What if your refrigerator knew too much?

More specifically, what if the company that made your refrigerator knew too much, automatically sucking in data about food purchases you make?

And what if that company, in a move originally designed to foster commerce, passed along that information to a business partner—say, an online grocery supplier—which concluded by the amount of beer you were chilling that you have a drinking problem?

Such data-mining techniques are beginning to generate privacy concerns, as technology that collects and analyzes information not only proliferates but becomes capable of revealing a larger picture.

The potential for such a privacy problem is causing some companies to reassess their businesses. For instance, buyers of new homes in the planned community of Playa Vista in South- ern California were supposed to get Whirlpool refrigerators that would allow them to surf the Web. No longer. Whirlpool now has postponed plans—announced in 1999—to release a set of appliances that can be controlled over the Internet.

True, part of the reason is that the broadband connection the appliances require is still not widely available, says Whirlpool spokesman Tom Kline. Plus, Whirlpool is concerned about the energy required to fire up their new models, as consumption is a big issue in California. But also driving the decision to postpone is a concern for privacy: What if an outsider breaks into your network and downloads your meal plans? What if he or she turns on your oven?

"It's fine to be able to turn on your oven from the office, but you don't want somebody else doing it," Kline says.

Whirlpool, along with IBM, instead will pursue pilot tests that will attempt to resolve security and privacy issues. These same data-mining techniques that would allow the FBI and the CIA to track terrorists also enable someone to surmise that you, the owner of the Whirlpool refrigerator with the large supply of beer, are an alcoholic.

"There's a big fear of somebody trying to put all this data together," says Mike Gotta, senior vice president of Meta Group, an industry analyst firm. "There's concern about the potential to do harm."

Even companies that mine data to improve customer service can easily blunder if they haven't thought through all the ways the data can be reused. Companies that allow others to handle key functions such as direct e-mail are on particularly dangerous ground, as they may inadvertently hand over sensitive customer data to a partner with different privacy policies and technical capabilities.

After the drugmaker Eli Lilly & Co. last year accidentally disclosed the e-mail addresses of more than 600 people taking the anti-depressant Prozac—resulting in an investigation by, and subsequent settlement with, the Federal Trade Commission—Gotta says the Meta Group received a flurry of calls from panicked businesses.

"I had one pharmaceutical company—a highly distributed global organization with hundreds of Web sites," Gotta says. "They didn't know which Web sites were up or what data they were collecting. Some clever programmer had put on a form to ask for customers' Social Security numbers, but he didn't know why. It just seemed like a good idea. These are the subtle things'' that must be addressed.

Scores of privacy bills are in the pipeline in Congress and state legislatures. States and even counties have passed legislation, creating predicaments for companies that already are grappling with disparate regulations set by foreign governments. In September, Wells Fargo Bank and the Bank of America sued Daly City and San Mateo County in California for requiring banks to get explicit permission from customers before sharing information, laws that are more restrictive than the National Bank Act.

One federal bill, the Consumer Privacy Protection Act of 2002, would preempt state and local laws. So far, though, the bill is less stringent in other areas. It would not give customers the right to sue for violations or require companies to disclose to customers exactly what they are collecting or to whom it is given.

Many businesses oppose full disclosure because it is expensive. Unfortunately for businesses, the dearth of privacy laws means that public perception may well slow adoption of any Internet-connected product. The public often assumes the worst.