Sears reacts to privacy issues

Sears Holdings Corpo­ration’s handling of customers’ privacy is under fire, with pri­vacy advocates crying foul and one customer filing a lawsuit.

In one example, the nonprofit group StopBadware last week accused Sears of inadequately disclosing the tracking and data collection software that’s used on the Web site My SHC Com­munity. However, Sears insists that it works hard to describe the tracking aspect to those members asked to participate at this level.

“Becoming a tracked mem­ber of My SHC Community is by invitation only,” said Sears spokesman Chris Brathwaite via e-mail, adding that invitations are generated randomly and kept to a minimum by design. “My SHC Community goes to great lengths to describe the tracking aspect for those mem­bers who receive an invitation.”

Around the same time as allegations were brought against its loyalty community, one of the users of Sears’ ManageMyHome Web site brought a lawsuit against the retailer, alleging that anyone could easily find a customer’s pur­chase history. The lawsuit gained immediate and widespread media coverage, and this ability has since been turned off by Sears.

Brathwaite explained that when users sign up for My SHC Community, the company in­cludes clear notice on the invi­tation, on the first signup page and in a welcome e-mail that is sent to anyone who becomes a member. My SHC Community is an online community that asks members to provide feed­back on offers and their experi­ences so that Sears can build a better shopping experience. In exchange for participating in the community, members have access to free planning and budgeting tools, special forums to express their views and will receive exclusive offers and promo­tions. Members are also eligible to win cash and merchandise via sweepstakes.

StopBadware contends that the prob­lem with the Sears application is that it does not identify itself while running. In addition, the only mention of the soft­ware’s functionality, outside of the pri­vacy policy and user license agreement prior to installation, is one sentence of a six-paragraph introduction to the com­munity, which does not make clear it in­cludes sending personal data to Sears.

With regard to the allegations that ManageMyHome fails to secure private customer information, Brathwaite said: “We take our customers’ privacy very seriously.”

This is why Sears turned off the abil­ity to view a customer’s purchase history on the Web site until it can implement a validation process that will restrict access by unauthorized third parties.

The purchase history functionality was added, Brathwaite said, to provide customers with easy access to useful information about products they have purchased from Sears. This type of in­formation is helpful for working with the tools and information available on the site, which is intended as a home management tool.

The close timing of these two problems “raises the issue of whether or not there is an understanding at the higher levels of Sears of what privacy means today,” said Barry Parr, media analyst at Jupiter Research. “These are the kind of practices you would expect from a com­pany 10 years ago. At this stage of the Internet, they feel like rookie mistakes.”

Jacqueline Klosek, an attorney with Goodwin Procter LLP who specializes in data security and privacy issues, agreed. “These two events happening so close to­gether would, in my view, call for internal auditing,” she said. The question that needs to be investigated is if Sears’ privacy mes­sage is being adequately communicated to all within the company, she cautioned.

Since there is no federal law regulating spyware, it is going to be hard to prove what exactly, if anything, Sears did wrong in the My SHC case. However, the issue will continue to be debated by consumers and the media because, Klosek said, “this is something that consumers can relate to — something being downloaded onto their computer that they didn’t know about.”

There are many smaller companies that make similar software available on their Web sites. Spyware-related lawsuits do occur quite frequently, Klosek con­tinued, since there are several states that regulate this area. In addition, the Federal Trade Commission has said there doesn’t need to be a specific law against spyware, because its general prohibition on unfair and deceptive trade practices covers it.

Data breaches on the Internet, Klosek said, is “something that we’ve been see­ing a lot of in the past few years.” She added, “I feel there is a need for the fed­eral government to be involved” in the regulation of the issue.

Currently, many states have their own statutes regarding data breaches. As a result, when a large company operating across states line has a data breach, it has to go through the laws for all of the states and figure out its burden for each. “This can be a real burden for companies oper­ating across states,” Klosek said.

However, the worst consequence of these cases is often the loss of consumer trust, Klosek concludes.

“When consumers have come to a site and made a purchase with trust, they have little forgiveness” when a company hasn’t protected their data, she said.

Related Posts