Customers give more than they realize when buying gifts for loved ones, research shows

The holiday season has long since become synonymous with gift-giving. You’re not alone if you’re convinced that the retail madness starts earlier and gets more intense with every passing year. The pressure is definitely there to buy bigger, better, and more gifts than in previous years.

You’d be hard-pressed to find anyone who enjoys the stifling crowds, Christmas jingles, and garish animatronics. Online shopping starts to look like a pretty good option at this point. Avoiding the crowds while shopping in your own time and at your own pace from the comfort of your own home—what could possibly be the downside?

Incogni’s research team looked at the top ten retail companies by sales[1] in 2022, focusing on their data-collection and data-sharing practices. With the holiday shopping season in full swing, retailers are making profits hand over fist. It seems they’ve found additional ways to generate revenue.

Key insights:

  • Out of the 10 largest retailers in the US, Walmart stands out as potentially collecting the most data, followed by, and Costco Wholesale.
  • All 10 companies collect data that includes their customers’ identifiers, characteristics of protected classifications, commercial information, and audio/electronic/visual information.
  • 6 out of the 10 top retailers—Walmart, Costco, Kroger, CVS, Walgreens, and Lowe’s—collect sensitive personal information that can include Social Security numbers, union membership status, or even sex-life data.
  • Three apps—Amazon Shopping, Home Depot, and Lowe’s—collect 20 or more data points, with Amazon’s app collecting the most information.
  • Only 2 of the 10 examined companies were fined for actions related to user data: Target was fined for exposing the user data of 40 million customers in 2013 while Amazon was fined a record-breaking €746 million ($815 million) for not complying with GDPR regulations in 2021.

As you fill your cart, they fill theirs with your data

It’s in their privacy policies that companies disclose the various situations in which they can collect personal information. We looked specifically at their CCPA-based disclosures, in which they declare what data they could end up collecting on their customers. This means that residents of states other than California could have even more of their data collected by the investigated companies. To simplify and provide an apples-to-apples comparison, Incogni’s researchers considered the maximum number of data categories each company had specified in their privacy policy.

In this section, our researchers looked exclusively at the categories of collected data, not the particular data points that fall under those categories. For any category for which the retailer discloses data collection, they could have numerous data points. For example, under the data category of commercial information, a retailer could have your purchase history, your purchasing tendencies, and even your property records. 

On average, these 10 retailers collect customer data from 10 out of 12 categories. Walmart stands out by collecting data from all 12 categories, while Amazon, Costco Wholesale, The Kroger Co., and Lowe’s collect data from 10 categories each.

Our researchers observed that all 10 companies collect data that includes their customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and any disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).

At the other end of the spectrum, few retailers were interested in education information (which can include attendance records, student IDs, and admissions documents), with only Walmart, Amazon, and Lowe’s collecting data from this category, and biometric information (like fingerprints, vocal markers, and facial features), which was only collected by half of the analyzed companies: Walmart, Amazon, Costco Wholesale, CVS and The Home Depot.

Incogni’s researchers found that 6 out of the 10 top retailers collect sensitive personal information (potentially including Social Security numbers, sex-life information, and union membership). While it wasn’t possible to track down the exact uses all the companies claim to have for this type of information, Lowe’s states that sensitive personal information can be used to calculate delivery times and respond to security incidents while claiming that government-issued IDs need to be collected for certain types of transactions.[2]

More reasons to think twice before installing retailer apps

All 10 of the investigated retailers use their official apps to collect at least some data on their customers. This is nothing new: the vast majority of “free” apps generate revenues for their owners by collecting, sharing, and otherwise exploiting user data. Incogni took a closer look to see exactly what these particular retailers are collecting from their app users and what they’re sharing with third parties.

Data collection and sharing

Interestingly, when ranked by the number of data categories from which each retailer harvests data through its app, the retailers end up in a different order than when just comparing their CCPA (California Consumer Privacy Act) disclosures. 

On average, these 10 retailers’ apps collect 15 data points (out of 12 categories¹) and share 9 of them with third parties each.

¹ Location, personal data, financial data, health and fitness, messages, photos and videos, audio files, files and docs, app activity, web browsing, app info and performance, device or other IDs.

Our researchers observed that three apps collect 20 or more data points: Home Depot, Amazon Shopping, and Lowe’s. Amazon’s app collects the most data – a whopping 25 data points. Home Depot, the third most “inquisitive” app, was first with respect to how much data it shares with third parties, sharing 19 data points.

At the other end of the data-collection spectrum, only three apps collect 10 or fewer data points: CVS, Costco, and Albertsons. Albertsons only collects 3 data points and all of them are optional (more on optional data points below). 

8 out of 10 apps collect their users’ precise location (and 4 of them share this information with third parties). The same apps collect names, email addresses, addresses, and phone numbers; all of which are shared by 7 of the 8 apps that collect them.

5 out of the 10 apps collect users’ health information, while Walgreens and CVS collect fitness information.

Optional data—why it doesn’t make sense to give up more than you absolutely have to

Interestingly, a significant proportion of collected data can be stopped from reaching app developers in the first place. Our researchers found that 49% of all collected data points are optional. This means that retailers ask for this information even though it’s not required, and users can simply opt out of providing this data without consequence (although opting not to provide certain data might limit access to some features).

For example, Amazon (which collects the most data) allows its users to opt out from the largest proportion of the data it collects: 20 out of 25 (80%) of the data points it requests are optional. Home Depot has the highest number of compulsory data points, with only 6 out of 20 data points being optional.

Only CVS doesn’t have any optional data, meaning that all 8 requested data points are collected no matter what. 

Incogni’s researchers also found that:

  • Five apps that collect users’ names, approximate locations, and phone numbers allow the user to opt out from this data reaching the developer. 
  • The collection of precise locations and addresses can both be opted out of in 6 of the apps. 
  • Health information can be prevented from reaching the app developer in 4 cases.

Purposes—the reasons retailers give for grabbing at user data

When publishing their apps, developers identify the data points they collect and those they also share with third parties. For every data point collected and/or shared, the developer needs to disclose the purposes behind their having that user data. For example, apps frequently collect crash logs that serve to help their developers with analytics or app functionality.

In total, the investigated apps collect 148 data points and provide 432 reasons for doing so, meaning that each collected data point has almost three stated purposes behind it, on average. 

The Google Play Store has 7 standardized categories for such purposes. These are all used by the retailers to explain what they do with the user data they collect. The purposes most frequently used to explain why certain data is collected were app functionality (invoked 110 times), analytics (91), personalization (60), and advertising or marketing (55 times). We know that a total of 55 data points are collected for marketing purposes.

Target stands out as the retailer that collects the most app data for marketing purposes: 12 of the data points it collects have this reason ascribed to them. Lowe’s and Amazon also collect a noteworthy number of data points for advertising: 11 and 10 data points, respectively. The Albertsons app is the only one that doesn’t collect data for advertising purposes. 

Breaches, fines, and data from data brokers

The consequences of one of these companies experiencing a data breach scale with the amount of data it holds. Incogni found that all 10 had had their user data breached or exposed (whether by themselves, their partners, or through a subsidiary). This is cause for concern given just how much these companies know about their customers. Data exposure refers here to databases that contain consumer information being made publicly accessible.

Fines are more promising, as “only” two of these 10 companies have been fined for actions related to user data. Target was fined in California for exposing the user data of 40 million customers in 2013.[3] Amazon was fined in the European Union for failure to comply with GDPR (General Data Protection Regulation) rules in 2021. The €746 million[4] (approximately $880 million at the time) fine was the largest such fine ever issued at the time.

Our researchers also found that two companies—Costco and Target—disclose potentially collecting additional information about their customers from data brokers. This is not to say that none of the other companies do the same.

What all this means for shoppers

It’s well-known that scammers create a sense of urgency to get their victims to act without thinking. Something similar is in play when it comes to shopping during the holiday season. With so much time pressure and other stressors, it’s easy not only to de-prioritize data-privacy concerns but to never give them a single thought in the first place.

Yet the personal data consumers give up during these shopping sprees stays given-up long after the holiday season has passed for another year. All that data stays there, in these companies’ databases and the databases of their partners and other third parties. Not only is this data exploited while it’s there, it’s also ripe for breach and exposure at any minute.

There’s no denying that protecting one’s data privacy is far from easy—it certainly requires much more effort than simply turning a blind eye. Data privacy is important, though. Looking after it means less junk mail, less spam, fewer robocalls, and a significant decrease in targeted scam attempts.

Until adequate federal data-protection legislation is in place, consumers will continue to have to trade convenience for privacy to find their own comfort zones. The first step in finding the best balance between privacy and convenience is understanding just what the costs of various modern-day conveniences truly are.

Incogni realizes that, for many people, the loss of some privacy in the name of convenience is unavoidable. We hope, though, to arrive at a point at which consumers can get more convenience for less of their data. We believe that revealing the true costs will help consumers make informed decisions and bend the needle by voting with their wallets.


Having identified the top retailers in the US, Incogni’s researchers sought out their privacy policies. They used each retailer’s California-specific data-collection statements to determine their data-collection practices. Sometimes these had their own webpages and in other cases they were appended to the end of the general privacy policy.

Incogni’s researchers then identified the apps made available by these retailers. In instances where a retailer has several apps, the highest priority was placed on apps that allowed purchases, followed by those that were the most relevant for consumers seeking to make purchases (e.g., the Amazon Kindle app was found to be less relevant than Amazon Shopping). They then went on to collect information found in the data-safety sections of the Google Play Store pages of the studied apps. Data collection from the Google Play Store took place on December 6th, 2023. 

The privacy policy URLs, as well as the data used in this research, are available here: public dataset.


  1. National Retail Federation. “Top 100 Retailers 2023 List.” Accessed December 14, 2023.
  2. Lowe’s Home Improvement. “Lowe’s U.S. Privacy Statement.” Your Privacy Right Under the California Shine the Light Act. Accessed December 14, 2023.
  3. McCoy, Kevin. “Target to pay $18.5M for 2013 data breach that affected 41 million consumers.” Accessed December 14, 2023.
  4. Reuters. “Amazon hit with record EU data privacy fine.” Accessed December 14, 2023.


We welcome the reuse of our images as long as proper attribution is given to Incogni. The charts, graphs, and tables used in this research can be seamlessly embedded in your website. Use the menu at the top right of the visual when you hover over it with your mouse. When embedded, these visuals maintain their interactivity and preserve their original quality.
