Loyalty for data: what do retailers know about you?

Loyalty and reward programs offered by retailers are supposed to be based on mutual benefit. It's in the name. Loyalty for a particular supermarket is rewarded with discounts. Unsurprisingly, to know what deals might lure a customer, retailers employ similar tactics to the tech behemoths. They collect your data.

Every time we swipe a loyalty card, shop online, or give away our data in exchange for a discount, our details are collected, stored, and analyzed to create a better picture of who we are and what we like. As with online services that are marketed as free of charge, we pay for discounts with our data. 

A recent report by engineers at Mackeeper, a cleaning, security, and performance tool for Mac, shows how retailers can use the information on people’s shopping habits to describe most personal interests. Retailers can later exploit that data to offer you products you didn't even know you needed. 

The authors of the study surveyed 2,000 adults on which product they regularly bought, then collated the answers with demographic data to extrapolate what sort of insights can be drawn for this type of information. The study mimics the data collection practices that retailers employ when customers use loyalty or club cards. 

But I doubt people understand how much data is being collected, how it could be used, how it might be sold to other companies, how third parties might have access to it,

Dave Hatter.

For example, a specific time for shopping allows retailers to determine whether a customer is employed. A tendency to choose products on sale may indicate that a person is on a budget or susceptible to discounts. Sex-related purchaces might signal particular interests whereas hair dye point to a particular age.

Similar information coupled with movement tracking and other pieces of information allows retailers to build a convincing profile of a customer and target them with ads. 

Some experts fear that accurate profiles allow traders to have an advantage over unsuspecting customers, nudging them to behave in ways that correspond with the retailers',  rather than shoppers’, interests. 

To find out more about what sort of information supermarkets collect about their customers, how they use it, and what dangers may be hidden from view, CyberNews sat down to talk with Dave Hatter, a cybersecurity expert at the Cincinnati-based cybersecurity company IntrustIT.

Hatter, who is not related to the previously mentioned study, told CyberNews that it is doubtful that people who use loyalty programs are aware of the scale of data collection that retailers take part in. 

"I know some of these companies use third parties to analyze this data. They're selling it to other companies. They're combining it with data from other data brokers and so forth to create a more complete profile," – he explained. 

Hundreds of millions of people around the globe use loyalty programs for discounts every day. Do you think the general population is well informed that they pay for discounts with their data?

I think probably everyone has at least a very high-level understanding that they're exchanging the information about all the stuff they're purchasing with. But I doubt people understand how much data is being collected, how it could be used, how it might be sold to other companies, how third parties might have access to it. I know some of these companies use third parties to analyze this data.

They're selling it to other companies. They're combining it with data from different data brokers and to create a more complete profile. And I would say the average non-technology person probably doesn't understand how much data is being collected and how detailed of a profile is potentially being created about them.

If you look at the privacy policies of different organizations, I'm sure they'll tell you that they're going to collect a ton of information about you, and from their perspective, the more, the better. But why would a store need my driver's license number? What other than to match me up to other data sources that might have that. Why does a store need my age? I understand that once they know my age, they can put me into specific demographic categories.

The data collected, however, is supposed to help provide customers with tailor-made discounts. Do you see potential for misuse of data in this context? 

In my mind, this whole issue cuts both ways. Yes, the more data you give up, the better the store can personalize offers to you. They know what you want. And it can create a lot of conveniences and a lot of personalized offers specifically for you. But of course, all that information paints a very detailed profile for you. And I don't think most consumers consider the flip side.

All that information paints a very detailed profile for you. And I don't think most consumers consider the flip side,

Dave Hatter.

For example, if the privacy policy that you agreed to when you signed the terms and conditions, which I'm sure the vast majority of people don't read, say, we're going to sell your data to third parties. Is it helpful to you that your life insurance company or your health insurance company knows that you go through six gallons of vodka a week or 12 pounds of bacon a week? 

I'm saying, no, it's probably not helpful to you. Now, there may be some mitigating circumstances why you're doing that. Maybe you own a bar, and that vodka is being served to your customers. Can health insurance connect all those dots? I don't know. Can people, companies, organizations, governments draw conclusions about you or at least infer things about you from the things you're buying?

Well, of course, they can. And if they have 50 data points, that's one thing. If they buy data from Facebook, Google data brokers, et cetera, and they have 5,000 data points on you, and they have four- or five years' worth of everything you've ever bought. They're going to know more about you than you do.

They're going to know precisely what you're likely to do next. They're going to know exactly how to convince you to buy certain things. So to me, this cuts both ways. I get the personalization. I'm just saying I don't think the average person who's not in technology realizes how much data is being collected, how that data could be used to influence you to nudge you.

And let's take into account all the continuous data breaches. There are examples of this type of data out there being leaked in the past. Even if you trust any well-known retailer across the globe if they're selling your data to someone else, can you trust them to keep your data safe? Even if they have the best intentions, could someone make a mistake and suddenly now critical data about you shows up. 

With that in mind, it's not that often we hear about large retailers in the context of data collection. However, some of the largest supermarkets have data on hundreds of millions of customers worldwide. Does that mean retailers are somehow better when it comes to data protection compared to large tech companies?

One of the reasons you may not hear too much about it is because these companies probably don't want to make targets of themselves. And the more information they put out there about what they're doing to protect it, unfortunately, gives the bad guys information about how to defeat it. 

I could certainly understand why they might take the silent approach from a security perspective because the less they say, the harder it is for someone to figure out what they're doing and how they might defeat it. 

Going back to one of your earlier points, don't give up real information. Don't give out any more information than you have to. Use a secondary email address. I think people are slowly starting to wake up to the fact that their data is being collected and sold to third parties. I believe they are beginning to wake up, but I know that for a long time, people told me I was nuts about this stuff.

Companies that collect data will tell you that they anonymize the data so that even if it's stolen, bad actors can’t use it against whoever the information is about.

They claim it's anonymized, and I'm not necessarily disputing their claim. However, you can find plenty of studies that show that with as little as four data points, you can generally de-anonymize data and uniquely identify a person. 

I think there's a risk to people. And I think the risk is, again, two-fold. How is your data being accumulated, and how are dossiers or profiles being created about you that are being used in ways you could never possibly anticipate.

Leave a Reply

Your email address will not be published. Required fields are markedmarked