The European Union will put in place one of the toughest data privacy laws in the world this week. The law, among other provisions, gives people in Europe the right to obtain the personal data that companies have on them.
That is a sweeping right to data access that Americans don’t have.
So we decided to conduct a privacy experiment: Request our data in both Britain and the United States, to get a sense of how easy it will be for people in Europe to access their personal information compared with American users.
We conducted our experiment using a 20-year-old British law that entitles individuals to see the personal data held about them by companies in that country. The law provides data access rights similar to those in the coming European rules, known as the General Data Protection Regulation, or G.D.P.R. — offering a sense of how the new law might play out.
Prashant, an editor in London, and Natasha, a technology reporter in New York, requested their records in their respective countries from Amazon, Facebook, Google, LinkedIn, Twitter, their mobile providers and marketing analytics companies that profile users.
The results were not what we expected.
What We Got When We Asked Marketers for Our Data
Prashant, who lives in the U.K.
- 200 rows of data containing details about my personal life.
- 343 rows of data on the consumer marketing segments I’ve been assigned.
- 1 row of data indicating I once read an article on Forbes.com.
Prashant: Quantcast, an analytics service that categorizes and targets online users for marketing purposes, sent me a spreadsheet with about 200 entries tracking my activities. They contained an astonishing degree of detail about my life.
It showed that I had used OpenTable to make a dinner reservation in March at a “casual” Indian restaurant in London, that I had read a CNN article on President Trump’s steel and aluminum tariffs, that I was looking to buy a new cellphone and was considering a trip to Stellenbosch, South Africa.
Then there were the 343 marketing classifications Quantcast had obtained about me from data brokers, companies that sell consumers’ details for marketing purposes.
The categorizations had me pegged as a “heavy spender” on pet food (I have a cat), an owner of a flat-screen TV, and part of a “likely nonsmoking household.” My colleagues in London will be unsurprised to learn that among my “interests” are biscuits and chocolate.
But the report also suggested there was a 3 percent likelihood that I am a woman above the age of 65, and that I own a car. (I am, to be clear, a man in my 30s. I got my first driver’s license a few months ago and do not own a car.)
Natasha: My spreadsheet from Quantcast contained just a single line of data: It showed that on Jan. 19 at 7:01 p.m., I read an article on Forbes.com about how Google was eliminating certain features for parents to control their children’s web-browsing. The spreadsheet even listed the author of the article: Kevin Murnane.
As with all these companies, Prashant and I acted as much as possible like regular consumers when we initially requested our information. But after our requests, we followed up with the companies as reporters. When I contacted Quantcast to ask why I had received only one line of data, a spokesman said users’ privacy settings could influence what details Quantcast collected. (I use various software tools to monitor tracking.)
The Quantcast spokesman added that the company responded to data access requests under European law. So sending me any data at all had been an error — because consumers in the United States do not have a comprehensive right to obtain copies of the data held by American companies.
Prashant, who lives in the U.K.
- Order history.
- Credit card information.
- Prime subscription data addresses.
- Wish list items.
- Devices used to access Amazon services.
Amazon sent lists of the items my wife and I had bought through the site, the credit cards we used to buy them, the addresses the items were shipped to and the devices we had used to…