated policy, Datran bought 7 million consumer files from Gratis and sent millions of unsolicited emails to the listed consumers. The AG’s office said Datran did this with full knowledge of Gratis’ assurances to consumers who gave the company their personal information.
“A privacy policy is more than an empty promise,” said Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group. “Companies must be held to their word.”
As part of its agreement, Datran must destroy files obtained from Gratis.
Datran promises its customers “ironclad” relationships with ISPs guaranteeing that their customers’ mail will be successfully delivered.
The company claims that it is recognized as an industry leader in pioneering CAN-SPAM compliance. The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003 bans deceptive online marketing and spells out penalties for spammers.
Fraud Counterattack
The New York Attorney General’s Office announced that the Internet had the dubious honor of topping the annual Top Ten list of New YorkState consumer complaints to his office.
In 2005, the Internet beat out perennial complaint magnets such as the automobile industry—which includes used car dealers, body shops, and mechanics—ID theft, home repair, and landlord/tenant cases.
The Datran case is part of a concerted effort by law enforcement and the high-tech industry to go after those responsible for email abuse and outright online fraud.
Two weeks ago America Online became the first portal company to file civil lawsuits against three gangs that the company believed obtained the private identity information of unsuspecting customers through online subterfuge, a process called phishing (see AOL Reels in Phishers).
AOL Reels in PhishersThe suit was filed against three phishing gangs in Germany, Romania, and the United States. Phishing gangs set up email lures to lead web surfers to sites that look like of those of trusted firms such as banks, only to fraudulently acquire private information such as credit card numbers and passwords from them.
That information is then either sold or used to fleece the unsuspecting web surfers.