LOS ANGELES – As consumers get into full swing this gift-giving season, Incogni’s newest research uncovers the hidden practices of the largest retailers in the United States. The analysis reveals that customers unknowingly contribute more than they realize when purchasing gifts for loved ones. All 10 investigated retailers collect and share a significant number of personal data points, such as Social Security numbers, union membership status, and even sex-life data. Walmart took the top spot, followed by Amazon.com and Costco Wholesale. Amazon, Home Depot, and Lowe’s turned out to have the most data-hungry mobile apps.
Incogni’s researchers examined the privacy policies of the biggest retailers in the United States, focusing on their data-collection and data-sharing practices. With the holiday shopping season being the busiest time of the year in retail, it turns out the biggest stores might be trading in not only goods but also their customers’ data.
On average, the top 10 retailers collect customer data from 10 out of 12 categories. Walmart stands out by collecting data from all 12 categories, while Amazon, Costco Wholesale, The Kroger Co., and Lowe’s collect data from 10 categories each. All 10 companies collect data that includes customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).
Six out of the 10 top retailers—Walmart, Costco, Kroger, CVS, Walgreens, and Lowe’s—collect sensitive personal information such as Social Security numbers, union membership status, and even sex-life data.
When it comes to apps, on average, these 10 retailers’ apps collect 15 data points (out of 12 categories) each and share 9 of them with third parties. Three out of 10—Amazon Shopping, Home Depot, and Lowe’s—collect 20 or more data points, with Amazon’s app collecting the most information. Eight out of 10 apps collect precise location data, and four share this information with third parties.
Taking into consideration the amount of data each of these companies holds, the consequences of one of these companies experiencing a data breach are potentially catastrophic for consumers. Unfortunately, Incogni found that all 10 had had their user data breached or exposed (whether by themselves, their partners, or through a subsidiary).
At the same time, “only” two of these 10 companies, Target and Amazon, have been fined for actions related to user data. Target was fined for exposing the user data of 40 million customers in 2013, while Amazon was fined for failure to comply with the European GDPR (General Data Protection Regulation) rules in 2021.
As the holiday shopping season continues, Incogni urges consumers to consider the true costs of some of the modern conveniences they enjoy and encourages them to make privacy-conscious choices. By doing so, consumers can play a crucial role in influencing retailers to prioritize data protection.
“Incogni’s research exposes the concerning reality behind the extent of personal data collection by major retailers. Our findings underscore the need for an immediate implementation of comprehensive data-protection legislation to ensure transparency and accountability in the retail sector.” – says Darius Belejevas, Head of Incogni.
Incogni’s researchers sought out the privacy policies of the biggest retailers in the United States. They used each retailer’s California-specific data-collection statements to determine their data collection practices. The apps made available by these retailers were also identified. In instances where a retailer had several apps, priority was given to apps that allowed purchases, followed by those that were the most relevant for consumers seeking to make purchases (e.g., the Amazon Kindle app was found to be less relevant than Amazon Shopping). Relevant information was found in the data-safety sections of the Google Play Store pages of the studied apps. Data collection from the Google Play Store took place on December 6th, 2023.
The full text of the study and images are available here: study
The privacy policy URLs, as well as the data used in this research, are available here: public dataset.