CVS Not Providing Customers’ ‘Personally Identifiable Info’ To Facebook, Datalogix

Photo of a CVS pharmacy on Pennsylvania Avenue and 7th Street, SE, Washington D.C.
Start your day with TPM.
Sign up for the Morning Memo newsletter

Updated 2:36 p.m. EDT, Sunday, September 30

Facebook is again the subject of privacy concerns following a report by the Financial Times on Monday that the world’s largest social network has partnered with a Colorado-based company called Datalogix to “track whether people who see ads on the social networking site [Facebook] end up buying those products in stores,” as the Financial Times put it.

The article went on to note that Datalogix, a company that provides real-world purchasing data to marketers, already had in its possession something extremely valuable to Facebook and its advertising customers: Data on the purchases of upwards of 70 million U.S. households taken from “loyalty cards” and rewards programs at “grocers and drugstores.”

Datalogix was reported to be preparing reports for Facebook using this data, combined with Facebook profile data, to see how many Facebook users who saw specific product ads on Facebook went on to buy those products later in physical retail stores. The Financial Times reported, and Facebook later added, that the data was completely anonymized.

The Atlantic Wire reported that one of merchants whose customer purchasing data Datalogix had access to was popular pharmacy chain CVS, specifically purchaser data obtained through the CVS ExtraCare rewards program.

Asked about its work with either Datalogix or Facebook, CVS has told TPM that it doesn’t share “any personally identifiable information with Facebook.”

As a CVS spokesperson said in a statement:

CVS/pharmacy has no practice of sharing any personally identifiable information with Facebook, either directly or through Datalogix. CVS/pharmacy does not give or sell any identifiable information about our customers to other companies for their marketing purposes.

Importantly, that’s not to say that CVS doesn’t provide any purchasing information to third-parties like Datalogix, just no “personally identifiable information.” CVS did not elaborate on its data sharing practices with TPM

However, the company’s spokesperson provided the following statement on CVS’s customer privacy practices in general: “CVS/pharmacy is vigilant about protecting the privacy of our customers. We do not share any personal information without our customers’ permission and any suggestion that we do so is false.”

Further, CVS noted in a longer statement that its ExtraCare program doesn’t require customers to give the company any personal data to enroll. As CVS explained:

CVS/pharmacy ExtraCare cardholders are given an option when they sign up for the program about whether or not they want to receive promotional messages and offers. Additionally, customers do not have to provide any personal information to join the ExtraCare program to be eligible to receive special savings. They can simply visit any of our store locations and ask an associate for an ExtraCare card.

Separately on its website, Datalogix offers a one-click option to opt-out of “Datalogix cookie-based online advertising,” or online activity tracking, though this doesn’t stop real-world purchases from being tracked.

Still, the question remains from what source Datalogix and Facebook are procuring purchasing information from. TPM has reached out to both companies and will update when we receive a response.

Facebook earlier in the week provided TPM with the following statement on its relationship with Datalogix:

We are working with Datalogix to help advertisers understand how well their Facebook ads are working. We also do this through our partnerships with companies like Nielsen and comScore and through our own advertising tool. We know that people share a lot of information on Facebook, and we have taken great care to make sure that we measure the effectiveness of Facebook ads without compromising the commitments we have made on privacy. We don’t sell people’s personal information, and individual user data is not shared between Facebook, Datalogix or advertisers.

In the mean time, the admission from CVS that it does not hand over any identifying information about its customers to Datalogix, Facebook or anyone else is unlikely to stop the recent calls by privacy and Web user rights advocacy groups for the U.S. Federal Trade Commission to investigate Facebook over a possible violation of its earlier privacy settlement with the FTC. That settlement, finalized in November 2011, dealt with earlier incidents in which Facebook allegedly misled users about their privacy settings during updates. In the settlement, Facebook agreed that “prior to any sharing of a user’s nonpublic user information…with any third party” to “obtain the user’s affirmative express consent.”

Facebook is also looking to mine data on the purchases of physical goods and user credit card numbers directly on its website: The company launched a physical goods exchange called “Facebook Gifts” on Thursday, which so far is limited to primarily novelty items.

Correction: This piece has been updated to remove a reference stating that “the Atlantic Wire went on to report” that one of the merchants both Facebook and Datalogix had access to was CVS. In fact, the Atlantic Wire piece did not connect CVS directly to Facebook. The error has since been corrected in copy and we regret it.

Latest Idealab
1
Show Comments
Masthead Masthead
Founder & Editor-in-Chief:
Executive Editor:
Managing Editor:
Deputy Editor:
Editor at Large:
General Counsel:
Publisher:
Head of Product:
Director of Technology:
Associate Publisher:
Front End Developer:
Senior Designer: