Fact Sheet 23:
Online Shopping Tips:
E-Commerce and You
Send to Printer
Privacy Rights Clearinghouse
- Shop at Secure Web Sites
- Research the Web Site before You Order
- Read the Web Site's Privacy and Security Policies
- Be Aware of Cookies and Behavioral Marketing
- What's Safest: Credit Cards, Debit Cards, Cash, or Checks?
- Never Give Out Your Social Security Number
- Disclose Only the Bare Facts When You Order
- Keep Your Password Private
- Check the Web Site Address
- Don't Fall for "Phishing" Messages
- Always Print or Save Copies of Your Orders
- Shop with Companies Located in the United States
- Pay Attention to Shipping Facts
- Learn the Merchant's Cancellation, Return and Complaint-Handling Policies
- Use Shopper's Intuition
- Be Wary of Identity Theft
- Consider Using Single-use Card Numbers
- Be Cautious with Electronic Signatures
- Know How Online Auctions Operate
- Understand Your Responsibility for Sales and Use Taxes Online
- Be Aware of Dynamic Pricing
- Additional Resources
By just clicking a mouse or touching a screen, shoppers can buy nearly any product online -- from groceries to cars, from insurance policies to home loans. The world of electronic commerce, also known as e-commerce, enables consumers to shop at thousands of online stores and pay for their purchases without leaving the comfort of home. For many, the Internet has taken the place of Saturday afternoon window shopping at the mall. Consumers expect merchants to not only make their products available online, but to make payments a simple and secure process. However, the same things can go wrong shopping online as in the real world. Sometimes it is simply a case of a computer glitch or poor customer service. Other times, shoppers are cheated by clever scam artists.
Just as shoppers should take measures to protect themselves in brick-and-mortar stores — such as protecting their PIN numbers when checking out and not leaving purses unattended — online shoppers also need to take sensible precautions. This guide offers advice on how to make your online shopping experiences enjoyable and safe.
How can you tell if a Web site is secure? Secure sites use encryption technology to transfer information from your computer to the online merchant's computer. Encryption scrambles the information you send, such as your credit card number, in order to prevent computer hackers from obtaining it en route. The only people who can unscramble the code are those with legitimate access privileges. Here's how you can tell when you are dealing with a secure site:
- If you look at the top of your screen where the Web site address is displayed (the "address bar"), you should see https://. The "s" that is displayed after "http" indicates that Web site is secure. Often, you do not see the "s" until you actually move to the order page on the Web site.
- Another way to determine if a Web site is secure is to look for a closed padlock displayed on the address bar of your screen. If that lock is open, you should assume it is not a secure site.
Of course, transmitting your data over secure channels is of little value to you if the merchant stores the data unscrambled. You should try to find out if the merchant stores the data in encrypted form. If a hacker is able to intrude, it cannot obtain your credit data and other personal information. Be sure to read the merchant's privacy and security policies to learn how it safeguards your personal data on its computers. (See tip 4 below.)
Do business with companies you already know. If the company is unfamiliar, do your homework before buying their products. If you decide to buy something from an unknown company, start out with an inexpensive order to learn if the company is trustworthy.
Reliable companies should advertise their physical business address and at least one phone number, either customer service or an order line. Call the phone number and ask questions to determine if the business is legitimate. Even if you call after hours, many companies have a "live" answering service, especially if they don't want to miss orders. Ask how the merchant handles returned merchandise and complaints. Find out if it offers full refunds or only store credits.
You can also research a company through the Better Business Bureau (see listing below), or a government consumer protection agency like the district attorney's office or the Attorney General. Perhaps friends or family members who live in the city listed can verify the validity of the company. Remember, anyone can create a Web site.
Look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices, such as TRUSTe (www.truste.org), Verisign (www.verisign.com), or BBBonline (www.bbbonline.org).
Given all of these uncertainties, you will want to think about the sensitivity of the data that is being compiled about you when you shop online. We cannot prescribe the best approach to take. Each consumer has a different interpretation of what is considered “sensitive.”
Online merchants as well as other sites watch our shopping and surfing habits by using "cookies," an online tracking system that attaches pieces of code to our Internet browsers to track which sites we visit as we search the Web.
Privacy advocates worry that as more and more data is compiled about us — without our knowledge or active consent — it will be combined to reveal a detailed profile, even our actual identities. This data is often collected to market goods and services to us, encouraging us to buy them. There are a number of companies that specialize in targeted online advertising called "behavioral marketing." Companies say consumers benefit by being exposed to more targeted advertising and that online merchants can make more money more efficiently by targeting the right shoppers.
For example, you might buy a book on golf from Amazon, visit the Professional Golfer's Association site, purchase golf shoes at Zappos, and search online for golf courses near your home. When you do, a cookie or your computer's Internet Protocol (IP) address could be used to generate golf-related ads. When you open the USA Today site to read the morning news, you may see an ad offering you a new set of clubs at a discount. When you go back to Amazon later that day you might be offered a biography of Tiger Woods.
What if your behavioral marketing profile is shared with others, without your permission? You might not care if a drug company shares your prescription drug information with a coupon service to save you money. But what if that same information were obtained by your employer, resulting in more expensive health insurance coverage?
6. What's Safest: Credit Cards, Debit Cards, Cash, or Checks?
The safest way to shop on the Internet is with a credit card. In the event something goes wrong, you are protected under the federal Fair Credit Billing Act. You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation. When it has been determined that your credit was used without authorization, you are only responsible for the first $50 in charges. You are rarely asked to pay this charge. For more information on credit card consumer protections, see http://www.privacyrights.org/fs/fs32-paperplastic.htm#3
Make sure your credit card is a true credit card and not a debit card, a check card, or an ATM card. As with checks, a debit card exposes your bank account to thieves. Your checking account could be wiped out in minutes. Further, debit and ATM cards are not protected by federal law to the extent that credit cards are.
The “Restore Online Shoppers’ Confidence Act” (P.L. 111-345) (signed December 29, 2010) makes it illegal for a company that sells goods or services online to give a consumer’s credit card number (or other financial account number) to a third-party for sales purposes. This practice is known as “data passing.” The Act prohibits a third-party seller from charging a consumer for any good or service, unless the seller (1) clearly and conspicuously discloses the material offer terms and that the third-party seller is not affiliated with the initial merchant and (2) receives express consent for the charge from the consumer. The third-party seller must obtain the full financial account number directly from the consumer. The initial online seller may not transfer a consumer’s financial account number to a third-party seller.
The Act also regulates “negative option” plans. A consumer must give express, informed consent before being charged for goods or services sold online through “negative option” marketing, such as “free trials” that the consumer must cancel in order to avoid being charged. Companies that use negative option plans must (1) clearly and conspicuously disclose the material terms of the transaction before obtaining the consumer’s billing information, (2) obtain a consumer’s express consent before charging the consumer, and (3) provide a simple mechanism to stop any recurring charges.
Online shopping by check leaves you vulnerable to bank fraud. And sending a cashier's check or money order doesn't give you any protection if you have problems with the purchase.
Never pay for online purchases by using a money transfer service. You could be transferring cash to a fraudster. Scammers will ask consumers to send them payment using a money transfer service such as Western Union or MoneyGram because they can get your cash fast and it’s difficult to trace. Legitimate sellers normally do not ask consumers to send payment that way. Money transfer services should only be used to send money to people that you know well, not to unknown sellers of merchandise online. Watch the Consumer Federation of America’s video about this at http://www.youtube.com/watch?v=R2ylW85g1So.
Providing your Social Security number is not a requirement for placing an order at an online shopping site. There is no need for the merchant to ask for it. Giving out your Social Security number could lead to having your identity stolen. (See PRC Fact Sheet 17a, "Identity Theft: What to Do if It Happens to You".)
When placing an order, there is certain information that you must provide to the web merchant such as your name and address. Often, a merchant will try to obtain more information about you. They may ask questions about your leisure lifestyle or annual income. This information is used to target you for marketing purposes. It can lead to "spam" or even direct mail and telephone solicitations.
Don't answer any question you feel is not required to process your order. Often, the web site will mark which questions need to be answered with an asterisk (*). Should a company require information you are not comfortable sharing, leave the site and find a different company for the product you seek.
Many online shopping sites require the shopper to log-in before placing or viewing an order. The shopper is usually required to provide a username and a password.
Never reveal your password to anyone. When selecting a password, do not use commonly known information, such as your birthdate, mother's maiden name, or numbers from your driver's license or Social Security number. Do not reuse the same password for other sites, particularly sites associated with sensitive information. The best password has at least eight characters and includes numbers and letters. Read our Alert "10 Rules for Creating a Hacker Resistant Password" to help you choose a safer password.
The address bar at the top of your device's screen contains the web site address (also called the URL, or Uniform Resource Locator). By checking that address, you can make sure that you are dealing with the correct company.
Don’t click on any link embedded within a potentially suspicious email. Instead, start a new Internet session by typing in the link’s URL into the address bar and pressing “Enter” to be sure you are directed to a legitimate Web site.
Identity thieves send massive numbers of emails to Internet users that ask them to update the account information for their banks, credit cards, online payment service, or popular shopping sites. The email may state that your account information has expired, been compromised or lost and that you need to immediately resend it to the company.
Some emails sent as part of such “phishing” expeditions often contain links to official-looking Web pages. Other times the emails ask the consumer to download and submit an electronic form.
Remember, legitimate businesses don’t ask for sensitive information via email. Don’t respond to any request for financial information that comes to you in an email. Again, don’t click on any link embedded within a suspicious email, and always call the retailer or financial institution to verify your account status before divulging any information.
For more information on phishing, visit www.antiphishing.org, and www.onguardonline.gov.
After placing an order online, you should receive a confirmation page that reviews your entire order. It should include the costs of the order, your customer information, product information, and the confirmation number.
We recommend you print out or save a copy of the Web page(s) describing the item you ordered as well as the page showing company name, postal address, phone number, and legal terms, including return policy. Keep it for your own records for at least the period covered by the return/warranty policy.
Often you will also receive a confirmation message that is e-mailed to you by the merchant. Be sure to save and/or print this message as well as any other e-mail correspondence with the company.
When you shop within the U.S., you are protected by state and federal consumer laws. You might not get the same protection if you place an order with a company located in another country.
Under the law, a company must ship your order within the time stated in its ad. If no time frame is stated, the merchant must ship the product in 30 days or give you an "Option Notice." This gives you an opportunity to cancel the order and receive a prompt refund, or agree to the delay.
Here are key shipping questions to ask:
- Does the site tell you if there are geographic or other restrictions for delivery?
- Are there choices for shipping?
- Who pays the shipping cost?
- What does the site say about shipping insurance?
- What are the shipping and handling fees, and are they reasonable?
Even under the best of circumstances, shoppers sometimes need to return merchandise. Check the Web site for cancellation and return policies. Be sure to check for the following:
- Who pays for shipping?
- Is there a time limit or other restrictions to the return or cancellation?
- Is there a restocking charge if you need to cancel or return the order?
- Do you get a store credit, or will the company fully refund your charges to your credit card? If the merchant only offers store credits, find out the time restriction for using this credit
- Does the merchant post a phone number and/or e-mail address for complaints?
- How long has the company been in business?
- Will they still be around when you need them?
- Is there an easy, local way for you to get repairs or service?
- Is there a warranty on the product, and who honors that guarantee?
- What are the limits, and under what circumstances can you exercise your warranty rights?
Don't expect less customer service just because a company operates over the Internet. This is especially important if you are buying something that may need to be cleaned or serviced on occasion.
Look at the site with a critical eye. And heed the old adage, "If it looks too good to be true, it probably is." If any of these questions trigger a warning bell in your head, you will be wise to find another online merchant:
- Are there extraordinary claims that you question?
- Do the company's prices seem unusually low?
- Does it look like the merchant is an amateur?
- Are there a lot of spelling or grammar errors?
- Does the company's phone go unanswered.
- The use of a post office box might not send up a red flag, but a merchant who does not also provide the company's physical address might be cause for concern.
As online shopping becomes more common, there will be more cases of identity theft committed over the Internet. Imposters are likely to obtain their victims' identifying information using low-tech means like dumpster diving, mail theft, or workplace access to SSNs. But they are increasingly using the Web to apply for new credit cards and to purchase goods and services in their victims' names.
The same advice for avoiding low-tech identity theft applies to shopping on the Internet. Many are mentioned in the above tips. Most important: Be aware of who you are buying from. And use true credit cards for purchases, not debit cards.
We recommend that you check your credit card bills carefully for several months after purchasing on the Internet. Look for purchases you did not make. If you find some, immediately contact the credit card company and file a dispute claim.
Order your credit reports at least once a year and check for accounts that have been opened without your permission. (See PRC Fact Sheet 17a , "Identity Theft: What to Do if It Happens to You".
Consumers using some brands of credit cards can get “virtual credit cards,” or single-use card numbers, that can be used at an online store. Virtual credit cards use a randomly generated substitute account number in place of your actual credit card number. They can also be used to buy goods and services over the phone and through the mail but can’t be used for in-store purchases that require a traditional plastic card.
With this free service, you never need to give out your real credit card number online. Among the card companies offering it are Citibank and Bank of America. Citibank calls their virtual credit card offering a Virtual Account Number while Bank of America calls it ShopSafe. You can configure the expiration date and the maximum amount allowed for a virtual credit card. Once used, the card is tied to the merchant where it was used, and cannot be used elsewhere.
A federal law enables shoppers to verify online purchases with merchants using an electronic signature. Usually, this process is nothing more than clicking on a box that says you accept the terms of the order.
The Electronic Signatures in Global and National Commerce Act, also known as the E-Sign Act, is a complex law. It states that electronic signatures and electronic records used in interstate and foreign commerce will not be denied validity just because they are in electronic form. Further, the law says that online purchases do not need to be accompanied by the more traditional handwritten signature on a paper document.
Consumer advocates opposed the law because it lacks important safeguard against fraud. For example, the law does not require online merchants to comply with such standards as message integrity (security and accuracy in transmission), privacy of customer data, and authentication of sender.
The faults of the E-Sign Act require you to shop cautiously on the Internet. The tips offered in this guide will help you make sure the online companies you choose are secure and honest.
Online auctions connect buyers and sellers, allowing them to communicate in a bidding process over items for sale. Many people are drawn to online auction sites because they allow you to buy items at discounted prices. And they offer a chance to sell some of your unneeded or unwanted possessions to raise extra money. For the most part, online auction sites are a safe way to exchange goods. But it makes sense to be cautious and aware.
Once a consumer has agreed to a price with a seller, the buyer and seller arrange for payment and delivery of the product. Successful bidders can usually choose among several payment options, such as credit card, online payment service, debit card, personal check, cashier's check, money order, or escrow service.
If a seller requests payment in cash by private courier, or by check or money order through an overnight delivery service, you have a right to be suspicious. This could signal an attempt to commit fraud by taking your money without delivering the merchandise.
It always makes sense to pay by credit card because you'll have an option to seek a credit from the credit card issuer (also known as a "chargeback") if the product isn't delivered or isn't what you ordered. For more information on credit card consumer protections see www.privacyrights.org/fs/fs32-paperplastic.htm#3
To protect both buyers and sellers, some auction sites prohibit the use of wire transfers as a payment method. The Federal Trade Commission recommends that buyers do not pay by wire transfer because if something goes wrong, you are left with no refund and no recourse.
Another popular way to pay at auctions is with online payment services, such as PayPal. In this scenario, the buyer and seller set up accounts that allow them to make or accept payments. Buyers provide payment information, like bank account or credit card numbers, and sellers give information about where payments should be deposited. Some online payment services offer protection if the seller doesn't ship the goods.
Sellers can be scammed too. Fake check scams are the most common problem, although they can be avoided by not accepting checks, especially cashier's or certified checks, as payment, and by waiting to ship the goods until you get your payment in a reliable form.
If a buyer offers you a cashier's (or certified) check for more than the amount of the item, and asks you to wire them the excess amount, don't do it. This it is a classic example of a fake check scam.
If you encounter a problem with a buyer or seller at an online auction site, such as eBay, it's important to report the problem to the site right away. You are probably not the only person being taken advantage of and you could help shut down illegal or unethical sellers by alerting the site to the problem. For more information on online auctions, see www.consumer-action.org/news/articles/internet_commerce_issue_spring_2008/#Topic_07
Generally Internet shopping is sales tax free, but there's a catch. If an online merchant has a physical presence in your state, it is required to charge you sales tax. In most states, consumers are required to pay tax on online purchases, even if the store doesn't collect it. Most states call this a "use tax". You are generally required to pay the use tax if you have goods shipped to you. Many state income tax forms now collect use tax.
Some online retailers use dynamic pricing to engage in price discrimination by charging different prices to different consumers for identical goods or services. When you purchase goods or services online, you may be paying a higher or lower price than another online customer buying the same item from the same site at the same time. While online shopping enables consumers to easily compare prices, it also allows businesses to collect detailed information about a customer's purchasing history and preferences. Online stores can use that information to customize the prices they charge you.
Amazon.com began experimenting with dynamic pricing in 2000. Different customers were offered different prices for the same product. Depending upon a consumer’s purchase history and other information, Amazon might offer different prices matched to a customer’s perceived willingness to pay a higher or lower price than the standard price.
In 2005, the University of Pennsylvania's Annenberg Public Policy Center published “Open to Exploitation: American Shoppers Online and Offline” (http://www.annenbergpublicpolicycenter.org/Downloads/Information_And_Society/Turow_APPC_Report_WEB_FINAL.pdf) The Annenberg study documented how most consumers who use the Internet are unaware how vulnerable they are to abuse by marketers and how the information that they provide can be used to exploit them. Researchers conducted a survey and found that about 2/3 of those surveyed did not know that it is legal "for an online store to charge different people different prices at the same time of day." The study also identified instances of dynamic pricing online. For example, one photography site charged different prices for the same camera depending upon whether online shoppers had previously visited a price-comparison site.
In 2010, the Wall Street Journal reported on a company that helps a major credit card issuer determine what deals to offer customers when they visit the issuer’s site. The offer changed based upon information gleaned from the user’s computer, rather than their credit-rating or other information provided by the customer. More recently, the same bank was reported to offer different car loan rates to users using different browsers. (http://consumerist.com/2010/11/01/capital-one-made-me-different-loan-offers-depending-on-which-browser-i-used/).
While dynamic pricing has existed for a long time for time-sensitive products such as airline tickets, hotel room reservations, and rental cars, it’s difficult to justify the use of dynamic pricing for goods and services that are not of a time-sensitive nature.
Online merchants can easily implement dynamic pricing by placing cookies on a customer’s computer which will track the user’s past interactions with the site. By using this information, sites can customize their interactions based on your past activities. Online stores can read the cookies on your browser to determine what products or services you searched for and bought and how much you paid for them. This information helps them to predict how much you might be willing to pay for a product or service. In addition, click-stream technology allows a site to trace the path that a user follows as they view different pages on the site.
Some online stores may also consider other factors when determining pricing. For example, merchants might charge higher prices to customers who make repeated returns or demand extra service.
There are several ways that you may be able to defeat dynamic pricing. Obviously, do not log in to a site before you obtain a price quote. Be sure to clear the cookies from your browser before you visit a site. Visit sites from different browsers (Internet Explorer, Firefox, and others). Utilize price comparison sites that check prices from multiple vendors. Finally, if you do log in to a site, try leaving items in your shopping cart for a few days, to see if the merchant offers any discounts.
Listed below are Web sites that provide additional information about shopping online.
|www.bbb.org and www.bbbonline.org||The Better Business Bureau certifies web merchants with a privacy seal of approval. You can research merchants through the BBB and also report e-commerce fraud problems at these sites.|
|www.fda.gov/ForConsumers/ProtectYourself/default.htm||Created by the U.S. Food and Drug Administration to provide shopping tips for buying online prescriptions and over-the-counter drugs on the web.|
|http://www.consumer.ftc.gov/articles/0020-shopping-online||The Federal Trade Commission guides for online shopping and E-payments.|
|http://publications.usa.gov/epublications/internet-auction/internet_auctions.htm||The Federal Trade Commission's tips on Internet auctions.|
|www.ic3.gov||The FBI's Internet Fraud Complaint Center allows you to report suspected cases of Internet and e-commerce fraud.|
|www.lookstoogoodtobetrue.com||Federal law enforcement and industry task force helps prevent consumers from becoming victims of an Internet fraud schemes.
|www.onguardonline.gov||FTC, other federal agencies, and the technology industry offer advice on identity theft, phishing, spyware, spam, online shopping and more.|
|www.safeshopping.org||Online shopping tips provided by the American Bar Association.|
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.