Data Ethics Club: Is retail the next sector to be hit by a privacy scandal?#

What’s this?

This is summary of Wednesday 11th October’s discussion, where we spoke and wrote about the article Is retail the next sector to be hit by a privacy scandal?, an article on the privacy compliance hub written by Emma Sheppard, discussing data collection in the retail industry. The summary was written by Jessica Woodgate, who tried to synthesise everyone’s contributions to this document and the discussion. “We” = “someone at Data Ethics Club”. Huw Day, Nina Di Cara and Natalie Thurlby helped with the final edit.

The use of electronic loyalty cards, emailed receipts, and e-commerce has opened the retail industry up to a tsunami of consumer data. This often comes with a lack of consumer awareness about what they are giving away, and where their data is going. Loyalty cards give users discounts in exchange for data, which is then used for increasingly personalised and highly profitable advertising. The article suggests that whilst sectors such as healthcare and financial services have imposed stringent privacy regulation and compliance responsibilities, retail has been comparatively slow with addressing privacy concerns. How much should we be concerned about transparency and informed consent in the use of data in retail, and should we be anticipating a massive privacy scandal?

Q1 Were you aware how much your shopping data is tracked by shops and supermarkets? How do you feel about it?#

We realised we felt some disconnection and naivety to how data is gathered and employed by the retail industry. On the free market, it’s hard for customers to know the full pipeline of where their products are from and other associated processes. The amount of data collected from our choice of meal deals wasn’t something that we had been in tune with before, and now we’re wondering if we should invest in trench coats. Some of us were aware of data tracking, however the use of facial recognition in supermarkets to analyse consumer behaviour was new to us.

Q2 Do you think the discounts offered by shops for using a loyalty card are a fair exchange for tracking your data?#

Loyalty cards are designed to make us feel like we are autonomously bargain hunting. However, are we truly informed about the decision we are making? Supermarkets feed off of convenience, taking advantage of time poverty. Reading terms and conditions, privacy policy updates, and relevant legal conditions (e.g. these might change between locations) takes a huge amount of time and energy, rendering terms and conditions virtually incomprehensible to the average consumer. This seems to us like gambling; discounts are presented to us in a way that seems like we are winning, however the house always has to win. For all that we get out of the deal, the house must always get more.

Opaqueness of systems#

What the house gets from us - our “retail value” - is something that we don’t truly know. The decisions we make in terms of our retail consumption and volunteering of data might be different if we knew how much our data was valued by companies. Could we conceive of a more transparent system in which we could opt-in to n annoying ads per week, and get paid m amount for our data? It would be interesting to find out the value of data for different groups of people, for example, if there is a difference in the value of data from different socio-economic groups.

Not only is there opacity in the quality of our retail value, but we also don’t know who has access to the data surrounding it. Data is frequently farmed out to third parties, and if your intention is to allow one company access to your data, you can’t be sure that it will stay with that company. There might be multiple other companies who can see parts or all of it, breaching GDPR without “technically” breaching it.

Sharing data with multiple companies increases privacy concerns, as it increases the risk of breaches and decoding of supposedly private data. The line between data that is private and data that could personally identify you is subtle. In DEC we are largely hesitant to share our data, however do we take enough action to prevent information being personally identifiable? The extent of privacy is often not made explicit even though GDPR says maybe it should be.

There are also implications for how much autonomy we have over our data when it is shared with multiple companies. For example, it makes it harder to enforce the right to be forgotten. In places like the US, getting even a single company to remove something as simple as an email address can be a difficult and drawn out process. There might be something to learn here from countries like Germany, where it is quick and easy to permanently delete your account.

We simply don’t know a lot about where our data is going, what these systems are being used for, and what the correct uses of these systems are – if there even are any. We hear data scientists who work in advertising bemoan the fact that their superiors don’t care about how good the models are; they just want the profit to go up. This doesn’t give us confidence in the protection of our data, and what it might be used for. Other than supermarkets, are other parts of the retail sector tracking and selling our data, like biometric data from gyms? FitBit has an option to track your menstrual cycle, and we wondered what they might do with that kind of data.

Using data in personalised services can have negative side effects, such as the relationship between fitness tracker apps and eating disorders. There have also been instances of FitBit finding out people are pregnant before they know. With difficulties surrounding unwanted pregnancy, or for people in abusive relationships, the handling of this data could be a huge safety concern.

Advertising and Profit#

Most of the value around data collection stems from its effectiveness in personalised advertising. We felt like the whole point of advertising is to make you feel like you don’t have enough and that you need more. With more data comes better predictions about what kind of person you are, and what exactly it is that you need more of.

We reflected on our own relationship to advertising, and wondered how many suggested recommendations we usually get before we actually buy something. Some of us only clicked on ads in specific domains (e.g. Instagram); some of us always scrolled past sponsored ads. Some of us admitted that ads do work on us, especially from somewhere we’ve already bought from, but we don’t tend to click on random adverts that pop up. We only need one toilet seat – we’re not collectors. This shows how importance of context is not something that recommender systems have perfected yet; when we buy pink size three socks at Christmas but our usual footwear is size 10 flip flops, we see more adverts for women’s socks. This sort of inference is easy for humans to do. We wondered if companies send out random offers to people to see how well they work, as well as more targeted things.

Profit from advertising is a big incentive for data collection, and we can see how successful this is as companies can afford to sell things for cheaper (or rather sell things for more expensive to customers whose data isn’t getting collected?). We wondered if there was a threshold of the minimum discount that a company could give for a customer to hand over their data. The lack of awareness around the issue might mean that in some cases customers could be incentivised to hand over data without any discount at all, e.g. through perceived group membership and brand loyalty.

Q3 “Walmart’s chief financial officer revealed advertising was faster growing than the company’s main retail business and had higher margins” - what do you think about this?#

Currently, different companies have different pieces of data. The colossal growth of advertising revenue for companies like Walmart is concerning when we consider how industry giants are turning towards business models where you can buy anything and everything from one company. These companies would then have access to even more data, with an even more complete coverage of different aspects of society. The power that comes along with that would be immense. We’re feeling Minority Report and Person of Interest themes…

Bonus question What change would you like to see on the basis of this piece? Who has the power to make that change?#

We’re thinking: game the system. Shopping bag rebellion (Sainsburys bag in Tesco’s), use different email addresses, share accounts with different people. Dismantle capitalism (klaxon) so companies aren’t as incentivised to buy and sell data, and stop pressuring individuals to sign up for loyalty cards and the like.


  • Natalie Zelenka, Senior Research Fellow in Health Data Science, UCL, NatalieZelenka, @NatZelenka

  • Huw Day, JGI Data Scientist, University of Bristol, @disco_huw

  • Noshin Mohamed - Quality Assurance in Children’s Service

  • Virginia Scarlett - Open data specialist, HHMI Janelia Research Campus

  • Euan Bennet - Lecturer, University of Glasgow, @DrEuanBennet

  • Robin Daslelr, Data Product Manager, daslerr