Walmart collects sensitive categories of personal information including government ID numbers, health and pharmacy data, precise location, and financial account details, and states it limits the use of this data to purposes disclosed in the notice and permitted by law.
This analysis describes what Walmart's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The CPRA established specific rights for consumers to limit the use and disclosure of sensitive personal information; the policy's disclosure of sensitive data categories triggers those rights for California residents and creates heightened compliance obligations for Walmart's health and pharmacy data practices.
Interpretive note: Whether Walmart's pharmacy operations qualify as a HIPAA covered entity depends on operational structure and is not explicitly resolved in the privacy notice; the applicability of HIPAA versus state health privacy law requires separate legal analysis.
The policy states Walmart collects government ID numbers, precise geolocation, health and medical information from pharmacy interactions, and financial account details as sensitive personal information; California residents have the right under CPRA to direct Walmart to limit the use and disclosure of this sensitive information to what is necessary to perform the requested service.
Cross-platform context
See how other platforms handle Sensitive Personal Information Handling and similar clauses.
Compare across platforms →Monitoring
Walmart has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect certain categories of sensitive personal information, including financial account information, government-issued identification numbers, precise geolocation data, health and medical information provided in connection with pharmacy or health services, and information about your race or ethnic origin where voluntarily provided. We use sensitive personal information only for the purposes described in this Notice and do not use or disclose it for purposes other than those permitted under applicable law.— Excerpt from Walmart's Walmart Privacy Policy
1) REGULATORY LANDSCAPE: CPRA Article 1798.121 grants California consumers the right to limit the use and disclosure of sensitive personal information. Health and pharmacy data may separately implicate state health privacy laws and, depending on the context, HIPAA if Walmart's pharmacy operations qualify as a covered entity or business associate. The FTC's health breach notification rule may also apply to non-HIPAA health data. 2) GOVERNANCE EXPOSURE: High. The collection of government-issued identification numbers (driver's license, SSN fragments) in connection with age verification, check cashing, or pharmacy services creates significant data security and identity theft exposure. Health data collected through pharmacy operations may be subject to overlapping state health privacy requirements beyond CPRA. 3) JURISDICTION FLAGS: California CPRA creates the most defined sensitive data framework. Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA each contain sensitive data categories and processing restrictions that may differ from CPRA's definitions. Pharmacy health data in states with enacted health privacy legislation (Washington My Health MY Data Act) may require separate consent mechanisms. 4) CONTRACT AND VENDOR IMPLICATIONS: Vendors processing sensitive personal information on Walmart's behalf must be operating under data processing agreements that restrict use to specified service provider purposes. Pharmacy data vendors and health analytics partners require heightened contractual protections. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that the 'Limit the Use of My Sensitive Personal Information' opt-in or opt-out mechanism required by CPRA is clearly presented on Walmart's digital properties. Data mapping should distinguish health-related personal information processed in pharmacy contexts from general customer data to assess HIPAA applicability and state health privacy law obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The CPRA established specific rights for consumers to limit the use and disclosure of sensitive personal information; the policy's disclosure of sensitive data categories triggers those rights for California residents and creates heightened compliance obligations for Walmart's health and pharmacy data practices.
The policy states Walmart collects government ID numbers, precise geolocation, health and medical information from pharmacy interactions, and financial account details as sensitive personal information; California residents have the right under CPRA to direct Walmart to limit the use and disclosure of this sensitive information to what is necessary to perform the requested service.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Walmart.