Online Advertising & Tracking

Background

Massive troves of personal data are collected and transferred within the targeted advertising ecosystem. Due to the failure of policymakers in the United States to establish adequate privacy laws and regulations, online firms have been allowed to deploy commercial surveillance systems that collect and commodify every bit of our personal data. The platforms and data brokers that track us across the internet and build detailed profiles to target us with ads also expose us to ever-increasing risks of breaches, data misuse, manipulation, and discrimination.  

Online trackers collect millions of data points about us each day that are sold or transferred to data brokers, who then combine them with other personal data sources to build invasive profiles, largely to target people with “personalized” advertisements that stalk them across the web. Ads designed to follow users across the Internet can be exhausting and annoying; Americans are inundated with an estimated 5,000 ads daily, up from 500 a day in the 1970s.

Some targeted ads aren’t just annoying — they can be predatory and harmful, using people’s online behavioral data to reach vulnerable consumers that meet specific parameters. People searching terms like “need money help” on Google have been served ads for predatory loans with staggering interest rates over 1,700%.  An online casino targeted ads to problem gamblers offering free spins on its site.  In another example, a precious metals scheme used Facebook users’ ages and political affiliations to target ads to get users to spend their retirement savings on grossly overpriced gold and silver coins. In 2019, the Department of Housing and Urban Development sued Facebook for engaging in housing discrimination by allowing advertisers to control which users saw housing ads based on characteristics like race, religion, and national origin.

This ubiquitous tracking of everything we do online, and the entities that aggregate and monetize it, poses threats to consumers’ privacy, autonomy, and security. And it shouldn’t be allowed to continue unregulated. Much of the pervasive tracking that drives targeted ads is not necessary. EPIC has long advocated for strong data minimization rules that limit data collection and use to what is necessary to provide the product or service the consumer has requested. A strong data minimization rule would allow companies to continue advertising to their intended customers but in a way that doesn’t involve ubiquitous tracking of our every movement online.

Online Tracking and Mass Data Collection Happen Mostly Outside of Consumers’ View

Much of the collection of personal data happens so routinely and automatically in the online ecosystem that consumers have little to no knowledge of its scope. Tracking systems are embedded in most websites, apps, and services and begin to collect information as soon as a consumer connects to a service. Indeed, with the increasing proliferation of “smart” devices in homes, offices, and other locations, the collection of personal data frequently happens even when customers aren’t intending to interact with an online service at all. And other activities like credit card purchases and even physical movements can be logged and tracked without the consumer’s awareness or control. 

Personal Data Collected from Across the Web is Linked and Aggregated 

These pieces of personal data about us are then linked through identifiers used to track, profile, or target us across the online ecosystem. Data about what consumers do online can be linked to them automatically if they are browsing a site or using an app or service that already knows them through an established login or known credential (e.g., e-mail address, phone number, or username), but there are many other ways that data can be linked even by unknown third parties. When data is collected about activities of a consumer using a computer or mobile device, a device ID can be used to link that data with other data sets or profiles about the consumer.  Web browsers use small files called “cookies” to store information about a user’s interactions with the sites they visit, and many firms engaged in commercial surveillance have used versions of these files commonly referred to as “third party tracking cookies” to collect information about what sites users are visiting.  And even when a user’s browser or device is configured to block these tracking cookies or to not broadcast unique identifiers, online entities can use information about the consumer’s computer configuration (e.g., operating system, browser, versions, etc.) as a sort of “fingerprint” to link their data across apps, sites, and services.

For example:

A consumer, Frank, goes to a news website, and the website has a third-party tracking cookie from a different and unrelated website that he visited earlier in the day. This cookie identifies him. Data about what he’s reading is transferred to a broker and is linked to other things he read that day. The third-party cookies embedded in the webpage automatically collect his personal information, including his location data, time zone, his operating system, his WiFi network, what links he clicks on, and his IP address, linking all of this information to him and his browser. This information is quickly transferred to data brokers or advertising networks, which use it to continue adding to Frank’s already robust profile.

When another user, Alice, reads an article on a news app on their phone, the third-party ad plugins on the app are not able to link their activity based on their phone’s device ID because it has been disabled. But data brokers are able to link Alice’s unique device configuration fingerprint from another app where they were logged in, and now the information about what news articles they were reading is added to their profile and linked to their earlier browsing activities.
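The linkage in the Alice scenario can be measured. The following is an added example, not part of the original page: it counts how many known accounts share the configuration fingerprint of a record that carries no device ID or login, first with the full attribute set and then with a coarsened one. All records, attribute names, and account names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

FIELDS = ("app", "account", "os", "model", "screen", "tz", "lang", "font_count")
FULL = ("os", "model", "screen", "tz", "lang", "font_count")
COARSE = ("os", "tz", "lang")  # what is left if the client exposes only coarse values

# Constructed observations. account=None means no login and no device ID,
# as in the news-app reading session described above.
ROWS = [
    ("fitness", "alice", "Android 14", "Pixel 8", "1080x2400", "America/Chicago", "en-US", 212),
    ("fitness", "bob", "Android 14", "Galaxy S23", "1080x2340", "America/Chicago", "en-US", 198),
    ("fitness", "carol", "Android 14", "Pixel 8", "1080x2400", "America/New_York", "en-US", 212),
    ("news", None, "Android 14", "Pixel 8", "1080x2400", "America/Chicago", "en-US", 212),
]
OBSERVATIONS = [dict(zip(FIELDS, row)) for row in ROWS]


def fingerprint(record, attrs):
    """Hash the chosen configuration attributes into a stable identifier."""
    material = "|".join(f"{a}={record[a]}" for a in attrs)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def candidate_accounts(records, attrs):
    """For each anonymous record, list known accounts with the same fingerprint.

    One candidate means the anonymous session is re-identified;
    several candidates mean it hides in a larger anonymity set.
    """
    known = defaultdict(set)
    for r in records:
        if r["account"]:
            known[fingerprint(r, attrs)].add(r["account"])
    return {
        r["app"]: sorted(known[fingerprint(r, attrs)])
        for r in records
        if r["account"] is None
    }


if __name__ == "__main__":
    print("full attributes:  ", candidate_accounts(OBSERVATIONS, FULL))
    print("coarse attributes:", candidate_accounts(OBSERVATIONS, COARSE))
```

With the full attribute set the anonymous session resolves to a single account; with coarse attributes it is ambiguous, which is why browsers that resist fingerprinting reduce or standardize what they report.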

Personal Data is Used to Create Intimate Profiles and Sold

This aggregated personal data is then used to create intimate profiles about us in order to target us with “personalized” advertisements that stalk us across the web. 

Some of the companies operating in the online ad tech space specialize in building or “enriching” consumer profiles, while others merely buy, combine, and sell data sets from many different sources. Many of these services are used by companies engaged in targeted advertising and marketing to identify audiences that fit within specified demographics or to find “look alike” audiences based on existing customer or target lists. The FTC has found that these data brokers “combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences.”  The largest companies, like Acxiom and Oracle, offer a panoply of targeting and profiling tools. And the advertising platforms themselves, including Facebook and Google, also offer their own audience analytics tools. These companies profit off data harvested from consumer activities and transactions in ways entirely outside the expectations of consumers in their interactions with the websites they visit. Using raw data, data brokers and ad tech companies often summarize people with tags such as “working-class mom,” “frequent alcohol drinker,” “financially challenged,” or “depression sufferer.”

For example:

The religious social networking service and app Pray.com was found to be collecting detailed information about its users, including the texts of their posts, and linking it with information obtained from third parties and data brokers. Pray.com was also releasing detailed data about its users to third parties, including Facebook, meaning “users could be targeted with ads on Facebook based on the content they engage with on Pray.com — including content modules with titles like ‘Better Marriage,’ ‘Abundant Finance,’ and ‘Releasing Anger.’” Users of the app called these practices “exploitative,” “manipulative,” and “predatory,” and said they went against the private nature of prayer.

The goal of these and other similar systems is to enable companies to track and target specific users based on what they watch, what they read, what they buy, who they know, and where they go. And data brokers are continually expanding their reach deeper and deeper into the private lives of individuals, especially as connected devices, services, and even audio and visual sensors become more prevalent on streets, in stores, in offices, and in homes. Commercial surveillance has become impossible to avoid.

The Real-time Bidding Market: A Commercial Surveillance Machine

One of the largest systems of commercial surveillance, tracking, and profiling is the online advertising process known as real-time bidding (RTB), which is the engine that tracks and shares what people view online and their location in order to drive targeted advertising. The Interactive Advertising Bureau has explained how ubiquitous this process is: there is “not a single website publisher, mobile app, or advertising brand today that doesn’t participate in real-time systems for buying or delivering personalized ads to consumers.” RTB systems rapidly relay information about consumers to facilitate auctions that sell digital ad space in real time. “The hundreds of participants in these auctions receive sensitive information about the potential recipient of the ad—device identifiers and cookies, location data, IP addresses, and unique demographic and biometric information such as age and gender.” This “bidstream” data flows to hundreds of entities (including domestic and foreign entities that have no intention of actually serving ads) and is used to “compile exhaustive dossiers about” consumers that “include their web browsing, location, and other data, which are then sold by data brokers to hedge funds, political campaigns, and even to the government without court orders.”

A recent study from the Irish Council for Civil Liberties (ICCL) found that the RTB market alone exposes the average American’s data 747 times per day. This means U.S. Internet users’ online activity and location are being tracked and disclosed 107 trillion times per year. ICCL cited some dangerous examples of the use of this data:

There is no way to restrict the use of RTB data after it is broadcast. Data brokers used it to profile Black Lives Matter protestors. The US Department of Homeland Security and other agencies used it for warrant-less phone tracking. It was implicated in the outing of a gay Catholic priest through his use of Grindr. ICCL uncovered the sale of RTB data revealing likely survivors of sexual abuse.
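Because bidstream data cannot be recalled once broadcast, the only effective control is to limit what leaves the publisher. The following is an added example, not code from the original page or from any ad exchange: it audits a bid request for the data categories listed above and produces a minimized copy. The field names follow OpenRTB 2.x naming, which is an assumption since the page names only the categories, and the sample request is constructed.

```python
import copy
import ipaddress

# Field paths use OpenRTB 2.x names (assumption; see lead-in).
IDENTIFYING = [
    ("device", "ifa"), ("device", "ip"), ("device", "ipv6"),
    ("device", "geo", "lat"), ("device", "geo", "lon"),
    ("user", "id"), ("user", "buyeruid"), ("user", "yob"), ("user", "gender"),
]

# Constructed bid request; every value is a placeholder.
SAMPLE = {
    "id": "req-0001",
    "site": {"domain": "news.example"},
    "device": {
        "ifa": "00000000-0000-4000-8000-000000000001",
        "ip": "203.0.113.57",
        "geo": {"lat": 41.8781, "lon": -87.6298, "country": "USA"},
    },
    "user": {"id": "u-constructed-1", "buyeruid": "b-constructed-1",
             "yob": 1984, "gender": "F"},
}


def _get(obj, path):
    """Walk nested dicts; return None if any key on the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def audit(request):
    """Return dotted paths of identifying fields present in the request."""
    return [".".join(p) for p in IDENTIFYING if _get(request, p) is not None]


def minimize(request):
    """Copy the request, drop identifiers, keep only a /24 IPv4 prefix and country."""
    out = copy.deepcopy(request)
    ip = _get(out, ("device", "ip"))
    for path in IDENTIFYING:
        parent = _get(out, path[:-1])
        if isinstance(parent, dict):
            parent.pop(path[-1], None)
    if ip:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        out["device"]["ip"] = str(net.network_address)
    return out


if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(minimize(SAMPLE)), minimize(SAMPLE)["device"])
```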

Consumers Should be Able to Use the Internet Without Surreptitious Monitoring

Consumers should be able to use their devices and apps and browse the internet without fear that every click will be added to a profile and used to push them towards buying something. Commercial surveillance entities surreptitiously monitor consumers’ browsing and purchasing habits, then use them to infer sensitive personal characteristics and modify consumer behavior. For example:

If a consumer, call her Ronna, decides to shop online for a new bag to use for different personal, professional, and parental tasks, she would likely start by searching for relevant reviews, product listings, and promotions. Each website she visits is providing a specific type of content or service, and some may ask her to register for promotional updates and offers. Many of the sites would be ad-supported, and Ronna would likely expect to see advertisements for shoes and similar items on the pages where she is reading reviews or listings about those products. But Ronna likely does not expect or know that her browsing habits are being logged and used to build and “enrich” profiles held by many different data brokers, as they attempt to fit her into categories based on her age range, level of affluence, frequency of online activity, and family status.  These categories, along with data about the specific products and sites she has been visiting, would then be used to target her with ads across other websites and services. She might keep seeing the same bag that was promoted on one of the pages that she visited, its image popping up in ads on news websites and other pages she visits for work, or even in the apps that she uses to manage her infant son’s sleep schedule.
 
Then when she mentions to her friend Sam that she had been shopping for a new bag recently, Sam does a quick search on his phone to look for a recent review and (unbeknownst to Sam) sees an advertisement for the same bag that has been stalking Ronna across all her devices. The data brokers analyzing the personal data collected from both Ronna’s and Sam’s browsing had noticed that they were located in the same place and were linked on social media, and the company marketing the product had automatically targeted individuals linked to or likely to influence other potential customers. When Sam mentions the product during his conversation with Ronna, she mistakenly thinks that her friend is recommending something to her based on his own knowledge, but it is all based on the coercive targeting that has happened without her knowledge and outside of her control.

The average consumer cannot reasonably avoid this mass data collection and abuse. Participation in modern society requires being online. But it should not require sacrificing your privacy. As long as businesses are only collecting the data necessary to provide consumers with the goods and services they have requested, data processing is not generally a cause for concern. But the average consumer has no way to control what data businesses collect about them as they browse the web or use mobile apps, and they certainly do not have a way to prevent those businesses from selling that data once they have collected it or using it for out-of-context secondary purposes like profiling and targeting.

The Solution: Strong Data Minimization Rules 

Most online transactions and interactions between businesses and consumers can be carried out without the customer’s personal data being sold, transferred, or stored to be used for an unrelated secondary purpose. Consumers reasonably expect that when they interact with a business online, that business will collect and use their personal data for the limited purpose and duration necessary to provide the goods or services they have requested. Data minimization sets limits on processing: it requires that data be used specifically to deliver the goods and services that an individual has requested, consistent with the consumer’s expectations. Laws and regulations should incorporate a data minimization provision that prohibits businesses from collecting or using personal data beyond what is necessary to provide the products or services the consumer requests.

Human beings are more than data points to be sold to advertisers and data brokers. We all deserve privacy and autonomy with respect to our personal information. Individuals should be allowed to browse the internet or scroll through their favorite apps without worrying whether companies will use their own data in ways they do not anticipate. Data minimization offers a practical solution to a broken internet ecosystem by providing clear limits on how companies can collect and use data. Learn more on EPIC’s data minimization page.
