The new data brokers: retailers, rewards apps & streaming services are selling your data

The future of the targeted ad industry depends on first party data, and your favorite retailers are open for business.


The online targeted advertising industry is currently mid-evolution. After five years of new regulations, rising consumer concern, and significant backend changes at some Big Tech companies, the broader ad technology industry is scrambling for new ways to carry out its business model. Understanding the trajectories of this industry built on harvesting and commodifying our personal data is important – both for decision makers looking to regulate it, and for anyone hoping to control the information collected about us by companies intending to make money off it. 

The targeted advertising industry, also known as AdTech, is tussling with itself over its future. One of the significant emerging trends is the entry of a new kind of broker in the marketplace for people’s data: the retail businesses you’ve been shopping at all along. 

How the old, third party data model works, and why it’s changing

The Internet we’ve all come to know has, essentially, one business model: offer a useful or entertaining service through a website or phone app, and collect users’ data as payment that many don’t even realize is owed. While we use many of our favorite sites & apps, third party companies like data brokers install tracking technology on our devices, gathering info about us they can package into profiles detailing where we work & live, who our friends & family are, what we spend our time doing, and what personality traits & behavioral patterns we exhibit. These dossiers compiled on each of us are sold to the highest bidder in invisible auctions happening behind every page we load. Hundreds of companies we’ve never heard of know every site we’ve visited, search we’ve conducted, app we’ve opened, and what makes us most likely to do what companies want us to do: buy stuff they show us in targeted ads, and stare at our screens longer so they can show us as many targeted ads as possible. 

This AdTech model is changing in response to the passage and implementation of new regulations in Europe and California and a public becoming more unnerved by being watched so closely with no power to stop it. Eyeing new targeted advertising models of their own, Apple and Google have shaken up the field for other AdTech companies. Apple released a new iOS feature in 2021 to cut down on the harvesting of user data on iPhones, and Google has announced it will phase third party tracking cookies out of Chrome by a date that keeps getting pushed back, but most recently was set for late 2024.

One thing has started to become clear for AdTech’s future: data harvesting by companies you’ve never heard of is out, and data harvesting by companies you know is in. Enter the age of first party data. 

The new AdTech model: first party data

First party data is what a company gathers on its customers directly. Swipe your MasterCard, and MasterCard has data on you. Place an order on the McDonald’s app, and McDonald’s has data on you. Stream on Disney+, and Disney has data on you. This is all first party data. 

Just because you have a direct relationship with these companies, however, doesn’t mean they’re keeping your info to themselves. Thanks in part to Google’s killing off third party tracking cookies, demand for first party data has risen, and companies with direct relationships with customers have realized they’re sitting on valuable troves of information. The result: a lot of companies that sell goods & services to customers are getting into the business of selling their customers’ data. 

Some companies, like Visa and Mastercard, sell their customers’ data in the existing data broker and auction market. But others are taking a different approach – aided by the near-absolute saturation of online commerce in all parts of retail, many companies are blending the roles of retailer, data broker and advertising platform all in one, by establishing what are called retail media networks.

What are retail media networks?

Last week I called Best Buy to check if it had the printer ink I needed in stock. The first question the associate asked, before I could even say what I was calling about, was for my name, phone number, and email address. Best Buy doesn’t need any of that to tell me if there’s ink on the shelves – but it’s sure valuable for it to have. That’s because Best Buy is one of a whole slew of consumer-facing businesses that have recently established a retail media network.

Retail media networks are advertising platforms owned by a retailer with first party relationships with customers. Here, retailers can sell their customers’ data to advertisers for targeting ads on the channels that the retailer owns. (And, in some cases, on other channels all across the web.)

For example, an advertiser using Best Buy’s retail media network gets access to the information Best Buy has on me, like what I’ve searched for on its site, pages I’ve viewed, carts I’ve abandoned, reviews I’ve written, emails I’ve opened, service appointments I’ve scheduled, and purchases I’ve made. As the company puts it, “these inputs create a rich profile of audiences’ objectives, interests and intent”. There might be other inputs besides the above that are up for sale, too.

Best Buy sells this data to advertisers to place targeted ads on Best Buy’s channels, like the homepage of the store’s website or the search results inside the store’s app. There’s also “proximity messaging”, an offering that allows advertisers to use your location harvested by the Best Buy app to target you with ads on nearby TV and PC screens as you walk through a physical Best Buy store. 

Screenshot (taken Aug 16 2022): In-store “proximity messaging” is enabled by location tracking.

Of course, in many cases, the customer data sold through retail media networks isn’t limited to targeting ads on a retailer’s channels. A retailer partnering with existing AdTech companies like Criteo, for example, can offer advertisers the chance to use its customers’ data to target ads all across the web. In this way, some retail media networks are largely a new incarnation of the old system.

Best Buy is far from the only retailer entering the AdTech business. It joins Target, Walmart, Lowe’s, Kohl’s, Kroger, Dollar Tree, Marriott, CVS, Macy’s, Albertsons and Walgreens, all getting into the data and online advertising business themselves.

The data harvester’s toolbox: rewards programs, memberships, logins and subscriptions

Not all data is created equal – the most valuable is info that’s linked to a specific customer, allowing advertisers to target an individual based on past, current and predicted future behavior. There are lots of ways companies collecting first party data can incentivize us to give up as much data as possible.

Loyalty programs collect your data

Loyalty programs are not only good for rewarding customers – they’re good for tracking them, too. The airlines in the 80s were the first to figure this out, using frequent flier programs to both incentivize customers and build some of the earliest corporate databases of customer identities and activities.

Doling out perks via a physical punch card is one thing, but when rewards programs are mediated digitally – as they often are today – they have the capacity to become a vehicle for extensive and detailed data collection.

Today, many loyalty programs are administered through apps, giving customers the ability to place orders in advance or pay with a scan of a phone. For customers, it’s about convenience and accumulating rewards. Companies, for their part, get data on our consumption habits that they can commodify in a number of ways, including selling it to outside parties like advertisers.

And of course, getting you to download a smartphone app only increases the amount of extraneous data collection that’s possible. Earlier this year, the Tim Hortons app, for example, was found to be constantly collecting users’ location, even when the app was closed. 

Memberships collect your data

Like loyalty programs, memberships are a way to encourage customers to continually identify themselves, allowing companies to record all of their interactions with you in a running log. In order to shop at Sam’s Club, for example, you have to be a registered member and provide your member info every time you check out. 

Incidentally, Sam’s Club announced the establishment of its own retail media network last month. The company has long had access to heaps of data, such as who exactly shops at its stores, at which locations and at what times of day, and, crucially, every single item every single one of its customers has ever bought. As a Sam’s Club VP put it in a blog post announcing their new advertising venture: “As a membership organization, we have an incredible amount of insight on our members. Not only do we have 100% visibility into their purchases, but we also know their search behaviors.” 

Logins can collect your data

Logins are another way to force otherwise anonymous users to identify themselves. You’ve probably noticed every time you go to create an account with a new site or app, Google and Facebook ask if you’d rather use your existing account with them. Letting them serve as an intermediary allows both them and the site you’re creating an account with to share data, associating what you do across sites & apps and across time to you specifically, with as little uncertainty about your identity as possible.

As third party tracking cookies continue to deteriorate, it’s likely the use of login gates for online sites will rise. Akin to paywalls, login gates keep web content out of view until you make an account with your email or phone number and log in every visit, making whatever data they collect first party data. Not every company and site will rush to this model, but it’s likely a number of them will, and it’s similar to what some publishers like news outlets are already doing.

Logins are already a familiar feature for most, particularly thanks to the digital subscriptions that are central to a consumer’s life today, which are also tools for data harvesters.

Subscriptions can collect your data

Services that use the monthly subscription model rely on logins to ensure that the only person accessing a digital service is the one who’s paying for it. The biggest example is the streaming services – and because everyone has to be logged in to stream, streaming is, of course, becoming a big player in the future AdTech model. 

NBCUniversal was one of the earlier companies to start offering its user data up to advertisers airing ads on the platform. Clients of NBCUniversal can match their first party data with NBCUniversal’s, as well as supplement it with third-party data through NBCUniversal’s AdTech service to figure out as much about a consumer’s behavior as possible, including how they respond to ads. With the pandemic, the increase in the number of people spending more and more time streaming on their TVs has led others, like Disney+, to expand AdTech capabilities. Netflix’s recent downturn in subscribers has led the company to make plans for an ad-tier subscription, and it recently announced a partnership with Microsoft’s new AdTech arm to do it.

The future is first party

The old AdTech model isn’t dead yet – lots of free and cheap sites & apps are still serving as fronts for data harvesting operations. But increasingly, retail businesses are becoming AdTech companies themselves, and the broader AdTech industry is hoping this will earn consumers’ trust back by making the data broker a company that customers have at least heard of. But there’s plenty about this new first party data model that may not be very trustworthy in the end. 

For one, how clear these businesses will be with customers about the use of their data remains to be seen. So does how they’ll go about gathering a consumer’s consent and, more importantly, whether people will have real choice or control over what happens to their data; if agreeing to data sales is obligatory to being able to shop at a retailer or use a streaming platform, it’s closer to consumer coercion than it is to getting consent.

This all raises a question: how is it that companies can collect whatever data about us they want, and sell it to whomever they want, and use it in ways that have nothing to do with the service we’re expecting to get when we shop at their store, or download their app, or become a subscriber? 

We’re currently barreling towards a future where the only way to control your data is to not participate in society at all. You could argue we’ve arrived there already. It’s possible, however, to change this trajectory with meaningful new rules that understand both how the web-enabled economy works today, and where it’s headed tomorrow. Without forward-looking action, we risk finding ourselves up for sale in more and more ways, facing consequences we have yet to discover.


R.J. Cross

Director, Don't Sell My Data Campaign, PIRG

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.