Welcome to the December 2022 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
If you think your friends or family might enjoy learning more about data privacy, feel free to forward them this newsletter.
When, in 2018, a new cafe opened in Providence, Rhode Island, it immediately caused controversy over the way it priced its coffee.
It wasn’t that its prices were too steep. It was that the cafe did not charge some customers at all. Or at least it didn’t accept traditional currencies. Instead, it asked customers for personal data. And the permission to send them information from corporate sponsors.
Some have called this business model “dystopian.” Others applauded the cafe for being “candid” about its data collection practices.
Whatever your opinion, the fact is that most of us trade our data for free coffee/frequent flier points/discounts every day. That is, if we participate in loyalty programs.
There are many reasons why a brand might launch a loyalty program. To encourage repeat purchases, for example. Or promote brand advocacy. However, without a doubt, one of the main reasons for starting a loyalty program is to collect customer data.
When customers sign up for a loyalty program, they immediately share information like their name, gender, age, address, email address, and phone number with the company behind it.
If a loyalty program has an app, brands get more data still, such as device type and identifier, location, and user activity. Some companies also purchase additional customer information from data brokers to get a more accurate picture of who their customers are.
Having access to detailed consumer data means businesses can sell shoppers more stuff through personalized offers.
“This picture of who you are, what your motivations are, who you want to become, can all be used to nudge you to purchase something or even behave in a certain way,” said campaign group Privacy International in a BBC article.
Many companies also share or sell customer information to other businesses in their group, their own data brokerage subsidiaries, or third parties like data brokers and insurers. There have even been complaints about loyalty programs sharing underage members’ information with partner credit card companies that then send them marketing materials.
Australia’s consumer watchdog estimates that companies with loyalty schemes can generate between $71m and $241m in revenue each year from selling consumer data.
With third-party cookies due to be phased out and consumer privacy a growing issue, loyalty programs are now seen as an alternative way to collect consumer data.
A recent YouGov poll found that almost 9 in 10 Americans are willing to share their personal information with brands in exchange for free products, discounts, and rewards. And about 7 in 10 like it when brands send them personalized deals based on shopping history.
But most customers that join loyalty programs have no idea how much data they end up sharing or what their data is used for.
Not swiping a loyalty card doesn’t necessarily prevent loyalty program members from being tracked, either. Brands typically link payment data with loyalty programs, so shoppers can be tracked based on their credit and debit cards.
All that information collected by loyalty scheme providers has to be stored somewhere. If a data breach happens, consumers’ privacy is at risk.
A recent breach of the IT company SITA compromised loyalty scheme member data at numerous airlines, including Lufthansa, United, and American Airlines.
Although the breach exposed only names, status levels, and account numbers, Stuart Barwood, director of global airline strategy for the fraud prevention company Forter, said in a Travel Weekly article that hackers would more than likely cross-link the data they stole with other loyalty program breaches. It is estimated that about 1 in 300 loyalty program log-in attempts is an account takeover attack.
After a successful account takeover, hackers can steal rewards or personal information (including financial data—many loyalty programs are linked to debit or credit card information), which they can use themselves (for example, for identity theft) or sell on the dark web for a tidy profit.
Weigh up the pros and cons of joining. Before signing up for another loyalty scheme, make sure the rewards are worth it (they rarely are). Read the privacy policies to better understand what will happen to your personal data once you start engaging with a loyalty program.
Opt out of the sale of your data. Under the California Consumer Privacy Act, California consumers can ask any loyalty program provider to show them the personal data it holds on them, request that it be deleted, and opt out of their data being sold. The CCPA also stipulates that businesses cannot discriminate against customers who exercise their rights under the law.
Use unique passwords. Where a loyalty program/app requires a password, make sure you create one that is unique. Otherwise, a breach at one loyalty scheme provider can jeopardize all your other accounts.
Share minimal information. When applying for a loyalty program, never include your Social Security number or driver’s license. Most loyalty schemes will approve your application even if you leave these spaces blank. Similarly, if you’re downloading a loyalty program app, limit the permissions you give it. Consider also creating an email address just for loyalty schemes.
Watch out for loyalty program phishing emails. Cybercriminals may attempt to steal your loyalty program information through a phishing email, so be wary of any suspicious communications.
Our recent favorites to keep you up to date in today’s digital privacy landscape.
Privacy Policies for IoT Devices Incomprehensible, Finds Mozilla
Mozilla’s recent *Privacy Not Included holiday buyers guide found that privacy policies of IoT devices have gotten more complicated and incomprehensible. For example, Meta Quest Pro’s VR headset has 14 privacy documents that come to 37,700 words—6,747 words longer than Charles Dickens’ novella “A Christmas Carol”—and would take just under five hours to read.
Meta’s New Tool Lets You Delete Your Phone Number and Email
Even if you don’t have an account with Facebook, it probably still has your phone number and email address. Now, the company has a tool that lets you check if they have this information and allows you to delete it. The tool was released by Facebook’s parent company Meta in May 2022 but did not become public knowledge until the end of October when Business Insider ran an article about it.
Some People Are Worried Over the Kids Online Safety Act
As some groups push for the Kids Online Safety Act (KOSA) to be advanced, others worry that the bill, which is meant to protect children from online harms, would lead to widespread censorship. In addition, it is argued that to verify users’ age, KOSA will necessitate greater data collection, which could have a negative impact on all users’ privacy.
Apple Tracks Users Without Consent, Is Hit With Lawsuit
Apple is collecting user data even when users turn off tracking in Settings. According to two independent researchers, Apple receives detailed information about what users do in first-party apps, as well as data about users’ iPhones. A federal class action lawsuit was filed in November, arguing that Apple violates the California Invasion of Privacy Act.
Here are some of the questions our readers asked us last month.
Q: How to stay safe this holiday season with phishing and other scams?
A: This is a timely question, as consumers are already receiving holiday scam emails.
What’s scary is that cybercriminals are changing their tactics to ensure their campaigns bypass email monitoring tools.
Email providers like Google are taking steps to stop these scams, but because they’re “particularly aggressive,” one or two fraudulent emails are likely to slip through the net and trick unsuspecting individuals into providing sensitive information or clicking on a malware-laden link or attachment.
Google has an article on 5 scams to watch out for in the near future.
In general, though, here are some steps you can take to protect yourself against scams, not just this holiday season but year-round:
Q: What do you say to people who say, “I don’t care about privacy because I have nothing to hide?”
A: International expert in privacy and professor of law at the George Washington University Law School, Daniel J. Solove, wrote a comprehensive article on this exact topic in 2011, and it’s still relevant.
The article is well worth a read but is, unfortunately, behind a paywall. For those who are not able to access it, one of the biggest takeaways is how widespread the false assumption is that privacy is “about hiding bad things” or a “form of secrecy.”
In reality, privacy abuses by information-gathering programs can hurt you in a number of ways, including:
Ultimately, Solove argues that “privacy is rarely lost in one fell swoop. It is usually eroded over time, little bits dissolving almost imperceptibly until we finally begin to notice how much is gone.” And by that time, it might be too late.
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Share Incognito with friends. If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.