Also, your "lawyers" are wrong in this case, as you are violating U.S Consumer protection laws under the database privacy section of FTC Online Merchant laws. If you gather information from a customer, you are not allowed to release that information in any form to anyone, except registered business offiliates and for advertising purposes, with proper identification shields. If you are hosting outside of the U.S, it may not necessarily be illegal, however it is in incredibly poor taste.
While I don't agree with the release of customer information in the manner of the OP, can you provide a link to an authoritative source for the laws you cite? I ask because I don't believe your characterization of the law is correct, at least on a federal level, in the United States, with regard to non-financial information.