Information is power, and with the ease with which we transact business and communicate, each one of us generates information at an astonishing rate. This is of interest to a specific type of organisation: data brokers.
What are data brokers?
Data brokers are organisations that buy and sell data from a variety of sources. Every person, regardless of whether they use social media or not, leaves a massive trail of data in their wake with every purchase. Data brokers harvest this data through completely legal means, and sell it to data analytics firms, who then monetise the data by using it to enable businesses to target their advertising.
While this is usually legal, data brokers often sail close to the wind with liberal interpretations of data protection legislation; for instance, ‘fair usage’ and ‘legitimate interest’ are two terms that are fairly open-ended, and many data brokers use this to their advantage.
What is personal data?
Personal data is an umbrella term for anything that applies to an individual. For instance, bank PINs, passwords and account balances are a deep form of data; the banks responsible for keeping this data are bound by another layer of customer protection under the banking code and Financial Conduct Authority (FCA) legislation. However, there are some types of personal data that are fair game: birth, death and marriage data are in the public domain and can be used to ascertain the age and marital status of an individual.
Similarly, property registers hold the details of homeowners, and home ownership can give an insight into an individual’s socioeconomic status.
Other forms of data might involve vehicle ownership, which is held by the DVLA and sold on to various parties who have a legitimate reason to request the information, or browsing history, which is easy to obtain.
How is this information gathered?
There are many ways that people inadvertently give their data out for free. Anyone with a smartphone who shops online using Google is giving Google a snapshot of their online shopping habits: what they’re interested in, and what they actually purchase.
Some companies are able to gather deep data for legitimate reasons: credit card companies use your purchasing habits and credit card use to assess your creditworthiness, and that is perfectly legal. Your vehicle registration and personal details will be passed on to the police or local authorities should you commit a parking or motoring offence. However, credit card companies will sell your purchasing habits if you’ve ever given them (or failed to withdraw) permission; card terminals also collate and anonymise your purchase data for sale.
On the other hand, some unscrupulous firms use ‘phishing’ to gain bank login details for fraudulent reasons, and there is also the practice of data ‘scraping’, where an individual gives certain information voluntarily, but the firm uses this to delve deeper and help themselves to information to which they have no right. The best example of this was the Cambridge Analytica scandal, where Facebook users volunteering for a survey through an app had their contact details scraped by the app. Facebook were subsequently fined $5 billion for allowing the data breach to occur.
Following this scandal, Europe toughened up its data protection laws and penalties considerably. Previously, data protection laws required only passive consent to obtain data; if an individual didn’t want to share their details, they had to physically tick or check a box to deny consent. Often these were worded for deliberate ambiguity: “please check this box unless you consent to us sharing your personal data”.
The introduction of the General Data Protection Regulation (GDPR) aimed to stamp out many of these practices: users now have to give their explicit consent to allow companies to share their data. Unless they specifically allow it by ticking or checking boxes, the data controller is in breach if they pass on the information.
Nonetheless, sharp practices continue: the consent flow for signing up for Facebook makes it very easy for users to agree to everything to expedite sign up.
What about the information businesses already have on me?
Under the GDPR, any business has to tell you exactly what information they have on you within 30 days if you request it, and you can tell them to delete anything you don’t want them to have. Writing to businesses can be time-consuming and laborious, but there are now many online services that can help you to make a data subject access request with any organisation.
This is the first step to controlling who knows what about you. You don’t live your life to make money for others, so take the initiative first.
So, how do I stop companies from selling my details?
Unfortunately, unless you have always paid cash, don’t have a smartphone, have ticked every box withdrawing consent to your data being shared, and have taken every step to keep your data private, the damage is already done. If you have given a company permission to pass your data on to a broker, they have done their job, and the data is out of their hands. How it’s used after that is out to the judges.
Data is now an arms race: the GDPR is putting the power in people’s hands to compel companies to keep customers’ data safe, but are they using it? The answer is no. People are still giving consent to businesses to share their information. Furthermore, people are very willing to overshare on social media; each ‘like’ and ‘share’ gives an insight into an individual’s tastes or political leanings, and every comment on Facebook or Twitter tells a story.
The data imperative has led to data exploitation. The GDPR means that you can start taking the power back, and prevent your life being monetised, by restricting who has your data. Read the small print to find out what information you are consenting to share before hitting ‘accept’; use a VPN for online shopping; use an internet browser that doesn’t track you, such as DuckDuckGo; turn off your location on your smartphone unless you really need it on; and think before you ‘like’, ‘share’ or post on social media.