It's disingenuous to have problems with websites collecting entirely anonymous browsing data -- that goes beyond any arguments for privacy and just steers into "yelling at clouds" territory.
In what way? I agree that personally tracking an individual and using psychology tricks and whatnot to trick them into buying stuff is bad, but if it's just a company knowing what works well for them, I don't see the argument.
> when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party
Retail stores also use your shopping data to target you with ads. Credit cards also obviously sell your purchase data to anyone willing to pay for it. I wouldn't be surprised if retail stores even sell your cash purchase data to any third party willing to pay for it.
Information is valuable, but it is not holy.
Analytics isn't that. Analytics is tracking a customer walking into the store and looking for which store they came from. Analytics is noting down how long a customer spent holding a blue item, if they looked at a big red item, and noting it down because it might matter. Analytics is seeing how the customer went back and forth between one aisle and another. Whether looking at one item made them less inclined to look at the next. Analytics is hoarding all of that information and keeping it even if the customer doesn't make a purchase.
Of course stores have been looking at how and why and when customers shop for years, but through consensual studies. They learnt to put the fruit at the entrance and the sweets at the exit. They learnt to put their high value items at eye level. And they didn't do it through spying and analysing the behaviours of everyone walking through their doors. They didn't keep years of CCTV with the sole excuse that they might want to see how long you lingered between deciding on diaper brands.
The web has no excuse.
How, you don't enter your name when you pay with cash.
Also in EU is illegal to share any personal info in physical world too, say you go and make a subscription to a gym they can't share your data with a third party unless they make you sign a paper first.
Edit:typos
You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".
"Oh, it's that one privacy nut again who always wears sunglasses and a hoodie and only pays in cash"
And the store person will then what? Open excel wnd write "a dude with glasses was ehre at 12:51"? and then send the file to 100+ partners?
>You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".
So the physical stores have some shady dudes attempting to lift fingerprints from money then some statistics guy try to put probabilities on which fingerprint matches which anonymous guy?
here in my country you still pay with cash and the store people put it in a machine combine it with money from other people, it will be a lot of work and risk for some shitty nano reward.
Edit typo
it is cash, not cache.
(By the way, a gym can and usually does share contract data including personal information with numerous third-parties such as external bookkeepers. This is legal under the GDPR without explicit consent.)
Why is it legal, does the gym need those 100 contractors to know my data for it to work? What are those for 100 different accountants? How did gyms or other businesses worked before the internet, did a guy walked to 100 different locations with papers in hand so those "partners" take a quick look?
If they want to send you a letter, they have to give your data to the postal service. Again, no consent needed.
This is legal because our whole economy is based on devision of labor. Privacy laws account for that.
Before the internet, the owner took a shoe box of receipts to their bookkeeper every month. Those receipts had your name, date, etc. on them.
GDPR requires data sharing to be done for a defined purpose.
The purpose of sharing data with an external company bookkeeper for bookkeeping is not remotely connected to any purpose an analytics service fulfills. So while the shared data is capable of the same insights, it's explicitly illegal for it to be processed that way without a defined purpose (which is it's own can of worms).
>entirely anonymous browsing data
It's never entirely anonymous, because how useful data is, is inversely related to how anonymous it is.
ergo it would only be truly anonymous if it was truly useless.
Can you ask your bookkeeper to tell you the top 3 best selling products for your top 5 customers without declaring that the purpose of the data transfer to the external bookkeeper is also to run sales analytics?
> top 5 customers
You probably have to declare that the data is processed for that purpose in general terms but I don't see why consent would be necessary. Anyway, this analytics service claims it doesn't do this kind of analysis.
This is very unlike the accounting firm, which never receives any identifying for cash transactions and thus couldn't store it even if they wanted to.
It's still a difference between not having data and not storing it. The later needs trust, the former doesn't.
I think you are wrong. What they receive is a set of purchases in a given period of time that allow them to make many important decisions (when people buy most, what purchases are more likely on a given date etc.) but there is no way of finding out my shopping habits.
The issue with all the tracking is that most consumers have no choice, no functional UI to interact with the tracking systems, and no clear idea of who they are ultimately transacting with.
With enough good data (so probably not in all sectors) you can also identify people out of the system.
There are not that many bits of entropy in (contextualized) human behavior.
Extreme case: you are the only person that ever buys product X around time Y, so that fact can be used as an anchor to build a profile.
You need to be way more paranoid if you want to be a true privacy warrior.
I think the element you're missing is - of course this is OK, it happens all the time. What the comment you were responding to before wasn't making clear is that when it's done, there must be contractual provisions limiting the service provider's use of the data, so they can't use it for their own purposes.
