Black Friday and Cyber Monday (BFCM) is quite the big deal every year, with thousands of retailers offering special pricing and consumers spending billions of dollars to snatch up those savings. In fact, in 2020, Cyber Monday sales reached $10.8 billion, with approximately 186 million shoppers purchasing goods during Cyber Week. However, BFCM shopping can also lead to negative privacy consequences for consumers such as being signed up for annoying and unwanted marketing communications, having your data shared or sold, being subject to a data breach due to lax privacy and security controls, and safety issues due to creepy tech products. In this article, we will discuss the privacy issues that you should be aware of when shopping during BFCM (whether online or in a store), as well as tips on actions that you can take to protect your data and privacy.
Privacy risks when shopping in a physical store
Video surveillance cameras
If you choose to shop in a physical store during BFCM, the first privacy issue that you should be aware of is the fact that most stores have video surveillance cameras which record what customers do in those stores. The most obvious privacy risk of these video cameras is that they record everything that you do at the store. That footage may later be used for legal purposes, such as prosecution for theft, and can even end up on the Internet. However, what most consumers do not realize is that these cameras can also record other data such as what you purchased, how much you paid, what card you used, what items you looked at and even your facial expressions and ethnicity. Stores do not provide a way for shoppers to opt out of being recorded via video surveillance cameras, leaving you at risk of privacy violations.
The second risk that you should consider when shopping in a physical store is facial recognition. Many stores use facial recognition technology to determine whether a previous shoplifter is trying to gain access to the store as well as to determine who an alleged shoplifter is so that information could be reported to the police. However, facial recognition technology comes with a lot of risks. For example, facial recognition technology is notoriously bad at identifying certain groups of people and can even misidentify someone, which can prevent them from entering a store or, worse, lead to them being arrested for a crime that they did not commit.
Providing your email or phone number and loyalty cards
The final issue that you should be aware of when shopping in a physical store is providing your email address or phone number or signing up for a loyalty card when checking out. It is so common to ask customers for an email or phone number during checkout that most customers just provide that information in the rush of getting out of the store.
Privacy risks when shopping online
If you choose to shop online instead of in a physical store (because who wants to wait hours in line for a new TV?), there are still quite a few privacy risks to be aware of and to avoid.
Cookies, pixels and tracking
First, when you go onto a retailer’s website, you should be aware of the fact that many of these websites track your activity using pixels and cookies, which are small files that are placed on your device. Cookies and pixels are used to determine your activity such as what websites you visited, what links you clicked on, what advertisements you liked, and what items you are likely to purchase in the future. Since cookies and pixels track all of your activity online, being tracked can also mean that your sensitive data such as health data can be shared with advertisers. If you do not want to be tracked by cookies or pixels, there are a couple of steps that you can take:
- If the website offers a cookie consent banner that allows you to opt in or opt out of cookies, select the “no” or “decline all” option;
- Select your browser settings to decline all cookies and pixels and prevent tracking. You can view instructions on how to do that on every browser here.
- You can also use a privacy-focused browser such as Brave that automatically blocks all trackers, cookies, fingerprinting and more.
Collection, sharing and selling of your data
When you shop online, it makes sense that you would have to provide some data in order to make a purchase and that the data has to be shared with certain third parties. For example, if you purchase that new pair of shoes, your address will be shared with the shipping provider (e.g. FedEx or USPS) for you to receive your purchase. While this type of practice is expected, you should be aware of the fact that many retailers collect more data than what is needed, share it with third parties that do not actually need to receive that data to make a purchase (e.g. marketing companies), and can even sell your data to data brokers.
Data brokers are companies that make money by collecting your personal information and then selling it to other parties. This purchase and sale of personal information can cause a lot of headaches such as endless spam emails and texts, data breaches, identity theft and even fraud. In addition, data brokers may even sell data to law enforcement and government agencies, allowing governments to, for example, spy on individuals who violated lockdown orders by visiting events in person.
Marketing emails and text messages
Another very common but potentially privacy-infringing aspect of making purchases online is providing your email address and phone number in the checkout process. While many consumers assume that the point of providing this information is to be able to receive updates regarding your order, most consumers do not realize that this information frequently ends up on marketing lists, causing spam emails and calls, and is retained for much longer than it took you to receive your purchased items.
If you are not interested in signing up for email newsletters or marketing text messages, the best practice is to avoid providing this information altogether. However, if you are required to provide this information to place your order, make sure that you do the following:
- Unselect any options that sign you up for email or text message marketing (a lot of companies pre-select this in advance and you will need to unselect it to stop your information from being used);
- Know your rights. Most consumers have the right to opt out of email marketing and text messages. For example, the CAN-SPAM Act requires companies to provide individuals residing in the United States with an easy way to opt out of email marketing while GDPR provides individuals in the European Union with the right to withdraw their consent for direct marketing at any time. If you receive unwanted marketing emails or text messages, make sure that you exercise your right to opt out;
- Use a special email to determine who shares or sells your data to marketers. For example, if you are shopping at Walmart during Black Friday or Cyber Monday, change the email that you provide to the company from firstname.lastname@example.org to email@example.com. You will still receive the emails but will be able to tell which company has shared or sold your data to others.
Creating an account
The fourth privacy risk that you should be aware of when shopping online during BFCM is creating an online account with a retailer. Online accounts track all of your information such as your purchases, the items that you returned, your refund and cancellation requests and may even track the products that you have viewed on that website. Online accounts also store potentially sensitive data such as your address or credit card and billing information.
While data in accounts can be a treasure trove of information for data brokers and advertisers, it can also put you at risk of a data breach if the company does not properly secure that data. For example, in 2014, during the breach of Target’s systems, cybercriminals were able to steal the personal and financial information of as many as 110 million Target customers. Breached data can end up being sold on the dark web to other criminals and individuals attempting to commit identity theft and fraud. The average cost of identity theft for a victim is $1,100, with the total cost of identity theft in 2020 being $56 billion (not to mention the countless hours that you will need to spend changing all of your accounts and information).
The best practice to protect your privacy and personal information is to not create accounts with retailers. However, if you would like to create an account, follow the below tips to protect yourself:
- Use a different password for each account that you create;
- Make sure that your passwords are difficult to guess and meet security criteria;
- Delete your payment information after making your purchase;
- Delete your account if you do not plan on making purchases from the retailer again in the near future.
Using a credit card
It is common knowledge that you need to use a card or some type of payment method to make a purchase online. However, you should be aware that credit card data can be breached, which can lead to fraudulent charges and even identity theft. There are some simple steps that you can take to protect your payment information online:
- Shop only on reputable websites. There are a variety of scam websites that deceive shoppers into providing their credit card information by using fake online stores, website URLs that are deceptively similar to legitimate retailers, and tactics such as urgency and emotional language to trick you into making a purchase. Make sure to check the URL of any website that you visit, visit websites that are secure (using https in the URL), and confirm the company’s name on the website;
- Type out your credit card number every time and do not allow the credit card number to be stored on the website;
- Consider using an online payment system such as ApplePay, PayPal, or Samsung Pay – these systems prevent the retailer from viewing or gaining access to your credit card information;
- Check with your credit card company to see if they offer temporary one-time card numbers that you can use for each purchase. While this may be more time consuming, it will prevent that card from being charged again and is very useful at preventing long term subscriptions that are difficult or nearly impossible to cancel.
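The URL check from the first tip above, written out as an added Python example (it is not part of the original article). It flags links that are not https, links that hide the real host behind an `@`, punycode hostnames, and hostnames that imitate a known retailer. The retailer names are constructed placeholders on the reserved `.example` domain, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist on the reserved .example domain (assumption); list the shops you actually use.
KNOWN_RETAILERS = ("bigstore.example", "megamart.example")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_shop_url(url, known=KNOWN_RETAILERS):
    """Return red flags for a shop URL. An empty list means none of these
    checks fired, not that the site is trustworthy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username or parts.password:
        # Text before '@' is login data, not the site: https://shop@other.example/
        flags.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode hostname")
    if any(host == d or host.endswith("." + d) for d in known):
        return flags  # the retailer's own domain or a subdomain of it
    # Naive registrable domain: last two labels (ignores suffixes such as co.uk).
    registrable = ".".join(host.split(".")[-2:])
    for d in known:
        brand = d.split(".")[0]
        if brand in host:
            flags.append(f"contains '{brand}' but is not {d}")
        elif edit_distance(registrable, d) <= 2:
            flags.append(f"near-miss of {d}")
    return flags

if __name__ == "__main__":
    for u in ("https://www.bigstore.example/deals", "https://bigst0re.example/"):
        print(u, check_shop_url(u))
```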
Think before you buy: wearable devices
Devices that are constantly worn by consumers such as FitBit, the Apple Watch, SmartGoogles, and HeartGuide are becoming increasingly popular, with predictions stating that more than a quarter of the US population will use wearable devices in 2023. However, wearable devices collect a lot of data such as heart rate, your activity levels, how you sleep, glucose levels, menstruation history, and more. In addition, this sensitive data can be shared with advertisers and even sold, causing privacy issues and harms. Due to the sensitive nature of the data being collected, if you are choosing to purchase a wearable device, you should ensure that you take the following precautions:
- Select a wearable device that offers maximum privacy protections and is provided by a reputable company. For example, you can use Mozilla’s Privacy Not Included list to see which products collect the most data, how companies use that data, how you can control your data and other information such as whether the company has been subject to a data breach in the past;
- Make sure to check and adjust the default privacy settings on the device. Most companies enable the sharing of data with advertisers and marketers by default so you will need to check the settings on the device and adjust them to opt out of the sharing or selling of your data;
- Keep the device software updated with the latest firmware and software. These updates help ensure that the device is secure against the latest cyber threats and can help prevent your data from being breached;
- Enable security features such as two-factor authentication that require you to provide additional verification (such as a code sent to your phone) prior to being logged in to your account or device and to view your data.
Think before you buy: other electronic devices
There is nothing more iconically Black Friday or Cyber Monday than purchasing a new TV, smart doorbell or assistant system such as the Amazon Alexa. However, just like with everything else, you should be aware of the fact that these electronic devices collect a lot of personal information such as what is said in your home, who comes to your home and when, what shows you watch, what music you listen to and other information that can provide easy access to your daily routines and activities to threat actors.
For example, multiple users of smart baby monitors have reported that the monitor was hacked, allowing strangers to speak to their child. In addition, two men were recently indicted for hacking into Ring cameras, calling the police and stating that people were shooting guns or holding others hostage in homes, which can place the homeowner in a very dangerous situation. In fact, other homeowners have reported that their smart home devices were hacked, turning up the heat in their homes, warning them of a missile attack, and even telling them through their Nest camera that their baby will be kidnapped.
When it comes to smart home devices, you should really consider whether the device and all of its features are truly necessary for your home and are worth the privacy risks. Make sure to thoroughly research the devices that you are considering, including reading their Privacy Policies, checking the device settings and seeing whether the companies providing the device have been subject to data breaches or have committed privacy infringements in the past.
Know your rights
Finally, whether shopping online or in a store, you should know that, depending upon where you reside, you may have privacy rights that you can exercise to gain more control over your information and your privacy. Privacy rights can include:
- Deletion of your personal information;
- Obtaining a copy of your personal information;
- Opting out of targeted advertising;
- Opting out of direct marketing;
- Opting out of sales of your personal information;
- The ability to withdraw your consent to the processing of your personal information;
- Correction of your personal information.
Make sure to exercise caution whenever making purchases, whether online or in a store. Happy Black Friday/Cyber Monday shopping!