Browse all articles

A Majority of Apps Are About to Come Clean and Say They've Been Selling Your Data All Along

Our State of Kids' Privacy research indicates the selling of data is about to completely change.

Jeff Graham | March 29, 2022

We hear from families and educators in surveys that they want better privacy protections for their children and students, but what is the actual state of kids' privacy? For example, how often is kids' data actually sold to third parties or data brokers? 

Our 2021 State of Kids' Privacy report answered these questions, and others, by evaluating hundreds of products' privacy policies. We looked at the most popular applications and services that are currently used by millions of children at home for play and homework, and by tens of millions of students in classrooms across the country. Our findings indicate that kids' data from the apps and services they use every day at home and in the classroom is currently sold to third-party companies like data brokers across the industry.

However, new privacy laws are about to bring clarity to data selling practices. As a result, companies that claim not to sell users' data are about to start saying they've actually been selling kids' data all along.

Companies are required to tell you they sell your data

Companies may not like it, but now they are required to actually say whether they sell users' data in their privacy policies, thanks to the passage of a landmark privacy law in 2018 called the California Consumer Privacy Act (CCPA). The CCPA includes many rights, but we're going to focus on two:
 

  1. The right to know what personal information is collected, used, shared, or sold. 
  2. The right to opt out of the sale of personal information. Children under the age of 16 must provide opt-in consent, and a parent or guardian must provide consent for children under 13. Parents can also opt out of sale on behalf of their children. 

However, since the CCPA passed, many companies have said they don't understand what "sale" or "selling" of data means. As a result, the California Privacy Rights Act (CPRA) was passed in 2020 by ballot initiative to update the CCPA and more clearly explain what selling data means, as well as expand the law to include many additional privacy rights. 

The CPRA is expected to come into effect in January 2023, and will be enforced by the new California Privacy Protection Agency (CPPA). Companies will be required to provide a clear and conspicuous link on their internet homepage, titled "Do Not Sell or Share My Personal Information," if they engage in the practice of selling or sharing personal information. 

What does selling data really mean?

The new CPRA expands the definition of a company's selling practices to be more in line with consumer expectations -- particularly the need to know if companies make money from data. The definition provided in the CPRA includes other methods and technologies that companies can use to monetize users' data, including third-party tracking technologies, the tracking of users across apps and the internet, and the creation of advertising profiles of users. These practices include several ways that companies either directly or indirectly track and profile the who, what, when, where, and how we interact with a variety of content and across what apps, platforms, and social networks.

These practices might all seem fairly benign and innocuous, but the majority of consumers are clear that they don't want companies profiting from their own private human experiences or their kids' experiences online without their explicit consent. When these practices and the resulting data are shared with other third-party companies or combined with additional data sources, they enable the "creepy" experiences that many families and consumers have repeatedly indicated they're either concerned about or don't appreciate. Consumers want to stop companies from extracting behavioral knowledge about them that can be used to exploit them or their future behavior. The result of these practices can be as seemingly harmless as an advertisement that seems to follow us around the internet, or as clearly problematic as knowing too much about us and our personal interests or relationships -- or being able to influence our behavior or purchasing decisions. 

Since our privacy evaluation process has always evaluated these issues, we can compare companies' historical practices and speculate about what a product's practices for selling data will be after the CPRA becomes law and clarifies how companies need to talk about the sale of data. Just scratching the surface, we can take a look at what companies disclose regarding three additional practices that companies use to make money from a user's data, beyond explicitly saying they sell data:

  1. Third-Party Tracking: Do the policies clearly indicate whether or not third-party tracking technologies collect any information from a user of the product for the third party's own purposes, including advertising?
  2. Tracking Users: Do the policies clearly indicate whether or not a user's information is used to track users and display personalized advertisements on other third-party websites or services?
  3. Ad Profiles: Do the policies clearly indicate whether or not the company allows third parties to take a user's data and create an automated profile or engage in data enhancement for the purposes of personalized advertising?

To get a better understanding of how a company may change their privacy policy disclosures about selling data in the future, let's first take a look at what companies are currently saying about the historical way selling data was discussed, and these other practices.

Graph of four stacked bar charts indicating data for 2021 in the following practices: Sell Data 14% worse, 14% unclear, 72% better. Third-Party Tracking 55% worse, 14% unclear, 31% better. Track Users 48% worse, 18%unclear, 34% better Ad Profile: 39% worse, 25% unclear, 36% better.
This visualization indicates that companies are disclosing their data selling practices in a manner that is inconsistent with the guidelines and clarifications in the new CPRA. For example, 72% say they don't sell data. However, looking at just the Third-Party Tracking practices, we can see that, generously, at most 45% don't sell data. Note that this is a generous interpretation, since only 31% explicitly say they don't allow third-party tracking, while 14% don't explain their third-party tracking practices. From our State of Kids' Privacy report, we know that it's extremely unlikely that better practices are being used by the majority of the 14% of products that don't clearly disclose their Third-Party Tracking practices. 

Let's take a more nuanced look at the 72% of companies we looked at that say they don't sell data, relative to the other practices, and see what a more realistic interpretation of data-selling practices looks like. After we account for all three of the other practices mentioned above (Third-Party Tracking, Tracking Users, and Ad Profiles), a more accurate interpretation would be that only 27% don't sell your data, that approximately 14% are unclear across all practices (or a mix of better and unclear practices), and that a majority 58% should indicate they sell data under CPRA guidelines. This is a huge 44% discrepancy between how companies are choosing to discuss their data-selling practices. From our State of Kids' Privacy report, it's most likely that the majority -- if not all -- of the remaining 14% that do not describe all four of the above practices are also likely selling data. That suggests that somewhere between 58–72% of the industry is selling data. For a deeper look into companies' practices when it comes to selling data, please see the "Multiple Privacy Practice Comparison" section of our State of Kids' Privacy report.

There is a banded area connected the two graphs that indicates a portion (44%) of the 2021 better practices will indicate worse practices in 2023. The banded area has the following text overlaid. "44% of products evaluated will be required to change their policies and say they now sell data"

Conclusion

Consumers are increasingly concerned about their privacy, and they already understand that companies make money by tracking their online activities and selling their data to third-party companies for advertising purposes. What's currently unclear for many consumers is the complex and indirect ways that companies go about monetizing through tracking, bundling, and profiling their personal information and behavior in order to further influence parents', kids', and consumers' behavior. Laws like the CPRA help to bring clarity to these practices and force companies to use more plain and direct terms, rather than overly complex, confusing language, or technical jargon that works to prevent understanding of their actual practices by the average parent or consumer.

It's estimated that almost three quarters of companies currently selling data will either need to update their policies this year to disclose additional methods they currently use to monetize data and user information, or they will need to improve their practices to better protect their users' data and privacy.

The new CPRA is a good first step to increase clarity on what the sale of data means in order to better protect kids and families, who can now make better-informed decisions about whether to use products that say they sell kids' data for profit. But we can't stop there. The next step will require holding companies accountable when they don't follow the rules or mislead consumers. That enforcement may come from the new California Privacy Protection Agency (CPPA), as well as state attorneys generals, and local district attorneys' offices. 

However, to fully protect kids' privacy, we need meaningful consent in which companies actually say whether they sell your data, and a stronger and more comprehensive federal privacy law that bans the practice of selling data for all users unless separate opt-in consent is explicitly obtained. Without these base-line expectations, the industry will continue making money by influencing and exploiting our behavior.

For more information about the privacy program, please visit our website.