CVS Buys Email Addresses

If you’re like me you probably have a half dozen little tags hanging from your keyring so you can get discounts at places like Kroger’s and Border’s Books. These kind of frequent shopper programs are nothing new. They have certainly become more prevalent lately as companies realize how easy it is to track their customers and how valuable that information could be. This too is not thing new. I worked on a web site project in 1997 for a consumer product review magazine. The entire business plan of this magazine’s web site was to allow customer’s to search and compare products and harvest the type of information that people wanted to find. The company died in 2001 when the internet bubble burst before that model had a chance to mature. A decade later it is mainstream.

In the beginning was the punch card. Every time you visit, you get your card punched. When your card is full you get a free whatever. Those same guys started to ask you to put your name and address on the back of the card when you converted this card into a prize. This was to help prevent abuse and it was to collect basic information on who their customers were. Today we have little cards and keyfobs that can be optically scanned to identify the number on the card in an instant.

These little keyfobs come in two forms. The first kind and generally the older model is the keyfob that tracked you anonymously. You probably got the card with very little or no information. You carry the card because when you look at the price label on the shelf there are two prices: one for people with cards and a much higher price for everyone else. The lower price is the price you probably consider normal or its the sale that got you to come into the store in the first place. Every time you use this card the company knows general and anonymous information that can be used to create a model of a shopper like you. This is the critical distinction. They do not care about you per se. They only care that people in a particular zip code who buy winkies also buy Diet Coke. And they know that these same people may show at a few specific stores. When you take this model and statistically compare it to other models you can then start to mine this information and then you can sell this information to your suppliers and advertisers depending on your business model. The customer is happy because they are getting a perceive discount and the company is happy because they are generating another revenue stream.

Some of these same companies may have asked you to fill out an application but that application was not validated or in some cases even required. Some stores may give you a new card anytime you ask or the cashier may scan their own person card just to give you the discount. As a rule, I never give real identifying information if it is not required. I will take their card and their discount. I’m not so paranoid that I pay with cash but I trust that the CISP rules prevent them from tracking me by my credit card.

In the other type of card you have to give your personal information up first and then you will get coupons based on your past purchases. This is preferred by the customer because there is only one price. You have to decide if the discount or benefit is worth the loss of privacy. Depending on the agreement that you sign that company can do pretty much anything they want with the information they collect. Since they are not extending you credit they are not governed by the consumer laws related to credit cards. The benefits can add up. A couple examples of this are Staples and Best Buy. You have to sign up for their points card and then some time later you get a discount on a future purchase. The company now not only has a really good model of your spending habits but they also have your personal information. This is usually name and address but it could include gender, age, and household income. Congratulations you have just been targeted.

So now the companies who started out in the first model are trying to convert to the second model. They may abolish their program and come out with a new program. This happened with my BlockBuster “Gold” card. Or they may give you an incentive to link your card with your personal information. Just today I bought something at CVS. I did not have my card with me and the cashier gladly took a brand new on right off the stack and used it to get my 25% discount on my case of soda. When the receipt printed out I found the most remarkable message. It said that if I wrote down my email address right now and hand it back to the cashier, I would get a $4 coupon in my email. Wow $4 for my email address. That means that it must be work a whole lot more than $4 for CVS to be able to link my anonymous card to an email address that they can use to target me as a consumer. I did not take CVS up on the offer primarily because it wad not my card to begin with. Had I wanted to take advantage, I would have created a throwaway email address just for this purpose just to see what they did with the address. This is not technically spam since I have an existing relationship with this company.

I’m concerned about how easy it is for marketing companies to start collating all this mined information. At least one company is tracking you at the payment method level (ipromise.com) creating a model that spans fast food, groceries, electronics and more. Be very careful giving out your personal information. It may be worth setting up a PO Box just for the junk mail. You should definitely maintain at least one throwaway email address that you can give out and keep separate from your real email address.

Be careful giving out email addresses to even organizations that should be reputable. I recently gave an email address to my child’s teacher for communicating about grades and the like. A few months later I received an email from a company on this email address. It turns out that an employee of this company knew one of the teachers who gladly gave this company the entire student email list. The company was so inept that they sent a 2 MB email to several hundred people with every email address in the TO line. I was easily able to see who of my neighbors was also affected by this breach of trust. I contacted them, the school and the company and tried to set it all right. I luckily could just throw way the email address. For other, their personal email address is now out in the wild. If just one of those recipients was running a system infected with malware (read Windows), then all those email addresses were compromised. Sure enough within a couple of weeks, I began receiving spam to that email address. That email address had only been created for one purpose and had only been given to one teacher. Here we have a clear chain of evidence.

In summary, your personal information is very valuable. Make sure you are getting something of value if you are going to give up information that can readily identify you. This may all be moot soon. What’s next? Bio metrics? Don’t get me started. Who has a larger finger print database? Law enforcement or DIsney World? Disney World now requires a finger print to get into the park.