If you buy a defective product and something goes wrong, it's usually the manufacturer of the product -- not the hapless user -- who faces legal liability.

But when it comes to email spam, the message from New York's intrepid Attorney General Eliot Spitzer is clear: Knowingly buy a crappy email list and you could be in big trouble!

Last month, Spitzer announced the settlement of a lawsuit against Datran Media, an email and Internet marketing company. Datran had been charged with unfair and deceptive trade practices for sending email advertisements to recipients whose email addresses had been bought, in violation of a privacy policy, from another firm called Gratis Internet.

Gratis Internet, which operates a number of websites where it collects email addresses by offering to give away iPods and other goodies, had a privacy policy that promised plainly that it would never sell or rent the email addresses that it collected. It then, according to Attorney General Spitzer, proceeded to sell or rent the email addresses it collected.

Predictably, Datran defended itself by saying that it had no way of knowing that the email addresses it bought from Gratis were the product of any misdeeds of Gratis, and that it shouldn't be held accountable for any of its vendors' crimes. But Spitzer argues that if Datran had made even a cursory inquiry into the source of the email addresses, the problem would have been apparent.

In fact, according to Spitzer, his office's investigation "revealed that Datran knew of Gratis' promise to consumers when it purchased the consumer lists. But after obtaining these lists, Datran sent millions of unsolicited emails to the listed consumers."

Thus, Datran settled the case, paid $1.1 million in penalties, agreed to destroy the email lists, and -- in a provision near and dear to my heart -- agreed to hire a chief privacy officer to oversee the company's future behavior.

Being held accountable for buying illegally obtained material is neither a new concept, nor should its application to this scenario be considered surprising. People have been prosecuted for receiving stolen goods for decades.

Most people with IQs higher than houseplants know that if somebody is selling a real Rolex wristwatch on a street corner for $50, the watch is so 'hot' it would burn a hole through your wrist.

I have no doubt that if Gratis employees or executives had gone out of their way to be more stealthy in disguising the nature of the company's data gathering practices, or if Datran had a more credible claim to having been hoodwinked, the story for Datran would be very different.

So if you can get pinched for buying goods that 'fell off the back of the truck', why not face liability for receiving data that you knew, or had reason to know, was obtained through improper means?

That is the core of Spitzer's case against Datran, and it is the $1.1 million lesson that Datran learned.

But how does a business know if the database of email addresses that it's buying is 'hot' or otherwise legally suspect? The answer is simple: due diligence.

One of the roles of a privacy officer is to look askance at every deal and, in an updated version of Deep Throat's exhortation to Watergate sleuths Woodward and Bernstein, to "follow the data."

In the case of Datran's purchase of lists from Gratis, the entire investigation could have been conducted during the first meeting between the salesperson from Gratis and the buyers at Datran.

It would have consisted of three simple steps:

  • Step One: Ask Gratis salespeople where they get their email addresses. The answer? They collect them at sites like FreeiPods.com.
  • Step Two: Look at that web page and read what the privacy policy says about the data collected at the site. The result, according to Spitzer: "We will never give out, sell or lend your name or information to anyone." (It should be noted that Gratis has since revised its privacy policy to remove any claims about not selling data.)
  • Step Three: Throw the salespeople out of the office, making sure the door doesn't hit them in the keister on the way out.

If there's one thing I've learned over the last decade of dealing with spam and email marketing issues, it's that there are a lot of sleazebags in the industry. But the problem is that it can be hard to tell who the sleaziest players are without doing a little research.

Fortunately, there are amazingly detailed resources on the Internet, including the Registry of Known Spam Operations (ROKSO) list operated by SpamHaus.org, that make it easy to peer into the past behavior of email marketers.

And when you're as brazen as Gratis is accused of being, the investigation need go no farther than a few clicks on the company's web page.

While some in the database marketing industry may be appalled to learn that people like Spitzer expect them to act like responsible fiduciaries for their company and do basic due diligence, none of this should come as a surprise. Indeed, smart privacy officers have been doing due diligence on email marketers, mailing lists, and service providers for years.

Sniffing out suspicious email list practices is just one of the many critical functions served by privacy officers -- and one of the many areas of potential disaster that you can look forward to if your company is foolish enough to venture into these waters without a privacy officer on the command deck.