Most large companies doing business in California are required by the state’s new privacy law to disclose what they know about customers and how that information is used.

This resulted in fairly straightforward announcements by many businesses.

Then there’s Ralphs, the supermarket chain owned by Kroger.

Customers recently encountered a form at stores spelling out information that may be collected when joining the company’s Ralphs Rewards loyalty program.


The form is eye-opening, to say the least, in laying out the extensive efforts Ralphs says it could take to learn about customers’ lives beyond the supermarket, including your job, your education, your health and your insurance coverage.

While most if not all such corporate disclosures define possible data collection as broadly as possible to err on the side of caution, Ralphs’ form is unusually all-encompassing for a supermarket loyalty program.

“It’s scandalous,” said Joseph Turow, a professor of communication at the University of Pennsylvania who focuses on privacy issues. “Why does a grocer need to know so much about its customers?”

The form says this data gathering is necessary to improve the Ralphs customer experience and the company’s operations.


“This is one of the most intrusive data-gathering programs I’ve ever seen from a supermarket,” said Joel Reidenberg, who teaches information-technology law at Fordham University. “It’s an extraordinary amount of surveillance.”

He added: “This illustrates why the California privacy law is so important.”

As it turns out, it also illustrates that in their rush to comply with the law’s requirements, some companies may be inadvertently spooking consumers with sweeping disclosures that may not be applicable to all people.

John Votava, a Ralphs spokesman, told me this is the case with the company’s Ralphs Rewards disclosure.


“I can understand why it raises eyebrows,” he said. “We may need to change the wording on the form.”

That would be a good idea.

To comply with the new law, Facebook, for its part, posted a detailed outline of its data collection, including “information about your activities off Facebook — including information about your device, websites you visit, things you do on their services and purchases you make.”

The Los Angeles Times made its own such disclosure. The paper is keen to know “your name, username, password, email address, postal address, phone number, mobile phone number, payment information, gender, birth year, and information you provide or post on our Services.”


Ralphs’ form opens by highlighting the benefits of a Ralphs Rewards card. These include “exclusive members-only specials and sales,” personalized coupons and points that can be applied to gasoline purchases.

“Our best customers save $699 per year on average!” the form declares.

Fine and dandy. However, the form proceeds to state that, as part of signing up for a rewards card, Ralphs “may collect” information such as “your level of education, type of employment, information about your health and information about insurance coverage you might carry.”

It says Ralphs may pry into “financial and payment information like your bank account, credit and debit card numbers, and your credit history.”


Wait, it gets even better.

Ralphs says it’s gathering “behavioral information” such as “your purchase and transaction histories” and “geolocation data,” which could mean the specific Ralphs aisles you browse or could mean the places you go when not shopping for groceries, thanks to the tracking capability of your smartphone.

Ralphs also reserves the right to go after “information about what you do online” and says it will make “inferences” about your interests “based on analysis of other information we have collected.”

Other information? This can include files from “consumer research firms” — read: professional data brokers — and “public databases,” such as property records and bankruptcy filings.


“This level of intrusiveness seems like a very unfair bargain in return for, say, 20 cents off a can of corn,” Fordham’s Reidenberg said.

To be sure, all large supermarket chains stockpile customer information. Whole Foods, owned by data-hungry Amazon, says in its privacy disclosure that it collects reams of data in the name of “providing customer service.”

Albertsons has similarly broad data-collection practices, including “demographic information, citizenship and work history information.”

But these disclosures apply to all possible interactions with the company, including applying for or landing a job with the supermarket.


Where Ralphs has misstepped is in not making that distinction and linking all its snooping solely to the company’s rewards program — that is, they’re asserting a right to give Ralphs Rewards cardholders the same in-depth scrutiny they might give a credit card or job applicant.

In theory, you’re contractually agreeing to this all-encompassing level of data collection in return for a few discount coupons.

Votava, the Ralphs spokesman, acknowledged that the company has indeed staked out a right to a huge amount of customer data as part of joining Ralphs Rewards.

But he said the more sensitive areas, such as health and credit information, are applicable only to using a Ralphs pharmacy or applying for a Ralphs credit card.


“We could have made that clearer,” he said. “This is a very valid reason to rethink this.”

Here’s another: Ralphs shoppers, and those of other Kroger chains, may not know that the company has a subsidiary with the nondescript name of “84.51.” It’s devoted solely to using customer data as a business resource.

“We use a proprietary suite of tools and technology to uncover relevant customer patterns, and are committed to helping clients develop, nurture and embrace customer-driven relationships,” the 84.51 website says.

Votava said 84.51 — the name is derived from the longitude of the Cincinnati headquarters — uses non-identifying aggregate data to help food companies reach out to shoppers.


Color me skeptical, but if Kroger has set up an entire business centered on exploiting customer data, it’s hard to believe this is all perfectly benign — particularly in light of the fact that the company is apparently eager to know not just what I buy but also where I work, what I do online and where I go throughout the day.

84.51 unveiled a new service, dubbed Stratum, last July. Paying clients in the food and beverage industries can receive “data captured from brick and mortar as well as online transactions,” and “draw conclusions that are representative of consumer behavior nationally.”

“Simply put, data is our most valuable asset,” Stuart Aitken, chief executive of 84.51, said in a statement. “With Stratum, we have created a groundbreaking product, which will dramatically change the way our brand partners plan and execute their marketing and merchandising budgets.”

Votava insisted to me that neither Ralphs nor Kroger ever sell personally identifiable customer data. All customer information shared with marketing partners is anonymous, he said.


I asked how customers can know that for sure, considering Kroger has an entire business dedicated to profiting from customer data.

“That is not who we are,” Votava replied.

It’s a fact of modern life that all businesses we interact with are creating digital files on us. California’s new privacy law will help cast some much-needed sunlight on these practices.

But at this point it’s still a guessing game as to how much data is being collected and how it’s being used.


“Consumers may be getting some benefits in return, but they are giving up much more in value to get those paltry benefits,” said Jay Kesan, director of the Program in Intellectual Property and Technology Law at the University of Illinois.

Seems like even more sunlight is in order.