In response to a congressional inquiry about its privacy policies, Groupon this week provided more details about how it collects and stores its users' personal data, particularly as it relates to location-based data and opt-in versus opt-out.
"We are committed to explaining our data practices and keeping our explanations current in an environment of rapid technology changes," Groupon general counsel David Schellhase wrote in a letter to Reps. Edward Markey and Joe Barton. "We are also committed to empowering our customers to make choices about the type of information they give us and how we use that information to interact with them."
Markey and Barton penned a letter to Groupon in July after the deals site updated its privacy policy. In a summary of those updates, Groupon said one of the changes clarified that some of its mobile apps might collect geo-location data to offer up nearby offers, but on an opt-in basis. Given the controversy surrounding Apple's iPhone tracking, the congressmen wrote to Groupon and asked for more details.
In his letter, Schellhase said that "Groupon currently does not access location data when the Groupon mobile application is not running." But customers have been asking for this functionality, he said. If a particular business was offering a lunchtime deal and you were walking near that restaurant, for example, Groupon could send you a pop-up notification that provided details.
"We are working to provide this type of functionality in the future," Schellhase continued. The company only put it in its privacy policy because "we wanted to ensure that it reflected those future plans."
The privacy update also broadened Groupon's definition of personal information to include peoples' interests and habits and included more details about how the company collects and uses information.
In its letter, Groupon said it does not collect information about people who simply browse the Groupon site but do not sign up for its services besides the usual, non-identifying data that most Web sites collect (browser, IP address, etc). If you sign up, you have to provide your name and email address and, if you buy something, payment data. Groupon also receives data via social-networking sites like Facebook Connect, but "only if the consumer affirmatively engages in an activity that specifically relates to Groupon." If the company finds public postings about Groupon, it might use the data to respond to a user inquiry or to protect its IP rights.
In terms of its partners, Groupon said it does not share user information with the companies or restaurants offering Groupon deals, only the number of vouchers purchased, unless it's something like a magazine subscription, which requires your address.
Groupon does partner with Expedia on travel deals and Live Nation on concerts, and collects data related to those purchases. It uses Visa-owned CyberSource Corporation to process credit card payments and ExactTarget to deploy daily deals emails. Those partners are banned from using the customer data for their own purposes.
"Groupon routinely monitors the performance and reviews the contracts of its critical service providers to ensure quality and consistency and is not aware of any data breach, other breach of confidentiality or compromise in the security of any of its customers' information entrusted to ExactTarget," the company said.
Earlier this year, a breach at third-party marketer Epsilon exposed the email addresses and names of people associated with a number of tech companies, including Verizon, Best Buy, TiVo, and Target as well as credit-card companies like Chase, Citi, Barclays, and Capital One.
Groupon stressed several times that it is a growing company and is constantly evolving, and Rep. Barton encouraged the company not to lose sight of privacy when making these upgrades.
"Because it is growing at such a fast pace, I fear for the potential misuse of consumers’ personal information as more partnerships are created," Barton said in a statement. "It is vitally important that businesses with online models keep the protection of consumers' data at the top of their list and leave no room for assumptions. Everyone involved in the online industry should take responsibility and be held accountable for the use of consumer data."
Markey, meanwhile, urged Groupon not to "place a discount on privacy."
"Transparent, easily understandable privacy policies and practices are key here, and I will continue to monitor this rapidly developing area of the industry," Markey concluded.