2013-07-08



Checkout? No, data grab.

I was in Meijer the other day to do my weekly grocery shopping. Meijer is a Michigan-based big-box retailer, whose stores were the country’s first supercenters. For those who have not been to a Meijer, therefore, it is similar in concept to Arkansas-based Wal-Mart or Minnesota-based Target. The cashier saw me glancing at a brochure at the checkout and volunteered information about their mPerks program (mperks.meijer.com).

This is the newest way to use coupons. No longer does the consumer have to go through the laborious process of clipping them; simply bring in your cell phone and redeem them. Sounds great, doesn’t it? All the convenience modern technology has to offer. And though that was one piece of information the cashier did not volunteer, all the surveillance.

If , as Supreme Court Justice Louis Brandeis asserted in 1928, people have “the right to be let alone” (Everett-Church, 2009), consumers should question the degree to which retailers agree with him; they should be thinking very carefully about what rights they might be surrendering when they enter a retailer’s brick and mortar establishment, use its mobile applications like mPerks, or visit that chain’s website.

Retailers stress customer service: Sears, in its mission statement, speaks of trust (Sears mission statement, n.d.); Walmart speaks of saving their customers money and making their lives better (Walmart mission statement, n.d.); and Target speaks of “exceptional guest experiences” (Target mission statement, n.d.). Meijer stresses “core values” which begin with customers “meeting their needs and exceeding their expectations” (Meijer Core Values, n.d.). One wonders how many customers have the expectation of being surveilled?

Consumers are becoming increasingly aware of the degree to which their private information has become a commodity; they would not be wrong to assume that retailers feel the one right consumers absolutely do not have once inside a store or on a website, is the right to be “let alone.”

Consumers might think their buying habits were their own affair as well: Who’s business is it but theirs what they buy, and where? (Kabay & Takacs, 2009). But profiling is not just for criminals, and most consumers likely fail to realize that retailers engage in widespread profiling of their customers (Kabay & Takacs, 2009).

Privacy laws agree with Justice Brandeis and assert that people have some control over information about ourselves (Judy et al, 2009) but we live in the Information Age and information is an increasingly valuable commodity. One business writer used another name for our era: “the era of Big Data” (Matthews, 2012). It is hardly surprising then that consumers find themselves part of a big box “data grab” (Hill, 2012).

Add to this competitive and technologically enhanced environment that in the United States the private sector has generally regulated itself (Judy et al, 2009), and you have a recipe for disaster: Whatever nice things a company’s mission statement might say about customers it must be remembered that corporate entities answers solely to stockholders who want to make a profit.

In their 2010 report, the Federal Trade Commission (2010), found that some companies use consumer information in an “irresponsible or even reckless manner” (p. i). The result is that the old Roman expression, caveat emptor (“let the buyer beware”) has more relevance than ever.

The Data Grab and its Consequences: Gathering Data from Brick and Mortar Stores

The moment they walk into a Walmart or a Meijer store, customers are greeted. And shopping is likely to become more intrusive, not less. Every shopper is likely aware of price scanners and even phones that can be picked up by a customer to request assistance in a department, but retailers are always seeking to be more proactive in their approach.

It was reported last year that a newly developed software from the Netherlands will give retailers the ability to use cameras that recognize a shopper’s behavior in a store. Customers who look like they need help will be singled out for approach by a retail associate (Ingersoll, 2012). Meijer reassuringly promises customers that it “will not link security camera information to other information we’ve collected unless there is a security need” (Meijer privacy policy, 2010).

But being observed in a store by greeters, targeted for help by behavioral software, or tracked by ceiling-mounted security cameras (which could utilize facial recognition software), is only the tip of the surveillance iceberg. None of the big box retailers detailed in this report (Meijer, Walmart, Target, and Sears) admit to using facial recognition or behavioral software (a form of biometric identification) but Target, in contrast to Meijer, alerts consumers that they do “use in-store cameras, primarily for security purposes, and also for operational purposes, such as measuring traffic patterns and tracking in-stock levels” (Target privacy policy, 2013), though Walmart was sued in 2009 for putting a surveillance camera in a unisex bathroom used by both employees and customers (Zetter, 2009).

Yet stock levels could as easily be tracked at the POS (point of sale) level of store operations, and would impact consumer privacy less. Walmart, like Meijer, goes a step farther than Target, promising that their cameras will not be used to establish the identity of a customer (Walmart privacy policy, 2012) but such concerns are real.

The Federal Trade Commission (FTC) sought public feedback on the subject of facial recognition software as far back as 2011 (Federal Trade Commission, 2011) and a letter from several members of congress to the FTC in January 2012, expressed concerns that some companies were already employing it unbeknownst to consumers (Barton et al, 2012).

In their report, the Federal Trade Commission (2012) concluded that while the potential for abuse is very real, the relative newness of the technology offers the opportunity to ensure that as the industry grows it does so in a way that benefits both business and consumer (p. 21).

As it happens, consumers surrender a great deal of privacy when they do business with any retailer. Walmart, for example, reveals that they gather data from sales transactions, customer service transactions (exchanges and returns), from visitors to their websites by way of cookies and information gathered from devices and from video cameras mounted in their stores (Walmart privacy policy, 2012). Meijer informs customers that they gather information “on this website and through our various promotional programs including, but not limited to, mPerks, text alerts, voice messaging alerts, email messaging couponing, and postal mailers (“Promotional Programs”) (Meijer privacy policy, 2010).

Some retailers now routinely ask customers for their zip codes when they make a purchase. With mPerks you must enter your telephone number to use your virtual coupons. While a zip code is no doubt helpful information for a retailer and no great threat to a consumer, it still represents a degree of intrusion. Some customers decline to volunteer even this much information.

Consumers have to expect to give out more or less personal information depending on what they are buying. If they are purchasing alcohol, for example, they will be required by law to provide proof of age in the form of a valid ID or drivers license. The same might apply to certain pharmacy transactions (e.g. pseudoephedrine), or when purchasing a hunting or fishing license.

Gathering Data from Mobile Apps

Use of mobile devices only serves to expose consumers to more information gathering, not less, and retailers are helpful in providing Wi-Fi for “savvy” (or unwary?) customers (Albright, 2011). Mobile apps like mPerks are a special concern and their use has prompted calls for federal regulation (Johnson, 2013).

Walmart’s mobile applications automatically collect data about the consumer’s device, and if they use it search for a store, their location (Walmart privacy policy, 2012). But that is a rather basic usage of a mobile app compared to what both Walmart and Target are now doing.

These retailers’ apps can now tell customers where to find what they are looking for, down to the aisle number; they can also potentially tell the retailer where the customer is (Yu, 2012). Walmart’s mobile and digital head calls this bringing the online store to the store, a tactic not to be despised because about 1 in 5 sales are lost due to the inability of the shopper to find the item they’re searching for (Yu, 2012).

These apps may allow consumers to shop more efficiently in a brick and mortar environment, but they also allow the retailer to track the consumer much more efficiently. Just as consumers value the commodities provided by retailers, retailers value the commodity provided by consumers: information (Himma, 2006).

Gathering Data from Websites

As a society, we have not yet arrived at the point portrayed in Steven Spielberg’s 2002 film Minority Report where, upon walking into a retailer, big billboards greet consumers by name and in a voice impossible to ignore tells them what they need to buy next, but thanks to facial recognition software, a family walking into a car dealer, for example, could see monitors suddenly flash ads for minivans (Plant, 2012). The underlying technology exists already in the form of online behavioral (OBA) or interest-based advertising (IBA) (Federal Trade Commission, 2009; Understanding online advertising, n.d.).

This predictive technology allows retailers to populate their websites (or in-store monitors) with customer-specific, or targeted ads; in other words, ads for products tailored to their interest based on data previously gathered about their likes and buying habits (Understanding online advertising, n.d.).

The online data gathered comes from what are known as cookies, and among that disturbing quantity of data is knowledge of the consumer’s whereabouts. It is not without reason that in 2009 the FTC published a staff report to address privacy concerns with regards this new technology (Federal Trade Commission, 2009).

Meijer (Meijer privacy policy, 2010), Walmart (Walmart privacy policy, 2012), Target (Target privacy policy, 2013), and Sears (Sears privacy policy, 2012), will learn, through employment of cookies, which browser a consumer is using, the operating system their computer uses, their Internet Protocol address, or IP address (which tells retailers roughly where they are located), and even the address of the referring website (Walmart privacy policy, 2012).

A cookie is a small text file that, having been placed on a hard drive, marks you as you, functions as a “weak form of authentication”(Ghosh, Baumgarten, Hadley, & Lovaas, 2009). A cookie may sound harmless (it is certainly made to sound harmless) but what consumers are doing by allowing cookies is giving somebody else the right to store something on their property (e.g. hard drive), and not only that, but something that will identify their computer (and them personally) if they visit the retailer’s website again (Judy, David, Hayes, Ritter, & Rotenberg, 2009). Because cookies impact privacy rights and utilize the website user’s rights to physical objects (e.g. their own hard drives), cookies are ethically problematic (Himma, 2006).

Meijer (Meijer privacy policy, 2010), Walmart (Walmart privacy policy, 2012), Target (Target privacy policy, 2013), and Sears (Sears privacy policy, 2012), all also employ web beacons (also known as ‘web bugs’ or ‘pixel tags’), which are small (1×1 gif) graphics files placed on a website (Everett-Church, 2006). These are intentionally invisible to the naked eye (Everett-Church, 2006) and their purpose is to recognize cookies (Judy et al, 2009).

Beacons allow companies to track “exact Internet usage and surfing patterns” (Judy et al, 2009, p. 69-15) and since they can be present even in advertisements, these big box retailers will know if a consumer visited other websites that have, for example, Walmart ads present.

Walmart informs its customers that beacons tell them when a webpage is accessed, when an email is opened and gives them information about the overall effectiveness of their websites (Walmart privacy policy, 2012), but it also tells Walmart (and other retailers using this technology) where the consumer has been before visiting Walmart, information a consumer might say is none of their business. Meijer says “the information we collect helps us better manage the Site, provides ease of use of the Site for you, and provides more effective marketing to you” (Meijer privacy policy, 2010), but it does more than that. And it is not only these retailers collecting consumer data by these means but their third-party service providers.

It is reasonable to assume that most people would probably decline having Walmart place a tracking device of plastic or metal on their person (for the record, there is no evidence Walmart does this), and they should at least be aware of what they are surrendering when they submit to placement of a tracking device composed of data. Privacy threats are a genuine concern, both for corporations and consumers and questions of “how much is enough?” are more relevant than ever.

Consumers do not give up their rights when they walk into a store or visit a website and corporations should take care that they do not make the assumption, pointed to by Himma (2006), that website visitors who do not refuse cookies consent to them. As Himma argued, giving a robber money as the alternative to being shot does not imply consent to give the robber money (Himma, 2006).

By the same token, consumers are not consenting to the gathering and use of their private information by walking through the doors of a brick and mortar retailer, whatever Target might claim to the contrary in its privacy policy (2013): “By interacting with Target, you consent to our use of information that is collected or submitted as described in this privacy policy”(Target privacy policy revisions, para. 1) Meijer likewise states ((Meijer privacy policy, 2010), that “by using our Site or participating in mPerks, or our email messaging, text alerts, or voice messaging alerts programs, you consent to Meijer’s collection and use of your personal information as set forth in this privacy policy.”

If you don’t agree, they say, don’t shop at Meijer. It’s as simple as that. What was all that great stuff they said about customers in their core values again?

The bottom line is that consumers should enjoy a reasonable expectation that their private information remains their property unless and until they consent to give it to, or share it with, another.

A Question of Consent

Unfortunately for retailers, what they might be (and are) doing to siphon more information from consumers is bigger news than the steps they might be (and are) taking to safeguard that information. For example, Business Insider marked New Year 2013 with a piece entitled “12 sneaky ways that big retailers track your every move” (Lutz & McConnell, 2013) and it hardly speaks well of retailers that the Harvard Business Review a year earlier could speak of retailers “fighting” customers’ anonymity (Plant, 2012).

Consumers want their anonymity intact and protected, not fought. The Harvard Business Review cites the example given above of a family presented with minivan ads as a form of “soft surveillance” but retailers need to understand that consumers might see it not as soft but as underhanded, and indeed, retail executives are warned that they need to know “how invasive the company can be” in a particular location, and how such efforts might “affect its relationship with customers” (Plant 2012).

Companies should be aware that the question “how invasive can we be?” is less conducive to good relations with consumers than “how protective of our customers rights can we be?” In this vein, it is worth noting that the Sears privacy policy mentions the word “consent” only once, with regards to information collected about children (Sears privacy policy, 2012), while in Walmart’s policy the word appears a dozen times (Walmart privacy policy, 2012). Target also mentions consent just once, only to inform visitors that by interacting with Target they have given their consent (Target privacy policy, 2013).

Recommendations for a Better Consumer Environment

Posting privacy policies is only a necessary first step. When visiting the websites of Sears, Walmart, or Target, a consumer will find no prominent link indicating where these policies are to be found. Nor will a customer find any reference to their privacy rights posted at the entrances of any of these stores. The Sears privacy policy (Sears Privacy Policy, 2012) fails to make even a mention of their brick and mortar locations and what information might be gathered there, or how it might be used.

Consumers want to know and retailers ought to be more forthcoming about data gathering. Transparency is at least as valuable a commodity in post-Bush America as information and a display of open-handedness is more likely to attract customers than drive them away. The FTC’s 2010 staff report urges companies to address transparency concerns, stressing the importance of detailing changes to privacy policies rather than simply updating them (Federal Trade Commission, 2010).

The concept of consent has not gone unnoticed: Consumer education was another recommendation advanced by the FTC, in order to inform consumers not only what information is collected and how it is used, but informing them as to their available choices (Federal Trade Commission, 2010). Walmart (Walmart privacy policy, 2010) and Target (Target privacy policy, 2013) relegate the topic of choice to fourth place in their list of headings while Sears barely discusses it at all (Sears privacy policy, 2012).

Privacy policies should be shorter, more concise, and follow a standardized format, making consumer comparisons easier (Federal Trade Commission, 2010). By way of comparison, the privacy policies of the four corporations examined in this article take up many pages and though they discuss many of the same topics (information collected, how it is used, shared, etc) they do not follow the same format (Sears privacy policy, 2012; Target privacy policy, 2013; Walmart privacy policy, 2012; Meijer privacy policy, 2010).

Retailers would do well to begin their privacy policies with a solemn guarantee of what they will not do to infringe upon the privacy rights of consumers, rather than with a discussion of what information will be collected. Consumers want to know, for example, that they will not be followed by “trackers” who will follow them as they shop, be subject to use of facial recognition software, or to use mobile apps to track their movement through stores and malls (Lutz & McConnell, 2013). The same concerns apply to browsing history.

Many of these technologies are not discussed in the existing privacy policies of Meijer, Walmart, Target, and Sears. But failure to address them is no assurance that they are not currently being, or will not in the future, be employed. A clear-cut, unequivocal rejection will serve better than silence; consumers know these technologies are out there and so they should be discussed. Each concern should be addressed in detail, removing the need for uncertainty and fear at the outset.

Sears ran afoul of the FTC in 2009 when it was found to have provided insufficient information in a disclosure to consumers voluntarily participating in a study (Yan, 2010). It is with good reason that Part IV of the FTC’s 2009 staff letter provided principles for self-regulation (Federal Trade Commission, 2009). The FTC’s first point related to the need for transparency and called for not only a clear statement of intent by retailers but an opportunity for consumers to not simply opt out of OBA but to decide whether they wish to participate in the first place (Federal Trade Commission, 2009). It should not be assumed that failure to say “no” represents consent.

The FTC also decreed that retailers, before they employ previously collected data, obtain new consent when policy changes might put the information to uses different than originally agreed to (Federal Trade Commission, 2009). Sears may or may not have learned from their previous troubles: the current Sears privacy policy (2012) informs consumers that “Your continued use of this Site after we post a revised Privacy Policy signifies your acceptance of the revised Privacy Policy” (Will I Receive Notice of Changes to the Privacy Policy?, para. 1), which does not seem to meet the FTC’s demand for “affirmative express consent” (Federal Trade Commission, 2009) according to Himma’s definition of consent (Himma, 2006).

Mobile apps could also be made more consumer friendly and less privacy intrusive. The Federal Trade Commission (2013) observed that operating system providers currently offer app developers “substantial amounts” of user data (pp. i-ii). The FTC recommended that users be given the opportunity to grant their affirmative express consent and to have knowledge of the types of data apps they have downloaded access. It was also recommended that apps have a Do Not Track (DNT) mechanism, which would allow users to prevent tracking by, say, Walmart or their third party affiliates (Federal Trade Commission, 2013).

The FTC urged expeditious adaption of their recommendations (Federal Trade Commission, 2013). For our purposes here, this also means that if they are not now engaging in such tracking, all three companies examined, Walmart, Sears, and Target, should assure consumers via their privacy policies of that fact and make a full disclosure of their mobile apps’ capabilities.

Retailers will benefit from actively cultivating trust more than by simply promising it and the FTC’s repeated calls for transparency are well-noted. There are certainly consumers who will consent to share information when it is asked for if there are benefits to doing so (Kooser, n.d.). Customer loyalty programs like Meijer’s mPerks demonstrate this: In exchange for discounts and special offers, a retailer gains useful insight into a consumer’s buying habits. Requesting, rather than requiring, consumers to share data would provide retailers with useful information about consumers while reducing privacy concerns and the risk of lawsuits and/or regulatory penalties.

In the end, it all comes down to the consumer and what the consumer is willing to tolerate in terms of intrusion into their privacy. But first the consumer must be aware of the existence and then the extent of this intrusion. Only then will informed choices be possible, and only then can retailers be informed by the people they claim to serve, what will and will not be tolerated in a free and open society.

References

Albright, M. (2011, January 11). Retailers seek to enhance shopping experience through gadgets. Tampa Bay Times. Retrieved from http://www.tampabay.com/news/business/retail/retailers-seek-to-enhance-shopping-experience-through-gadgets/1144841

Barton, J., Farenthold, B., Grijalva, R., Burgess, M., Markey, E., & Chabot, S. (2012, January 31). United States Congress. Letter to the Federal Trade Commission. Retrieved from http://markey.house.gov/sites/markey.house.gov/files/documents/2012_0131%20Letter%20to%20Jon%20Leibowitz.pdf

Everett-Church, R. (2006). Privacy law and the Internet. In H. Bidgoli (Ed.), Handbook of information security, volume 2. New York, NY: John Wiley & Sons.

Federal Trade Commission. (2009). FTC Staff Report: Self-regulatory principles for online behavioral advertising. Retrieved from http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf

Federal Trade Commission. (2010). FTC Staff Report: Protecting consumer privacy in an era of rapid change. Retrieved from http://www.ftc.gov/os/2010/12/101201privacyreport

Federal Trade Commission. (2011, December 23). FTC Seeks Public Comments on Facial Recognition Technology. Retrieved from http://ftc.gov/opa/2011/12/facefacts.shtm

Federal Trade Commission. (2012). FTC Staff Report: Facing facts: Best practices for common uses of facial recognition technologies. Retrieved from http://www.ftc.gov/os/2012/10/121022facialtechrpt.pdf

Federal Trade Commission. (2013). FTC Staff Report: Mobile privacy disclosures: Building trust through transparency. Retrieved from http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf

Ghosh, A.K., Baumgarten, K., Hadley, J. & Lovaas, S. (2009). Web-based vulnerabilities. In Bosworth, et al., (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Hill, K. (2012, February 16). How Target figured out a teen girl was pregnant before her father did. Forbes Magazine. Retrieved from http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

Himma, K.E. (2006). Legal, social and ethical issues of the Internet. In H. Bidgoli (Ed.), Handbook of information security, volume 2. New York, NY: John Wiley & Sons.

Ingersoll, G. (2012, October 22). Retailers may start targeting customers with new surveillance technology. Business Insider. Retrieved from http://www.businessinsider.com/new-surveillance-tech-analyzes-shopper-behavior-to-improve-customer-service-2012-10

Johnson, J.A. (2013). Retailers can protect themselves by protecting consumer privacy. Retail Law Strategist, 13(1), 1-4.

Judy, H.L., David, S.L., Hayes, B.S., Ritter, J.B., & Rotenberg, M. (2009). Privacy in cyberspace: U.S. and European perspectives. In Bosworth, et al., (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Kabay, M.E., Takacs, N. (2009). E-mail and internet use policies. In Bosworth, et al., (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

Kooser, A. (n.d.). About the ethical & practical aspects of using customer loyalty cards. The Houston Chronicle.

Retrieved from http://smallbusiness.chron.com/ethical-practical-aspects-using-customer-loyalty-cards-3287.html

Matthews, C. (2012, August 31). Future of retail: How companies can employ big data to create a better shopping experience. Time Magazine. Retrieved from http://business.time.com/2012/08/31/future-of-retail-how-companies-can-employ-big-data-to-create-a-better-shopping-experience/

Meijer core values (n.d.). Meijer.com. Retrieved from http://www.meijer.com/content/corporate.jsp?pageName=our_values

Meijer privacy policy (2010). Meijer.com. Retrieved from http://www.meijer.com/Privacy___Security.cms

Plant, R. (2012, August 28). Retailers turn to ‘soft surveillance’ to fight customer anonymity. Harvard Business Review. Retrieved from http://blogs.hbr.org/cs/2012/08/retailers_turn_to_soft_surveil.html

Sears mission statement. (n.d.). About.com. Retrieved from http://retailindustry.about.com/od/retailbestpractices/ig/Company-Mission-Statements/Sears-Holdings-Mission-Statement.htm

Sears privacy policy. (2012, August 23). Sears.com. Retrieved from http://www.sears.com/csprivacy/nb-100000000022508

Target mission statement. (n.d.). Target.com. Retrieved from https://corporate.target.com/about/mission-values

Target privacy policy. (2013). Target.com. Retrieved from http://www.target.com/spot/privacy-policy#InfoCollected

Understanding online advertising. (n.d.). NetworkAdvertising.org. Retrieved from http://www.networkadvertising.org/understanding-online-advertising

Yan, F. (2010). The death of the privacy policy?: Effective privacy disclosures after in re Sears. Berkeley Technology Law Journal, 25(1), 671-700.

Yu, R. (2012, August 28). Retailers introduce indoor navigation in apps. USA Today. Retrieved from http://usatoday30.usatoday.com/tech/news/story/2012-08-27/big-retailer-mobile-apps/57381210/1

Walmart mission statement. (n.d.). About.com. Retrieved from http://retailindustry.about.com/od/retailbestpractices/ig/Company-Mission-Statements/Wal-Mart-Mission-Statement.htm

Walmart privacy policy. (2012, April 26). WalMart.com. Retrieved from http://corporate.walmart.com/privacy-security/walmart-privacy-policy

Zetter, K. (2009, December 28). Walmart sued over surveillance camera in bathroom. Wired.com. Retrieved from http://www.wired.com/threatlevel/2009/12/walmart-sued/

Image from JSOnline

[Updated 7.8.2013 9:51 am to correct Arkansas rather than Georgia as Walmart's home base]

Big Box Retailers Grab Big Data – What You Need to Know When You Shop was written by Hrafnkell Haraldsson for PoliticusUSA.

© PoliticusUSA, Jul. 8th, 2013 — All Rights Reserved

Show more