PI complains to UK regulator on EBay practices on customer data retention

31/08/2006

29th August 2006

Mr Richard Thomas
Information Commissioner
Wycliffe House
Water Lane, Wilmslow
Cheshire SK9 5AF
GB

Dear Mr Thomas,

I am writing with regard to ebay.co.uk (eBay (UK) Ltd) and to request that you investigate an apparent wholesale breach by that company of the Fifth and Sixth Principles of the Data Protection Act, and a possible breach of the First Principle. This complaint is made on the basis of information supplied to Privacy International by a number of concerned eBay members, and is supported by our own research.

Summary of complaint

This complaint alleges that eBay has obstructed the ability its members to delete (remove) their account with the company. In creating this systemic obstruction eBay has denied its members a core right under the Act, and has therefore engaged in unfair processing of personal data.

Background

eBay has become one of the Internet's most successful brand names. eBay operates online sale and auction services in 33 countries and claims a worldwide customer base of more than 180 million people, with more than ten million registered users in the UK.1 eBay UK was launched in 1999 and by 2004, gross merchandise volume (GMV), the value of all successfully closed listings on eBay.co.uk, reached more than two billion pounds. eBay.co.uk has reported year-over-year GMV growth of 94%.

Internet users are able to freely browse the eBay site, but are required to register if they wish to sell or bid. Registration involves the collection of a range of personal information, including phone number, date of birth, address and mandatory bank account information.

Customers choose to delete online accounts for a range of reasons. Many people wish to reduce the amount of personal information held by companies and thus reduce the risk of unlawful use or disclosure of data. The decision by eBay to frustrate this action effectively prevents all but the most diligent and persevering customers from deleting their personal information from the site.

The existence of a deletion facility is particularly relevant to eBay customers. eBay's privacy policy states "Further, we can (and you authorise us to) disclose your User ID, name, address, telephone number, email address, and company name to eBay VeRO Programme participants under a confidentiality agreement as we in our sole discretion believe necessary or appropriate in connection with an investigation of fraud, intellectual property infringement or other unlawful activity."

The VeRO Programme has membership of around 10,000 organisations and individuals.4 We believe this blanket provision in eBay's terms & conditions is disproportionate and possibly insecure, and we ask that you also investigate the nature of this relationship and the scale of disclosures of personal information to the Programme's members.

The size of eBay's customer base is a key element of the company's market value. Maintaining the growth of that customer base is therefore a core indicator of eBay's financial worth. Obstructing the removal of accounts has the effect, intentional or otherwise, of artificially inflating the customer base at the expense of data protection rights.

Complaint in detail

Most online organisations include the "delete account" function as a default part of the account management page. This is seen as being important both to Best Practice and to legal compliance. No such facility has been enabled by ebay.co.uk.

Having registered with eBay to research this complaint, we visited the "My Account" section of the site. This contains four sub-sections: personal information, addresses, preferences, feedback and subscriptions. None of these sections contains a facility to delete an account.

We visited the site's "help" section, clicked "using my eBay", and then proceeded to "Managing your account". This too contained no information on account deletion.

We then conducted a series of site searches, using such keywords as "remove" and "delete", but these searches resulted in query returns covering many pages. Assessment of these hundreds of search returns was impractical, if not impossible.

It was only by chance that we checked the site's privacy policy, which states "Upon your written request, we will deactivate your account, contact information, and financial information from our active databases. To make this request, please contact Customer Support."

The "customer support" phrase links to eBay's "contact us" page. However this page is of no practical use to anyone wanting to delete an account. The page contains a single option checkbox list for the following categories:

• Listing Policy Breaches Report a breach of an eBay listing policy or a prohibited item
• Buying and Finding Ask about searching, bidding, paying for an item, or dispute resolution
• Account Security Report fake eBay emails, unauthorized account activity, or other safety concerns
• My Account - Registration/Password Ask about My eBay and changing your contact information
• Selling and Managing Your Item Ask about photos, fees, tools, Shops, unpaid items or problems Complaint from Privacy International regarding eBay (UK) 4 with a buyer
• Suspension Ask about a suspended account, notices you've received from eBay, or sign-in problems
• Feedback Ask about eBay's Feedback system, or about feedback you've left or received

Related:
PI report on online privacy -- Dumb Design or Dirty Tricks?