Last year, CartManager International, a provider of online shopping cart and checkout software, sold personal information on 1 million customers to a third party for $US9,000. The data included names, credit card numbers, phone numbers and dollar amounts of purchases. Not only were those customers not CartManager's to begin with but selling their information violated the privacy policies of many of the merchants from which CartManager had obtained the information.

It was not a wise move.

Angry customers (who had been solicited by the company that bought their personal data) complained to the merchants that used CartManager on their websites. The merchants, in turn, complained to the Federal Trade Commission, claiming CartManager had violated their privacy policies. "It's simple," reads a privacy policy on a website operated by one merchant using CartManager. "We don't sell, trade, or lend any information on our customers or visitors to anyone." The Federal Trade Commission charged CartManager with an unfair practice levying a fine of $US9,000-equal to the amount the company had received from selling the information.

The size of the monetary penalty should fool no one. The real damage has been to CartManager's reputation. "This happened almost a year ago, and it still hangs out there in articles," laments Justin Hill, head of sales for CartManager. "It's hard for it to go away."

Truer words were never spoken. The issue of data privacy is not going away for any business or organization that stores, uses or sells personal data on customers or members. Recent publicity about personal data stolen or hacked from Bank of America, ChoicePoint and even the United States Air Force has only heightened the public's concern over the security and privacy of information they provide to businesses.

This mounting concern is now affecting the future of online e-commerce. Even online banking-until this year the fastest growing segment of online activity since 2000-is not immune. The percentage of Americans using online banking services has stalled at 39 percent after a period of blistering growth, according to an August 2005 survey conducted by the market research firm Ipsos Group. The primary reason: 73 percent of consumers say they are avoiding online banking because they are concerned that banks do a poor job of protecting their privacy, including selling personal information to other businesses, Ipsos reports. Although e-commerce is still increasing (holiday online shopping increase by 30 percent last year), 54 percent of consumers said they have curtailed online shopping because of privacy fears, according to a 2005 survey conducted by Javelin Strategy & Research. That concern translates into a loss of $US5.5 billion of annual online revenue, Javelin reported.

Faced with this backlash, state and federal regulatory agencies are beginning to respond. California has already passed strong privacy legislation that requires financial institutions to obtain permission from customers before sharing personal information with nonaffiliated companies. Another California law requires other businesses to report to customers if they share personal information with nonaffiliated companies. Twenty-one states have passed laws that require companies to contact customers if a security breach occurs. On a national level, more than a dozen data security bills have been introduced in Congress this year. They vary in severity, the strictest requiring all companies to notify consumers whenever there is a data breach and give those consumers the ability to see and correct information collected about them. Experts say some kind of legislation on data security and privacy will almost certainly be passed this year.

"There will be legislation to tighten up privacy," says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. "And if not legislation, there will be more regulation."