Vendors send personal information of Internet shoppers to marketer

WASHINGTON -- Without knowing it, some Internet shoppers are forking over more than cash for their purchases. Several online retailers have been giving their customers' personal information to a marketing company.

Privacy groups called the practice an "unforgivable breach" of confidentiality.

A security and privacy firm that does risk assessments for Internet retailers says that four such sites have forwarded personally identifiable information to the marketing company, Coremetrics, despite the retailers' privacy policies.

A Coremetrics spokesman said that the company is legally bound not to disclose the data to anyone else, but did admit that Coremetrics personnel could access it.

Brett Hurt, Coremetrics' CEO and co-founder, said that they "strongly encourage" all of their clients to disclose their relationship with Coremetrics, and provide a link to Coremetrics' opt-out page. But, "we can't control what our clients do," he said.

When an Internet retailer breaks its own privacy policy, it can bring disaster for the company, including eroded customer confidence and lawsuits from federal regulators.

Two of the retailers, both sportswear vendors, carry the TRUSTe privacy seal, which is meant to indicate a commitment to customer privacy.

"If, in fact, these Web sites are transmitting personal information to third parties that they promised would be kept private, we would consider this an unforgivable breach of privacy," TRUSTe spokesman Dave Steer said Monday. "TRUSTe will be looking into this matter to see if these companies are breaching their privacy statements."

Columbus, Ohio-based Interhack Corp. founder Matt Curtin said he found four sites that forwarded personal information that Coremetrics said it was "contractually bound" to keep private: toy retailer ToysRUs and its baby site BabiesRUs, and sportswear sites Lucy.com and Fusion.com.