Notably, the plaintiffs are not Toysrus.com’s only accusers. Interhack, a Columbus, Ohio, developer of online security and privacy tools, recently accused Toysrus.com, Lucy.com and Fusion.com of sharing personal information with online market research firm Coremetrics.
According to the class action complaint, Toysrus.com “has implemented a sophisticated and covert scheme to wrongfully intercept, transmit, record and compile” personal information.
At the heart of the issue is whether consumers are specifically told that their personal information — including names, addresses, browser history and order details — is being transmitted directly to Coremetrics.
However, the policy specifically states that the accumulated information will not be used to identify an individual guest, and that the company does not “sell or rent personally identifiable information.”
A Customer Shopping Dossier
Paul Graves, Technical Manager for Interhack, told the E-Commerce Times that he believes Toysrus.com violated its customers’ trust. According to Graves, while it did tell customers that their information might be shared with a third party, Toysrus.com does not tell them who the third party is or provide a way for them to opt out of this third-party data collection.
The real problem, according to Graves, is not that Coremetrics is collecting data from Toysrus.com customers, but that the company is collecting data from a variety of sites. That means that Coremetrics could — through the use of a cookie that is placed on users’ hard drives every time they visit a Coremetrics customer — aggregate information from a variety of merchants to develop a complete shopping dossier on a consumer.
Graves added that while there was no indication that Coremetrics was linking data, “There is a potential of abuse of someone breaking into their system or walking out with data.” By performing a simple query, Graves said, someone could use the Coremetrics cookie to link data about shoppers from a variety of merchants.
The personal information is being transmitted to Coremetrics via a variety of measures, including “cookies” and encrypted messages sent when shoppers purchase something at Toysrus.com or its subsidiary site, Babiesrus.com. Graves believes the solution is as simple as doing away with the Coremetrics cookie and using only merchant cookies that cannot be linked.
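The linkage Graves describes, and the fix he proposes, can be shown with a small model. This is an added example, not code from the article, Interhack or Coremetrics; the merchant names, events and cookie ID format are constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample: one shopper's activity at three unrelated merchants.
MERCHANTS = ["merchant-a.example", "merchant-b.example", "merchant-c.example"]
EVENTS = [
    ("merchant-a.example", "ordered crib"),
    ("merchant-b.example", "viewed vitamins"),
    ("merchant-c.example", "ordered perfume"),
]

def collector_rows(events, cookie_for_site):
    """Rows a data collector would store: (cookie_id, merchant, detail)."""
    return [(cookie_for_site(site), site, detail) for site, detail in events]

def cross_merchant_dossiers(rows):
    """Group rows by cookie ID; keep only IDs seen at more than one merchant."""
    by_id = defaultdict(list)
    for cookie_id, merchant, detail in rows:
        by_id[cookie_id].append((merchant, detail))
    return {cid: seen for cid, seen in by_id.items()
            if len({merchant for merchant, _ in seen}) > 1}

def shared_cookie_rows():
    # One cookie set from the collector's own domain: the browser sends the
    # same ID from every merchant site that embeds the collector.
    shared_id = secrets.token_hex(8)
    return collector_rows(EVENTS, lambda site: shared_id)

def merchant_cookie_rows():
    # Each merchant sets its own cookie with an independent random ID, so the
    # collector never sees a common value across sites.
    per_site = {site: secrets.token_hex(8) for site in MERCHANTS}
    return collector_rows(EVENTS, lambda site: per_site[site])

if __name__ == "__main__":
    print("shared cookie  :", cross_merchant_dossiers(shared_cookie_rows()))
    print("merchant cookie:", cross_merchant_dossiers(merchant_cookie_rows()))
```

The model covers only the cookie identifier; if the stored rows also carry a name or address, those fields can serve as join keys as well.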
No Harm, No Foul
In response to Interhack’s accusations, Coremetrics issued a statement on its Web site saying that there “is no reporting of user-browsing behavior across unrelated merchant sites” and that each merchant receives reports based only on consumers’ behavior at their site.
Coremetrics also said that it “strongly encourages” all of its clients “to disclose their consumer data collection practices and link directly to the opt-out form.”