Toysrus.com drops tracking service amid pressure
After being accused of releasing personal customer data, the online toy store stops using a controversial marketing service.
Following two class-action lawsuits filed against Toysrus.com, the site posted a revised privacy policy late last week to address its relationship with Coremetrics, a 5-month-old marketing company that analyses customer habits on the Web.
"For a short period of time, we had a trial arrangement with a service called Coremetrics to assist us in evaluating information about how visitors use our site," Toysrus.com's policy read. "This trial arrangement is no longer in effect."
While companies have long gathered data on their own customers without raising the ire of consumer advocates, the Coremetrics controversy points to growing concerns over companies that outsource the collection of customer data. Privacy advocates argue that having third parties perform those services conflict with companies' promises not to share data with outsiders, even if the information collected is intended for internal use only.
Representatives at Toysrus.com were not immediately available for comment. In the past, the company has said it used the data internally, and that Coremetrics was not authorized to release it to third parties.
The move follows a class-action lawsuit filed against Toys "R" Us in the U.S. District Court of San Francisco earlier this month. The suit alleges that online subsidiary Toysrus.com let Coremetrics build personal profiles of its consumers despite a privacy policy that claims personal information is kept "completely confidential." Plaintiffs are looking to recover damages for customers who made purchases from the site.
A similar suit was filed in a New Jersey court the same week.
The two filings are the result of a report earlier this month from security consulting group Interhack, which outlined the problem at Toysrus.com and several other online stores, including Lucy.com and Fusion.com. The report said Toysrus.com and others were sending personal data to San Francisco-based Coremetrics despite policies promising they would not share such information with third parties.
Coremetrics uses technology such as Web bugs and cookies--or tiny digital identifying tags that track visitors' whereabouts online--to compile information about online shoppers. For example, its technology can record when a consumer adds a product to his or her shopping cart then takes it out. With this information, online stores could potentially send an email to the consumer offering a discount on the product he or she decided against.
Using JavaScript, Coremetrics can also extract personally identifiable information such as names, addresses and phone numbers from online forms filled out during the checkout process.
"Coremetrics has the ability to build these detailed dossiers on online users," said Matt Curtin, a security consultant with Interhack.
"The biggest problem is that we don't know what's happening with the data," Curtin said. "When the info gets sent to Coremetrics--a company we know nothing about--we have to trust that it won't be abused or stolen. What happens if a court issues a subpoena for it?"
While many online companies have access to this type of information about their customers, most do not send it to an outside company such as Coremetrics. The biggest danger, privacy advocates say, lies in Coremetrics' ability to combine customer profiles across all of its clients' sites, including Wal-Mart.com, Mall.com and Lucy.com. Critics of Coremetrics also say its expansive database of customer information is the perfect target for hackers.
Coremetrics, which launched in March and has more than 40 clients, said it does not have rights to data collected.
"Interhack's report was about technical possibilities, it's not based on reality," said Brett Hurt, chief executive officer of Coremetrics.
"Technically we could combine the data, but legally we don't have the right to do that," Hurt said. "It's not in our business model and (our customers) would not approve of marrying the data with their competitors'."
Hurt said the company gives online marketers "high-value information" such as the effectiveness of advertising and merchandising efforts. Boosting the company's privacy profile, David Farber, one of the initial members of the Electronic Frontier Foundation, sits on CoreMetric's board of advisers.
But some still see dangers within the service.
"The problem with Coremetrics is that they have an enormous database that contains not only the person's name and address, but the person's purchase and transactional history as well as everything he's done on any of the partner sites," said a source familiar with the company.
"Would you opt in for this program? Because the only way to opt out (of Web bugs) is to pull down the tags," the source said.
Coremetrics is not the only company attempting to analyze such detailed data for Internet stores. Tealeaf, Digital Archeology, Web Side Story and Clickstream are just a few of the competitors in this market.
Toysrus.com's revised privacy policy lets customers know how to opt out of Coremetrics' cookies that may have been placed on their computers after April 24, when their partnership began.
The online store has caused some financial strife for its parent company, retail chain Toys "R" Us. The Paramus, N.J., company said today that fiscal second-quarter profit fell 75 percent on declining sales in its U.S. stores and a loss at its Internet division.
But the company said Toysrus.com's agreement last week with Amazon.com should help reduce Internet losses.