Businesses gather more information than they need from consumers

by David Lazarus, Los Angeles Times

loyalty_cards_ccMoira Hahn, like many consumers, always took it for granted that businesses wanted as much of her personal information as they could get.

She didn’t really start thinking about how such practices could come back to bite her until she became one of the millions of Target customers recently warned that her sensitive data could be in the hands of hackers.

Credit and debit card numbers of as many as 110 million Target shoppers, along with their names, addresses and other info, were jeopardized after the company’s databases were accessed after Thanksgiving by identity thieves.

So it was with a considerably bruised sense of privacy that Hahn, 57, of Long Beach, was asked by a Rite Aid drugstore the other day to part with her name, address and other info if she wanted to pay a reasonable price for cold medicine.

“I’m furious,” she told me. “I don’t want these corporations tracking me, mining my data and leaking my information all over the universe.”

Rite Aid is by no means alone in trying to collect reams of information about its customers. Almost all businesses and organizations have similar practices.

They often combine their own databases with information purchased from so-called data brokers to amass detailed files on people that can be used for marketing purposes or possibly sold to other companies for their own solicitations.

I wrote on Tuesday about the need to make credit and debit cards more secure. It’s similarly clear that strong rules should be enacted for collection and use of people’s personal data.

“Businesses aren’t protecting information the way it needs to be protected,” said Stan Stahl, president of the Los Angeles branch of the Information Systems Security Assn., a tech-security trade group.

He said a benefit of such extensive — and intrusive — information-gathering is that businesses have a better sense of what specific customers may want. He said his wife is glad to receive coupons for Pavilions supermarket based on her past shopping trips.

“On the downside,” Stahl said, “companies are collecting more information than they need. This is information that they may not even use now but will instead maybe use at some point down the road. It’s too much.”

That’s the thing: How much is enough? Obviously businesses require certain information from customers to process non-cash transactions.

But when even the most routine retail experience turns into a data grab, consumers have every reason to wonder why so much information is being sought — and how it’s going to be used.

Ashley Flower, a Rite Aid spokeswoman, said the company seeks the name, mailing address, email address and phone number of people enrolling in the company’s rewards program to contact customers “who are open to receiving communication from us.”

Ah, but are they? It seems fair to assume that no one would willingly part with their personal info if they weren’t being offered something attractive in return — in this case, a discounted price for everyday purchases.

You could say that no one forces people to join rewards programs, so people like Hahn have no right to complain. But the upshot is that people who care about their privacy end up paying higher prices than people who don’t.

That’s a form of retail extortion: Cough up your confidential info or pay more money.

I asked Flower why Rite Aid doesn’t just offer lower prices to everyone. Clearly the company isn’t losing money even with the discounted prices.

Flower said Rite Aid’s wellness+ program, like all such rewards plans, is designed to get people to shop more at the company’s stores.

“Customer participation in the program is required to allow us to identify their spending and reward them for their business,” she said. “Requiring the card to enjoy our discounted prices allows us to ensure customers are using their card with every transaction in order to fully realize their earned rewards.”