Your activity on the internet is valuable. Both in terms of time and money. In fact, everything you do – including everywhere you click, all the pages you browse and anything you buy – is valuable to some company somewhere. Your internet activity and data are collected, processed and sold daily by a variety of companies, websites and analysis firms.
Why? So they can use that data to sell to you again, or sell it to others for a profit. Data collection and sale are a huge part of the modern digital economy. From sole proprietor online shops to tech giants like Google and Facebook, user data is used for everything to do with sales, marketing, product development, user experience, and more.
Let’s explore what exactly it means for companies to collect and sell user data. We’ll also go over how important compliance with relevant privacy laws is, and how you can ensure your company obeys the law, obtains valid user consent and executes smart marketing and data strategies.
Where does user data come from?
Before companies can process, package or sell user data, it has to be collected. To say that data comes from “everywhere” online isn’t really an exaggeration, even if you don’t think you’re really doing anything.
Browsers, apps and other software can record your IP address, which tells them where you are. Which browser (and version) you use is recorded, as is the operating system and what type of computer or phone you’re using. Do you have the paid or free version of that app?
Your search history is super useful, and with every website you go to the pages are recorded, as are search terms, what you clicked on, and other functions. What sites or pages you were on before and the ones you go to after are also tracked. What did you put in your cart, but abandon? And when you buy something, everything from your shoe size to favourite colour to credit card details to shipping address gets recorded.
Every person online is a rich source of data that reveals a treasure trove of information about who we are, what we like, how we live, and more. And companies want as much of it as they can get, either to use or to sell.
What does it mean for companies to “sell” user data?
All these collected data points can be aggregated to make predictions about what demographics might represent you, what other products or services you might be interested in, and more.
A company that collects such data might use it for their own purposes – from emailing you about a sale to revamping their website – or sell it to other companies or to a data analysis firm. Some of the uses for that data are:
- Better tailoring products or services (including the website or ecommerce experience) to target consumers
- Advertising more accurately
- Statistical analysis or other quasi-scientific uses
Data is valuable because it helps companies understand customers and prospects more accurately, predict business or social trends and changes and make more money.
You have likely experienced the results of data collection and sale to third parties firsthand as a consumer. Ever thought your phone was spying on you, wondered how a telemarketer got a hold of your phone number, or how a brand you have never shopped with is sending you emails? It’s probably because your data was sold to third parties.
It’s also par for the course that when you interact online in other ways for specific purposes – like buying those shoes – agreeing to be contacted for marketing purposes by that company or its “trusted partners” is built right into the transaction process. So while you technically did opt in, you were likely unaware of it, or didn’t click through to read the fine print before checking some box.
When used intelligently and compliantly, this kind of data collection and use can be a great thing for businesses. Your company probably already collects user or customer data and processes it to fuel various marketing strategies. There are endless tools and technologies to automate and customize user data collection and analysis online.
What user data is off limits?
Not all customer data can be sold, and some data collection has specific consent requirements, especially due to regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Personal data such as one’s Social Security number, banking details, and health records are not typically monetizable since they aren’t available for collection and are legally protected.
Some other kinds of very personal user data, often referred to as sensitive personally identifiable information (Learn more: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?) requires explicit user consent to be collected or processed at all.
On the other hand, personal data that is or has been made public, like some government records or your social media posts or search engine queries, are generally sellable and do not require consent for collection of sale, since they are already accessible and the data can be easily collected.
It’s important to remember that organizations that collect, process, or sell data illegally can be held liable and heavily fined. Some privacy laws, like South Africa’s Protection of Personal Information Act (POPIA), even include the possibility of prison sentences in some cases.
When can user data legally be sold?
It depends on where your customers are and, in some cases, where your business is located. Some privacy laws, like the GDPR, require user consent before data is collected, let alone sold (opt-in model). In California, though, under the CCPA, data can be collected without user notification or consent, but consent has to be obtained before data can be sold (opt-out model).
The CCPA also requires websites to have a “Do Not Sell My Information” button clearly accessible on website homepages, or similar features that enable consumers to opt out of data sale. As noted earlier, where sensitive data is concerned, people can typically opt out of its collection as well as sale.
Not every state (or country) has a privacy law that protects its consumers like this. In the US only three states have passed privacy laws to date. Though Gartner Inc. predicts that by 2023, 65 percent of the world’s population will have its privacy protected by law. User data can legally be sold as long as legal conditions for its collection and sale have been met and there isn’t any regulation against it. In some instances, for example, data has to be de-identified first. (Learn more: Data Anonymization: The What, Why, and How of Data Anonymization.)
Around the world, governments are taking steps to ensure that consumers know when companies are collecting their data and for what purposes, and that they have the ability to opt out if they choose.
That said, some companies have tried to require consumers to agree to data collection if they want to use a business’s services or products. That way, users are much less likely to opt out, and companies can collect more data. However, many privacy laws make it illegal to make access to products or services contingent upon providing consent for data usage.
This is an incredibly important balance for companies and their apps and websites. Privacy compliance is required, but at the same time companies cannot afford to degrade user experience. Consumers tend to be impatient online, and if they are blocked from getting where they want to go and doing what they want to do quickly, they’re likely to click away and go somewhere else. Privacy notifications and consent choices have to be clear and transparent, but also not detract from the user experience. Optimized user experience can help increase user acceptance rates.
How does data have to be processed before being sold?
Generally, companies that collect marketing data will process it by categorizing it into different graphs or statistical lists. Data brokers or similar companies may also process data by separating it into identifiable or de-identified data buckets.
Some data is rendered anonymous, and the people who provided the data points are not revealed to those who purchase the data sets. This is still useful for broader demographic usage or to improve customer experience generally. It’s a similar approach to Google’s planned switch to Federated Learning of Cohorts (FLoC) from third-party browser cookies. (Learn more: Google’s Federated Learning of Cohorts: why you need to give a FLoC.)
Other data is attached to individual users or identifiable personal information (name, ID number, email address, etc.).
Not all companies or data brokers practice good processing methods. They may not secure or transfer collected data properly. They may not adequately limit access to it or fully anonymize it. Brokers are unlikely to simply collect data and put it online for anyone to check out, since they don’t make money that way, but that can happen if there is a breach and data is stolen (though stolen data is also worth money). This increases the risks of credit card and identity theft for consumers, among other things.
Selling vs. sharing user data
Companies that collect user data don’t always sell it to another organization or data broker. Instead, they will share it as part of corporate partnerships.
Facebook, for example, is known to do this with a variety of other software or social media firms. This arrangement can be mutually beneficial in helping companies capitalize on market dominance, grow their user base, improve their marketing, iterate on their products or services, and more. Sharing user data can enable some companies to get around certain stipulations of privacy regulations as no money is exchanged for the data. (Remember those checkboxes for consent to share data with “trusted partners or third parties”?)
What kinds of companies sell data?
As noted, many companies collect and process data for their own business uses and benefits or those of their partners. For some companies, data collection and sale is a significant part of their revenue. This is reflected in the compliance requirements of several privacy laws, like the CCPA. Under this California law, the compliance requirements for companies are:
- The company has at least $25 million annual gross revenue; or
- The company receives, buys, sells, or shares for commercial purposes, alone or in combination, personal information on at least 50,000 California residents, households, or devices; or
- The company derives more than half of its annual revenues from the sale of personal information.
Clearly, the sale of user data is big business.
The prevalence of easily accessible user data has been accompanied by the increase in data brokerages: businesses that compile personal information from a variety of sources and then sell it to other companies for advertising and marketing purposes. The data that these companies collect is a product and they do not directly use it in their businesses. This business model is very profitable. In 2018, American companies spent over US $19 billion acquiring and analyzing consumer data. Why?
Because the more data a company has, the more effectively it can advertise to its target consumers and the better it can understand the people who purchase its products. Data is the digital equivalent of oil or gold, but more so, as data can be used to affect future behaviours. Customers provide revenue to companies, e.g. by buying products, and the data that users part with in the course of giving the company money for products enables the company to make more money. It’s no surprise that more data brokers and companies than ever before are looking to amass as much personal information as possible.
Consent and user trust
However, just because companies can collect, process and sell user data and make money from it, doesn’t mean it’s the best business strategy long term. At least not in the ways it has often been done before now. As noted, noncompliant data usage can increasingly result in serious penalties, loss of that data, even prison terms.
But even if a company does make efforts to achieve privacy compliance in the regions where they do business, making the minimum effort required still isn’t an ideal business strategy. Because consumers aren’t stupid, and they’re increasingly informed and concerned about their privacy and the use of their data online.
This is, in no small part, due to previous abuses of their data that many consumers have been subjected to, and the advent of tools that enable people to easily check what, where, how and by whom their data gets collected online.
Obtaining user consent should be looked at as relationship building, not strip mining. Companies should view transparency about consent requests and user choice as a key part of their marketing and branding, not to mention customer experience. Clearly explaining to website visitors, app users, ecommerce customers, and others what a company is requesting consent for, and how collected data will be used and secured, shows that the company is investing resources in these consumers and values their privacy.
This enables companies to make consent a competitive advantage. It builds trust with users and encourages return visits or purchases, consent for additional data usage, and the development of long-term customer relationships. This is a much smarter strategy than trying to strip mine people for all the data you can get, then selling it off to the highest bidder, who may use it in unethical or annoying ways.
Who buys user data?
Consumer data is lucrative to sell, but who’s buying it? Any and everyone. Apparel retailers, software companies, movie studios. Just about every industry wants to know its customers or potential customers, what they like, what they buy, and how they can be hooked into greater interest. Data brokers may also buy data from one another to build out their lists, refine their algorithms and improve their data collection techniques.
What you need to know about selling user data
It is unlikely at this point that anyone running an online store, launching an app, or operating any other online property that potentially collects user data is unaware of legal requirements for data privacy. Even with basic website cookies that just enable correct functionality, or anywhere that requires a login, most websites do collect some data, which has to be handled with care.
Organizations generally need to consider where their users or customers are located, as that is how privacy laws tend to define compliance requirements. For example, if a company has customers who are California residents, they are subject to the CCPA. It doesn’t matter if the company is headquartered there or even has a physical office in the state. In the same way, the GDPR protects residents of the European Union and their data, regardless of where the companies that want to collect their data are located in the world. It is increasingly difficult for any business online to not be global.
As also outlined, it’s important for companies to know the compliance parameters of the privacy laws to which they are subject, e.g. revenue or customer number thresholds. The consent model is also important, whether consumers must opt in before data is collected, or only before it’s sold. Companies that do or could collect data from special groups like children also need to be educated and receive counsel from a qualified lawyer, and ensure that peripheral operations, like security, storage, deletion, consumer requests, risk assessments and audits, are also correctly handled.
Fortunately, compliance with any of the major international privacy laws, especially well-established and fairly conservative ones, like the GDPR, ensures a considerable amount of work has been done toward achieving compliance with other international laws, current and future.
“Do Not Sell My Personal Information” – What does it mean?
The CCPA requires companies to clearly and prominently display a “Do Not Sell My Personal Information” button or link on web properties. This is only a legal requirement for companies doing business with California residents, but is a good faith action for other companies as well, and is growing in usage.
This means that companies can continue to collect (non-sensitive) data without consent from California residents, but if a consumer who can be verifiably linked to that data has requested it not be sold, then its use is limited to the company that collected it.
What kinds of personal data do companies collect and sell?
Some types of personal data that such an opt-out could cover are:
- First and last name
- Email address
- Phone number
- Credit card number
- Driver’s licence number
- Social Security Number
- Passport number
- Account username
- Financial records
- Medical records
- Biometric data
All privacy laws outline relevant types of personal information and types that are of increased sensitivity. These definitions are generally fairly similar, though always evolving as technologies continue to advance and change. The ways laws address new tech keep evolving as well.
Privacy laws also outline generally similar rights that consumers have regarding their data, like the rights to access it or have it corrected or deleted. These stipulations are also evolving with technology. For example, some laws enable consumers to opt out of having AI make decisions using their data, but other laws don’t yet address this.
Consumers’ data is collected everywhere online, for more purposes than the average person will ever understand. However, people who read, work, shop, and play games online are not completely ignorant, nor apathetic about the collection, sale, or use of their data. Especially when they have not received clear communication about the practice or provided valid consent to it.
However, these practices are not going away. And user data, whether a company’s list of its own customers, or vast anonymized data dumps to help companies better understand and influence large swaths of society, is a critical component in many business strategies. Around the world, legislation introduced and laws passed aim to keep up with these realities.
Fortunately, all of these considerations need not be at odds. Companies can draw users to their websites and apps, sell their products, and build out sophisticated marketing strategies. Consumers can engage in online activities safely and with the expectation of respect for their privacy.
It all hinges on consent, and doing the work to communicate and obtain consent for data collection – and yes, sale – that is useful to the company, legally compliant and engenders trust with users. Companies that put in the effort to achieve this are future-proofing their operations and creating a competitive advantage.
If you have any questions about data collection or storage, or legally compliant user consent, we’d love to talk. Contact one of our experts!