Exercising online privacy rights
Following Europe’s 2016 General Data Protection Regulation (GDPR), California passed its own California Consumer Privacy Act (CCPA) in 2020. I won’t pretend to understand the intricacies of the law or the differences between the two, but from what I understand this gives you the right to know exactly what data of yours do businesses use, and request that this information is to not be sold or to be deleted.
As a California resident, I decided to dedicate a long weekend to exercising my privacy rights. The long weekend turned into a week worth of back and forth with a dozen-or-so companies, and me having a much better idea of what information about me is out there.
Turned out many large websites provide privacy dashboards where you’re able to review and see information collected or inferred about you. But most of this data is hidden behind a formal request process which takes a few days to a week.
First, I decided to stroll through Google’s privacy settings. There are two ways forward: privacy dashboard, or full-on Google Takeout. Google Takeout allows you to download an archive of everything Google has on you, which took a few days to process, and is near impossible to go through while keeping your sanity. So I decided to play with the privacy dashboard instead.
Google Maps has location history of most places I’ve visited for the past ten or so years (creepy, but I found it useful on more than one occasion), and YouTube and Search history stores thousands of searches. I already had Assistant history disabled, since storing audio recordings is apparently where I draw the line when it comes to privacy. Targeted ad profile was an interesting thing to look at, accurately summing up my lifestyle in 50 words or less. I ended up disabling targeted ads from Google (and all other services as I went about on my privacy crusade).
Google had some of the finest privacy controls compared to other services, with actionable privacy-leaning suggestions. Google’s not known for its services playing well together, but privacy is where Google feels closer to Apple experience - everything is in a single place, surfaced in the same format, easy to control, and plays well together. Given the amount of transparency and fine grained control, I feel pretty good staying in the Google ecosystem.
Next I looked at LinkedIn. Outside of the expected things – emails, phone numbers, messages, invitations, and a history of just about everything I’ve ever clicked on, a file labeled “inferences” stood out. Whether LinkedIn thinks you’re open to job seeking opportunities, or what stage of career you are in, or if you travel for businesses, or if you’re a recruiter or maybe a senior leader in your company.
Since LinkedIn is a professional network, all information I share is well curated and is meant as public by default – and I found LinkedIn privacy settings in line with my expectations.
As an avid gamer, I went through Steam, Good Old Games, Ubisoft, Epic Games, and Origin privacy details. Unsurprisingly, the services tracked every time I launched every game, shopping preferences, and so on. Thankfully the data seemed confined to the world of gaming – which made this level of being creepy somewhat okay in my book.
I also looked at random websites I use somewhat frequently – Reddit, StackOverflow, PayPal, Venmo, AirBnB, and some others – not too many surprises there, although I did end up tightening privacy settings and opting out of personal data sharing and ad tracking for every service.
Last year I requested deletion of all my data on Mint, Personal Capital, and YNAB (You Need a Budget), and to be honest I’m a little relived that I didn’t have to look at the data these companies had on me.
Amazon data sharing turned out to be the scariest finding. Until now I didn’t really self-identify as a heavy Amazon user, but that turned out to be a lie: Prime shopping, Kindle, Audible, Prime Video.
The amount of data Amazon kept on me was overwhelming: Kindle and Audible track every time I read, play, or pause books, the Amazon website keeps full track of browsing habits, and Prime Video has detailed watch times and history. Most of this data ties back into real world – including nearly every address I ever lived at or phone numbers I had.
Even scarier, despite never using Alexa, I found numerous recordings of my voice from close to a decade ago – me checking status of the packages, but a few of me just breathing and walking around. I found no way of deleting these, as they didn’t show up in any privacy settings (including me installing an Alexa app just to get into privacy settings).
All of this gave me pause. It feels like the privacy controls are either lacking, hidden, or spread out thin across Amazon’s various apps. And I’ve only briefly scanned through the data Amazon had on me.
That’s where I had to take a break.
I have accounts with hundreds of services, and I have no idea how my personal data is used, and what it’s joined with. As I’m go on about my daily life, I’ll start tightening privacy controls, and maybe deleting services and their data where possible.
It’s just too creepy for my taste.
While you have control over the services you have accounts for, companies and ISPs collect a trove of private information on you even while you’re not logged in. For that, I strongly recommend using a VPN. I’ve been using PIA since 2019 and I’ve been very happy with it. Wholeheartedly recommend.