Toys ‘R’ Us Sued for Net Privacy Violations

Toysrus.com violated its own privacy policy by providing marketers access to its customer data, according to a charge leveled against the online toy seller in a class action suit filed July 28th in a San Francisco federal court.

Notably, the plaintiffs are not Toysrus.com’s only accusers. Interhack, a Columbus, Ohio, developer of online security and privacy tools, recently accused Toysrus.com, Lucy.com and Fusion.com of sharing personal information with online market research firm Coremetrics.

According to the class action complaint, Toysrus.com “has implemented a sophisticated and covert scheme to wrongfully intercept, transmit, record and compile” personal information.

Tracking Behavior

At the heart of the issue is whether consumers are specifically told that their personal information — including names, addresses, browser history and order details — is being transmitted directly to Coremetrics.

The privacy policy posted at Toysrus.com alludes to the sharing of data with third parties by saying that consumers’ data may be shared with “trusted service providers who provide specific services” and that the company may “also use a service provider to assist us in aggregating guest information.”

However, the policy specifically states that the accumulated information will not be used to identify an individual guest, and that the company does not “sell or rent personally identifiable information.”

A Customer Shopping Dossier

Paul Graves, Technical Manager for Interhack, told the E-Commerce Times that he believes Toysrus.com violated its customers’ trust. According to Graves, while it did tell customers that their information might be shared with a third party, Toysrus.com does not tell them who the third party is or provide a way for them to opt-out of this third party data collection.

The real problem, according to Graves, is not that Coremetrics is collecting data from Toysrus.com customers, but that the company is collecting data from a variety of sites. That means that Coremetrics could — through the use of a cookie that is placed on users’ hard drives every time they visit a Coremetrics customer — aggregate information from a variety of merchants to develop a complete shopping dossier on a consumer.

Graves added that while there was no indication that Coremetrics was linking data, “There is a potential of abuse of someone breaking into their system or walking out with data.” By performing a simple query, Graves said, someone could use the Coremetrics cookie to link data about shoppers from a variety of merchants.

The personal information is being transmitted to Coremetrics via a variety of measures, including “cookies” and encrypted messages sent when shoppers purchase something at Toysrus.com or its subsidiary site, Babiesrus.com. Graves believes the solution is as simple as doing away with the Coremetrics cookie and using only merchant cookies that cannot be linked.

No Harm, No Foul

In response to Interhack’s accusations, Coremetrics issued a statement on its Web site saying that there “is no reporting of user-browsing behavior across unrelated merchant sites” and that each merchant receives reports based only on consumers’ behavior at their site.

Coremetrics also said that it “strongly encourages” all of its clients “to disclose their consumer data collection practices and link directly to the opt-out form.”

Another merchant fingered by Interhack for sharing data with Coremetrics, Lucy.com, has changed its privacy policy to include a link to the Coremetrics opt-out page.