Next time you head down to your local supermarket, beware: your every move could be monitored. Intimate surveillance of the nation’s shopping habits is here. Earlier this month a shopping centre in Portsmouth began tracking its customers’ movements through their mobile phone signals, which were picked up by receivers hidden around the centre. Managers at Gunwharf Quays were able to see the kind of goods people were shopping for, how long they stayed and even when they used the toilets.

The system was condemned by MPs and civil liberty campaigners as a Big Brother-style invasion of privacy, forcing the centre to claim the tactics were only “an experiment”.

However, while shoppers may feel uneasy about being tracked by their mobile phones the reality is that their shopping habits are already being closely scrutinised on a far larger scale than in the Gunwharf shopping centre. Data on the buying habits of tens of millions of shoppers are routinely recorded every time they use a store loyalty card.

Go online and browse and you are instantly transmitting details about your whereabouts, your tastes in reading material, music, fashion and much more. And that’s before you’ve started inputting the kind of personal details required when you request, for example, an online insurance quote.

Most people who rent a car are unaware that hire companies are fitting tracking devices to alert them if one of their vehicles is stolen. It means they have the potential to track every move their customers make.

We live in such an information-hungry economy that it has become almost impossible to perform many everyday tasks without facing a demand for personal data. The majority of people in the UK today have their personal information stored in about 700 databases, according to a recent Which? magazine report.

So who collects all this personal information, where is it stored, how is it used and who has access to it?

Store loyalty cards and online shopping databases now account for the biggest source of personal data about consumers held by private companies. In fact, one company alone – Dunnhumby, which operates the Tesco Clubcard – holds detailed data on the 13m Britons who regularly use one. Nectar, a rival loyalty scheme that includes Sainsbury’s, Ford and BP, has 10m active UK members while Boots boasts that 15m people regularly use its own Advantage loyalty card. It is a lucrative business: Dunnhumby had a turnover of £77m last year.

The money is made by creating detailed shopper profiles from the raw data, which are then sold to affiliated companies that are interested in the purchasing habits of consumers.

This is possible because by joining a loyalty scheme, consumers sign away some of their rights under the Data Protection Act, which states that information can only be used for the purpose it was collected for and must be deleted afterwards. Without all that protection, firms feel free to keep hold of everything you ever tell them. When I asked Tesco what data it held on me, I discovered it had a complete record of every address I had lived at since 1999, even though I had only actually used a Clubcard once during that time.

According to Clive Humby, the chairman of Dunnhumby, who set the Tesco system up, there is no question of prying into people’s personal lives. When you sign up for a Clubcard the data are separated into two streams – red and blue. Red data are essentially your name and address, whereas blue consists of your Clubcard number and details of any Tesco transactions conducted with it. Humby insisted that his firm only tracks the anonymous blue data: “All the store knows is that card 157 has arrived and the contents of the basket of goods it has bought.”

However, anyone who has received shopping vouchers through the post knows that there is clearly some correlation: the vouchers are usually for items that you have bought in the past.

“These companies have finely grained data silos, or categories, that can assess if you are, say, a Jewish middle-income earner who travels regularly,” says Simon Davies of Privacy International, a human rights watchdog on surveillance and privacy invasions. “I don’t believe there is absolute separation – there is always some coming together of data. It’s easy to make these claims, far harder to stand them up under scrutiny. I challenge Tesco to have the technology inspected by independent privacy analysts.”

The British Retail Consortium defends the practice, saying that no one forces customers to sign up to the schemes. This isn’t strictly true: to even browse the Tesco website properly you must first sign up for a Clubcard. Tesco says this is so that it can check whether your local has sufficient stock of the goods you wish to order.

Which brings us to privacy on the web. The amount of personal information demanded by many websites to register with them is so detailed it would have been unheard of even a few years ago. The insurance price comparison website www.confused.com, for example, asks for the usual age, address and contact details when requesting a life insurance quote. However, it also demands to know whether you are a smoker and your mother’s maiden name. This sensitive information would be a gift to any identity thief.

And what does it do with all the information it was so quick to demand? “Your details are pinged off to pretty much every insurer in the country,” says Jennifer Rose, a spokeswoman for the company. “The data are stored by them for up to a month in order to ensure that any quotes that are given remain active.”

She also insisted that these insurers have each provided written commitments not to use this information for any purpose other than providing the initial quote – after all, this would breach the Data Protection Act – but when pressed, Rose agreed that Confused “cannot be certain that they don’t analyse it for their own purposes or that they delete it when they are supposed to”.

The level of detail required can be astonishing. Not so long ago all you would need to hire a car for a few days would have been your driving licence. Today Europcar, the car rental firm, takes a copy of your thumbprint as well as your credit card details as proof of identity. It also hides a GPS tracker device in many of its vehicles that enables it to record every mile covered. The aim is to prevent cars being stolen. However, as with many other surveillance techniques used ostensibly in the fight against crime, innocent people are caught up in the spy net.

David Alexander, operations director of Europcar, admitted it keeps hold of personal data for some time after a vehicle is returned: “Some people say, ‘I’ve given the car back, so what’s the beef?’ but we can still receive speeding tickets much later on.”

In London the Oyster card used for payments on public transport also keeps track of wherever you go on the network. Since it was launched in 2003 about 17m Oyster cards have been issued. To get one, you need only to hand over a £3 deposit, but to qualify for a refund if you lose the card you need to register properly – 4.1m cards have been registered so far. This enables Transport for London (TfL) to see where you have been and when.

A spokesman for TfL explained that “any information on passenger travel movements is held for a maximum of eight weeks on TfL’s central Oyster card system and used for customer services purposes”. After this time elapses, the information is still not deleted but “depersonalised” and then used for planning purposes. The Data Protection Act says consumers should be told what personal information is being collected and for what purposes, but TfL fails to mention this fact.

Local councils were criticised last week by Sir Simon Milton, head of the Local Government Association, for using new antiterror laws to spy on residents. The laws, passed under the Regulation of Investigatory Powers Act (Ripa) in October, were intended to protect against a serious terrorist attack. However, they also give more than 600 public bodies, including local authorities, the right to demand itemised phone bills and carry out surveillance to investigate all kinds of offences such as failing to put bins out.

The act could soon be extended to internet browsing and e-mail if the UK implements the full European Union directive that underpins the Ripa.

Even the police are worried about the so-called “function creep” of legislation designed to protect but increasingly used to snoop. Last week Ken Jones, president of the Association of Chief Police Officers (Acpo), warned at the launch of its annual conference that “the ceding of intrusive powers to local government and other bodies and giving them access to once sacrosanct personal data” was causing widespread unease.

When senior police officers warn about the rise of a Big Brother state you know something is wrong.

Explore Tech & Web

• Personal Tech

• The Web

• Gadgets & Gaming

Times recommends

• BlackBerry Storm joins the touchscreen scrum
• ITV plans unavoidable TV adverts
• BT rolls out Phorm web tracking