Amazon is using my grocery purchases to sell me drugs

The weirdest thing happened to me recently. I ordered some groceries on Amazon Fresh. When you check out, Amazon recommends more things you might like to buy, usually related to your purchase. But this time, Amazon offered up “Treatments for High Cholesterol” along with a link for an Amazon One Medical consultation as well as links to prescription medications.

That’s weird, because my doctor and my wife are the only people who know about my cholesterol numbers. They’re pretty good, too! But there are certainly data points, including my age, my food preferences, and my past purchases, maybe even news stories I’ve read elsewhere on the web, that might suggest I’d be a good candidate for a statin, the type of cholesterol-lowering medication Amazon recommended to me. And while I’m used to Amazon recommending books I might like or cleaning products I might want to buy again, it felt pretty creepy to push prescription drugs in my direction.

It’s entirely possible that the Amazon recommendations I saw on this particular grocery order were random. The next time I ordered groceries, the app recommended bacon, not statins. At first, I thought it may have been a test or a mistake on Amazon’s part, but when I asked what was behind the recommendations, the company confirmed that it was a feature, not a bug.

“Amazon displays products that may be related or similar to the current item purchased,” Amazon spokesperson Samantha Kruse said in an email. “Protected health information from Amazon Health Services, including Amazon One Medical and Amazon Pharmacy, is not used to market or advertise general merchandise in the broader Amazon store.”

In other words, Amazon might use information from your purchases to suggest prescription medications, but it won’t use your protected medical information to try to sell you other stuff.

Simply seeing Amazon target me for a health condition draws attention to the unnerving amount of information Amazon has gleaned from my online activity — as well as the fact that Amazon is a health care company, one that can collect troves of data and push customers toward treatments accordingly.

It may not be surprising that Amazon is operating with an extremely powerful amount of data about us and what we buy. But in the past four years, Amazon has launched its own pharmacy business and bought One Medical, a primary care startup that could connect Amazon customers directly with doctors. 

It’s clear that Amazon’s health care ambitions are huge. We don’t yet know exactly how that will change the Amazon shopping experience for everyone — but maybe my recent shopping experience was a preview.

Before I get too riled up about Dr. Amazon, let’s take a closer look at what the retail giant knows about its customers and how. 

Amazon is famously known as the Everything Store, where you can buy everything from battery acid to, well, statins. Like most websites, Amazon also collects data about your activity on the site, like the things you buy, the things you don’t buy, and the things you consider buying. It creates a profile based on those interests and uses algorithms to recommend things that you might like to buy next. Amazon is proud of these algorithms. (The total amount of data that Amazon collects about you extends well beyond your shopping habits, by the way.)

Then there’s Amazon’s booming ad business. The company’s advertising arm now rivals the Google and Meta duopoly that has dominated online advertising for years, thanks in part to the massive amount of data Amazon has about what people buy, what they watch, where they live, and so forth. Amazon says it uses “cookies, pixels, IP addresses, and other technologies” to target these ads, which is why you can find Amazon tracking bugs on websites all over the web. These trackers could, for example, know if I looked up a health-related question on WebMD and use that data to tailor recommendations on Amazon, according to Christo Wilson, a computer science professor at Northeastern University.

“There may be an Amazon tracker lurking on the page, monitoring what you’re doing, and that’s how you can potentially have these kinds of freaky advertising,” Wilson told me.

Or, more likely, maybe it was simply a pattern in my purchase history. My grocery order that triggered the cholesterol medication recommendation included shredded cheese, salsa, tomatoes, flour tortillas — and, notably, ground chicken. Was this a tell? It is, after all, a heart-healthy alternative to ground beef and taco night was on the horizon. I also purchased the fat free version of Coffee Mate French Vanilla coffee creamer, which is delicious and cholesterol free. But do these purchases make me an obvious target for a cholesterol consultation with Amazon One Medical? And either way, should my Amazon purchases be associated with Amazon’s health care services at all?

Amazon One Medical is a relatively new service. Amazon bought One Medical in 2022, and combined it with its Amazon Clinic telehealth service earlier this summer. Now, Prime members can pay $99 a year to gain access to care through Amazon One Medical. For $5 a year, Prime members can get access to discounted medications with the Amazon Pharmacy RxPass. While I am a Prime member, I am not an Amazon One Medical customer, and I do not use Amazon Pharmacy. So, considering my choice in my healthy tacos, an algorithm might surmise that, as someone who’s proactive about his health care needs, I might be interested in Amazon’s health care offerings.

When Amazon bought One Medical, the FTC and others raised concerns over Amazon’s creep into the health care industry and what that might mean for sensitive health data. It was around this time that the Washington Post reported that customers signed away some of their health privacy rights when they enrolled in Amazon Clinic. None of this has made me feel any better about whether it was legal for Amazon to use my complex purchase history to sell me targeted health care products.

As far as I know, Amazon can. HIPAA, the federal law that protects health privacy, is narrower than most people think. It only applies to health care providers, insurers, and companies that manage medical records. HIPAA requires those entities to protect your data as it moves between them, but it wouldn’t apply to your Amazon purchases, according to Suzanne Bernstein, a legal fellow at the Electronic Privacy Information Center (EPIC).

“That background is especially important, as Amazon and other companies continue to collect, process, and use tremendous amounts of consumer health data that falls outside of HIPAA scope,” Bernstein said. “And it’s not the fault of American consumers for not necessarily knowing all that.”

In the absence of any federal protections, some states have passed their own data privacy laws. While California is perhaps most famous for giving its citizens more control over their data, Washington state changed the conversation around health data privacy when it enacted its My Health My Data Act last year. This law defines consumer health data much more broadly, Bernstein explained, so that any information about a consumer’s past, present, or future health conditions is covered. That might mean that Washington residents have the right to some privacy when their Amazon purchases indicate a health condition. It’s so far unclear how the law might apply to Amazon, which is based in Washington.

I’m still making sense of my recent brush with statins on Amazon and still have more questions than answers. Does Amazon plan to target its customers with prescription drug recommendations on a regular basis? Am I the only one who thinks that feels more invasive than convenient? Or does Amazon know what the people really want, even if it feels a little creepy at first?

I can’t know the answers to these questions. One thing I do know: Taco night with heart-healthy ground chicken is a hit.

A version of this story was also published in the Vox Technology newsletter. Sign up here so you don’t miss the next one!