Some e-commerce sites seem to be having trouble with the definition of the term “third party,” judging from a privacy service provider’s report issued this week. The report stated that Toysrus.com, Babiesrus.com, Lucy.com and Fusion.com are sharing personally identifiable customer information with application services firm Coremetrics in violation of the sites’ privacy policies.
The four sites were named in a press release from Internet privacy service provider Interhack Corp., Columbus, OH, as a result of the firm’s research project on Internet privacy, said founder Matt Curtain.
“We just want to make people aware of this and let everybody make their own decision about what is right,” Curtain said.
The incident resulted in at least two changes in privacy policies, negative media attention and a battle fought via press release between Coremetrics and Interhack.
Interhack’s release states in part, “We reveal how the Coremetrics system can build detailed dossiers of unsuspecting Web surfers that include names, physical addresses, telephone numbers, e-mail addresses and other personally identifiable information.”
In rebuttal, Coremetrics issued its own release calling Interhack’s statements “highly speculative and misleading.”
The whole incident is a case of companies engaging in good business practices being subjected to knee-jerk reactions of privacy advocates, according to Douglas J. Wood, an attorney specializing in advertising and marketing law at Hall Dickler Kent Goldstein & Wood, New York.
“Here you had a group of companies with some common interests who are looking for a third party who can help them analyze admittedly complicated information,” Wood said. “If they all separately invested $1 million and developed the technology to do it themselves, no one would have any problem with that.”
The third party in question, Coremetrics, San Francisco, is an application service provider that provides tracking and analysis services to online retailers.
“The data is still owned by the client, and we provide them with reporting on their data,” said Brett Hurt, CEO of Coremetrics. “We don’t own the data, we can’t share the data.”
Interhack checked the Web sites of all Coremetrics’ clients and named only those claiming that information is not shared with third parties, Curtain said.
“We’ve always strongly encouraged our clients to put a link to our opt-out page as well as fully disclose this information,” Hurt said. “Our clients have been in the process of posting those.”
Hurt said that Coremetrics’ clients are aware of the importance of letting customers know what happens to their personal information.
Until early last week, the four e-tailers’ privacy statements affirmed that customer data were not shared with third parties, even though Coremetrics was collecting encrypted data for analytical purposes.
Sports-related Web retailers Lucy.com and Fusion.com immediately revised their sites’ privacy policies explaining Coremetrics’ data analysis services. Both sites maintain that they never have and never will sell, rent or misuse customer information. Lucy.com also provided a link to Coremetrics’ opt-out page.
At press time, Toys “R” Us had yet to change its privacy policies for its Toysrus.com and Babiesrus.com e-tail sites.
The Lucy.com and Fusion.com sites bear the TRUSTe trustmark. TRUSTe, San Jose, CA, is a privacy group that issues seals to Web sites committed to customer privacy.
The group is looking into the situation to determine whether the sites have violated their contracts with TRUSTe, said Dave Steer, spokesman at TRUSTe. Any changes made to privacy statements must be approved by the organization, he added.
One way around the third-party issue is for online retailers to perform data analysis inhouse.
“Some of the unintended consequences and limitations of the application service provider model, where you’re outsourcing an application elsewhere, are really coming to the fore,” said Matt Cutler, chief e-business intelligence officer and co-founder, NetGenesis, Cambridge, MA.
NetGenesis provides a software solution that allows companies to analyze data without the information leaving the organization, Cutler said.
“The general privacy debate increasingly falls less around the collection of data, though there are issues with that, and more around the transmittal of data and notification thereof,” Cutler said.
