Setting up a dotcom is a potentially rewarding, but risky, business. While there is a chance of making millions, the risk of insolvency, at least in the early days, is not far away.

It is not unusual to hear an Internet operator is running short of cash or has gone broke. In the event of an insolvency, the dot- com is wound up and its assets sold to pay investors and creditors.

However, when Internet retailer declared bankruptcy in June, it found it was not in a position to realise all of its assets. While it has been straightforward for to sell its US$lO million inventory of toys and other goods, the firm so far has been unable to dispose of one of its prime assets its customer database.

An action brought, by the United States Federal Trade Commission (FTC) has blocked the sale of this database, which includes 220,000 customer names, addresses and credit-card numbers. The FTC filed an objection in the US District Court in Boston, alleging's site contained a pledge to protect its customers' personal information and shopping preferences, and that the proposed database sale would breach that pledge.

An initial settlement between the FTC and would have allowed the retailer to sell its customer lists under strict conditions as to their future use. However, a federal bankruptcy judge has refused to allow guidelines to be set for their sale until a buyer has been identified, over ruling the settlement.

In the meantime,'s lawyer revealed that although five companies initially expressed an interest in the database, all offers had been withdrawn.

Careful wording of the data- protection policy on's site may have avoided this situation. Under Hong Kong law, the Personal Data (privacy) ordinance permits a Web-site operator to use personal data it collects only for purposes it has revealed to its customers at or before the time the data was collected. This requirement is only satisfied by way of an online data-collection policy.

With many well-known dotcoms running short of cash it is important that web site operators put themselves in a position to fully utilise their assets in times of need. In this regard, operators should, as a matter of course, include in their data-collection policies provisions that allow them to sell their customer database either without restriction or, if this is considered inappropriate, sell it to a related company in the event of the insolvency.

If there is a chance of the data being sold to an overseas company, the policy should take account of Section 33 of the ordinance (which prohibits the transfer of personal data overseas except in limited circumstances). Although this section is not in force, it probably will be brought into operation in the foreseeable future.

Not only would the inclusion of such provisions in a dotcom's data-collection policy help realise assets to payoff creditors in the event of insolvency, it also could help attract new investors. In order to minimise their risk, they would be well advised to check for such provisions as part of their due-diligence exercise.

First published in SCMP Technology Post on 5 September 2000.