Fact Sheet 15:
What Personal Information Should You Give to Merchants?


Send to PrinterSend to Printer

773046000

Copyright © 1994-2015
Privacy Rights Clearinghouse
Posted July 01, 1994
Revised May 01, 2015
  1. Introduction 
  2. Paying by Credit Card or Check (California Only)
  3. Paying by Credit Card: MasterCard and Visa Rules
  4. Merchandise Returns and the Retail Equation
  5. Customer Loyalty Programs
  6. Behavioral Targeting
  7. Mobile Location Analytics
  8. Product Registration Forms
  9. The Future of Consumer Data Gathering
  10. Resources

1. Introduction

When we think about retailers "tracking" our behavior, we are more likely to think of online retailers than traditional "brick and mortar" stores.  Online retailers have the advantage of collecting analytical data through browser cookies, while "brick and mortar" stores do not have that ability.  However, many technological advances now permit "brick and mortar" stores to track their customers in many ways, often without their knowledge.

This fact sheet explains some of the ways that retailers can track you, and how you can protect yourself from such tracking.  We'll examine situations where consumers may be asked to provide information as part of a retail transaction, for example when paying by check or credit card, using a store's loyalty card or returning merchandise.  We'll also look at ways that retailers might collect information without your knowledge, by using sophisticated technology.

Consumers must understand that retailers want to obtain as much information as possible about their customers so they can more precisely market to them.  However, in our "big data" society, where billions of pieces of information easily can be collected and distributed, it’s not necessarily in your best interest to have a lot of their personal data accessible. Seemingly innocuous customer information obtained from consumers can often be combined with data available from other sources to obtain a surprisingly detailed portrait of an individual customer.

We'll start by looking at common ways that retailers collect information at the cash register or at the returns desk, then take a look at how customers are being tracking while moving around a retail store, and finally take a look at how you might be asked for information after you leave the store.

2. Paying by Credit Card or Check (California Only)

Two California laws limit the collection of personal information by merchants when you pay by credit card or check. These laws were enacted to prevent fraud and limit the amount of personal information which can be collected by merchants.

  • When a consumer pays with a credit card, the merchant cannot record any personal information other than what is on the front of the credit card. (California Civil Code § 1747.08).   (Song-Beverly Credit Card Act of 1971)
  • When a consumer pays with a check, the merchant cannot record the credit card number. (California Civil Code § 1725).

2a. Paying by Credit Card:  California State Laws

What personal information can a merchant collect when a consumer pays with a credit card? 

Under the Song-Beverly Credit Card Act:

  • Merchants cannot request or require that the consumer write any personal information, including address and telephone number, on any form associated with the credit card transaction when the consumer uses a credit card to pay for goods or services.
  • Merchants cannot ask the consumer to provide personal information that the merchant then records.
  • Merchants cannot use forms with pre-printed spaces for personal information.

Are there any exceptions?

Yes. A merchant can collect personal information when:

  • The credit card is used as a deposit.                        
  • The credit card is used for a cash advance.
  • The personal information is needed for something incidental but related to the use of the credit card. An example would be the address to which the purchased product is to be shipped.
  • The merchant is required to collect information under a federal law or regulation.
  • The merchant is contractually obligated to provide personal identification information in order to complete the credit card transaction.
  • Merchants can record the cardholder’s driver’s license number or identification card number on any form associated with the transaction if the cardholder pays with a credit card but does not provide the credit card. An example is if you are at a department store and forget your credit card but want to charge something to your account.
  • The card is used to "pay at the pump" for gasoline, limited to Zip Code information which may be used solely for prevention of fraud, theft, or identity theft.

Does the law apply to debit card transactions?

No. The Song-Beverly Credit Card Act only applies to transactions paid for with a true credit card.  It does not apply to a debit card transaction, including one using a Visa or MasterCard branded debit card.  If your card says "Check Card" or "Debit" on the front, it is not a credit card.  It does not matter whether you enter a PIN or whether the transaction is processed through the Visa or MasterCard network.

Does the law prohibit a merchant from asking to show identification when using a credit card?

The Song-Beverly Credit Card Act does not prohibit a California merchant from requiring a consumer who pays for goods or services by credit card to show identification such as a California driver’s license or California ID. If these are not available, another form of photo identification can be required to be shown. But merchants cannot write or record any information from these documents. However, as we explain below, the major credit card company rules provide that merchants cannot make showing identification a condition of credit card acceptance.

Does the law apply to collection of your ZIP code?

In Pineda v. Williams-Sonoma Stores (February 10, 2011), the California Supreme Court ruled  that a merchant may not ask a customer to provide a ZIP code as part of a credit card transaction.  Williams-Sonoma used customer ZIP codes that it collected from customers to obtain their home addresses.  It then used those addresses to send catalogs to customers who had never provided their address to the retailer.  It was able to obtain these addresses through a process known as reverse appending (reverse searches from databases in order to match their customers’ names and ZIP codes with their previously undisclosed addresses).

In a subsequent case, Davis v. Devanlay Retail Group Inc., a federal district court ruled that the permissibility of a retailer’s request for a customer’s personal information depends upon “whether a consumer would perceive the store’s ‘request’ for information as a ‘condition’ of the use of a credit card.”  On May 5, 2015, the case was certified to the California Supreme Court.

Does the law apply to collection of your email address?

Some merchants now offer their customers the option of a paperless or electronic receipt for in-store purchases.  To accomplish this, the merchant may ask a customer for his or her email address at check-out and then email the receipt to the customer.  In Capp v. Nordstrom, one California court has held that this is unlawful under the Song-Beverly Credit Card Act. You can read more about this case here

Does the law apply to online transactions?

In February 2013, the California Supreme Court found in Apple v. Superior Court of Los Angeles that Song-Beverly Credit Card Act protections do not apply to online purchases that are downloaded electronically. At issue was whether the Act prevented online retailers from recording a purchaser's address and telephone number as a requirement for accepting a credit card as payment for a purchase of an item that does not need to be shipped to the purchaser.  You can read an explanation of the Court's decision here

Does the law apply to an online purchase picked up at a retail store?

Many merchants allow customers to order goods online and pick up the merchandise at aretail outlet.  Consumers are often able to save on shipping charges by doing this.  In April 2015 in Ambers v. Beverages & More, Inc., the California Court of Appeals (2nd Appellate District) found that the Song-Beverly Credit Card Act did not apply to an online purchase of merchandise that was picked up at the retail store.

Why do retailers want to collect my ZIP code?

A retailer might want your ZIP code for one of several reasons:

  • Identity verification.  Under the  Song-Beverly Credit Card Act, ZIP Codes may be collected for "pay at the pump" gasoline purchases.
  • Customer demographics.  Sometimes a retailer wants to know where its customers are coming from, which can be helpful when deciding where to open new store locations. 

  • Reverse appending.  Retailers can use your ZIP code in conjunction with the name on your credit card in order to conduct reverse searches in databases to find out your address. This allows the retailer to mail advertising directly to you.   

2b. Paying by Check:  California State Laws

What personal information can a merchant collect when a consumer pays by check?

Merchants who accept a check for goods or services sold or leased at retail cannot:

  • Require a consumer to provide a credit card or record the credit card number in connection with any part of the transaction.
  • Require a consumer to sign a statement agreeing to allow the consumer’s credit card to be charged to cover the amount of the check in case the check bounces.
  • Contact the credit card issuer to find out if the amount of credit available to the consumer will cover the amount of the check.

Are there any exceptions?

Yes. A merchant can request or record a credit card number in connection with payment by check when:

  • A check is used solely to obtain cash.                          
  • A check is used as a deposit.
  • A check is used to make a payment on that credit card account.

The following is also allowed when a merchant accepts a check for goods or services sold or leased at retail:

  • The merchant can request the consumer to voluntarily show a credit card. The only information that the merchant can record is the type of credit card (such as Visa and MasterCard), the issuer and the expiration date. The credit card number cannot be recorded on the check.
  • The merchant asking to see a credit card must inform the consumer that the credit card is not required to write a check. This can be done by either posting a notice that states “Check writing ID: credit card may be requested but not required for purchases,” or by training and requiring the employees to inform the consumer that the credit card does not have to be shown to write a check.
  • The merchant can require the consumer to provide a California driver’s license or a California ID number. Another form of photo identification can be required if these forms of identification are not available. It is not against the law for merchants to write ID numbers on checks.
  • The merchant can  require, verify and record a consumer’s name, address and telephone number.
  • The merchant can require a check guarantee card and record the number, whether or not the check guarantee card is also a credit card.

2c. Compliance and Enforcement

What happens when a merchant breaks the laws described above?

In California, merchants may be fined up to $250 for the first violation and up to $1,000 for each subsequent violation. In addition, the court can order the merchant to stop violating the law. If the merchant violates the law, the consumer can do the following:

  • The consumer who has paid with the check or credit card may sue the merchant in small claims court.
  • If the consumer feels that the merchant has broken the law against many customers, the consumer may want to consult an attorney to bring a class action suit. 
  • Another option is for the consumer to make a complaint to the Attorney General, the District Attorney or the City Attorney. If several complaints are received, they can choose to sue the merchant on behalf of California residents in Superior Court.

2d. Summary of California Merchant Laws

Here is a summary of California laws regarding payments to merchants by credit card and by check:

Any person or business establishment…..

is prohibited from.....

but may require.....

Consequences of violating this prohibition.....

accepting a credit card for the transaction of business

writing or recording personal information on any form used in the transaction. This includes but is not limited to address, telephone number and Social Security number.

showing a California driver's license or ID card [provided the information on these documents is not written or recorded on any form]

civil penalty of up to $250 for the first offense and $1,000 for second or subsequent offense.

Section 1747.08,
California Civil Code

 

accepting a check in payment for goods or services sold or leased at retail

• recording a credit card number;
• requiring that a credit card be shown as a condition of accepting the check (the card can be requested, but not required).

showing a California driver's license or ID card

civil penalty of up to $250 for the first offense and $1,000 for second or subsequent offense.

Section 1725,
California Civil Code

3. Paying by Credit Card:  MasterCard and Visa Rules

Can merchants accepting MasterCard or Visa require customers to show a driver’s license or other identification as a condition of credit card acceptance?

While merchants may ask a customer for identification, in most situations, a merchant may not condition acceptance of a Visa or MasterCard credit card upon the customer presenting identification. In other words, you can refuse to provide identification, and the merchant still must accept your credit card. Many merchants are unaware of this rule or simply choose to ignore it.

Be aware that identification may be required for purposes other than the credit card transaction, for example, when purchasing alcohol, tobacco products, or certain medications. Identification may also be required for unusual transactions flagged during the authorization process. 

Some consumers feel that asking for ID helps protect them from identity theft. But others want to protect their privacy and personal security by not revealing their address, birthdate, and other information contained on their driver’s license to a stranger. 

The MasterCard Rules (December 11, 2014 edition) provides as follows:

5.8.4 Additional Cardholder Identification

A Merchant may request but must not require a Cardholder to provide additional identification information as a condition of Card acceptance, unless such information is required to complete the Transaction, such as for shipping purposes, or the Standards specifically permit or require such information to be collected.

A Merchant in a country or region that supports use of the MasterCard Address Verification Service (AVS) for MasterCard POS Transactions may require the Cardholder’s ZIP or postal code to complete a Cardholder-Activated Terminal (CAT) Transaction, or the Cardholder’s address and ZIP or postal code to complete a mail order, phone order, or e-commerce Transaction.

The Card Acceptance Guidelines for Visa Merchants  (2014 edition, pg. 34) provides as follows:

When should you ask a cardholder for an official government ID? Although Visa rules do not preclude merchants from asking for cardholder ID except in the specific circumstances discussed in this guide, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot as part of their regular card acceptance procedures refuse to complete a purchase transaction because a cardholder refuses to provide ID . It is important that merchants understand that the requesting of a cardholder ID does not change the merchant’s liability for chargebacks. However, it can slow down a sale and annoy the customer. In some cases, it may even deter the use of the Visa card and result in the loss of a potential sale. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several countries also make it illegal for merchants to write a cardholder’s personal information, such as an address or phone number, on a sales receipt.

What should I do if a merchant insists upon seeing my identification?

Unfortunately, the MasterCard and Visa rules are often ignored by retailers. If you feel strongly about not showing identification as a condition of using your Visa or MasterCard credit card, you may wish to print out a copy of the relevant merchant rule (from the pdf links cited above) and ask to speak to a store manager.

MasterCard has an online form for reporting merchant violations of this rule. Go to http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html and check the box: “The merchant/retailer required identification.”

What about American Express and Discover cards?

American Express policy on asking for identification is vague. It requires merchants to "verify that the customer is the card member," but its rules make no direct mention of requiring identification.

Discover's policy states that a store employee who has doubts about the validity of a card should "request and review additional identification" from the customer.

For additional information, please read http://www.creditcards.com/credit-card-news/can-retailers-ask-id-with-credit_card-1282.php.

4. Merchandise Returns and the Retail Equation

Must I allow a merchant to swipe my Driver's License if I want to make a return?

Generally, yes.  While return policies vary from one retailer to another, many retailers require you to present a driver's license (or government-issued ID) when you return or exchange merchandise.  Typically, retailers will swipe your license in a reader that will query a database to look at your return history for patterns of fraud or abuse.  By scanning your license, the retailer can collect any information that is encoded on the license's magnetic stripe or bar code. In most states, this information includes the data printed on the face of your license.

California law specifically allows a retailer to swipe your license "to collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation."  CA Civil Code Section 1798.90.1(a)(1)(D).

Depending upon state law, retailers may be required to post their return policies, but they may not be required to accept merchandise returns. Most retailers post their return policies in their stores, on their Web sites, and/or on their receipts. Much of this is governed by state law. In California, the Attorney General has stated that if a store reports to a central reporting company and uses this as the basis for denying a return, this policy must be prominently posted in the store. http://ag.ca.gov/consumers/general/refund_policies.php

Some retailers manage merchandise return data in-house while others outsource the collection of this data to a company called The Retail Equation.

What is The Retail Equation?

The Retail Equation (formerly known as The Return Exchange) (TRE) (www.theretailequation.com) is contracted by many retailers to gather and store their return information and analyze the data to develop return policies for those retailers. As customers return merchandise, TRE compares variables such as return frequency, dollar amounts and/or time against a set of rules that form the retailer’s return policy.

If you make repeated returns or exchanges to a specific merchant, you may not be able to do so again at a later date. Refused returns generally fall into two categories.

  • First, returns that break the retailer’s basic return policy (such as a return without a receipt, a return after the allowed return period, or multiple returns beyond the quantity of returns allowed by the retailer within a given period).
  • Second, returns that make a consumer’s overall return behavior appear to be return abuse.

TRE states that it does not share its data among retailers. Access to information in their returns database is limited to the consumer, TRE, and the retailer that provided the data to TRE. In other words, TRE does not create a compilation of the shopper’s return activity across all merchants with which that individual shops. If the shopper has returned merchandise to several companies, a merchant will only see the returns for that specific retailer.

TRE does not actually set the return policies for participating retailers. The company gathers and supplies the data that subscribing retailers use to make return authorization decisions, and helps them determine their own return policies.

Can I see the information that The Retail Equation has about me?

Yes.  You can order a copy of your Return Activity Report from TRE. This report is a history of all your return transactions posted in those stores that use TRE. The report lists return activity information including the stores you have returned to and, for each return, the date and time, whether it was with or without a receipt, and the dollar amount. You may obtain a copy of your return activity report by sending an email to: ReturnActivityReport@TheRetailEquation.com. You should include your name and a phone number where TRE can reach you. When TRE calls, the company will ask for your driver’s license number and state, to enable a database search. (TRE states that they prefer to call consumers to avoid sending personal information via e-mail.)  For more information, see http://www.theretailequation.com/Consumers/ReturnActivityReport.aspx.

Can I dispute the information that The Retail Equation has about me?

TRE offers consumers the ability to dispute their Return Activity Report. If a consumer identifies any inaccuracy in his or her information, or if a consumer needs to change information in TRE’s files, the consumer should notify TRE in writing at The Retail Equation, P.O. Box 51373, Irvine, CA 92619-1373 so that they can investigate and update their records. See http://www.theretailequation.com/Consumers/FAQ.

You can read more about merchants' return tracking and TRE at http://www.usatoday.com/story/money/business/2013/08/12/retailers-tracking-customers-returns/2642607/.

5. Customer Loyalty Programs

Supermarkets, drugstores, coffee houses, and other retailers around the country use customer loyalty cards, which may also be called rewards cards, discount cards, or membership cards. Typically, consumers fill out an application to get the card, giving their name, address, e-mail address and sometimes other demographic information such as gender, phone number, birthday, or income. 

When customers show their card at checkout, they may be given a discount for items covered by the card that day. Some cards also accrue points that can be redeemed for various rewards, such as free merchandise, airline miles or cash rebates.

Customer loyalty programs allow the store to keep tabs on what customers buy and how often they shop. Merchants say this allows them to identify their most loyal customers, learn more about their buying habits, and offer such best customers the products and services they demand. However, some consumers and consumer-rights groups claim that the data collected by the stores violates privacy rights and may not even save consumers money.

In May 2015, American Express rolled out a new multi-store loyalty program called Plenti.  Unlike other loyalty programs, Plenti isn't tied to a single retailer.  It's being billed as the first multi-industry reward program. Initial participating retailers include Macys, RiteAid, Exxon-Mobil and other retailers.  Users don't have to have an American Express card. As the number of retailers and other businesses participating in the Plenti program grows, the potential privacy issues are likely to increase.

If you shop in California, the Supermarket Club Card Disclosure Act of 1999 provides you with some some protection.  This law prohibits supermarket club card issuers (1) from requesting driver's license numbers or Social Security numbers, and (2) from selling or sharing personal customer information.  There is, however, a limited exemption for membership card stores.  The law can be read at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1749.60-1749.66.

Do you save money?

By using cards to track purchase histories, stores can segment customers into groups based on how much and how often they purchase. Such information could help stores pinpoint the most desirable — that is, the most profitable customers -- and discriminate against the less profitable ones. Potentially, that could lead to tailoring prices to individual shoppers, much as airlines charge different prices for seats on the same plane.

Some studies have found that stores that use loyalty programs may actually increase the regular prices of items for non-club members making purchases more expensive for all buyers and reducing the margin of card members’ savings to almost nothing.

How can your purchasing history be used?

The data broker Oracle Datalogix claims to have data including almost every U.S. household and more than $1 trillion in consumer transactions.  This data comes primarily from loyalty cards at supermarkets and drug stores. By matching the email addresses or other personal information associated with loyalty cards to information used to establish Facebook accounts, Datalogix is able to track whether consumers purchase a product in a store after seeing a Facebook ad.  Consumers can opt out of all Datalogix-enabled advertising & analytic products at https://www.datalogix.com/privacy/ under the heading "Choice". Look for "If you wish to opt out of all Datalogix-enabled advertising & analytic products, click here."  You can learn more about how Datalogix shares your information by reading https://www.eff.org/deeplinks/2012/09/deep-dive-facebook-and-datalogix-whats-actually-getting-shared-and-how-you-can-opt.

Advertising Age Magazine has developed an interactive graphic that explains how information from a loyalty card purchase is almost instantaneously shared with dozens of other companies.  http://adage.com/article/dataworks/purchase-targeted-ads-data-s/240300/

Members of the Food Marketing Institute (FMI) have developed privacy principles that include allowing customers access to their data, giving them the ability to withdraw, and having all personally identifiable information about them deleted from the database. You can read the FMI guidelines at http://www.fmi.org/docs/policy-statements/consumer-privacy.pdf?sfvrsn=4

What can you do?

Many shoppers appear not to be terribly threatened or concerned that their “club memberships” might lead to compiling of personal information. But if you find the concept troubling, here are steps you can take:

  • Shop elsewhere. Voting with your wallet is always wise. Support stores that don’t use loyalty cards.  In June 2013, the Albertsons, Shaw's, Jewel-Osco, Star Market, and Acme supermarket chains discontinued their loyalty card programs. Conversely, Kroger and Safeway supermarkets and their affiliates are stepping up their efforts to provide more tailored pricing based upon a customer's purchase history.  You can learn more about these trends at http://business.time.com/2013/07/11/a-disloyalty-movement-supermarkets-and-customers-drop-loyalty-card-programs/
  • Try registering with a fictitious name and address. Some consumers have reporting registering with creative names such as “Kroger Shopper” or “Ralph’s Shopper”. If you use this method, be sure that you don’t use your card when making pharmacy purchases, since the store must have a record of your actual identifying information to fill a prescription.
  • If you ask, some stores will give you a loyalty card and allow you to mail in the registration form. Generally, the cards are valid even if you fail to mail in the registration form.
  • Opt out. Refuse to sign up for a card. This option will likely result in your paying higher prices. However, some sympathetic cashiers have been known to scan a “house card” for customers who do not have a card.
  • Seek access to your data. Find out how your store controls information and how you can get access to it. Ask the customer service representative to disclose your personal profile. If you want your profile removed, find out what’s required to do that.

6. Behavioral Targeting

Most consumers are aware that online merchants use various technologies that track their behavior when they shop online.  This practice is known as "behavioral targeting".  We explain how it works at https://www.privacyrights.org/fs/fs18-cyb.htm#BehavioralMarketing.  In addition, some online merchants engage in "dynamic pricing", charging different prices to different consumers for identical goods or services.  We explain dynamic pricing at https://www.privacyrights.org/fs/fs23-shopping.htm#dynamic.

In the past, it was difficult for "brick and mortar" retailers to engage in sophisticated tracking of their customers in the absence of the customer loyalty programs described in the preceding section.  Online retailers have had the advantage of collecting analytical data through browser cookies and other mechanisms, while "brick and mortar" retailers have not had those options available to them.

Many technological advances now permit retailers to track customers without their knowledge.  The extent of such tracking had been a well-kept secret of many retailers.  However, it seems that almost daily there are new revelations of tracking by retailers. 

Perhaps the most shocking example involved Target, which was able to figure out that a teenage girl was pregnant before her father did.  Whenever possible, Target uses a unique ID number (known internally as a Guest ID number) to identify its customers.  Every time you use a credit card or coupon, visit the Target website, open a Target email, call Target customer service, or interact with Target in any way, Target associates this information with your Guest ID number.  By data mining the pregnant teenager's purchase history, Target was able to know that she was pregnant because she purchased various items that were highly predictive of pregnancy.  In addition, Target can link demographic information (such as your age, marital status, number of children, distance from the closest store, and estimated salary) to your Guest ID number.  Target's data mining practices are both a fascinating and frightening story first revealed in this 2012 New York Times Magazine story: http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=all&_r=0

A March 2015 Accenture study concluded that while consumers want a personalized retail experience, they remain divided on retailers’ tactics and the type of personal information they are comfortable sharing.

7. Mobile Location Analytics

Many new technologies are emerging to enable brick and mortar retailers to keep up with their online competitors. Innovative use of video surveillance and signals from mobile devices are rapidly helping to close this information gap. Retailers are rapidly embracing these technologies, which create significant privacy concerns for consumers. Retailers can detect when you look at a product, how long you stay in the store, track your movement through the aisles, and potentially recognize you as a returning customer.  These retail analytics are rapidly changing traditional brick and mortar retail shops into "smart stores".

How are mobile devices used to track you in retail stores?

Most mobile devices (including smartphones and many wearable devices) emit a Wi-Fi MAC Address and a Bluetooth address.  Your MAC address is a unique 12-digit string of letters and numbers assigned to your phone or device. Retailers can use either their existing Wi-Fi or sensors placed throughout the store to detect your device's MAC address.  This practice is known as Mobile Location Analytics (MLA) technology.

iPhones equipped with iOS 7 or later include iBeacon, a microlocation feature that can provide very accurate location information to retailers which may be used to track and target consumers.  iBeacons send out messages to sensors inside your mobile device and are able to track a person's location within 6 meters.  Other store sensors can provide similar tracking infornation for smartphones that do not have iBeacon technology.

New smart LED light fixtures in retail stores can transmit a code to smartphones through phone cameras. These fixtures can pinpoint your location more accurately than other existing location-based technology, with accuracy down to 5 to 10 centimeters. 

Other technologies may also be used to track mobile devices.  Your mobile carrier may use location tracking.  Apps that you download onto your mobile device may use location services for analytics. 

Many consumers are expressing concern over retailers' tracking practices. In response, the retailer Nordstrom discontinued the use of this mobile device tracking technology because of customer complaints.  However, some shopping malls and other retailers continue to use this technology.  

The Future of Privacy Forum (FPF) is working with a group of leading technology companies to develop best practices for retail location analytics. These companies (including Euclid, WirelessWERX, Mexia Interactive and ShopperTrak), generate location reports by recognizing the Wi-Fi or Bluetooth MAC addresses of mobile devices as they interact with store Wi-Fi networks. 

For an interesting discussion of the latest technology related to loyalty programs and in-store purchases, read My Phone at Your Service.  You can learn more about the technical aspects of retail tracking by reading Privacy Trade-offs in Retail Tracking.

How can I prevent a retailer from tracking my mobile device?

To stop your MAC addresses from transmitting, you must either turn your device off or turn off both Wi-Fi and Bluetooth. Be sure to do so before you get close to the store, because the range of the retailer's sensors may extend beyond the store’s physical boundaries.

Remember that if you choose to use a retailer's Wi-Fi network, you will generally have to agree to its Terms and Conditions.  You should be sure to read them before clicking "Accept" so that you can understand how your information may be used.  Be aware that a retailer's Wi-Fi can capture your browser information, the URL of each page you visit, searches, products that you view on websites, and information that you enter into unsecured online forms.

What kinds of data do retail analytics companies collect about shoppers?

According to RetailNext, a company that offers real-time analytics to collect, analyze, and visualize in-store data, the following information may be collected:

  • The location of a smartphone or wireless computing device is collected by observing Wi-Fi or Bluetooth signals broadcast from that device. Individual devices are identified by a unique number (called a “MAC address”.
  • Data from video cameras is used to determine the paths people take through a physical space and to try to ascertain certain qualities about people, like age or gender.
  • When customers use guest Wi-Fi “hotspots” at their locations, registration is sometimes required. Registration data from these services is collected.
  • When customers use guest Wi-Fi “hotspots", information about use of the World Wide Web (non-secure web pages only), which may include browser information, the URL of each page visited, search terms used, products viewed and saved on retail websites, and information entered into online forms.

Can I be tracked as I move from one store to another?

Yes.  You can think of your MAC address as being used in a manner similar to the "cookies" used to track you as you move from one website to another.  Euclid Zero uses retailers' Wi-Fi to track shopper behavior from one store to another. It does this by collecting the MAC address of customers' mobile devices as they passively connect to participating retailers' Wi-Fi networks while shopping.  This data is put into a database that recognizes the MAC address of your device when it goes near any other Euclid customer’s Wi-Fi network.  Euclid then gives the data to the retailer.

Can I opt out of mobile location tracking?

You can opt out of mobile location tracking by companies that have signed on to FPF's MLA Code of Conduct.  Participating companies will no longer associate information about your presence at a venue with a MAC address. These companies will use your MAC address only to maintain the device’s opt-out status.

You may opt out of data collection by RetailNext by visiting their opt out page.

In April 2015, the Federal Trade Commission (FTC) reached a settlement agreement with Nomi Technologies, which had promised that it would provide an in-store mechanism for consumers to opt out of tracking and that consumers would be informed when locations were using Nomi’s tracking services.  The company’s privacy policy “pledged to… always allow consumers to opt out of Nomi’s service on its website, as well as at any retailer using Nomi’s technology.” While the company did provide an opt-out on its website, no such option was available at retailers using the service.

How can facial recognition be used to track you in retail stores?

Video surveillance, typically used to deter shoplifting, can also be used to engage in  facial recognition, whereby the approximate age and gender of a customer may be determined.  This may be used to customize advertising to a customer's demographic.  Video analytics can also ascertain where customers go in a store and which items they pick up.

Facial recognition software can also be used to identify important customers.  NEC's VIP Identification software can monitor data from surveillance cameras and match facial images against a retailer's customer database.  If it spots a match, an alert is sent to store employees.  The system can provide such details as the customer's size, preferences and shopping history. Currently, VIP customers opt in to the system, but it clearly has the potential to identify a broader range of customers.

8. Product Registration Forms

When you purchase an appliance or a consumer electronics product, you’ll likely find a product registration form included among the documents packaged with the product. Typically it’s a folding postcard, with survey questions on one side and a self-mailer on the other.

The first few questions on such registration cards are usually dedicated to the name and address of the individual who purchased the product, as well as specific information about the product — essential data for the purpose of informing the company that the individual now owns one of its products, useful information in case of a product recall.

But often the remainder of the card consists of a survey that asks the purchaser about his/her demographics and lifestyle characteristics, including:

  • How the customer learned of the product and how it will be used.
  • Number of people in the household, the respondent’s date of birth, marital status, and/or occupation.
  • Gender and ages of the children and other adults in the household, as well as family income level.
  • Whether the residence is owned or rented.
  • Types of credit cards used.
  • Leisure-time pursuits such as travel, cooking, sewing, hunting, golf, entering sweepstakes, real estate investing, civic activities, and collectibles.

Clearly, none of this demographics and lifestyle information is necessary to register the product with the company. Yet, usually nowhere on the registration forms is the individual told that providing answers to these questions is optional. Instead, there’s often a warning about the importance of filling out and mailing in the form, with the implication that failure to do so can invalidate the product warranty. In actuality, the consumer needs only to save the receipt to activate the warranty.

What most consumers do not realize is the postcards are not really returned to the company that manufactured the product. Rather, most such forms are mailed to a data aggregation company. Thus, a tremendous amount of highly detailed personal data is collected from unwary consumers who are led to believe that they are taking the important step of registering their product. This information can then be sold to or shared with data brokers and others for marketing and other purposes.

What can you do?

Don’t send in the product registration cards unless you’re comfortable with your personal information being collected and possibly distributed for other purposes such as marketing. Or, fill in only the questions pertaining to your contact information and the product you purchased. If the product has a safety aspect to it that could result in it being recalled someday, you might want to consider the latter approach – providing only your contact information and details about the specific product.

9. The Future of Consumer Data Gathering

As we’ve already seen, merchants are increasingly taking advantage of the power of big data to gather information about their customers. A growing practice among retailers is database marketing. 

In database marketing, merchants build files as they learn more about the customers who shop in their stores. They often enhance data they collect from customers with additional information purchased from other companies. Such data might include estimated income, average ages of family members, hobbies and interests, home ownership or rental, and so on.

They also can use it to market directly to their customers through mailed advertisements, alerting them to sales and special offers. Retailers claim that database marketing helps them improve services to their customers and develop a base of loyal shoppers.

But many consumers are concerned about what is done with the data that is compiled about them. Is it sold to other companies to generate unwanted mail and phone solicitations? Is it possible that this data might be used for purposes unrelated to marketing, such as government surveillance, employment background checks, law enforcement investigations, or insurance company research?

If you want to limit personal information that is collected by merchants, be assertive when asked for information that you do not feel is necessary for the transaction.

  • Ask why the information is required and what will be done with it.
  • Ask what benefit you receive for giving your personal information.
  • Ask to see the company's privacy policy. If the company does not have a policy, encourage management to develop one.
  • Do not provide non-essential information unless you are satisfied with the intended use. Be particularly firm in guarding your Social Security number (SSN). A few organizations have the right to demand it — federal and state revenue departments, motor vehicle officials, and social service agencies that oversee food stamps, child support, Medicare, and Medicaid. You have the right to refuse to give it to most other organizations, such as utilities, health clubs, credit bureaus, insurance companies and video stores. However, if you do refuse, they have the right to deny you service. Often, though, if you press your case and ask to speak to a higher-up, a compromise can be reached that will preserve the privacy of your SSN. See PRC Fact Sheet 10: “My Social Security Number: How Secure Is It?”  
  • Stay up on what the law allows. For instance, credit card industry rules and federal law prohibit merchants from printing more than the last five digits of an account number on a customer receipt. If a merchant is printing too much data on receipts, that may be your first clue that other holes exist in the way that merchant handles security.
  • Contact your state and federal legislators if you feel further legal protection is needed to address the growing practice of consumer data gathering by merchants.

10. Resources

Privacy Rights Clearinghouse Publications

Other Organizations

California Office of the Attorney General
Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244-2550
Telephone: (800) 952-5225 California only
Calls from outside of California: (916) 322-3360.
Web: www.ag.ca.gov

National Association of Attorneys General:
Contact information for state AGs: http://www.naag.org/current-attorneys-general.php

50-state directory of state, county, and city consumer protection offices in The Consumer Action Handbook of the Federal Consumer Information Center: www.consumeraction.gov/state.shtml

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering). Visit the CASPIAN Web site to learn more about the privacy implications of customer loyalty cards:
www.nocards.org

Consumer Reports' ShopSmart Magazine (March 2013) explains how stores spy on you using spy cams, smartphone tracking, personalized advertising, and return rewards.  http://www.consumerreports.org/cro/2013/03/how-stores-spy-on-you/index.htm


What Personal Information Should You Give to Merchants?

1. Introduction

Merchants, both at retail store locations and online, generally want as much information as possible about their customers so they can more precisely target offers to them. But in our information-centric society, where billions of bits of information can easily be collated and distributed, it’s not necessarily in consumers’ interest to have a lot of their personal data accessible. Seemingly innocuous customer information obtained from consumers at the cash register or online can be combined with data from other sources to obtain a surprisingly detailed portrait of an individual customer. 

Is it possible that in the not-too-distant future an insurance company could check the choices you make at the grocery store and penalize you if you bought, say, cigarettes or high-fat foods? Or, could law-enforcement officials scan store records to see if you acquired materials that could have been used in a crime?

The answer to the second question is “yes”.  The FBI recently was reported to have mined customer data collected by San Francisco-area grocery stores, hoping that sales records of Middle Eastern food would lead to Iranian terrorists. (http://news.cnet.com/8301-13739_3-9812473-46.html)

In this Fact Sheet, we look at common situations where consumers may be compelled, or may volunteer, to provide information as part of a transaction. You can decide if the benefits of giving that information outweigh the risks. If you want to limit your risks, we suggest safeguards you may wish to take. 

2. Paying by Credit Card or Check: What Can Merchants Ask?

Many states have laws that dictate what kind of information merchants can and cannot ask for or write down when a consumer pays with a check or credit card. Those states and their applicable laws are listed at http://www.privacyrights.org/fs/fs15plus.htm .

The remaining information in this section pertains specifically to California, except for the section entitled “Paying by Credit Card -- Merchant Rules,” which applies nationwide.

Two California laws limit the collection of personal information by merchants when you pay by credit card or check. These laws were enacted to prevent fraud and limit the amount of personal information which can be collected by merchants.

  • When a consumer pays with a credit card, the merchant cannot record any personal information other than what is on the front of the credit card. (California Civil Code § 1747.08).
  • When a consumer pays with a check, the merchant cannot record the credit card number. (California Civil Code § 1725).

2a. Paying by Credit Card:  California State Laws

What personal information can’t a merchant collect when a consumer pays with a credit card?

  • Merchants cannot request or require that the consumer write any personal information, including address and telephone number, on any form associated with the credit card transaction when the consumer uses a credit card to pay for goods or services.
  • In addition, the merchant cannot ask the consumer to provide personal information that the merchant then records.
  • Merchants cannot use forms with pre-printed spaces for personal information.

Are there any exceptions?

Yes. A merchant can collect personal information when:

  • The credit card is used as a deposit.                        
  • The credit card is used for a cash advance.
  • The personal information is needed for something incidental but related to the use of the credit card. An example would be the address to which the purchased product is to be shipped.
  • The merchant is required to collect information under a federal law or regulation.

California law does not prohibit a merchant from requiring a consumer who pays for goods or services by credit card to show identification such as a California driver’s license or California ID. If these are not available, another form of photo identification can be required to be shown. But merchants cannot write or record any information from these documents. As we explain in the next section, the major credit card company rules provide that merchants cannot make showing identification a condition of credit card acceptance.

Merchants can record the cardholder’s driver’s license number or identification card number on any form associated with the transaction if the cardholder pays with a credit card but does not provide the credit card. An example is if you are at a department store and forget your credit card but want to charge something to your account.

2b. Paying by Credit Card:  Merchant Rules

Can merchants accepting MasterCard or Visa require customers to show a driver’s license or other identification as a condition of credit card acceptance?

While merchants may ask a customer for identification, in most situations, a merchant may not condition acceptance of a Visa or MasterCard credit card upon the customer presenting identification. In other words, you can refuse to provide identification, and the merchant still must accept your credit card. Many merchants are unaware of this rule.

Be aware that identification may be required for purposes other than the credit card transaction, for example, when purchasing alcohol, tobacco products, or certain medications. Identification may also be required for unusual transactions flagged during the authorization process. 

Some consumers feel that asking for ID helps protect them from identity theft. But others want to protect their privacy and personal security by not revealing their address, birthdate, and other information contained on their driver’s license to a stranger.  If you want merchants to ask for your ID, sign your card and write “Ask for ID” below your signature. Be aware, however, that merchants are not bound to honor that instruction. If you do not want to show ID, simply sign your card and refuse to provide ID if asked.

The MasterCard Merchant Rules Manual provides as follows:

9.11.2 Cardholder Identification
A merchant must not refuse to complete a MasterCard card transaction solely because a cardholder who has complied with the conditions for presentment of a card at the POI [point of interaction] refuses to provide additional identification information, except as specifically permitted or required by the Standards. A merchant may require additional identification from the cardholder if the information is required to complete the transaction, such as for shipping purposes. A merchant in a country or region that supports use of the MasterCard Address Verification Service (AVS) may require the cardholder’s ZIP or postal code to complete a cardholder-activated terminal (CAT) transaction, or the cardholder’s address and ZIP or postal code to complete a mail order, phone order, or e-commerce transaction.
(http://www.mastercard.com/us/wce/PDF/MERC-Entire_Manual.pdf)

MasterCard has an online form for reporting merchant violations of this rule. Go to http://www.mastercard.us/support/merchant-violations.html and check the box: “The merchant/retailer required identification.”

The Rules for Visa Merchants provides:

When should you ask a cardholder for an official government ID? Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several states also make it illegal for merchants to write a cardholder’s personal information, such as an address or phone number, on a sales receipt.
(http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf,
Rules for Visa Merchants, page 29).

Unfortunately, the MasterCard and Visa Merchant Rules are often ignored by retailers. If you feel strongly about not showing identification as a condition of using your Visa or MasterCard credit card, you may wish to print out a copy of the relevant merchant rule (from the pdf links cited above) and ask to speak to a store manager.

2c. Paying by Check:  California State Laws

What personal information can’t a merchant collect when a consumer pays by check?

Merchants who accept a check for goods or services sold or leased at retail  cannot:

  • Require a consumer to provide a credit card or record the credit card number in connection with any part of the transaction.
  • Require a consumer to sign a statement agreeing to allow the consumer’s credit card to be charged to cover the amount of the check in case the check bounces.
  • Contact the credit card issuer to find out if the amount of credit available to the consumer will cover the amount of the check.

Are there any exceptions?

Yes. A merchant can request or record a credit card number in connection with payment by check when:

  • A check is used solely to obtain cash.                          
  • A check is used as a deposit.
  • A check is used to make a payment on that credit card account.

The following is also allowed when a merchant accepts a check for goods or services sold or leased at retail:

  • The merchant can request the consumer to voluntarily show a credit card. The only information that the merchant can record is the type of credit card (such as Visa and MasterCard), the issuer and the expiration date. The credit card number cannot be recorded on the check.
  • The merchant asking to see a credit card must inform the consumer that the credit card is not required to write a check. This can be done by either posting a notice that states “Check writing ID: credit card may be requested but not required for purchases,” or by training and requiring the employees to inform the consumer that the credit card does not have to be shown to write a check.

Further, the merchant can:

  • Require the consumer to provide a California driver’s license or a California ID number. Another form of photo identification can be required if these forms of identification are not available. It is not against the law for merchants to write ID numbers on checks.
  • Require, verify and record a consumer’s name, address and telephone number.
  • Require a check guarantee card and record the number, whether or not the check guarantee card is also a credit card.

2d. Compliance and Enforcement

What happens when a merchant breaks these laws?

In California, merchants may be fined up to $250 for the first violation and up to $1,000 for each subsequent violation. In addition, the court can order the merchant to stop violating the law. If the merchant violates the law, the consumer can do the following:

  • The consumer who has paid with the check or credit card may sue the merchant in small claims court. (In California, a lawsuit may be brought in small claims court for an amount up to $5,000. You can only file two small claims court actions in the state within one year in which you ask for more than $2,500.)
  • If the consumer feels that the merchant has broken the law against many customers, the consumer may want to consult an attorney to bring a class action suit. 
  • Another option is for the consumer to make a complaint to the Attorney General, the District Attorney or the City Attorney. If several complaints are received, they can choose to sue the merchant on behalf of California residents in Superior Court.

2e. Summary of California Merchant Laws

Here is a summary of California laws regarding payments to merchants by credit card and by check:

Any person or business establishment…..

is prohibited from.....

but may require.....

Consequences of violating this prohibition.....

accepting a credit card for the transaction of business

writing or recording personal information on any form used in the transaction. This includes but is not limited to address, telephone number and Social Security number.

showing a California driver's license or ID card [provided the information on these documents is not written or recorded on any form]

civil penalty of up to $250 for the first offense and $1,000 for second or subsequent offense.

Section 1747.08,
California Civil Code

accepting a check in payment for goods or services sold or leased at retail

• recording a credit card number;
• requiring that a credit card be shown as a condition of accepting the check (the card can be requested, but not required).

showing a California driver's license or ID card

civil penalty of up to $250 for the first offense and $1,000 for second or subsequent offense.

Section 1725,
California Civil Code

3. Signature-Capture Devices

What are signature-capture devices?

Signature-capture devices have been widely introduced in recent years by merchants. They are usually located at the cash register and are used when consumers pay by credit card. The signature-capture device records the individual's signature and stores it in a computer system.

According to merchants, signature-capture devices streamline their operations by saving them time and reducing the amount of paper generated. When there is a purchase dispute, it is easier for the merchant to locate the receipt by transaction number, using a computer, than locating the paper copy. Further, merchants point out that signature-capture devices reduce fraud because there is less paper containing sensitive information available for others to obtain. And they say sales clerks are more likely to check the customer's signature.

However, some consumers feel uncomfortable using signature-capture devices. They are concerned about the security of having their signatures stored electronically in a computer system. Would it be possible, for example, for someone to break into the company's computer system, obtain customers' digitized signatures, and then copy them for forgery purposes?

Although we haven’t heard of cases like that, the ingenuity of scam artists is boundless, and we will remain on the lookout. If you experience fraud or any other type of privacy abuse due to signature-capture devices, please let us know.

Are you required to sign a signature-capture pad?

Most merchants do not require that you sign a signature-capture device. However, sales clerks may be trained to encourage you to sign it. If you do not want to use a signature-capture device, you may have to be persistent and talk with a manager.

    4. Customer Loyalty Programs

Grocery stores, drugstores, and other retailers around the country use customer loyalty cards, which may also be called rewards cards, discount cards, or membership cards. Typically, consumers fill out an application to get the card, giving their name, address, and sometimes other information such as gender, phone number, birthday, email address, or income.

Some stores actually require consumers to provide a driver’s license or other identification to prove their identity before issuing a loyalty card. When customers show their card at checkout, they may be  given a discount for items covered by the card that day. Some cards also accrue points that can be redeemed for various rewards, such as airline miles or cash rebates. 

About 40% of food retailers offer loyalty programs, and three-quarters of customers participate, according to the Food Marketing Institute (www.fmi.org/docs/media/bg/loyaltymarketing.pdf). According to a 2004 poll conducted by Boston University’s College of Communication, 86% of American shoppers use some form of store card or discount card, “and the majority of them say the benefits of the card are worth giving up some privacy.”

Customer loyalty programs allow the store to keep tabs on what customers buy and how often they shop. Merchants say this allows them to identify their most loyal customers, learn more about their buying habits, and offer such best customers the products and services they demand. However, some consumers and consumer-rights groups claim that the data collected by the stores violates privacy rights and may not even save consumers money.

Longer-term, those critics say, the effect of this data collection could be even more troubling. Using cards to track purchase histories, stores could segment customers into groups based on how much and how often they purchase. Such information could help stores pinpoint the most desirable — that is, the most profitable customers -- and discriminate against the less profitable. Potentially, that could lead to tailoring prices to individual shoppers, much as airlines charge different prices for seats on the same plane.

Do you save money?

While such tailored pricing may be years away, critics say the loyalty cards already are being used to adjust prices. The result, they say, is that card-carrying consumers really don’t save anything while those who choose not to join card programs pay even higher prices. According to www.consumersaffairs.com, some studies have found that stores that use loyalty programs may actually increase the regular prices of items for non-club members, “making purchases more expensive for all buyers and reducing the margin of card members’ savings to almost nothing. ‘Everyday’ items can be marked up from 28-71% after card programs are introduced.”

Merchants claim that they only analyze aggregate (group) data. However, some critics have questioned whether it isn’t just a matter of time before records of individual consumer preferences are either sold to third parties or made available to investigatory agencies. In fact, some apparently isolated examples of that have occurred.

For example, in a Washington state case a few years ago, a suspected arsonist was arrested after police tracked down a fire-starter unit with a Safeway label attached. Safeway provided police with his purchase history. The charges were later dropped, but the point is that the store gave access to the customer’s personal information to authorities.

And in another case, the U.S. Drug Enforcement Agency subpoenaed records from the customer database of a supermarket chain in the Southwest looking to see if certain individuals had purchased large quantities of plastic bags commonly used in drug transactions. (Robert O’Harrow, “Bargains at a Price: Shoppers’ Privacy,” Washington Post, Dec. 31, 1998, p. A-1.)

In 2005, the drugstore chain CVS disabled a feature on its Web site after it was revealed that unauthorized persons could improperly obtain customer-purchase records by email. The company said the online feature was designed to provide customers with access to their own purchase information of over-the-counter medicines for tax purposes. (See Todd Weiss, “Privacy Fears Prompt CVS to Turn Off Online Service,” ComputerWorld, June 27, 2005.)

And in another case, users of General Nutrition Center’s Gold Card had their personal information posted on a Web site by one of the company executives who was selling the information to a partner company.

Sensitive to such possibilities, some industry groups are seeking to be proactive. For instance, members of the Food Marketing Institute have developed privacy principles that include allowing customers access to their data, giving them the ability to withdraw, and having all personally identifiable information about them deleted from the database. (See the guidelines at www.fmi.org/gr/consumerprivacyprogram.pdf.)

What can you do?

Many shoppers appear not to be terribly threatened or concerned that their “club memberships” might lead to compiling of personal information. But if you find the concept troubling, here are steps you can take:

  • Shop elsewhere. Voting with your wallet is always wise. Support stores that don’t use loyalty cards.
  • Try registering with a fictitious name and address. Some consumers have reporting registering with creative names such as “Kroger Shopper” or “Ralph’s Shopper”. If you use this method, be sure that you don’t use your card when making pharmacy purchases, since the store must have a record of your actual identifying information to fill a prescription.
  • If you ask, some stores will give you a loyalty card and allow you to mail in the registration form. Generally, the cards are valid even if you fail to mail in the registration form.
  • Opt out. Refuse to sign up for a card. This option will likely result in your paying higher prices. However, some sympathetic cashiers have been known to scan a “house card” for customers who do not have a card.
  • Seek access to your data. Find out how your store controls information and how you can get access to it. Ask the customer service representative to disclose your personal profile. If you want your profile removed, find out what’s required to do that.
  • Learn more about loyalty programs. CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) is a leading resource. It’s at www.nocards.org. For the food industry’s perspective, check out the Food Marketing Institute at www.fmi.org .
  • Read also “The Information Marketplace: Merging and Exchanging Consumer Data,” remarks of the Privacy Rights Clearinghouse before the Federal Trade Commission, pp. 5, 9. (www.privacyrights.org/ar/ftc-info_mktpl.htm

5. Product Registration Forms

When you purchase an appliance, like a microwave oven, or a consumer electronics product such as a computer, camera, or CD/stereo system, you’ll likely to find a product registration form included among the documents packaged with the product. Typically it’s a folding postcard, with survey questions on one side and a self-mailer on the other.

The first few questions on such registration cards are usually dedicated to the name and address of the individual who purchased the product, as well as specific information about the product — essential data for the purpose of informing the company that the individual now owns one of its products, useful information in case of a product recall.

But often the remainder of the card consists of a survey that asks the purchaser about his/her demographics and lifestyle characteristics, including:

  • How the customer learned of the product and how it will be used.
  • Number of people in the household, the respondent’s date of birth, marital status, and/or occupation.
  • Gender and ages of the children and other adults in the household, as well as family income level.
  • Whether the residence is owned or rented.
  • Types of credit cards used.
  • Leisure-time pursuits such as travel, cooking, sewing, hunting, golf, entering sweepstakes, real estate investing, civic activities, and collectibles.

Clearly, none of this demographics and lifestyle information is necessary to register the product with the company. Yet, usually nowhere on the registration forms is the individual told that providing answers to these questions is optional. Instead, there’s often a warning about the importance of filling out and mailing in the form, with the implication that failure to do so can invalidate the product warranty. (In actuality, the consumer needs only to save the receipt to activate the warranty.)

What most consumers do not realize is the postcards are not really returned to the company that manufactured the product. Rather, most such forms are mailed to a data aggregation company. Thus, a tremendous amount of highly detailed personal data is collected from unwary consumers who are led to believe that they are taking the important step of registering their product. The opt-out notices on such forms are usually written in vague terms. They are printed in extremely small type, significantly smaller than the remainder of the form. And such notices are usually placed at the end of the survey, not at the top.

The Privacy Rights Clearinghouse believes these so-called registration cards are one of the more deceptive data collection practices in existence today.  See our comments to the FTC at http://www.ftc.gov/bcp/workshops/infomktplace/comments/givens.htm

What can you do?

Don’t send in the product registration cards unless you’re comfortable with your personal information being collected and possibly distributed for other purposes such as marketing. Or, fill in only the questions pertaining to your contact information and the product you purchased. If the product has a safety aspect to it that could result in it being recalled someday, you might want to consider the latter approach – providing only your contact information and details about the specific product.

6. The Future of Consumer Data Gathering

As we’ve seen in this Fact Sheet, merchants are increasingly taking advantage of the power of computers to gather information about their customers. A growing practice among retailers is database marketing. 

In database marketing, merchants build files as they learn more about the customers who shop in their stores. They often enhance data they collect from customers with additional information purchased from other companies. Such data might include estimated income, average ages of family members, hobbies and interests, home ownership or rental, and so on.

They also can use it to market directly to their customers through mailed advertisements, alerting them to sales and special offers. Retailers claim that database marketing helps them improve services to their customers and develop a base of loyal shoppers.

But many consumers are concerned about what is done with the data that is compiled about them. Is it sold to other companies to generate unwanted mail and phone solicitations? See PRC Fact Sheet 4 (“Junk Mail: How did They Get My Address?”) http://www.privacyrights.org/fs/fs4-junk.htm
and Fact Sheet 5 (“Telemarketing: How to Have a Quiet Evening at Home”) http://www.privacyrights.org/fs/fs5-tmkt.htm.

Is it possible that someday this data might be used for purposes unrelated to marketing, such as government surveillance, employment background checks, law enforcement investigations, or insurance company research? While this may sound farfetched to many, no laws prevent these types of uses of marketing data, and as we’ve seen, at least isolated cases exist.

If you want to limit personal information that is collected by merchants, be assertive when asked for information that you do not feel is necessary for the transaction.

  • Ask why the information is required and what will be done with it.
  • Ask what benefit you receive for giving your personal information.
  • Ask to see the company's privacy policy. If the company does not have a policy, encourage management to develop one.
  • Do not provide non-essential information unless you are satisfied with the intended use. Be particularly firm in guarding your Social Security number (SSN). A few organizations have the right to demand it — federal and state revenue departments, motor vehicle officials, and social service agencies that oversee food stamps, child support, Medicare, and Medicaid. You have the right to refuse to give it to most other organizations, such as utilities, health clubs, credit bureaus, insurance companies and video stores. However, if you do refuse, they have the right to deny you service. Often, though, if you press your case and ask to speak to a higher-up, a compromise can be reached that will preserve the privacy of your SSN.

See also Fact Sheet 10 “My Social Security Number: How Secure Is It?” and Fact Sheet 10a “Social Security Numbers: Frequently Asked Questions.”  http://www.privacyrights.org/fs/fs10-ssn.htm  and  http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm

  • Stay up on what the law allows. For instance, credit card industry rules and federal law prohibit merchants from printing more than the last five digits of an account number on a customer receipt. If a merchant is printing too much data on receipts, that may be your first clue that other holes exist in the way that merchant handles security.
  • Obtain the Privacy Rights Clearinghouse’s “wallet card” for consumers stating merchants’ information-gathering limits under California law when a consumers pays by check of credit card. PRC also offers a 5x8-inch “merchant placard” to post next to cash registers to remind clerks and customers of the provisions of those laws. http://www.privacyrights.org/fs/fs15a-cards.htm
  • Contact your state and federal legislators if you feel further legal protection is needed to address the growing practice of consumer data gathering by merchants.

7. Resources

Privacy Rights Clearinghouse Publications

Content type: 
Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.