Complain about a product or service

CVS Customers' Purchases Exposed on Company Website

By Martin H. Bosworth
ConsumerAffairs.com

June 29, 2005

• Internet Providers Admit to Monitoring Customers' Web Surfing • Big Brother Hitching A Ride in California? • GAO: Government Can Do More to Protect Personal Data • US Search Agrees to Stop Selling Private Credit Data • TSA Site Left Passenger Data Exposed To ID Theft • Connecticut Governor Wants 'Opt Out' For Online Directories • Verizon Gave Customer Data To Government Without Court Orders • House Democrats Probe Warrantless Surveillance --- • More Privacy News ...

If you purchased something at CVS within the last six months and used an ExtraCare "rewards card" to get a discount, you had best hope it wasn't anything you wanted kept private. Until just recently, anyone with a minimal amount of information could access your ExtraCare spending records from the CVS Web site and track all of your purchases.

"Condoms, feminine products…you can see purchases of all the fun stuff," said Katherine Albrecht, founder of the nonprofit group Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) in an interview with ConsumerAffairs.com.

According to Albrecht, anyone who gets access to an ExtraCare card number, a cardholder's ZIP code, and the first three letters of their last name could log on to the CVS Web site and request an e-mail containing that cardholder's buying history.

CVS originally instituted the program to allow buyers of over-the-counter medicines to qualify their purchases for Flexible Spending Accounts (FSA)'s. However, all users of the ExtraCare cards were logged and tracked on the site, even if they didn't purchase over-the-counter medication or use FSA's.

Upon hearing of the program, Albrecht asked a reporter colleague, Jack Neff, to shop at a CVS and purchase "some really embarrassing things."

"In 24 hours," she told him, "I'll be able to tell you what you bought."

She logged on to the CVS Web site using Neff's information, and requested that a list of his purchases be sent to a temporary e-mail address she'd established for the test. Sure enough, within 24 hours, she received listings of everything he'd bought.

CVS has temporarily shut down the Web site access until "stronger privacy safeguards" are in place, but Albrecht questions "why CVS has the data in the first place."

There's "no consumer value" in maintaining records of buyers' purchases, unless it's to track them for specialized advertising offers or to sell their information to other marketers.

"If you want an FSA account, set it up with your employer. That gives people the option to 'opt in,'" Albrecht said.

CVS did not immediately return requests for comment.

Customers may still be able to access the information by calling customer service, and the Web service itself may be put back in service once "safeguards" are put in place.

Although this is not a case of identity theft in the classic sense -- no buyers' prescription information or Social Security numbers were made available, nor was any data actually stolen -- it is a clear example of how information gathering and selling can be embarrassing to consumers who aren't aware of the risks.

Even something as seemingly beneficial as a supermarket discount card can be used to "profile" a shopper and set them up to be targeted for marketing offers, or have their information shared without their knowledge or consent.

According to a 2003 survey conducted by retail consultant WSJ and noted by business Web magazine Retail Traffic, 82 percent of American consumers participate in at least one retail loyalty program. More than half of adults participate in supermarket loyalty programs.

Of those, 84 percent say they try to use a program every time they shop.

WSL says young people ages 18 to 35 and mature consumers over the age of 55 are more likely to sign up for a Kroger, Barnes & Noble or CVS card to save money.

These two markets are the gold standard for retail and marketing initiatives, and can be much more easily targeted if vendors have access to their profiles and buying histories.

"People don't understand that these records stretch back for years", said Albrecht. "You should have the right to call CVS and say 'No, no, delete my records.'"

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |