- Paying by Credit Card or Check (California Only)
- Paying by Credit Card: MasterCard and Visa Rules
- Merchandise Returns and the Retail Equation
- Customer Loyalty and Rewards Programs
- Behavioral Targeting
- Mobile Location Analytics
- Product Registration Forms
Retailers want to obtain as much information as possible about their customers so they can more precisely market to them. However, in our "big data" society, where billions of pieces of information easily can be collected and distributed, it’s not necessarily in your best interest to have a lot of your personal data accessible. Seemingly innocuous customer information obtained from consumers can often be combined with data available from other sources to obtain a surprisingly detailed portrait of an individual customer.
In this guide, we'll explain some of the ways that retailers track shoppers, and how you can protect yourself from such tracking. We'll examine situations where shoppers may be asked to provide information as part of a retail transaction, for example when paying by check or credit card, using a store's loyalty card or returning merchandise. We'll also look at ways that retailers might collect information without your knowledge, by using sophisticated technology.
We'll start by looking at common ways that retailers collect information at the cash register or at the returns desk, then take a look at how shoppers are being tracked while moving around a retail store, and finally take a look at how you might be asked for information after you leave the store.
Two California laws limit the collection of personal information in stores when you pay by credit card or check. These laws were enacted to prevent fraud and limit the amount of personal information which can be collected by merchants.
- When a consumer pays with a credit card, the merchant cannot record any personal information other than what is on the front of the credit card. (California Civil Code § 1747.08) (Song-Beverly Credit Card Act of 1971)
- When a consumer pays with a check, the merchant cannot record the credit card number. (California Civil Code § 1725)
What personal information can a merchant collect when a shopper pays with a credit card?
Under the Song-Beverly Credit Card Act:
- Merchants cannot request or require that the consumer write any personal information, including address and telephone number, on any form associated with the credit card transaction when the consumer uses a credit card to pay for goods or services.
- Merchants cannot ask the consumer to provide personal information that the merchant then records.
- Merchants cannot use forms with pre-printed spaces for personal information.
Are there any exceptions?
Yes. A merchant can collect personal information when:
- The credit card is used as a deposit.
- The credit card is used for a cash advance.
- The personal information is needed for something incidental but related to the use of the credit card. An example would be the address to which the purchased product is to be shipped.
- The merchant is required to collect information under a federal law or regulation.
- The merchant is contractually obligated to provide personal identification information in order to complete the credit card transaction.
- Merchants can record the cardholder’s driver’s license number or identification card number on any form associated with the transaction if the cardholder pays with a credit card but does not provide the credit card. An example is if you are at a department store and forget your credit card but want to charge something to your account.
- The card is used to "pay at the pump" for gasoline, limited to zip Code information which may be used solely for prevention of fraud, theft, or identity theft.
Does the law prohibit a merchant from asking to show identification when using a credit card?
The Song-Beverly Credit Card Act does not prohibit a California merchant from requiring a consumer who pays for goods or services by credit card to show identification such as a California driver’s license or California ID. If these are not available, another form of photo identification can be required to be shown. But merchants cannot write or record any information from these documents. However, as we explain below, the major credit card company rules provide that merchants cannot make showing identification a condition of credit card acceptance.
Does the law prohibit a merchant from asking for your zip code?
In Pineda v. Williams-Sonoma Stores, the California Supreme Court ruled that a merchant may not ask a customer to provide a zip code as part of a credit card transaction. Williams-Sonoma used customer zip codes that it collected from customers to obtain their home addresses. It then used those addresses to send catalogs to customers who had never provided their address to the retailer. It was able to obtain these addresses through a process known as reverse appending (reverse searches from databases in order to match their customers’ names and zip codes with their previously undisclosed addresses).
Exception: When "paying at the pump" for gasoline, your zip code can be collected. It may be used solely for prevention of fraud, theft, or identity theft.
What personal information can a merchant collect when a shopper pays by check?
Merchants who accept a check for goods or services sold or leased at retail cannot:
- Require a consumer to provide a credit card or record the credit card number in connection with any part of the transaction.
- Require a consumer to sign a statement agreeing to allow the consumer’s credit card to be charged to cover the amount of the check in case the check bounces.
- Contact the credit card issuer to find out if the amount of credit available to the consumer will cover the amount of the check.
Are there any exceptions?
Yes. A merchant can request or record a credit card number in connection with payment by check when:
- A check is used solely to obtain cash.
- A check is used as a deposit.
- A check is used to make a payment on that credit card account.
What happens when a merchant breaks the laws described above?
While merchants may ask a shopper for identification, in most situations, a merchant may not condition acceptance of a Visa or MasterCard credit card upon the customer presenting identification. In other words, you can refuse to provide identification, and the merchant still must accept your credit card. Many merchants are unaware of this rule or simply choose to ignore it.
Be aware that identification may be required for purposes other than the credit card transaction, for example, when purchasing alcohol, tobacco products, or certain medications. Identification may also be required for unusual transactions flagged during the authorization process.
Some shoppers feel that asking for ID helps protect them from identity theft. But others want to protect their privacy and personal security by not revealing their address, birth date, and other information contained on their driver’s license to a stranger.
The MasterCard Rules (November 15, 2016 edition) provide as follows:
5.10.4 Additional Cardholder Identification
A Merchant may request but must not require a Cardholder to provide additional identification information as a condition of Card acceptance, unless such information is required to complete the Transaction, such as for shipping purposes, or the Standards specifically permit or require such information to be collected.
A Merchant in a country or region that supports use of the MasterCard Address Verification Service (AVS) for MasterCard POS Transactions may require the Cardholder’s ZIP or postal code to complete a Cardholder-Activated Terminal (CAT) Transaction, or the Cardholder’s address and ZIP or postal code to complete a mail order, phone order, or e-commerce Transaction.
The Visa Core Rules (April 22, 2017 edition) provide as follows:
22.214.171.124 Cardholder Identification
A Merchant may request Cardholder identification in a Face-to-Face Environment. If the name on the identification does not match the name on the Card, the Merchant may decide whether to accept the Card. If the Cardholder does not have or is unwilling to present Cardholder identification, the Merchant must honor the Card.
What should I do if a merchant insists upon seeing my identification?
Unfortunately, the MasterCard and Visa rules are often ignored by retailers. If you feel strongly about not showing identification as a condition of using your Visa or MasterCard credit card, you may wish to print out a copy of the relevant merchant rule (from the links cited above) and ask to speak to a store manager.
Must I allow a store to swipe my driver's license if I want to make a return?
Generally, yes. While return policies vary from one retailer to another, many retailers require you to present a driver's license (or government-issued ID) when you return or exchange merchandise. Typically, retailers will swipe your license in a reader that will query a database to look at your return history for patterns of fraud or abuse. By scanning your license, the retailer can collect any information that is encoded on the license's magnetic stripe or bar code. In most states, this information includes the data printed on the face of your license.
California law specifically allows a retailer to swipe your license "to collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation." CA Civil Code Section 1798.90.1(a)(1)(D).
Some retailers manage merchandise return data in-house while others outsource the collection of this data to a company called The Retail Equation.
What is The Retail Equation?
The Retail Equation (formerly known as The Return Exchange) (TRE) is contracted by many retailers to gather and store their return information and analyze the data to develop return policies for those retailers. As customers return merchandise, TRE compares variables such as return frequency, dollar amounts and/or time against a set of rules that form the retailer’s return policy.
TRE states that it does not share its data among retailers. Access to information in their returns database is limited to the consumer, TRE, and the retailer that provided the data to TRE. In other words, TRE does not create a compilation of the shopper’s return activity across all merchants with which that individual shops. If the shopper has returned merchandise to several companies, a merchant will only see the returns for that specific retailer.
TRE does not actually set the return policies for participating retailers. The company gathers and supplies the data that subscribing retailers use to make return authorization decisions, and helps them determine their own return policies.
Can I see the information that The Retail Equation has about me?
Yes. You can order a copy of your Return Activity Report from TRE. This report is a history of all your return transactions posted in those stores that use TRE. The report lists return activity information including the stores you have returned to and, for each return, the date and time, whether it was with or without a receipt, and the dollar amount. You may obtain a copy of your return activity report by sending an email to: ReturnActivityReport@TheRetailEquation.com. You should include your name and a phone number where TRE can reach you. When TRE calls, the company will ask for your driver’s license number and state, to enable a database search.
Can I dispute the information that The Retail Equation has about me?
TRE offers consumers the ability to dispute their Return Activity Report. If a consumer identifies any inaccuracy in his or her information, or if a consumer needs to change information in TRE’s files, the consumer should notify TRE in writing at The Retail Equation, P.O. Box 51373, Irvine, CA 92619-1373 so that they can investigate and update their records.
Supermarkets, drugstores, coffee houses, and other retailers around the country use customer loyalty cards, which may also be called rewards cards, discount cards, or membership cards. Typically, shoppers fill out an application to get the card, giving their name, address, email address and sometimes other demographic information such as gender, phone number, birthday, or income.
When customers show their card at checkout, they may be given a discount for items covered by the card that day. Some cards also accrue points that can be redeemed for various rewards, such as free merchandise, airline miles or cash rebates.
These programs allow the store to keep tabs on what customers buy and how often they shop. Merchants say this allows them to identify their most loyal customers, learn more about their buying habits, and offer such best customers the products and services they demand. However, some consumers and consumer-rights groups claim that the data collected by the stores violates privacy rights and may not even save consumers money.
If you shop in California, the Supermarket Club Card Disclosure Act of 1999 provides you with some protection. This law prohibits supermarket club card issuers (1) from requesting driver's license numbers or Social Security numbers, and (2) from selling or sharing personal customer information. The law defines supermarket very broadly -- as "any retailer that sells food items". There is, however, a limited exemption for membership card stores, such as Costco and Sam's Club.
How can your purchasing history be used?
Advertising Age Magazine has developed an interactive graphic that explains how information from a loyalty card purchase is almost instantaneously shared with dozens of other companies.
Members of the Food Marketing Institute (FMI) have developed privacy principles that include allowing customers access to their data, giving them the ability to withdraw, and having all personally identifiable information about them deleted from the database.
The data broker Oracle Datalogix claims to have data including almost every U.S. household and more than $1 trillion in consumer transactions. This data comes primarily from loyalty cards at supermarkets and drug stores. By matching the email addresses or other personal information associated with loyalty cards to information used to establish Facebook accounts, Datalogix is able to track whether consumers purchase a product in a store after seeing a Facebook ad. Consumers can opt out of Datalogix-enabled advertising and analytic products by downloading Oracle's opt-out cookie.
What can you do?
Many shoppers appear not to be terribly threatened or concerned that their “club memberships” might lead to compiling of personal information. But if you find the concept troubling, here are steps you can take:
- Shop elsewhere. Voting with your wallet is always wise. Support stores that don’t use loyalty cards.
- Try registering with a fictitious name and address. Some consumers have reported registering with creative names such as “Kroger Shopper” or “Ralph’s Shopper.” If you use this method, be sure that you don’t use your card when making pharmacy purchases, since the store must have a record of your actual identifying information to fill a prescription.
- If you ask, some stores will give you a loyalty card and allow you to mail in the registration form. Generally, the cards are valid even if you fail to mail in the registration form.
- Opt out. Refuse to sign up for a card. This option will likely result in you paying higher prices. However, some sympathetic cashiers have been known to scan a “house card” for customers who do not have a card.
- Seek access to your data. Find out how your store controls information and how you can get access to it. Ask the customer service representative to disclose your personal profile. If you want your profile removed, find out what’s required to do that.
Most consumers are aware that online merchants use various technologies that track their behavior when they shop online. This practice is known as "behavioral targeting." In addition, some online merchants engage in "dynamic pricing", charging different prices to different consumers for identical goods or services.
In the past, it was difficult for brick and mortar retail stores to engage in sophisticated tracking of their customers in the absence of the customer loyalty programs described in the preceding section. Online retailers have had the advantage of collecting analytical data through browser cookies and other mechanisms, while "brick and mortar" retailers have not had those options available to them.
Many technological advances now permit stores to track shoppers without their knowledge. The extent of such tracking had been a well-kept secret of many retailers. However, it seems that almost daily there are new revelations of tracking by retailers.
Perhaps the most shocking example involved Target, which was able to figure out that a teenage girl was pregnant before her father did. Whenever possible, Target uses a unique ID number (known internally as a Guest ID number) to identify its customers. Every time you use a credit card or coupon, visit the Target website, open a Target email, call Target customer service, or interact with Target in any way, Target associates this information with your Guest ID number. By data mining the pregnant teenager's purchase history, Target was able to know that she was pregnant because she purchased various items that were highly predictive of pregnancy. In addition, Target can link demographic information (such as your age, marital status, number of children, distance from the closest store, and estimated salary) to your Guest ID number. Target's data mining practices are both a fascinating and frightening story first revealed in a 2012 New York Times Magazine story.
Many new technologies are emerging to enable brick and mortar retailers to keep up with their online competitors. Innovative use of video surveillance and signals from mobile devices are rapidly helping to close this information gap. Retail stores are rapidly embracing these technologies, which create significant privacy concerns for shoppers. Retailers can detect when you look at a product, how long you stay in the store, track your movement through the aisles, and potentially recognize you as a returning customer. These retail analytics are rapidly changing traditional brick and mortar retail shops into "smart stores." Even shopping malls are following you when you shop.
How are mobile devices used to track you in retail stores?
Most mobile devices (including smartphones and many wearable devices) emit a Wi-Fi MAC Address and a Bluetooth address. Your MAC address is a unique 12-digit string of letters and numbers assigned to your phone or device. Retailers can use either their existing Wi-Fi or sensors placed throughout the store to detect your device's MAC address. This practice is known as Mobile Location Analytics (MLA) technology.
How can I prevent a store from tracking my mobile device?
To stop your MAC addresses from transmitting, you must either turn your device off or turn off both Wi-Fi and Bluetooth. Be sure to do so before you get close to the store, because the range of the retailer's sensors may extend beyond the store’s physical boundaries.
Remember that if you choose to use a retailer's Wi-Fi network, you will generally have to agree to its Terms and Conditions. You should be sure to read them before clicking "Accept" so that you can understand how your information may be used. Be aware that a retailer's Wi-Fi can capture your browser information, the URL of each page you visit, searches, products that you view on websites, and information that you enter into unsecured online forms.
What kinds of data do retail analytics companies collect about shoppers?
According to RetailNext, a company that offers real-time analytics to collect, analyze, and visualize in-store data, the following information may be collected:
- The location of a smartphone or wireless computing device is collected by observing Wi-Fi or Bluetooth signals broadcast from that device. Individual devices are identified by a unique number (called a “MAC address.")
- Data from video cameras is used to determine the paths people take through a physical space and to try to ascertain certain qualities about people, like age or gender.
- When customers use guest Wi-Fi “hotspots” at their locations, registration is sometimes required. Registration data from these services is collected.
- When customers use guest Wi-Fi hotspots, information about use of non-secure websites may include browser information, the URL of each page visited, search terms used, products viewed and saved on retail websites, and information entered into online forms.
How can facial recognition be used to track you in retail stores?
Video surveillance, typically used to deter shoplifting, can also be used to engage in facial recognition, whereby the approximate age and gender of a customer may be determined. This may be used to customize advertising to a customer's demographic. Video analytics can also ascertain where customers go in a store and which items they pick up. Facial recognition software programs continue to be adapted for retail environments.
When you purchase an appliance or a consumer electronics product, you’ll likely find a product registration form included among the documents packaged with the product. The first few questions on such registration cards are usually dedicated to the name and address of the individual who purchased the product, as well as specific information about the product — essential data for the purpose of informing the company that the individual now owns one of its products, useful information in case of a product recall.
But often the remainder of the card consists of a survey that asks the purchaser about his/her demographics and lifestyle characteristics. None of this information is necessary to register the product with the company.
What most consumers do not realize is the postcards are not really returned to the company that manufactured the product. Rather, most such forms are mailed to a data aggregation company. Thus, a tremendous amount of highly detailed personal data is collected from unwary consumers who are led to believe that they are taking the important step of registering their product. This information can then be sold to or shared with data brokers and others for marketing and other purposes.
What can you do?
Don’t send in the product registration cards unless you’re comfortable with your personal information being collected and possibly distributed for other purposes such as marketing. Or, fill in only the questions pertaining to your contact information and the product you purchased. If the product has a safety aspect to it that could result in it being recalled someday, you might want to consider the latter approach – providing only your contact information and details about the specific product.
California Office of the Attorney General
Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244-2550
Telephone: (800) 952-5225 California only
Calls from outside of California: (916) 322-3360.
National Association of Attorneys General provides contact information for state AGs.
50-state directory of state, county, and city consumer protection offices in The Consumer Action Handbook of the Federal Consumer Information Center.
Consumer Reports' ShopSmart Magazine (March 2013) explains how stores spy on you using spy cams, smartphone tracking, and personalized advertising.