Connect with Joseph Steinberg


Online Businesses Often Steal And Exploit Customer Data Collected During Canceled Transactions


Over the past year I have experimented to see how various retailers handle personal information that they collect from customers, especially when such information is collected as part of a purchase made by the customer in what appears, at first glance, to be some “amazing deal.”

As I have warned for decades, just as they are in the physical world, “too good to be true” prices found online are often scams; one should be especially careful when dealing with retailers who advertise such prices but who are also previously unknown to the buyer.

That said, in many cases, online retailers do occasionally offer unusually attractive sale prices for specific goods.

In some cases, legitimately offered “amazing deals” may, in fact, represent win-win situations for both retailers and customers alike – customers are able to purchase a particular item at a cost well below that for which they would normally be able to obtain it on the open market, and retailers are able to obtain, at what often turns out to be a lower cost than would otherwise be possible, what is to them highly valuable detailed customer information about parties that are likely to purchase related products.

At times, however, after I made “great deal” purchases, the retailers cancelled the purchases, providing an explanation that the price at which the item was offered and at which I had purchased it was erroneous – the result of some computer glitch or human error – and that the seller had the right to cancel any purchases made due to a price mistake. Some such cancellations occurred prior to the retailer sending me any email confirmation of the associated transactions, but, in some cases, the retailer cancelled the associated sale after not only confirming by email the purchase, but also after having charged my credit card and waiting for the associated debit to post to my account. In one case, the retailer cancelled the transaction even after shipping the purchased item to me – by notifying the shipping company to return it to the sender.

It should be obvious that retailers have a right to cancel transactions in some circumstances, including in cases of honest mistakes. However, when retailers do make such a cancellation, they should not have a right to keep any of the consideration that they received from the parties who attempted to make the purchase.

Such a statement may seem obvious – obviously, if one cancels a sale they are not entitled to keep the payment made for the purchase.

The reality is, however, that many retailers, in fact, effectively do just that: unfairly enriching themselves from cancelled transactions. Such businesses allow themselves to maintain and exploit for their own advantage the customer information that they collect during attempted purchases that the businesses refuse to fulfil. Remember, data has value – in fact, as noted above, in some cases the primary reason that retailers offer “great deals” in the first place is to obtain exactly the type of data that the offending retailers are effectively stealing.

The abusive practice of keeping data received as part of cancelled purchases seems widespread. I myself have received, and continue to receive, targeted marketing emails from a significant number of the retailers from whom I attempted to make a purchase, but from whom I never successfully completed even a single transaction because the relevant retailers cancelled the only transaction that I ever initiated with them. In none of the cases did I provide my contact information to these retailers other than within the process of (attempting to) make the relevant purchase, nor did I provide my consent to collect the data other than as part of the transaction.

I should also note that in each of the aforementioned cases, I provided my email address to the relevant retailers because those retailers required that I provide it as part of the checkout process to complete a purchase on their websites. While I will leave the legal specifics to attorneys, it seems clear to me as a layman that if I was induced by a party to supply it with my email address under such circumstances, it has no right to store and use that address to market to me unless it delivers on its “side of the deal.”

While civil suits – perhaps even class action cases – related to the stealing of data in such a fashion might theoretically already be possible under various existing laws, it is likely that those doing the stealing believe that the damage to any individual from such theft is both hard to measure and far too small to lead to any actual claims. As such, it is time that we legislate explicitly both that no entity should be allowed to store and/or utilize any data that it collected as part of a transaction that it refuses to complete, and that violators will be subject to impactful penalties.

It is impossible to know whether all of the retailers that maintained data after cancelled transactions truly made honest pricing mistakes, or if one or more of them intentionally advertised an “erroneous price” (with the intent to never fulfil any related orders) in order to attract parties who would supply it with valuable data at little to no actual cost. It is clear, however, that if we do not enact legislation to mandate the immediate destruction of any and all data collected under the expectations of a transaction that the data collector cancelled, and to outlaw the use of any collected data until after the collector has fulfilled its obligations to deliver what was purchased and complete the associated transaction, such scams will proliferate.

The dawn of the AI era has made the need for such legislation even more timely – it is impractical to retroactively undo the knowledge that an AI system has already learned from a specific data element fed to it; as systems advance, and interact with other AI-equipped systems, it will become effectively impossible to remove after-the-fact all knowledge that a party derived from stolen data – doing so would, in theory, require that one force all systems involved to unlearn all knowledge that they learned from the point at which that stolen data was first introduced to the first system, and then refeed all of those systems all of the data that was originally fed into them after the stolen data was originally fed in; from a practical standpoint, such cannot be done.

