Grocery Dive
Kroger shared sensitive customer health data without permission, lawsuit claims
Grocery Dive, an Industry Dive publication · Grocery Dive · Industry Dive
Sam Silverstein
3 min read

In This Article:

Dive Brief:

  • Kroger is facing a federal class-action lawsuit claiming that the supermarket company shared confidential health details about pharmacy customers without their permission.

  • The suit, filed Nov. 13, alleges that Kroger “willfully and intentionally” installed tracking code provided by Facebook parent Meta on its web servers that surreptitiously transmitted people’s private information to third parties including the social networking company.

  • Kroger joins a range of companies, including Costco, facing allegations that it improperly disclosed health-related details collected from consumers to Meta.

Dive Insight:

The lawsuit paints Kroger as a willing partner with Meta in using information people thought was private for marketing purposes.

According to the suit filed on behalf of a plaintiff identified as “Jane Doe,” Kroger embedded tools provided by Meta on its web servers that allowed Facebook to access data including people’s names and other identifying information; appointment times, locations and reasons; prescriptions; and details about their health.

Kroger has positioned itself as a healthcare provider and violated the federal Health Insurance Portability and Accountability Act of 1996 by sharing people’s health information with outside organizations without obtaining “express written authorization,” according to the suit, filed in the U.S. District Court for the Southern District of Ohio, Western Division.

“Plaintiff and Class Members never consented, agreed, authorized, or otherwise permitted Defendant to disclose their Private Information to Facebook, nor did they intend for Facebook to be a party to their communications (many of them highly sensitive and confidential) with Defendant,” the suit says.

A Kroger spokesperson did not respond to a request for comment about the lawsuit by press time.

The computer code Kroger installed on its systems included a Meta tool known as Pixel that “commandeered” consumers’ devices and sent the information they provided to outsiders without their knowledge, according to the suit.

“Simply put, by installing the Facebook Pixel into its Website, Defendant effectively planted a bug on Plaintiff and Class Members’ web browsers and compelled them to disclose their communications with Defendant to Facebook,” according to the suit.

The suit claims Kroger also added Facebook’s Conversions Application Programming Interface, or CAPI, to its servers, allowing it to steer around ad blockers or other privacy controls on a user’s web browser that might have blocked Pixel from sweeping up people’s information.

Terms and Privacy Policy
Your Privacy Choices
Utah Privacy Notice
More Info

Recommended Stories