Does your rewards card know if you're pregnant? Privacy experts sound the alarm
Last month, a viral Twitter thread sparked fear and debate about the ways consumer data may be stored and shared by big-box stores, and how this could take on a new dimension in a post-Roe world.
It began when the user, Nicole, stated that on July 16 that they had received a package from infant formula company Enfamil after buying a pregnancy test from Walgreens with their rewards card.
The tweet included an image of a box that had various tubs of infant formula, a pacifier, and a box with the phrase, "Here's our first gift for the most important person in the world."
Nicole wrote they were asked to take the pregnancy test by a doctor, and they raised the issue of someone receiving this this type of package in states where abortion was now illegal.
Nicole did not respond to NPR's request for comment. But several others responded to the original tweet with their own experiences of targeted marketing after purchases at other large chain stores. Some shared stories of receiving these types of packages in the wake of miscarriages.
In an email statement to NPR, a representative for Walgreens said: "The privacy of our customers is important to Walgreens. We did not provide individual customer purchase information to Enfamil."
So could an infant formula company feasibly get a customer's data and send them a package? The history of this kind of marketing is long, and the legality is complicated.
How it works
One of the most infamous examples includes a case from 2012, when a teenage girl's father found out his daughter was pregnant through advertisements from Target coupons before she had told him herself.
Alicia Solow-Niederman, an associate professor of law at the University of Iowa College of Law, cites this as a landmark example in how valuable your purchase history and spending habits can be to a store, regardless of your search algorithms or online deliveries.
"Companies such as Walgreens, Target, really any organization, can amass profiles of the kinds of things that consumers in particular categories are likely to purchase," she said. "So, it may be that people who are pregnant are likely to purchase X, Y and Z bundle of goods, then the company can make an inference that, OK, well, because you bought X, Y and Z, you're probably like these other categories of people in a particular class, like pregnant women. And therefore, we're going to assume you are, and send you the targeted item."
In a statement to NPR, Reckitt, which produces the Enfamil formula, said it didn't have access to Walgreens' customer information. However, it said consumers may voluntarily opt in to receive marketing material, and that this can happen "through a third party who states that information will be shared."
Solow-Niederman said the fine print for many store rewards programs allowed corporations to collect and share consumer data and make inferences about targeted marketing items.
In most cases, signing up for a rewards program means you are agreeing to your data being collected and utilized in this manner, Solow-Niederman said, but she argued that another issue lay in the expectation for consumers to have the capacity to navigate this type of legal language on their own, a concern that scholars in data privacy and protection have been voicing for years.
"To my mind, the question is less, 'Did Target or Walgreens, or any company, say outright what their policies are?' and more, 'Is it reasonable for any individual to be expected to pass and read these policies, particularly in a world where, I don't know, I kind of rely on these companies to get things I need in basic life?'"
Now that some states may pursue criminal charges against those seeking information related to abortions, or abortions themselves, Solow-Niederman said this data may become valuable to more than just the stores trying to track your spending habits.
"Information can flow across contexts, including to law enforcement officials, including to doctors or medical providers, or in some states, private individuals who might have an interest in going after people suspected of obtaining an abortion," she said.
How to protect yourself
Solow-Niederman argues that the most effective solutions to these problems lie in broader legislation and stricter regulations surrounding data collection and storage.
"It's a systemic problem. And the ways to plug it are things like statutes that make it harder to share information with law enforcement for certain purposes, without proper warrants, without proper procedural protections, or on the companies that data minimization just collect less data or destroy it after a particular period."
Still, there are many ways that you can protect yourself and your data, regardless of where you live or where you shop.
"The first thing I always say when folks ask me this question is don't panic," said Evan Greer, director of Fight for the Future, a nonprofit organization that aims to protect basic rights in the digital age.
"I think a lot of what kind of gets us in trouble when we think about digital security is that we tend to get really overwhelmed really fast and throw up our hands and say, 'There's so many ways that my privacy is being invaded."
Greer said the steps you take should reflect your risk level, and there was no universal way to keep your data more safe. But there are some things you can do as starting points. Their first recommendation is an "app diet".
"Just pay attention to how many apps you have on your phone," they said. "The high likelihood is that most apps on your phone are collecting and storing some type of data on you. And that data could be used in ways that you haven't even begun to imagine."
Greer also emphasized the importance of having strong protections for accessing your phone, and utilizing a password manager to protect your accounts.
"The biggest mistake that many, many people are still making is using the same password for all their accounts or using face ID on their phone, which if you're worried about law enforcement, there's actually legal precedent to suggest that a law enforcement officer can force you to unlock your phone by holding it up to your face," they said." They can't force you to give them your passcode."
Their final suggestion is to seek out resources that don't store data, including search engines like DuckDuckGo, and end-to-end encrypted messaging services like Signal.
"This is the one that I think is just very relevant for a lot of people, because as reproductive healthcare becomes more and more criminalized, people are looking for information. People are scared. They want to know what their rights are and what type of healthcare they can access and where. And all of that involves searching on the internet."
Ultimately, Greer said that the most important privacy effort any consumer could make is to call their congressperson and let them know that legislation that protects digital privacy is an important issue.
"We need collective congressional regulatory action to make it so that it's illegal for companies to collect so much data about us in the first place," they said. "That's the only thing that's going to really protect people in the long run."
Copyright 2022 NPR. To see more, visit https://www.npr.org.