Case Proposal: "Your personal data may be purchased through data brokers"

I know Case 382 (Information is gathered about you through third parties) exists. This is indeed a subset of it, but I’ll argue this is a way more alarming and unique case for user privacy.

Same argument for Case 492 (Your provided identifiable information is actively checked by the service). I’ll argue this one is even less related given the description of that case, which does not mention the purchase of data.

Reasoning

PLEASE, VIEW THIS AS IF YOU WERE A NORMAL USER USING OUR EXTENSION / VISITING OUR WEBSITE (WHICH IS ARGUABLY MOST OF OUR AUDIENCE)!

I’m of the opinion that “gathering data” does not necessarily entail “purchasing data”.
Having this case would be a clear and concise warning for users and their privacy.

Also, I’ve reviewed a bunch of services that mention this explicitly, including Slashdot Media (formerly Sourceforge), as an example. There are more of them, but I can’t remember which ones specifically. It’s more than 5 as far as I’ve reviewed, and I only expect this number to increase as we review.


Case Characteristics

NOTE: The wording is not final, just a first draft.

  • Name: “Your personal data may be purchased through data brokers”
  • Type: Blocker (this practice has the potential to be REALLY invasive for users’ privacy)
  • Weight: 50(?)
  • Topic: Either Topic 41 (Personal Data) or Topic 48 (Third Parties)
  • Description: “This service actively buys your personal data from data brokers and/or other sources,”(?)

What are your thoughts?

Do you mean that the service purchases data about you from data brokers or that it sells data to data brokers?

For the second option all cases that I have seen would be covered by this Terms of Service; Didn't Read - Phoenix

If you did find a service that sells data without having the option to opt-out then I would be for a blocker with the title “This service may sell your personal data and you can not opt-out”

Topic is personal data imo

1 Like

Slashdot, for example, does offer an opt-out: Terms of Service; Didn't Read - Phoenix

1 Like

Purchasing, not selling.

For example this line from Slashdot Media’s Privacy Policy would be a case:

We collect Personal Data from publicly available sources and from third parties (such as data brokers), which we may combine with Personal Data you have provided to us or that we have collected automatically.

In this case there’s no specific mention of selling but, as far as my limited knowledge goes, data brokers SELL data.


I believe we have the selling part somewhat covered (though I have some issues with our current cases that describe the selling of data, but that’s out of scope).

1 Like

I’m 80% sure I have read one ToS that would qualify, but I can’t remember. Out of scope though.

I agree, but I have this itch… Wouldn’t data brokers count as third parties?

@shadowwwind What if instead we changed “through” to “from”, to be more concise?

“Your personal data may be purchased from data brokers”

1 Like

Yes that’s better.

Then the description of 382 needs also to be updated to exclude purchasing.

I agree for a new case as 382 also applies to basic “sign in with” buttons and having something separate is a good idea.

Actually, not so sure about that. The selling part is the bigger privacy-breaching part in my opinion.

I get your point, but I’m of the opinion that both selling and purchasing are equally bad. They’re part of the same business of trading personal data from users, in the end.

@shadowwwind Perhaps we could make it a negative. I have my disagreements but I can agree with your points if needed. That being said, because this is regarding user data being purchased, I’d say the penalty should be high (within reason).

That being said, I’d prefer it to be a blocker.