To be a modern citizen is to see little bits of your personal information marketed to advertisers or shared with other companies. Facebook has given up your messages to Netflix and Spotify, while advertisers pay for the privilege of appearing on your news feed. The College Board has recently come under fire for allowing schools to purchase lists of low-scoring students. Schools then recruit and reject the students to boost their admissions numbers. Fast Company has identified more than 120 data broker companies whose business relies solely on selling your personal data.
In addition to those data broker companies, there’s a market for analyzing or selling your consumer behavior, too. Recently, New York Times journalist Kashmir Hill reported on several companies that have amassed data on customers. For instance, the Retail Equation warns retailers if consumers exhibit “excessive return behaviors” so that companies can reject their returns, while Sift tries to identify fraudsters for companies like SeatGeek, a ticket sales site. “We send Sift all the data we want, and get back actionable information we wouldn’t have found on our own,” reads SeatGeek’s testimony on Sift’s site.
Since the European Union’s General Data Protection Regulation went into effect in 2018, companies operating in the EU are required to disclose data collection and share the information it collects with consumers. The California Consumer Privacy Act, which will go into effect in 2020, aims to do the same thing in the U.S., and many of these companies are already offering up consumers’ data to ensure they comply with the new law.
When Hill requested her data from Sift, she received a 400-page report that detailed “all the messages I’d ever sent to hosts on Airbnb; years of Yelp delivery orders; a log of every time I’d opened the Coinbase app on my iPhone.” Call me naïve, but I had always assumed my Airbnb messages would remain private. It turns out, though, that Airbnb—along with Coinbase, Yelp, and other companies—have shared this info with Sift so they can assess consumer trustworthiness and identify abuse or fraud. Hill mentions four other companies—Zeta Global, Retail Equation, Riskified, and Kustomer—that also offer to share data with consumers. But, Hill notes, “just because the companies say they’ll provide your data doesn’t mean they actually will.” Inspired by Hill’s story, I, like many others, attempted to recover my own data. I learned that the process is slow and sometimes requires sharing even more data with the company. I also learned that these companies appear to be ill-equipped to answer large numbers of requests from consumers.
I contacted all five companies twice. First, I followed the companies’ instructions for requesting my data. Then, I emailed their media or communications departments asking whether they’d seen any uptick in requests as a result of the Times’ reporting and how they fulfill such requests. In particular, I wanted to know how they would verify my identity and how they tracked me, exactly—through my email address? My physical address? Phone number?
I waited 72 hours for responses from companies, but none provided any data in response to my requests. Riskified, which, according to its website, “identifies legitimate shoppers,” was the least responsive. It didn’t respond to my request for data—not even with an auto-reply saying it had been received—nor my request for comment.
The Retail Equation emailed back within a day, telling me to call a 1-800 number and to “please be prepared to provide your driver’s license or state ID number.” First off, I’m extremely reluctant to give any company information about myself it might not already have. This request also raises questions about how a company verifies consumers’ identities by license number—does the company have access to state databases to confirm valid ID numbers? And what about undocumented citizens who live in the 37 states that don’t allow them to obtain a government ID—are they not able to request their info? The company did not respond to my request for comment.
Zeta Global, which maintains a database of profiles on more than 350 million people, also requires additional information before providing a report. “We require a requestor to provide a government-issued ID into our OneTrust system as a security measure to prevent fraudulent accounts from acquiring personal data,” says Megan Rose, the company’s vice president of communications. “The ID is then manually verified and will be automatically deleted 90 days after the request has been closed.” Again, I was reluctant to provide any data to these companies, especially a photo of my ID, but it was heartening that the company has a clear plan both to confirm my identity and, eventually, to delete that information.
Kustomer, which says it offers a “platform to … provide unprecedented insight into a customer’s past experiences and current sentiment,” required me to fill out a form with my full name, country, email, and whether I was seeking data collected by Kustomer or by one of its clients. I was curious about both, but selecting “client” required you to specifically list a client, which I suspect most consumers would not have insight about—and I worry that’s a loophole the company could exploit to avoid handing over all its data to consumers. The company emailed me two days later saying there was no data on me, but I have definitely made accounts or even purchases with some of Kustomer’s publicly identified companies, like Rent the Runway and Glossier. It’s possible I used a different email address than the one I submitted to Kustomer, though.
In response to my request for comment, Kustomer issued a statement that did not address my question about how it fulfills consumer data requests. I asked again, and the communications firm handling Kustomer’s media requests told me they only process data, so privacy requests need to be directed to data controllers, the companies actually collecting data on us—but again, did not answer my question about how the company matches requests with consumer data. Based on my results, I suspect it must use email addresses, which makes me curious how useful Kustomer’s data analysis actually is to companies. Could I escape a bad consumer reputation profile simply by switching email addresses?
It’s possible that these holdups are due in part to a larger number of requests. Zeta Global’s Rose told me they’d seen an increase in requests since the Times article was published. Sift’s data privacy officer Bradley Flynn says that company “has experienced a large increase in the number of data requests in the past 24 hours.” A couple of days later, Sift emailed consumers requesting data to explain the delay, saying it was working to verify consumers’ identities and would fulfill requests for EU citizens within 90 days, per the GDPR, but that all other requests would take longer, as “we must give priority to those requests for which our timely response is legally required.” The company didn’t profile information on what “a large increase” means, but based on their email to requesters, it seems like they’ve gotten many more requests than they can handle in a timely manner.
Even if I ever do get access to what data these companies have about me, it’s unclear what I could do with that information besides recognize the extent to which my privacy has been violated. “Consumers can now find out how much information these companies have, but that does nothing for privacy,” says Kristen Walker, a professor of marketing at California State University, Northridge. Freely handing over this kind of data is often mistaken for transparency, but, says Walker, it’s too little, too late. “Transparency is being used in a way that misleads consumers,” she says. “Transparency isn’t ‘give everyone all the information at once’—it’s ‘make sure people understand what the product or service is offering.’ ” Even as consumers have access to “transparent” privacy policies, it falls on consumers to parse what’s often confusing legalese, and even then, “that does nothing for my ability to choose whether or not I have control over my data,” Walker points out. The California Consumer Privacy Act allows consumers to request deletion of their data, but just finding all of it would be a huge undertaking for any one consumer.
But requesting that data—to say nothing of requesting deletion of that data—is a cumbersome process, and none of these companies appears to have a streamlined system to allow for quick processing of such requests. At this point, it seems like companies’ data request options feel like an afterthought, tacked on for legal compliance rather than designed with the expectation that consumers might actually use it. Fielding large-scale data requests is not easy, of course, but if these consumer data companies can provide those details quickly for their clients, it feels like intentional obfuscation to require consumers to call a 1-800 number designed for complaints, not data requests, and then wait on hold for a few minutes and provide an ID number.
At this point, says Walker, our best hope at reining in these companies is to regulate them, but they’re amassing data at a pace that far outstrips the glacial speed of legislation. “If you look at the GDPR and the CCPA, both are trying to harness what companies are doing, but they’re putting the harness on while the companies are running,” she says. “Regulations can’t keep up.” Any time you’re buying things online, using social media or food delivery apps, or even just browsing the web, just know that you’re adding to your permanent record.
Update, Nov. 13, 2019: This article has been updated to clarify Kustomer’s product.