Clario’s summary on the types of personal data collected by various companies is a sobering / fun (depending on which side of the aisle are you on) article.
I’m borrowing it here because it’s a useful piece of awareness:
But the table is not complete, so here are some additional thoughts:
- Instagram is owned by Facebook, and (according to the chart) is collecting some data above what Facebook is collecting. There is no boundary/fence/firewall whatsoever between Instagram and Facebook, so whatever Insta collects, you can bet Facebook will mine. You have an Insta account on top of your Facebook? Tough luck, Facebook now has access to 76% of your personal data, instead of the reported 70%.
- I miss Google products from the list. Sure, Google Maps is there, but where’s Youtube; where’s Search itself; where’s Gmail; where’s Android in general. Google probably out-collects Facebook but is not included as a whole.
- Same goes actually for Amazon and its subsidiaries like Ring. Sure, Amazon is a retailed with limited data collected. This data, incidentally, includes video of your front yard. And your Alexa search history. And the times when you leave your house, listen to music, or start cooking. And your kids’ favorite songs or cartoons.
- In defense of these data hog companies, “Bank Account Details” in the list, in most realistic cases, means an app knows e.g. your PayPal id, normally an id that is harmless in itself, but of course is needed to initiate any sort of transaction. The real deal (having access to your credit card or real bank account) is in your payment processor like PayPal or Apple Pay, so here naturally additional trust is crucial. If you don’t trust someone, don’t give them your credit card details.
- Browsing history resulting from following you in your browser and devices is something very hard to measure but extremely valuable information. Facebook, Google are probably winners here, and arguably this is a multiplicator on the usefulness of all other “hard” data collected, giving that extra touch of behavioral tracking and analysis. (Credit where credit is due, Clario’s own website does not do any such tracking.)
Most importantly, what a company does with your data is as, or more important than anything they collect. A bank in Europe or your insurance company knows a lot about you. But they also fall under fairly strict regulations and (admittedly, sometimes less strict) audits on what they can do with that data, so it unlikely for example that you would be targeted against your will (again, in Europe) based on your bank transactions or medical history — because your audited provider will most likely not expose this and risk of losing their license. (Of course there are exceptions: for example, if you did the 23andme exercise, you forfeited some of your rights here, plus you left European jurisdiction so ymmv. And even in Europe, if you are unlucky you can fall in potholes of GDPR violations like the patients of that psychotherapy clinic in Finland. (You could say that after this, the clinic will be… Finnished?…)
So there’s benefit in thinking through data you grant access to, and who we grant that access. Do you trust Company X? How much? Would you give them your medical info? How about your credit card details? No? How about your name and email? How about Google or Facebook or Amazon buying that company, how does that change your preferences?
I hope Clario’s nice table gets to a lot of people and will trigger thinking about what’s not there, and what it means.