The 600+ Companies PayPal Shares Your Data With

AmiMoJo shares a report from Schneier on Security: One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data. Is 600 companies unusual? Is it more than average? Less? We'll soon know.

Not that shocking

[JaredOfEuropa]

A good many of these seem legit: companies to which PayPal has outsourced work, or partners such as banks, which all form an integral part of PayPal's actual operation. The shady ones are the companies listed under "marketing and communications". But all in all there aren't many shocking revelations in there. The sheer number seems high until you look at the list, and realise that this is what comes with running a global service.

What we see there in some cases that "shared data" also includes data collected by embedded crap from 3rd parties such as FaceBook (which pretty much every site has these days). "Advertising ID and device ID to segment user groups based on app behaviour, encrypted e-mail address associated with PayPal users (without indicating account relationship), IP Address, Anonymous ID generated by cookies, pixel tags or similar technologies embedded in webpages, ads and emails delivered to users. Mobile advertiser ID, IP Address and other metadata via Facebook SDK in mobile apps." Yeah, just about what we expected, and it's good that they actually include this sort of stuff on the list.

Here's an odd entry: Carrenza Limited (UK) | To hose a marketing database | Name, address, email address, business name, domain name, account status, account preferences, type and nature of the PayPal services offered or used, and relevant transaction information. I just wish that wasn't a typo...

Re:Not that shocking

[houghi]

I work in the financial industry in Brussels, Belgium and we do not share customer information with banks or anybody else.

e.g. you go into a store and open a credit to buy a TV. The person working for Seller will put in the data on our platform.No sharing of personal data is going on.

With another partner, we had to make a secondary company where we BOTH where partners, just so we could share the data.

The third parties we work together with will get very limited data. Basically just a name, address and phone number and they better not do anything else with it, or else. Yes, that is marketing.

Sharing it with 600 companies? Seems extremely high to me. Especially for a financial company. What they need to share is very well regulated up to the wazoo. Stricter regulations are coming. (I believe in May) and they will overturn the current Belgian law and turn it into a European law.

Seriously, 600 is a shitload. We deal with plenty more companies and we have about 4 we share data with and that is strictly regulated.

Re:Not that shocking

[JaredOfEuropa]

Not at all the same business or scale, by the sound of it. Even so, aren't you sharing data with a lot more companies? For instance, if you collect monthly fees from customers by direct debit, you are sharing personal data with their banks.

Nothing to do with outsourcing

e.g. pull one from the list at random: Global Data Consortium.

"To verify identity and carry out checks for the prevention and detection of crime including fraud and/or money laundering; research and testing as to appropriateness of new products"

There's the cover (fraud prevention) and the catchall "research and testing" which covers any reason at all.

GDC sell data, they buy it from "Data Partners" and resell it. They phrase it real nice here:

"We invest in our data partners, establishing deep relationships with them and providing them with technology to make their information available on our platform. We give them access to a broader market through our MARKETING AND DISTRIBUTION programs, PAYING FAIR ROYALTIES that reflect the value of their services."

i.e. they are a data broker that pays Paypal royalties for selling your data to others. A conduit rather than an endpoint. And Paypal use the catchall phrase to cover bulk sales of all data.

Re:PayPal not such a concern

[TheRaven64]

eBay no longer forces you to use PayPal. They did back when they owned PayPal, but that doesn't really count because any data that PayPal had, eBay also had.

Let's stop calling it "sharing"

"Sharing" is a friendly gesture and a positive thing. This is neither friendly nor positive -- it's an act of pure greed. What these companies are doing is selling your personal data, not "sharing" it.

Re:Let's stop calling it "sharing"

[Maritz]

Your ISPs are allowed to sell your browsing data, lol. I guess corrupt representation leads to that kind of situation.

I had a PayPal account briefly,

[jenningsthecat]

back when they first started. They were such assholes that I've only used them once or twice since. And even then, it was only their credit card processing service that I used, and only because I really, really wanted to donate money and that was the only way to do it. In the meantime there have been lots of musical artists, software authors, etc. that I wanted to give some money to - but not badly enough to suck it up and support a company that I'd like to see die. As for making purchases, if PayPal is the only way to pay, then I simply don't buy. I've made special arrangements to do Interac transfers, both to make a point with a vendor, and as a 'fuck you' to PP. As for an actual PayPal account with my money in it? I wouldn't be caught dead with one of those. PayPal is utterly evil, and I'm glad that the choice to never support them in any way is a viable one. Now if only I found it viable to make the same choice with Google...

I'd like to hope that this latest report about PayPal will hurt their business. Sadly, I don't think it will.

Re:PayPal not such a concern

[Megol]

That's not an argument - it's fantasy.

Nobody forces you to buy food.
Nobody forces you to seek medical treatments.

So you aren't forced to use money. You will not live but then nobody forces you to stay alive.

Nobody forces you not to kill or do other illegal actions, it will have consequences but the choice isn't forced upon you.

(Skipped some steps in the reductio ad absurdum (sp?) argument, the rest is left as homework for the reader)