Privacy - D200

From New Media Business Blog


Data privacy, also called information privacy, is the aspect of IT that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties.

Data profiles are built from personal information that companies collect from you. The type of information gathered about you ranges from your age and gender to more specific information such as your location history. The following wiki highlights how companies collect and combine your data to create profitable personal profiles, discusses the laws pertaining to data use, and the future implications of prioritizing convenience over our privacy.


Methods of Collecting Data


Google location history[1]

Google tracks your information in more areas than the average consumer is aware of. The company tracks your personal data in areas such as your web and app activity as well as your location history. Web and app activity includes things such as your purchase history through your Gmail account as well as your social media interactions. Each of these data sets on its own is not very powerful; however, Google aggregates all information collected on you to create a detailed personal profile, producing specific targeted marketing data that is used to sell Google advertisement space.

How to opt out of Web & App Activity tracking[2]:

  1. Go to Activity Controls on your Google account
  2. Go to Web & App Activity
  3. Click Manage Activity
  4. Click Delete Activity by link on the left
  5. Select All Time as date range and All Products as the filter

How to opt out of Location History:

  1. Go to
  2. Go to Location History
  3. Choose Manage Location History and toggle the button to turn off location history

How to delete your location history:

  1. Tap the settings button on the Location History map
  2. Select Delete all location history


Facebook gathers data about you based on your activity on the site and the pages that you interact with.

It tracks and stores data such as[3]:

  • Ads you click on
  • Personal information added to your profile such as the schools you attended
  • IP addresses used when logging in
  • Activity log of your posts and activities

Facebook does not sell your data to make money; instead, it sells access to you. More specifically, it uses data collected from you to show personalized ads.

In an attempt to be more transparent with its users, Facebook now shows who shares your information so that other advertisers can target you. You can browse the different businesses that have information on you through Facebook by following these steps [4]:

  1. Go to Settings
  2. Click Ads
  3. Go to Ad Preferences

Here you can change ad settings, such as turning off ads based on data from outside advertisers, or view which companies have access to your data.

Genetic Data

Genetic data can be collected through home-based genetic testing kits such as 23andMe or, where customers mail their saliva to the company, have their DNA analyzed, and in return receive a detailed report about their DNA [5].

23andMe has sold a $300 million stake to a pharmaceutical company, GlaxoSmithKline (GSK), in order to combine large DNA datasets with GSK’s medical knowledge and create new pharmaceuticals based on consumer data. Customers agree to the sharing of their DNA when they sign up for the service, and they have the option to opt out of future sharing of their data. However, consumers cannot have their data removed once it has already been transferred, as in the GSK case.

There are many implications of personal data being used in this manner. Having over 5 million customers’ genetic data added to data profiles reduces customer privacy, and will lead to drugs being developed that target customers with genetic predispositions discovered through their DNA [6].

Genetic information can also be combined with basic data sets such as one’s age to track individuals. For example, in the Golden State Killer case, a California murderer was caught when his DNA from a crime scene was tested with data obtained from and 23andMe, matching his DNA to his ancestors[7].

Smart Home Devices

Virtual Assistants[8]

Smart home devices such as Google Home and Amazon Alexa, which assist users by responding to voice-activated commands, use microphones that are always on so that they can respond to those commands.

Both Amazon and Google have reported that they listen to audio clips in order to improve the virtual assistant’s speech recognition and, in turn, the customer experience. Amazon reports that employees do not have access to identifying information about customers, as the recordings are anonymized. Similarly, Google claims that it listens to anonymous voice recordings to improve its multilingual voice assistant, and that the audio samples its contractors listen to are approximately 0.2% of voice recordings. However, Google does state that it uses your interactions with Google Home to build your personal ad profile. Amazon also states that it uses consumer interactions with its device to provide personalized ads [9].

Data Brokers

Once data has been collected through the various methods noted above, data brokers (companies that collect personal information about consumers from multiple sources) compile this data to derive consumer profiles for marketing purposes.

Acxiom is a data broker that holds comprehensive consumer data on approximately 250 million US customers, and claims to have consumer profiles on 2.5 billion of the world’s marketable consumers [10].

It sells data packages that are ideal for companies looking to better understand their consumers, with insight packages such as:

  • Consumer analysis – identifies suppression audiences such as minors more accurately
  • Geospatial insights – consumer locations are used to develop marketing campaigns
  • Touchpoint data – phone and email information to support “omnichannel”
  • Lists – marketable names and addresses for offline customer acquisition

The information that they provide includes areas such as[11]:

  • Individual demographics – age, gender, ethnicity, education, occupation
  • Household characteristics – size, number of children
  • Financial information – income ranges, net worth, economic stability
  • Life events – marriage/divorce, birth of children
  • Interests – sports, families, pets, activities
  • Buying activities – products bought, payment methods
  • Behaviors – community involvement
  • Major purchases – travel, tech

Targeted Advertising

Sample Google Ad Profile [12]

Once data has been obtained and packaged by companies or data brokers, it can be used for targeted advertising. Targeted advertising focuses on certain traits of consumers in order to increase the effectiveness of advertisements.

Google’s targeted advertising is based on personal information you add to your Google Account and data from advertisers that partner with Google; the aggregated data is used to predict which ads you would be interested in. Google's main source of revenue is advertising, using aggregated data to build ads that appeal to consumers. When users click on the ads shown on a third-party site, Google keeps a portion of the profit from each ad.

You can see the ad profile Google has built on you by going to this link:

Google Adwords

Google has earned 32.2 billion in advertising revenue. When someone searches for something on Google, it looks at the Adwords advertisers pool and determines whether or not there will be an auction.

If more than two advertisers are bidding on keywords that Google deems relevant to the search query, an auction is triggered. Keywords are not search queries; instead, they provide access to a wide range of search queries. For example, the keyword ‘pet food’ may be entered into auctions for a wide range of search queries, such as ‘food for dogs’. Advertisers identify the keywords they would like to bid on as well as how much they want to spend. Their chosen keywords are then grouped and paired with ads. Next, Google enters the keyword from the bidder’s account that it sees as most relevant to the auction, together with the maximum bid specified and the associated ad.

Google determines which ad is shown by computing each bidder’s ad rank. It does this by looking at the bidder's maximum bid and their quality score. A quality score is a metric that measures how relevant and useful the bidder’s ad is to the user. Lastly, the bidder pays the minimum amount needed to hold the position they won, and only if their ad is clicked on [13].
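As an added illustration of the auction mechanics described above (this is constructed example code, not Google's), the toy model below scores ad rank as maximum bid times quality score and charges each winner just enough to beat the next ad rank. The word-overlap relevance measure, the quality scores, the reserve price, the one-cent increment, the rule that an auction needs at least two entrants, and the advertisers themselves are all assumptions made for the example.

```python
"""Toy generalized second-price keyword auction (constructed illustration)."""
from dataclasses import dataclass

RESERVE_PRICE = 0.10     # assumed: lowest-ranked winner pays this floor per click
PRICE_INCREMENT = 0.01   # assumed: winners pay one cent more than needed to beat the next rank


@dataclass
class Advertiser:
    name: str
    keywords: dict          # keyword -> maximum bid the advertiser set for it
    quality_score: float    # assumed 1-10 score for relevance and usefulness of the ad


def relevance(keyword: str, query: str) -> int:
    """Assumed relevance measure: number of words shared by keyword and query.
    A keyword such as 'pet food' therefore also reaches the query 'dog food online'."""
    return len(set(keyword.lower().split()) & set(query.lower().split()))


def select_entry(adv: Advertiser, query: str):
    """Enter the advertiser's most relevant keyword with its maximum bid, or None."""
    if not adv.keywords:
        return None
    best = max(adv.keywords, key=lambda kw: relevance(kw, query))
    if relevance(best, query) == 0:
        return None               # nothing relevant: this advertiser stays out
    return best, adv.keywords[best]


def run_auction(query: str, advertisers: list, min_entrants: int = 2) -> list:
    """Rank entrants by ad rank (bid * quality score) and price each position.

    Returns a list of dicts ordered from top position downwards, or [] when
    fewer than min_entrants advertisers have a relevant keyword."""
    entrants = []
    for adv in advertisers:
        entry = select_entry(adv, query)
        if entry is not None:
            keyword, bid = entry
            entrants.append((adv, keyword, bid, bid * adv.quality_score))
    if len(entrants) < min_entrants:
        return []
    entrants.sort(key=lambda e: e[3], reverse=True)

    results = []
    for i, (adv, keyword, bid, rank) in enumerate(entrants):
        if i + 1 < len(entrants):
            # Pay the smallest bid that would still beat the ad rank below you,
            # never more than your own maximum bid.
            next_rank = entrants[i + 1][3]
            cpc = min(bid, next_rank / adv.quality_score + PRICE_INCREMENT)
        else:
            cpc = min(bid, RESERVE_PRICE)   # last position only pays the floor
        results.append({"position": i + 1, "name": adv.name, "keyword": keyword,
                        "max_bid": bid, "ad_rank": rank, "cost_per_click": round(cpc, 2)})
    return results


# Constructed sample advertisers; bids are dollars per click.
SAMPLE_ADVERTISERS = [
    Advertiser("PetMart", {"pet food": 2.00}, quality_score=8),
    Advertiser("DogDepot", {"dog food": 3.00}, quality_score=4),
    Advertiser("CatCorner", {"cat toys": 5.00}, quality_score=9),
    Advertiser("Barkly", {"dog treats": 1.50, "dog food delivery": 1.00}, quality_score=10),
]

if __name__ == "__main__":
    for row in run_auction("dog food online", SAMPLE_ADVERTISERS):
        print(row)
    print("no auction:", run_auction("cat toys", SAMPLE_ADVERTISERS))
```

Note that the highest bidder (DogDepot at $3.00) loses the top slot to PetMart, whose lower bid is multiplied by a much better quality score, which is the point the page makes about ad rank.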

Privacy Laws

Personal Information and Electronic Documents Act (PIPEDA)

PIPEDA, the Personal Information and Electronic Documents Act, is a federal Canadian law that applies to private sector companies in Canada that disclose personal information for commercial activity. It states that organizations must obtain consumers’ consent when collecting, using, or disclosing personal information. Consent must be meaningful, meaning that an organization must make a reasonable effort to make sure that individuals are aware of the reasons their data is being collected and what it is being used for.

Personal Information means information that is identifiable to an individual, including [14]:

  • Name
  • Opinions about the individual
  • Birthday
  • Income
  • Physical description
  • Medical history
  • Gender
  • Religion
  • Address
  • Political affiliations and beliefs
  • Education
  • Employment

Freedom of Information and Protection of Privacy Act

BC’s version of PIPEDA is called FIPPA (Freedom of Information and Protection of Privacy Act), which sets out the access rights to personal records as well as the privacy rights of individuals in relation to the public sector. It establishes the terms under which a public body can collect, use, and disclose personal information [15].

American Law

A single overarching law for data privacy does not currently exist in America. Instead, there is a patchwork of regulations at both the federal and state levels that focus on particular types of data. State laws may impose restrictions on businesses relating to the collection, use, and disclosure of information for different categories of information, such as email addresses, medical records, or phone records. At the federal level, the Federal Trade Commission Act (FTC) protects consumers against unfair or deceptive business practices. “Deceptive practices” include failure to provide enough security for personal information as well as using deceptive advertising techniques [16].

Ireland Friends with Tech Companies

Ireland is the chief enforcer of one of the world's toughest privacy rules, the General Data Protection Regulation (GDPR) [17]. These rules are in place to protect the personal data of all citizens in the European Union, making sure their privacy is kept intact from big companies like Google, Facebook, Twitter, and Amazon.

As acting chief enforcer for the GDPR, Ireland keeps a friendly relationship with big companies like Facebook and Google. Ireland went as far as granting low taxes, opening access to top officials, and securing funds for big companies to build their new headquarters [18]. Because Ireland is friendly with tech companies, many data privacy experts and regulators say that Ireland is not taking policing seriously. These experts and regulators called Ireland’s authority into question when privacy concerns arose around Facebook’s reintroduction of facial recognition software and its data sharing with WhatsApp, and around Google sharing its information with its numerous social platforms.

Ireland’s Data Protection Commission Complaint

The main concern for most European Union (EU) countries was the competition to attract tech companies to their country. As regulators, they knowingly want tech companies to come into their country, creating an influx into their economy. But doing so blurs the line regarding a regulator's ability to operate without bias, as is the case with Ireland. Tech companies are a dominant force in Ireland’s economy, and this has raised alarms for other regulators, as Ireland seems hesitant to be intrusive in those companies' affairs.

Ireland was at the forefront of preventing a privacy breach, but its reluctant efforts to screen applications contributed to the Cambridge Analytica scandal. In 2010, Facebook launched a platform called “Open Graph”. Open Graph was available to third-party apps, allowing external developers to request permission to access oceans of personal data from Facebook users and their Facebook friends’ data [19]. In 2011, Ireland’s Data Protection Commission filed a complaint against Facebook for allowing outside app developers to access Facebook friend data. Facebook pushed back on these complaints, and Ireland backed off and gave Facebook an almost score for its privacy practices.

Cambridge Analytica Scandal

As a result, in 2016 during the American elections a scandal broke out about Cambridge Analytica using people’s personal data to sway public opinion. In 2013, Cambridge Analytica created an app called “thisisyourdigitallife”. This app asked users to answer questions for a psychological profile [20]. The app also harvested data from their Facebook friends, which was reportedly done to millions of Facebook profiles. In the following year, 2014, Facebook amended its rules and limited developers’ access to user data. This ensured that third parties would have to ask permission before gaining access to users' data. But this did not result in Cambridge Analytica deleting the data it had already collected.

In 2018, it emerged that 87 million Facebook profiles had been harvested without the users’ consent. Cambridge Analytica used the data it had acquired to develop a “psychographic” profile. The FTC (Federal Trade Commission) opened an investigation into Facebook to see whether Facebook had taken the necessary precautions that Facebook CEO Mark Zuckerberg had committed to in his 2011 settlement with the US government. After a year of investigation, the FTC found that Facebook had gone against its settlement with the government. The FTC gave Facebook a $5 billion fine for the privacy breach, the biggest fine ever given to any company; the previous record was 22.5 million, given to Google for bypassing the privacy controls in Apple’s Safari browser [21]. The SEC (Securities and Exchange Commission) was also paid 100 million to settle charges that Facebook made misleading disclosures about the risk of misuse of Facebook user data.

Facebook Fined

However, a $5 billion fine would hardly hurt Facebook, which is worth $539 billion [22]. The news of the $5 billion fine for the Cambridge Analytica scandal actually increased Zuckerberg’s net worth by $1 billion: Facebook stock went up 1%, and since Zuckerberg owns 88% of Facebook, his shares increased in value by $1 billion. Facebook had anticipated that it would be fined between 3 – 5 billion [23]. It therefore planned its annual financials around that expectation, and investors reacted positively to that plan paying off and to the fine not being bigger [24].

Ways to rein in Facebook’s control over our data include monetizing the data it extracts from its users, not allowing Facebook to collaborate with its other online platforms (e.g. WhatsApp and Instagram), and watching Facebook and Google under a microscope. The ability to fine big tech companies is a powerful tool; however, the problem will still persist, especially if the problem in question is a rogue industry that is worth billions, and putting it under democratic control will take more than a few fines.

Facebook Integrating Acquired Platforms

Facebook acquired social media and messaging platforms like Instagram and WhatsApp. Facebook stated that it will not share data between these platforms, but that it will integrate the infrastructures of all its subsidiary apps for the purposes of end-to-end encryption. This means it will structure the platforms to make it easier to transfer data between them, allowing the apps to communicate with each other, or in other words to share.

Comparing the privacy levels of Instagram and Facebook Messenger to WhatsApp, which is known for its end-to-end encryption, shows that the integration will strongly affect them. Integrating the platforms therefore means one of two things: either the level of encryption on Instagram and Messenger will be upgraded, or the level of encryption on WhatsApp will be downgraded [25].

The security implications could be good or bad, depending on the motive of the company. However, Facebook has not been known for upholding its users’ privacy, but rather for exploiting their privacy for monetary gain. Giving Facebook control over these platforms could be cause for alarm, especially given Facebook’s misuse of our data. As a profit-seeking business, monetizing mined personal messages does not give the company the content it needs to make money [26]. This leaves the question of what Facebook intends to do with these integrated platforms. Another motive for Facebook to integrate these platforms is to make it impossible for regulators to break up the Facebook, WhatsApp, and Instagram platforms [27]. By doing so, Facebook is cleverly defending itself from losing its acquired platforms [28].

Nevertheless, linking these platforms together will improve security, but it will also allow Facebook to collect metadata as the platforms share information with each other. For example, WhatsApp uses your phone number to access the app; Instagram uses your phone number or your email; and Facebook uses both your phone number and email, as well as personal data like your gender and your birthday.

This information will likely be used to cater advertisements better to the user. Zuckerberg said that Facebook had received complaints that, if users are going to see ads, they would like them to be relevant [29]. Zuckerberg also mentioned that the majority of people agreed to have their data collected to improve the relevancy of adverts as part of the EU General Data Protection Regulation (GDPR). Although Facebook could possibly use the metadata for improved advertisements, Facebook has been a financially motivated company, so leaving our data in its hands is problematic to say the least.

Facebook Facial Recognition

Facial recognition[30].

Facebook tried to reintroduce its once-banned facial recognition tool, which was previously deemed an invasion of privacy by the EU, which feared that the pictures would be used without permission [31]. Facebook responded by saying that the pictures will be used only with the consent of the user. However, EU regulators argue that merely storing the pictures is against the rules of the GDPR.

Facebook's stated reason for launching facial recognition is to help safeguard its users’ identities: the facial recognition is in place to see whether strangers are using their photos to impersonate them. Nevertheless, this technology could be used for identifying people without their knowledge or consent, as well as a tool to catch criminals [32]. This raises alarms about a future surveillance state, unlike China, which has already implemented a surveillance state with the help of tech giants [33].

Google’s Mass Sharing

Google failed to obtain consent before sharing data among its many growing networks and products like YouTube, Google Photos, Gmail, and more. The controversial move by Google raised alarms among all the EU regulators, except for Ireland. Irish regulators would not investigate, since the paperwork for them to probe Google had not been finalized [34]. The paperwork was finished in January 2018, but there has yet to be an investigation. German authorities have expressed that the Irish Data Protection Commission can go after Google without Google’s consent [35]. France, by contrast, took action, went after Google, and fined it 50 million euros [36].

Politicians on Making Laws on Technology

In terms of making laws, politicians have the most experience, and we leave law-making to the government. In spite of that, politicians lack fundamental knowledge of cyber security and data privacy, making them unfit to make laws in areas they are oblivious to. The average age of a House Representative in the US is 57 years old and the average age of a Senator is 61 years old, while the average age of tech giants is nearly half those ages [37]. The age disparity alone makes them unqualified to make such laws. During the Facebook congressional hearing, the lack of knowledge was apparent when the Senator of Ohio, Orrin Hatch, asked Facebook CEO Mark Zuckerberg “how do you sustain a business model when people don’t pay for services?” [38]. Although Zuckerberg had to answer for his actions, these were not the answers we were hoping for. These government officials could not grasp the fundamental way Facebook operates, and expecting luddites to make rules that will affect the future seems like the wrong move. Instead, the government should opt for a third party who is knowledgeable about the tech world and use their experience to craft laws against data breaches.

Monopoly Merger

From 2018 to 2019, there has been news about tech companies like Google and Facebook using their online platforms to collect and gather data from their unsuspecting user base, essentially creating a mountain of data at their disposal, which some would say is a monopoly on personal data. The way events are progressing, there is a future in which our data is used against us for monetary gain, quintessentially creating the new currency for these tech companies.

Since the acquisitions of numerous platforms like Instagram, WhatsApp, and YouTube, Google and Facebook have their fair share of user data. Hypothetically, a merger between Google and Facebook would be an unprecedented move in the tech world and would create pandemonium. Government intervention would follow if such an event were to occur, but if these tech companies were to integrate their systems together, that would make it impossible for regulators to break them up. This would create a monopoly on data and a force more powerful than the government can control in its democratic system [39].

The power Facebook and Google would possess could turn our platforms on and off, blinding us and causing hysteria. When Facebook, WhatsApp, YouTube, and Instagram are down, people panic because they are disconnected from the world [40]. Others depend on these platforms to create and distribute their content for an income, so losing these platforms would greatly affect them.

General Data Protection Regulation (GDPR)

Why was it drafted?

The GDPR is known in the UK as the Data Protection Act 1998. It was drafted because businesses had become dependent on the web. The advancement of social media, and the availability of our personal information on these websites, leaves room for misuse of information.

How data is used by a slew of digital platforms

Google and Facebook are digital platforms that offer free services in exchange for data collection. You pay them back with every click, comment, or like, and with every search you make on Google’s search engine or Facebook’s newsfeed. This information is conveniently packaged up for third parties, who use it for their own monetary gain through targeted advertisements.

Facebook’s Cambridge Analytica Scandal

User data was found to have been improperly shared with a third-party app, which was used to target adverts to influence individuals during the 2016 elections. GDPR is a regulation and not a directive that each state applies as its own law, creating fewer variations in interpretation between member states. This is believed to create smoother data flows while also collectively saving companies billions.

When did GDPR come into effect?

The GDPR came into effect on May 25, 2018 for all customers and clients who are residents of the EU.

Who does it apply to?

Every business must comply with the EU’s data laws, even if it is based in the US. Most companies have at least some data belonging to EU citizens stored on their servers, and to process that data they must comply with the GDPR principles. Some companies avoid the issue by blocking EU traffic altogether; the LA Times is one company that has implemented this GDPR avoidance scheme.

Data controllers and Data Processors

  • A controller is responsible for setting out how and why data is collected, but doesn’t necessarily collect the data itself
  • A controller can be anyone from a high street retailer to a global manufacturer, while a processor could be an IT services firm they employ
  • It is the controller’s job to ensure that the processor complies with data protection law, while processors must maintain records of their processing

How can I process data under the GDPR?

Controllers must ensure that personal data is processed lawfully, transparently, and for a specific purpose. This means they must notify individuals, in understandable terms, why their data is being processed and how it is being done, while abiding by GDPR rules.

What counts as personal data under the GDPR?

Types of data organizations now collect about people

  • Online identifiers (IP addresses)
  • Economic data
  • Cultural or mental health information

When can people access the data we store on them?

  • Individuals can submit a subject access request (SAR) to an organization
  • The data controller will then have 30 working days in which to provide a full response
  • This lets individuals hold companies to account over how they use their data
  • Individuals have the right to understand how their information is handled, and for what reasons
  • Customers can also ask for data to be removed, completed, or brought up to date at any time if it is deemed incorrect

Right to be forgotten?

People can have their data deleted at any time if the company storing it no longer needs it for the purpose it was collected for. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like if they:

  • Object to the processing of their information
  • Or no longer want it collected

The controller is responsible for telling other organizations to delete any links to copies of that data, as well as the copies themselves.

Fines for breaches of GDPR

Previously, the ICO (Information Commissioner’s Office) could fine companies a maximum of 500,000. Now, failure to report a data breach to the ICO within 72 hours of discovering an incident can be fined up to 2% of the company's annual turnover, or 10 million euros.

Breaches of personal data under the GDPR carry a maximum fine of 4% of your organization’s annual turnover, or 20 million euros.

ICO says fines are a last resort if other options have been explored.

Do we need a data protection officer?

Any organization that processes data needs to employ a data protection officer, especially organizations whose core activity is data processing that requires regular monitoring of individuals. The data protection officer’s job is to inform and advise the organization about meeting GDPR requirements and to monitor compliance. They are also the data protection authority’s primary point of contact and are expected to cooperate with the authority.

Smart City

The future of our data protection raises concerns over obtaining data without consent, as the methods of collecting our data are increasing. For example, plans for Alphabet’s self-regulating neighborhood are underway to develop a 12-acre “smart city” in Toronto called Quayside. The lot would collect mass amounts of data to be analyzed, such as how quickly pedestrians cross the street and traffic patterns. This is used to keep things such as traffic, pollution, and noise levels calibrated to maintain residents’ happiness [41]. Personal data would be collected from anyone who walks through the neighborhood, regardless of whether consent is given to do so. Our privacy continues to decrease as technologies develop and become more automated and self-regulating. This raises the question: at what point do we start placing more value on our privacy than on convenience?

Draft plan for Smart City [42]


Anna MacDonald Ranyodh Dhami
Beedie School of Business
Simon Fraser University
Burnaby, BC, Canada


