Watch CBS News

Retail Versus Privacy: New Questions

This column was written by Evan Schuman, the editor of, a site that tracks retail technology, e-commerce and security issues. Retail Realities will appear each Friday. Evan can be reached at e-mail and on Twitter.

By the end of August, Wal-Mart will unveil a radically changed privacy policy, one that envisions a merged channel world, where consumers are as likely to use their phone and laptop to interact with Wal-Mart as much as they would walk into a store or speak with a call center. The policy talks about data not merely from a payment security and a purchase history perspective, but also from a security camera's and cellphone's perspective.

"Our goal is to have it be completely comprehensive, for both online and offline," said Zoe Strickland, the Wal-Mart VP who serves as the chain's Chief Privacy Officer. "We need to govern all the different ways that we collect and use information. Privacy is not just about using the Web site. It's everything that happens when you're interacting with the company."

Some have recently argued that retailers need to show consumers what is in their CRM files, if those merchants truly want to gain the consumer's trust. Although Wal-Mart is far from offering to do that, the new policy-to take effect Aug. 23-does offer a way for consumers to request to examine the information Wal-Mart has about them, but the policy puts very little pressure on the chain itself to deliver.

"Contact us at the E-mail or postal address listed in the `Contact Us' section of this policy," said the new document. "Please include your current contact information, the information you are interested in accessing, and your requested changes. We will provide you the information requested if reasonably available, or will describe the types of information we typically collect."

Although it's not much, it does go a little farther than most other retailers have gone. Still, it will be interesting to see what information Wal-Mart will end choosing to part with.

One of the most hard-fought privacy issues has been where it is at any moment. Wal-Mart has not set any privacy limits of that capability yet, waiting to see where other major chains draw the line in the proverbial privacy sand.

Much of the new policy deals with restrictions on use of personally-identifiable data, with few stated limits on data collected that is not associated with a consumer's name, above and beyond limits that are forced on Wal-Mart, such as privacy laws involving prescription drugs and handling of payment card data.

The policy also clarifies that data will only be given to Wal-Mart's partners and suppliers when there's a need to know, but it doesn't address the reverse situation, where Wal-Mart's partners have the information first and then provide Wal-Mart with only parts of that information. Can a supplier or a partner be made to comply to Wal-Mart's rules, when those suppliers also work for many other national retailers?

"Whether we get the data first or they get the data first, they're going to have to abide by our security concerns," Strickland said. The supplier data issue is only to get worse in the coming year as mobile companies work more closely with all of the major retail chains.

Strickland-who is Wal-Mart's first Chief Privacy Officer-said she is also closely watching "the tension between the personalization goal-which is just a goal" and Wal-Mart's efforts to protect consumer privacy at various levels. The eternal question: As consumers opt-in so they can take advantage of personalization and convenience, will they ever be able to regain control of that data?

As technology advances, that question becomes simultaneously more complicated and more essential. Consider the unusual case of a Pennsylvania kiosk company that sold its system to the state government to offer self-service in its liquor stores. (Pennsylvania only allows liquor sales through its own stores.)

The legal problem: Making sure that customers are of legal age to purchase alcohol. The technology response: scan a customer's photo driver's license, do a scan of the customer's face to use biometrics to compare that face to the one on the driver's license and then, as a nice touch, force the customer to submit to a kiosk-administered breathalyzer to make sure that they're not already drunk. That brings up the privacy problem: What happens to that data after the sale is made (or is sometimes not made)?

The driver's license scan captures a lot of personal information (weight, height, eye color, home address, etc.) and that information can be married to the scanned facial image. How would you like to have to answer in a job interview for having tried to buy alcohol when you were already drunk? Will those breathalyzer results-perhaps matched with parking lot security camera records of you driving away five minutes later-be shared with police, another government agency? What about a judge considering a custody case?
For that matter, why not an insurance company considering you for car insurance or, for that matter, life insurance?

Once that data gets collected, who is to say where it will end up?

By Evan Schuman
Special to

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.