Ask Slashdot: How Is It Even Legal For Websites To Gather And Sell Users' Data?

Long-time Slashdot reader dryriver sees it like this: Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

Would I be breaking the law if John D. has not given me explicit permission to do this? Very likely. If this is the case for "meatspace data gathering", how can websites justify gathering information about visitors, and selling that information to third parties?
How would you answer this question? Attempt your own best explantions in the comments. How is your country balancing the need for online privacy with actual laws governing what can and can't be collected?

How is it even legal for web sites to gather and sell users' data?

That would probably mean you're a private eye

They're completely legal.

Legal is relative to jurisdiction

[misnohmer]

One can't answer your question unless you specify "legal in jurisdiction X". For example Europe has GDPR, USA or Canada or Mexico or China does not, but they have other laws.

So I guess I would answer your question with "Legal where?" and a disclaimer "IANAL". ;-)

Private detective

[alvinrod]

Lets say that I follow a person named John D. around for days without permission, make note of what John D. does and where he buys with timestamps accurate to the second without John D. knowing it is happening, analyze what kind of personality traits John D. has, enter that data into an electronic database where it is stored forever, and also make the data purchaseable to any third party who is interested.

That sounds a bit like a private detective, with the exception that they typically work for a specific client.

Also, if you stop to think about it, going to a website it like going to some person's private establishment. I'm visiting their server, so it's their rules. Stores no doubt track my purchases, and some even have cameras on presence that record my every action. If I have a problem with it, I can take my business elsewhere.

Sure, terms of service could be more explicit, but most people wouldn't bother to read them or would just click through like they did when they signed up for a Facebook account or half of the other shit they use online.

Re:Private detective

[Jane+Q.+Public]

Not really.

Example 1: Facebook and Twitter track you on every web page you ever visit with Facebook or Twitter "share" icons (or "like" in the case of Facebook). They don't tell you that. (In fact they track people who have never been to Facebook or agreed to a damned thing.)

Example 2: It is illegal in the United States to track people who are less than 13 years old, without explicit parental consent. Yet not only to Google, Facebook, and Twitter do this on a massive scale, they don't care about the law and don't even try to abide by it.

The latter is BIG. The fine per violation is significant. If it were actually enforced, those companies would be out of business very quickly.

How would this be illegal?

[jimduchek]

What makes you think any of what you described in 'meatspace' is illegal? It's not, in the US, anyway. PERHAPS could be considered under harassment or stalking laws if it was very blatent, but if you are in public, you are subject to anyone recording/photographing you and what you are doing, pretty much.

Re:How would this be illegal?

[LynnwoodRooster]

Would the company whose website you are visiting have the right to watch what you're doing? It would be analogous to walking into a grocery store and having the cashier watch you walk up and down the aisles, and note what products you chose - and which you did not.

They're not following you to observe what you do.

[aussersterne]

You are going to their house and doing what you do, and they're just making note of what you did in their living room.

Not "following them around without permission"

[SlaveToTheGrind]

The real-world analogy would be more like keeping track of someone's location and activities who entered your retail store, then using/selling that data as they see fit. People may not like that, but I don't think there's any serious theory that it would be illegal. (Let's ignore for a moment the places in that retail store where you'd have a reasonable expectation of privacy like changing rooms, since that's outside the scope of the submitter's doe-eyed question.)

In the same way, you visit someone's website, you play by their rules. This doesn't seem particularly complicated or surprising.

Re:Not "following them around without permission"

[Kjella]

Well... while I can't fault your logic, I think your summary understates just how much previously private information we're now exposing. For example take newspapers, my dad still gets one in the dead tree format. Nobody knows what articles he reads or how long he's read it in total and outside the paperboy nobody knows if he's picked it up at all. With online newspapers they know exactly when and what you've read and with JavaScript probably how long it took, how often you scrolled the page and overall created way more data on whoever read the semi-critical article on the Party. Same goes for video games, TV series and whatnot... it used to happen on your computer, now there's a log in the cloud.

You are confusing the impractical with illegal

It's not necessarily illegal to follow someone around without there permission to the extent you are not entering private property illegally and trespassing. Basically assuming nobody tells you to say leave a store following someone onto private property of a nature open to the public it is going to be legal. There may be statues against harassment, but those are going to be more specific. There may also be laws against practicing investigations without proper licenses. However following someone around and making notes about them is not in and of itself necessarily either of these things. It's merely impractical to make such a business model work and so nobody has done it until more recently and really only to the extent it is automated via technology via cameras, cell phones, etc.

Well, we've been electing anti-regulation

[rsilvergun]

pro-business and pro-corporate leaders for nearly 50 years now. If the people in charge of regulation don't believe in regulation then we don't get regulation.

Seriously, it's not complicated.

Seems to be a blind spot in people

[Solandri]

People seem to think at the individual level, not at the group level. I first ran across this in the 1990s playing Everquest. In response to complaints about griefers harassing regular players, they came up with an anti-harassment policy. You could be banned for targeting a player and harassing them. This had the opposite effect than intended. Griefers didn't target specific players. They tended to hang out in an area and try to ruin the day of anyone who came into the area. On the other hand, people who got fed up with the griefers and tried to drive them out of an area were targeting a specific player. And so the anti-harassment policy ended up protecting griefers, while getting anti-griefers banned.

For some reason people seem to judge the harm of bad behaviors in terms of the average harm done to an individual, rather than to the overall harm done to society. A spammer sends out a hundred million spam emails, and people say "what's the big deal? It only takes you 3 seconds to realize it's spam and delete it." But 3 seconds times 100 million is 9.5 years of cumulative wasted time and productivity. Likewise, people handling private customer data don't take it seriously, since each individual's data is probably only worth a few dollars. Nobody cares if they lose a few dollars, right? But multiply it by several hundred million people and you're doing serious economic damage if you take it without permission or let it get stolen by hackers.