How Do The Privacy Policies of Amazon and JD.com Differ?

Weitao Gong

Abstract

With the advent of the Internet, online shopping has become a popular shopping method. However, when shopping online, aside from the web server, which is the e-commerce company itself, third-party websites will also interact with online consumers. This has raised strong privacy concerns. Amazon is the largest e-commerce company in the U.S., and Amazon clearly notifies its users of the existence of third-party websites in its privacy notice. However, JD.com (“JD”), one of the two largest e-commerce companies in China, has not mentioned third-party websites in its privacy policy. This difference may hypothetically result in Amazon emphasizing user experience more and offering better personalized recommendations, while JD may emphasize and protect users’ privacy more. To examine the hypothesis, this Article conducts a series of mock online shopping processes and uses Linux software “mitmproxy” to unravel, collect, and compare the data of third-party websites that connect to the webpages of the two e-commerce companies.

Introduction

In the privacy policies of Amazon and JD.com,[1] both companies claim that they collect their users’ personal information to promote user experience and provide more personalized recommendations.[2] However, there are differences between their privacy policies. Amazon has a provision referencing third-party links including third-party advertisers, while JD.com does not mention third-party links.[3] As claimed in the Privacy Notice of Amazon, the purpose of those third-party links is to offer better personalized recommendations and to enhance user experience,[4] but these links may also put the privacy of the users at risk.[5] This difference between the privacy policies of Amazon and JD.com may hypothetically result in Amazon emphasizing user experience more and offering better personalized recommendations, while JD protects users’ privacy more.

A series of mock online shopping processes on the two websites will be conducted to collect data and to examine the hypothesis that the two online retailers place different emphasis on privacy protection. The data collection will focus on comparing the number of third-party advertisers and third-party trackers between the two websites after searching for the same product. The article will use mitmproxy to collect the data flows of website links captured when visiting Amazon and JD.com. Mitmproxy will reveal how many websites, both from Amazon and JD.com and from third parties, make contact with customers of the online retailers.

Part I of the article will briefly introduce the two subjects. Part II will introduce the methodology used, including the working principle of mitmproxy and the procedures of the mock online shopping process. In Part III, after comparing the privacy policies of the two websites, the results of categorized and analyzed data flows of links will be presented. Part IV will conclude the article and confirm the hypothesis.

I. Introduction of the Two Subjects: Amazon and JD.com

Amazon is the United States’ biggest e-commerce company,[6] with its business model blending B2B and B2C.[7] Although JD.com is not the largest e-commerce retailer in China (it is second to Alibaba[8]), the business model of JD.com resembles Amazon more than Alibaba. Alibaba operates through a unique combination of business models, but its core business resembles that of eBay; Alibaba acts as a middleman between buyers and sellers online and facilitates the sale of goods between the two parties through its extensive network of websites, which is a C2C[9] sales services model.[10] However, the business model of JD.com is more similar to the one of Amazon, a blending of B2B and B2C.[11] The similarity in the business model between the two companies serves as the basis for comparison between them. 

A. A Brief Introduction of Amazon

“As a titan of e-commerce, Amazon is the go-to site for online shoppers and merchants alike.”[12] Its business model thus blends both B2B and B2C. The number of consumers of Amazon is estimated to be 85 million in the US, equivalent to about two-thirds of American households.[13] To be more specific about its market coverage, the sales of the past Prime Day[14] of Amazon have grown by more than 60 percent from the same 30-hour window in 2016, with a “record number” of Prime members shopping across 13 countries.[15]

Aiming to deliver an outstanding user experience on a different level, Amazon has created its own massive warehousing facilities, enhancing its processing capability.[16] Aside from that, what hides beneath the surface but makes the Amazon experience stand out is that Amazon has adopted technology to improve its ability to track its customers as they move around online so as to provide them with a personalized browsing experience.[17]

B. A Brief Introduction of JD.com

JD.com is an online shopping website similar to Amazon. JD.com is one of the two largest business-to-consumer (“B2C”) online retailers in China by transaction volume and revenue, and a major competitor to Alibaba-run Tmall.[18] By September 2017, JD.com had 258.3 million monthly active users.[19] Trying to make life easier for rural dwellers, JD is building drone launch centers to test drone deliveries.[20] Although second to Alibaba, on Singles Day[21] this year, JD.com’s total transaction volume was an impressive 127.1 billion yuan, which works out to about $19.14 billion, more than Alibaba did in 2016.[22] The CEO of JD.com has stated that the main difference between his company and other online retailers is that JD always places its customers first in order to provide the best user experience.[23]

The article chooses JD.com and Amazon as subjects in the privacy audit based on their similarity in the business model and commercial scale.

II. Introduction of the Methodology

The software mitmproxy will be used in the privacy audit to reveal the behind-the-scenes data collection. The data flows of links collected by mitmproxy will be transferred into text files through Linux. After that, Excel will be used to organize, categorize and analyze the domains of the links captured by mitmproxy during the mock online shopping process.

A. Mitmproxy and A Series of Mock Online Shopping Processes

Mitmproxy acts as a proxy that sits as the man in the middle between the end consumer and the online retailer. “While other proxies typically focus on content filtering or speed optimization through caching, the goal of mitmproxy is to let an attacker monitor, capture and alter these connections in realtime.”[24] After a consumer accesses the website of an online retailer, the consumer may believe that his computer has communicated only with the website of the online retailer, i.e., the URL of the webpage. However, visiting the same webpage while running mitmproxy in Linux will tell a different story. As is shown in Part III of the article, the number and categories of the links may lead consumers to be concerned about the safety of their privacy.[25]

In the privacy audit of this article, a series of mock online shopping processes has been launched while mitmproxy is running. First, since both Amazon and JD.com claim to create better personalized recommendations for their registered users,[26] whether the users have logged in may affect the final results. Therefore, every procedure of the mock online shopping process will be conducted twice, once before login and once after login. Secondly, a mock online shopping of the book “The Great Gatsby” will be used as the main data for analysis. Two sets of data will be collected during the book search. The first set of data will show the number of links generated during the complete process, from visiting the homepage to adding the book to cart. The second set of data will examine the complete process step by step so as to collect links generated in separate procedures. Finally, since the results of the mock online shopping of “Pampers” and “Sony α5000” are similar to the results of “The Great Gatsby” search, the results of “Pampers” and “Sony α5000” will be attached to Appendix B and Appendix C to support the findings in “The Great Gatsby” search.

Mitmproxy allows its users to save the intercepted data flows of links. After conducting the series of mock online shopping processes, the links saved by mitmproxy will be preprocessed: they will be transferred into text files that contain only the domains of the links.[27]

B. Methodology After Mitmproxy

In Part III, the article will first compare the privacy policies of Amazon and JD.com to see whether there are differences and whether these differences can be reflected in the data collected by mitmproxy. Then, the article will compare the preprocessed text files containing the domains of the links with two lists, EasyList and EasyPrivacy,[28] so as to categorize the domains by function. These functions include:

1) Web Server: Ad. This category stands for the links that are from the Web server (Amazon or JD.com) itself and that serve the site’s own advertising;

2) Web Server: Tracker. This category stands for the links that are from the Web server and that track the users’ movement during online shopping;

3) Web Server: Others. This category stands for the other links that are from the Web server, which serve other purposes such as loading images;

4) Third-Party: Ad. This category stands for the links of third-party advertisers;

5) Third-Party: Tracker. This category stands for the links of third-party trackers;

6) Third-Party: Others. This category stands for the links of third-party websites that serve other purposes, such as the safe browsing function offered by the browser.

The article will compare the number of links in each category when visiting the homepage of the two subjects before and after login, so as to see whether being logged in triggers more links of advertisements and trackers: a logged-in user is a more specific target for third-party advertisers and trackers, and the personalized recommendations can be more pertinent to that user’s preferences. Then, the article will analyze the links collected during the mock online shopping of the book “The Great Gatsby” on both subjects. By comparing the number of third-party advertisers and trackers, and by comparing the points at which third-party advertisers show up in mitmproxy, the article will examine the hypothesis of the two subjects’ different emphasis on user experience and privacy protection.
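The preprocessing and six-way categorization described in this Part, together with the per-step deduction used in Part III, can be sketched as follows. This is an added example, not the tooling used for the article: the filter rules, hosts and URLs are constructed placeholders, and counting distinct hosts, listing first-party domains by hand, and letting the ad list win over the tracker list are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpts in Adblock Plus filter syntax, the format EasyList and
# EasyPrivacy are published in. Every host is a placeholder under .example.
EASYLIST_SAMPLE = """\
! constructed ad rules
||ads.adnet.example^$third-party
||sponsored.shop.example^
||banners.example^
@@||allowed.example^
shop.example##.ad-banner
"""
EASYPRIVACY_SAMPLE = """\
! constructed tracker rules
||metrics.shop.example^
||pixel.tracker.example^$third-party
"""
# Assumption: the auditor lists the retailer's own domains by hand.
FIRST_PARTY = {"shop.example", "shop-static.example"}

# Constructed capture: request URLs per procedure, in the order they were run.
STEPS = [
    ("homepage", [
        "https://www.shop.example/",
        "https://img.shop-static.example/logo.png",
        "https://sponsored.shop.example/slot?id=1",
        "https://metrics.shop.example/collect",
        "https://safebrowsing.browser.example/v4/check",
    ]),
    ("search", [
        "https://www.shop.example/s?k=the+great+gatsby",
        "https://eu.ads.adnet.example/bid",
        "https://pixel.tracker.example/p.gif",
        "https://metrics.shop.example/collect",
    ]),
    ("product", [
        "https://www.shop.example/dp/0000000000",
        "https://cdn.banners.example/creative.js",
        "https://eu.ads.adnet.example/bid",
        "https://reviews.shop.example/api",
    ]),
    ("cart", [
        "https://www.shop.example/cart/add",
        "pixel.tracker.example:443",
    ]),
]


def parse_domain_rules(text):
    """Return hosts from '||host^' rules; comments, exceptions, cosmetic and path rules are skipped."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("||") or "##" in line:
            continue
        body = line[2:].split("$", 1)[0]  # drop options such as $third-party
        if not body.endswith("^"):
            continue
        host = body[:-1].lower()
        if host and "/" not in host and "*" not in host:
            hosts.add(host)
    return hosts


def host_of(url):
    """Extract the lowercase host from a URL or a bare host[:port] string."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def on_list(host, rule_hosts):
    """True if the host or any of its parent domains appears in the rule set."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in rule_hosts for i in range(len(labels)))


def classify(host, first_party, ad_hosts, tracker_hosts):
    """Map a host to one of the six categories; the ad list wins on overlap (assumption)."""
    own = any(host == d or host.endswith("." + d) for d in first_party)
    party = "Web Server" if own else "Third-Party"
    if on_list(host, ad_hosts):
        kind = "Ad"
    elif on_list(host, tracker_hosts):
        kind = "Tracker"
    else:
        kind = "Others"
    return f"{party}: {kind}"


def tabulate(steps, first_party, ad_hosts, tracker_hosts):
    """Count distinct hosts per category for each step, deducting hosts seen in earlier steps."""
    seen, table = set(), {}
    for name, urls in steps:
        hosts = {h for h in map(host_of, urls) if h}
        table[name] = Counter(
            classify(h, first_party, ad_hosts, tracker_hosts) for h in hosts - seen
        )
        seen |= hosts
    return table


def audit():
    """Run the constructed capture against the constructed filter excerpts."""
    return tabulate(STEPS, FIRST_PARTY,
                    parse_domain_rules(EASYLIST_SAMPLE),
                    parse_domain_rules(EASYPRIVACY_SAMPLE))


if __name__ == "__main__":
    for step, counts in audit().items():
        print(step, dict(sorted(counts.items())))
```

Because the parser keeps only host-level rules, a real audit would undercount matches that depend on URL paths or rule options.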

III. Comparison between Amazon and JD.com: The Privacy Policies and The Data

In the privacy policies, the information collected by Amazon and JD.com ranges from personally identifiable information to non-personally identifiable information. They both claim the collection of personal information is to enhance user experience.[29] However, it may result in users losing control over their personal data, and involuntarily and often unknowingly opening the door for third-party websites, thus leading to privacy intrusions.[30] In this part, after the privacy policies of the two websites are compared, the data collected by mitmproxy will be presented and analyzed. 

A. Privacy Policies

Currently in the USA, aside from the legislation including the 1986 Electronic Communications Privacy Act and the Telephone Consumer Protection Act of 1991,[31] online privacy is mostly subject to the regime of self-regulation.[32] Different online companies can have their own privacy policy. Similarly, in China, through the enactment of Cybersecurity Law of the People’s Republic of China, the privacy protection in e-commerce is gradually expanding.[33] Amazon and JD.com both have their own privacy policies, but these policies differ along several dimensions. This article will examine the differences of the privacy policies of Amazon and JD.com in three aspects, the differences in the kind of information collected by the two subjects, the differences in the cookies policies and the differences in the third-party links policies.

1. The Differences in the Kind of Information Collected

[Image omitted]

The table shows the kind of information Amazon and JD.com collect from their users. Although JD.com does not collect mobile-related information about its users’ location, JD.com has categorized its users’ location information as Information Provided by the Consumers, which consumers can choose to opt out of and refuse to provide. For E-mail Communication, even though JD.com may not send advertisements to its users’ e-mail addresses as Amazon has done, JD.com may collect its users’ e-mail information if its users register through their e-mail. Thus, in this sense, the type of information the two websites collect is not so different.

Aside from the table above, in Amazon’s Privacy Notice, Amazon claims the reason that they collect customers’ information is to help customers to personalize and continually improve their Amazon experience.[35] Similarly, in the Privacy Policy of JD.com, the website makes the same statement that the information they collect will smoothen the searching process and will help customers to receive more interesting recommendations from the website.[36]

When it comes to disputes over privacy, it is important to define whether the information collected by Amazon and JD.com is personally identifiable information. JD.com has claimed in its privacy policy that the website will de-identify the data after collection of users’ information.[37] However, JD seems to include a pervasive provision within its privacy policy that by visiting JD.com, customers agree to JD’s usage of their de-identified personal information regardless of users’ consent.[38] De-identification is a “process to prevent a personal identifier from being connected with information.”[39] However, there is high potential for the de-identified information to be re-identified,[40] which introduces a potential risk of exposure of privacy.

Although Amazon does not promulgate a similarly pervasive provision in its Privacy Notice, the company has reminded the users that by visiting Amazon, customers are accepting the practices described in its Privacy Notice.[41] Regardless of whether the personal information collected by Amazon is identifiable or not, as long as Amazon uses or discloses the personal information according to its privacy notice and allows users to opt-out of tracking,[42] it will not harm the privacy of the customers.[43]

2. The Differences in Cookies Policies

The web server’s collecting of personal information is actually a process of remembering. To remember what customers have ordered and browsed, as well as what customers are interested in, Amazon and JD.com both adopt cookies to remember their customers and to realize their claims to promote user experience. 

A cookie is a small text file placed on the hard drive of a consumer’s computer that is then offered back to the Web site during subsequent visits by the consumer.[44] Cookies are mainly used to identify users and possibly prepare customized Web pages or to save site login information.[45] When a customer visits Amazon or JD.com for the first time, cookies from these two Web servers will be stored in the Web browser, that is to say in the hard disk of the customer’s computer. When the customer visits the Web server again, the Web server will look into the cookies stored in the customer’s computer to recall user preferences and other online shopping history.[46]

[Image omitted]

As is shown from the table above, both of the websites have introduced cookies[47] as the tool to support fundamental online shopping functions such as keeping the storage of items in the shopping cart.[48] Although JD.com has not informed its users how to enable and disable cookies, the company warns its users, just as Amazon does, that turning off cookies will disable essential functionality of the shopping websites.[49] For example, online shopping sites that store items in a virtual shopping cart require the placement of cookies on the shopper's hard drive to identify the shopper as the individual who stored those particular items.[50] If cookies are turned off, the items in the shopping cart will be lost.

Allowing Amazon and JD.com to remember their users’ personal information may have more pros than cons. At least, it will be convenient for the customer not to have to log in again and again or lose items stored in the shopping cart. Furthermore, with users’ preferences in mind, the Web servers may provide users better online shopping experiences with more interesting recommendations.

3. The Differences in the Third-Party Links Policies

Based on the data gathered through mitmproxy, when the customers of Amazon or JD.com visit the website, not only will Amazon and JD.com store cookies in the computers of their customers, but a large number of third-party websites will also store cookies.

[Image omitted]

Unlike Amazon, JD.com has not mentioned the third-party links that will contact its customers while they are shopping on JD.com.[51] However, the company has admitted that customers will find on third-party websites the advertisements of JD.com and possibly the commodities the customers have viewed on JD.com.[52] The company assures its customers that the links of the advertisements will be managed by JD and will be connected to JD directly, so JD will not provide third-party websites with any personal information of its consumers.[53]

Hypothetically, while shopping on JD.com, the consumers will not expect to contact third-party websites because the company has not provided its consumers with notice in its privacy policy. However, the data captured by mitmproxy reveal that there are third-party advertisers linked to JD.com, but the third-party advertisers show up in the latter procedures of the mock online shopping process, which is different from Amazon. This difference and its connection to the hypothesis will be analyzed in the upcoming Part B.

B. Data Analysis

In this part, the article will present the analysis of links captured by mitmproxy during the mock online shopping on Amazon and JD.com. For online shopping customers, it may be convenient and acceptable to allow the Web server to know their interests, shopping habits, and preferences so that the Web server can easily recommend to customers relevant products. However, the situation will be different if the links are from third parties and may raise concern of leaking users’ private information. Thus, the analysis of links in this part will focus on third-party advertisers and trackers in the data collected.

1. Homepage

Since users’ information and privacy is at stake here, it is possible that the links generated when users are not logged in will be different from those after they login when shopping on Amazon and JD.com.

[Image omitted]

From the table above, after login, the number of third-party advertisers increases for both Amazon and JD.com. Also, for Amazon, after login, there is an increase in the number of third-party trackers. This likely occurred because those internet users who visit Amazon before login might only be one-time visitors since they are not registered users. However, when users are logged in, they are more specific targets and more likely to be long-term visitors. Their information is worth more attention from the third-party websites, especially third-party advertisers, if they want to provide more personalized recommendations.

2. “The Great Gatsby” Search

This part will show the results of the mock online shopping process. The online shopping process of “The Great Gatsby” is made up of four procedures. The first is visiting the homepage of the Web server; the second is keyword searching; the third is clicking the first product in the keyword search results; and the fourth is adding the product chosen to the cart. The links generated in the complete process will be shown first and then the links generated exclusively from each procedure will be presented.

a. Number of Links Generated in the Complete Mock Online Shopping Process

[Image omitted]

Similar to the results in the homepage test, the data show an increase in the third-party advertisements after login in both websites. However, there have been two differences. The first is the number of third-party trackers of Amazon before its users’ login. In the results of the Amazon homepage visit above, there was no third-party tracker before login, whereas after completing the four procedures of the mock online shopping process here, the customers’ computer will make contact with third-party trackers even if they have not logged in. The second difference is the number of third-party advertisers of JD before its users’ login. The customers of JD.com will make contact with third-party advertisers before login, which is different from the results of the JD homepage visit.

It can be inferred from the two differences that the third-party advertisers and trackers have contacted the customers in the latter three procedures of the mock online shopping process. To determine when exactly a third-party advertiser and tracker may make contact with a customer during online shopping, another mock online shopping process of “The Great Gatsby” was carried out, but this time it was performed in a step-by-step way so as to collect data in separate procedures.

b. A Step-by-Step Mock Online Shopping Process

Since the links generated after visiting the homepage of Amazon and JD.com have been shown above, the article will start from the second procedure of the mock online shopping process, the keyword searching.

i. Number of Links Generated after Clicking Search Button

The links generated during visiting homepage have been deducted from the results; the links are generated exclusively from the keyword searching.

[Image omitted]

The data above show that after clicking the search button, users of Amazon will be contacted by third-party advertisers and trackers before login, and they will be contacted by even more third-party advertisers and trackers after login. However, users of JD.com will mostly interact with the web server.

ii. Number of Links Generated after Clicking the First Product in the Search Result

The links generated during homepage visiting and keyword searching have been deducted from the result; the links are generated exclusively from clicking the first product in the search results.

[Image omitted]

From the data above, the results of Amazon in the third procedure of the mock online shopping process are similar to those in the second procedure. Its users have been contacted by third-party advertisers and trackers. However, for users of JD.com, although the company has not mentioned third-party links in its privacy policy, its users will be contacted by third-party advertisers regardless of whether they are logged in or not. This still exposes JD.com’s users to the same risk of privacy intrusion as Amazon’s users, because the company fails to give notice to JD’s users and acquire consent from its users.[56]

iii. Number of Links Generated after Adding the Product to Cart

The links generated during homepage visiting, keyword searching and clicking the first product in the search result have been deducted from the result; the links are generated only from adding the chosen product to cart.

[Image omitted]

The data in the last procedure of the mock online shopping process show a pattern similar to that of the previous procedures. The table below is a simplified version of the third-party advertisers connected to the two subjects during the last three procedures of the mock experiment.

[Image omitted]

What is worth noticing is the decline in the number of third-party advertisers of Amazon in the last three procedures after login. The decline indicates that the third-party advertisers connected to Amazon may have different interests in Amazon’s registered users’ information from those third-party advertisers connected to JD.com.

c. Analysis: The Third-Party Advertisers and Trackers

[Image omitted]

From the chart above, before login, the third-party advertisers start to store cookies in JD’s customers’ computer after the customers click a specific product in the search results. For Amazon, before login, the third-party advertisers start to memorize Amazon’s customers after keyword searching. 

[Image omitted]

However, after the customers of both websites have logged in, the third-party advertisers start to memorize them from the very beginning. Furthermore, regardless of whether the customers of JD.com have logged in or not, no third-party advertisers apparently memorize what they have searched.

As the data have shown, Amazon and JD.com have taken different approaches to memorizing users’ preferences. For Amazon, it is more important to know from the beginning, or at least what the customers have searched for is important, while for JD.com, what attracts the third-party advertisers is the product the customer has viewed.

[Images omitted]

Surprisingly, in contrast to Amazon, there has been no third-party tracker throughout the process for JD.com. The mock online shopping experiments of “pampers” and “sony α5000” have shown similar results of third-party advertisers and trackers. The detailed data will be attached in Appendix B and the data exclusively for third-party advertisers and trackers will be presented in Appendix C.

From the perspective of improving user experience, the task for the web server and third-party advertisers is to spot the customers’ preferences and to enhance the efficiency of recommendation.[57] Meanwhile, customers’ privacy should not be neglected in the name of gathering personal information for personalized recommendations. Amazon may provide its customers with better user experience because the keyword searched by the customers can directly show what the customers are interested in. However, for JD.com, on the one hand, there are third-party advertisers connected to its users, which raises the same concern of privacy intrusion as Amazon. On the other hand, the third-party advertisers will only know the specific product viewed by the customer, which may not be as direct as the keyword searched, though users’ preferences may be inferred from the specific product they have chosen. As a result, Amazon may provide more personalized recommendations than JD.com. Nevertheless, from the perspective of privacy protection, since the storage of cookies starts later in the shopping process of JD.com and there have been no third-party trackers throughout the process, JD.com may reduce the possibility of privacy exposure of its users more than Amazon.

IV. Conclusion

In the privacy policies of JD.com and Amazon, both of them claim to collect personal information of their users. JD.com even claims to use de-identified information of its users regardless of the users’ consent. For Amazon, the precedent has favored its usage and disclosure of information over privacy as long as Amazon uses the information according to its privacy notice and offers its users a chance to opt out. Furthermore, personal information is not the same as privacy, and allowing web servers such as Amazon and JD.com to memorize their users’ behavior and preferences through cookies may benefit their users. However, it is different for third-party websites to contact users of online retailers during online shopping without users’ notice and consent.

By means of mitmproxy, all the third-party links have been revealed. Since Amazon has provided notice to its users of its third-party links, especially third-party advertisers, after login the third-party advertisers have shown up throughout the mock online shopping process, while for JD.com, the third-party advertisers tend to show up in the latter part and have not shown up in the keyword searching procedure. Still, JD.com should provide notice to its customers in the privacy policy that there will be third-party links connected to its users during online shopping, in an attempt to acquire its users’ consent. As for the third-party trackers, surprisingly, unlike Amazon, there have been no third-party trackers in JD.com throughout the mock online shopping process.

From the comparison of privacy policies and the data collected, it can be inferred that by collecting more user information, Amazon may provide its users with better personalized recommendation, while it seems that JD.com has better protected its users’ privacy by postponing the collection and eradicating third-party trackers.[58]


[Appendices Omitted]


[1]. JD.com is an online shopping website similar to Amazon, which will be introduced in detail below in Part I.

[2]. See Amazon Privacy Notice, https://www.amazon.com/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=468496 (last visited Nov. 14, 2017); See Privacy Policy of JD.com, https://about.jd.com/privacy/ (last visited Nov. 14, 2017).

[3]. Id.

[4]. Id.

[5]. Corey A. Ciocchetti, E-Commerce and Information Privacy: Privacy Policies as Personal Information Protectors, 44 Am. Bus. L.J. 55, 71 (2007).

[6]. See Rani Molla, Amazon Could Be Responsible For Nearly Half Of U.S. E-Commerce Sales In 2017, Recode (Oct. 24, 2017, 2:02 PM), https://www.recode.net/2017/10/24/16534100/amazon-market-share-ebay-walmart-apple-ecommerce-sales-2017.

[7]. See Alex Cosper, Description of How Amazon Uses eBusiness and eCommerce for B2B and B2C, Chron, http://smallbusiness.chron.com/description-amazon-uses-ebusiness-ecommerce-b2b-b2c-36453.html (last visited May 18, 2018).

On the Internet, B2B (business-to-business), also known as e-biz, is the exchange of products, services or information (aka e-commerce) between businesses, rather than between businesses and consumers, Margaret Rouse, B2B (Business to Business), TechTarget (June 2014), http://searchcio.techtarget.com/definition/B2B. 

B2C, or business-to-consumer, is the type of commerce transaction in which businesses sell products or services to consumers. See Elaine J. Hom, What is B2C? Bus. News Daily (Sept. 11, 2013), http://www.businessnewsdaily.com/5085-what-is-b2c.html. Traditionally, this could refer to individuals shopping for clothes for themselves at the mall, diners eating in a restaurant, or viewers subscribing to pay-per-view TV at home. Id. More recently, the term B2C refers to the online selling of products, or e-tailing, in which manufacturers or retailers sell their products to consumers over the Internet. Id.

[8]. See Jon Russell, China’s Second Largest E-Commerce Firm Just Showed Alibaba Has Competition, TechCrunch (Nov. 11, 2017), https://techcrunch.com/2017/11/11/jd-com-singles-day/.

Alibaba is China’s, and by some measures the world’s, biggest online commerce company. See Marc Lajoie and Nick Shearman, What is Alibaba? Wall St. J., http://projects.wsj.com/alibaba/ (last visited Nov. 13, 2017). Its three main sites, Taobao, Tmall and Alibaba.com, have hundreds of millions of users, and host millions of merchants and businesses. Id.

[9]. C2C, or customer-to-customer, or consumer-to-consumer, is a business model that facilitates the transaction of products or services between customers. See Elaine J. Hom, What is B2C? Bus. News Daily (Sept. 11, 2013), http://www.businessnewsdaily.com/5084-what-is-c2c.html.

[10]. See The Difference Between Amazon And Alibaba's Business Models, Investopedia (Aug. 2, 2016), https://www.investopedia.com/articles/investing/061215/difference-between-amazon-and-alibabas-business-models.asp.

[11]. See Neelima Mahajan and Iris Mir, Jingdong Leads the E-Commerce Charge in China, CKGSB Knowledge (Aug. 23, 2013), http://knowledge.ckgsb.edu.cn/2013/08/23/videos/jd-com-leads-the-e-commerce-charge-in-china/.

[12]. Dave Gershgorn, Alison Griswold, Mike Murphy, Michael J. Coren, & Sarah Kessler, What is Amazon, Really? Quartz (Aug. 20, 2017), https://qz.com/1051814/what-is-amazon-really/.

[13]. Id.

[14]. Prime Day is Amazon’s summertime version of Black Friday, Gary Marshall, How Prime Day Became Amazon’s Biggest Day of All Time, TechRadar (Sept. 14, 2017), http://www.techradar.com/news/amazon-prime-day-2018. It’s when thousands of products are sold at a discount, and in 2017 it was the biggest day in Amazon’s history: busier than Black Friday, busier than Cyber Monday, and busier than Prime Day 2016, Id.

[15]See Lauren Thomas, Amazon Prime Day Breaks Record; Sales Grew by More Than 60 Percent, CNBC (July 12, 2017), https://www.cnbc.com/2017/07/12/amazon-prime-day-breaks-record-event-grew-by-more-than-60-percent.html.

[16]See Dr. Tony Grundy, The Source of Amazon’s Competitive Advantage, ACCA (Feb. 1, 2015), http://www.accaglobal.com/us/en/member/discover/cpd-articles/business-management/amazon-flow.html.

[17]See Charles Hill, Gareth Jones, Strategic Management: An Integrated Approach 122 (2008).

[18]See Giulio Prisco, Chinese E-Commerce Giant JD.com Launches Blockchain Accelerator, Bitcoin Mag. (Feb. 26, 2018), https://bitcoinmagazine.com/articles/chinese-e-commerce-giant-jdcom-launches-blockchain-accelerator/.

[19]See Suthichai Yoon, JD.com’s CEO: We Will Make Thailand Aseans’ Hub, Nation (Sept. 25, 2017), http://www.nationmultimedia.com/detail/business/30327558.

[20]See Lucy Handley, This Chinese Retailer Is Building 150 Drone Launch Center For People In The Countryside, CNBC (Apr. 11, 2017), https://www.cnbc.com/2017/04/11/this-chinese-retailer-is-building-150-drone-delivery-launch-centers.html

[21]. First celebrated in 2009 by Alibaba, Singles Day in China is a shopping day every year on Nov. 11th and the popularity of this shopping day is similar to Black Friday or Cyber Monday or Amazon’s Prime Day in the US, SeeChris Morris, What Is Singles Day? Fortune(Nov. 10, 2017), http://fortune.com/2017/11/10/what-is-singles-day/.

[22]See supra note 15.

[23]See Michael Schuman, JD.com's Richard Liu Takes On Alibaba In A Cutthroat Contest For China's Consumers, Forbes (Oct. 26, 2016), https://www.forbes.com/sites/michaelschuman/2016/10/26/jd-coms-richard-liu-takes-on-alibaba-in-a-cutthroat-contest-for-chinas-consumers/#6df9225870ab.

[24]. Philip C. Heckel, How To Use Mitmproxy to Read and Modify HTTPS Traffic, Philipp's Tech Blog (July 1, 2013), https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/.

[25]. See supra note 5.

[26]See supra note 2 and 23.

[27]See supra note 24.

[28] EasyList is a list of URLs which are Internet advertisements, while EasyPrivacy is a list of URLs which are Internet trackers. See EasyList, https://easylist.to (last visited Nov. 13, 2017).

[29] See supra note 2.

[30] See N. van Eijk, N. Helberger, L. Kool, A. van der Plas & B. van der Sloot, Online Tracking: Questioning the Power of Informed Consent, 14 Info. 57, 57 (2012).

[31] See Yanfang Wu, Tuenyu Lau, David Atkin & Carolyn Lin, A Comparative Study of Online Privacy Regulations in the U.S. and China, Telecomm. Pol’y 603, 608 (2011).

[32] See Dennys Marcelo Antonialli, Watch Your Virtual Steps: An Empirical Study of the Use of Technology, 8 Stan. J. Civ. Rts. & Civ. Liberties 323, 334 (2012).

[33] Michelle Chan & Clarice Yue, China Cybersecurity Law Update: Personal Information National Standards Officially Published, Lexology (Jan. 26, 2018), https://www.lexology.com/library/detail.aspx?g=23b69b8e-9240-4cbe-9d9a-ca7a25a36c03.

[34] Information provided by the consumer includes personally identifiable information such as name and address. See supra note 2. Automatic Information includes non-personally identifiable information such as cookies. Id. Information from other sources will be collected from third parties and added to the users’ account. Id. Mobile means information regarding location and mobile device of Amazon’s users when they are using apps created by Amazon. Id. E-mail communications means Amazon’s users will receive e-mail from Amazon. Id.

[35] See Amazon Privacy Notice, https://www.amazon.com/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=468496 (last visited Nov. 14, 2017).

[36] See Privacy Policy of JD.com, https://about.jd.com/privacy/ (last visited Nov. 14, 2017).

[37] Id.

[38] Id.

[39] Yianni Lagos, Taking the Personal Out of Data: Making Sense of De-Identification, 48 Ind. L. Rev. 187, 187 (2014).

[40] See Melissa W. Bailey, Seduction by Technology: Why Consumers Opt Out Of Privacy By Buying Into the Internet, 94 Tex. L. Rev. 1023, 1029-1030 (2016).

[41] See supra note 35.

[42] As is shown below in the discussion of its cookies policy, Amazon has provided its users the choice to opt out.

[43] See In re DoubleClick Privacy Litig., 154 F. Supp. 2d 497, 503 (S.D.N.Y. 2001).

[44] See Anthony D. Miyazaki, Online Privacy and the Disclosure of Cookie Use: Effects on Consumer Trust and Anticipated Patronage, 27 J. of Pub. Pol’y & Marketing 19, 20 (2008).

[45] Id.

[46] Id.

[47] The cookies involved include advertising cookies and tracking cookies, as is shown in the upcoming Part B Data Analysis.

[48] See supra notes 35-36.

[49] See Stephen Y. Chow, Data Security and Privacy in Massachusetts, § 11.4.3 (MA-CLE 11-1 2015).

[50] See Anthony D. Miyazaki, Online Privacy and the Disclosure of Cookie Use: Effects on Consumer Trust and Anticipated Patronage, 27 J. of Pub. Pol’y & Marketing 19, 20 (2008).

[51] See supra note 36.

[52] See supra note 36.

[53] Id.

[54] The simplified domains of the links of Web Server: Ad, Web Server: Tracker, Third-Party: Ad and Third-Party: Tracker, generated throughout the whole mock online shopping process rather than the mere homepage visiting procedure, will be attached in Appendix A.

[55] Unlike Amazon, which has clear signals of advertisement links that can be verified in the EasyList mentioned above, most links generated from JD.com itself can be confusing to customers. The specific links generated during homepage visiting will be shown in Part B of Appendix A. Also, JD.com was once known as Jingdong and was formerly called 360buy. See supra note 14. In this article, links ending with 360buyimg.com will be considered the same category as links ending with jd.com, both of which are generated by the Web server JD.com itself.

[56] See supra note 36.

[57] See Alessandro Acquisti, The Economics of Personal Data and Privacy: 30 Years after the OECD Privacy Guidelines (2010).

[58] See supra note 36.

