Consumer privacy risks of data aggregation: What should organizations do?
In September 2024, the Federal Trade Commission (FTC) released an eye-opening report that digs into the data habits of nine major tech giants, including Amazon (Twitch), ByteDance (TikTok), Discord, Facebook, Reddit, Snap, Twitter, WhatsApp, and YouTube. The findings reveal extensive, often unsettling, data aggregation practices that go beyond user expectations and present considerable privacy risks.
This article breaks down key privacy challenges and offers practical guidance to help organizations safeguard consumer data in today’s complex digital landscape.
The downstream impacts of data collection
While the report focuses on the data privacy practices of nine major technology companies, we want to highlight two concerning themes that should resonate with a broader audience, including all consumers and organizations:
1. Inadequate data privacy practices: Large companies, despite having extensive user bases and significant resources, frequently exhibit inadequate data privacy practices. This gap is particularly alarming given the sheer volume of data they handle.
2. Downstream impacts of data collection: In recent years, the FTC has cracked down on companies—including GoodRx, BetterHelp, and Cerebral—for embedding trackers from Meta and other platforms on their websites, which allegedly shared customers’ sensitive data without proper disclosure or consent. The report illustrates how organizations using tools like Meta, TikTok, or Snap pixels on their websites—often for the purpose of retargeting audiences on these social platforms—can unintentionally contribute to data-sharing with numerous third parties, extending far beyond the specific pixel they embedded on their site.
The report underscores a disturbing reality: large tech companies, despite facing regulatory scrutiny, need more robust control over their own data-sharing practices. Commissioner Alvaro Bedoya noted, “Although most companies reported sharing users’ personal information with third parties, none effectively disclosed all of the recipients of that data. Some even claimed it was impossible to identify all third parties involved.” Similarly, Commissioner Melissa Holyoak added that many companies were “incapable of accurately relaying what information they gathered or how it was used.”
This lack of transparency reveals a troubling truth: once a platform like Meta collects data, it can be passed to affiliates or data partners without users’ knowledge or control. This leads to unchecked data proliferation. As the report mentions, these platforms combine data from multiple sources (their own, third-party affiliates, and data brokers) to build comprehensive profiles on both users and non-users. Tracking technologies, like pixels, are then deployed to support targeted advertising based on the user’s interests and preferences, which the user may never have intended to share.
Complexity and lack of visibility in ad tech
One critical point the report emphasizes is how difficult it is to meet privacy directives. Many companies rely on extensive data collected through ad tech, like tracking pixels and SDKs, often with limited transparency and control over how the data is used. This data flows through complex advertising ecosystems, making it difficult for companies and users alike to understand where and how their data is ultimately used.
The report raised serious privacy concerns across several key areas, including:
- Sensitive data: Companies collect massive amounts of sensitive information, often without adequate safeguards for vulnerable groups like children and teens. Transparency remains a significant issue, with a wide gap between data practices and consumer-facing policies.
- Foreign entities: Some US companies share customer data with foreign entities, increasing the risk of government surveillance. Concerns are particularly acute regarding data shared with countries like China, where privacy standards vary. Consumers deserve clear information on how these cross-border transfers impact their data privacy.
- Third parties: While companies often acknowledge sharing user data with third parties, tracking every recipient is challenging. This lack of control creates vulnerabilities in data privacy management. Few organizations rigorously vet their third-party data-sharing practices, raising accountability concerns and increasing the risk of data breaches.
- Data brokers: By using data brokers, companies build detailed user profiles and retain data indefinitely, often monetizing it through online advertising. The report calls for closer scrutiny of broker practices—including data collection, retention, and sales—beyond simply regulating targeted advertising.
This report illustrates that data rarely remains with its original collector, leaving both companies and consumers vulnerable to privacy breaches. It can pass from one entity to another and, without stringent privacy controls, end up in the hands of foreign entities or in unregulated AI models. This reality serves as a wake-up call for companies that embed tracking pixels or use ad tech tools from major platforms.
The FTC has made it clear that without meaningful regulation, consumer data will continue to be shared and sold with little restraint. The report’s findings serve as a rallying cry for lawmakers to act, addressing the entire data ecosystem, not just the visible ad-tech layer.
FTC Commissioner Lina Khan emphasizes that effective legislation needs to regulate data practices across the board to make a real difference in protecting consumer privacy and reining in unchecked data exploitation.
The responsibility of organizations: Taking action
The FTC has outlined several key steps for organizations to improve their data practices:
- Limit data collection: Implement concrete data minimization and retention policies.
- Restrict data sharing: Limit data sharing with third parties and affiliates, delete consumer data when it is no longer needed, and adopt clear, consumer-friendly privacy policies.
- Avoid sensitive data collection: Avoid collecting sensitive information via invasive ad-tracking technologies, and carefully review ad-targeting policies that use sensitive data categories.
However, these measures only address data that organizations actively track. Much of the data-sharing ecosystem operates under the radar, making comprehensive consumer protection challenging. Organizations need tools that block unauthorized data sharing and detect “piggybacking” pixels to safeguard consumer data effectively.
“Piggybacking” pixels refer to third-party tracking pixels or tags added to a website through an existing tag or pixel. The site owner does not directly implement these secondary pixels; instead, they load via another party’s pixel—such as one from an ad network or analytics service—which may include additional scripts that load other tracking tags without the website owner’s involvement.
Identifying and blocking unauthorized trackers and pixels is essential to enhancing data transparency. By enforcing strict data-sharing policies and actively managing third-party trackers, companies can take meaningful steps to improve consumer privacy.
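One way to surface piggybacking pixels from a page-load capture is to trace each third-party request back through the resource that initiated it. This is an added example, not code from the FTC report or this article. The hostnames, the `{ url, initiator }` record shape, and the function names are assumptions made for illustration.

```javascript
// Constructed sample: each record is a request URL plus the URL of the resource
// that initiated it (simplified from the initiator data a browser HAR export carries).
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/", initiator: null },
  { url: "https://shop.example/app.js", initiator: "https://shop.example/" },
  { url: "https://tags.approved-ads.example/pixel.js", initiator: "https://shop.example/" },
  { url: "https://sync.partner-a.example/match.js", initiator: "https://tags.approved-ads.example/pixel.js" },
  { url: "https://collect.broker-b.example/p.gif?uid=123", initiator: "https://sync.partner-a.example/match.js" },
  { url: "https://cdn.unlisted-widget.example/w.js", initiator: "https://shop.example/" },
];

const host = (u) => new URL(u).hostname;

// Walk initiator links from a request back to the page, returning hosts in load order.
function initiatorChain(url, byUrl) {
  const chain = [];
  const seen = new Set(); // guards against circular initiator data
  for (let cur = url; cur && !seen.has(cur); cur = byUrl.get(cur)?.initiator) {
    seen.add(cur);
    chain.unshift(host(cur));
  }
  return chain;
}

// Report every third-party host missing from the approved inventory, and mark it
// as a piggyback when another third-party tag (not the site itself) loaded it.
// Hosts are compared exactly; list each first-party or approved subdomain explicitly.
function findUnapprovedTrackers(requests, firstPartyHost, approvedHosts) {
  const byUrl = new Map(requests.map((r) => [r.url, r]));
  const findings = new Map();
  for (const r of requests) {
    const h = host(r.url);
    if (h === firstPartyHost || approvedHosts.has(h) || findings.has(h)) continue;
    const chain = initiatorChain(r.url, byUrl);
    const parent = chain.length > 1 ? chain[chain.length - 2] : null;
    findings.set(h, {
      host: h,
      chain,
      piggyback: parent !== null && parent !== firstPartyHost,
      introducedBy: chain.find((c) => c !== firstPartyHost) ?? h, // tag that started the chain
    });
  }
  return [...findings.values()];
}

const report = findUnapprovedTrackers(SAMPLE_REQUESTS, "shop.example", new Set(["tags.approved-ads.example"]));
for (const f of report) {
  console.log(`${f.piggyback ? "PIGGYBACK" : "UNLISTED"} ${f.host} via ${f.chain.join(" -> ")}`);
}
```

The `introducedBy` field names the tag the site owner actually embedded, which is the one to review or remove. Hosts that should never load can additionally be kept out with a Content-Security-Policy allowlist limited to the approved inventory.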
Organizations must proactively secure user data in an era where consumer trust relies on solid privacy protections. Such efforts align with FTC guidance and demonstrate a commitment to transparency and consumer protection—a valuable advantage in today’s privacy-conscious market.