If you’re reading this story on Vox.com, we have probably already collected quite a few bits of information about you. We, as well as our third-party advertisers, likely know which type of device you’re on, what browser you’re using, what you do on our site (which articles you read, how long you stay, what ads you visit), and what site you visit next when you click somewhere else. We know where you are based on your device’s IP address — a unique identifier assigned to each device connected to the internet — but don’t use GPS to actively track your location.
We might be privy to more information, but what we utilize about people is restricted to information that signifies groups of people: say age, income, interests, gender.
I’m telling you all this because as part of our Open Sourced project, we intend to explore the hidden consequences that various technologies — including ones we employ — have on regular citizens. We’ll be looking at things like Twitter’s privacy and free-speech policies as it begins to impose restrictions on political advertising; we’ll examine how Facebook tracks you around the internet; and we’ll explain how technologies like artificial intelligence are hoovering up vast amounts of data — and what they’re doing with it. Our goal is to explore and demystify the online world we all live in, to explain how algorithms work and what data you’re sharing with companies. And this means not only looking outward, but inward.
So, let’s get back to Vox.com. If you logged into our network through social media we also have access to portions of your public social profile, such as your name, email address, and photo. We use this information to build your account and authenticate you as a user. We collect other analytic information from social media sites and combine it with analytic data from internet behemoth Google to get a demographic picture of who you are so that we can make our site better but, primarily, to serve you ads. We could, for example, sell an ad to Glossier that would land in front of wealthy women in their 30s who frequently purchase cosmetics.
We — like most publishers — also use Google to sell, manage, and track ads across our sites. Part of what makes that partnership so attractive to publishers is they can combine Google’s data about how different ads performed with their own data on who their readership is. The third-party advertisers on our site do the same thing but do so programmatically, meaning through an automated, auction-based system to sell the rest of the ad space on our site. If you buy something through certain links on some Vox Media sites, we can calculate how much is spent — though not your individual purchase — in order to calculate a revenue share percentage with the affiliate seller.
How ad-supported journalism works
We are an ad-funded publication: Advertisements help pay my salary, support our journalism, and keep the lights on. The more detailed a picture an advertiser can get of who they’re reaching, the more they will generally pay. Vox Media — the parent company of Vox, Recode, and Open Sourced — does not outright sell data about you for money, but we do sell access to you. Put another way, we tell advertisers that we can put ads in front of you and then track for them how these ads perform. We also share your data with third parties we pay to provide services that require that data, like, for example, providing user analytics. In turn, those third parties are contractually obligated not to reshare your data.
It’s a lot — I get it — but the net result is that you, dear reader, get to read our content without a paywall.
When you look closely, privacy policies in general can feel terribly invasive.
“I don’t think you guys are doing anything different than anyone else in the media ecosystem, but that doesn’t make it great,” Jennifer King, director of consumer privacy at the Center for Internet and Society at Stanford Law School, told me.
We’ve looked at a lot of other media privacy policies. The New York Times, BuzzFeed, The Atlantic, Vice — well, basically every media company — collect varying levels of personal information when you visit their sites and apps, interact with advertisements, or sign up for subscriptions. They also share that information with third parties, who in turn collect their own data.
King says the worst offenders are e-commerce sites that record your payment and other information even before you submit it and smartphone apps that require location data, essentially giving advertisers access to your address. Ad giants Google and Facebook by far know — and leverage — the most information about you.
“These are not documents for end users; they’re documents for lawyers and regulatory authorities,” King said. “They’re not there to help typical users navigate what’s going on.”
Government regulation of privacy policies is lacking
Some of this is changing thanks to the California Consumer Privacy Act, or CCPA, a new regulation that’s going into effect in January 2020. It’s keeping lawyers and developers at media companies across the country very busy.
This law will allow consumers from California to opt out of the sale of their personal information, and export and delete any data that’s been collected. It doesn’t stop sites from tracking you, however. To actually stop these sites from tracking you, you will still have to use third-party products.
The law also potentially broadens the definition of what “personal information” is and what “selling” that data means. It describes “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The definition of “selling” includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” What exactly a “valuable consideration” is isn’t clear, but it potentially could include letting third parties place cookies on our site and sharing information with them that could result in our overall ad value increasing.
Despite CCPA applying only to Californians, the law will require a substantial amount of work for both Vox and our third-party partners. Here’s an abbreviated list from our legal department of what actions we’re taking:
- Reevaluating all data practices across all our sites, including recent acquisitions
- Developing a new, simpler process so that people can opt out, access, or delete the data we collect
- Assessing whether data we exchange with partners is “personal information” according to CCPA and whether that exchange/transfer would be considered a “sale”
- Developing a method by which consumers could retrieve data from partners, request deletion, and opt out of sales
The fact that legislation is arising at the state level — California, Nevada, and potentially New York — means these policies could become even more piecemeal. However, it’s likely that companies like ours will seek to be compliant with the strictest policy, for simplicity’s sake.
What can you do to better prevent sites from using your data?
This is all good news for the privacy conscious. But what should you do if you’re still uncomfortable that sites like Vox have access to your data? Get off the internet. But, more practically, here are three things you can do.
- Update your settings on the web products you use like your browser, social media, and email clients. “They almost always have options to opt for higher privacy settings, but by default they’re usually set to a lower restrictive setting, so they can generate more profit off each user,” Daly Barnett, a staff technologist at the Electronic Frontier Foundation, told me. You can set your browser to “do not track”; however, Vox, like many other sites, chooses not to acknowledge that request. You can also use browser options like Chrome’s “Incognito” mode to keep your data from the browser, though your activity is still visible to the sites you visit.
- Download a privacy browser extension. Barnett recommends a nonprofit product she works on called Privacy Badger, as well as uBlock Origin, AdBlock Plus, Ghostery, and Noscript. Barnett warns, however, that there’s an “arms race” between the blockers and the tracking companies, with each responding in turn to developments by the other.
- If you live in California, as of January you can request to see or delete the data we and other websites collect.
Open Sourced is going to make readers a promise to be as transparent as possible. We can’t fix everything, but we can help you be better informed about the decisions you make online — even if you don’t realize you’re making them.
Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.