• Key issues
  • Privacy
  • Protect

What do online retailers do with my data, and what can I do about it? Rightly's report.

Want to know what personal data the UK's largest online retailers collect, and how they use it? We've gone through each of their privacy policies to find out for you.
Illustration of people sitting around a desk, talking on their phones about how to sell your data to third parties

After a very unique Christmas at the end of 2020, it’s fair to say that there would’ve been a lot fewer presents under the tree had it not been for online retailers. As many as 87 percent of UK households made online purchases during 2020 according to Statistica, and the national industry is now valued at around 700 billion GBP.

It's important to note that selling products is not the only way that this money is made. Sharing and selling the personal data of their users is also big business. To make sure that you know what each big online retailer is doing with your information, we reviewed the privacy policies of the ten most popular.

Remember, if you'd like to ask any company what they know about you for free, or to delete your information, you can with Rightly.

Amazon’s Privacy Policy

What data do Amazon collect on you?

Amazon collects a LOT of information about its users. :

  • What you buy, search, download, stream, or view
  • Interactions with Alexa
  • Your wish lists and watch lists
  • Name, address, number, age
  • Credit history and information

Do Amazon share your data with third-parties for advertising purposes?

Yes.

Who with?

Amazon shares your information with “advertisers, publishers, social media networks, search engines, ad serving companies, and advertising companies working on their behalf”. The company does not “associate your interactions on unaffiliated sites with information which on its own identifies you, such as name or email address”, but the information they do share is certainly personal.

Any headlines?

Earlier this year, it was reported that Amazon stores data of every motion detected by its ‘Ring’ doorbells, and the exact time that they're logged. This is considered by many to be a pretty significant breach of privacy, considering the potential for motion and recording without a user’s consent. You can read more about this story on the BBC here.

In 2019, UK Secretary for Health Matt Hancock gave NHS data to Amazon for free to use as part of an Alexa device deal. While the material does exclude patient data, it does open up the possibility for Amazon to use the information for advertising purposes. Read more about it on the Guardian’s website here.

Earlier in 2019 Amazon, along with Apple, Google, Netflix, and Spotify, received complaints after only some of the data received back from SARs was ‘intelligible’. Customers requesting their information through subject access requests (which you can issue through Rightly) found that some of their information was impossible to understand, constituting a breach of GDPR law. Read more on this story here.

Next’s Privacy Policy

What data do Next collect on you?

Next collects information about:

  • How you interact with the website and any marketing you are exposed to
  • CCTV footage in stores “so that we can best arrange our stores and stock the ranges our customers will be most interested in”
  • Account and device information and your interactions with Next online

Do Next share your data with third-parties for advertising purposes?

Yes. Next explicitly state that they use “purchase history, demographics, account information and third party information, to show you products”, and also “share limited information with selected suppliers to enable them to identify new prospective customers on our behalf.”

Who with?

Next give a summary of their sharing practices, stating that they share personal information with:

  • “Marketing Companies and Online Advertising” (e.g. Facebook)
  • “Consumer profiling organisations”

Next also note that they use “ad exchanges and social media networks such as Facebook’s Custom Audience to get relevant marketing messages across to you”

Any headlines?

Not that we could find, but you can learn more about the company’s privacy practices from their policy below.

Marks and Spencer’s Privacy Policy

What data do M&S collect on you?

M&S collects a number of different data points about you when you use their service, such as:

  • Name
  • Age and date of birth
  • Gender
  • Billing address
  • Delivery address and payment details
  • Your online browsing activities
  • CCTV “and other images”
  • Your interests, preferences, communication and publicly available personal data (such as Twitter feed or public Facebook page)

Do M&S share your data with third-parties for advertising purposes?

Yes. M&S state in their privacy policy that “any advertisements you will see relate to products you have viewed whilst browsing our websites on your computer or other devices, or which we believe are of interest to you”

Who with?

M&S give a not-very-comprehensive list of their advertising partners who they share information with, which are:

  • Google
  • Facebook
  • Other “third party marketing partners”

Any headlines?

Yes. In 2015, M&S temporarily disabled its website after some customers complained they could see each other’s details when they logged into their accounts. The issue was resolved fairly quickly, and the Telegraph reported on it here.

Earlier, in 2011, M&S customers were warned to expect an increase of e-mail spam after hackers stole their details. While this was a fairly long time ago, it’s worth bearing in mind when you consider how you share your information through the supermarket. Read more about it on the BBC here.

John Lewis’ Privacy Policy

What data do John Lewis collect on you?

John Lewis collects data from its customers “to build a rich picture of who you are and what you like, and to inform our business decisions.” The kinds of information they collect include:

  • Name
  • Gender
  • Date of birth
  • Email and telephone number
  • Billing/delivery address
  • Order history
  • Items viewed or added to your basket or wishlist
  • Shopping preferences
  • Interactions/contact with John Lewis.
  • Your clothing size and skin type (if you provide it)
  • Internet connection and browser, country and browsing activity
  • CCTV footage and car number plate

Do John Lewis share your data with third-parties for advertising purposes?

Yes. John Lewis shares your data with a number of third-party advertisers to help them tailor their content towards you.

Who with?

John Lewis list a number of the advertisers they share data with, including:

  • Cablato
  • Impression Desk Technologies (Infectious Media)
  • “Direct marketing companies”
  • Google
  • Twitter
  • Instagram
  • YouTube
  • Facebook
  • “The companies we use to help us advertise”

Any headlines?

We couldn’t find any data privacy stories directly related to John Lewis, but it’s definitely worth keeping an eye out for them.

eBay’s Privacy Policy

What data do eBay collect on you?

eBay collects a lot of different information about its users, including:

  • Name
  • Address
  • Telephone number(s)
  • Email addresses
  • (In some cases) age, gender, country of birth, nationality, employment status, family status, interests and preferences
  • Interactions on eBay’s site

eBay also collects information from other sources, such as other eBay Inc. corporate family members, credit agencies or bureaus, and other data brokers.

Do eBay share your data with third-parties for advertising purposes?

Yes. eBay states in their privacy policy that they “share your information with third parties [...] to provide customer service, to provide you with personalized advertising and marketing communications.” The second entry on that list, personalised advertising, involves selling personal information to advertisers so that they can better target their marketing based on details about you.

Who with?

eBay doesn’t specifically identify who they share data with, instead opting to summarise their sharing with “third parties” and “eBay group companies.”

Any headlines?

In 2014, before the introduction of GDPR, eBay had a massive data breach in which hackers accessed 145 million eBay customers’ names, email addresses and other personal data. You can read more about it over on BBC here.

Argos’ Privacy Policy

What data do Argos collect on you?

Argos, like many other online retailers, collect a lot of information about their users. This kind of information includes:

  • Name
  • Address
  • Date of birth
  • Telephone number
  • Email address
  • Bank account and payment card details
  • Purchase details
  • Device information such as IP address
  • “Information required to make decisions about your applications for products and services” such as credit information for a loan or medical history for life insurance
  • Information from other sources such as “credit reference agencies such as Experian, the Royal Mail, fraud prevention agencies, claims databases, marketing and research companies, social media providers, pay TV providers and the DVLA, as well as information that is publicly available”

Argos also explicitly notes that it “creat[es] profiles about you” based on your browsing and activity on and off their site. Data profiling is a huge part of the ad-tech industry, and you can find out more about it here.

Do Argos share your data with third-parties for advertising purposes?

Yes.

Who with?

Argos don’t give a comprehensive list of the companies they partner with, and instead summarise their sharing practices, stating that they share information with “advertising companies, who help us place Sainsbury’s Group adverts online.”

Any headlines?

In 2019 it was reported that Tesco and Argos logins could be bought and sold for as little as £1 on the dark web. The information was part of an investigation into the illegal but common practice of account sale on the dark web, which you can read more about here.

Tesco’s Privacy Policy

What data do Tesco collect on you?

Tesco lists a number of type of information they collect about their customers, such as:

  • Name
  • Title
  • Date of birth
  • Email address and phone number
  • Delivery address
  • Billing address
  • Browsing behaviour on their site and app
  • Purchase information
  • CCTV footage in stores

Tesco also disclose that they collect data from “specialist companies that supply information” such as “our Retail Partners and  public registers (such as the electoral register)” and social media sites, pay TV providers, and “any other channels that become available to us”. Tesco pays to collect this information in order to “improve and measure the effectiveness of our marketing communications, including online advertising”.

Do Tesco share your data with third-parties for advertising purposes?

Yes. As well as purchasing information about you, Tesco also share their own collected data with advertisers.

Who with?

These kinds of third-party advertising partners such as:

  • Facebook
  • Adobe
  • Dunnhumby
  • Liveramp

Any headlines?

In 2020, Tesco announced it would issue replacement Clubcards to over 620,000 customers after a security breach of account details using stolen passwords. As far as supermarket data breaches go, this one is one of the biggest. Read more about it on Which here, or find out more about the company’s practices on their privacy policy below.

Asda’s Privacy Policy

What data do Asda collect on you?

Asda collects a number of different types of your personal data, including:

  • Name
  • City and postcode
  • Email address
  • Telephone number
  • Mailing address
  • CCTV footage in stores
  • Device information such as IP address
  • Cookie information
  • Purchase history and average spend
  • Interaction history
  • For pharmacy purposes, pharmacists may access your NHS number and information about medications you are taking

Do Asda share your data with third-parties for advertising purposes?

Yes. Asda disclose that they “use information about which of our websites and apps you visit, what products and services you browse and buy to help ensure that the advertising you see from us is as timely and relevant as possible.” They’re essentially saying that they share personal data with advertisers so that advertisers can target you more closely.

Who with?

Asda don’t actually list their third-party advertising partners, and instead just write that they share data with “Media partners” and “trusted partners, within the European Economic Area (EEA)”.

Any headlines?

Yep! In 2016 a security bug on Asda’s website left customer’s personal details and financial details vulnerable to hacking, putting millions of personal details at risk. The Telegraph reported on it here. More recently, in 2018, a hacker was jailed for selling Asda customer’s data on the dark web. This kind of practice is very common, and you can read more about it on the Guardian’s website here.

ASOS’ Privacy Policy

What data do ASOS collect on you?

ASOS is pretty reserved on detailing how much information they collect on you. In their privacy policy, they state that they collect the following info:

  • Your dress size
  • Your price range
  • Address
  • Order history
  • Search history
  • Styles you like
  • Social media accounts you link with ASOS and “how you might share your likes with your friends and how you might influence others with your style”

Do ASOS share your data with third-parties for advertising purposes?

Yes. ASOS is explicit that it “share[s] your data with the following categories of companies as an essential part of being able to provide our services to you.”

Who with?

ASOS list a number of kinds of companies they share information with, including:

  • “Marketing agencies, advertising partners and website hosts, who help us run our business”
  • “Affiliates who help us reach out to potential new customers or promote our products on their websites”
  • “[ASOS] provides third parties with aggregated and anonymised information and analytics about our customers”

Any headlines?

Not that we could find, but as always it’s important to be aware of how much information you’re sharing with your favourite online retailers. You can find out more about ASOS’s data practices on their privacy policy.

Currys PC World’s Privacy Policy

What data do Currys PC World collect on you?

Currys PC World collects a lot of information about its users, including:

  • Name
  • Address
  • Date of birth
  • Email address
  • Phone number
  • Purchase history and payment details
  • Employment details
  • Your financial position
  • ID information when you apply for insurance or loans offered by selected third parties’ partners
  • Contact with the company and feedback
  • IP address and cookie data

Do Currys PC World share your data with third-parties for advertising purposes?

Yes.

Who with?

Currys PC World notes that “some of our service providers place ads for us”, meaning they share information with third party advertisers. They also note their use of targeting cookies to track your behaviour across websites to “create profiles” of “general online behaviour”, which are also often shared with advertisers.

Any headlines?

In 2020 Currys PC World’s parent company, Dixons Carphone was fined £500,000 for a “massive data breach” - a cyber attack that affected 14 million people. You can read more about it over on the Guardian website here.

How can I take control of my data?

You might think that clearing your browsing history or even deleting your account from an online retailer's website is a surefire way to make sure a company no longer holds your data, but it's actually a lot easier than that. Online retail sites that operate in the UK have to comply with GDPR data protection laws, which means your rights as a consumer include the ability to access, review, and request the deletion of any and all personal data a company holds about you. Through Rightly, you can request to view it, demand they delete it, or even prohibit them from collecting certain kinds of data in the future.

Can I remove data from online retail sites?

Absolutely. As we mentioned, GDPR also affords consumers the right to request full deletion of their data, called the ‘right to be forgotten’. Users can contact companies, browsers, and even online retail sites and ask for them to delete all data the website holds about them. We can help with this too - deletion requests let you clear your purchase history for good, delete your online retail site profiles, or even delete all information the supermarkets holds about you.

Sound like something you'd like to do? You can get started below. If you want to get in touch with a company that's not on our list, please do get in touch with our friendly support team.

Related Articles