IT Security Guru

CYBER-MONDAY SHOPPING TIPS FOR THE SECURITY CONSCIOUS SHOPPER

by The Gurus
November 27, 2017
in Editor's News

The holidays are upon us, and that means consumers are limbering up their mouse-clicking fingers in preparation to go shopping online. Online shopping is now mainstream and consumers are expected to spend more than £600 billion online this year, up 14% from a year ago. More than three-quarters of mid-sized to large retailers now sell goods and services over the web.
 
In the wake of the many recent and prominent cyber attacks, it’s reasonable to be concerned about how safe your online shopping experience really is. To check, we analysed a dozen of the UK’s largest online retail sites to evaluate their policies and procedures regarding privacy, security and information sharing. The good news: all have good security practices when conducting transactions. The not-so-good news: password policies, information sharing and general disclosure practices are all over the map.
 
Here are some things to look for, based upon our research.

Secure browsing

HTTPS is a version of the standard HTTP protocol that adds an extra layer of security by encrypting traffic between your device and the server. Some organizations, including Google and the Electronic Frontier Foundation, have been pushing website owners to adopt HTTPS for all communications. In light of that fact, it’s surprising how many of the sites we visited don’t use this more secure standard for casual browsing. To be clear, all employ HTTPS for secure checkout, but several don’t make the switch until the customer logs into an account or heads for the checkout aisle.
 
There are reasons for this. Not all browsers support HTTPS, so requiring its use for simple viewing may lock some customers out of the site. However, the volume of non-HTTPS-compliant browsers is shrinking and the benefits of secure browsing are compelling enough that it’s worth checking when you visit the site. It’s easy to do; simply look at the URL in the address bar. If you see “http://” or nothing at all before the address, then HTTPS isn’t being used. That means that someone who can tap into your communications can see pages you are viewing or information you’re sending. Take particular note of this if you are accessing a shopping site over a public Wi-Fi network.

Privacy policy

Online retailers are required to post privacy policies by law. However, that doesn’t mean all policies are the same. That’s likely to change next May, when the General Data Protection Regulation goes into effect. Those are the rules that define how organizations operating within the EU must store and protect personal information about EU citizens. Enactment of GDPR should create a more level playing field, but in the meantime there are variances in details about the use of your personal data to look for.
 
A good privacy policy should be easy to find, easy to navigate and written in clear language. We found considerable variations between retailers in this area. Some bury sections of their policies in dense, nested menus or use legalese like Asda’s “By letting us have any sensitive personal data, you expressly consent to us using and telling others about any of your sensitive personal data so we can provide you with the goods or services requested by you in the way set out in this Privacy Policy.” Huh?
 
Others take time and care to craft a policy that is visually attractive and easy to navigate. Particularly notable is John Lewis, whose security policy amounts to a mini tutorial on good password practices. It even has advice on malware and phishing protection. Tesco also has an outstanding privacy center, with advice on how to protect against social media scams and even keep your gadgets safe.

Information sharing

Most e-tailers pledge not to use your contact information for anything unrelated to a transaction or a related service. However, some will contact you for market research studies or to get your feedback on their services or the website. Look, in particular, for language like “carefully selected third parties may use the information we collect to inform you about offers, products and services.” This means your contact information is being shared with companies or list services other than the one you’re doing business with, most likely for marketing purposes. Most retailers will let you opt out of such communications, but the responsibility to do so is yours.
 
A variation on this practice is to share information within a family of companies. For example, Marks and Spencer plc also runs its own bank and energy businesses and shares customer information between them. Retailers must disclose these practices in their privacy statements. If you’re uncomfortable with having a company that sells you clothes also pitch you on mortgages, opt out of the deal.
 
Speaking of opt out, practices also differ on email contact. Most retailers opt you into their email marketing programs and leave it up to you to withdraw. In some cases, you can opt out at the point of payment or registration, but others require you to go into your personal profile and change your preferences, or to unsubscribe once the pitches start arriving.

Payment information

Policies also differ on retention of credit card information. Some companies keep payment numbers by default, while others ask your permission. This information should be laid out in the privacy policy or stated on the registration page.
 
The convenience of saving your credit card on a retailer’s website is undeniable, but there’s also a risk involved, as evidenced by the many breaches of prominent brands. A safer course of action is to use a password manager that also stores payment information so that you can control access to this sensitive information. For one-off transactions with retailers you don’t know very well, we recommend against permitting payment information to be stored at all.

Password policies

Retailers love it when you become a member because it opens new avenues to market their goods and services. While there are many benefits to membership, be wary of how much information you give up upon joining. We recommend you limit yourself to providing only that which you would be okay with exposing in the case of a breach.
 
Pay particular attention to password security. Our research found the greatest variation between websites in that area. For example, BooHoo requires only that passwords be at least five characters, despite the fact that the site offers to store payment information. This is unacceptably weak security, in our view. Most sites specify a minimum of six to eight characters with a combination of upper- and lower-case letters and symbols, which is considerably more secure. A few offer strength meters, which assess the security of your password as you type. The more guidance the site offers the better. No matter what the requirement, use at least an eight-character password and avoid easily guessed substitutions, such as “1” for “l.”
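
The two checks recommended above (at least eight characters, no easily guessed substitutions) can be sketched as a small password audit. This is an added example, not code from the article or any retailer; the word list, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample of commonly guessed base words (assumption for this
# example; a real check would use a much larger breached-password list).
COMMON_WORDS = {"password", "letmein", "welcome", "shopping", "football"}

# Look-alike substitutions that guessing tools undo automatically.
SUBSTITUTIONS = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # the floor recommended in the article


def candidates(password):
    """Return the plain words a guesser would try for this password."""
    lowered = password.lower()
    # Variant with trailing digits/symbols removed ("welcome2017" -> "welcome").
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered.translate(SUBSTITUTIONS), stripped.translate(SUBSTITUTIONS)}


def audit_password(password):
    """Return a list of policy problems; an empty list means none found."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too short")
    # Upper case, lower case, and at least one digit or symbol.
    classes = (r"[a-z]", r"[A-Z]", r"[^A-Za-z]")
    if not all(re.search(c, password) for c in classes):
        issues.append("missing character class")
    if candidates(password) & COMMON_WORDS:
        issues.append("common word behind substitutions")
    return issues


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ("abcde", "Passw0rd1", "We1come!", "tR7#vq-Lw2m"):
        print(f"{pw!r}: {audit_password(pw) or 'no issues found'}")
```

A password such as "Passw0rd1" satisfies a length-and-character-mix rule yet is still flagged, which is why a substitution alone adds little protection.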

Checkout

All the retailers we visited provide secure checkout using the SSL protocol. Most also list multiple secure certifications on their payments page, such as Verified by Visa, MasterCard Secure Code and American Express SafeKey. The more of these badges you see the better.
 
Some retailers offer to save your payment information at the point of sale. As noted above, we recommend against this practice. Some also use checkout to try to sign you up for their mailing lists or third-party offers. If you already receive enough marketing messages, keep an eye out for this practice, since most retailers automatically opt you in and require you to make the effort to remove your name.

Summary

The profusion of recent security breaches should have every retailer on high alert to safeguard customer information. While all the sites we visited do a good job of covering the basics, we found significant variation in attention to detail. That doesn’t mean the more attentive sites are necessarily more secure, but if given the choice, we prefer to spend our money with companies that give protection of our personal data more than just lip service. Enjoy the online shopping season, but be careful to give up no more information than is really needed.

Tags: Cybersecurity, Technology

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY


© 2015 - 2024 IT Security Guru - Website Managed by Dessol
