The 600+ Companies PayPal Shares Your Data With (schneier.com)
AmiMoJo shares a report from Schneier on Security: One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data. Is 600 companies unusual? Is it more than average? Less? We'll soon know.
A good many of these seem legit: companies to which PayPal has outsourced work, or partners such as banks, which all form an integral part of PayPal's actual operation. The shady ones are the companies listed under "marketing and communications". But all in all there aren't many shocking revelations in there. The sheer number seems high until you look at the list, and realise that this is what comes with running a global service.
What we see there in some cases is that "shared data" also includes data collected by embedded crap from 3rd parties such as Facebook (which pretty much every site has these days). "Advertising ID and device ID to segment user groups based on app behaviour, encrypted e-mail address associated with PayPal users (without indicating account relationship), IP Address, Anonymous ID generated by cookies, pixel tags or similar technologies embedded in webpages, ads and emails delivered to users. Mobile advertiser ID, IP Address and other metadata via Facebook SDK in mobile apps." Yeah, just about what we expected, and it's good that they actually include this sort of stuff on the list.
Here's an odd entry: Carrenza Limited (UK) | To hose a marketing database | Name, address, email address, business name, domain name, account status, account preferences, type and nature of the PayPal services offered or used, and relevant transaction information. I just wish that wasn't a typo...
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
e.g. pull one from the list at random: Global Data Consortium.
"To verify identity and carry out checks for the prevention and detection of crime including fraud and/or money laundering; research and testing as to appropriateness of new products"
There's the cover (fraud prevention) and the catchall "research and testing" which covers any reason at all.
GDC sell data, they buy it from "Data Partners" and resell it. They phrase it real nice here:
"We invest in our data partners, establishing deep relationships with them and providing them with technology to make their information available on our platform. We give them access to a broader market through our MARKETING AND DISTRIBUTION programs, PAYING FAIR ROYALTIES that reflect the value of their services."
i.e. they are a data broker that pays PayPal royalties for selling your data to others. A conduit rather than an endpoint. And PayPal use the catchall phrase to cover bulk sales of all data.