Shopping and Personal Data in the Era of E-commerce Giants

If you've been searching for an online store selling fashion, cosmetics, or even home accessories in the past few months, you've likely encountered one of the foreign internet giants. Several online retailers of immense proportions have entered the CEE e-commerce markets. While their presence in the domestic market may promise a new, potentially broader selection of very affordable goods for customers in the CEE region, it also raises concerns for many regarding the security of personal data.

The issue of data leakage from global e-commerce platforms is significant, and there have been several historical cases where sensitive data of e-shop users fell into the wrong hands. In the eBay incident of 2014, hackers gained access to the customer account database and stole the data of over 145 million users. A year earlier, Target faced a similar situation, with over 110 million customers' information, including payment card details, being stolen.

The leak of approximately 750,000 user data records following the hacker attack on Mall.cz in 2017 likely had the most significant impact in the Czech environment.

However, it's not only hackers who may pose a threat; the retailer itself can also be a concern. From a current perspective, the misuse of millions of customers' data by the Chinese marketplace Pinduoduo for its own benefit serves as a warning sign. In fact, the Pinduoduo mobile app was found to contain malware, allowing the company to track its customers and competitors.

Similar allegations have been made in relation to the Chinese giant Temu.

So, what exactly are the risks of online shopping?

Security Risks in Online Shopping

When making online purchases, consumers are required to provide a range of personal information, including payment card details, addresses, or contact details. The information obtained through e-commerce can then become a valuable target for cybercriminals who use it for various nefarious purposes such as identity theft, fraud, or extortion. As ordinary users, we have limited options to defend against this kind of danger. The quality of server security primarily lies with individual merchants, and attackers sometimes manage to exploit vulnerabilities even in the most reputable e-shops. Protecting ourselves against such risks is more or less limited to visiting brick-and-mortar shops.

However, with the proliferation of e-commerce giants, we are also witnessing the emergence of a new phenomenon - the misuse of user data directly by the online store itself, where collected data is resold or used for unfair business practices. Therefore, we must carefully choose where we make our purchases.

At the same time, all major e-shops are often connected to dozens of external services, typically for data collection for web analytics, personalization, marketing campaigns, or internal process automation.

So, if the retailer itself seems trustworthy, is that where the danger lies?

Collecting Data Safely and Without Malicious Intent

It all depends on the e-shop you interact with. Some retailers thoroughly vet their outsourced service providers to ensure that their customers' data is not misused. Let's take an example of what data is processed by such external services and how it is used.

For example, in the case of a personalization service, the "data tree" first splits when users arrive on the site and choose whether to accept cookies, reject them, or accept them in a limited scope.

Additionally, such a service typically collects data about the user's actual behavior on the website, such as the time spent browsing a page or a specific part of a page, mouse movements, or the actual navigation through the e-shop.

Your data is also collected by the web browser you use to search. Typically, this includes the IP address, the type, make, and model of the device you are using at the time, or the device's resolution and audio settings. However, all of this data remains anonymous; it's only general information that can be used as a substitute for cookies to "identify" the customer using a device fingerprint. In this case, you do not have to worry about personal data leakage; on the contrary, the anonymous data about your visit helps to enhance your shopping experience.

The difference arises when you log in to your user profile on a particular e-shop. In this case, the e-shop will, of course, identify you based on the previously filled-in data and can offer you goods even more accurately according to your last visit or purchase history. However, to create an account, you must agree to the use of the data you enter in the contact form on the e-shop. The credibility of such shopping is enhanced by the fact that it is conducted at well-known and verified e-shops in the EU or other developed countries where data protection is a high priority. Such e-shops cannot afford to accept, for example, an external service that could misuse their customers' personal data. Typically in the EU, the collection of personal data is strictly regulated and, above all, controlled. Therefore, there should be no danger when shopping at such verified and well-known e-shops.

Nevertheless, we should remain as cautious as possible when making our choices.

Michal Krňák, Business Development Manager, Zoe.ai

Zoe.ai is a start-up under the Lundegaard consulting and technology company, focusing on developing a technological personalization tool that can monitor and collect data about people's behavior on websites or mobile sites and recommend products tailored to specific visitors. The tool largely employs elements of artificial intelligence, such as machine learning. The company mainly specializes in big e-commerce players. Thus, its clients include Heureka, Pilulka.cz, CityZen, Allegria-Firma na zážitky, Decodoma, and Astratex.