Feb. 22, 2018

What's stopping the sale of your private data?

New study co-authored by Haskayne profs examines business decisions companies make when selling your data online

As website publishers gather and share their users’ data with third parties, privacy concerns are growing. A newly published study sheds light on the practice by examining the tradeoffs that website publishers must make between privacy and monetization when they share information with third parties.

Co-authored by Haskayne School of Business professors Hooman Hidaji and Ray Patterson, pictured above, and researchers from the University of Connecticut, California State Polytechnic University and Georgia State University, the study is among the first to closely examine the decision-making process for how website publishers decide to share user personal information or browsing data with third parties, and the growing privacy concerns associated with the practice.

“When we began this study, it was shocking to learn the extent to which websites instantly share your data with third parties. Within the first two or three seconds of landing on a website, your data is often shared with dozens of third-party firms,” says Patterson, a business technology management professor.

In their work, the researchers empirically showed that sharing data may be lower in industries where user privacy concerns are higher. However, the result is fewer third parties and a higher industry concentration of third parties. Thus, even though the number of third parties is lower, users’ activity across multiple websites in the same industry is more likely to be observed by the same third party. That means a more complete picture of users’ activity across an entire industry is more likely to be known when you have higher privacy concerns.  

Regulations against data sharing not seen as effective

The researchers also examined whether there are any safeguards against rampant data sharing besides regulation, which they found does not seem to be all that effective. Through their exploration of the impact of user privacy concerns, they show there is at least a market mechanism that creates a sort of natural limit to the number of third parties that get to see your personal data. 

“News websites and websites catering to kids and teens do a lot of data sharing with third parties. It can easily be argued that news readers are not concerned about third parties knowing their taste in news, yet this can be very valuable information to an advertiser. Health care and adult website users are arguably much more sensitive to a permanent record being made of their surfing behaviour, and thus these websites share this information with fewer third parties. Knowledge about your health care and adult website viewing habits could be potentially extremely valuable to sell,” says Patterson.

“A fear of having the health care and adult websites you visit come back to haunt you may be quite reasonable, especially when considering potential workplace and social discrimination that could result if your surfing behaviour were common knowledge. Publisher websites do not limit their sharing of sensitive data out of the goodness of their heart. They limit their sharing because violating user trust would drive all of their customers away. The natural market mechanism plays off website users’ fear, and is a powerful brake on how much data publisher websites are willing to share with third parties.”

Third-party content on websites can provide value and utility such as improved website performance, better website functionality and advertising. But the cost is that valuable and private user information is shared with third parties, usually without the user’s knowledge or consent.

Collection, sale of private data has grave implications

Co-author Hidaji says the large-scale collection and sale of user private data has grave implications that can result in systematic discrimination and privacy breaches.

“I think online targeting and tracking has enabled firms to access unprecedented data attributes on their customers and clients which was not previously available. These include interests, browsing history, location, and past purchase history, which can be rather easily mined to provide customized products and/or services,” says Hidaji.

“However, there is a fine line between customization and discrimination: the same data can be used by firms to systematically offer certain products at certain prices to potential customers in a certain location or with certain interests, but not others, in order to maximize profits.”

Another threat to website publishers’ bottom line is the potential for data breaches, such as what happened with the American retailer Target.

“Target tended to share with a lot more third parties than other large retailers. Eventually, it was through a third party that millions of credit cards were stolen. This is a potential risk that could easily cost companies hundreds of millions of dollars, and this curbs the appetite for sharing,” says Patterson.

“Thus, even news websites and kids and teen websites have some natural limit to how many third parties they are willing to share your data with, because eventually the lawsuits associated with security breaches would drive completely irresponsible publisher websites out of business. But that leaves a lot of room in the middle for publisher websites to sell your private and sensitive data.”

The study "How Much to Share with Third Parties? User Privacy Concerns and Website Dilemmas," has been published in the journal MIS Quarterly.