The policy states that Walgreens collects prescription information, health conditions, pharmacy interaction data, OTC purchase history, and health-related browsing activity across its digital and physical service channels.
This analysis describes what Walgreens's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision identifies a broad category of sensitive health-related data collected across both HIPAA-regulated pharmacy operations and non-HIPAA retail and digital channels. The policy does not consistently delineate which data flows are governed by HIPAA Notice of Privacy Practices and which fall solely under this privacy policy, creating potential gaps in regulatory coverage for health-adjacent data.
Interpretive note: The exact delineation between HIPAA-governed and non-HIPAA health data flows cannot be fully determined from the policy text; operational data architecture review is required to assess segregation.
The policy now explicitly includes over-the-counter product purchases and health-related browsing activity, while removing mention of immunizations and health and wellness programs.
View full change record →Under this provision, Walgreens collects prescription history, health condition data, OTC purchase history, and health-related browsing activity. Data collected outside the HIPAA-covered pharmacy context, such as OTC purchases and app-based health tracking, is governed by this privacy policy rather than HIPAA protections.
How other platforms handle this
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Walgreens has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information about your prescriptions, health conditions, and pharmacy interactions, as well as over-the-counter product purchases and health-related browsing activity through our website and mobile applications.— Excerpt from Walgreens's Walgreens Privacy Policy
1. REGULATORY LANDSCAPE: HIPAA, enforced by HHS Office for Civil Rights, governs protected health information processed within Walgreens' covered entity pharmacy operations. Data collected outside that context, including OTC purchase history, health app interactions, and website browsing related to health products, is not HIPAA-protected and falls under CCPA/CPRA, FTC Act, and applicable state health data statutes. Several states including Washington (My Health MY Data Act) and Nevada have enacted health data privacy laws that may apply to non-HIPAA health data. 2. GOVERNANCE EXPOSURE: High. The collection of health and pharmacy data across both HIPAA-regulated and non-HIPAA contexts within a single platform creates significant data segregation and governance challenges. Misrouting HIPAA-regulated data into advertising or analytics data flows would constitute a HIPAA violation; mischaracterizing non-HIPAA health data as HIPAA-protected could obscure applicable state law obligations. 3. JURISDICTION FLAGS: Washington State's My Health MY Data Act imposes consent requirements for collection and sharing of consumer health data outside HIPAA coverage. Nevada's similar statute may apply. California's CPRA treats health information as a sensitive personal information category requiring additional use limitations. Illinois may impose additional obligations depending on data types. 4. CONTRACT AND VENDOR IMPLICATIONS: Business Associate Agreements must be in place with any vendor receiving HIPAA-regulated pharmacy data. Vendors receiving non-HIPAA health-adjacent data should be assessed under applicable state health privacy statutes. Procurement teams should confirm that data processing agreements distinguish between HIPAA-regulated and non-HIPAA data flows. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should map data flows to confirm operational segregation of HIPAA-regulated pharmacy data from non-HIPAA health and behavioral data. The policy's treatment of OTC purchase history and health app data should be evaluated against Washington My Health MY Data Act consent requirements and CPRA sensitive personal information obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision identifies a broad category of sensitive health-related data collected across both HIPAA-regulated pharmacy operations and non-HIPAA retail and digital channels. The policy does not consistently delineate which data flows are governed by HIPAA Notice of Privacy Practices and which fall solely under this privacy policy, creating potential gaps in regulatory coverage for health-adjacent data.
Under this provision, Walgreens collects prescription history, health condition data, OTC purchase history, and health-related browsing activity. Data collected outside the HIPAA-covered pharmacy context, such as OTC purchases and app-based health tracking, is governed by this privacy policy rather than HIPAA protections.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Walgreens.