by rgbrenner 1455 days ago
No, you wouldn't be in legal trouble. I have news for you: When you're grocery shopping, there are cameras watching you: how long you spend looking at an item (which tells them if it's a regular purchase, or something you're considering), the path you take through the store, etc. They use this info to increase the amount of your purchase. The layout of a store is not random.

And then when you get to the register, they know you. Not just from your loyalty number, but from your credit card (even if you're not a member). They use this to create a history of your purchases and create a demographic profile of you.

They use this profile to determine what to stock in the store, what to put on sale, etc. For example, sometimes they'll stock an item with poor sales, because the customers that buy it make larger purchases (keeping these customers loyal to the store). They'll also use this info to advertise to you, send you flyers and coupons in the mail, for example.

They'll combine this with your credit card purchase history to create a more detailed profile... because Visa (et al) sell your purchase history to analytics firms that sell this data to companies like your grocery store.

Similarly, analytics firms already know who you're related to, and can match up purchases from other members of your household.

My point is: You don't think about even the stuff above, because it's hidden from your view and you aren't familiar with what they're doing. Just like many people don't think about what Facebook is doing with their data. You phrase your questions like a hypothetical, but it already exists.


> They'll also use this info to advertise to you, send you flyers and coupons in the mail, for example.

It would be good to say which country you are talking about, in Europe this has never happened to me outside of online stores or with loyalty cards (which is why they give those cards in the first place).

They are certainly talking about the US. I know this nightmare all too well.

> I have news for you: When you're grocery shopping, there are cameras watching you

Well, it is not the same - cameras are maybe watching "a person" inside that store, not John Doe inside the store, the car, the toilet and the bedroom.

Those things aren't particularly news to me.

My question is more along the lines of, it seems to me that it's OK (in the sense of being tolerated by the public and legal) when corporations engage in this kind of behavior, but would it be OK if individuals engaged in this kind of behavior against employees of these corporations?

Imagine if you got free groceries, as long as you allowed someone to constantly monitor you. I bet a bunch of people would still do it.

This is sadly accurate, and why I only use cash and cash-purchased pre-paid Visa gift cards IRL.

They are tracking you in their store, not your own backyard.

I am not sure whether this is the case in Europe. This can get you in GDPR trouble pretty quickly.
> Not just from your loyalty number, but from your credit card (even if you're not a member). They use this to create a history of your purchases and create a demographic profile of you.

I believe GDPR would forbid this but there may be (in Europe) something like "we consider logs of payments made in a store a legitimate interest", idk.

edit: an ongoing story I suppose:

- Instead of only processing the payment, the German payment service “giropay” (formerly “paydirekt”) keeps the information about each individual item purchased in online shops. This may lead to the processing of sensitive, personal data. https://edri.org/our-work/giropay-knows-what-you-bought-last...

> I have news for you: When you're grocery shopping, there are cameras watching you:

I don't think so. CCTV's goal is security. Not even employees can be filmed for a different purpose:

- The DPC received a complaint stating that a supermarket had instructed a third party to remove a CCTV hard-drive. The hard drive contained CCTV footage of the complainant's image from the store where the complainant worked as store manager. The complaint stated that no member of the supermarket staff accompanied this third-party contractor during the removal. The complainant alleged that the supermarket had viewed three weeks of CCTV footage. The footage contained the complainant’s image and the supermarket used this CCTV footage to ground a disciplinary hearing against the complainant. The complaint further stated that at no point had the complainant been consulted in relation to the removal, viewing or processing of the footage. The key issue before the DPC was consideration of whether the supermarket had acted in accordance with the requirements of the applicable law when it processed the CCTV footage which contained images of the complainant, specifically Section 2A(1)(d) of the Acts which provide that a data controller shall not process personal data unless “the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.” The DPC determined that the use of CCTV in employment situations should only be used for stated valid purposes, such as security. It should not be used for employee monitoring, and policies should be in place to ensure proportionality and transparency in the workplace. However, the DPC considered that, when the supermarket viewed the CCTV footage for the period, it did so in the pursuit of its own legitimate interests and in this instance found there was no contravention of the Act. https://www.ejtn.eu/PageFiles/17861/Deciphering_Legitimate_I...

I'd say the same applies to credit/debit card number. They can only process the data to fulfill the purpose of paying for the goods, not add a legitimate interest to profile the customer.

> "we consider logs of payments made in a store a legitimate interest"

That sounds like the kind of get-out I'd expect from a US company, or any other company with no significant assets under GDPR jurisdiction. The GDPR defines "legitimate interest", and that isn't one of them.