Archive for the ‘Retail’ Category

27 Mar 2012

Privacy: Not just good business, but good for business


A recently released study provides further evidence of the link between consumer confidence and the protection of privacy and personal information.

The Edelman study  released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations.  For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information.  An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

It’s hardly surprising that consumers are nervous.  Stories about privacy and security flaws and breaches abound in the media these days.  From flaws in mobile applications and retroactive release of archives for marketing to service amalgamation and data breaches, users are constantly confronted with evidence that their personal information is at risk.  Lack of transparency on the part of organizations and consumer discomfort with cross-border data traffic, outsourcing and cloud storage only exacerbate the issue.

This challenge to trust appears to correlate with an increased willingness on the part of consumers to invest in their privacy.  Where a 2009 study concluded that consumers were unwilling to pay extra for privacy, recent research from the European Network and Information Security Agency (ENISA) finds that individuals weigh security and privacy considerations as heavily as those relating to a product’s design, style, and physical dimensions. All other things being equal, the study discovered that consumers were willing to pay a higher price in order to protect their privacy.

Investing in privacy is not the only way that consumer concerns are indicated – the Edelman data also shows nearly 50% of participants either leaving or avoiding companies that have suffered a security breach.  Following a data breach suffered by an organization with which they’re already involved, up to 70% of those surveyed expressed willingness to terminate a relationship or switch providers.

Findings like these should be a wake-up call for organizations, an indicator that it is no longer enough to “manage” security and privacy concerns. Instead, privacy and security need to be prioritized and strengthened to the point where they can be made key parts of branding and corporate identity.  Consumer confidence is key, and reliant upon trust. And new evidence increasingly shows that privacy is not only good business – it’s good for business.


14 Nov 2011

Is anything of value ever truly free?


Many people would tend to think of Internet content as being free.

And indeed, we can spend seemingly endless hours reading online news articles and watching YouTube videos, all without handing over a penny.

But is there a cost?

One might say that depends on how much you value your privacy.

One thing beyond dispute, however, is the fact that advertisers see immense value in the data trails we create when surfing the web.

Our IP address can reveal the city or region in which we live.

Our web traffic can provide a pretty strong sense of what we’re interested in, particularly if it shows we travel to the same sites regularly or even daily.

All this to say, once a site you visit provides you with a cookie, advertisers follow the trail of crumbs.

In the end, they target and tailor the ads that appear on various sites you visit to your perceived interests.

Some may see benefits in this as they’d prefer being offered products and services that do indeed correspond to their interests.

Others may chafe at the thought of being ceaselessly monitored.

For anyone who wants to learn more about behavioural advertising, I invite you to click here to read our latest fact sheet.

And stay tuned. You’ll be hearing more from us on this in the weeks to come in the form of new information for organizations


6 Aug 2010

Something new between us and our Calvins


In a move to monitor inventory in its stores, Wal-Mart will launch an item-level Radio Frequency Identification (RFID) inventory tracking program starting August 1st, 2010.  In its first phase, the system will track individual pairs of jeans, socks and underwear.  The items will be tagged with removable RFID tags that can be read from a distance using hand-held scanners so employees will know what sizes are missing from shelves and what is in the stock room, all in a matter of seconds.  If the program is successful, it will be rolled out at Wal-Mart’s more than 3750 U.S. stores with more products.

The upsides of RFID systems have been well documented – they help retailers better control their inventory and cut costs for consumers, create efficiencies in our health care system, increase customer convenience (enter the smart coffee mug), and save valuable time for consumers (let’s face it, the ability to push a shopping cart through an RFID reader that instantly calculates your grocery bill without removing a single item from the cart sounds downright heavenly!).

RFID systems also continue to be rolled out in new contexts: we have written about privacy issues surrounding the use of RFID in the workplace, Northern Arizona University is using its RFID-enabled student cards to track student lecture attendance, transportation systems use RFID to monitor traffic flow, our passports are being equipped with RFID chips and our pets are tracked and monitored via RFID implants.

While these systems can be really useful and save us time and money, they also raise some serious privacy concerns.  While the RFID tags in the Wal-Mart example are removable, not all RFID tags are (some are as small as a speck of dust and are virtually invisible).  RFID tags can be tracked and hacked, may not be easy to turn off and can be read at a distance, potentially allowing tags to be read outside the original system for purposes limited only by human ingenuity.

As the tags get cheaper and smaller, the reach and uses of such systems will likely evolve too. Perhaps most concerning is that RFID systems have the potential to track individuals and could do so without their knowledge or consent.  As a recent article notes:

“Location-aware apps are scary enough, based on GPS with the broad range they offer. But for the most part you still have to sign up for those. RFID is being implemented all around you…it can track infants to senior citizens with Alzheimer’s. In between it can track your clothes, your purchases, your car – even you. RFID is on the verge of tracking us all, cradle to the grave.”

As we and others in a number of jurisdictions continue to wrestle with questions about RFID and privacy, the evolving application of RFID systems serves to highlight the fascinating convergence of emerging technologies and human creativity.


27 Apr 2010

Meet Louise.


Meet Louise.

Louise is a central character in our upcoming Consumer Privacy Consultations – not because of her great hair, but because she’s engaged online the way many Canadians are…she buys clothing and books online, she updates her Facebook profile regularly, she’s got an iPhone.

She’s also our fictional case study for examining how our data travels as we engage with the online world – who’s got our data? What are they doing with it?

Below is just one of several scenarios we’ve developed to help ground our conversations during the consultation process. This one will be used during the Advertising panel this week in Toronto. As you read it, ask yourself:

Is Louise aware of how her information may be used when she searches for and buys materials at online bookstores?

How accurate is the advertising profile developed for Louise, given that she shares the computer with other members of her family including her nine-year-old brother?

How could Louise’s profile information be matched with publicly available information to draw inferences about her? What types of decisions are or could be made based on her profile information?  What are the risks of combining online and offline profiles? Or the risks involved in combining different online profiles, like Louise’s Facebook profile with the profile her favourite online bookstore has of her?

Louise is a stylish 21-year-old college student who likes to meet people and try new things. She is active online and does everything from buying trendy clothing and concert tickets to keeping in touch with friends through posting updates and photos to her Facebook page.  Now in her final year of college, Louise is starting to look for a job. She is putting herself through school by making jewellery and selling it online. She is also a collector of specialty comic books and belongs to an international network of comic book enthusiasts. Louise also has a younger brother, David, who is nine years old.

Louise bought some designer jeans at a store in her local mall with her credit card. She also had the clerk swipe her loyalty card.

When Louise arrived home, she signed into her new account at the store’s web site to learn more about the clothes she had carried into the changing room but not bought. In her excitement to see the store’s merchandise, she clicked through the site’s lengthy privacy policy.

In looking on the store’s web site for a blouse to go with her new jeans, Louise saw an advertisement for jewellery that really appealed to her, so she followed it. Louise felt comfortable at the small Canadian jewellery site because the style of the site was as though she were visiting a friend’s page.

She also liked the styles of jewellery on the site so she bought a necklace and clicked on the “Like” button to update her friends on her latest purchase. From there, she left the store site and searched for the listing of a concert and bought 2 tickets. After that, she checked the status of the online auction she was participating in to get a new specialty comic book.

After this, Louise updated her Facebook page to let her friends know about her purchases and to see who else would be attending the concert. From Facebook, she checked out her favourite online bookstore where she purchased a book that was recommended to her by another comic book expert.

We’re hoping to generate some discussion around Louise’s activities – join the discussion by commenting on our blog, or jumping into the Twitter-stream on Thursday (hashtag #priv2010). We also invite you to check out the live webcast.


28 Jan 2010

It’s Data Privacy Day 2010: Are you taking the proper steps to ensure that your personal information is safe?


On Data Privacy Day 2010 we’d like to take a moment to remind everyone that it is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – priv.gc.ca and youthprivacy.ca.


2 Dec 2008

Limiting Collection of Driver’s Licence Information


Is there anything more annoying than 100 people ahead of you in line when you are trying to purchase that perfect holiday gift? Well, what about being asked, in the midst of your harried purchase, to pull out your driver’s licence so the retailer can record the number? Not only can this be annoying, but it might also be a violation of your personal privacy.

The Office of the Privacy Commissioner and the Information and Privacy Commissioners of Alberta and British Columbia recently announced the release of a guide for retailers who make it a practice to collect driver’s licence information and numbers. This guide is meant to help these retailers better protect the privacy of their customers.

In general, privacy legislation (such as the federal Personal Information Protection and Electronic Documents Act, PIPEDA, and Alberta’s and British Columbia’s respective Personal Information Protection Acts) requires an organization to collect, use or disclose personal information for appropriate and reasonable purposes, to limit collection to what is necessary to meet their purposes, and to make sure this information is properly safeguarded.

In practice, retailers often record or photocopy a driver’s licence for a number of purposes, such as to verify an individual’s identity. However, this may be accomplished in a less privacy-intrusive manner, such as examining the driver’s licence to confirm information, or in some cases limiting collection to the name and address that appears on the card.

The guide indicates that a driver’s licence contains sensitive information. Recording, scanning or photocopying the card may result in the collection of information such as a photograph, height, physical descriptions and other information – far more detail than what the retailer needs to conduct their business.

There may be some cases where it is OK to record some of this information, for example the collection of limited personal information during a refund or exchange (PIPEDA Case Summary #361). However, it may not be reasonable to record driver’s licence numbers for the return of products (Settled Case # 16).

You can always ask for an explanation as to why your driver’s licence information is being collected, especially if it is being photocopied. If you still have concerns whether this collection is appropriate, you can visit the OPC website, refer to this guide or contact the appropriate Privacy Commissioner’s Office for further information.