Japanese ecommerce giant Rakuten has caused outrage after being exposed as selling customer personal information, including names, email addresses and home addresses, to all comers for a trifling ¥10 each.
Rakuten is one of Japan’s largest online retailers, and its largest online mall (Rakuten Ichiba), with annual revenues of some $2.7 billion, and primarily does business as a shopping portal, with individual shops paying fees and commissions to be listed and have access to the company’s ecommerce platform.
The company offers its participating shops the opportunity to buy the personal data of customers (as CSV files) using a handy online form, though without email addresses included.
However, for shops with revenues or orders over a modest amount, simply submitting a form and getting past their “inspection” procedure is enough to get the full addresses. They even offer to “discuss” orders from shops not meeting these criteria.
Since anyone can open a shop with them, and what happens to the data once it is sold is anyone’s guess, it does not appear there are any serious safeguards in place, and indeed this is demonstrated by experiments and anecdotes.
Tests using email addresses created exclusively for the purpose of ordering from them (using Gmail and similar) reveal that the addresses are quickly subjected to a steady torrent of spam entirely unconnected to Rakuten (which is in Japanese and disturbingly sometimes carries the full name of the customer, and so is likely not automatically generated), demonstrating that the problem is far from theoretical.
The wholesale hawking of customer data is likely legal (and presumably “consented” to at some point by the customer), and has been going on for a number of years, though of course no customer would expect this sort of outrageously unethical behaviour from a major Japanese brand.
The actual revenues from these sales are not clear, but with at least 50 million registered users by their own admission, it seems likely to be significant enough to justify the practice in the eyes of an unscrupulous management.
As anyone who has shopped with Rakuten can likely attest, although the prices can be amongst some of the lowest available, the merchants themselves are quite variable in quality, and notably any email address used to order with them is highly likely to be bombarded with spam from both Rakuten and the individual sellers, leaving aside the issue of personal details being sold.
Privacy conscious Japan is unlikely to quickly forgive this, and anything less than an immediate and groveling apology (coupled with a halt to the practice) seems likely to permanently damage the company’s brand, especially considering the mass media is likely to excoriate them for the practice.
Whilst few would care what happens to the company after such a scandal, it does seem possible it will damage overall confidence in online retailers in Japan, and this may be the most damaging effect of the scandal, saving the matter of furnishing spammers with millions of addresses of course…