Companies Are Collecting Your Personal Information Online and Selling It

Why it's still legal and how to protect yourself

by Anna Fiorentino

July 22, 2022

Companies you’ve never heard of shouldn’t be surveilling your location 24 hours a day and selling it. Yet, it’s happening every time you turn on your smartphone or sign into a browser on your computer. And there are hardly any laws preventing it.

“Businesses aren’t going to stop collecting data and selling it on their own so it really should just be stopped at the federal level,” says Christo Wilson, an affiliate member of the Institute for Experiential AI and founding member of the Cybersecurity and Privacy Institute at Northeastern University.

Even one of the few laws that truly protect an individual’s privacy — a patient’s medical records through HIPAA — was potentially violated last month by some of the country’s top hospitals, according to multiple June reports. An investigation showed that a third of top hospitals were using a Facebook tracking tool to tap into hospital websites that collect intimate details about a patient’s condition and appointments. As a result, Facebook’s parent company, Meta, is now facing a lawsuit.

Meanwhile, following the Supreme Court’s late June ruling overturning Roe vs. Wade, fear is mounting about the threat of data brokers gathering the location of women seeking illegal abortions. That’s after Facebook was allegedly collecting data about people who visit the websites of hundreds of crisis pregnancy centers, often run by religious organizations on a mission to talk people out of abortion.

In today’s fast-paced digital world, the harsh reality is that everyone from retail companies tracing foot traffic, to city zoning officials counting cars, to hedge funds planning investment strategies is paying data brokers for our sensitive information.

“Even law and immigration enforcement officials have been known to buy this kind of data,” says Wilson, adding that it circumvents the Fourth Amendment, which prohibits unreasonable searches and seizures.

Surveillance has been normalized. Data brokers are tapping into and paying companies for our personal information on the internet, our phones, and other monitoring devices. They’re selling this Big Data to private and public entities all over to build AI models that, through AI methods like natural language processing and image recognition, save them significant time and money. And while data brokers may claim only to sell data to authorized people or vow to incorporate protections, what we see time and again is the protections are very weak, explains Wilson. Data is relatively cheap to purchase and once it’s collected and sold it’s even harder to control.

“There’s an infamous case of a pastor who was a closeted homosexual,” says Wilson, a Northeastern associate professor of computer sciences who doubles as a faculty associate of the Berkman Klein Center for Internet & Society at Harvard University. “His sexuality was revealed when somebody got his location data, deanonymized it, and said, look this guy is both a pastor and going to gay bars. And it probably ruined his life,” adds Wilson.

Now, a growing number of researchers, like Wilson, are advocating for new laws, standards, and regulations to preserve the privacy of individuals. National online privacy protection legislation has been kicked around for years, but the Federal Trade Commission still doesn’t prevent data brokerage. While HIPAA protects the privacy of patient health records, the longstanding healthcare protection law doesn’t apply to other health data, like vitals from a smartwatch or user visits to a healthcare provider’s website — or to an abortion clinic. Other than narrow protections, like for children under 13, credit reports, and some financial information, most privacy laws in this country are very weak. And when it comes to location data, which is often easy to deanonymize, there really is no online privacy protection at all.

Of the five states — California, Colorado, Connecticut, Utah, and Virginia — that have passed comprehensive consumer data privacy laws, California’s newly enacted law is the most stringent, according to Wilson. That act, which will go into effect in January 2023, tightens up the preceding law by requiring companies to inform website and app users about data collection and provide an opt-out clause. It also gives users the right to obtain copies of data collected about them and the right to remove it altogether. But the California law is more complex than it seems, particularly when it comes to data brokerage. What if, for example, by the time you opt out, your data has already been sold to a broker? Does that mean you have to go to the data broker and exercise your rights there as well?

“It’s not clear that opting out will have a trickle-down effect and get rid of everything already collected by the brokers,” adds Wilson. He and others believe that lobbyists representing the companies buying the data have a bigger plan in mind.

“Long term, their strategy appears to be to get every state to pass one of these milquetoast laws that are all slightly different so the tech lobbyists can go to Congress and say there’s a patchwork of laws that’s making it difficult for our businesses, so they need a federal privacy law that preempts all of those,” says Wilson. “Their goal is to get the federal law to be the lowest common denominator and then we’re pretty much stuck.”

So for now, he adds, “once you have agreed to some opaque terms of use for an app or a website they’re pretty much free to collect your data and sell it and share it as they choose.” That makes it even more important for each of us to learn how to protect ourselves online. Below is a list from Wilson on how to help prevent companies, apps, and data brokers from surveilling you online.


How to Protect Yourself From Data Brokers