Survey of Retail Industry’s Privacy Practices

December 30, 2019

Authored by: BCLP

There is no one strategy for disclosing privacy practices to consumers, or for complying with the federal and state laws (including the California Consumer Privacy Act, or CCPA) that govern data privacy.  The following summarizes current trends within the retail industry:

  • Privacy notices are, on average, 7.5 months old.
  • Retail industry privacy notices are significantly newer than the privacy notices of companies in other industries.
  • The majority of retailers have not updated their privacy notices for the CCPA.
  • Retailer privacy notices that reference enumerated categories tend to use lists instead of tables.
  • Retailers that discuss the sale of information are evenly split between selling and not selling data. The majority of retailer privacy notices, however, are silent or ambiguous about sale.
  • The majority of retailer privacy notices do not include a “Do Not Sell” option. Retailers are, however, slightly more likely than other companies to include a Do Not Sell option.
  • Some retailers disclose that they sell information, but are choosing not to provide a Do Not Sell option.
  • A small, but significant, number of retailers that don’t sell personal information are still providing a “Do Not Sell” option. That trend departs from companies outside the retail industry.
  • Most retailers are not including a “Do Not Sell” link on their homepage.
  • Some companies provide a Do Not Sell option but are not highlighting the option on their homepages.
  • The percentage of retailers that offer access and deletion rights is significantly less than the percentage of overall companies that offer such rights.
  • Retailers deploy, on average, 23.8 behavioral advertising cookies on their homepages.
  • Retailers deploy 3.5X more advertising cookies than other companies.
  • Retailers are significantly less likely than other companies to use cookie notices.
