Data selling 101: protecting your business and your customers’ privacy

Collecting and selling user data is a common practice, where that data is sourced from websites and applications. Individuals’ online activities create data that enables companies to optimize their marketing efforts and create better experiences for their customers.

The data resulting from browsing websites, shopping, interacting on social sites, and other online activity, is collected, processed, and sold by a variety of companies, websites, and analysis firms. In fact, data collection and data selling are a big part of the modern digital economy.

Let’s look at the what, when, why, and how of companies that collect and sell user data.

User data collection refers to the practice of gathering information about users or visitors to websites, apps, or online properties or services. This data can include various types of information, such as:

Before companies can process, package, or sell user data, they first need to collect it.

Data comes from nearly everywhere online, even when many people think they’re not doing anything. Browsers, apps, and other software can record IP addresses, revealing location. They also log browser type and version, operating system, device type, and whether a paid or free version of an app is in use.

Search history is valuable, too. Websites track the pages visited, search terms, what’s clicked on, and other activities. They also track the sites or pages visited before and after, items added to the shopping cart but not purchased, and detailed purchase information, including shoe size, favorite color, credit card details, and shipping address.

Ultimately, each of our digital interactions is a rich source of data, revealing who we are, what we like, and how we live. Companies want as much user data as they can get to use for targeted advertising, product development, website and app optimization, personalization, or to sell to third parties as a revenue stream.

79% of global companies collected personal data on individuals living in North America, Western Europe, and other developed regions in 2023.

Typically, companies collect a vast amount of user data, ranging from basic personal information like names, email addresses, and birthdates to more extensive details about behavior, interests, location, and even physical characteristics, depending on the company’s data needs or sales goals.

Organizations use various methods, like website tracking via cookies, forms completed by customers, and purchase records to build data profiles. This information can be used and stored across a company, from marketing to customer service to finance.

While data enables personalization, marketing, product improvement, and business insights, companies must balance data collection practices with user privacy concerns and compliance requirements from data protection regulations such as the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

Before selling data, companies typically process it in various ways to make it valuable and useful. It can be categorized by type of data or target demographic, for example. It can be from first- or third-party sources. It could be identifying or not, or have been de-identified.

Some data is made anonymous, ensuring the identities of individuals are not revealed to buyers. This anonymized data is still useful for understanding broader demographics and improving customer experiences, similar to Google’s planned switch from third-party cookies to newer strategies like Topics. Other data can make an individual identifiable without aggregation, including names, ID numbers, and email addresses

However, not all companies follow good data processing practices. Some may fail to secure user consent before collection where required. Some may not store data securely, limit employee access to it, or fully anonymize it when needed. While companies and data brokers typically do not make data publicly accessible, breaches can occur, leading to stolen data being sold illegally or otherwise misused, e.g. for credit card fraud or identity theft, causing harm to individuals and damaging companies’ reputations.

Companies collect data to predict demographics, learn about customer preferences, recommend products, and more. This data can be used directly by a company for purposes like emailing customers about sales or improving their website, or it can be sold to other companies or data analysis firms. Common uses include:

• tailoring products or services to target consumers
• advertising more accurately
• conducting statistical analysis

Data is valuable because it helps companies understand customers better, predict trends, and increase profits.

As noted, however, data is not always collected or used respectfully or compliantly. Consumers are increasingly savvy about access to their personal data online and fed up with intrusive practices by companies. Some of these intrusive practices can include unsolicited emails, endless ads for something they’ve already bought, or feeling like their devices are spying on them.

Often, when individuals are active online, such as when shopping, they agree to terms and conditions or privacy policies that allow their data to be used for marketing purposes. The agreement to such policies can often be built into the transaction. Though they agreed to the policies, few people actually read the terms and conditions before agreeing to such terms, and may not appreciate what they’ve agreed to.

While so-called click-wrap agreements are generally legal, in recent years there has been more scrutiny from data protection authorities on such agreements. In fact, some large tech platforms have been fined for detailing consent-related terms or practices regarding data collection and use of personal information deep in their terms and conditions rather than more prominently. Such actions are dubious under the GDPR, for example, which requires users to be accessibly informed about data processing and user rights, and requires user consent to be informed as well.

The sale of user data is big business. Companies may collect data for their own business needs, but they can also sell it as well. Under some data privacy laws, companies are required to explicitly disclose whether they sell personal data and to enable individuals to opt out of such sales. Companies that sell data can be broadly categorized into two groups.

Many companies across various industries collect, process, and/or buy user data. Companies want to know more about their target customer(s) or how to grow their business more efficiently via their website. They also seek to build strategies or projections based on how consumers have been acting or spending.

The legality of selling personal information depends on where your customers are, and, in some cases, where your business is located. Some privacy laws, such as the GDPR, require obtaining user consent before data collection (opt-in). California’s CPRA allows data collection without consent in many cases but requires an opt-out option for data sales or sharing. To enable this, the CPRA mandates a clearly accessible “Do Not Sell or Share My Information” link on websites. The laws can also have separate rules for the sale of sensitive data.

User data can often legally be sold under conditions that prioritize transparency, user consent, and compliance with relevant data protection laws. Companies must clearly inform users about the potential sale of their data, generally via a privacy policy or cookie banner.

Under many global privacy laws, individuals must provide valid consent for their data to be sold, such as through an opt-in mechanism (required under GDPR). Alternatively, they need to be allowed to opt out of data sales (required under CCPA/CPRA). Interestingly, however, the GDPR does not include direct rules about selling data.

Some companies try to require consumers to agree to data collection to use their services or products. This approach is illegal in some jurisdictions, and generally frowned upon by data protection authorities. Another approach that generally is not acceptable is charging users more or otherwise subjecting them to a different customer experience if they opt out of sharing their personal data. These practices do reduce the likelihood of users opting out — by design — enabling companies to collect more data, so they remain attractive to companies.

In some instances, data anonymization must be completed to protect private or sensitive personal information before the data can be sold. Some laws that don’t generally require prior consent still do require it for the collection and use of sensitive personal data, which can do more harm to individuals if misused. Commonly, data belonging to children is automatically categorized as sensitive under privacy laws and is subject to additional requirements to obtain valid consent.

For companies doing business with California residents, the CPRA requires companies to clearly and prominently display a “Do Not Sell or Share My Personal Information” button or link on their website. (Under the CCPA, which preceded the CPRA, the requirement for the link only included the sale of personal data.) Consumers can’t opt out of the collection and use of their personal data entirely (with a few exceptions), but they can decline sharing or sale, which also includes targeted advertising or profiling.

No matter the type of business you operate, it’s crucial to have a clear understanding of legal data privacy requirements. It’s common for data privacy laws to be extraterritorial (to apply across the borders of a state or country), so your business will have to comply with relevant laws if your website visitors, customers, app users, etc. are from a region with a privacy regulation, even if your company isn’t based there.

Online, customers can often be located anywhere, adding potential complexity to data collection and privacy compliance. Even basic functionality like data collection via website cookies or login systems calls for comprehensive data privacy and protection practices.

Understanding varying compliance parameters—such as revenue thresholds and consent models — is essential. Companies should engage qualified legal counsel and/or a privacy expert to ensure their data privacy compliance strategies and operations are robust and can be maintained over time as technologies, business goals, and regulations change.

Dealing with sensitive data, especially, requires enhanced protection and consent. Overall best practices dictate comprehensive policies and actions for obtaining data, as well as security, sharing (for processing or sale), deletion, managing consumer requests, generating risk assessments, and complying with audit requirements. Under some laws and circumstances, it’s a legal requirement to appoint a data protection officer (DPO) to oversee these operations; in other cases, it’s only a recommendation.

Many companies sell personal data about their customers to third parties. This data includes information about your account and history with them, including personal details, purchase transactions, and more. This can be quite profitable, and, as noted, a second use of already collected data from which companies have already gleaned value through their own analysis and marketing efforts.

Such sales do raise privacy concerns for consumers, especially when personal information is being shared and sold without their knowledge or consent — or at least not comprehensive understanding — often to entities they know nothing about. This data could potentially be used for ad targeting, to make automated decisions about you, or a variety of other uses.

If any entities the data is sold to have less than robust data protection practices, they could be a weak security point and the source of a data breach. It makes sense, through that lens, that some data privacy laws classify violations as bad trade practices and enforcement is handled accordingly.

Google states that it does not directly sell consumer data. However, it aggregates, shares, and monetizes user data in various ways.

Google allows advertisers to upload lists of users they want to target and then serves ads to those users across platforms like Search, YouTube, and Gmail. This indirect access lets advertisers reach specific users without directly handling their data. Additionally, during real-time bidding for ads, Google shares user data such as device IDs, IP addresses, and browsing activities with companies involved in the bidding process, often without explicit user consent.

Google uses first-party data collected from its products to create detailed user profiles for targeted advertising. While this data is not sold directly, it is monetized through personalized ad targeting. Google states it does not share personally identifiable information in bid requests or with advertisers without user consent. Users can control data sharing for ads through Google’s “Ads Personalization” settings.

To comply with regulations like the GDPR, Google has implemented solutions like Google Consent Mode, which restricts and controls data collection by and for Google services via tags based on user consent. Consent Mode enables websites to communicate user consent preferences to Google’s ad and analytics products, ensuring data processing only when permitted.

Not all customer data can be sold, and some data collection has specific consent requirements due to regulations like the GDPR and the CPRA.

Personal data such as Social Security numbers, banking details, and health records are not typically monetizable by data brokers since such data is not available for collection and is legally protected from sale. Privacy laws tend to defer to existing laws that protect health and financial records, for example. As the data involved is more sensitive, these laws tend to be quite stringent.

Some other kinds of personal user data, often referred to as sensitive personally identifiable information (PII), can be processed, but require explicit prior user consent from the individual or a parent or guardian.

Personal data that is or has been made public, like government records, social media posts, or search engine queries, can usually be processed without user consent.

It’s important to remember that organizations that collect, process, or sell data illegally can be held liable and heavily fined. Some privacy laws, like South Africa’s Protection of Personal Information Act (POPIA), even include the possibility of a prison sentence.

Companies are facing increasing regulation and scrutiny from data protection authorities around data sharing and selling practices involving user privacy. There are two key developments that organizations need to know about going forward.

Firstly, data protection authorities are cracking down on companies’ ability to freely collect, share, and sell personal data without user consent. Many laws mandate that companies obtain explicit consent from users before collecting, sharing, or selling consumer data for purposes like targeted advertising or personalized marketing. Companies must also be transparent about their data practices, users’ rights, and how those rights can be exercised.

Secondly, as third-party tracking cookies are being phased out, companies are shifting towards leveraging first-party and zero-party data strategies that rely on information voluntarily provided by users. By focusing on these voluntary and higher-quality data sources, companies can continue personalization and marketing efforts while respecting user privacy.

Additionally, measures like Google’s Consent Mode help companies communicate user consent preferences throughout the marketing ecosystem and only process data when permitted under privacy regulations and requirements levied by influential tech partners like Google.

Overall, there is a concerted push from regulators, privacy advocates, and influential players in digital markets to move away from unchecked data sharing and selling practices that violate user privacy. Instead, the emphasis is now on consent-based marketing.

The collection and use of user data is widespread but increasingly under scrutiny. Many consumers are becoming more aware of how their data is collected, sold, and used without their explicit understanding or consent.

Large tech platforms that millions of companies rely on, like the gatekeepers designated under the Digital Markets Act (DMA), are also ramping up new privacy-centric requirements. When your ad revenue, access to audiences, and more depends on access to those platforms, it’s a strong incentive to comply.

However, this doesn’t mean the end of data-driven practices. Companies can navigate this landscape successfully by prioritizing clear communication with users and obtaining their consent for data collection and sale. By doing so, companies can not only comply with regulations but also foster trust and loyalty among visitors and customers. This ethical approach not only mitigates legal risks but also positions businesses ahead in a competitive market where consumer trust and data privacy are paramount considerations.