Kathie Florsheim is a committed environmentalist with a hybrid car and a set of rain-collection barrels outside her East Providence home.
So when the ink in her Canon printer recently ran out, she immediately thought to recycle it, just like she does her light bulbs, batteries, and kitchen waste — which she feeds to the red wiggler worms who fertilize her vegetable garden.
But what Florsheim learned on Canon’s website stopped her in her tracks. To send her clunky, foot-long cartridge back to Canon for recycling, she would have to submit her name, home address, telephone number, and e-mail address.
Florsheim very much wanted to keep the cartridge out of a landfill but not at the expense of her privacy. So she fired off an e-mail to me calling Canon’s demand for personal data “a cynical and frankly smarmy way of extracting valuable information from people who give a damn about the environment.”
Canon, one of the world’s largest corporations, with more than $30 billion in annual sales (cameras, photocopiers, medical imaging) and almost 200,000 employees, touts its record of environmentalism on its website. It has collected almost 400,000 tons of cartridges since 1990, and reuses everything — iron, copper, aluminum, plastic.
Consumers like Florsheim pay nothing to have their cartridges shipped to Canon’s recycling center in Virginia. But Florsheim frets that once you fill out the online form, a digital version of you belongs to Canon, maybe forever, in its already vast store of data.
Do you want to be there?
I’ve been reading up on online consumer privacy and listening to experts. I think what’s going on with the likes of Canon is scary.
The company is not alone, of course. Most big retailers do it. Technology allows them to sweep up a gargantuan amount of information — think of trillions of digital bits — and crunch it into strategies for increasing sales by targeting potential customers based on demographics. It’s hard to imagine the clock getting turned back on this one.
“Data harvesting, data aggregation, predictive modelling — call it what you want, but it all can get very creepy, very fast,” said Preston Leonard, a Boston lawyer who has been involved in privacy cases. “Before you know it, these companies can know way too much for comfort.”
The Federal Trade Commission is supposed to protect the privacy of consumers. But the FTC can do only what Congress authorizes it to do — and that’s not much— compared with Europe, where online consumers have an enforceable “right to be forgotten.”
In fact, the spectre of European-like laws is the FTC’s most effective tool in cajoling retailers into at least acknowledging privacy concerns, as in “do this voluntarily or Congress might force you to do it as a matter of law.”
“There’s no overarching legal privacy requirements at the federal level,” said Mark Eichorn, an FTC assistant director for privacy and identity protection. “We talk in terms of recommendations and best practices.”
Some states, including Massachusetts, have stepped into the void. Brick-and-mortar retailers here, for instance, are prohibited by law from asking consumers for their ZIP codes during credit card transactions because retailers were using that information to flood households with junk mail.
Many big retailers have responded to the FTC’s proddings by posting privacy statements — or annually mailing them to you — telling you how personal data are collected and used. The FTC is now pushing retailers to voluntarily go further by giving consumers a simple “do not track” option that would prevent companies from harvesting their personal data.
Is it OK then for Canon to ask Florsheim for personal information?
“Companies should limit data [collecting] to the kind of information they actually need to carry out the transaction,” said Eichorn, who refused to discuss Canon’s case specifically.
I wanted to talk to Canon about why it needs the kind of information it asked of Florsheim. I spent three days calling and e-mailing the company’s American headquarters on Long Island. I left a dozen detailed messages. What did I get back? Nothing. No call, no e-mail. It seems Canon likes to take information but not give it.
Canon’s 10-page privacy statement is not exactly consumer-friendly. After I read it a few times, I realized Canon (and its corporate peers) doesn’t only collect and use the information you willingly provide by filling out a form. It goes well beyond that by employing “data collection technologies,” including “web beacons, cookies, and embedded web links” to get information you most definitely are not offering.
“Cookies” might be a familiar term to some consumers — files created by websites on your computer that recognize and track you — but what about “web beacons” and “embedded web links”?
These data collection technologies record and store just about everything about you online: type of browser used, access times, address of the website that sent you, Internet Protocol address, unique device identifier, geolocation, and clickstream behavior, such as the pages you view and the links you click, according to the Canon privacy statement.
“Companies study your search history and your click behavior,” said Brian Kilcourse, who heads a California research firm specializing in the behavior of retailers. “That’s how they know to interrupt you with a particular pop-up advertisement.”
Even your friends aren’t safe. When you e-mail a Canon newsletter or other electronic communication to friends, Canon collects your friends’ contact information.
Canon lists 11 uses of your information, including some you would expect, like communicating with you about a specific transaction and delivering your products. Fine. But others sound like things I don’t want to be a part of, such as having Canon use me to “perform research and analysis about usage and potential interest in our products, services and content.”
Credit card and other financial information? Canon uses it to process payment, of course, but also when “otherwise needed to manage our business.” Pretty open-ended, no?
Canon says it shares its (your) information with its business partners, including “automated data processors,” which is data crunching.
Kilcourse said Canon has plenty of company in the race to build ever-larger stores of digital data. “It’s just what they do,” he said.
And Preston warned that “it’s increasingly difficult to function in modern society without putting a lot of personal and financial information through the Internet. Try functioning without a debit or credit card or using the Internet or a smartphone; it’s not feasible.”
Florsheim, a professional photographer whose work has been collected by some top-ranked museums, doesn’t want to return to horse-and-buggy days. But she’s pretty finicky about giving out personal data.
She eventually walked into a Staples store with her cartridge. They accepted it with only one question: Did she want a recycling credit on her Rewards card? No, she didn’t.
“I don’t have a Rewards card because I don’t want them to have my personal information,” she said. “I don’t want anyone to monetize my personal information.”Sean P. Murphy can be reached firstname.lastname@example.org. Follow him on Twitter@spmurphyboston.