Does Starbucks know if I wet the bed?

The crazy things data brokers share with everyday retailers.

The media loves to talk about Facebook, Google, and Amazon when it comes to privacy. But the true privacy offenders are the companies you’ve probably never heard of. We’re talking about the data brokers–a set of companies whose entire business is to track every single American consumer (that means you).

Things get creepy when you dig into these hidden databases accessible to retailers, banks, and law enforcement. The goal of each database is to have a singular file with your name that’s shared across thousands of companies and government agencies.

Let’s take a look at just one data broker as an example: Epsilon Data. Here’s a quote from their website:

“All Epsilon data is based on verified individuals and includes name and vital data on virtually every U.S. consumer…[we have] coverage of every marketable U.S. household.”

We spent days digging through Epsilon’s marketing material, downloading PDFs, reading white-paper downloads, and listening to corporate training videos. Here are the craziest things we found.

Data brokers know nearly everything about you

Do you wet the bed? Do you have a cold sore? Data brokers likely know the answer. Documents from Epsilon Data claim that they track over 100 medical conditions, procedures, or ailments. This includes knowing big things like if you have conditions like colitis, depression, or anorexia. It also includes small things, like how often you blow your nose. (Epsilon keeps track of how often you have nasal congestion).

In all, Epsilon has information on you across 13 different categories which include your “Ailments & Medications”, your restaurant preferences, your political views, and personal interests.

Here is Epsilon’s ‘data dictionary’. If you want to see what types of information Epsilon has on you.

You’ll notice that your health data is right beside other personal information like your net worth, number of kids, occupation, religion, and voting preferences. Here are some of the most personal labels:

Bedwetting

Bowel Irregularity

Trouble Sleeping Due to Breathing

Diet Concerns

Uses Adult Diapers or Liners

Cold Sores

Depression Medications

Coffee Brand Preference

NRA Members

Net Worth

Current Cash Savings

Treats Pets Like Family

Specific Vehicle (e.g. Toyota Corolla)

Online Dating Paid User

Number of Returns Last Year

Opens Text Messages from Retailers

Remember, this is a company that claims to “include the name and vital data on virtually every U.S. consumer”.

Why does Starbucks need to know if I wet the bed?

Perhaps more concerning than what data brokers collect, is who data brokers share this information with. There really isn’t regulation about which information data brokers can take from one retailer and give to another.

Let’s take a look at two retailers like Starbucks and CVS as a possible example. By selling their consumer data to data brokers, each company can examine your behavior across both stores.

Buy a lot of donuts? CVS could see this and begin offering you coupons to diet pills or weight loss products. Buy a lot of adult diapers? Maybe Starbucks wants to know that when you walk into the store. It’s up to the discretion of Starbucks or the data broker.

Each company having access to hundreds of your attributes and behaviors gives limitless possibilities of how to target, track, or sway your behavior.

While there hasn’t been publicly documented cases of retail companies or restaurants using your implied health data, there’s legally nothing stopping a company from doing so.

How do data brokers like Epsilon know so much?

The power of data brokers is their ability to mash together multiple streams of information to track your (nearly) every move. This happens to be their main selling point. Data brokers keep their sources largely secret. We’re told it’s ‘proprietary information’. We did our own research to reverse engineer how data brokers probably work.

The data broker’s first stop is likely free public records. Think US census data, property records, arrest records, or even your birth certificate. This is how data brokers know they have coverage over “every marketable consumer in the US”.

Public records are technically available for anyone to grab–just go to your local county recorder’s office to pull property sales or company filings. Many of these records are available online, albeit behind clunky, government-run websites. Data brokers put a lot of money into scraping these sites to pull out information. For counties with information not accessible online, there are rumors that data brokers pay people to go to each county’s recorder’s office and physically copy public records, one by one.

Data brokers can also access proprietary ‘public’ records. In 2020, lawmakers asked the California DMV how it makes $50 Million a year selling driver’s data. The DMV claims it helps them conduct “traffic studies, emissions research, background checks, and for pre- and existing employment” — Source. Companies like LexisNexis and Experian strike deals with the DMV to exchange cash for your data. While we don’t know exactly what information the DMV exchanges, it’s presumably identity data like (your address, height, age, weight, hair, eye color) and vehicle records like (your car registration details, miles driven, speeding tickets, etc).

Once your baseline identity is established, data brokers turn to the private sector to provide daily tracking. Data brokers partner with thousands of retailers who share your purchase history in a sort of data-potluck system. Everyone contributes, and everyone takes.

Thousands of retailers like CVS, Nordstrom, and Cabela’s participate. Gas stations like BP, Arco, Chevron. Restaurants like Cheesecake Factory, Chilis, and in some cases even your neighborhood coffee shop, all participate in tracking what you buy. They upload your detailed purchase information to data brokers. In return, they have visibility into your habits across other retailers.

By tracking purchase history, companies can get up-to-date information about your location, budget, interests, and medical conditions.

The last piece of the puzzle is tracking your online behavior. Many data brokers use online ‘cookies’ to track your browsing behavior. We recommend downloading Ublock Origin if you haven’t already done so.

Many data brokers have started to go directly to the source of online traffic — your Internet Service Provider (ISP). Think Comcast, Spectrum, Verizon, and AT&T. Each of these providers can see all of the websites you visit. No, incognito mode won’t protect you from your ISP. They know it all.

In October of 2021, the Federal Trade Commission (FTC) reported all the nasty ways that your ISP tracks you and shares your data. The FTC noted their worry:

“there is a trend in the ISP industry to combine the subscriber data with additional information from third-party data brokers, resulting in extremely granular insights and inferences into not just ISP subscribers but also their families and households.”

“in particular, browsing data, television viewing history, contents of email and search, data from connected devices, location information, and race and ethnicity data. More concerning, this data could be used in a way that’s harmful to consumers, including by property managers, bail bondsmen, bounty hunters, or those who would use it for discriminatory purposes.” 2021 FTC Staff Report

So there you have it, data brokers track nearly every facet of your modern life in order to put together a file on you. Oh, and your file is for sale. If you thought you weren’t being tracked–think again.

This seems really bad. What can I do?

If you’re worried about your every move being tracked by omnipotent corporations, the best thing you can do is opt-out of the most popular data brokers and change your ISP privacy settings.

You can visit our Atlas opt-out guides to see how to opt-out of nearly all the major data brokers. We recommend starting with Epsilon, Experian, and LexisNexis if you’re worried about being tracked by retailers. If you’re nervous about the general public seeing your information, you can start by removing yourself from Spokeo, WhitePages, and BeenVerified.

In the near future we’ll create a step-by-step guide on how to change your privacy settings to ensure your ISP won’t sell your browser history and contents of your email. In the meantime, we highly recommend that you use a VPN to mask your internet traffic from your ISP.

If you feel as passionate about this issue as we do, you can write a consumer complaint to the FCC about your ISP’s privacy practices https://consumercomplaints.fcc.gov/hc/en-us.