Amazon is violating its own privacy policy by allowing users to interact with its site insecurely.
What? Unless he is still bound by some Amazon NDA or something, what difference does it make if he violates the policies of someone he no longer works for?
Two wrongs do not make a right, but when you can implement a technical measure to protect your users from rogue ex-employees, you should do it. A legal contract does not prevent data loss, it merely allows you to punish the person who stole the data. SSL prevents the data loss in the first place.