You have probably read the expression from big technology companies: "We do not sell your personal data".
Companies such as Facebook, Google and Twitter reiterate this statement in their privacy policies, public statements or when submitting to Congress.
And of course if we think about it literally, the companies' promise is true:
Despite the massive collection of personal data by their users and the conversion of this data into profits of billions of dollars, these companies do not sell their users' information.
At least as some data brokers sell them to advertisers.
But these denials divert attention from all the other ways in which big technology companies use our personal data to gain more and more, while in the process, endangering the privacy of users, as experts say.
Lawmakers, security guards, and privacy advocates have often shown different ways in which advertisers can pay to access data from companies such as Facebook, Google, and Twitter without purchasing the data directly.
And the focus on "selling" is essentially ashes in the eyes of the big tech companies, says Ari Ezra Waldman, a professor of law and computer science at Northeastern University.
"To say they do not sell data to third parties is like a yogurt company saying it is gluten free. "Yogurt, of course, is gluten-free," said Waldman.
"It is a misguided direction of seduction from all other ways that may be more subtle but still invade privacy."
These other ways include everything from data collected by real-time bidding streams, targeted ads that drive traffic to sites that collect data, or companies that use data internally.
How do I risk if my data is not sold?
Although companies like Facebook and Google do not sell your data directly, they use it for targeted advertising, which creates many opportunities for advertisers to pay more for it.
The simplest way is through an ad that links to a site with its own built-in trackers, which can collect information about visitors, including their IP address and device IDs.
Advertising companies of course consistently report that they are selling ads, not data, but they do not disclose that clicking on these ads often results in the collection of personal data from a website. In other words, you can easily give your details to companies that have paid to put an ad in front of you.
If the ad targets a specific demographic, then advertisers will be able to infer personal information about visitors from that ad, says Bennett Cyphers, a personal technologist at the Electronic Frontier Foundation.
For example, if there is an ad for expectant mothers on Facebook, the advertiser may conclude that everyone who comes from this link is someone whom Facebook believes is expecting a child.
Once a person clicks on this link, the site could collect device IDs and an IP address, which can be used to identify a person. Personal information such as "prospective parent" could be associated with this IP address.
So if you are looking for baby clothes, the next ads that will appear will show you baby clothes.
"You could say, at Google, I want a list of 18-35 year olds who attended the Super Bowl last year."
"They will not give you this list, but they will let you show ads to all these people," says Cyphers. "Some of these people will click on these ads and you can easily figure out who these people are. That way, you can actually buy data this way. "
Then there is the complicated but much more common way advertisers can pay for data without being considered a sale, through a process known as "real-time bidding streams".
Often, when an ad appears on your screen, it was not already there waiting for you. Digital auctions take place in milliseconds before ads load, where sites sell data at the highest bid with an automated process.
A one-page visit starts a bidding process where data such as an IP address, device ID, visitor interests, demographics, and location are sent to hundreds of advertisers simultaneously. Advertisers use this data to determine how much they will want to pay to show an ad to this visitor, but even if they do not make the best offer, they have already recorded personal information that may be too much.
With Google Ads, for example, Google Ad Exchange sends data related to your Google Account during this ad auction process, which may include information such as your age, location, and interests.
Advertisers do not pay for the data itself. But they pay for the right to show an ad on a page you visited. However, they still receive the data as part of the bidding process, and some advertisers gather this information and sell it normally, according to privacy advocates.
In May, a group of Google users filed a federal lawsuit against Google in a California court, alleging that the company was violating its claims of not selling personal information by operating real-time bidding streams.
The lawsuit alleges that although Google does not provide our personal information directly in return, its advertising services allow third parties to actually pay to access information from millions of people. The case is ongoing.
"We never sell personal data and have strict policies that specifically prohibit personalized ads based on sensitive categories," Google spokesman José Castañeda told the San Francisco Chronicle in May.
Real-time bidding has also caught the attention of lawmakers as well as security agencies for its impact on privacy.
In April, a bilateral group of U.S. senators sent a letter to ad technology companies participating in real-time bidding, including Google. Their main concern: foreign companies and governments may be collecting vast amounts of personal data from Americans.
On May 4, Google responded to the letter by telling lawmakers that it did not disclose personally identifiable information in bids and did not disclose demographics during the process.
What does "Sell" data mean?
The California Consumer Privacy Act, which came into force in January 2020, sought to create a broad scope for the definition of "sale" beyond a simple exchange of data for money. The law considers a sale when personal information is sold, rented, issued, shared, transferred or communicated (orally or in writing) from one company to another for "money or other consideration".
And companies that sell such data need to disclose that they are doing so and allow consumers to prevent it.
But this does not mean that the type of personal data that a company collects and sells is always known.
Mobile ad IDs can be easily linked to owners through third-party companies.
T-Mobile spokesman Taylor Prewitt did not say why the company did not consider the ad IDs to be personal information, but said customers had a right to opt out of the sale of that data.
Consumers need to look at corporate policies to see if there is an exception and how long they retain the data they collect, says Lindsey Barrett, a privacy expert.
These statements carry far more weight than companies that promise not to sell your data.