Loyalty programs are one of the oldest forms of consumer surveillance and one of the least examined, probably because the exchange feels so mundane. You know the store is tracking your purchases; that is openly the deal. What has changed over the past decade is what the store does with the record, who else gets to query it, and how much a longitudinal purchase history actually reveals.
What One Swipe Records
Each loyalty transaction logs the full basket at item level: every product, its exact variety and size, the price paid, the discounts applied, the time, and the store location. Linked across years, that becomes a dense behavioral record. It shows your diet and how it changes, your alcohol and tobacco purchases, the over-the-counter medications you buy and when, your household size, your schedule, and which neighborhoods you shop in.
The identifier does the linking. A phone number given at checkout ties together every store in the chain, every family member who recites the same number, and increasingly, activity outside the store: the same phone number sits in data broker files, marketing databases, and other companies' loyalty programs, which makes it a ready-made join key for anyone enriching one dataset with another. If you use the store's app instead of a card, add precise location, in-store movement via connected features, and a device advertising ID to the record.
How much inference this supports has been public knowledge since at least 2012, when The New York Times Magazine reported that Target's statisticians had built a pregnancy-prediction score from about two dozen products whose purchase patterns shift early in a pregnancy, unscented lotion and supplements among them, and used it to time coupon mailings. The story's famous anecdote involved a father learning of his teenage daughter's pregnancy from the advertising. Whatever the details of that one household, the scoring program itself was real, and it ran on ordinary checkout data.
Purchase History Became the Product
For most of the loyalty card's history, the data mostly steered the chain's own coupons and shelf planning. The economics changed when grocers discovered they were sitting on advertising infrastructure. Kroger's data science subsidiary, 84.51°, and its Kroger Precision Marketing arm sell brands targeted advertising and campaign measurement built on the chain's transaction data. Walmart, Target, and most large retailers now run equivalent "retail media" businesses. Food retail runs on famously thin margins; selling advertisers access to purchase behavior does not.
The phrase "we never sell your data" deserves scrutiny in this context. A retail media network does not need to hand a raw purchase file to anyone. It sells targeting ("show this ad to households that buy diet soda weekly") and measurement ("how many people who saw the ad bought the product"), which monetizes the same information while keeping the file in-house. The data also flows outward in aggregated or "identity-resolved" forms through the advertising ecosystem, where it meets the real-time bidding machinery that already trades in everything else about you.
Who Else Can Ask
Purchase records are ordinary business records. In the United States, that means law enforcement can typically obtain them with a subpoena rather than a warrant, and civil litigants can pull them into discovery. Divorce and custody cases have used grocery records to argue about drinking habits. Insurers, employers, and immigration authorities operate in the same legal environment: the record exists, it is held by a third party, and the third party's privacy policy reserves the right to comply with legal process, because it must.
HIPAA covers the pharmacy counter, where prescriptions are dispensed. It does not cover the rest of the store. Pregnancy tests, emergency contraception, glucose monitors, nicotine patches, and every other health-adjacent product in the front of the store are ordinary retail SKUs in your loyalty profile, with no special legal protection.
That distinction matters more than it used to. After Dobbs, reproductive-health inferences from commercial data stopped being a hypothetical concern in the United States, and a purchase history is one of the more direct commercial records that supports them.
The Pricing Frontier
The next use of this data is pricing itself. In July 2024 the US Federal Trade Commission ordered eight companies, including consultancies and pricing-software vendors, to hand over information about "surveillance pricing": the practice of setting individualized prices informed by consumer data. The commission's initial staff findings, released in January 2025, reported that the tooling to price by individual characteristics and behavior exists and is offered commercially.
Grocery loyalty apps are a natural home for this, because personalized "digital only" coupons are already individualized prices in all but name. Two shoppers standing in the same aisle can pay meaningfully different amounts for the same item depending on what their apps offered them, and neither can see the other's price. The discount structure that once rewarded repeat customers now doubles as the mechanism for charging each customer whatever the model predicts they will tolerate, and the loyalty profile is the model's input. Electronic shelf labels, which large chains began installing in the mid-2020s, remove the last physical constraint on how often prices can move.
Shrinking the Profile
The discounts are real money, and for many households, walking away from them is not a serious option. The workable goal is deciding what the profile contains rather than refusing to have one:
- Use the card, skip the app. The card records purchases. The app records purchases plus location, device identifiers, and browsing behavior. Most of the discount usually survives the downgrade.
- Register with an alias. A dedicated email alias and a name variation keep the loyalty identity from joining cleanly to the rest of your digital life, and let you see who leaked or shared the address.
- Think about the phone number. The number is the join key. Some stores accept any ten digits that match an account; a long-running bit of American folklore has thousands of shoppers sharing the number 867-5309 in various area codes, pooling their baskets into one gloriously incoherent profile. Where a real number is required, a secondary number limits the linkage.
- Pay cash for purchases you would not want in a court filing. Card payments link baskets even without a loyalty scan. Cash plus no card produces a transaction that joins to nothing.
- Use the deletion rights you have. Under the CCPA in California, the GDPR in Europe, and similar laws elsewhere, you can request access to and deletion of your loyalty data. Retailers do comply, and the access request is worth making at least once just to see the file.
None of this is about the sixty cents. It is about the fact that the record outlives every context you created it in, and the store's lawyers, advertisers, and pricing models all get to read it. Decide what goes in the file, and the discount can stay.