Best Buy Is Illegally Selling Your Shopping History. You Were Never Told.

The Non-Financial Ledger

You walked into a Best Buy store. Maybe you bought a laptop because your old one died. Maybe you picked up a TV for a birthday. Whatever you bought, you handed over your name, your email, your address, your phone number. You probably didn’t think twice about it. That’s what stores ask for when they ring you up. That’s been normal for decades.

What you didn’t know is that Best Buy was building a file on you. Every purchase, every product category, every dollar amount. That file got sent to a company called LiveRamp, a data broker that already had its own file on you: credit card transactions, location data, browsing behavior, digital footprints stitched together across every device you own. LiveRamp merged their version of you with Best Buy’s version of you and handed back a more complete, more valuable, more sellable version of you.

Then Best Buy sold that version of you to brands. They didn’t ask you. They didn’t tell you. There was no sign at the register. There was nothing in the privacy policy that constituted the required legal notice under Virginia law. You were the product, and you had no say.

The complaint in this case frames this in economic terms: you paid for a product, you expected your data to stay private, and Best Buy stripped that expected value out of your transaction and kept the money. That’s accurate. But the experience is also something more personal than an economic shortfall. Someone decided your private information about what you buy, how often, how much you spend, what you care about enough to open your wallet for, was something they had the right to package and sell. They did it in the background, quietly, wrapped in technical language about “clean rooms” and “identity resolution” and “psychographic signals,” language designed to sound sophisticated enough that most people will stop asking questions.

A 2024 study found that 95% of consumers said they wouldn’t buy from a company if they believed their data was not protected. Best Buy knows this. That’s why they marketed their data practices as privacy-safe. That’s why data clean rooms carry a sanitized name. None of it changed what was actually happening to your information.

Legal Receipts

The following are verbatim statements from the complaint and from Best Buy Ads’ own documented marketing, as cited in the complaint. They speak for themselves.

“Best Buy profits handsomely from the unauthorized sale and disclosure of customers’ purchasing patterns and other personal information and does so at the expense of its customers’ statutory privacy rights.”

• This is the plaintiff’s direct characterization of the core transaction: Best Buy’s profit on advertising data is framed as coming directly at the cost of a legally-protected right the customer held.
• The word “handsomely” is doing significant legal work here: it signals the unjust enrichment claim, which asks a court to order disgorgement of the profits gained through the unlawful conduct.

“Our ability to observe these long-term customer journeys are the foundation of our data set that we also enrich with third party data to build audience segments across intender, consideration, and transactional cohorts.”

• This quote comes from Best Buy Ads’ own promotional materials, cited directly in the complaint. It confirms that Best Buy is not merely sharing aggregate statistics; it is tracking individual customer journeys longitudinally, from first exposure to a product through purchase and beyond.
• The phrase “enrich with third party data” is the key admission: Best Buy is explicitly combining its own first-party customer data with external data sources to build richer individual profiles. This is the core of the VPIPA violation allegation.

“Best Buy Ads claims to have fifteen thousand unique attributes that it can use to enrich this data.”

• This figure, sourced from Best Buy Ads’ own homepage, gives a concrete sense of the depth of profiling being performed. 15,000 attributes per customer goes far beyond what any consumer reasonably expects a retail store to hold about them.
• In the context of the lawsuit, this figure supports the claim that the data being sold is not merely a name and an email address: it is a comprehensive behavioral and demographic profile built without customer knowledge or consent.

“Best Buy sells sensitive customer interactions to third parties without giving prior notice as required by Va. Code §§ 59.1-442. Nowhere throughout the buying process, not even in the Best Buy Privacy Policy, will a customer be provided with the proper notice required by the VPIPA.”

• This directly alleges that Best Buy’s failure to notify customers is total: not at the register, not online, and not even in the privacy policy document that would be the last reasonable place a legally-curious customer might look.
• Under VPIPA, a merchant selling customer PII is required to provide notice. The complaint asserts Best Buy failed every available channel for providing it.

Public Deception

Best Buy and its data partner LiveRamp publicly marketed their data infrastructure as privacy-protective. The complaint documents a clear gap between those public claims and what was actually happening to customer data.

• Claim: LiveRamp markets its clean room with the promise that “first-party data goes in, and aggregated insights come out, without copying any data and concealing all personally identifiable information (PII).” Reality: The complaint alleges the customer information inputted into the clean room “is not anonymized” and is sold without Best Buy retail customers’ consent. The FTC itself stated clean rooms present “the same privacy risks as disclosure through other means like tracking pixels.”
• Claim: Best Buy claims to offer privacy protections for its consumers, and data clean rooms carry an industry branding designed to imply that data is being “cleaned” of identifying information. Reality: The FTC explicitly stated that clean rooms “are not rooms, do not clean data, and have complicated implications for user privacy.” The complaint characterizes this marketing approach as “privacy washing.”
• Claim: The IAB Tech Lab industry definition of a data clean room describes it as an environment that “limit[s] any exposure of the data.” Reality: The FTC warned that clean rooms “add more access points to data and increase the risk of data leaks and breaches” and “can also be used to obfuscate privacy harms.” The clean room infrastructure actually expanded how many parties had access to Best Buy’s customer data.
• Claim: Best Buy’s privacy policy is the place a consumer would reasonably look to understand how their data is used. Reality: The complaint states that “nowhere throughout the buying process, not even in the Best Buy Privacy Policy, will a customer be provided with the proper notice required by the VPIPA.” The policy does not contain the legally-required disclosure.

Profit-Maximization at All Costs

Best Buy built an entire second business line around monetizing the data its retail customers generate, and the scale of that business makes clear that the revenue motive behind the data sales is not incidental.

• Best Buy launched Best Buy Ads in February 2022, explicitly framing the retail media network as a tool to “reach high-intent tech enthusiasts when they’re actively searching for products.” The network was designed from the start to sell access to customer data, not just ad placement.
• The retail media network market generated $258.6 billion in total ad revenue in 2024. BCG projected RMN ad spending would grow 25% per year to reach $100 billion and account for more than 25% of all digital media spending by 2026. Best Buy’s data operation is a bet on capturing that growth.
• The complaint states Best Buy holds data on over 200 million customers, representing 80% of the U.S. adult population, with more than 2 billion customer interactions per year. Best Buy Ads claims 15,000 unique attributes available to enrich customer profiles. This is not a small side business; it is a surveillance infrastructure built on top of a retail operation.
• Best Buy charges brands a premium specifically because of the enhanced data it receives back from the LiveRamp clean room. The complaint states: “Best Buy charges more for the use of Best Buy Ads because of the enhanced data it has received through the clean room.” The violation itself is what makes the product more expensive and more profitable.
• Best Buy Ads boasts it can tie 93% of transactional revenue to a named customer, meaning the data Best Buy sells is not aggregated or anonymized; it is individually identified. That precision is the premium product. That precision is what brands are paying for.
• The complaint documents that Best Buy receives enhanced customer profiles back from LiveRamp in exchange for providing the clean room with access to Best Buy’s customer list for LiveRamp’s own business purposes. Best Buy input raw first-party data and received a more valuable profile back. The customer’s data was the currency of the exchange, and the customer received nothing.

Regulatory Gray Zones

The data clean room model is a deliberate architectural choice that exploits the gap between what privacy law prohibits and what the industry has convinced regulators to allow, long enough to profit at scale.

• The FTC has explicitly warned that data clean rooms present privacy risks “the same as disclosure through other means” and “can also be used to obfuscate privacy harms.” Despite these warnings, there is no federal law that specifically prohibits the clean room model. The industry has operated in this gap, using the technical complexity of the architecture as a shield against regulatory action.
• The lawsuit is brought under Virginia’s Personal Information Privacy Act (VPIPA), Va. Code Ann. §§ 59.1-442, a state law. The complaint is a class action in Hennepin County, Minnesota, on behalf of Virginia residents. The fact that a Virginia consumer must sue in Minnesota under state law, with no federal private right of action available for this specific conduct, illustrates how the regulatory framework has failed to keep pace with the retail media industry.
• The shift away from third-party cookies was driven by browser-level privacy protections, not by law. The industry responded by creating first-party data networks and clean rooms, which are functionally equivalent in their surveillance capabilities but lack the regulatory scrutiny that third-party cookies eventually attracted. The complaint notes this directly: advertisers “leaned more heavily on first party data and have created new ways to share first party data with each other” specifically to replace the functionality that was being restricted.
• LiveRamp is registered as a data broker in California under Cal. Civ. Code § 1798.99.80(c). California law defines a data broker as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Best Buy’s customers have no relationship with LiveRamp. Yet LiveRamp holds and sells data on them. The structural design of the clean room relationship is built to keep consumers legally outside the transaction while their data is commercially inside it.

Supply Chain Complicity

The data pipeline Best Buy uses is not a single-company operation; it is a multi-party commercial arrangement in which each tier extracts value from customer data while diffusing legal accountability across the chain.

• Tier 1: Best Buy stores. Every purchase at a Best Buy retail location in Virginia generates first-party data: name, email, address, phone, and purchase history. This raw data is the feedstock of the entire pipeline. The customer believes they are transacting with Best Buy alone.
• Tier 2: LiveRamp data clean room. Best Buy feeds that raw first-party data into the LiveRamp clean room. LiveRamp is a registered data broker that independently holds data from credit card transactions, location tracking, and other behavioral sources on approximately 250 million Americans. It merges Best Buy’s data with its own to produce enhanced customer profiles, which it assigns unique identification numbers. The complaint documents that LiveRamp acquired Habu, its earlier clean room software partner, in 2024, further consolidating the pipeline under a single data broker’s control.
• Tier 3: Best Buy Ads brand partners. Third-party brands pay to access the enhanced profiles produced by the LiveRamp clean room through Best Buy Ads. These brands can also input their own first-party data into the clean room to overlap it with Best Buy’s data, creating an even richer combined profile. The brands are end buyers in a data supply chain whose upstream inputs were collected from retail customers without their knowledge.
• The clean room architecture is specifically designed so that data flows between entities without the original data subject, the customer, being able to observe, consent to, or opt out of any transfer. The complaint characterizes this as a transaction that “is not anonymized and is sold without Best Buy retail customers’ consent.” Each link in the chain profits; the consumer at the origin of the chain is the only party who receives nothing.
• The FTC has noted that clean rooms “add more access points to data.” Each additional party in this supply chain represents an additional vector for data misuse, breach, or further unauthorized sale, none of which the original retail customer has any mechanism to prevent or even detect.