The Candid Voice in Retail Technology: Objective Insights, Pragmatic Advice

Should You Care about Google's Security Gaffe?

Lately when I use Google, a message appears: “We’re changing our privacy policy and terms. This stuff matters. Learn more/Dismiss.” There’s an inherent irony in that little statement, given the news about Google’s recent security gaffe. Last week, a Stanford University research paper uncovered how Google works around the Apple Safari browser’s “do not track” feature with its “Doubleclick” ad network (there’s another irony in that: Google has its roots as the search engine used by This is a big deal because Safari is the browser used on iPhones. Google responded very quickly to the revelation, calling the problem a “temporary communication link between Safari browsers and Google servers.” Rachel Whetstone, senior vice president of communications and public policy at Google, assured the world that, “it’s important to stress that, just as on other browsers, these advertising cookies (used in Safari) do not collect personal information.” Apple had a different response. Company spokesman Bill Evans said, “we are working to put a stop to it.”

The question is, should you care? Perhaps, like many people you subscribe to Sun Microsystems (now part of Oracle) founder Scott McNealy’s famous admonition that “you have zero privacy anyway… get over it.” However, to the extent that the Internet and mobile computing are fast becoming extensions of businesses worldwide, there is a reason to pay attention to this and similar privacy issues with the big portals and social networks such as Facebook. That reason is that the U.S. Federal government is interested, too.

Congressional Ire

News networks reported on February 18 that Congressmen Edward Markey and Joe Barton (co-chairmen of the Bi-partisan Congressional Privacy Caucus) and Cliff Sterns (chairman of the Subcommittee on Oversight & Investigations) have asked the Federal Trade Commission to investigate whether Google’s gaffe violates a recent settlement that prohibited the company from “future privacy misrepresentations.” Sen. Jay Rockefeller (D-WV) chimed in as well: “This practice may have violated the company’s own stated privacy practices… I fully intend to look into this matter and determine the extent to which this practice was used by Google and other third parties to circumvent consumer choice.”

The Congressional Privacy Caucus has been in the news a lot lately. Specifically, the caucus has urged Congress to amend the Children’s Online Privacy Protection Act of 1998 to “extend, enhance, and revise the provisions relating to collection, use, and disclosure of personal information of children and to establish certain other protections for personal information of children and minors.” And in January, the caucus also wrote a letter the chairman of the Federal Trade Commission (FTC) urging oversight of emerging facial recognition technologies. The letter stated: “Currently, there are a number of companies that have implemented both facial recognition and facial detection technologies for the stated purpose of enhancing the user experience. We are deeply concerned about how the use of these technologies impact the level of protection for consumers’ personal information.”

A much broader bill called the Kerry-McCain Commercial Privacy Bill of Rights Act of 2011 seeks to impose new rules on companies that gather personal data, including offering people access to data about them, or the ability to block the information from being used or distributed. The Kerry-McCain bill, along with several other privacy-related proposals, was referred to committee last year.

It’s fairly common knowledge that Congressional caucuses and committees issue all kinds of statements and recommendations, and that most of those never translate into laws or regulations, But as the capabilities of consumer-focused technologies advance, so does the din of rhetoric coming from legislative bodies. And even if governments choose not to proactively address consumer privacy issues on the Internet, the courts might. For example, last week in the state of Illinois, a man file a class action suit against Google for the Safari gaffe.

The FTC under the Obama administration has indicated that privacy enforcement efforts will focus on companies that do not adequately make consumers aware of their data collection practices, even if they do not involve personally identifiable information or create a financial risk to individuals. The Administration plans to release a consumer bill of rights soon, which according to U.S. Deputy Chief Technology Officer Daniel Weitzner will be “voluntary but enforceable.”

Retail’s Response?

The two top Retail trade groups in the U.S., RILA (Retail Industry Leaders Association) and the NRF (National Retail Federation), both are focusing on governmental response to privacy concerns. RILA’s website states the organization’s overall position:

  • Self-regulation continues to be the most appropriate and effective framework for protecting consumers’ privacy.
  • FTC, Commerce and Congress must be cautious and include flexibility in any new framework that might be adopted down the road. Then as technology advances, companies can more easily adapt as opposed to having to deal with rigid government standards that can’t be changed quickly to reflect consumers’ evolving wants and needs and improvements in technology.
  • Simplicity, reliability, and universality for all stakeholders

Last April, the NRF spoke out about the Kerry-McCain bill: “Privacy legislation introduced in the Senate this week is overly broad and could subject consumers to a blizzard of privacy notices that would do little to prevent identity theft or address other serious privacy concerns….” And in a February 2012 Policy Council Issue Summary, the NRF stated its position about current proposed legislation:

“NRF remains engaged in this issue to protect retailers’ relationships with their customers and promote growth and innovation in the retail industry. Online merchants have been specifically targeted by some of the proposals but, onerous as they are, the spill-over to brick and mortar merchants would be even worse… NRF opposes granting the FTC APA rulemaking authority to unilaterally expand the definition of personal information or responsibilities of companies after a breach.”

In other words, both trade organizations are opposed to government imposition of tough regulations. The obvious problem with that is that if consumers get riled up enough about this stuff, government may act without much regard for the trade associations’ concerns.

This Stuff Matters

Since first studying the joint issues of data security and consumer privacy, RSR has observed that consumer privacy affects the perception of the retailer’s Brand, and therefore should be addressed proactively. Simple case in point: in my family, we had an occasion to buy lots of new baby products. We shopped one store in particular, but quickly discovered that the retailer has sold our name to a list. We stopped shopping there (but we’re still getting a ridiculous number of catalogs in the mail). Internet portals basically do the same thing, but in real time, and so the need to be proactive is even more important.

Whatever the solution to protecting information about individual browsing and shopping patterns, lifestyle information, and payment data is (whether it’s ultimately technology-based, contractually mandated, or legislated), “this stuff matters”, just as the Google pop-up window says on my browser. Retailers should get involved with the trade organizations and government representatives to help ensure that the ultimate solution is something the industry can live with while still being respectful of consumer’s right to privacy.

You must be a member and logged in to view comments

Articles & Opinions February 21, 2012