Sears Holdings Corporation’s handling of customers’ privacy is under fire, with privacy advocates crying foul and one customer filing a lawsuit.
In one example, the nonprofit group StopBadware last week accused Sears of inadequately disclosing the tracking and data collection software that’s used on the Web site My SHC Community. However, Sears insists that it works hard to describe the tracking aspect to those members asked to participate at this level.
“Becoming a tracked member of My SHC Community is by invitation only,” said Sears spokesman Chris Brathwaite via e-mail, adding that invitations are generated randomly and kept to a minimum by design. “My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation.”
Around the same time as allegations were brought against its loyalty community, one of the users of Sears’ ManageMyHome Web site brought a lawsuit against the retailer, alleging that anyone could easily find a customer’s purchase history. The lawsuit gained immediate and widespread media coverage, and this ability has since been turned off by Sears.
Brathwaite explained that when users sign up for My SHC Community, the company includes clear notice on the invitation, on the first signup page and in a welcome e-mail that is sent to anyone who becomes a member. My SHC Community is an online community that asks members to provide feedback on offers and their experiences so that Sears can build a better shopping experience. In exchange for participating in the community, members have access to free planning and budgeting tools and special forums to express their views, and will receive exclusive offers and promotions. Members are also eligible to win cash and merchandise via sweepstakes.
With regard to the allegations that ManageMyHome fails to secure private customer information, Brathwaite said: “We take our customers’ privacy very seriously.”
This is why Sears turned off the ability to view a customer’s purchase history on the Web site until it can implement a validation process that will restrict access by unauthorized third parties.
The purchase history functionality was added, Brathwaite said, to provide customers with easy access to useful information about products they have purchased from Sears. This type of information is helpful for working with the tools and information available on the site, which is intended as a home management tool.
The close timing of these two problems “raises the issue of whether or not there is an understanding at the higher levels of Sears of what privacy means today,” said Barry Parr, media analyst at Jupiter Research. “These are the kind of practices you would expect from a company 10 years ago. At this stage of the Internet, they feel like rookie mistakes.”
Jacqueline Klosek, an attorney with Goodwin Procter LLP who specializes in data security and privacy issues, agreed. “These two events happening so close together would, in my view, call for internal auditing,” she said. The question that needs to be investigated is whether Sears’ privacy message is being adequately communicated to all within the company, she cautioned.
Since there is no federal law regulating spyware, it is going to be hard to prove what exactly, if anything, Sears did wrong in the My SHC case. However, the issue will continue to be debated by consumers and the media because, Klosek said, “this is something that consumers can relate to — something being downloaded onto their computer that they didn’t know about.”
There are many smaller companies that make similar software available on their Web sites. Spyware-related lawsuits do occur quite frequently, Klosek continued, since there are several states that regulate this area. In addition, the Federal Trade Commission has said there doesn’t need to be a specific law against spyware, because its general prohibition on unfair and deceptive trade practices covers it.
Data breaches on the Internet, Klosek said, are “something that we’ve been seeing a lot of in the past few years.” She added, “I feel there is a need for the federal government to be involved” in the regulation of the issue.
Currently, many states have their own statutes regarding data breaches. As a result, when a large company operating across state lines has a data breach, it has to go through the laws for all of the states and figure out its burden for each. “This can be a real burden for companies operating across states,” Klosek said.
However, the worst consequence of these cases is often the loss of consumer trust, Klosek concluded.
“When consumers have come to a site and made a purchase with trust, they have little forgiveness” when a company hasn’t protected their data, she said.