When it comes to data-privacy scandals, Facebook and Google immediately spring to mind as the key culprits. These companies are the scapegoats whose shady data-privacy practices get plastered all over the news and lead to investigations, but there are other companies that operate away from the spotlight, unbeknownst to most internet users.
In the United States, where data-privacy law is not very restrictive, there are companies known as data brokers that have up to 1,500 pieces of information about a person. In the EU, data brokers operate on the brink of the law and swiftly navigate GDPR restrictions, for example, by skewing the interpretation of “legitimate interest” or by exploiting the inattention of internet users who don’t read what they consent to.
Saying that such companies have more information about citizens than state authorities is not far from the truth.
Welcome to the murky realm of data brokers.
What Are Data Brokers?
Data brokers (aka information brokers, data providers, and data suppliers) are companies that collect data themselves or buy it from other companies (like a credit card company), crawl the internet for useful information about users – legally or otherwise – and aggregate that information with data from other sources (e.g. offline sources). Most people are not even aware such companies exist, but data brokerage has become a lucrative industry that generates $200 billion in revenue yearly, and it’s still growing.
Whether it’s by purchasing things online, searching for something on Google, liking a Facebook page, or creating a profile on a dating website, every internet user’s actions leave certain traces. With this mountain of data in hand, data brokers may either sell or exchange the information with third parties: other companies, individuals, or other data brokers for whom the information may be very valuable.
What Types of Data Do Data Brokers Collect and What Do They Do With It?
Data brokers collect information from a range of online and offline sources.
Examples of these sources include:
- Social media
- Web history
- Online and offline purchase history and warranty information
- Credit card information
- Government records (driver’s license and motor-vehicle records, census data, birth certificates, marriage licenses, voter-registration information, etc.).
The types of data that brokers collect and sell include, among others:
- Full name
- Address of residence (and previous addresses)
- Telephone numbers
- Email addresses
- Age and gender
- Social security number
- Data about real estate owned
Data brokers combine these pieces of information and create audience segments (aka user segments, or simply audiences) which are then sold to companies.
When used for online advertising purposes (e.g. ad targeting), most AdTech platforms, like demand-side and data-management platforms, are not interested in data such as names, addresses and other sensitive information. Instead, they are interested in a person’s web and purchase history, but may also use age, gender and income to improve targeting.
How Do Data Brokers Make Money?
Data brokers may utilize various business models, but on the most basic level, data brokerage involves sourcing and aggregating data, and reselling the most valuable categories of users to third parties. For example, one of the biggest scandals to date involved a data broker that sold advertisers the contact data of rape victims, alcoholics, and erectile dysfunction sufferers. Such lists sold for $79 per 1,000 contacts.
When audience segments are sold to AdTech companies, they are often sold on a cost per mille (CPM) basis, or as a percentage of media.
Even though we often hear stories about data brokers selling sensitive data to advertisers, most data brokers, especially those who sell it to mainstream advertising companies, don’t sell such sensitive data, and focus on the more common categories like “sports enthusiast,” “music lover,” “impulse buyer,” etc.
What Types of Data Brokers Are There?
There are several thousand companies around the world collecting information about consumers from public and non-public sources in order to sell it to other companies. Depending on the range and type of data they store, data brokers are divided into three categories:
Type 1: Data brokers for marketing and advertising
There are data brokers that focus on marketing, such as Acxiom and Datalogix (recently purchased by Oracle). Other examples of companies that have data brokers as separate divisions include Experian and Equifax.
The role of such companies is to create databases of individuals and use them later for targeted advertising and marketing. Data brokers create audiences that include a person’s age, location, education level, income, web history, purchase history, and interests.
Advertising companies can purchase these audiences and show them targeted ads.
Type 2: Fraud detection data brokers
Some data brokers offer fraud detection – a service typically used by banks and mobile phone operators.
For example, before granting a loan, a bank might turn to a data broker to help it determine whether the information provided is accurate and legitimate, and therefore reduce the risk of granting a loan to a fraudster.
Type 3: Risk-Mitigation Data Brokers
These types of data brokers can use a person’s search history to offer them high-interest (high-risk) loans rather than low-interest (safe) loans. For example, a history of regular online credit-card purchases of luxury products may indicate that a person has a lot of debt, especially if their income is modest.
Likewise, having an active gym membership could land the user in a group with a lower risk of having a heart attack, and thus earn them lower life-insurance premiums.
Similarly, users of the mobile app Yanosik (a Polish dashcam app informing the driver about speed cameras and providing other useful road information) can get cheaper car-insurance offers, provided they consent to their driving style being tracked. Naturally, reckless drivers pay a premium and careful drivers are rewarded.
The problem is that such risk-mitigation classifications may be based on completely inaccurate information, and because people are rarely aware of such information being collected, there’s no simple process in place allowing them to access the information, amend, correct, or remove it.
Type 4: People-Search Sites
People-search sites such as PeekYou and Spokeo allow individuals and companies to find information about a person by searching for their name, phone number(s), address, email address and social-security number.
The information can include:
- Addresses (present and past)
- Education information
- Employment details
- Marital status
- Financial information (e.g. bankruptcy)
- Social-media information (e.g. profiles)
Due to the nature of this information, and the fact that it’s easily and readily available, people often become victims of doxxing.
How Do Data Brokers Work?
While their operation seems very shady, data brokers don’t necessarily source the data illegally. Instead, they may search the internet for publicly available information about the users from social-media sites and receive it from companies who have collected the data themselves.
Wait… Is This Legal?
Data brokers often operate either on the brink of the law, or in full accordance with the law, especially in countries where data policies are not very strict or diligently enforced.
The consent to share your data with third-party brokers may be sneakily included as one of the checkboxes you select when registering on a site, or presented to you in small print, for example, when you fill out a form with your detailed data to get a loyalty card (alongside a 10% discount towards future purchases in the store).
Interestingly, while most people don’t feel completely comfortable with the idea of someone selling their data, there are some people who voluntarily participate in special data-broker programs like Luth Research, where you can get paid for freely sharing very granular details about yourself and your interests and consent to the data being resold to third parties, allowing them to more efficiently target you in their campaigns. In theory, it’s a win-win situation.
The tightening of data protection and privacy laws around the world has brought new challenges to the data-brokering model.
For example, under the European Union’s General Data-Protection Regulation (GDPR), in order to process a person’s data, one of the six legal bases for data processing must apply. One of these bases is legitimate interest, which is relatively vague and possibly the most abused and misinterpreted legal basis.
Data brokers and many AdTech companies are relying on legitimate interest as their legal basis for processing user data. The specifics of this are somewhat murky, but it’s clear that legitimate interest doesn’t apply to advertising. Instead, data brokers and AdTech companies should obtain clear, explicit and unambiguous consent (another legal basis for data processing) to collect and process user data.
Derived, inferred and predicted data
Some data brokers believe that derived, inferred and predicted data are not examples of personal data, despite the fact that they can be used to target users via unique identifiers.
Vague opt-out procedures
While in most cases opting out is completely free, most people don’t even know such an option exists in the first place. Also, data brokers may not be too willing to show all the data they’ve collected about a user – but some of them do. About the Data is a website run and administered by Acxiom, offering individuals a glimpse into the data points the company has about them and allowing them to update incorrect data.
Secondly, while data-brokerage companies may offer a way to opt out, they may not consider the inferences made using the data itself. Also, the bad news is that since it’s really hard to erase things permanently on the internet, some copy of your data will always be stored somewhere.
Data brokerage has fallen under careful scrutiny since the GDPR went into effect in 2018 and data brokers must be more careful in their practices if they do not want to pay severe fines and face data-breach investigations. Case in point: Google was recently fined $57 million in France by data regulator CNIL following non-compliance with the EU’s data-protection rules.
Also, formal complaints to European regulators under the GDPR by the UK’s non-profit organization Privacy International were filed last year against some of the major ad-tech companies like Criteo, Quantcast and Tapad, as well as credit agencies Equifax and Experian.
But this does not mean users are to feel completely safe – no one using the internet will ever be. The best thing you can do right now is to use common sense. Don’t share your data with suspicious websites, try to read consent forms (as much as possible) and be more cautious when using free services. After all, there is no such thing as a free lunch.