Online Privacy's Call to Arms

A salvo against Sears, including a lawsuit, shows just how riled up users are getting about their data being shared without their knowledge

by Catherine Holahan

Web surfers aren't just mad about online privacy violations. They're getting even. Consumers are speaking out publicly against companies they say have gone too far in tracking their Web surfing patterns, creating public relations nightmares. They're also heading for the courts, seeking millions of dollars in damages. Before long, companies will need to pay more than lip service to privacy protection or they may end up being forced to pay up—period.

The latest alleged corporate breach involves Sears Holdings (SHLD), parent of department stores Sears and Kmart. On Jan. 8, the Berkman Center for Internet and Society, a research program at Harvard Law School, released a report accusing Sears of violating the privacy of users of its online community site. To join, customers download a program that tracks their online purchases and other activity. Sears failed to sufficiently explain what the software does, according to the study's authors. "It is pretty clear that they were doing some things that were not adequately disclosed to the users," says John Palfrey, executive director of the Berkman Center.

More Transparency Needed

The report follows a class-action lawsuit filed Jan. 4 in Cook County, Ill., that accuses Sears of exposing its customers to identity-theft risks by sharing individuals' purchase histories to anyone who searched for a particular user's name or address on the Sears ManageMyHome Web site. The suit, filed by New Jersey resident Christine Desantis and on behalf of other Sears customers, seeks $5 million in damages. Sears declined to comment, citing the lawsuit.

The report and lawsuit reflect growing unease over efforts by companies to make use of the mountains of data they collect on customers who use the Web—and the rising stakes for corporations thought to trample consumer rights. Companies are eager to harness information they collect on a person's interests, purchases, and product searches to better tailor their own or partners' advertisements. But when customers believe a company has gone too far, they're fighting back. In December, users of Google's (GOOG) Reader program flooded Web forums with complaints about a new feature that broadcast information about items that users bookmarked for their contacts in a separate Google messaging program. The prior month, more than 50,000 users signed a petition opposing a new ad program on Facebook that shared information about purchases and online activities outside of Facebook (BusinessWeek.com, 11/28/07) with a user's "friends."

Government officials appear to be losing patience, too. The Federal Trade Commission issued recommendations Dec. 20 demanding more transparency (BusinessWeek.com, 12/20/07) from companies that track the Web sites visited by individual computers in order to deliver ads related to a user's past activity. The FTC said it will investigate whether "heightened protections" are needed.

"Fed Up"

The concern over privacy comes as a surprise to at least some Web executives. Consumers had appeared all too willing to sacrifice privacy in exchange for convenient and free ad-supported services. Users post private data on sites such as Facebook and News Corp's (NWS) MySpace, a sign they didn't care who saw what they did on Saturday night or where they did it. Sure, public complaints typically follow particularly egregious violations, such as a mass loss of personal financial data or Internet searches, and an apology and a promise to better protect sensitive information quickly quelled most uprisings. Google has promised to give Reader users better control over who sees their information, but it is still sharing it with contacts.