Data is sold to advertisers. They use it in a variety of ways, but one of the most disturbing ways is building a profile on you based on all that data and using that profile and psychology to try to manipulate you the best way they can into spending more money.

Most of the time this data and the selling of it, means information that can be used to sell ads space to advertisers that are targeted at you.

Data brokers and other companies use this data to build a profile of you in order to target ads to you AND to predict your behavior (sometimes incorrectly).
It’s not just about selling you shoes to go with the pants you’re looking at, it’s also about sending a crafted piece of (mis)information to you on Facebook, etc. to get you angry about a candidate, or join an echo chamber with more poison. Instead of one campaign commercial to everyone in a city at 6pm, how about one with a message crafted just for you.

Here’s an interesting and scary article about how Target was able to determine that a young woman was pregnant before her father did based on purchase data: https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

Now apply that to a larger scale: If I’ve just booked a flight somewhere, maybe ads for hotels and rental cars are going to be more interesting to me. Maybe if I just bought a tent, I might want a sleeping bag or a camp stove. Knowing all this means the ads you see are far more relevant that what you see on TV, which means it’s far more likely for you to engage with the ad and purchase the product.

It’s not usually bad for you in that it will cause you direct harm, it’s just generally an invasive mechanism that is pulling information without your awareness or consent.

As to what data they get, it really depends on what it going on. Generally they are gathering information on what device you are using, what web browser, and what website/content you are looking at. In addition they can also find out what other websites you’ve been too, your physical location to varying accuracy (very general using geo-ip to exact with gps if you enabled the permission). You don’t even need to ever visit a website directly for the company to track your browsing habits*.

Some extremely invasive data gathering can get more sensitive info, think about every message you may have sent over something like facebook. Facebook doesn’t have to keep those messages to gather data from them. A pattern match algorithm can determine topics/interests/demographics/etc. and store those without needing to save the actual conversation. Facebook and its software is actually really bad about system invasion for data gathering.

*Those little facebook/twitter/etc. buttons on webpages/news articles/shopping sites that are supposed to allow you to share the *thing* on your feed with your friends is one way they do it. That little facebook symbol isn’t stored on say [amazon.com](https://amazon.com)’s web site. It’s stored on facebook’s. So when your browser opens up the page for a blender listing, it reaches out to facebook’s server for that little symbol using an encoded link. That code tell’s facebook’s server exactly what page you are visiting and your browser supplies it’s information as part of the standard request. This allows facebook (and others) to track your browsing without you ever visiting their website.

Data isn’t stolen. It is willfully given in the multi-page agreements that users check when installing apps or visiting websites.

There’s a spectrum of abilities your digital data can enable, some of which are more abusive than others.

On the mundane side, they can target ads for consumer goods you’re more likely to be interested in.

Or they could target drugs/supplements to you based on a guess about your medical condition.

Or predatory financial products based on guesses about your level of debt.

Or gambling opportunities based on historical behavior despite your desire to stop.

Or a scam based on how likely you are to be fooled.

Or a political message that’s more likely to resonate with you.

Or put you on a government watchlist as someone who’s more likely to sympathize with a radical group, an oppressed minority group, or an opposition party.

Or (in some countries), map out where you probably live, who you hang out with, and the most efficient way to arrest you.

For a lot of these, we rely on large tech companies like Google to police themselves. Legal protections are still immature in this area, and in some regimes, the law slants heavily toward informing the government vs. protecting individuals.

Different companies collect different data from different sources and use it in different ways. There isn’t really a one-size-fits-all explanation for this. Really we can only talk about what is *potentially* happening, and specific cases of what *has* happened.

When you visit a website, some information is obtained from the network connection. Mostly that’s just IP address, which in turn can roughly indicate your ISP and approximate geographical location (city/suburb level or higher, and not 100% accurately).

Your browser also sends a bunch of information automatically. That includes things like the browser name and version, operating system version, and cookies (bits of data that the site has previously set), and what website you came originally from (the HTTP Referer).

Your browser can send [a lot more information when requested](https://coveryourtracks.eff.org/learn). These days that can include screen size/resolution, fonts installed, browser plugins, battery status, time zone and lots more. Additional information can be sent if you consent to it, such as precise GPS location, audio or webcam capture.

Many sites ask you to provide some amount of personal info. Name, phone number, email address, home address, interests. Maybe it even gives you the option to log in with your social media account, which potentially grants them access to a lot more data.

Your interaction with the site itself is also monitored. Every behaviour from what products you purchased to how long you browsed the product page before adding them to your cart. Every page load, scroll, button click, keyboard press, mouse movement etc within that site can potentially be monitored. Individually, most of that data is harmless. Collectively, it helps identify and track you as an individual across multiple websites, and build a demographic profile of you.

Not all of that data is captured, and not all of the data captures is necessarily a problem. You can’t visit a website without telling the server your IP address, how else will it know where to send the web page you requested? Most web servers also keep basic logs of which URLs were requested, how long they took to load, what errors occurred etc, this is important for troubleshooting the website. Your geographic location can be used to redirect you to the correct regional-specific version of a website (eg. amazon.com vs amazon.co.uk). Traffic data can be collected to make sure the site isn’t under cyber attack. Cookie data is used to keep you logged in. And how can a business operate if it isn’t keeping track of purchases, historical orders, and updating stock levels? These are all completely benign uses.

Sometimes, businesses decide to use this data a lot more effectively. That can include things like gathering metrics on how long it takes people to go through the workflow of searching a product, finding the result, checking out. Or how many people are leaving items in their cart without checkout. Or what kind of products they’re searching but leaving because you don’t stock them. Or whether customers are leaving good or bad reviews. Or what age ranges are buying which products. This might let them promote certain products on the front page, or run certain deals, or advertise specific products to specific types of customer. Again, any company who doesn’t do this is basically throwing away money.

But sometimes, that data is shared explicitly or implicitly between multiple companies, and often consolidated in the hands of a few powerful companies such as Facebook or Google. And you end up with everything from your hobbies to your credit card history to your thoughts on abortion all wrapped up in a neat little profile. Then you have insurance companies denying your claims because they used this data to figure out you had a medical condition that you didn’t even know about yourself. Or companies like [Cambridge Analytica](https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal) using that data to target political advertising to certain demographics and sway elections with disinformation. Because after all if marketing and information can be used to convince you to buy a product you don’t need, what’s stopping it from changing your opinions on certain topics or convincing you to vote for certain candidates?

And don’t think this ends with websites either. Nowadays every business wants you to install their app, which not only gives a constant reminder that they exist right on your home screen, but gives them more access to data from your phone that a simple website can’t get. Thinking of ditching the digital age and shopping in person with cash? Don’t forget all the security cameras, facial recognition, AI behavioural analysis etc that’s happening in-store.

And these are just the problems that arise when the “right” people have access to this data, and they’re “only” using it to make more money or grow their power. What if your own government gains that access? Or a hostile foreign nation? Or a bad actor like a scammer?

This is why data privacy is important.