The business of collecting and selling personal data is one of the most lucrative on the web. Large companies such as Google or Facebook have been collecting it for years and making money from it, but the business is much broader and more diverse. Other companies collect a large amount of information about us from what we share on social networks and compile long reports that, on the black market, can exceed the value of one hundred euros per person.

The collection and sale of personal data on the Internet involves both companies that act within the law and illegal operations that capture the public information we share, without our permission, and market it illegally. What determines whether an actor is inside or outside the rules established by the General Data Protection Law (LGPD) is the explicit and informed consent of the user for their personal information to be used for a specific purpose. Therefore, if we do not consent to the use of our data, no one will be able to use it, even if we have voluntarily shared it on the network.

One of the companies that legally collects data in Spain is Xeerpa, an agency that obtains users’ permission to collect the information they share on a social network through social login. This mechanism allows anyone to register on a website, for example that of an airline to buy tickets, through their Facebook or LinkedIn profile, which saves them a long registration process and lets them purchase their tickets in seconds.

But, in return, the buyer gives the agency permission to collect all the data that they share on that social platform. With it, Xeerpa creates extensive profiles that help it understand the user’s personality and predict their behavior. With these reports, the companies that hire its services have access to a large amount of information about their users with the aim, according to what they say, of running more personalized marketing campaigns.

“Xeerpa helps you get to know each of your users/clients in detail, interpreting a large amount of data that they themselves share on networks such as Facebook, Twitter or LinkedIn. It creates ‘one to one’ profiles of them and stores them in a specially designed database so that you can precisely personalize your communications, creating unique experiences for your clients”, can be read on the agency’s website.

Therefore, Xeerpa collects personal information and creates profiles for use in what is known as relationship marketing, a sales strategy that, in theory, uses better knowledge of the user to personalize messages and send them only information that may interest them, thus avoiding a massive bombardment of low-interest advertising.

For this to be possible and, above all, legal, agencies such as Xeerpa must have the informed, explicit and unequivocal consent of the user. This is especially important since the entry into force of the new General Data Protection Law (LGPD), in May 2018, a regulation that eliminated the tacit consent, or consent by omission, contained in the previous legislation, “since it was based on inaction”, points out the Spanish Agency for Data Protection (AEPD).

“The LGPD requires clearer information and that the user explicitly accepts what is going to be done with their data. With the new law there are two main aspects that mark the protection of the data: the property and the purpose. To whom does the user consciously and explicitly transfer the data, and for what purpose does it allow them to work with their personal information. And if the user accepts, the company will be covered”, explains Álvaro García, Big Data expert at Genetsis Group.

García’s company also cross-references data to create user profiles and develop relationship marketing strategies. It does not use social login, however, but captures that information through other channels, such as a client’s interactions with the brand’s e-commerce channel or free Wi-Fi access in the company’s facilities.

I have read and agree…

Thus, one of the main dangers to the privacy of user data lies in the way users themselves interact with the internet, according to the experts consulted by SamaGame. Companies that collect and process personal information legally try to cover themselves and act within the current regulatory framework, but if a person does not read what they are accepting, they run the risk that their data will pass into the hands of companies they do not want to have it.

“The current problem is ignorance. People sign up on many sites and don’t know what they have done, and then there are companies that collect and use that data. People give their consent without knowing, and then they are surprised if their personal information is marketed, something that in 90% of the cases is legal”, explains Ernesto (a name chosen by the source to preserve his anonymity), who works in the business of personal data on the internet.

Another issue is the data that users themselves publish voluntarily on the internet. Legally, and depending on the policies of each social network, this information belongs to the platform where it was published and can only be used with the consent of both the platform and the user. But if anyone can access that data, anyone can use it, even if doing so is not legal.

“Even if they are public, if you do not have the express permission of the owner of the data, it is illegal. In all the promotion and registration pages, right now there are two checks, the one for ‘I want to be sent advertising’ and the important one, the one for ‘I accept that my data is shared’. Without this information together with the IP, this registration has no validity, the information could only be sold on the black market, because there is no professional who is going to buy it,” says Ernesto.

And although users may think that what they share publicly on the internet is harmless, the danger to their privacy lies not in any single publication but in the intersection of many of them with personal data.

“Sometimes information that might seem innocuous becomes useful depending on the objective that is pursued, simply by exploiting the correlation of data. This correlation of data, with Big Data and Data Mining, allows us to deduce behavior patterns that exceed statistical data,” says Juan José Galán, of Business Strategy at the IT security company All4sec.

The black market

Data is the new oil, experts point out to SamaGame. It is a succulent treasure that is much easier to obtain for those who do not follow the rules, who obtain users’ personal information fraudulently and sell it on the black market.

Ernesto knows that world. As he explains to SamaGame, in Spain there is not much underhand activity of this type, but there are companies that do it from countries such as India, Israel or the Netherlands. “These people, with robots, get into the networks and collect everything that is public. If, for example, you put on Twitter that you like the new model of a car and you have an email account associated with your profile, they can automatically hunt down that data and send you advertising for that car,” he says.

As he explains, these robots usually send mass invitations on Facebook or LinkedIn to gain access to information that users share only with their contacts (on Twitter and Instagram they have it easier if the profiles are public). They keep the data and sell it to companies interested in sending advertising to a certain type of profile.

And with that information they prepare long dossiers that can have a price of more than one hundred euros per person, Ernesto reveals, because they help to predict behaviors exhaustively, and that is gold for certain companies and organizations.

“Imagine that they know that I like Apple, that I like mountaineering, that I like working with a type of computer, that they know what my habits are, where I move, etc. They can predict what I’m going to buy at all times! That is a treasure for a company whose products I am interested in,” says Ernesto.

Those dossiers are so lucrative because they are comprehensive and often illegal. But there is a whole range of prices, from a few cents for simple information such as an email address and interest in a product (which can be obtained, for example, by registering a mobile phone in a raffle) up to 7 or 8 euros for a larger amount of data. And these are usually legal.

Xeerpa, for example, also offers its clients dossiers with a lot of information about the users who hand over their data through social login. But, unlike those cited by Ernesto, these are prepared by cross-referencing only the data for which the person has given permission when registering with their social network.

“These files basically collect the data of the social network profile that the user shares with their aggregate analytics: sociodemographic data, birthday, age, city of residence, hashtags, keywords used, an in-depth analysis of their personality and consumption preferences, predictive interests in nearly 300 categories, favorite brands, communities and celebrities, places visited and level of influence”, Xeerpa explains.

The legal use of personal data

Although there is a black market for personal data, experts say that most of this market is legal, at least in Europe. In the first place because the Old Continent has the toughest data protection law in the world, and secondly because the companies that are interested in that information prefer not to be involved in shady matters.

That is why the sources consulted by Engadget call for calm. Companies collect and use the personal data of Internet users, yes, but in most cases for a specific purpose and with ethical treatment. In addition, companies are not usually interested in the profile of a particular person, but in segmenting many of them to send personalized messages to groups of people with similar interests.

“What we want is to profile the user to get to know him better and send him appropriate communications. Instead of sending massive content to the entire database, segment them by the information they give and the interactions they have to send you, perhaps, one message per month, but that interests you a lot and that gives us more options to have a long-term relationship with him,” explains Álvaro García.

Ernesto, for his part, points out that, although privacy is important, perhaps an unnecessary level of alarm is being created: “I’m tired of finding advertising for a pizzeria or kebab in my mailbox. They can put any kind of advertising on me without restriction, but to send an email I have to comply with a lot of laws. In the online world we are under much more pressure than in the offline world”.

Data intermediaries

In this market there is also a difference between those who collect data to later sell it to third parties and those who provide other companies with the tools needed to collect and process information. In the second case, which is that of Xeerpa and Genetsis Group, the owner of the data is the company that hires them, which stores and uses it as appropriate, in principle within the parameters agreed with the user for its transfer.

“When we work with any company there is a very important part which is the data storage architecture. The servers are usually from the company, we are third parties and we have to sign an agreement for the management and treatment of data. We signed an agreement with that company for a specific purpose, but the data is the property of the company, and when the work is finished, access is cut off and we cannot make backup copies, because it would violate the LGPD”, explains the Big Data expert at Genetsis Group.

Therefore, to file any complaint or exercise any claim, such as the right to erasure of their data, the user must contact the company that hired the services of these agencies.

Social media and data collection

The way Xeerpa collects data is different from that of companies like Genetsis Group. The latter does it through customer interactions with the brands’ digital platforms, such as their online store, and through Wi-Fi access, while the former does it through social login, a more delicate tool since it must comply with the data protection policies of the social network that the person chooses to register with.

“We collect data through Facebook, Twitter, Instagram or LinkedIn. To do this, we manage the obtaining of advanced permissions following the protocol of each social network, which are very strict when sharing data with external companies, with a series of limitations and restrictions. And we have to prove that we are going to use this information for a very positive purpose for the user in terms of recommending content”, Xeerpa explains.

These limitations and restrictions, however, have not always been as strict as Xeerpa now says they are. Social networks appear to have become stricter with the information they share in the wake of the €4.5 billion fine that the US Federal Trade Commission imposed on Facebook in 2018 for violating the privacy of 50 million of its users in the Cambridge Analytica case. The sanction also included the obligation to report to the US authorities the measures they are applying in terms of data protection and to prevent future abuses.

Facebook was sanctioned for not properly protecting the privacy of its users, and the fine set an important precedent in the protection of data on the internet. But the most important lesson learned from the Cambridge Analytica case is the danger of cross-referencing data, for a purpose other than the one reported to the user, to create psychological profiles and predict behavior.

The data collected by an external company for Cambridge Analytica was, in theory, intended for academic study. Data collectors lured users into giving their information through a personality test. By filling it out, they not only shared the test information, but also gave permission to access their profiles and those of their contacts.

Thus, Cambridge Analytica acquired the information of 50 million users. Later, they cross-referenced the data from their interactions and comments and created psychological profiles that, according to the offending company, allowed them to identify the voting trend of those people. This would have made it possible to direct disinformation campaigns at the undecided to manipulate their intention to vote in favor of the party that hired their services.

Therefore, the key in the transfer of personal data is, on the one hand, the explicit consent of the user and, on the other, the duly informed purpose. If a company requests a person’s personal information exclusively to send them better advertising, the company will not be able to use it for other purposes, such as predicting certain political or social trends unrelated to that business relationship. And if the entity does so, the Spanish citizen may report it to the Spanish Data Protection Agency, which provides for significant penalties in these cases.