Kroger, the largest supermarket chain in the U.S., is being sued in federal court for the unauthorized sharing of personally identifiable information and health data with Meta.
Two different proposed class-action lawsuits were filed on Nov. 10 and Nov. 13 in the Southern District of Ohio, Western Division. The plaintiffs, both from Ohio, are anonymous.
Privacy
Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You
When you use supermarket discount cards, you are sharing much more than what is in your cart—and grocery chains like Kroger are reaping huge profits selling this data to brands and advertisers
The suits alleged that Kroger essentially ”planted a bug” on its website, which includes an online pharmacy, and was “looking over the shoulder of each visitor for the entire duration of their Website interaction.” That “bug” refers to the Meta Pixel and the other trackers Kroger used on its website. The Nov. 10 suit claimed that as a result, Kroger leaked details of which medications and dosages a patient sought or purchased from Kroger’s pharmacy, which then allowed “third parties to reasonably infer that a specific patient was being treated for a specific type of medical condition such as cancer, pregnancy, HIV, mental health conditions, and an array of other symptoms or conditions.”
In February, The Markup revealed that Kroger collects extensive data through its loyalty program. The investigation detailed Kroger’s use of the Meta pixel on kroger.com, including how the company sent information to Meta when a pregnancy test was added to a virtual shopping cart. A similar example was included in the Nov. 10 lawsuit, showing that Meta is informed when a user searches on Kroger.com for Plan B contraceptives. The Nov. 13 lawsuit, in trying to establish the harms of “mishandling medical information,” also cited a Markup story on hospital websites disclosing sensitive information to Meta through the pixel.
Both suits claim that the use of Meta’s tracking pixel violates the Electronic Communications Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) and Ohio state laws covering health information and privacy. They both cite warnings from the Federal Trade Commission and the Department of Health and Human Services against improper disclosure of personal health information online.
Kroger did not respond to a request for comment.
Attorneys for the plaintiffs either declined to comment or did not respond.
The Markup has reported extensively on sensitive information shared to Meta through the pixel, including by education technology providers, crisis mental health hotlines, hospitals, tax preparation companies and student financial aid providers.
The Markup will continue to follow this case.
