You’ve likely run into this claim from tech giants before: “We do not sell your personal data.” Companies from Facebook to Google to Twitter repeat versions of this statement in their privacy policies, public statements, and congressional testimony. And when taken very literally, the promise is true: Despite gathering masses of personal data on their users and converting that data into billions of dollars in profits, these tech giants do not directly sell their users’ information the same way data brokers directly sell data in bulk to advertisers. But the disclaimers are also a distraction from all the other ways tech giants use personal data for profit and, in the process, put users’ privacy at risk, experts say. Lawmakers, watchdog organizations, and privacy advocates have all pointed out ways that advertisers can still pay for access to data from companies like Facebook, Google, and Twitter without directly purchasing it. (Facebook spokesperson Emil Vazquez declined to comment and Twitter spokesperson Laura Pacas referred us to Twitter’s privacy policy. Google did not respond to requests for comment.) And focusing on the term “sell” is essentially a sleight of hand by tech giants, said Ari Ezra Waldman, a professor of law and computer science at Northeastern University. “[Their] saying that they don’t sell data to third parties is like a yogurt company saying they’re gluten-free. Yogurt is naturally gluten-free,” Waldman said. “It’s a misdirection from all the other ways that may be more subtle but still are deep and profound invasions of privacy.” Those other ways include everything from data collected from real-time bidding streams (more on that later), to targeted ads directing traffic to websites that collect data, to companies using the data internally.
How is my data at risk if it’s not being sold?
Even though companies like Facebook and Google aren’t directly selling your data, they are using it for targeted advertising, which creates plenty of opportunities for advertisers to pay and get your personal information in return. The simplest way is through an ad that links to a website with its own trackers embedded, which can gather information on visitors including their IP address and their device IDs. Advertising companies are quick to point out that they sell ads, not data, but don’t disclose that clicking on these ads often results in a website collecting personal data. In other words, you can easily give away your information to companies that have paid to get an ad in front of you. If the ad is targeted toward a certain demographic, then advertisers would also be able to infer personal information about visitors who came from that ad, Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, said. For example, if there’s an ad targeted at expectant mothers on Facebook, the advertiser can infer that everyone who came from that link is someone Facebook believes is expecting a child. Once a person clicks on that link, the website could collect device IDs and an IP address, which can be used to identify a person. Personal information like “expecting parent” could become associated with that IP address. “You can say, ‘Hey, Google, I want a list of people ages 18–35 who watched the Super Bowl last year.’ They won’t give you that list, but they will let you serve ads to all those people,” Cyphers said. “Some of those people will click on those ads, and you can pretty easily figure out who those people are. You can buy data, in a sense, that way.” Then there’s the complicated but much more common way that advertisers can pay for data without it being considered a sale, through a process known as “real-time bidding.” Often, when an ad appears on your screen, it wasn’t already there waiting for you to show up. Digital auctions are happening in milliseconds before the ads load, where websites are selling screen real estate to the highest bidder in an automated process. Visiting a page kicks off a bidding process where hundreds of advertisers are simultaneously sent data like an IP address, a device ID, the visitor’s interests, demographics, and location. The advertisers use this data to determine how much they’d like to pay to show an ad to that visitor, but even if they don’t make the winning bid, they have already captured what may be a lot of personal information. With Google ads, for instance, the Google Ad Exchange sends data associated with your Google account during this ad auction process, which can include information like your age, location, and interests. The advertisers aren’t paying for that data, per se; they’re paying for the right to show an advertisement on a page you visited. But they still get the data as part of the bidding process, and some advertisers compile that information and sell it, privacy advocates said. In May, a group of Google users filed a federal class action lawsuit against Google in the U.S. District Court for the Northern District of California alleging the company is violating its claims to not sell personal information by operating its real-time bidding service. The lawsuit argues that even though Google wasn’t directly handing over your personal data in exchange for money, its advertising services allowed hundreds of third parties to essentially pay and get access to information on millions of people. The case is ongoing. “We never sell people’s personal information and we have strict policies specifically prohibiting personalized ads based on sensitive categories,” Google spokesperson José Castañeda told the San Francisco Chronicle in May. Real-time bidding has also drawn scrutiny from lawmakers and watchdog organizations for its privacy implications. In January, Simon McDougall, deputy commissioner of the United Kingdom’s Information Commissioner’s Office, announced in a statement that the agency was continuing its investigation of real-time bidding (RTB), which if not properly disclosed, may violate the European Union’s General Data Protection Regulation. “The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now,” McDougall said. “Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data.” And in April, a bipartisan group of U.S. senators sent a letter to ad tech companies involved in real-time bidding, including Google. Their main concern: foreign companies and governments potentially capturing massive amounts of personal data about Americans. “Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them,” the letter said. “In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments.” On May 4, Google responded to the letter, telling lawmakers that it doesn’t share personally identifiable information in bid requests and doesn’t share demographic information during the process. “We never sell people’s personal information and all ad buyers using our systems are subject to stringent policies and standards, including restrictions on the use and retention of information they receive,” Mark Isakowitz, Google’s vice president of government affairs and public policy, said in the letter.
What Does It Mean to “Sell” Data?
Advocates have been trying to expand the definition of “sell” beyond a straightforward transaction. The California Consumer Privacy Act, which went into effect in January 2020, attempted to cast a wide net when defining “sale,” beyond just exchanging data for money. The law considers it a sale if personal information is sold, rented, released, shared, transferred, or communicated (either orally or in writing) from one business to another for “monetary or other valuable consideration.” And companies that sell such data are required to disclose that they’re doing so and allow consumers to opt out. “We wrote the law trying to reflect how the data economy actually works, where most of the time, unless you’re a data broker, you’re not actually selling a person’s personal information,” said Mary Stone Ross, chief privacy officer at OSOM Products and a co-author of the law. “But you essentially are. If you are a social media company and you’re providing advertising and people pay you a lot of money, you are selling access to them.” But that doesn’t mean it’s always obvious what sorts of personal data a company collects and sells. In T-Mobile’s privacy policy, for instance, the company says it sells compiled data in bulk, which it calls “audience segments.” The policy states that audience segment data for sale doesn’t contain identifiers like your name and address but does include your mobile advertising ID. Mobile advertising IDs can easily be connected to individuals through third-party companies. Nevertheless, T-Mobile’s privacy policy says the company does “not sell information that directly identifies customers.” T-Mobile spokesperson Taylor Prewitt didn’t provide an answer to why the company doesn’t consider advertising IDs to be personal information but said customers have the right to opt out of that data being sold.
So what should I be looking for in a privacy policy?
The next time you look at a privacy policy, which few people ever really do, don’t just focus on whether or not the company says it sells your data. That’s not necessarily the best way to assess how your information is traveling and being used. And even if a privacy policy says that it doesn’t share private information beyond company walls, the data collected can still be used for purposes you might feel uncomfortable with, like training internal algorithms and machine learning models. (See Facebook’s use of one billion pictures from Instagram, which it owns, to improve its image recognition capability.) Consumers should look for deletion and retention policies instead, said Lindsey Barrett, a privacy expert and until recently a fellow at Georgetown Law. These are policies that spell out how long companies keep data, and how to get it removed. She noted that these statements hold a lot more weight than companies promising not to sell your data. “People don’t have any meaningful transparency into what companies are doing with their data, and too often, there are too few limits on what they can do with it,” Barrett said. “The whole ‘We don’t sell your data’ doesn’t say anything about what the company is doing behind closed doors.” This article by Alfred Ng was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.