#PrivacyOfThePeople: End of season sale of your privacy on e-commerce platforms

Anushka Jain, Tejasi Panjiar

IFF-s-Response-to-the-SC-s-Technical-Committee-on-Pegasus-SaveOurPrivacy.png#asset:13703

tl;dr

The e-commerce industry in India is growing at an unprecedented rate. E-commerce platforms such as Amazon, Flipkart, Nykaa, Myntra, Paytm, BookMyShow, etc. facilitate shopping over the internet though their online applications or sites. These platforms have increased their presence and operations in the globally recognised lucrative as well as large Indian market. However, simultaneously, new risks surrounding digital rights of the users, especially the privacy risks associated with these platforms are being revealed. The benefits and advantages of e-commerce platforms that attract buyers and sellers alike, are often made possible by collecting, storing, analysing, exchanging, and selling customer data with third parties. If you have in the past ever shopped from any of these online retail platforms, and intend to do so again, continue reading to understand the implications of data-driven marketing on our right to privacy.

Why should you care?

The online retail business has no doubt changed the landscape for e-commerce in India and worldwide. Unlimited choice, personalised and customised options tailored to our style and needs, escape from the unwanted assistance by the salesperson, no long queues at the billing counter, and easy home delivery without having to expose ourselves to crowded malls. These are just some of the advantages that online shopping has over in-person shopping. However, the positive affordances, primarily the unmatched convenience, often takes away the focus from the negative affordances, such as the misuse of customers’ personal information. What is ironic is that the very convenience that we as customers are so drawn to and routinely rely on, i.e., customised advertising and personalised services, is impossible without tracing, quantifying, and profiling us. When we as shoppers don’t hesitate to give our personal details while signing up, or sometimes even sensitive personal information to avail enticing discounts, these platforms get a free pass to trace our shopping habits, undertake customer profiling, and even discriminate amongst buyers. On one hand we often fall victim, mostly unknowingly, to these marketing gambits putting our digital rights at risk. On the other hand, the impact of the absence of data protection legislation is that as of today for users there exists little meaningful remedy in case of any violation of their digital rights.

Your cart and your privacy are feeling neglected

You pay with your data: The e-commerce industry has always collected data about its customers. Even if it was done by noting down the details of each sale. However, advancement of technology and evolution of the data landscape has led to greater collection, storage, and processing of data. But before we go into how our data is processed and used by e-commerce platforms, let us break down the various kinds of consumer data that businesses collect:

  1. Personal data: This includes personally identifiable information such as name, contact details (email address, phone number), age, gender, etc.
  2. Demographic data: This includes information about the user’s location, accessed through tracking technologies such as a device’s IP address or through app permissions which take user consent for accessing such data.
  3. Engagement/ Interaction data: This includes data about consumers' interaction with the platform’s website and with its social media, data about the number of times a page/ product was viewed, emails inquiries, interaction with paid ads and customer service, etc.
  4. Behavioural data: This includes data about the customers’ experience with the service or product being provided, for instance details regarding purchase histories, free trial sign-ups, logins, deactivations, feature utilisation, qualitative data (e.g., mouse movement), etc.
  5. Attitudinal data: This data encompasses metrics on consumer opinion or satisfaction levels, i.e., information on purchase criteria and product desirability gathered through online reviews, ratings, surveys and more.

It’s data harvesting season: Now that we have understood the various kinds of data such e-commerce platforms collect, let us try to understand how they are able to collect it. With the combined benefits of digitisation of commerce and online transactions, e-commerce platforms are able to harvest an unprecedented volume of data about how consumers shop and engage with brands. These platforms employ complex personalisation formulas which not only access our data, but also draws inferences from our digital footprints on the platform. These platforms collect customer data for several reasons, some which include to provide better customer experience, to improve on their marketing strategies or even to generate revenue. These personalisation formulas evaluate our shopping cart, assess the importance we give to product ratings and reviews, and gauge our reliance on price comparisons on competitive platforms. The formulas also estimate the customer’s socioeconomic status based on the customer’s average spending, price bracket for various categories, and the kind as well as type of products bought. Lastly, an assessment of our product buying cycles, i.e., when we will need to buy a new shampoo, along with the information provided by the formula, allows online retailers to nudge us into buying something through special discounts and appealing ads.

Third-party data sharing woes: Third-party sharing of data has also allowed platforms to analyse our preferences and likings by tracking the advertisements we are clicking on or the recipes we are watching on social media. We’ve all noticed how when we like a certain product on a social networking site like Instagram, we immediately get ads from various e-commerce platforms, promoting that very product on the site. This fast and efficient ad targeting is made possible due to sharing and exchange of user data between various industries. Once captured, the information about users regularly changes hands in a data marketplace of its own.

Data sharing among third-party platforms is facilitated by data brokers (essentially middlemen), who buy sensitive personal information, create profiles, and sell it as a commodity. The practice of persona mapping, further made possible thanks to cutting edge technologies (machine learning and AI), helps data brokers build a 360-degree view of each consumer. This information is immensely valuable not just for e-commerce platforms and social networking sites, but also for advertisers who are willing to pay heavily for it. Once a rich data repository is formed, it allows platforms to target customers with personalized recommendations (microtargeting) and with directed or discriminatory ads.

Profile, discriminate, target: By now we know what data is collected, how it is collected and among whom it is shared. But what happens next is definitely the most scary part. All our interaction with the platforms and on other networking websites (at least for which the platforms possess the data) are broken down to individual data points, which are ultimately converged and analysed to create customer specific profiles. By using various inference techniques, which we mentioned earlier, the platforms classify their users in categories (Political orientation, sexuality, likes, dislikes, etc.). The platforms then use this data to discriminate among customers based on perceived differences. For instance, retailers often offer special discounts to customers who tend to add items to the cart but don’t end up buying it as compared to customers who regularly buy from the platform. This logic draws from the reasoning that customers who are loyal will remain loyal and thus don’t need to be rewarded. Another aspect of retail discrimination is to identify long term, “high value” customers, which the platforms target to gain profits by sending them deals tailored to their preferences and likings. It is worth noting that customer data is not only accessed when something is bought on these platforms, but even when one is surfing on an e-commerce site, their IP address and location information may be accessed by the company.

Heavy discounts on your digital rights

Our privacy concerns in the e-commerce industry arise from the fact that these platforms collect and store a lot of very personal and sensitive data. You can’t buy a product on any of these online platforms without sharing your personal details. This means that no matter how much security is implemented, there will still always be the threat of a significant breach and the loss of such data. In the absence of a data protection law in India, there is no clarity on whether these platforms follow internationally recognised principles of data minimisation, purpose and storage limitation. There are however some relevant laws in India dealing with data protection such as the Information Technology (IT) Act, 2000 and the Indian Contract Act, 1872. Section 43A of the IT Act, 2000 holds a body corporate liable incase of negligence while implementing and maintaining reasonable security practices when possessing, dealing or handling any sensitive personal data. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 also provides reasonable security practices and procedures which must be followed by body corporates while dealing with personal sensitive data. It also holds the body corporate liable to pay the affected person damages/ compensation in case of any breach.

While these legislations are in place, its effectiveness in adequately providing remedy to users may be questioned. Section 43A of the IT Act, 2000 only provides compensation for negligent handling of sensitive data, but doesn’t include provisions for remedy in case personal information is breached. Cyber security threats such as phishing, wherein an individual clicks on an inauthentic link containing malware which exposes their data to the hacker, can also put personal information of customers at risk. Thus, the e-commerce platforms must be subject to high and strict standards with respect to their privacy policy, to ensure that the protection of personal data of site visitors is guaranteed.

Exciting offers coming soon? / Stay tuned to see what’s in store

There is no straight path to data protection and privacy when it comes to the world of e-commerce. Further obstacles are introduced in this path due to the absence of data protection legislation in the country. The incentive to overcome the several complex issues listed in this post is extremely low not only because of a lack of adequate legal safeguards, but also because there is a very strong economic incentive of financial gain. We hope that this post motivates you to debate the importance and primacy we as customers give to convenience over our fundamental right to privacy. Perverse commercial motives that allow online retailers to reap profits at the cost of our privacy must also be questioned, and ultimately put an end to. Strict data privacy regulations must put an obligation on platforms to reveal the data they access, use, re-use, share and/ or sell. A step forward, beyond complete transparency, would be to empower customers with the right to ask for their partial or complete data deletion. Given that this industry is constantly changing, evolving, and developing, we need to update not just our technologies but also our laws and safeguards for data protection to put the power back into the hands of consumers.

Important Documents:

  1. Information Technology (IT) Act, 2000: Link
  2. IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Link
  3. A Public Brief on the Data Protection Bill, 2021 dated July 11, 2022: link

Share Your Support