Rakuten Inc., operator of the online retail site Rakuten-ichiba, has been selling customers' credit card numbers and e-mail addresses–at a charge of 10 yen per name–to retailers selling items to those people, it was learned Friday.

Companies that bought the numbers include Joshin Denki Co., an electrical appliance store based in Naniwa Ward, Osaka, that is listed on the First Section of the Tokyo Stock Exchange.

Rakuten said it had not acted improperly because it makes clear in its privacy policy that the personal data of customers who make purchases may be provided to retailers that appear on the site.

But Rakuten announced in 2005 that the company would stop providing customers' credit card numbers and e-mail addresses to companies after an incident came to light in which the firm was linked to the leak of a large amount of customer information.

Rakuten customers have already expressed anger toward the firm, saying the company breached its earlier promise. Some expressed fears that their personal information may end up in the wrong hands.

In May 2005, a former employee of a company that sold products on the Rakuten-ichiba site stole about 36,000 items of personal data, including credit card numbers, from Rakuten. In August, Rakuten announced it would provide companies selling items on the site with only customers' name, address, and phone number–which are needed by the companies so they can send items out. It said it would refrain from providing credit card numbers or e-mail addresses.

But sources said Rakuten has continued providing credit card numbers and e-mail addresses to companies in exceptional cases.

Rakuten, based in Shinagawa Ward, Tokyo, confirmed it has been providing the credit card numbers and e-mail addresses of customers, together with their names, addresses and phone numbers, as encoded data to the companies. Rakuten added that the personal information provided includes not only that of customers, but also of people who made inquiries about products and those who applied for giveaways.

A Rakuten spokesman said: "The companies we provide information to meet certain conditions, such as receiving 1,000 orders or more per month from customers via the site. We examine all firms before deciding who should be eligible."

However, the spokesman said Rakuten would not disclose the number of the companies it is providing customer information to or the name of the companies.

A Joshin Denki spokesman said: "We've been purchasing credit card numbers because we can save on commission if we make settlements directly with customers. We're handling the information with the utmost caution and swear we've never resold the information."

The Personal Information Protection Law stipulates that companies handling personal information should not provide the information to a third party without first obtaining consent from the person.

Rakuten's public relations office said the company had not acted improperly because the company stipulated in the privacy policy that appears on its Web site that it will provide the personal information of users to companies that provide goods and services to the users as far as the information is necessary to complete a transaction.

But the Economy, Trade and Industry Ministry's Information Economy Division said, "[Companies should] avoid handling information in a way that might mislead customers."

A 32-year-old company employee in Chiba Prefecture said an e-mail account he has only used for shopping at Rakuten-ichiba has been sent spam that included his name.

Rakuten's public relations office said: "We haven't received any reports that e-mail addresses provided to the companies have been sent to third parties. We're now investigating the reason why some users have received spam." As of Thursday, 27,500 companies had joined the Rakuten-ichiba site. The site registered combined sales of about 92 billion yen in 2008.

Masao Horibe, professor emeritus at Hitotsubashi University, said: "Even though Rakuten has placed an explanatory note [about passing on personal information] on its privacy policy statement, the company has announced in the past that it would not provide such information to companies. Therefore, this is against the spirit of the Personal Information Protection Law, which requires companies to make sufficient efforts to inform users [that their personal information may be shared]."

"Rakuten should draw up a system that would allow it to obtain agreements from customers before using their personal information, such as asking them to give their permission via the Web site," he added.

Source:  Daily Yomiuri Online