Selling personal data: When data becomes the latest currency

• Author:
• Author name

  Quantumrun Foresight
• October 13, 2022

Insight summary

Numerous companies buy and sell data without customer consent, from mobile phone locations to driver information. Marketing and advertising firms are especially eager to obtain their target markets’ online activities. As a result, consumers find themselves vulnerable amidst a predatory data economy.

Selling personal data context

Nonstop data collection of users’ online activities has become a trillion-dollar industry. Data science is indispensable for businesses, and as a result, tech giants like Facebook, Google, and Amazon are cashing in from the continuous tracking of users’ online behavior. According to a 2019 column published by Washington Post tech writer Geoffrey Fowler, Google and Mozilla browser plugins caused data leaks from 4 million people. Many people install these add-ons, thinking they help them remember passwords or curate coupons. However, some of these plugins are also conducting surveillance.

In fact, surveillance is marketed as a bargain by some plugins. For example, Amazon offered people USD $10 to install their Assistant extension. The company assured customers that while the extension collects surfing history and pages viewed, all that information stays inside the firm. Academic researchers say thousands of browser extensions gather data while people browse online.

Some of these programs have user data practices described as lax or deceptive. The now-defunct “marketing intelligence service” Nacho Analytics is an example of data brokers that profit from often illegally harvested personal data. For as low as USD $49 a month, anyone can see which websites (including the actual web addresses) are viewed the most. While Nacho Analytics said the information released was redacted of identifiable data, website hosting provider Sam Jadali found usernames, passwords, and GPS coordinates in Nacho’s database. 

Disruptive impact

Many companies and federal agencies have found themselves in peril for selling personal data. In 2022, beauty brand Sephora was fined $1.2 million USD for violating the California Consumer Privacy Act (CCPA). According to the complaint, the company failed to inform its customers that their data was being sold. The firm also ignored consumer requests to avoid selling their information through the opt-out option on its website. In addition, Sephora overlooked the demands of customers who signed up with a Global Privacy Control supporting browser/extension. Sephora still allowed third-party firms, such as marketing, advertising, and data analytics companies, to access its customers’ data in return for their services.

Government agencies are also notorious data sellers and buyers. For example, Colorado state sells DMV (Department of Motor Vehicles) records to third-party data vendors that are not required to mention the existence of subsequent sales. Citizens who want to preserve their privacy are not protected by the Driver’s Privacy Protection Act of 1994, which legalizes this practice and prevents anyone from opting out.

In 2020, a class-action lawsuit was filed against data broker LexisNexis for the alleged inappropriate sale of this data. In 2021, Texas passed the Texas Consumer Privacy Act (TCPA) that prohibits DMV from selling personal data to marketing companies. Laws like TCPA, CCPA, and the European Union (EU)’s General Data Protection Regulation (GDPR) have become more necessary than ever to prevent the unethical practice of data trading. 

Implications of selling personal data

Wider implications of selling personal data may include: 

• Companies and startups selling facial recognition databases to federal agencies for surveillance and law enforcement.


• More governments requiring corporations to share their user databases under the justification of national security.


• Increased public pressure for governments to increase transparency on collecting and using public information.


• Increased rates of cyberattacks and breaches as more firms collect personal data.


• Consumers pushing back against the commodification of their personal information, including opting out, uninstalling browsers, and filing class-action lawsuits.


• Firms specializing in data security experiencing a surge in demand as businesses seek to safeguard their increasing stores of personal data.


• Consumers becoming more aware of their digital footprint, leading to a rise in demand for services that offer control over personal data.


• Educational institutions integrating data privacy and digital literacy into curricula, preparing future generations for a data-centric world.

Questions to consider

• How do you ensure that your data is not being collected/sold without your permission?


• How else can people protect their personal information online?