United States Securities and Exchange Commission
Washington, D.C. 20549
NOTICE OF EXEMPT SOLICITATION
Pursuant to Rule 14a-103
Name of the Registrant: Walmart, Inc.
Name of persons relying on exemption: Clean Yield
Asset Management
Address of persons relying on exemption: 16 Beaver
Meadow Rd, Norwich, VT 05055
Written materials are submitted pursuant to Rule
14a-6(g) (1) promulgated under the Securities Exchange Act of 1934. Submission is not required of this filer under the terms of the Rule,
but is made voluntarily in the interest of public disclosure and consideration of these important issues.
PROXY MEMORANDUM
| TO: | Shareholders of Walmart. Inc. |
| RE: | Proposal No. 10 (“Report on Reproductive Rights and Data Privacy”) |
| CONTACT: | Molly Betournay, molly@cleanyield.com |
This is not a solicitation of authority to vote your proxy. Please
DO NOT send us your proxy card; Clean Yield Asset Management is not able to vote your proxies, nor does this communication contemplate
such an event. Clean Yield Asset Management urges shareholders to vote for Proposal No. 10 following the instructions provided on management's
proxy mailing.
Clean Yield Asset Management urges shareholders to vote YES on Proposal
No. 10 on the 2023 proxy ballot of Walmart, Inc. (the “Company”). The Proposal’s “resolved” clause states:
Shareholders request the Board issue a public
report detailing known and potential risks and costs to the Company of fulfilling information requests relating to Walmart customers for
the enforcement of state laws criminalizing abortion access, and setting forth any strategies beyond legal compliance the Company may
deploy to minimize or mitigate these risks. The report should be produced at reasonable expense, exclude proprietary or privileged information,
and be published within one year of the annual meeting.
Why a YES Vote is Warranted: Rationale in Support of the Proposal
| 1. | Walmart handles sensitive consumer data that may be vulnerable to prosecutions concerning abortion access. |
| 2. | Walmart does not offer transparency reporting on law enforcement data requests, exposing the Company to financial and reputational
risks. |
| 3. | Walmart’s data sharing practices are vague and unclear to consumers and investors. |
| 4. | Regulatory and legal compliance is insufficient to minimize privacy risks related to reproductive healthcare. |
| 5. | Production of the requested report would be cost-effective and a good use of resources. |
About Clean Yield Asset Management
Clean Yield Asset Management is an investment firm based in Norwich,
VT specializing in socially responsible asset management. We have filed this shareholder proposal on behalf of our client, Julie Kalish,
a long-term shareholder in Walmart, because the Company amasses large amounts of sensitive consumer data but lacks transparency as to
how such data may imperil access to reproductive healthcare. In a time when abortion access is criminalized or severely restricted by
half of the states, greater understanding about the Company’s data handling practices is warranted.
Background on the Proposal
Reproductive rights are under siege in the United States. State lawmakers
have enacted more than 1,380 restrictions on abortion access since Roe v. Wade – the U.S. Supreme Court ruling in 1973 that
legalized the procedure.1 Following the reversal of Roe v. Wade in June 2022, twelve states have banned most abortion
services outright.2 The Supreme Court is likely to rule on a case in the coming weeks that will decide the future of medication
abortion in the United States.
_____________________________
1 https://tinyurl.com/4az3pce3
The overturning of constitutional protections for abortion access
elevates the need for the report requested in this Proposal. Law enforcement in abortion-restrictive states have relied on consumer data
to investigate and prosecute individuals who have sought abortions or have provided aid to those who have and are expected to continue
to do so.
A digital reproductive health footprint can be easily accessed by law
enforcement and lead to criminal or civil charges. Meta recently received significant negative press after complying with a data request
from a local Nebraska police department for private Facebook messages between a mother and daughter, who were both subsequently charged
with felony crimes related to the alleged illegal termination of the daughter’s pregnancy (for additional examples, see Addendum
A).3
As a nationwide business, the Company amasses large troves of consumer
data. Walmart is America’s leading brick-and-mortar retailer,4 with 90% of the U.S. population living within 10 miles
of its stores.5 In fact, just one Walmart store in the U.S. serves an average of 10,000 customers every day.6 Walmart
is also the second largest e-commerce company and the fifth largest pharmacy by prescription drugs market share in the United States.7
Notwithstanding, Walmart has been largely silent on the issue of data privacy following the revocation of constitutional abortion protections.
Given the sensitive nature of the Company’s data, Walmart
will be especially vulnerable to law enforcement data requests related to abortion, particularly with respect to interstate conflicts
regarding exercise of reproductive rights in states where abortion remains legal. Idaho, for instance, criminalizes interstate travel
to obtain a legal abortion under certain circumstances.8 Yet, Americans largely oppose criminalizing abortion, thereby amplifying
the risk of reputational damage that may ensue from the Company’s participation in the enforcement of abortion-related criminal
laws. Indeed, a May 2023 Kaiser Family Foundation national survey found that “majorities of the U.S. public oppose criminalizing
women, doctors, or people who assist those seeking abortion care.”9 According to the Kaiser survey, at least two-thirds
of respondents living in certain states threatened by abortion bans opposed “criminalizing doctors for performing abortions (69%),
making it a crime for women to cross state lines to get an abortion (76%), making it a crime for a woman to get an abortion (74%), or
allowing private citizens to sue people who provide or assist in abortions (78%).” Similarly, a January 2023 national poll from
Change Research on behalf of Planned Parenthood reveals that “Americans strongly oppose law enforcement being used to enforce abortion
bans.”10
_____________________________
2 https://www.nytimes.com/interactive/2022/us/abortion-laws-roe-v-wade.html
3 https://tinyurl.com/msazvebu
4 https://nrf.com/resources/top-retailers/top-100-retailers/top-100-retailers-2022-list
5 https://corporate.walmart.com/about
6 https://tinyurl.com/yxx5syby
7 https://tinyurl.com/79kbkkk9; https://tinyurl.com/4h85xubj
8 https://tinyurl.com/y2a79x4c
9 https://www.kff.org/womens-health-policy/poll-finding/kff-health-tracking-poll-views-knowledge-abortion-2022/
10 https://changeresearch.com/wp-content/uploads/2023/01/PPFA-_-Poll-Results-January-2023-1.pdf
Shareholders have reason to be concerned about whether the enforcement
of criminal abortion laws will impact the reputation and financial wellbeing of the Company. The Proposal thus calls upon management to
examine the risks associated with the Company’s current data handling practices, including its response to government information
requests, in the face of new restrictive abortion laws.
1. Walmart handles sensitive consumer data that may be vulnerable
to prosecutions concerning abortion access.
Consumers interact with the Company through various ways. They may
shop in-store or via the Walmart app, browse the Walmart website to learn about products, use the Company’s medical and pharmacy
services, or contact customer care. By way of these interactions, Walmart collects detailed and sensitive data from consumers, including
geolocation data, purchase and transaction history, demographic information, and inferences related to customers’ shopping patterns
and behaviors.11 Walmart Health & Wellness and related operations also collect personal health information (“PHI”)
from patients who use Walmart’s various pharmacy and medical services.12
While medical records – which the Company keeps – is one
of the “most definitive proof[s]” of conduct related to illegal abortions,13 officials who cannot get those records
may search for other evidence such as information about consumer purchases (e.g., pregnancy tests or abortion medication) or searches
related to abortion (e.g., searching for “mifepristone” in Walmart’s search tool). Less granular consumer data may also
provide evidence supporting abortion-related prosecutions, including “information regarding the payer, the payee, the payment amount,
and the users’ transaction labels.”14
_____________________________
11 https://corporate.walmart.com/privacy-security/walmart-privacy-notice
12 https://corporate.walmart.com/privacy-security/notices/
13 https://www.nytimes.com/2022/06/29/business/payment-data-abortion-evidence.html
14 https://tinyurl.com/3dp5tx2r
Given the current environment the Company is operating in following
the revocation of constitutional abortion rights in the United States, consumers’ digital reproductive health footprint is at risk
of being obtained through law enforcement data requests with the intent to prosecute those who have received an abortion, even when the
procedure is legal. We believe it is crucial that Walmart explore all options to protect users from these risks.
2. Walmart does not offer transparency reporting regarding law enforcement
data requests, exposing the Company to financial and reputational risks.
A recent empirical study in the Journal of Marketing showed
that the misuse of commercial data can generate negative outcomes for businesses, including negative abnormal stock returns and damaging
customer behaviors such as negative word of mouth and switching to a close business rival.15 These negative customer effects
are due to both anxiety about the potential for data misuse and feelings of corporate betrayal, as well as actual data misuse. Corporations
collecting large troves of consumer data, such as Walmart, are thus exposing themselves to higher financial and reputational risks. Apropos
to the current Proposal, the study found that data transparency, among other things, can alleviate these detrimental effects.
Walmart does not publish transparency reporting on the issue of law
enforcement data requests, in contrast to many other publicly traded companies. CVS – an industry competitor – recently
announced that it will publish “semiannual transparency reports on the number of legal information requests received,” among
other privacy-related information.16 Amazon – Walmart’s biggest e-commerce rival – as well as Meta, Google
and Apple also offer such reporting semiannually, including details on the types of data requests, compliance rates and jurisdictional
information.17 This information would be extremely helpful for investors to make determinations about the Company’s risk
exposure as well as serve as an accountability tool. In turn, consumers would gain more assurances that Walmart respects the privacy of
their data.
_____________________________
15 See Kelly D. Martin et al., Data Privacy: Effects
on Customer and Firm Performance, 81.1 Journal of Marketing at 36-58 (2017), https://doi.org/10.1509/jm.15.0497
16 https://tinyurl.com/5yt3xnn7
17 https://tinyurl.com/e7j4me8u (Meta); https://tinyurl.com/y37bzv97
(Amazon); https://tinyurl.com/4bvubser (Google); https://tinyurl.com/4zbwk6bv (Apple).
A Response to Walmart’s Opposition Statement
3. Walmart’s data sharing practices are vague and unclear
to consumers and investors.
In opposing the Proposal, Walmart states consumers may easily access
the Company’s privacy notices to learn how their data may be used. However, these notices seem to lack critical information as to
how and under which circumstances law enforcement may access customer data.
Walmart’s Privacy Notice only states that the Company may share
consumer data with third parties when the Company “believe[s] sharing will help to protect the safety, property, or rights of Walmart,
[its] customers, [its] associates, or other persons.”18 Pursuant to this provision, it is unclear whether conduct related
to criminalized abortion would be considered a situation where the Company could share consumer data. Moreover, Walmart has failed
to clarify if a data request from law enforcement must be accompanied by a court order or if the Company could voluntarily share the data.
For instance, could the Company disclose information about purchases of pregnancy tests in response to a police department seeking evidence
in connection with an illegal abortion, but without a judge having ever reviewed or approved the request?
On the other hand, the Walmart Health & Wellness Notice of Privacy
Practices provides that the Company “may disclose PHI to a law enforcement official for certain law enforcement purposes, such as
reporting crime on our premises or responding to legitimate law enforcement inquiries,”19 which could include criminalized
abortion investigations. While the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) would normally prohibit
Walmart from sharing PHI with third parties without the individual's consent, HIPAA provides an exception for law enforcement purposes.
Following the revocation of abortion rights in 2022, the U.S. Department of Health and Human Services (“HHS”), which enforces
HIPAA, published guidance providing stricter HIPAA protections when it comes to the law enforcement exception, which the Company has failed
to expressly adopt in its privacy policies or via other Company statements.20 According to HHS, entities regulated by HIPAA
may disclose only the PHI expressly requested by a court order, but no more. In addition, HHS provides that HIPAA generally “permits
but does not require” a covered entity to disclose PHI to law enforcement without consumer consent if the entity believes
the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Some
have argued that this exception applies to reproductive healthcare, and even to protection of a fetus, which position HHS disavows.
_____________________________
18 https://corporate.walmart.com/privacy-security/walmart-privacy-notice
19 https://corporate.walmart.com/privacy-security/notices/
20 https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html
In contrast, other publicly traded companies have adopted many of
the foregoing HHS or HIPAA provisions as part of their privacy notices. Amazon, for instance, provides that it “does not disclose
customer information in response to government demands unless [it is] required to do so to comply with a legally valid and binding order.”21
Meta’s privacy policy contains a similar provision and further states that the company “produce[s] narrowly tailored information
to respond to that request.”22 Cisco Systems similarly “interpret[s] demands to produce the least data necessary
to comply.”23
Based on the Company’s vague privacy notices, Walmart consumers
and investors cannot ascertain whether a judicially enforceable order is necessary for the Company to turn over user data to law enforcement
in all cases, or whether an informal request on government letterhead may suffice, making it easy for law enforcement to access user data
without judicial scrutiny. Clarity is further needed as to how the Company will protect PHI related to reproductive health information.
The requested report could provide guidance on how to correct, update or reconcile the Company’s privacy notices.
4. Regulatory and legal compliance is insufficient to minimize privacy
risks related to reproductive healthcare
Data privacy laws in the United States are considered by many experts
to be lacking in scope and woefully outdated. In fact, there is no single, comprehensive federal law regulating how companies collect,
store, or share customer data.
As the New York Times reports, “[t]he data collected by
the vast majority of products people use every day isn’t regulated.”24 In most states, companies can use, share,
or sell most data they collect about consumers without notifying them that the company is doing so. There is no federal law standardizing
when (or if) a company must notify consumers if their data is breached or exposed to unauthorized parties. If a company shares consumer
data – including sensitive information such as an individual’s web searches or location – with third parties (e.g.,
data brokers), those third parties can often sell the data or share it without notifying the affected consumers. HIPAA – one of
the few federal privacy laws but which only protects PHI – contains the previously mentioned loopholes, which could allow Walmart
to disclose information to law enforcement seeking to prosecute abortion-related crimes.
_____________________________
21 https://tinyurl.com/y37bzv97
22 https://transparency.fb.com/data/government-data-requests/
23 https://tinyurl.com/4zs6akk6
24 https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
As a result of this lax regulatory environment, many businesses have
implemented firmer privacy practices that more fully protect consumers from nefarious data uses while increasing brand trust. One such
practice is abiding by the principle of “data minimization,” in which companies only collect personal data that is strictly
necessary for delivering the service a user is expecting to receive, and use it for only that purpose.25 Data minimization
is already a legal requirement for certain companies doing business in the European Union,26 and U.S.-based publicly traded
companies like Apple and PayPal, to name a few, have already explicitly adopted this practice.27 As a result of data minimization,
companies amass less information that may be subject to law enforcement information requests or shared with third parties seeking to participate
in the enforcement of abortion-restrictive laws. Notably, data minimization would also reduce the Company’s liability, reputational
risk exposure, and storage costs.28 Walmart has nonetheless failed to disclose in its various privacy statements whether it
abides by this principle.
Privacy experts further recommend that in order to protect consumers
from being targets of abortion-related prosecutions, companies should employ data security measures such as data encryption, de-identification,
and anonymization.29 Encryption is the process of converting information or data into a code, especially to prevent unauthorized
access. De-identification entails segregating personally identifiable data like names and addresses from PHI and other sensitive data
that the company stores. Anonymization protects private or sensitive information by erasing identifiers that connect an individual to
stored data.
While Walmart is legally required to apply some of these security measures
before sharing HIPAA-covered PHI, it is unclear whether these measures could be applied to other consumer information contemplated in
the Proposal such as data collected in its website (e.g., product searches, geolocation data). Sharing consumer data without proper security
measures could expose the Company to significant risks, including the threat of burdensome litigation. In 2021, for example, the most
popular fertility and period tracking app developer, Flo Health, faced legal action upon claims that the platform shared sensitive health
information with third parties, including Google and Facebook, without the users’ consent.30
_____________________________
25 https://pirg.org/articles/do-you-know-where-your-data-is-because-facebook-doesnt/
26 https://www.business.com/articles/how-to-apply-data-minimization/
27 https://tinyurl.com/4npba7a6 (Apple); https://tinyurl.com/2p8er5r2
(PayPal)
28 https://tinyurl.com/2p92fr8t
29 https://www.securitymagazine.com/articles/98414-privacy-and-data-protection-in-the-wake-of-dobbs
30 https://tinyurl.com/2sduk56f
Finally, most companies doing business in California, Virginia and
the European Union are also required to provide consumers with “deletion rights,” as contemplated by the Proposal.31
Deletion rights generally grant consumers the ability to have personal information erased in instances where the business is not required
to maintain the data. Implementing a sustainable data deletion program can help Walmart reinforce its standards and governance for data
deletion, meet regulatory requirements, reduce the risk of data breaches, and improve data hygiene overall.32
Since Walmart already complies with data deletion requirements under
California and Virginia law, applying deletion rights or other related data deletion mechanisms nationwide could be a feasible and cost-effective
mitigation measure to the problems raised identified in the Proposal. Mastercard provides deletion rights to consumers nationwide.33
Synalab Group, an international health services provider, automatically deletes or anonymizes a website visitor’s IP address from
the company data logs, while other remaining website-visitor data “is stored for a limited period of time” with the explicit
purpose of improving the “operation of [Synalab’s] website.”34 DaVita, a leading healthcare provider, gives
consumers the opportunity to “amend or delete” information collected from them through the company’s online platforms.35
The requested report would advise investors whether the foregoing
data security and protection measures could indeed provide benefits to Walmart. The report would also assess whether consumers’
trust in the Company could be increased by enhancing or adding new privacy safeguards, which, in consultation with reproductive rights
and civil liberties organizations, may include:
| ● | Establishing a robust policy of challenging overbroad or vague government data requests; |
| ● | Providing user-friendly and easy-to-read privacy guidelines (e.g., infographics, disclosure banners, privacy policy outlines); |
| ● | Implementing a default policy of, whenever legally permissible, notifying users whose data is requested by law enforcement; and, |
| ● | Publishing periodic transparency reporting on data privacy and government data request, with special attention to issues related to
reproductive rights. |
_____________________________
31 https://tinyurl.com/mryrf3jc (CA); https://tinyurl.com/53s7zn5t
(VA); https://tinyurl.com/3w7mek6x (E.U.)
32 https://www.grantthornton.com/insights/articles/advisory/2020/how-data-deletion-empowers-data-protection
33 https://tinyurl.com/yck8twbp
34 https://www.synlab.com/privacy-policy
35 https://www.davita.com/privacy-policy
5. Production of the requested report would be cost-effective and
a good use of resources.
In opposing the Proposal, the Company notes that staff resources would
be better used on “upholding and enhancing its robust processes and responding to requests than in preparing the requested report.”
We wholeheartedly disagree with this statement.
The requested report would provide an opportunity for Walmart to fully
consider the risks of becoming a target of abortion-related law enforcement requests so that it may mitigate future controversies and
increase investors’ trust in the Company. The scope of research involved in the production of the report is narrow and limited to
the risks associated with the Company’s fulfillment of information requests relating to Walmart customers for the enforcement of
state laws criminalizing abortion access. Furthermore, production of the requested report would be cost-effective and feasible. Interpublic
Group Companies recently conducted an assessment of its reproductive health data with respect to state laws criminalizing abortion,36
showing that the type of analysis contemplated by this Proposal could be done. As such, we believe that the requested report could be
produced by current Walmart staff in consultation with outside experts and groups, thus satisfying this Proposal without incurring substantial
cost.
In sum, we believe that implementing the requested report will help
ensure that Walmart does more to monitor its data handling practices, reducing consumer exposure to serious risks stemming from abortion-related
criminal prosecutions. Failure to do so may erode shareholder value by diminishing the Company’s reputation, consumer loyalty, brand,
and values.
Vote “Yes” on Shareholder Proposal No. 10.
For questions, please contact molly@cleanyield.com.
The foregoing information should not be construed as investment
advice.
_____________________________
36 https://tinyurl.com/mvrmfj2x
ADDENDUM A:
Examples of harms from companies sharing reproductive
health-related data with third parties without consumer consent
Aaron Sanderford, Facebook data used to prosecute Nebraska mother,
daughter after alleged abortion, Nebraska Examiner (Aug. 10, 2022), https://tinyurl.com/2etavr8t
In 2022, Meta complied with a data request from a local Nebraska
police department for private Facebook messages between a mother and daughter, who were both subsequently charged with felony crimes related
to the alleged illegal termination of the daughter’s pregnancy.
Cynthia Conti-Cook, Surveilling the Digital Abortion Diary,
University of Baltimore Law Review (Oct. 2020), https://scholarworks.law.ubalt.edu/ublr/vol50/iss1/2/
In 2017, a woman in Mississippi experienced an at-home pregnancy
loss. A grand jury later indicted her for second-degree murder, based in part on her online search history, which recorded that she had
looked up how to induce a miscarriage.
Drew Harwell, Is your pregnancy app sharing your intimate data
with your boss?, The Washington Post (Apr. 10, 2019), https://tinyurl.com/57mrfs3n
A 2019 report revealed that pregnancy app Ovia Health sold
user health data to their employers, without user consent.
Patel v State of Indiana, 60 N.E.3d 1041 (Ind. App. 2016),
https://tinyurl.com/yc6v27f9
In 2013, a woman was sentenced to twenty years in Indiana
prison for “neglect of a dependent and feticide” after taking abortion pills she purchased online. Evidence presented against
her at trial included online research she conducted, the email confirmation she received from an online mail order pharmacy, and unencrypted
text messages to a friend about her relationship, becoming pregnant, and the abortion medication she purchased.
Shoshana Wodinsky & Kyle Barr, These Companies Know When
You're Pregnant—And They're Not Keeping It Secret, Gizmodo (Jul. 30, 2022), https://tinyurl.com/mthv8jzc
In 2022, Gizmodo identified 32 brokers selling data
on 2.9 billion profiles of U.S. residents pegged as "actively pregnant" or "shopping for maternity products."
Jennifer Gollan, Websites Selling Abortion Pills Are Sharing
Sensitive Data With Google, ProPublica (Jan. 18, 2023), https://tinyurl.com/3ty8cb45
A 2023 investigation by ProPublica found online pharmacies
that sell abortion medication such as mifepristone and misoprostol are sharing sensitive data, including users' web addresses, relative
location, and search data, with Google and other third-party sites — which allows the data to be recoverable through law-enforcement
requests.
Federal Trade Commission v Kochava, Inc. (Aug. 29, 2022),
https://tinyurl.com/ywbffb4b
In 2022, the Federal Trade Commission sued Kochava –
a data analysis platform primarily used by companies for marketing purposes – for selling data that tracks people at reproductive
health clinics, places of worship, and other sensitive locations.
THE FOREGOING INFORMATION MAY BE DISSEMINATED TO SHAREHOLDERS VIA TELEPHONE,
U.S. MAIL, E-MAIL, CERTAIN WEBSITES AND CERTAIN SOCIAL MEDIA VENUES, AND SHOULD NOT BE CONSTRUED AS INVESTMENT ADVICE OR AS A SOLICITATION
OF AUTHORITY TO VOTE YOUR PROXY. PROXY CARDS WILL NOT BE ACCEPTED. PLEASE DO NOT SEND YOUR PROXY TO CLEAN YIELD ASSET MANAGEMENT. TO VOTE
YOUR PROXY, PLEASE FOLLOW THE INSTRUCTIONS ON YOUR PROXY CARD.
12
Walmart (NYSE:WMT)
Historical Stock Chart
From Nov 2023 to Dec 2023
Walmart (NYSE:WMT)
Historical Stock Chart
From Dec 2022 to Dec 2023
