How Do Sales of Personal Data Work and How to Protect Yourself

Updated: 19 July 2021

In this guide you’ll learn:

  • What are data brokers
  • What types of personal data they collect and process
  • How they collect personal data
  • Why you don’t want your personal data in their hands
  • How to protect yourself from data brokers

The media abounds with articles about the Googles and Facebooks of the world earning tons of money from our personal data. They often call it “selling your personal information to other businesses”, “selling your identity for money”, and so on.

While it is true that Google, Facebook, and the like are business platforms where people’s attention and business ads meet based on personal information, there are businesses whose business model involves collecting personal information and simply selling it.

By selling data we don’t mean a platform that people use for free and businesses pay for access to pools of these people based on online tracking. Nor do we talk about businesses disclosing personal data to third-party apps.

We talk about one business collecting personal information and selling it to another one for money. As simple as that.

These companies are called data brokers.

What Are Data Brokers?

Data brokers are companies that collect people’s personal information, package it well, and sell it to other companies for money. Other companies buy it because they need the data to make better business decisions.

People whose personal data is being sold often have no idea about it. In the meantime, data brokers grow into billion-dollar businesses.

Just to give you an idea of how big these companies are:

  • In 2019 ad company Publicis bought data broker Epsilon for $4.4 billion
  • Acxiom is valued at $4 billion
  • ZoomInfo makes nearly $500 million annually

All that from harvesting, packaging, and selling personal data.

And to give you an idea of how good they are at their business, check out this piece on one person’s quest to figure out how some companies on the internet knew his personal data.

In the end he learnt that even Facebook bought data from a data broker. Yes, Facebook, the company we all think has the most superior algorithms for automated data processing, has bought data about its own users from data brokers.

Data brokers are serious about data processing. Acxiom, for example, has over 23,000 servers processing data of more than 500 million people worldwide. That’s about 7% of the world’s total population.

Acxiom does not agree, though, and claims to process data of 10% of the world’s population. Only two countries – China and India – have a larger population than Acxiom’s list of persons whose personal data it has processed.

What Types of Personal Data Do They Collect and Process?

Data brokers collect and process just about any category of data they can collect. Whatever data is good for them. Acxiom processes 1500 data points per person.

Aside from the basic personal information, such as name, email address, home address, phone number, or SSN, they also process massive amounts of data related to your behavior.

This may include your political views, philosophical views on the world, online purchase behavior, family life, and so on.

When analyzing your online purchase behavior, for example, they may analyze multiple data points. A simple purchase of a t-shirt online may give them information about:

  • What you have browsed before the purchase
  • Do you buy during the day, in the afternoon, or late at night
  • Do you buy on weekdays or weekends
  • How many times you have visited the online store before buying
  • Did you look at similar products or not
  • What color and pattern was the t-shirt
  • If there were some words printed on the t-shirt, what do they mean
  • How may these words relate to your worldviews
  • Do these words mean that you are single or married or have children
  • Do these words mean that you support a certain NBA team
  • Did you buy the same t-shirt size as the last time or have you put on some weight

These are less than 1500 data points, but you get the idea.

It is very powerful. And the next time, you’ll be served a relevant ad by a random online company that has bought this data.

How Data Brokers Collect Personal Data

As you may know already, just by getting yourself online, some categories of your personal information are already exposed. Although private browsing is possible, very few people opt for it. If you are not one of them, you are exposed.

Well, when you get your data exposed, data brokers await with arms wide open.

They get their hands on your personal data in two ways: buy it, or harvest it themselves. Buying data is self-explanatory. Harvesting is done mostly by web scraping.

Web Scraping

Web scraping is the use of a small piece of software or a script to automatically extract data from websites on the internet.

So, data brokers send web scrapers to any website that could possibly contain personal data. The scraper collects the data and sends it back to the data broker in a format ready for processing. Then the processing begins. They match many data points about the person, eventually building a profile of that person.

In most cases, they collect the data by scraping:

Public records. Your personal data from court records, voting records, divorce records, and city/state/federal records may be made at least partially available to the public. Data brokers take advantage of it to collect everything they can in their databases.

Social network profiles. They won’t hesitate to scrape the public parts of your social media profiles, such as your name, phone number, email address, or others.

Websites rarely forbid web scraping public data from their websites and almost always forbid web scraping from members-only areas. However, data harvesters never take it seriously and just keep scraping, no matter the provisions in the Terms of Use.

So, if they send a scraper to LinkedIn, aside from scraping public data, they wouldn’t hesitate to access the data visible only to members and collect it.

Yes, it is against the Terms of Use, but they get away with it and keep doing it.

Scraping public data breaches. When personal data leaks from a website, data brokers have work to do – sending the scraper straight to the scene of the accident to get what they need. It may include sensitive data as well.

Other data brokers. There is a Latin proverb: “A man is a wolf to another man (Homo homini lupus est)”. Well, a data broker is not a wolf to another data broker. They scrape each other’s databases and that never results in legal action.

So, if one data broker has many data points about you, it is likely that many others, sooner or later, will get that data as well – without your consent and without your knowledge.

Buying your data from other companies

When scraping is not enough or not possible, data brokers pay for the data out of their own pockets.

Email list aggregators. There are companies whose sole purpose of existing is to collect email addresses of people based on their interest, segment them, and sell the data packaged based on certain characteristics of the users.

For example, you can approach them and buy an email list of 30+ years old men who use personal finance apps. Or an email list of people interested in paleo diets.

Some businesses buy these lists, but data brokers buy them, too.

Just other companies that have collected your data. Many online businesses who did not intend to sell users’ data collect it for their own needs. However, if data brokers come to them with the right opportunity at the right time, some of them may opt to sell it.

Some laws protect you from such sales, and others do not. Hint: you accept the Terms of Use without reading them. More on that further down the article.

How to Protect Yourself?

Data brokers operate in the wild west out there, but you can challenge them by exercising your data subject rights. However, you have such rights only if the applicable laws grant them to you.

As of the moment of publishing this article, the GDPR, the CCPA, Nevada NRS603A, Brazil LGPD, Canada PIPEDA, and some others protect users from sales of their information.

Bearing in mind that there are two major trends in data privacy laws worldwide – laws similar to the GDPR and laws similar to the CCPA (US state laws only) – there are two major paths to protection. Both lead through users’ consent. One of them requires it, the other doesn’t.

Protection where consent is required

The laws that require consent for collection of users’ personal information usually require consent for selling of the data as well. Such laws include the EU GDPR and the laws of non-EU European countries, Brazil, Argentina, Thailand, South Africa, Dubai, Australia, New Zealand, Japan, China, Russia, and other countries that have passed new data protection laws or updated the old ones in the last few years.

Where laws require explicit consent for use of personal information, including sales, it means that the data controller has to inform the user in the privacy policy that their data will be sold. If the user consents, the data controller is free to sell it. If the user says no, sales must not occur.

Step-by-step protection

Take the following steps:

  1. Determine the applicable data protection laws. As a rule of thumb, both the laws applicable where the business is located and where you are located apply. If consent for use/processing of data is required, continue to step number 2.
  2. Check out their privacy policy. Determine what they do with personal data and for what purposes. Pay close attention to the parties to whom they disclose personal data or to any section explaining the process of sales of data, if any.
  3. Send a data subject request to the data controller. Request information on:
    • With whom they share your personal data and for what purpose, and
    • Whether they sell personal data, including your data.

    This should give you an idea about what they do with data. However, you should be prepared to struggle a bit. If you are an EU citizen and you send a data subject request to a US business or an Indian business, for example, these businesses may not be compliant with the GDPR.

    That would mean that you have to explain to them that the GDPR applies to them when interacting with EU users and they should be compliant. If they ignore your request, submit a complaint to your national data protection authority. They will make them give you the requested information.

  4. Determine if they sell your data. Once you have the requested information, whether by yourself or through the data protection authority, determine what they have done with it.
    If they don’t sell it, this is where it ends. If they sell it, keep reading.
  5. Request them to cease selling your data. This is self-explanatory. And whatever their response – positive or negative – continue to step number 6.
  6. Submit a complaint to the data protection authority. If your personal data has been sold without your consent, and you are protected by the GDPR or a similar law, your data privacy rights have been violated. That calls for a complaint to the data protection agency. The procedure should result in a monetary fine for the business that sold your data.

Protection where consent is not required

Consent is not required where:

  1. The applicable law doesn’t require explicit consent for the use or sales of data, but grants you the right to opt-out of the sale. For now, this is the case with California, Nevada, and Canada. Virginia will join this group from 2023. Some other US states may follow, but Canada is likely to start requiring consent soon.
  2. The applicable law is non-existent, is outdated, or doesn’t provide sufficient protection. This includes the rest of the US states (except California, Nevada, and soon Virginia), India, Indonesia, and other countries where data protection is non-existent or outdated.

    If the applicable law does not grant you any personal data protection, there is no way to protect yourself. You can request the data broker to delete your information, but they can shut the door in your face if they want to. So, you are left on your own.

If the California CCPA or the Nevada NRS603A apply to you in the particular case, do the following:

  1. Read their privacy policy. Check whether it mentions anything about sales of personal information. The law obliges them to provide notice on sale of data.
  2. If the CCPA applies, check out if there is a Sales of Data notice on arrival on the website. Businesses that need to comply with this law are required to provide users with a notification that they sell personal data along with a link to the privacy policy and an opt-out button. If there is such a notification, hit the opt-out button and your data must never be sold by them.

    If it is too late for that, keep reading.

  3. Check out if there is an opt-out button/link/toggle with the text “Do Not Sell My Personal Information” or “Do Not Sell My Info” anywhere on the website. If the company sells data, they are obliged to have one on the website. It is usually placed on the website footer. You can opt-out here as well and prevent your data from being sold to a data broker.
  4. Submit a data subject request to know. Ask them if they sell personal information and to whom they sell it. You may need to verify your identity in the process, because they shouldn’t give data to just anyone who requests it.
  5. The response to your request will let you know whether the company sells data and, if so, to whom. If your data has been sold, you’ll know where to look next. In the meantime, you can opt-out from the sales of data and request deletion of all the information about you that the business possesses.
  6. Submit a request to know to the data broker. Let’s see what they have about you.
  7. If they have any information about you, submit a request to have your data erased from their databases and opt-out from the further sales of personal data.
  8. If you don’t get a response from any company you have submitted a data subject request to, make sure you complain to the Attorney General. They are competent to take action against non-compliant businesses.

Bonus step: Check out Brand Yourself. It is a company that scans for your data in the databases of major data brokers. The scan results in a report on where your data has been found. Then you’ll know where to start from.

On the other hand, if the Canada PIPEDA is applicable to your case, i.e. you or the business in question is Canadian, then make sure you give a “negative consent”.

This means contacting the data controller and asking them to cease selling your personal data to other parties. In addition, you can submit a request to know to whom your data has been disclosed and then request all of them to erase your personal information from their records.

Final words

Your personal data is likely on someone’s servers without your consent and without your knowledge. And it is likely being sold for money.

If you are comfortable with that, you can go on with your life. But if it makes you anxious, then it may be just about the right time to act.

Written by: Petar Todorovski

Data privacy expert

Legal Advisor for IT Regulation - Ministry for Information Society and Administration of Macedonia

Petar Todorovski is interested in just about anything where law and technology intersect. His work includes legal consultation for companies, drafting IT-related legislation for the Macedonian government, and designing legal tech apps for a data protection management platform.

He has experience in data protection, cybersecurity, trust services, digital transformation of public services, access to justice, and writing for the internet.

He is a big advocate of automation, user-centered design, and the use of plain language in the legal industry.

Petar takes a break from law and tech by having a Crossfit workout, enjoying the outdoors, and reading smart people’s blogs.
