20 years ago, someone stole my credit card information and bought some stuff as me. I'm in Michigan, and they sent a bed and mattress to Florida. I called the store first, asking about the charge. Verified some part of the card number, name the order was under, etc... I asked what address it was sent to. "We can't tell you that. Our privacy policy prevents that".

Me: "So... you're charging what is my credit card, you've verified my identity, you acknowledge this order was placed in my name, and you're happy to take my money, but you won't tell me where 'my' order was sent?"

Sears(!): "Yes, that's correct".

Called the bank... got a 'fraudulent charge' form faxed(!) to me, which I filled out and sent back same day.

To be fair to the store, their privacy policy was likely designed to stop things like abusive spouses/parents tracking down people who they gave permission to use a card.

To be unfair to the store, they are probably just being stupid.

Not giving the shipping address to the “customer” is just dumb. I think it’s good to protect people from abusive spouses and parents, but if someone is using their credit card and impersonating them then that’s not quite right.

I also think it’s more likely to have identity theft than to have a spouse trying to find the new address where a mattress was sent.

My theory is that the store was trying to protect their sale and was gambling that with less info the real person would not be able to cancel the order. So short sightedness.

well... I ended up 'cancelling' via chargeback anyway.