What do supermarkets do with my data, and what can I do about it?

Everyone knows what a supermarket is, but did you know that more than three quarters of UK customers are now doing their groceries online? The outbreak of coronavirus in 2020 has also caused an increase in consumer spending in grocery stores across the country, with more people than ever organising and managing their grocery deliveries online.

Like any other site, online retailers collect data about their customers, and supermarkets are no different. We’ve done a bit of digging, and gone through the privacy policies of the UK’s ten largest supermarkets to find out a little more about what data they collect, how they share it, and what you should be aware of before you shop with them. Wherever you shop online, we're here to help.

Morrisons' Privacy Policy

What data do Morrisons collect on you?

Morrisons collects a number of different data points about its customers which are worth being aware of, such as:

• Name
• Date of birth
• Contact details
• Marketing preferences
• (Optional) racial or ethnic origin, religious belief, or health records
• Financial details
• CCTV footage in stores
• Device details such as IP address
• Location
• Site usage
• “Technical data from analytics providers” like “Google, advertising networks and search information providers”
• ‘Lists of potential customers from companies that collate these details and make them commercially available for marketing purposes’.

It’s also worth noting that Morrisons performs some data profiling, which you can read more about here on our blog. Their privacy policy explains how Morrisons “use Experian’s Mosaic customer classification, which places you into one or more defined behavioural and socio-economic groups, to understand our customer database and to assist in location planning and purchasing decisions.”

Do Morrisons share your data with third-parties for advertising purposes?

Yes, they do. Morrisons shares your information in a similar way to other retailers by offering it to “Social media companies such as Facebook and Twitter as advertisers”. These companies receive some personal information about your preferences, and analytics information to assess how their advertisements are doing.

Any headlines?

In 2020, a Morrisons employee with a grudge leaked the payroll data of 100,000 company employees. 5,000 were affected by the breach and sought compensation, but Morrisons was found ‘not liable’. You can read more information about it over on the Guardian here.

• Morrisons’ Privacy Policy
• Morrisons’ Cookie Policy

Delete my data from Morrisons

Lidl's Privacy Policy

What data do Lidl collect on you?

Lidl collect quite a bit of information about their customers, such as:

• Email address
• Residential address
• Telephone conversations with Lidl
• CCTV footage in stores
• Device information like IP address
• Site usage information
• (Optional) Information shared with Facebook, Twitter, Youtube, Instagram and LinkedIn

Do Lidl share your data with third-parties for advertising purposes?

Yes. Lidl summarises their data-sharing by noting how it “enables us to display advertising content that is suitable for you, based on the analysis of your pattern of use.” Essentially, they share your usage information with advertisers so that advertisers can target you more closely. You can even be tracked “via different websites, browsers or terminal devices using a User ID (unique identifier)”.

Who with?

Lidl principally share information with the following advertisers:

• Google (“for example, [...] Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites”)
• Bing

Any headlines?

In 2008, Lidl shops across Germany were accused of spying on their employees; mini video cameras officially used to ‘reduce shop-lifting’ were used to collect and document details about employee’s tattoos, love lives, personal finances, menstrual cycles and even how many times they went to the toilet! Read more about it over on the Guardian here.

• Lidl’s Privacy Policy
• Lidl’s Cookie Policy

Delete my data from Lidl

Aldi's Privacy Policy

What data do Aldi collect on you?

Aldi collects information like all the other supermarkets on this list, such as the following types:

• Name
• Title
• Date of birth
• Gender
• Username
• Email address and telephone number
• Marital status
• Billing address and financial details
• Delivery address and postcode
• Device information such as IP address and device cookies
• Time zone setting and location
• Your interests, preferences, reviews and purchase history

Do Aldi share your data with third-parties for advertising purposes?

Yes. Aldi shares your information with advertisers so that they can target you more closely through their marketing

Who with?

The companies Aldi shares your personal data with include:

• Google
• Facebook
• AppNexus
• Addthis
• Adobe
• Avocet
• Richrelevance.com

Any headlines?

In 2018, bank card skimmers were installed in two shops, but no customers were affected; this seems to have been a small, localised problem. You can read more about it here, and find more information about the company on their privacy policy below.

• Aldi’s Privacy Policy

Delete my data from Aldi

Marks and Spencers (M&S) Privacy Policy

What data do M&S collect on you?

M&S collects a number of types of information when you use their site, including:

• Name
• Age and date of birth
• Gender
• Billing address and payment details
• Delivery address
• Your online browsing activities
• CCTV ‘and other images’ from stores
• Your interests, preferences, communication and publicly available personal data (such as Twitter feed or public Facebook page)

Do M&S share your data with third-parties for advertising purposes?

Yes. M&S explicitly note that “Any advertisements you will see relate to products you have viewed whilst browsing our websites”, meaning that the supermarket shares browsing information with marketers who they advertise to you accordingly. Like other companies, M&S also note that they can track you “on your computer or other devices”, which is also worth bearing in mind.

Who with?

M&S give the following list of third-party advertisers, which is by no means comprehensive:

• Google
• Facebook
• Other “third party marketing partners”

Any headlines?

Yes. In 2015, M&S temporarily disabled its website after some customers complained they could see each other’s details when they logged into their accounts. The issue was resolved fairly quickly, and the Telegraph reported on it here.

Earlier, in 2011, M&S customers were warned to expect an increase of e-mail spam after hackers stole their details. While this was a fairly long time ago, it’s worth bearing in mind when you consider how you share your information through the supermarket. Read more about it on the BBC here.

• M&S’s Privacy and Cookie Policy

Delete my data from M&S

Tesco's Privacy Policy

What data do Tesco collect on you?

Tesco lists a number of type of information they collect about their customers, such as:

• Name
• Title
• Date of birth
• Email address and phone number
• Delivery address
• Billing address
• Browsing behaviour on their site and app
• Purchase information
• CCTV footage in stores

Tesco also disclose that they collect data from “specialist companies that supply information” such as “our Retail Partners and  public registers (such as the electoral register)” and social media sites, pay TV providers, and “any other channels that become available to us”. Tesco pays to collect this information in order to “improve and measure the effectiveness of our marketing communications, including online advertising”.

Do Tesco share your data with third-parties for advertising purposes?

Yes. As well as purchasing information about you, Tesco also share their own collected data with advertisers.

Who with?

These kinds of third-party advertising partners such as:

• Facebook
• Adobe
• Dunnhumby
• Liveramp

Any headlines?

In 2020, Tesco announced it would issue replacement Clubcards to over 620,000 customers after a security breach of account details using stolen passwords. As far as supermarket data breaches go, this one is one of the biggest. Read more about it on Which here, or find out more about the company’s practices on their privacy policy below.

• Tesco’s Privacy Policy

Delete my data from Tesco

Asda's Privacy Policy

What data do Asda collect on you?

Asda collects a number of different types of your personal data, including:

• Name
• City and postcode
• Email address
• Telephone number
• Mailing address
• CCTV footage in stores
• Device information such as IP address
• Cookie information
• Purchase history and average spend
• Interaction history
• For pharmacy purposes, pharmacists may access your NHS number and information about medications you are taking

Do Asda share your data with third-parties for advertising purposes?

Yes. Asda disclose that they “use information about which of our websites and apps you visit, what products and services you browse and buy to help ensure that the advertising you see from us is as timely and relevant as possible.” They’re essentially saying that they share personal data with advertisers so that advertisers can target you more closely.

Who with?

Asda don’t actually list their third-party advertising partners, and instead just write that they share data with “Media partners” and “trusted partners, within the European Economic Area (EEA)”.

Any headlines?

Yep! In 2016 a security bug on Asda’s website left customer’s personal details and financial details vulnerable to hacking, putting millions of personal details at risk. The Telegraph reported on it here. More recently, in 2018, a hacker was jailed for selling Asda customer’s data on the dark web. This kind of practice is very common, and you can read more about it on the Guardian’s website here.

• Asda’s Privacy Policy

Delete my data from Asda

Sainsbury’s Privacy Policy

What data do Sainsbury’s collect on you?

Sainsbury's collect lots of different kinds of data about you, such as :

• Name
• Date of birth
• Address
• Telephone number
• Email address
• Payment details
• Communication and interaction information
• Purchase history and information
• CCTV footage in stores
• “Information required to make decisions about your applications for products and services” such as credit information for a loan or medical history for life insurance.
• Information from other sources such as “credit reference agencies such as Experian, the Royal Mail, fraud prevention agencies, claims databases, marketing and research companies, social media providers, pay TV providers and the DVLA, as well as information that is publicly available.”

Do Sainsbury’s share your data with third-parties for advertising purposes?

Yes. Sainsbury’s share your personal data with “Advertising companies, who help us place Sainsbury’s Group adverts online and on other media”.

Any headlines?

None that we could find, but it’s always worth being on the lookout for potential privacy problems.

• Sainsbury’s Privacy Policy

Delete my data from Sainsbury's

The Co-op Food (Co-op) Privacy Policy

What data do they collect on you?

The Co-op does not collect that much information about you in comparison to other supermarkets on this list. The kind of details they collect include:

• Details from when you request a product, service, offers or news from us from the website, emails, telephone conversations, and written and verbal communication.
• Information may be supplemented with other information obtained from dealings with you or which from other parts of The Co-operative Group or their Partners.

Do they share your data with third-parties for advertising purposes?

No. The Co-op states that they only share information to provide you with ‘special offers or promotions’ and for market research.

Any headlines?

In 2019, 4.2 million members and business clients of the Canadian Co-op were affected by a data breach. The data breach included the social insurance numbers, addresses and details of banking habits of these members, and whilst this didn’t occur in the UK, it’s important to remember when choosing to share information with the supermarket chain. Find more information about it on the Co-op’s own website here.

• The Co-op’s Privacy Policy

Delete my data from supermarkets for free

Waitrose's Privacy Policy

What data do Waitrose collect on you?

Waitrose collects the following kinds of information about its customers:

• Name
• Gender
• Date of birth
• Billing and delivery address
• Email and telephone number
• Order history
• Items viewed or added to your basket and wish list
• Brands you show interest in
• Web pages you visit and interactions/contact with Waitrose.
• (Optional) clothing size and skin type.
• Internet connection and browser, country and browsing activity
• CCTV footage and car number plate

Do Waitrose share your data with third-parties for advertising purposes?

Yes. Waitrose note that they share your information with the following companies:

• Google
• Facebook
• Youtube

Any headlines?

We couldn’t find any, but again it’s always worth keeping up to date about privacy issues.

• Waitrose’s Privacy Policy

Delete my data from Waitrose

Iceland Foods (Iceland) Privacy Policy

What data do Iceland collect on you?

Iceland collects a lot of information both from details you provide them and from elsewhere. This information includes:

• Name
• Age
• Gender
• Email address and telephone number
• Home address
• Device information such as IP address
• Location data
• Purchase history
• Linked social media accounts
• CCTV footage in stores
• Iceland also notes that “The Government has provided us with basic contact details of people who it, in conjunction with the NHS, has determined are potentially medically vulnerable during the Covid-19 pandemic...who have requested assistance with access to food.”

Do Iceland share your data with third-parties for advertising purposes?

Yes. Iceland says that while “No one wants to see adverts”, they do share cookie information with advertisers. “With cookies, you'll see adverts that are more relevant to you. In fact, these cookies limit the number of times you see an advert, and measure the effectiveness of an advertising campaign.” As great as they make it sound, cookie information can be really intrusive and sensitive.

Who with?

Iceland share information with “advertising partners and other advisors and agents, who help us run our business, undertake market research and gather product reviews.”

Any headlines?

In 2017, a privacy loophole existed that meant that when customers were asked to sign a delivery sheet after receiving their food order the contact details of other customers were visible. The problem was fixed, but you can read more about it here.

• Iceland’s Privacy Policy

Delete my data from Iceland

What can I do about my data?

Trying to figure out what to do about your data (or whether to do anything at all!) can be pretty overwhelming at times, but we're trying to change that. Essentially, new laws introduced by the GDPR make it easier than ever for users to exert their consumer rights. Regulations mean that companies, including supermarket websites, are legally obliged to allow their users to take certain actions in relation to their personal data.

For example, it's super easy to send a subject access request (or SAR) to a company of your choice. SARs allow consumers to request any and all data that a company or website holds about them, and the company is obliged to provide the information in a readable and understandable way. Thanks to GDPR, the company has to respond to your request within 30 days!

Can I remove data from supermarket sites?

Yes! As well as subject access requests, GDPR also means that users are able to request a total deletion of their data from a company's records. This rule, conventionally known as the 'right to be forgotten', means that you can ask companies to delete any personal information about you that they hold whether it's account profile information, records or history, or interests and marketing preferences.

You delete your data from supermarket sites here. Or, if you still have questions, get in touch - we'd love to hear from you.