Where and how is your data being sold?

Written by Shrisha Sapkota
Written by Shrisha Sapkota


case management software, practice management software, legal accounting software, legaltech, technology for lawyers, case management, immigration, london, united kingdomcase management software, practice management software, legal accounting software, legaltech, technology for lawyers, case management, immigration, london, united kingdom


Your activity on the internet is valuable[1]. Both in terms of time and money. Everything you do, including everywhere you click, all the pages you browse and anything you buy are valuable to some company somewhere[2]. Your internet activity and data are collected, processed and sold daily by a variety of companies, websites and analysis firms[3].

Most people don’t know how much of their activities are being tracked. “Most companies are collecting data these days on all the interactions, on all the places that they touch customers in the normal course of doing business,” says Elea Feit, a senior person at Wharton Customer Analytics and a Drexel marketing professor[4]. For example, a retailer would be keeping track of all the emails it sends you and whether you click on any of the links inside the email; it tracks your visits to its site and any purchases in a store if the retailer, say, has a loyalty card program[5]. “Every time you interact with the company, you should expect that the company is recording that information and connecting it to you,” she notes[6].

Companies have legitimate business purposes for tracking consumers and it brings benefits[7]. For example, a business that knows you’re a pet owner based on your searches for cat food could send you coupons[8]. Companies can also use your data to improve product designs and performance, Feit says[9]. For instance, smartphone companies monitor how devices are working on an ongoing basis to see how they can improve upon the battery life[10]. Carmakers also will often collect data on driving performance for such things as improving a vehicle’s fuel economy, she adds[11]. From sole proprietor online shops to tech giants like Google and Facebook, user data is used for everything to do with sales, marketing, product development, user experience, and more[12].

The web has become a dystopian surveillance state in which companies stalk their unsuspecting victims across the web, extracting maximal profit from removing any shred of privacy or dignity and socialising the risk of data breach or damage to the user while privatising all the monetary benefit of exploiting them[13]. Social media platforms often generate the majority of their revenue through selling hyper-targeted advertising based on algorithmically mining every second of their unwilling and unwitting users’ lives[14].

Browsers, apps and other software can record your IP address, which tells them where you are[15]. Which browser (and version) you use is recorded, as is the operating system and what type of computer or phone you’re using[16]. Your search history is super useful, and with every website you go to the pages are recorded, as are search terms, what you clicked on, and other functions[17]. What sites or pages you were on before and the ones you go to after are also tracked[18]. What did you put in your cart, but abandon?[19] And when you buy something, everything from your shoe size to favourite colour to credit card details to shipping address gets recorded[20].

Every person online is a rich source of data that reveals a treasure trove of information about who we are, what we like, how we live, and more[21]. And companies want as much of it as they can get, either to use or to sell[22].

When we think about “selling” user data we typically think of a company boxing up the personal information of its customers and selling them as downloadable ZIP files with per user and flat-rate pricing[23]. Indeed, the enormous world of data brokers exists to do precisely this[24]. Many companies we do business with, from the grocery stores and brick and mortar stores we shop at to the newspapers and magazines we subscribe to, collect their subscriber information and sell those lists for a profit[25]. While most Americans likely believe that their drug prescriptions are protected from any form of exploitation under medical privacy laws like HIPAA, it turns out that those laws permit pharmacies like Walgreens to monetize their users through advertising[26]. Specifically, pharmaceutical companies can pay Walgreens to send an advertisement for a drug trial to all its customers that suffer from a particular medical condition[27]. The pharmaceutical company itself is never given a list of patients, it merely hands the ad over to Walgreens and pays a fee and Walgreens sends the mailers itself[28]. Walgreens has created an offline physical mail advertising model that mimics the hyper-targeted digital ads that clog the online world[29]. Like Facebook, the company is careful to argue that it does not “sell” its customer data, it merely sells access to those customers to show them advertisements[30]. Notably, when asked why the company does not explicitly inform customers at purchase time that it will use their prescriptions to sell access to them, the company noted that under HIPAA, selling access to customers does not “require patient authorization[31].”

Facebook is therefore in good company when it comes to businesses distinguishing between selling access to their users for advertising versus boxing up their data and offering downloadable ZIP files[32]. Does that count as Facebook “selling” the data of two billion users[33]? It certainly constitutes “selling access[34].”

Classification of data

The consumer data that businesses collect can be broken down into four categories:

Personal Data:

Personal data is any information that relates to an identified or identifiable living individual[35]. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data[36]. This category includes personally identifiable information such as Social Security numbers and gender as well as non personally identifiable information, including your IP address, web browser cookies, and device IDs (which both your laptop and mobile device have)[37]. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR[38].

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data.

Health records, social security numbers, and banking details make up the most sensitive information stored online[39]. Many apps use your location to serve up custom advertisements, but they don’t necessarily make it clear that a hedge fund may also buy that location data to analyse which retail stores you frequent[40].

Engagement data: 

Engagement data generally falls into four basic categories:  product usage, brand and marketing engagement, support engagement, and successful engagement[41]. This type of data details how consumers interact with a business’s website, mobile apps, text messages, social media pages, emails, paid ads and customer service routes[42]. For example, it may be the amount of time customers spend browsing a blog, the average amount of order values, how many likes your Facebook page has, or how many customers utilise your customer support system[43]. While the term “engagement” has many definitions depending on what the metric is trying to measure, in Google Analytics, the definition of engagement is quite simple[44]: It measures how much time a group of visitors spend on a site (Visit Duration) or it measures the depth of pages visited while on the site by a group of visitors (Page Depth)[45]. The page depth report shows a distribution of how many pages a visitor traverses as they view your site[46].

Behavioural data:

Behavioural data is data generated by, or in response to, a customer’s engagement with a business[47]. This can include things like page views, email sign-ups, or other important user actions[48]. Common sources of behavioural data include websites, mobile apps, CRM systems, marketing automation systems, call centres, help desks, and billing systems[49]. It can also include transactional details such as purchase histories, product usage information (e.g., repeated actions), and qualitative data (e.g., mouse movement information)[50]. These critical day to day insights allow us to further optimise for conversion, engagement, and retention. For example, if a business is looking for insight into why users bounce before subscribing, they can build out an analysis that compares user flows of those who open an email and begin their journey to creating an account[51].

Attitudinal data:

Attitudinal data is data which is used to understand a respondent’s opinions, beliefs, feelings or thoughts[52].This data type encompasses metrics on consumer satisfaction, purchase criteria, product desirability and more[53].

Attitudinal Research is the gathering of data to measure consumers’ attitudes to a product or brand in terms of their knowledge and opinions ot it (cognitive approach), their overall impressions of it (affect approach) and their degree of loyalty to it (behavioural approach)[54].

The data brokers

Data brokers are companies that collect information about you and then sell that data to others, usually companies or individuals[55]. The information that data brokers collect can be extensive, everything from your birthdate and addresses to your job title, number of children, and even your outside interests[56].

These firms compile info from publicly available sources like property records, marriage licences, and court cases[57]. They may also gather your medical records, browsing history, social media connections, and online purchases[58].

Data brokers can collect information by buying it from other companies (such as credit card companies), crawling the internet for public sources of information (such as social media like LinkedIn, Instagram, Facebook etc) and many other legal means[59]. The data brokerage industry generates over $200 billion of revenue yearly and continues to grow annually[60]. This shouldn’t be surprising given the amount of information that is created every year[61]. It’s estimated that 1.7MB of data was created by every person, every second of 2020[62]. If its combined with the increased usage of the internet and integration of applications like GPS, fingerprint scanning and facial recognition into people’s everyday lives, a business can have a very valuable product[63].

Data brokers might compile your favourite games or your favourite category of games, and then sell that information to companies hoping to sell you their own video adventures[64]. Businesses purchase your shopping and spending information[65]. Data brokers can often tell them what brand of laundry soap you’ve bought in the past and when you purchased it[66]. This allows companies to send ads timed to when you might need pods[67].

Companies capture data in many ways from many sources[68]. Some collection methods are highly technical in nature, while others are more deductive (although these processes often employ sophisticated software)[69]. Larger advertisers, including data brokers themselves, already track their customers across the web using cookies and know the most recent IP address each of their customers used to access their website or mobile app[70]. They can run tens of thousands or even millions of ad campaigns on Facebook targeting each demographic of interest and simply cross reference the IP addresses of the click throughs from each campaign against their own records of which IP address is associated with each customer[71].

If you want to limit your digital footprint your best bet is to be careful of who you give your consent to online, reduce the information in your public profiles and only use services by companies that you trust not to misuse your information[72].

Good Law Software is a top legal software that offers various tools for law firm management. This law firm database software offers enhanced encryption, data backup, and exceptional security features; so that you don’t have to worry about your data being sold to third parties or being misused. Its legal document storage system ensures legal document security while storing your documents. It’s law firm cloud security  feature has enhanced data security model for cloud computing which prevents privacy and data security risks in cloud computing, protecting your privacy and ensuring data protection in cloud computing


  1. [1] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [2] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [3] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [4] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [5] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [6] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [7] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [8][8] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [9] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [10] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [11] https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/

    [12] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/



    [15] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [16] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [17] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [18] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [19] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [20] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [21] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/

    [22] https://usercentrics.com/knowledge-hub/data-is-the-new-gold-how-and-why-it-is-collected-and-sold/













    [35] https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

    [36] https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en


    [38] https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

    [39] https://www.wired.com/story/wired-guide-personal-data-collection/

    [40] https://www.wired.com/story/wired-guide-personal-data-collection/



    [43] https://www.indicative.com/resource/engagement/

    [44] https://www.datadrivenu.com/google-analytics-guide/engagement-report/

    [45] https://www.datadrivenu.com/google-analytics-guide/engagement-report/

    [46] https://www.datadrivenu.com/google-analytics-guide/engagement-report/

    [47] https://www.indicative.com/resource/what-is-behavioral-data-and-behavioral-analytics/

    [48] https://www.indicative.com/resource/what-is-behavioral-data-and-behavioral-analytics/

    [49] https://www.indicative.com/resource/what-is-behavioral-data-and-behavioral-analytics/


    [51] https://www.indicative.com/resource/what-is-behavioral-data-and-behavioral-analytics/






    [57] https://www.wired.com/story/wired-guide-personal-data-collection/

    [58] https://www.wired.com/story/wired-guide-personal-data-collection/

    [59] https://www.securitymadesimple.org/cybersecurity-blog/what-does-a-data-broker-do

    [60] https://www.securitymadesimple.org/cybersecurity-blog/what-does-a-data-broker-do

    [61] https://www.securitymadesimple.org/cybersecurity-blog/what-does-a-data-broker-do

    [62] https://www.securitymadesimple.org/cybersecurity-blog/what-does-a-data-broker-do

    [63] https://www.securitymadesimple.org/cybersecurity-blog/what-does-a-data-broker-do









    [72] https://www.securitymadesimple.org/cybersecurity-blog/what-does-a-data-broker-do

case management software, practice management software, legal accounting software, legaltech, technology for lawyers, case management, immigration, london, united kingdomcase management software, practice management software, legal accounting software, legaltech, technology for lawyers, case management, immigration, london, united kingdom

Similar to this article