Follow-up: Build-A-Bear says it will take privacy suggestions to heart

In response to my earlier post about the way Build-A-Bear entices children and parents to give up personal data, the company says it will take my suggestions to heart and review them with its privacy committee.

Follow-up:  Build-A-Bear says it will take privacy suggestions to heart
There were lots of reactions to my last post about Build-A-Bear luring kids and parents into divulging personal information they might otherwise, in other contexts, guard more closely. While some responses channeled Scott McNealy, most seemed to get that my beef was not with the fact of the data collection, or the uses set forth in Build-A-Bear's privacy policy, but with doing it in what amounts to a wolf-in-sheep's-clothing manner. Here's a sampling of the subsequent discussion:

  • Cory Doctorow called the practice "private information seduction."
  • The Consumerist agreed it "seem[ed] sort of...sinister."
  • Skippy dot net reacted similarly to his in-store experience at Build-A-Bear.
  • Andrew at Changing Way quipped that "the Bear can be more seductive than the Beacon."
  • Curmudgeon-in-Training pointed out that "kids, and parents, are getting numb to this disclosure of very personal info for the most mundane of reasons."
  • Izzy Neis (who blogs about "Online Communities, Entertainment, Kid Empowerment, and Media Safety") worried that "people forget about the kind of information they share about their kids."
  • And Security Hitman observed that "corporations are setting an early expectation with young children that giving out personally information is okay. "

Follow-up:  Build-A-Bear says it will take privacy suggestions to heart
The good news is that shortly after posting my piece I heard from Dave Finnegan, Build-A-Bear's "Chief InBearmation Officer." Kitschy executive designations aside, you've got to be impressed by a company that responds so quickly, directly, and receptively to criticism; I am, anyway. Dave had no problem with my posting our email exchange in its entirety, and you'll find it after the jump. The upshot is I gave him several suggestions as to how I thought the situation could be improved, and he told me they "will definitely take [my] suggestions to heart," and "will review this information with [their] privacy committee." So, the company gets big points in my book for listening and responding to the conversation, and will earn bigger points still if the next time a birthday party brings me Build-A-Bear's way, I join my son at the in-store kiosks and see my suggestions have been implemented. I'll certainly let you know if that happens.

(Images by sarae, CC Attribution-No Derivs 2.0)

Received 1/23/08, 9:08 p.m.:

Hi Denise,

I read your ZDNet blog and wanted to drop you an email. As a father, I am sensitive to protecting children’s information and I am personally committed to ensuring that Build-A-Bear Workshop adheres to the highest standards of privacy and protection of our guests data.

To participate in the bear-making process, create a birth certificate or bring a friend on line at our Guests do not need to opt in or give us any identifiable information. However, if they wish to share their information, we will register their friend in our Find-A-Bear® ID program so they can hopefully be reunited if it’s ever lost and returned to us. We are proud to say thousands of furry friends have been returned to their owners through this program. In order to receive any marketing materials such as email and direct mail, Guests have to explicitly opt in. Only when they opt in to these preferences do we send them things such as special offers, emails about fun in-store happenings and birthday cards for their furry friends. Guests can choose at any time to opt out of receiving this communication.

We truly value the privacy of our Guests and are committed to protecting any information they choose to share with us. We never sell or share personal information and always ensure that we are in full compliance with data protection laws and COPPA (Children's Online Privacy Protection Act) requirements.

I value your feedback and hope that you will feel free to contact me in the future with any other suggestions or questions you may have.

Sincerely, Dave

Dave Finnegan Chief InBearmation Officer

Sent 1/24/08, 10:10 a.m.:

Hi Dave,

Thanks for writing, it's good to know you're listening. It's also good to hear Build-A-Bear strives to be a good corporate citizen with the data it collects; your privacy policy indicates as much.

The creepiness I experienced was not at the collection of the data or what the company would do with it. It was the fact that opting in or out of providing personal information seems fuzzy (no beary pun intended) when it comes to your in-store setup. Of course, no one *has* to get a birth certificate, but realistically the process is arranged so kids certainly want to, and might well insist on it (especially those old and/or sophisticated enough to understand the Build-A-Bearville connection). When they sit down to do so, lots of information is requested, your privacy policy is not conspicuously presented (if at all? I saw nothing other than the printed flyer customers receive after the fact), and the "skip" options are also easy to miss. And even if the privacy policy and "skip" options were prominent, this would make negligible difference in the case of children old enough to wander over to the computers by themselves and start filling in fields.

As you probably know, "verifiable parental consent" is required under COPPA concerning the collection and use of information from kids under 13. So, I'm thinking you might want to run the following suggestions by your legal department and see if they concur. First, it would be good if your privacy policy and a "click ok to proceed" box were the first thing parents saw at the beginning of the data entry process. (This is good not just for the parents but for your company; having them complete a click-through is a far more "verifiable" means of consent than your current system.) Second, there should be some effort to ensure that parents are actually involved and giving their consent; I saw plenty of sub-13 year olds solo at the terminals while mom and dad were elsewhere in the store. Third, it would help if you made the "skip" option more prominent, and also provided some clarification along the way about what information is "necessary" for what purpose.

Thanks again for following up. I'd appreciate hearing back should the company decide to take any of my suggestions to heart (ack -- the beary puns are tough to avoid!). I'd also like to publish our email exchange as a follow-up to my post if you have no objection.

-- ---------------------------------- Denise M. Howell

Received 1/24/08, 9:08 p.m.:

Hi Denise -

Thank you for your detailed observations about our Name Me application. We always invite our Guests to let us know how we are doing, and it is always helpful to hear this feedback firsthand. It is clear you are as concerned about privacy protection as we are as a company, and we will definitely take your suggestions to heart. We will review this information with our privacy committee, and welcome any other suggestions you have. Again, please feel free to contact me directly anytime.

Thank you again for the interest in this very important topic. We would welcome your posting our email conversation on your blog.