How Do Sales of Personal Data Work and How to Protect Yourself

What Are Data Brokers?

Data brokers are companies that collect people’s personal information, package it well, and sell it to other companies for money. Other companies buy it because they need the data to make better business decisions.

People whose personal data is being sold often have no idea about it. In the meantime, data brokers grow into billion-dollar businesses.

To give you an idea of how big these companies are:

• In 2019 ad company Publicis bought data broker Epsilon for $4.4 billion
• Acxiom is valued at $4 billion
• ZoomInfo makes nearly $500 Million per annually

All that from harvesting, packaging, and selling personal data.

And to give you an idea of how good they are in their business, check out this piece of one person’s quest to figure out how some companies on the internet knew his data.

In the end, he learned that even Facebook bought data from a data broker. Yes, Facebook, the company we think has the most superior algorithms for automated data processing, has purchased data about its users from data brokers.

Data brokers are serious about data processing. Acxiom, for example, has over 23.000 servers processing data of more than 500 Million people worldwide. That’s about 7% of the total world’s population.

They do not agree, though, and claim to process data of 10% of the world’s population. Only two countries – China and India – have more population than Acxiom’s list of persons whose personal data they have processed.

What Types of Personal Data They Collect and Process?

Data brokers collect and process just about any data category they can collect. Whatever data is good for them. Acxiom processes 1500 data points per person.

Aside from the basic personal information, such as name, email address, home address, phone number, or SSN, they also process massive amounts of data related to your behavior.

This may include your political views, philosophical views on the world, online purchase behavior, family life, etc.

For example, when analyzing your online purchase behavior, they may analyze multiple data points. For example, a simple purchase of a t-shirt online may give them information about:

• What you have browsed before the purchase
• Do you buy during the day, in the afternoon, or late at night
• Do you buy on weekdays or weekends
• How many times you have visited the online store before buying
• Did you look at similar products or not
• What color and pattern was the t-shirt
• If there were some words printed on the t-shirt, what do they mean
• How may these words relate to your worldviews
• Do these words mean that you are single or married or have children
• Do these words mean that you support a certain NBA team
• Did you buy the same t-shirt size as the last time, or you have added some weight

These are less than 1500 data points, but you get the idea.

It is mighty. And the next time, you’ll be served a relevant ad by a random online company that has bought this data.

How Data Brokers Collect Personal Data

As you may know already, just by getting yourself online, some categories of your personal information are already exposed. If you are not one of them, you are exposed. Although private browsing is possible, very few people opt for it.

When you get your data exposed, data brokers await with arms wide open.

They get their hands on your data in two ways: buy it, or harvest it themselves. Purchase data is self-explanatory. Harvesting is done mainly through web scraping.

Web Scraping

Web scraping is an online activity with which someone can send a small piece of software or a script that extracts data from any website on the internet.

So, data brokers send web scrapers to any website that could contain personal data. It collects the data and sends it back to the data broker in a format ready for processing. Then the processing begins. They match many data points about the person, eventually building a person’s profile.

In most cases, they collect the data by scraping:

Public records. Your data from court records, voting records, divorce records, and city/state/federal records made at least partially available to the public. Data brokers take advantage of it to collect everything they can in their databases.

Social network profiles. They won’t hesitate to scrape the public parts of your social media profiles, such as your name, phone number, email address, or others.

Websites rarely forbid web scraping public data from their websites and almost always prohibit web scraping from members-only areas. However, data harvesters never take it seriously and keep grinding, no matter the provisions in terms of Use.
So, if they send a scraper to LinkedIn, aside from scraping public data, they wouldn’t hesitate to access the data visible only to members and collect it.

Yes, it is against the Terms of Use, but they get away with it and keep doing it.

Scraping public data breaches. When personal data leaks from a website, data brokers have work to do – sending the scraper straight to the accident scene to get what they need. It may include sensitive data as well.

Other data brokers. There is a Latin proverb: “A man is a wolf to another man (Homo homini lupus est)” . Well, a data broker is not a wolf to another data broker. They scrape each other’s databases, which never results in legal action.

So, if one data broker has many data points about you, it is likely that many others, sooner or later, will get that data as well – without your consent and your knowledge.

Buying your data from other companies

When scraping is not enough or not possible, data brokers pay for the data out of their own pockets.

Email list aggregators. There are companies whose sole purpose of existing is to collect email addresses of people based on their interests, segment them, and sell the data packaged based on specific characteristics of the users.

For example, you can approach them and buy an email list of 30+ men who use personal finance apps. Or an email list of people interested in paleo diets.

Some businesses buy these lists, but data brokers buy them, too.

Just other companies that have collected your data. Many online businesses who did not intend to sell users’ data manage it for their own needs. However, if data brokers come to them with the right opportunity at the right time, some of them may opt to sell it.

Some laws protect you from such sales, and others do not. Hint: you accept the Terms of Use without reading them further down the article.

How to Protect Yourself?

Data brokers operate in the wild west, but you can challenge them by exercising your data subject rights. But, you have such rights only if the applicable laws grant you so.

As of publishing this article, the GDPR, the CCPA, Nevada NRS63, Brazil LGPD, Canada PIPEDA, and some others protect users from sales of their information.

Keeping in mind that there are two major trends in data privacy laws worldwide – laws similar to the GDPR and regulations identical to the CCPA (only US state laws), there are two primary paths to protection. Both lead through users’ consent. One of them requires it; the other doesn’t.

Protection where consent is required

The laws that require consent to collect users’ personal information usually require approval for selling the data as well. Such laws include the EU GDPR, non-EU European countries, the rules on Brazil, Argentina, Thailand, South Africa, Dubai, Australia, New Zealand, Japan, China, Russia, and other countries that have passed new data protection laws or updated the old ones in the last few years.

Where laws require explicit consent for personal information, including sales, it means that the data controller has to inform the user in the privacy policy that their data will be sold. If the user consents, they are free to do so. If the user says no, sales must not occur.

Step-by-step protection

Take the following steps:

1. Determine the applicable data protection laws. As a rule of thumb, both the laws applicable where the business is located and where you are located apply. I consent for the use/processing of data is required, continue to step number 2.
2. Check out their privacy policy. Determine what they do with personal data and for what purposes. Pay close attention to the parties with whom they disclose personal data or to any section explaining the process of sales of data, if any.
3. Send a data subject request to the data controller. Request information on:
   • With whom they share your personal data and for what purpose, and
   • Whether they sell personal data, including your data.

   This should give you an idea about what they do with data. However, it would help if you were prepared to struggle a bit. If you are an EU citizen and send a data subject request to a US business or an Indian business, these businesses may not be compliant with the GDPR.

   That would mean that you have to explain that the GDPR applies to them when interacting with EU users, and they should be compliant. If they ignore your request, submit a complaint to your national data protection authority. They will make them give you the requested information.

4. Determine if they sell your data. Once you have the requested information, determine what they have done with it, whether by yourself or through the data protection authority.
   If they don’t sell it, this is where it ends. If they sell it, keep reading.
5. Request them to cease selling your data. This is self-explanatory. And whatever their response – positive or negative – continue to step number 6.
6. Submit a complaint to the data protection authority. If your data has been sold without your consent, and the GDPR or a similar law protects you, your data privacy rights have been violated. That calls for a complaint to the data protection agency. The procedure should result in a monetary GDPR fine for the business that sold your data.

Protection where consent is not required

Consent is not required where:

1. The applicable law doesn’t require explicit consent for the use or sales of data but grants you the right to opt out of the sale. This is the case with California, Nevada, and Canada. Virginia will join this group in 2023. Some other US states may follow, but Canada is likely to start requiring consent soon.
2. The applicable law is non-existent, is outdated, or doesn’t provide sufficient protection. This includes the rest of the US states (except California, Nevada, and soon Virginia), India, Indonesia, and other countries where non-existent or outdated data protection.

   If the applicable law does not grant you any personal data protection, there is no way to protect yourself. You can request the data broker to delete your information, but they can shut the door in your face if they want to. So, you are left on your own.

If the California CCPA or the Nevada NRS603A applies to you in this particular case, do the following:

1. Read their privacy policy. Check out if it mentioned anything about sales of personal information. The law obliges them to provide notice on the sale of data.

Businesses that need to comply with this law must provide users with a notification that they sell personal data along with a link to the privacy policy and an opt-out button.

2. If the CCPA applies, check out if there is a Sales of Data notice on arrival on the website. If there is such a notification, hit the opt-out button, and they must never sell your data.

   If it is too late for that, keep reading.
   

3. Check out if there is an opt-out button/link/toggle with the text “Do Not Sell My Personal Information” or “Do Not Sell My Info” anywhere on the website. If the company sells data, they are obliged to have one on the website. It is usually placed on the website footer. You can also opt-out and prevent your data from being sold to a data broker.
   
4. Submit a data subject request to know. Ask them if they sell personal information and to whom they sell it. You may need to verify your identity in the process because they shouldn’t give data to anyone who requests so.
5. The response to your request will let you know whether the company sells data and, if so, to whom. You’ll know where to look next if your data has been sold. In the meantime, you can opt-out from the sales of data and request deletion of all the information about you that the business possesses.
6. Submit a request to know to the data broker. Let’s see what they have about you.
7. If they have any information about you, submit a request to have your data erased from their databases and opt out from the further sales of personal data.
8. If you don’t get a response from any company you have submitted a data subject request to, make sure you complain to the Attorney General. They are competent to take action against non-compliant businesses.

Bonus step: Check out Brand Yourself. It is a company that scans for your data in the databases of major data brokers—the scan results in a report on where your data has been found. Then you’ll know where to start.

On the other hand, if the Canada PIPEDA applies to your case, i.e., you or the business in question is Canadian, make sure you give a “negative consent.”

This means contacting the data controller and asking them to cease selling your data to other parties. In addition, you can submit a request to know to whom your data has been disclosed and then request all of them to erase your personal information from their records.

Final words

Your data is likely on someone’s servers without your consent and knowledge. And it is likely being sold for money.

If you are comfortable with that, you can go on with your life. But if it makes you anxious, it may be just about the right time to act.