E-commerce tracking practices raise privacy questions

With online sales expected to top $100 billion this holiday season, e-commerce companies are increasingly relying on sophisticated software to convert visitors to their websites into customers, preferably repeat ones. Online shopping sites track all manner of info as visitors click around and fill -- or don't fill -- their carts.

Among the information web merchants track are visitors' product searches, the pictures they click on and what items they put into their cart regardless of whether they actually make a purchase. Users who browse a product on an e-commerce site will be served with targeted offers for that same product when they access other sites from Google (GOOG) and Facebook (FB) to their favorite news provider.

Earlier this year, Gizmodo reported that at least 100 websites had embedded code from software company NaviStone that monitors visitors' activity. Four lawsuits have been filed in the last two weeks alleging that NaviStone's technology was being used illegally as a "wiretap." Several privacy law experts reject the claims in the lawsuits because the e-commerce sites consented to the software being used. 

Even so, questions about the tracking of online shoppers are only increasing.

"Websites have legally had a lot of room to collect information about the people who visit," said Peter Swire, professor of law and ethics at Georgia Tech's Scheller College of Business. "The online store can buy software to help it run its website. … As online tracking gets more precise, there have been a lot of privacy concerns about how people's online surfing gets linked to their offline identity."

Added Swire: "In the early days of the internet, people assumed they were anonymous. Today, that's a bad assumption to make."

Brady Cohen's lawsuit alleging mattress maker Casper "wiretapped" visitors to its website using NaviStone software made headlines last week. Now, his lawyers have filed new cases against Walmart's (WMT) outdoor gear company Moosejaw and UK-based menswear retailer Charles Tyrwhitt. The suits accuse these companies of doing the same thing. The lawyers have also have hit Quicken Loans with an identical legal challenge on behalf of Paramus, New Jersey, resident Michael Allen.  

As in his Casper lawsuit, Brady claims he visited Moosejaw's and Charles Trywhitt's sites without making a purchase, unaware that his electronic actions were being monitored in real time in an attempt to learn his personally identifiable information, such as his name and address. He browsed at Moosejaw's site several times over the past six months while shopping for outerwear, and he visited Trywhitt's CTShirts.com site several times over the past two years while shopping for dress shirts.

Allen came to  Quicken Loans on several occasions during the past six months, according to the court filing. He never procured any services from Quicken.

Walmart said it hasn't had a chance to review the allegations in the lawsuit.

"We take claims like this seriously," wrote Randy Hargrove, a spokesman for the Bentonville, Arkansas, company, in an email. "We will look into them and respond appropriately with the court."

Quicken Loans, the second-largest US residential mortgage lender, vehemently denied the  accusations in the case against it, accusing the plaintiff's law firm, Bursor & Fisher of New York, of attempting to "manufacture claims to coerce a settlement."

"Quicken Loans has no intention of settling these meritless claims," the Detroit-based company said. "It is frivolous allegations like these that are clogging the courts and slowing progress on more pressing -- and legitimate -- matters."

When asked to respond, Scott A. Bursor, the lead attorney in the cases, replied "no thanks" in an email.

Charles Trywhitt didn't respond to a request for comment. 

Casper, which likened the allegations against it to extortion, didn't respond to an email seeking a response to the new lawsuits. A spokesman for NaviStone declined to comment on this story.

The suits allege that the sites used NaviStone code that functions as an illegal wiretap to observe the keystrokes, mouse clicks and other electronic communications and get detailed information on visitors' habits. NaviStone, which is a party in the Casper lawsuit, is a defendant in all of the new cases as well. The Cohen lawsuits were filed in federal court in New York, while the Allen case is pending in New Jersey.

Richard Forno, assistant director of the UMBC Center for Cyber Security, noted that researchers have found many companies that use technology like NaviStone's but don't disclose it in their privacy policies.

"It's not surprising that companies are probably violating their own policies because of this," he said. "But then again, who reads the privacy policies? ... People don't even know what privacy policies are sometimes."

Albert Gidari of Stanford Law School's Center for Internet & Society argued in an email that the Cohen and Allen piracy lawsuits are "ill-conceived." But he said the cases might trigger action by the Federal Trade Commission for unfair or deceptive trade practices, which plaintiffs' attorneys "hate because there is no private cause of action for them to bring." That's because the lawyers don't make any money from an FTC action.

  • Jonathan Berr On Twitter»

    Jonathan Berr is an award-winning journalist and podcaster based in New Jersey whose main focus is on business and economic issues.