Should Retailers Fight For Their Customers’ Privacy? Only If You Like Having Customers
Not only don’t these sellers know they are being sued, but they don’t know—and have no way to know—that their personal information will soon be in some corporate office in Dearborn being pored over by a bunch of high-priced trademark attorneys. Probably not what they thought would happen when they signed up for PayPal or eBay. But, OK. eBay’s privacy policy does say (and it would be true even if it didn’t say) that generally, “We will not otherwise disclose your personal information to law enforcement, other government officials or other third parties without a subpoena, court order or substantially similar legal procedure.”
So there is a subpoena. And that subpoena trumps the privacy policy. So what’s the problem here?
Online merchants, service providers and, indeed, all merchants need to understand who their customers are. Most privacy policies, including those of eBay, PayPal, Google, Amazon, etc., essentially say, “We will protect your privacy but will also comply with subpoenas.” Fine, as far as it goes. But who will fight these subpoenas? In a civil context, it is almost trivial to get a subpoena. All you have to do is file a lawsuit (typically a John Doe lawsuit will do), and then with a few simple steps, you—meaning anyone—have the ability to ask a court for information about your customers.
The problem for retailers is that there is no money to be made in fighting a subpoena. It’s much easier to just pull together the requested documents, and then shoot them over to the lawyers. This is particularly true when the records relate to old transactions or a former customer or where the customer (buyer or seller) is not the one with whom you have a financial relationship.
So for companies like Google or Facebook, where the customer doesn’t pay for the service, is it worth it to them to spend hundreds or thousands of dollars to fight a subpoena for a customer who never pays the company a dime? Probably not. As a compromise, most entities that receive a subpoena do one of two things. Either they simply comply with the subpoena (hey, we are legally protected), or they notify their customer about the subpoena, wait a bit and, if they don’t hear from the customer, then comply.
Neither of these options really respects the privacy of the customer, although the notice provisions help.
I think merchants have a duty to at least try to protect the rights of their customers. The information requested by Ford—or, indeed, by anyone—is not just eBay’s or PayPal’s. It is the customers’ information, and the merchant is acting as a custodian for it. When a merchant sells an item or provides a service, it is also saying that it will protect the information about that transaction consistent with its privacy and security policies. A mere piece of paper (which is all a subpoena is) is not sufficient to overcome the privacy rights of the customer. The customer expects the merchant to fight on his or her behalf—at least a little.