Rite Aid sued for allegedly sharing customer data with Meta

Image via Rite Aid

There's no nationwide privacy protection, yet, but one expert says consumers do have ways of protecting themselves

A new class action lawsuit alleges that Rite Aid disclosed the personal and health information of its website to major website and social media companies without those visitors’ express consent.

The lawsuit claims that when consumers visit RiteAid.com to make a request for a prescription to be filled, tracking tools – invisible to the user, but embedded into the website – “secretly” sent all kinds of personal information to Meta, Google, TikTok and other companies.

That information purportedly included the person’s name, phone number, email address, birthdate, their Rite Aid client ID numbers, the services selected, assessment responses, patient statuses, medical conditions, treatments, provider information, and appointment information. 

Why would Rite Aid, Google, Meta, etc. need this information? Just like they need it for most everything else: to enhance their ability to more effectively target advertising opportunities.

“As the case tells it, Rite Aid can also capture and disclose visitors’ names, email addresses, phone numbers, IP addresses, device IDs and Facebook IDs, which anyone can use to ‘quickly and easily’ locate, access and view an individual’s Facebook profile,” ClassAction.org’s Kelly Mehorter said.

“Tech companies are under particular scrutiny because they already have access to a massive trove of information about people, which they use to serve their own purposes, including potentially micro-targeting advertisements to people with certain health conditions,” the lawsuit states, adding that Rite Aid’s actions have affected millions of Rite Aid’s customers. 

“Information about a person’s physical and mental health is among the most confidential and sensitive information in our society and the mishandling of such information can have serious consequences including, but certainly not limited to, embarrassment, discrimination in the workplace and denial of insurance coverage.”

ConsumerAffairs reached out to Rite Aid for its position on this lawsuit, but did not immediately hear back.

Privacy policies vs. reality

As ConsumerAffairs has reported before, just because a privacy policy says one thing, that doesn’t mean it’s a certainty. 

This lawsuit alleges pretty much the same thing – that Rite Aid’s purported data-sharing is different from what it claims on RiteAid.com’s privacy policy.

However, the company’s privacy policy does leave the door open a bit, stating that “we may otherwise continue to share your personal information with our affiliates and service providers, and as otherwise directed by you, for the purposes described in our Policy.” 

What that means exactly is unclear. ConsumerAffairs asked Rite Aid for an explanation, but did not get an immediate response. The policy also stated that it may charge a “reasonable fee” to comply with a privacy “request.”

Are we making any headway with consumer privacy? A little…

At present there’s no national privacy law that protects everyone in the U.S., but one by one, individual states are trying to pick up that slack, not necessarily in a blanket policy way but certainly in some vertical niches.

Matt Voda, CEO of OptiMine, a company that prioritizes consumer privacy, tells ConsumerAffairs that while most Americans know their data is being collected by the various sites they interact with, most of them have zero idea how that information is being used. 

“The sale and purchase of American data is a billion-dollar industry, made simpler by the fact that users consent to it with the click of a button,” Voda said. 

In an attempt to combat this, he points to Massachusetts which is set to become the first state to ban the sale of consumer’s location data. Its "Location Shield Act” – which has not yet been officially approved – is designed to give consumers more location privacy and control over location data that is collected by mobile apps and websites.

Upon passing this act, Massachusetts consumers will have a choice to opt in or out of location data collection, which is a significant new consumer right in terms of privacy.

Don’t live in Massachusetts? Not a problem, Voda says, because no matter where you live, you have this much of this ability right now. 

“Consumers can go into their phone's privacy settings and turn on/off location data collection for each app installed on their phone,” he told us.

"The main difference is that these settings are buried deeper into phone settings and app makers can require the collection of this data for use of the app or service. With the Location Shield Act, app makers will no longer be able to require the collection of location data as a pretext for using the app or service.”

Take an Identity Theft Quiz. Get matched with an Authorized Partner.