Privacy Lawls with Donata
Ep. 7 | Collecting vs. Sharing vs. Selling Data… what’s the difference? (Guest: Justin Brookman)
![PrivacyLawls_V3](https://termageddon.com/wp-content/uploads/2023/07/PrivacyLawls_V3.png)
What does it mean for a website to collect data? What about sharing data? Selling data?
These are all real realities of today’s online world, but that doesn’t necessarily mean they’re bad. We discuss when it’s ok and when it’s maybe not so ok on today’s episode.
Show Transcript
[00:00:00] Hello, and welcome to Privacy Lawls a podcast where we talk about privacy and have some laughs along the way. I’m your host, Donata Stroink-Skillrud and today we’ll be talking about data collection, the sharing of data, and the selling of data. My hope is that by the end of this episode, consumers will be able to understand whether their data is being collected, shared, or sold.
And businesses will also be able to understand whether they engaged in those practices as those practices are regulated by a variety of different privacy laws. So today I’ll be interviewing Justin Brookman. Justin is the Director of Technology Policy for Consumer Reports, where he’s responsible for helping the organization continue its groundbreaking work.
To shape the digital marketplace in a way that empowers consumers and puts their data, privacy and security needs. First, prior to joining consumer reports, Justin was the policy director at the Federal Trade Commission’s Office of technology, research and innovation and the director of consumer privacy at the Center [00:01:00] for democracy and technology.
Lastly, Justin has also worked as a New York state assistant attorney general. So, Justin, thank you so much for agreeing to be on the podcast today. It’s great to have you here. Can you please tell us a bit more about your career and how you got interested in privacy? Yeah, thank you. So thanks very much for having me on.
I’ll say I first got into privacy and tech policy issues probably when I was at the New York Attorney General’s office, which is you mentioned in the intro. I joined there from a law firm. I’d always wanted to do consumer protection work. And the New York Attorney General’s office at the time, this is the mid 2000s, was, had created a new internet bureau to try to find online stuff that was bad for consumers.
And a lot of it was like adware and some early net neutrality stuff. But it started to become more about privacy as well. Privacy and data security. So I was involved in a few cases then. And then I think it was starting to become more of a big issue. And [00:02:00] so then when my wife got a job in D. C. I was able to get a fellowship with the Center for Democracy and Technology, who had already done a lot of work on privacy stuff.
And then from then it’s been a lot of maybe, full time privacy a lot of the time ever since. Maybe not as much in my current role. But certainly at the federal trade commission and at CDT it was all about commercial privacy. And it’s still a lot of my, my job today. That’s so cool. Yeah. I mean, consumer reports where you’re at right now, everybody knows about consumer reports.
You guys provide so many great. Information and resources for consumers. One of the resources that I was recently looking at is the data privacy product ratings. What are those? And can they be helpful in the upcoming Black Friday and Cyber Monday shopping? Yeah, and that’s actually the reason I originally joined Consumer Reports back about, like, five or [00:03:00] six years ago.
You know, I wasn’t sure that there was actually a lot of policy opportunities at that time, and that ended up being terribly wrong. Because I think pretty soon after I joined, Cambridge Analytica happened, the CCPA happened, and then it’s been a lot of policy. But I was thinking, you know, Consumer Reports does provide, has done product evaluations for not quite 100 years, but for pretty close.
And then we evaluate, you know, you know, what’s good about a smart, smart TV screen and what’s good attributes in a refrigerator. But also like privacy and security are now increasingly parts of connected products. And so a lot of my initial job here was trying to figure out how to give companies scores on, on things like privacy and security.
And now, as you know, as part of our, our regular rating services privacy and security is an element of like, you know, 20 or so product lines. And so we give individual scores on those, but also it affects overall score. And so if a smart TV is not really good on privacy and security it’s actually going to get an overall lower [00:04:00] score.
And so that’s, that’s a big piece of it. We also do a lot of investigative journalism to try to say, you know, hey, here’s like a maybe a product area that’s evolving or emerging or that people are suddenly interested in. I think period tracker apps is an example that especially after Dobbs, people were suddenly very interested and worried about fertility data.
So we looked at a bunch of fertility apps and talked about what they’re sharing to try to expose, you know, what, what some good practices and some practices not as good. And then a lot of Maybe the rest of it is like, like how to guidance, kind of practical tips for folks around how to stop your browser from sharing information, like when to update your software again, to try to educate folks you know, a lot of my policy work is not, is to try to not put too much burden on consumers to have to micromanage their privacy but, but, but, you know, still as part of being a digital citizen, there’s, there’s things you need to be able to do.
And so consumer reports tries to help folks know the basics that help protect themselves. That’s [00:05:00] great, because it saves a lot of time on on research, right? Like not every consumer has the time to read the privacy policy for every product that they buy or have the knowledge to be able to interpret what those things mean.
So that’s very, very helpful. What about advocating for laws for consumer privacy? Yeah so like I said, I wouldn’t sure how much policy work I would be doing but then it pretty soon after I joined the California ballot initiative, which ended up turning into CCPA became a thing.
And then, I mean, just since I joined California and like 14 or so other states have passed privacy laws. There was a lot of interest in Congress. State attorneys general are interested in doing a lot. So, it actually had been a lot of work on the policy front. I will say, like, most of our effort has been focused at the state level a couple of years ago when it looked like Congress was close, we were pretty closely involved, but mostly pushing pushing, trying to make these state laws that are being proposed stronger.
Maybe opposing in some cases [00:06:00] bills that we think are too weak or maybe pushed by industry in lieu of stronger bills. So California has been a lot of our focus. We were definitely involved closely in Colorado and Connecticut and like I said, a lot of the other states that have have gone forward in recent years.
A lot of our focus has been on how to make. Data rights usable. I think a lot of like these laws, they offer new rights, which is great. But it’s really hard for folks to take advantage of those. It’s asking a lot of folks. And so one idea we stress is the idea of data minimization that by default companies should be, you know, collecting your data and using it and sharing it as needed to deliver a certain product someone wants, but then other, other sharing and processing maybe just shouldn’t happen and you shouldn’t be pestering someone with opt ins requests or like making them find an opt out should just work and people should be able to expect that to happen.
The laws we’ve been able to pass have not been quite that strong, so a lot of them are opt out based, and so we try to find ways to make opt out more usable. And so a couple ways we did that are one, on universal opt [00:07:00] outs, if you want to, you know, through your browser broadcast to everybody. Whoever you are, I don’t want you selling my data.
And so that’s, that’s an idea that was included in the California law. It’s been included in about half of the laws that have passed and you can appoint some sort of universal browser setting to opt out for you. And so we helped coordinate the global privacy control project, which is an open source standard for you to, in your browser, send everyone a request not to sell.
And then there’s also the idea of authorized agents that okay. It’s a lot for one person to manage. Maybe you can appoint someone to help manage your opt in requests, your opt out requests your deletion requests, your access requests. And so those there are provisions in most of the state bills around that.
And so consumer reports now has a product called permission slip, which is designed to help you. Kind of manage where your data is stored across different services. So that’s something that we actually launched just last month in the Android store and in addition, we are already in the, the, the Apple [00:08:00] store.
And again, we, we, it’s been educational. We’ve already sent over a million rights requests on behalf of folks. Again, trying to find ways to make these rights somewhat more manageable for people. So what is the app called in the app store in case people want to check it out? Yeah, so it’s called Permission Slip, Permission Slip by Consumer Reports.
And you can get it and it’ll show you kind of cards, like do you want to, you know, manage your, your information from Amazon or Home Depot or whoever. And again, we’re trying to find ways to scale it. Again, there’s new, there’s going to be new law in California, the less you universally opt out of data broker records.
And so we definitely want to help folks take advantage of that. And so it’s mostly a service kind of help you either get your information from, from a company. to delete it if you don’t necessarily want it there. And then to, you know, just opt out if you don’t want them to share or sell your information.
Very cool. That’s, that’s an awesome product. So let’s get into our topic for today. So many people don’t even know what, what personal data even is.[00:09:00] So can you tell us what it is and also provide some examples of personal data as well. Yeah, and so I think maybe like, you know, 15 or so years ago when I was first getting into this space, people had a real, probably a more narrow conception of personal information.
It was, we talked about PII, personally identifiable information. If it was tied to your name, then that counted. And I think over time, people have realized, well, no, there’s lots of, you know, other data, like, you know, what you do online, browsing can come back and like, you know, and you get targeted ads or you can you know, change your browsing experience and people still have an interest in that.
And so. The Federal Trade Commission, maybe, I don’t know, maybe about 10 years ago, said no, anything tied to a device or a household in ways that can change your behavior, especially, we’re going to consider that to be personal data, and so all these laws that are passing, Have a pretty expansive view of it’s tied to your IP address.
It was tied to a cookie Then yeah, that’s gonna be considered personal information A lot of these laws have [00:10:00] special protections for they come for like sensitive data And so if it’s health data, there should be no higher rules around that if it’s geolocation There’ll be maybe from some rules around that But at the end of the day, I mean all data can be fairly sensitive I think doing web browsing is is generally not considered sensitive in most of these laws but Web browsing can be incredibly revealing, very specific about, you know, the sort of things that you’re interested in, and maybe would not necessarily want the world to know every website you go to.
And so we, we generally try to push for fairly strong protections for all personal data. Because again, I think most people would expect it to stay, you know, with whoever you share it with. And not necessarily expected to be then sold or shared with giant technology companies or with data brokers. It’s funny, the, I think there’s probably billions or millions of memes now saying that you know, if I die, delete my browsing history.
Yeah. Yeah, I mean, again, like, like, we all like spend, we spend, what, like, [00:11:00] hours like ten to more hours a day online. And you know, like most of what we do, I think it’s probably, we’ve probably not necessarily in mind, but it’s also not anyone’s business. I mean, again, we, surfing the internet, it feels like, you know, it should be something, it feels somewhat passive, like you’re reading the paper.
When you’re reading the newspaper, you don’t expect to have, you know dozens of, you know, little companies over your shoulder watching what you do. When you’re at the library, You don’t expect to have like, you know, dozens of cameras on you watching every page you, you view or book that you browse, but unfortunately, that’s the way that the Internet is structured that, that, that there are lots of third parties on every single website you go to who then can collect a pretty detailed dossier of all the different things you do online.
So speaking of third parties, I mean, most of us have submitted our data to websites like we’ve filled out contact forms, email newsletters, subscription forms, maybe we’ve created accounts, but can you tell us about other ways in which websites or applications collect data that we may not [00:12:00] be fully aware of?
Yeah, so yeah, when you’re typing information in, you’re just kind of intuitive that you’re sharing it at least with that company when you’re logging in, you provide your email address. But after that, you don’t necessarily know what’s going to happen. It’s like most websites have companies like Google and Facebook, maybe other data brokers embedded.
So your information about what you’re doing there might be shared with them and then added to their, their general profile about you. Also, especially when you give identifying information like an email address or a phone number, then they can go to a data broker and say, Oh, tell me more about this person.
And so even if you didn’t share your interest or some other histories about things you did on different sites, they can import that from elsewhere. And then like in the physical world, you know, when, when you you know, we share information all the time. When you go to first of all, your phone is constantly collecting and in many cases sharing geolocation information about all the places you go.
And so when you open an app and it says, you know, can you do, do you wanna you use geolocation, you know, maybe you wanna know like the [00:13:00] location of a store nearby. But in fact it’s then, you know, sharing information about. Who you are and where you’re going. You know, also whenever you use a credit card, like that creates a record of what you’re doing.
And a lot of companies are trying to get smarter about matching credit card and purchase data with information about you, maybe about what you do online and, you know, maybe it’s just to try to see if. Advertising is effective and or maybe it’s to kind of create, figure out, Oh, this person’s a big spender, or this person’s really interested in a certain product.
So let’s try to find other ways to get this person to, to buy more of that. Some of it is, is really creepy. You know, this happened to me a couple of days ago where I was going onto a website to look at coffee tables because I need a new one. And I did not submit any of my information. I didn’t subscribe to anything.
I didn’t buy anything, nothing like that. And then two days later, I started getting emails from them saying, here are all the coffee tables that you might be interested in. And there are companies now that can tie your [00:14:00] browsing history to an email somehow, and then send you emails that you never signed up for.
Yeah, I mean, I’ve had that happen as well. And I think a lot of people probably have seen that experience. And so, yeah, once you, if you share online with like, let’s say the Washington Post, I don’t know if the Washington Post does it, you give them your email address, then that company can then share it with a bunch of other data brokers.
And then if that data broker, so then like that data broker can know that cookie 1234 is associated with Justin at gmail. com. And then later, if you go to a different site that also uses the same data broker, that data broker can recognize that cookie and say, Oh, that, that’s a cookie one, two, three, four.
We know that’s Justin. And then they can tell the new website owner, the coffee tables. com. Oh, well, this person didn’t buy anything, but for a small fee, we can let you email that person to try to nudge them to buy more. And it’s like, that’s definitely a common practice. And sometimes it’s actually convenient.
Like a lot of time I’ve gone to like a[00:15:00] a coffee shop and then I’ve, I’ve checked out and then later I got an email address for that receipt and that actually makes I was kind of surprised by it because I never gave them my personal information, but it also makes like doing my expenses a little bit easier, but then.
If I get signed up for a loyalty program or if I get, you know, Decided to get marketing messages. That’s more annoying and so it’s companies like right now trying to find like what’s the what’s the appropriate line for what’s a useful little nudge? And what’s the what’s? Yeah. So as a, as a regular consumer, if I’m just visiting a website, how would I know what data is being collected from me?
Yeah. Unfortunately, there’s no great answer to that. Cause like, you know, it’s kind of intuitive what you’re handing over. But then again, if you enter an email address, like you think you’re just sharing it with the Washington post or whoever. You don’t necessarily think that this could go to a data broker, this could go to someone else, this could get shared with Google or Facebook.
I think it’s not really fair to expect consumers to [00:16:00] try to read privacy policies. I mean, first of all, we visit, we all visit dozens of websites a day. It would just not be practical to scroll to the bottom and find the privacy policy and then try to read it all. Even if you did, like, it doesn’t necessarily say anything very concrete.
It says we reserve the right to share your data with select marketing partners or affiliates and like no one’s Even, yeah, even if they took the time, they had four hours a day to do that. They’re not gonna be able to decipher it. So unfortunately, it is not really clear to folks. You know, a lot of A lot of sites are now, like, trying to get you to agree to cookies when you go there, when you, when you show up, probably recreating the, recreating the, the European experience, which is mandated by the e privacy directive.
They’ll say, okay, are you okay with cookies? But even then, like, you know, maybe you’re like, okay, well, first party cookie, that’s fine. Just so they can, you know, process my transaction. They may not necessarily understand. They’re agreeing to, like, then embed, like, dozens of other companies from, from setting their cookies as well.
So it’s. It’s definitely a lot to ask folks to try to figure out. [00:17:00] Absolutely. So you kind of touched on sharing data. So once a website collects data, is it customary for that data to be shared? Like, what does it mean to share data? Yeah, it’s pretty common. So, I mean, that’s like the way that the web is architected.
So when you go to any publisher site. There’s usually going to be like dozens, I don’t know, of third parties embedded there. And then just by the nature of the way the web is set up, you know, it sets a pixel and then it pings to them. And then they can set their own, their own cookies. And so that by, by definition kind of shares data with them.
You know, it’s kind of open question is considered to be a data sale. You know, is a company promising only to do it for very limited reasons, just to help the first party, in which case maybe that should be under certain rules. But again, that’s really hard for any individual to, to figure out, even if they know.
Even if they, like, they set a web browser extension to show how many third party services are on any given site, they can’t [00:18:00] really necessarily know what any of those third parties are doing. Maybe they’re totally benign, maybe they’re actually helpful, maybe they’re making the site experience better.
Or maybe they’re a data broker or doing something that they might consider to be more nefarious. Yeah, I think a lot of consumers don’t understand that you do have to share data somewhat to be able to run a business, right? Like, let’s say I buy shoes online. My information has to be shared with a shipping company to ship the actual shoes to me, right?
So that kind of sharing is is expected and customary and it has to happen to provide the goods and services that people are buying. But I think there’s a whole another sense of sharing where. Sharing is not necessary and not expected, right? So instead of sharing something with a shipping company, you’re sharing data with a data broker.
Yeah, it’s definitely a continuum. So like some, some sharing is totally fine. Like your example is a good one. I often use Amazon. I go to Amazon. I don’t want them to have to like [00:19:00] get separate permission from me to share my information with like UPS just to send it to me or to process my credit card.
Like that’s kind of intuitive. Like I don’t need to click some. Okay. Yes. You may ask chase to charge me money. That’s kind of like intuitive to me. And then there’s like some kind of like middle ground area, like sharing with like maybe the Google analytics. And like, again, that’s just like to make the site run perfectly maybe to like, you know, to some basic debugging.
Maybe that’s not too controversial. And maybe there’s some like sites to try to like optimize the site to make it better or maybe make it a little bit more effective and trying to get me to buy stuff. And maybe that feels a little bit more manipulative, but it’s all still right there in that, in that first party experience.
And then there’s like, yeah, sharing with data brokers again, maybe to, to help connect coffee tables. com to, to me in the future in ways I would never possibly expect. And I think the laws. Try to distinguish that. And so all these new laws that are being passed often preserve a lot of like the basic operational uses and [00:20:00] maybe some of the, the analytics and and maybe, maybe even more expansively things like audio measurement or, or advertising effectiveness and then try to actually attack more directly the sharing with data brokers or sharing for targeted advertising.
So how would a website owner know that they’re sharing personal data? Do they just, you know, think about the fact that they’re using third party services, so that means that they’re sharing data? Yeah, that’s a good question because I mean, yeah, it seems kind of intuitive. The website should know what it’s doing, but in practice, you’re right.
A a lot of a lot of websites don’t actually know what they’re doing. By default it’s kind of expected that, that websites will have to rely upon a lot of third party services to deliver the functionality they expect, like Google analytics like the Facebook pixel. And so, you know, almost all websites now do rely upon third parties and the mobile app for even more so that you, you’re, you kind of rely upon.
Software development kits, SDKs to kind of build a lot of the basic functionality of the app and in some way that [00:21:00] democratizes apps, it kind of makes it easier for like a small developer to do stuff that they can just rely. on Google or Facebook or someone else to do a lot of plumbing for you, which is great.
But it also means you kind of, you lose a lot, a lot of control. And so a lot of websites will, you know, no, they embed Google and Facebook and maybe like 10 or 20 other companies, but they probably won’t necessarily have the capacity to figure out what they’re doing, or they might not configure it right.
And so there’s been lots of like, I guess many scandals where I like to say, Hey, this is, this, this, this app is sharing data with Google and Facebook. And like, you know, that, that’s understandable, but like a lot of times Google and Facebook will say, well, we didn’t want that data. We don’t want like to know like what prescriptions you’re buying or what your medical history is.
We tell a company is not to do that. But again, it’s kind of like companies are, you know, you’re a small business. You’re trying to like, you know, meet payroll and do lots of, lots of. Like a thousand things, and maybe you’re not an expert coder, or maybe you’re relying upon, you know, a cousin to help you [00:22:00] configure your site.
And again, you may not necessarily know all what all the companies you’re relying upon are doing with your data. I mean, it’s, it’s definitely too much for consumers to, to read. 20 privacy policies. But it’s also a lot to expect, like business business owners to to read and process 20 privacy policies.
Maybe they should be. But in practice, I think it’s just not happening. It’s interesting seeing from all these new privacy laws, seeing so many new products that are more privacy focused for businesses, like Google Analytics alternatives that don’t collect all this data. So it seems like there are a lot of choices, but those privacy focused choices are there.
paid. You know, because with Google, it’s free because they get the data and then they sell it and then they make the money. But with the alternatives, you do have to pay for them, but they do offer more privacy protections. Yeah, I think there is more of a market for it. I mean, again, I think we have had like 15 or so new laws and obviously, you know, Europe has [00:23:00] had a law in effect since 1995, but they’ve gotten more aggressive in enforcing it.
And again, it’s all trying to, you know, go back and in some ways put the genie back in the bottle, you know, back in the way websites were developed back in the nineties, you know, they did rely upon third parties and, you know I think they didn’t, like people knew it was a problem back then third, third party cookies.
were kind of an accident of web development. They weren’t like designed to do that, but then people realized, oh, they could use cookies for this purpose. And I know like Epic, the, the privacy group sued DoubleClick back in the day for tracking people using third party cookies. And the court said, no, it’s actually probably okay under the law.
And it probably was like legally but people are still creeped out by it and don’t like it. And so I think now we’re seeing. Lots of efforts to try to undo that. And again, I think it would be great if we can rely upon more privacy friendly alternatives to it. You know, again, Google is largely dependent upon a lot of third party tracking for a lot of their revenues, though, again, like a lot of the basic search revenues is not by nature, privacy invasive, but stuff they [00:24:00] do through the, the, the double click and AdMob services do rely upon that.
But, but even Google, you know, does, does recognize that. A lot of this needs to change and the, the winds are shifting. And so you know, they’ve announced they’re getting rid of third party cookies in Chrome at some point, though there’s a lot of open question about what they’re going to replace it with.
If, if, if, if the replacement is going to do the same exact thing, maybe in slightly more privacy preserving way, but still with a net result about people getting targeted ads or having data share in ways they wouldn’t expect. So a lot of that’s still to be determined. Yeah, it seems like they’ve been working on it for forever now, but let’s talk about selling personal data.
So I think there’s two meanings to selling personal data. So one is kind of the conventional sense, which I think that most consumers think of, which is taking the data and then scrolls, Selling it and getting money in return. And then we also have the new privacy laws where they talk about providing data for other [00:25:00] considerations.
So you can provide it for money or other consideration. So what does selling data actually mean? Yeah. So I think yeah, the original CCPA was written explicitly said, don’t there should be an opt out to selling data and a lot of companies in response to that. So, well, no, we don’t really sell data, right?
You think about like a shoe company like shoes. com and they’ll embed Google on their site or advertisers on their site and and, and they’ll, they’ll share data. But then they’ll also will give them money. And so, Hey, you know, here’s some money, go target this person somewhere else. And so I think they would say, well, it doesn’t really feel like you’re selling data, you’re both, you’re kind of giving the data away and giving some money away in exchange for advertising, you’re selling advertising.
And so a lot of companies said the CCP doesn’t apply to us. And so but again, the CCPA was trying to get to that, they just didn’t really maybe articulate it quite well, and so the CCPA was then revised to say, okay you can now opt out of selling or sharing to try to get to other ways of commercial sharing that [00:26:00] felt invasive and you might want to offer folks the ability to opt out of that.
Other states got, got to it in different ways. They, they retained the definition of the prohibition or the opt out for, for selling. They, they phrased it a little more expansively, right? Like you said, for any consideration, but then they also offered new opt outs. Like there’s now opt out for targeted advertising in most of these states.
It’s also an opt out for profiling.
And so I think what was originally perceived of as a loophole in the CCPA, I think has been closed, though closed in different ways. And again, we’re still relatively early days on enforcement. There’s still Even though we have like 15 of these new laws, there’s still only been like one actual enforcement action of the CCTA, and that was, that was over a year ago now.
Yeah, I think the opt out of sharing is very confusing too, because with the new consent mechanisms that they have, so now it’s opt out of sale and opt out of sharing. But opt out of sharing actually means opt out of sharing of [00:27:00] your personal information for purposes of targeted ads. So like opt out of sharing my information with Facebook or something like that, which I think to a regular consumer opting out of sharing means don’t share my data at all with anyone.
Yeah, it’s a fair point, right? It says opt out of sharing, but then like there’s like preserved operational purposes and operational purposes under the CCPA are really broad. You can argue like this most things except for targeted advertising. So maybe it is the same that maybe it’s just the opt out.
In both California and Colorado, and I’ll be there a stage since just around targeted advertising. It was something we fought against. We thought, like, again, like, you don’t want your data shared. You know, you probably don’t like, you may not like targeted advertising, but again, you may not want Google to have.
All your records, all the websites you go to, and there’s doing it for like machine learning or AI for anything else. Maybe you just think it’s none of their business. So we pushed back on that and we argued for a more expansive view of sharing or at least like fewer carve outs, fewer loopholes, but we lost that fight.[00:28:00]
But then again, like now we have like the California Privacy Agency who’s enforcing that. And again, I think there’s still like some open question around like what degree of sharing is allowed. I don’t know. Again, there’s, there’s not been a ton of enforcement. And so and I guess I said, and the other laws, but no enforcement.
And so again, what degree of sharing is operationally preserved? I think it’s still an open question. Like the one, the one enforcement case was the Sephora case, and that took a pretty broad view and said, you know, they embedded Google, blah, blah, and that was it. And then, but now the, the law has been revised.
Again, to add sharing, but then I also added some operational exceptions. And so I think there is some uncertainty in the law. Yeah, there’s definitely a lot of confusion. And then they come out with regulations that conflict with the text of the law itself. So it’s very hard to determine what you actually should do.
But, you know, how would somebody know if their data is being sold? I mean, do they look at the bottom of the website and [00:29:00] see, do not sell my data? That means they’re selling it. Like, how would I know? When visiting a website, whether my data is being sold. Yeah, I mean, again, that puts a lot of bonus on users to get who go to dozens of websites today, and it’s really hard to to really figure it out.
And so I think it’s really, yeah, I think it’s just not practical to expect someone to know if any particular site is doing it. Obviously, there’s a lot of advertising being embedded. A lot of like sites, like if it takes a long time to run and there are a lot of scripts that are running it’s not a good sign.
There’s probably a decent chance of something sharing, a lot of sharing going on there, as opposed to somewhere like Wikipedia, which loads super quickly and like that feels safer. But again, it’s not, it’s not necessarily definitive. You know, I guess one, you know, one right, all these laws offer data access rights now.
And so you do have the ability to go to say like a Google or a Facebook or a data broker and, you know, find out what kind of records they have about you. And then maybe you can tie that back to who might’ve sold it to them. But that still puts a lot of onus on folks. [00:30:00] And, and I think most folks aren’t going to do that.
You know, consumer reports, we, we try to do like participatory studies where we try to recruit like, you know, like a thousand folks to kind of, to say, Hey, Share your, you know, go access your request from Facebook and tell us what you got and like we try to help decipher it and tell folks tell the world like, you know, what kind of things we see to help, you know, crowdsource that and make it easier for folks.
But for any individual to do it is pretty overwhelming. So why is why selling personal data bad for privacy? Like, what are the risks of your data being sold? Yeah, I mean, like, obviously, like, I mean, a lot of it’s just used for marketing, which again, you might find obnoxious, like, you don’t want to, like, go, you know, have, like, the shoes you saw follow you around, especially if it’s, like, on a shared device, like, you know, we’re getting near Christmas time, and I’ve definitely had, like, Christmas presents ruined for me when I saw what my wife was shopping for on the same computer, and so that would just be maybe annoying to you.
Oops. More, you know, but I could also, you know, again, be sold to data brokers for other purposes, right? It could be used, you know, it could [00:31:00] potentially be used for hiring or credit decisions or things, something that’s more consequential. You know, we have laws around that, but like, they’re not necessarily always followed.
And you may not necessarily know, like, why, you know, if a company was, you know, using a service that reviewed your, your social media history, you may not ever, ever be able to find that out. You know, it could be, it could be exposed in a data breach. We’ve had tons of data breaches that expose, you know, personal information.
And so they have, if a company has like a pretty detailed dossier about you that were exposed to the world and someone could just look it up, that could potentially be embarrassing, but kind of more fundamentally, it’s just. Not really their business, right? I mean, like, you know, you think, you know, you don’t necessarily have to articulate, you know, what could go wrong if someone’s, like, looking over your shoulder, and, like, the, the idea of privacy is some, like, some right to seclusion, the right to be left alone and, you know, maybe motivated by concerns about what could go wrong, but, like, you know, fundamentally, I think of it as a, as a right, where we should have some right to not have someone on our shoulder watching every single thing we do all the time.
Thank you. Absolutely. My husband and I [00:32:00] share an Amazon account. So during the holidays, we are forbidden from looking at the order history when things are arriving. Yeah. And I think like that, that, that was, and then, and that’s, you know, understandable and like Amazon actually makes it easy for you to bifurcate it.
And you can share a prime membership. Cause I’ve done, I’ve done the same thing. But again, the app that kind of ask a lot of folks kind of micromanage their, you know, everything like, you know, okay, we can, we can Have certain rules for Amazon. But again, it’s suddenly you’re just like, you know, going to the New York times and want to read the news.
And suddenly you see like, you know, like the, the coat that you’re just shopping for it can be pretty frustrating. And so I think a lot of folks in response, just. Install ad blockers to kind of like cut advertising out entirely. And, you know, I’m sympathetic to that because like that’s probably the easiest way to make sure that no tracking happens.
I actually, I actually like advertising. I don’t mind it. I just don’t want it to be like tailored to every single thing that I’ve done online. But I think for most folks, like the kind of brute force solution is probably the most effective right now. I have [00:33:00] all of my advertising privacy settings on and the ads that I receive are amazing because they’re so far from what I would actually be interested in.
A great example is I get ads for, for men’s underwear that are extremely graphic about men’s issues. And it’s really funny just. of who they think that I am having very little data. Yeah. I would say I was like, fine. Like the ways ads be startling, like, you know, again, ways zone by Google, like one of the most sophisticated companies in the world.
And there was like, do you want to drive like 80 miles out of your way to go to Kohl’s? I’m like. No, not really. And again, I find it charming how untargeted and maybe ineffective it is, but it is somewhat startling. I mean, again, that’s the case where they have some, some degree of, you know, first party data about you.
And maybe, you know, there was a coffee store right nearby. Maybe it would not be terribly invasive because they know where you are. If you’re stopping for a little bit, like that’s, that’s the sort of ad that folks might find to be somewhat more [00:34:00] contextual. But it’s, it’s, it’s more like when, you know, you’re doing something totally unrelated and they’re using some fact about you that they don’t necessarily have any right to know that I think folks find to be more, more objectionable.
Yeah, absolutely. You know, like women getting ads for, for pregnancy products you know, or something like that, which can be very sensitive. Do you have any final tips for businesses on ensuring that they treat customer data responsibly? Oh, geez. Yeah. I mean, try to do some due diligence. I mean, you know, for better or worse, these laws apply mostly to the businesses and not necessarily the data brokers and the ad tech companies are using.
Because again, it’s a right not to have your data shared or sold. And so that falls upon the company that’s doing the sharing, not necessarily the company that’s doing the collecting. And so again, the one enforcement action was against Sephora, like a publisher, And not against like all of the third parties who [00:35:00] got the data from Sephora.
And so the legal obligations are on you for configuring your website. And so, you know, trying to know like, you know, what you’re, what you’re doing, trying to honor, you know browser based signals to, to, and again, like most of the, the most I think publishers rely upon like a company like OneTrust or, or, or Transcend to.
To do a lot of the work for them and they do offer good tools. They are helpful to kind of like either honor global controls or to limit sharing to a lot of cases. It is some work. But I think, you know, fundamentally to, to to respect your customer base. I think you kind of need to do a little bit of legwork to not share data that they wouldn’t expect you to do.
Awesome. Well, thank you so much, Justin, for joining us today and for sharing your, your tips and your knowledge. This has been super helpful. And for anybody listening, make sure to subscribe so you don’t miss the next episode.