The focus on data privacy and security on the web has reached a fever pitch in recent years. As data breaches continue to make headlines, consumers are understandably concerned about the vulnerability of their personal and financial information. Online retailers have an especially high bar when it comes to the protection of credit card data and purchase information, so why did the 2018 OTA Trust Audit show retailers significantly backsliding in privacy and protection rankings? Is the online retail industry stagnant when it comes to consumer protection? What can be done to help?
The Online Trust Alliance (OTA) is a vendor-neutral organization that identifies and promotes security and privacy best practices to help build consumer confidence in the internet. Annually, the organization releases an Online Trust Audit which analyzes over 1,200 websites in a variety of verticals, from smaller online retailers to major sellers like Amazon.com, Apple, Walmart, and Target. As part of the audit, OTA celebrates high achievers that are committed to making ongoing improvements in cybersecurity and privacy. These honorees are listed on the OTA Honor Roll, a published list of organizations that includes many recognizable retailers. While 65 percent of the 500 assessed internet retailers made the Honor Roll, an improvement from 51 percent in the prior audit, other sectors improved even more, leaving retailers in the bottom tier of the overall rankings. Significant improvements were seen in email authentication, but privacy scores dropped significantly, which created the decrease in overall ranking.
The real issue for retailers involves excessive sharing of data with third parties. While at a high level most retailers’ privacy policies stated that they would not share data with third-party vendors, in-depth analysis revealed that nearly all of the retailers analyzed in the audit stated that they shared data with vaguely named entities such as “partners” or “affiliates.” Sharing is rampant for marketing purposes and is the main data driver behind the targeted advertising most online retail shops use today. Shoppers are largely unaware of the data sharing practices of their favorite online stores, making them unlikely to demand greater protections. While trusting a big-name retailer online seems safe, it’s often unknown who else has access to customer data.
In light of the privacy shortcomings highlighted by the OTA Trust Audit, here are some steps retailers can take to provide the best possible protection and foster greater transparency with their customers:
- Revamp privacy policies. Provide clear and accurate privacy policies that state what data is collected and for what purpose, and then set proper expectations regarding how the data is stored, shared and protected. Any sharing for marketing/advertising purposes or with third-party providers should be disclosed up front. Include an effective date on the policy so users can see when it was issued/updated.
- Hold third parties accountable. If sharing data with other vendors, retailers should know how third parties are using the data and ensure they’re held to the same standards as the retailer’s own website.
- Provide access/comparison to previous privacy policies. This is an issue of transparency and allows consumers to see what has changed if they care to explore the differences. Only 1 percent of the audited retailers currently follow this best practice.
Retailers need to stay up-to-date on the latest security and privacy practices when safeguarding customer data. A transparent and clear policy on data sharing will protect the retailer should any unseen breaches occur. For more information on how retailers ranked in the OTA Trust Audit, a full copy of the report is available.
Jeff Wilbur is the technical director of the Online Trust Alliance Initiative at the Internet Society, a company that promotes security and privacy best practices that build consumer confidence on the internet.