
Retailers’ privacy policies ‘in urgent need of an overhaul’

Posted on: Friday 27th of January 2012

Phew! It has taken us six months but we got there in the end. Today (27 January), in the lead-up to Data Protection Day (28th January), we’ve published new research assessing the privacy policies of the UK’s top 100 online retailers – the sector where many consumers most commonly experience the benefits and pitfalls of e-commerce.

We don’t think anyone has ever done this before and now we’ve got to the end, we’re not surprised. The project kicked off in the summer of 2011 when we started to think through an objective assessment of the state of the nation in terms of the relationship between companies and their customers.

Our first task was to find a sensible group of companies to assess and, although we wanted to include many, many more companies, we had to start somewhere and the top 100 etailers was a good place. But getting the assessment framework right took us three months of testing, re-testing and re-assessment. In the end, the actual data collection and analysis took us just two weeks – the last two weeks of December. So our research is as fresh as it could be.

We found enormous variation in the customer friendliness of their privacy policies and about half are in urgent need of overhaul – especially in light of the new Data Protection legislation announced this week. None have yet implemented new European ‘cookie laws’ which come into force in the UK in May 2012.

However, we’d like to reflect on some of the broader issues the research process revealed.

1. What policy or process is a customer actually following?

We agonised over this last summer. In the end we plumped for the purist approach – the privacy policy is what sets the guidance over the retailers’ principles. Yet when we got to the end and were checking the results it was clear that principle and practice vary.

Here’s Ikea’s contradiction – the policy states your personal information will be used to send you information. Yet if you register for an account, you actually have to opt in to get information from Ikea. There’s definitely another even longer piece of work to assess these retailers for their terms and conditions as well.

We conclude that, as it is so hard for us “experts” to work out what is happening to personal data, it is impossible for the customer.

2. The retailers themselves aren’t geared up to deal with comments about privacy.

We wanted to check the factual accuracy of our analysis with each and every retailer so we created and sent to them a ‘data checking sheet’. We know we got some stuff wrong (by accident, of course) but to date only one retailer has got back to us with substantial comments. That company, Virgin Atlantic, stands out because it was one of only eight companies that gave an email address that went to the “privacy team”. Many retailers direct queries to customer services but quite a few have a “fill in this form” process which doesn’t obviously handle general queries. But some are even worse for basic customer care. Try finding a human being to contact on, for example, the Amazon or Apple websites. We despair.

3. The law is difficult to implement.

No one has yet managed to comply with the so-called cookie law. In our minds, the law is definitely trying to do the right thing – get the data sharing relationship between two parties clear. But in practice, it is not stacking up – you can’t really expect a casual user to know what they are signing up to by accepting cookies (and indeed, do you need a cookie to remember that someone has not ticked a box??). Though the best retailers (well done Schuh) do their best to explain it, it still requires some basic understanding of technology which shouldn’t be necessary. But retailers who hide behind the “it’s too difficult” argument really do run the risk of alienating savvy customers.

4. Obfuscation is the name of the game.

Overall, we came away with a sense that many major retailers are simply confused about what they are trying to do. On the one hand they want to protect this (your) valuable data but on the other, they tend to use mealy-mouthed phrases like “we may pass on your details to selected third parties”. Tesco is a case in point. Tesco explicitly states they will not pass on details to third parties. However, what Tesco hides is that when you sign up for an account, you are automatically signed up to third party mailings … managed by Tesco! So yes, your data is not shared but you may still get mailings that you don’t want. The point here is that a good data sharing relationship would make this clear. Instead we get the impression that companies are in a mode of seeing what they can get away with.

We’d love to extend our research – both in breadth (other sectors) and depth (terms and conditions, newsletter sign ups, managing accounts etc). So if you’ve got any thoughts, do get in touch.

Ctrl-Shift’s Report ‘How customer friendly are retailers’ privacy policies?’ is freely available from our website here and summarises the detailed findings.

Ctrl-Shift’s Privacy Report Data Set (£2450+VAT) collates all top 100 retailers’ privacy policies (as of December 2011), provides a detailed scoring and commentary on each policy and ranks how each company scores on ten different criteria. This is available here.