What it means: We do not sell your personal data

You have probably read the expression from big technology companies: "We do not sell your personal data".

Companies such as Facebook, Google and Twitter reiterate this statement in their privacy policies, public statements or when submitting to Congress.

And of course if we think about it literally, the companies' promise is true:

Despite the massive collection of personal data by their users and the conversion of this data into profits of billions of dollars, these companies do not sell their users' information.

At least as some data brokers sell them to advertisers.personal data

But these denials divert attention from all the other ways in which big technology companies use our personal data to gain more and more, while in the process, endangering the privacy of users, as experts say.

Lawmakers, watchdog organizations, and privacy advocates have repeatedly pointed to different ways in which the they can pay to access data from companies like Facebook, Google and Twitter without buying the data directly.

And the focus on the term "selling" is practically ashes in the eyes of the big tech companies, says Ari Ezra Waldman, professor of law and computer science at Northeastern.

"To say they do not sell data to third parties is like a yogurt company saying it is gluten free. "Yogurt, of course, is gluten-free," said Waldman.

"It is a misguided direction of seduction from all other ways that may be more subtle but still invade privacy."

These other ways include everything from data collected by real-time bidding streams, targeted ads that drive traffic to sites that collect data, or companies that use data internally.

How do I risk if my data is not sold?

Although companies like Facebook and Google do not sell your data directly, they use it for targeted advertising, which creates many opportunities for advertisers to pay more for it.

The simplest way is through an ad that links to a site with its own built-in trackers, which can collect information about visitors, including their IP address and device IDs.

Advertising companies of course consistently report that they are selling ads, not data, but they do not disclose that clicking on these ads often results in the collection of personal data from a website. In other words, you can easily give your details to companies that have paid to put an ad in front of you.

If the ad targets a specific demographic, then advertisers will be able to infer personal information about visitors from that ad, says Bennett Cyphers, a personal technologist at the Electronic Frontier Foundation.

For example, if there is an ad for expectant mothers on Facebook, the advertiser may conclude that everyone who comes from this link is someone whom Facebook believes is expecting a child.

Once a person clicks on this link, the could collect device identifiers and an IP address, which can be used to identify an individual. Personal information such as “expected parent” could be associated with this IP address.

So if you are looking for baby clothes, the next ads that will appear will show you baby clothes.

"You could say, at Google, I want a list of 18-35 year olds who attended the Super Bowl last year."

"They will not give you this list, but they will let you show ads to all these people," says Cyphers. "Some of these people will click on these ads and you can easily figure out who these people are. That way, you can actually buy data this way. "

Then there is the complicated but much more common way advertisers can pay for data without being considered a sale, through a process known as "real-time bidding streams".

Often, when an ad appears on your screen, it was not already there waiting for you. Digital auctions take place in milliseconds before ads load, where sites sell data at the highest bid with an automated process.

A one-page visit starts a bidding process where data such as an IP address, device ID, visitor interests, demographics, and location are sent to hundreds of advertisers simultaneously. Advertisers use this data to determine how much they will want to pay to show an ad to this visitor, but even if they do not make the best offer, they have already recorded personal information that may be too much.

With Google Ads, for example, Google Ad Exchange sends data related to your Google Account during this ad auction process, which may include information such as your age, location, and interests.

Advertisers do not pay for the data itself. But they pay for the right to show an ad on a page you visited. However, they still receive the data as part of the bidding process, and some advertisers gather this information and sell it normally, according to privacy advocates.

In May, a group of Google users filed a federal lawsuit against Google in a California court, alleging that the company was violating its claims of not selling personal information by operating real-time bidding streams.

The lawsuit argues that even though Google doesn't directly give away our personal data in exchange, its advertising allow third parties to essentially pay to access information from millions of people. The case is ongoing.

"We never sell personal data and have strict policies that specifically prohibit personalized ads based on sensitive categories," Google spokesman José Castañeda told the San Francisco Chronicle in May.

Real-time bidding has also caught the attention of lawmakers as well as security agencies for its impact on privacy.

In April, a bilateral group of U.S. senators sent a letter to ad technology companies participating in real-time bidding, including Google. Their main concern: foreign companies and governments may be collecting vast amounts of personal data from Americans.

On May 4, Google responded to the letter by telling lawmakers that it did not disclose personally identifiable information in bids and did not disclose demographics during the process.

What does "Sell" data mean?

The California Consumer Privacy Act, which came into force in January 2020, sought to create a broad scope for the definition of "sale" beyond a simple exchange of data for money. The law considers a sale when personal information is sold, rented, issued, shared, transferred or communicated (orally or in writing) from one company to another for "money or other consideration".

And companies that sell such data need to disclose that they are doing so and allow consumers to prevent it.

But this does not mean that the type of personal data that a company collects and sells is always known.

In T-Mobile's privacy policy, for example, the company states that it sells bulk compiled data, which it calls "audience segments." The policy states that the audience segments for sale do not contain IDs such as your name and address, but do include the mobile ad ID.

Mobile ad IDs can be easily linked to owners through third-party companies.

Nevertheless, T-Mobile's privacy policy states that the company "does not sell information that directly identifies customers."

T-Mobile spokesman Taylor Prewitt did not say why the company did not consider the ad IDs to be personal information, but said customers had a right to opt out of the sale of that data.

So what should I look for in a privacy policy?

Even if a privacy policy states that it does not disclose private information beyond the company's walls, the data collected may be used for purposes you may not enjoy, such as the internal training of algorithms and machine learning models.

Consumers need to look at corporate policies to see if there is an exception and how long they retain the data they collect, says Lindsey Barrett, a privacy expert.

These statements carry far more weight than companies that promise not to sell your data.

Alfred Ng's article was published in The Markup.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
personal data, google, facebook, iguru

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).