Businesses gather more information than they need from consumers

Moira Hahn, like many consumers, always took it for granted that businesses wanted as much of her personal information as they could get.

She didn’t really start thinking about how such practices could come back to bite her until she became one of the millions of Target customers recently warned that her sensitive data could be in the hands of hackers.


Credit and debit card numbers of as many as 110 million Target shoppers, along with their names, addresses and other info, were jeopardized after the company’s databases were accessed after Thanksgiving by identity thieves.

So it was with a considerably bruised sense of privacy that Hahn, 57, of Long Beach, was asked by a Rite Aid drugstore the other day to part with her name, address and other info if she wanted to pay a reasonable price for cold medicine.


“I’m furious,” she told me. “I don’t want these corporations tracking me, mining my data and leaking my information all over the universe.”

Rite Aid is by no means alone in trying to collect reams of information about its customers. Almost all businesses and organizations have similar practices.

They often combine their own databases with information purchased from so-called data brokers to amass detailed files on people that can be used for marketing purposes or possibly sold to other companies for their own solicitations.

I wrote on Tuesday about the need to make credit and debit cards more secure. It’s similarly clear that strong rules should be enacted for collection and use of people’s personal data.


“Businesses aren’t protecting information the way it needs to be protected,” said Stan Stahl, president of the Los Angeles branch of the Information Systems Security Assn., a tech-security trade group.

He said a benefit of such extensive — and intrusive — information-gathering is that businesses have a better sense of what specific customers may want. He said his wife is glad to receive coupons for Pavilions supermarket based on her past shopping trips.

“On the downside,” Stahl said, “companies are collecting more information than they need. This is information that they may not even use now but will instead maybe use at some point down the road. It’s too much.”

That’s the thing: How much is enough? Obviously businesses require certain information from customers to process non-cash transactions.


But when even the most routine retail experience turns into a data grab, consumers have every reason to wonder why so much information is being sought — and how it’s going to be used.

Ashley Flower, a Rite Aid spokeswoman, said the company seeks the name, mailing address, email address and phone number of people enrolling in the company’s rewards program to contact customers “who are open to receiving communication from us.”

Ah, but are they? It seems fair to assume that no one would willingly part with their personal info if they weren’t being offered something attractive in return — in this case, a discounted price for everyday purchases.

You could say that no one forces people to join rewards programs, so people like Hahn have no right to complain. But the upshot is that people who care about their privacy end up paying higher prices than people who don’t.

That’s a form of retail extortion: Cough up your confidential info or pay more money.

I asked Flower why Rite Aid doesn’t just offer lower prices to everyone. Clearly the company isn’t losing money even with the discounted prices.

Flower said Rite Aid’s wellness+ program, like all such rewards plans, is designed to get people to shop more at the company’s stores.

“Customer participation in the program is required to allow us to identify their spending and reward them for their business,” she said. “Requiring the card to enjoy our discounted prices allows us to ensure customers are using their card with every transaction in order to fully realize their earned rewards.”

Did you catch that bit about “identify their spending”? That’s data gathering. And that’s valuable.

That other bit about “requiring the card to enjoy our discounted prices” ensures that Rite Aid will be able to look over your shoulder any time you buy something.

I recently opened my first Apple account so I could access the company’s App Store. I was astonished that a condition of my signing up for a purely digital relationship was to give Apple my home address.

Does Apple need it for me to download apps? Of course not. Does it want my home address so it can know much more about me than I’d care to impart? Big time.

The company’s privacy policy says: “Apple and its affiliates may share this personal information with each other.” It also says that what I give them may be combined with data from other sources “to provide and improve our products, services, content and advertising.”

That’s not evil. Nor is it unusual. But it’s too much.

Cold case

Speaking of information gone astray, Richard Rorex’s wife died of cardiac arrest at St. Mary Medical Center in Apple Valley in September. Two months later, she received a letter from the hospital requesting a donation.

“That was just cold,” Rorex, 77, told me. “They should have known that she wasn’t going to respond.”

Earlier this month, a grieving father in Illinois received a letter from OfficeMax addressed to his name, plus “daughter killed in car crash.”

Mistakes happen. But when data mining results in such offensive marketing pitches, it seems clear that the system is broken.

“We absolutely apologize,” Randy Bevilacqua, a spokesman for St. Mary Medical Center, said after being informed of the fundraising letter sent to a dead patient. “That shouldn’t happen, obviously.”

But it does. And it’s wrong.

David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to