Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


The sale of aggregated commercial data

Barclays recently announced that they were looking to sell "aggregated" customer data to third parties. While the news sparked concern among the UK public, the practice, unfortunately, is becoming common among many industries.

A few months ago, it was revealed that Everything Everywhere appeared to be selling location and de-identified data to Ipsos MORI, who in turn made it available to third parties, which included offering it to the Police. Despite another outcry from the public, this type of sale doesn't appear to be stopping.

It's not just in the UK, either. In the Netherlands, Tom Tom provoked outrage from their customers in the Netherlands by giving driver speed data to the police. And in the Cote d'Ivoire, Orange issued a mass release of customer data for a development program, without proper oversight to how the data could be used. Hopefully no bodyguard or assistant to the President of Cote D'Ivoire was carrying an Orange phone at this time.

General guidelines for consideration

With more companies looking to sell data, it's no wonder why consumers are nervous. This is especially true when it comes to mobile networks and the revealing of a user's location. However, proponents of this practice claim benefits for "anonymised" location services, citing the example of censuses reporting "Travel To Work" areas.

That information, though, is based on self-reported data. If the mobile companies want to offer up similar data, they should ensure commensurate precautions are taken, such as providing an opt-in choice for consumers. Implementation details matter greatly. So if companies are going to sell "aggregated" data on their customers, or aggrodata, either directly or via transaction data analysis, they must go beyond the minimum of what’s currently required by law.

We suggest a number of initial guidelines,  which should form the basis for future discussions. This should include at the very minimum the following elements:

  • Explicit consent is mandatory: Where participation in services offers a benefit to customers, people will choose to receive those benefits.
  • Transparency of practices: Includes details of whom the data is sold to, what type of data and for what purpose, and how many personal data sets are included in the aggregation.
  • Visibility of uses: Individuals whose data is included must have access to the same data and services as are being sold.
  • Industry uses will differ, and must be considered: The protections for location data from mobile phone companies should be different to location protections from shopping malls. Both industries are starting to look at their own, neither is currently inspiring confidence.
  • Independent reviews: Protection/deidentification techniques used, such as a privacy impact assessments, must be reported by an outside party.

All data protection principles still apply. Companies should not collect more data than necessary for the purpose of providing the primary service to customers, or retain it for longer than the law requires. If profits are to be made, there must not be a perverse incentive to collect more data and for longer period.

Doing it the right way

Data needs to be aggregated legally and correctly, and if not, there must be consequences. For instance, according to the UK Anonymisation Code of Practice, if the law is not followed then both the suppliers and recipients could be in breach of the Data Protection Act.

There are remedies companies can take. After consideration and privacy discussions, Tom Tom now report what they know on traffic along the road, rather than data on drivers. It provides utility without privacy risks, as there is no ability to know exactly how many people supplied information into that reading. Structuring the data correctly in the first place is vital, but then full transparency, and explicit informed consent, builds confidence. Whether customers wish to purchase from a company that sells their data is something they should be able to decide.

We welcome the various privacy and data organisations who are looking at this issue from their perspectives. That dialogue should continue, and be expanded beyond the small group so far. If you're interested, email sam@privacy.org.

[Note: Here we have dealt only with data being sold by companies to third parties. Governments internationally are also looking to open non-personal data for public benefit, and are pushing companies to return copies of data held about them to the individual to whom it pertains, although parts of this are getting confused. The privacy issues raised here are very different but related.]