ReveNews
Eternal Logins at Online Stores
Bruce Schneier posted an interesting piece on logins that never expire with online stores.
I’ve heard people talk about how merchants try to get the lifetime value of the customer by first getting the customer to register and then sending an never-ending batch of e-mails to get the customer to return. Coupons often come with these e-mails.
Users can unsubscribe from the e-mails but does this take the user out of the merchant’s database? It doesn’t sounds like it.
When a user unsubscribes from our Shopping Wallet, the user is permanantly removed. What’s interesting about this is that we gather almost no personal information about the user (e-mail address and favorite online stores). Schneier points out that merchants save credit card information, address and more. In fairness, while just about every merchant requires customers to register, not all require users to save credit card information.
While I’ve been an evangelist for online shopping (including mocking my family members who would not shop online but would give their credit cards and checks to strangers), in this age of rampant identity theft, we need to question who is saving what information about us.
The login and other info may never expire, but the *credit card* will.
And to his comment:
“I like sites that allow me to make a purchase as a ‘guest’…”
The site still has to capture the data necessary to process the credit card transaction, ship the product, and deal with potential returns. The only difference is that there is a login/password associated with it. I suppose they could regularly purge inactive accounts, but is there any proof that this “problem” has actually led to identity theft?
While I sometimes do use the “guest” method to buy, I also am on the other side of this and can understand whay merchants keep your data forever. In today’s world where you can get sued for sending an email, having a complete histor for every user makes is easier to defend youself.
We keep all a user’s data after they are “removed” because we want to make sure that we can look up their information in case a legal need arises. Merchants can then defend themselves with everything from the date and time of sign-up, to the IP address, use history, and preferences the user selected in case the need arises.
Before CAN SPAM, we might have just wiped the info and forgotten about it, but not now.