Which Companies Are Selling Or Sharing Our Personal Information? Let’s Find Out Together

Problem

It has been more than three years since the California Consumer Privacy Act came into effect. The CCPA protects our rights to stop companies selling and exchanging our personal information, and to understand what information they have about us. And browsers and mobile platforms, most famously Apple iOS and Safari, have developed new protections. In some ways it looks like we’re better off.

But the surveillance business has not been standing still. In response to new privacy laws and technical privacy protections improvements to user privacy, surveillance marketers are changing how they track you. Instead of relying on your web browser or mobile device to send a cookie or send your info to a server, they’re tracking you in the background. When a company gets some information about you, their server can send it directly to another company’s server, without relying on your browser or device at all.

Switching to server-to-server tracking not only helps companies work around privacy protections on your device, it also helps them avoid privacy research that looks at cookies and other on-device activity. No privacy research tool that you run on your own computer or mobile device can see the new tracking methods. We can’t even see which companies are selling your information. We need a new way to see what companies are up to.

Approach

Fortunately, one of the largest surveillance companies offers a way to get a peek at what’s happening behind the scenes. The Facebook “Download your Information” page will let you get a copy of the information that Facebook has about you. And, because almost every company that does surveillance marketing uses Facebook for something, if we look at Facebook data from enough people, we will be able to get a more accurate map of the state of user tracking. This project isn’t just about Facebook, Facebook is just a convenient place to get a sample of personal data flows we can’t see otherwise. Even if you don’t have a Facebook account, or have one and rarely use it, a lot of your info will end up there.

Don’t worry, we won’t be reading your Facebook posts or looking at your photos. We have two levels of protection in place. First, you can download just the surveillance data transferred by other companies without downloading your personal content. Second, we have written a data extraction tool that reads only the surveillance info needed for this study and only outputs total counts, so we can’t see which companies go with which participants.

We will be collecting data from two different sources. Both are sent to Facebook from other companies, but they work a little differently.

Facebook Conversions API is a way that a company can have their server tell Facebook’s servers about something that you did. It could be any kind of event, from tapping on a control in a mobile app to visiting a retail store. Some people are concerned that companies report health-related or other sensitive information.

Facebook Custom Audiences are lists of email addresses or phone numbers that companies send to Facebook. Facebook’s written rules for companies require that they get your permission to do this, but we see a lot more companies doing this than we have ever given permission to do it.

Call to Action

Our next step is up to you. Please visit our volunteer page here to get the needed information from Facebook and share it with us. We’ll walk you through how to contribute your data. Facebook’s “Download Your Information” gives only minimal information if you only look at one data file at a time, but working together we can learn a lot. We’ll report back and conduct a follow-up survey. Our results will help us set priorities for our Permission Slip tool, to best protect you from the companies most likely to be sharing your information. And we’ll likely detect companies using your information that we might never have seen otherwise. The surveillance business has taken steps to avoid first-generation privacy protections, but now it’s our move.

Links

  • Facebook CAPI: What It Is, and How to Set It Up, by Justin Buckley for Triple Whale “Facebook’s Conversions API (CAPI) is a powerful marketing enablement tool that helps direct-to-consumer (DTC) brands track and optimize their marketing efforts on the social media platform. It was created in response to the recent changes in iOS14, which have made it more difficult for brands to track conversions using traditional methods.”
  • A step-by-step guide to Facebook Custom Audiences by Hephzy Asaolu for LeadsBridge “The customer file contains a list of people who have interacted with your business. They are your newsletter subscribers, customers, etc. You already have their details, such as their email and/or phone numbers, stored on your CRM or auto-responder. All you need to do is download this data as a CSV file and upload it to Facebook, and it will create a Custom Audience based on these details.”

Get the latest on Innovation at Consumer Reports

Sign up to stay informed

We care about the protection of your data. Read our Privacy Policy