Different companies collect different data from different sources and use it in different ways. There isn’t really a one-size-fits-all explanation for this. Really we can only talk about what is *potentially* happening, and specific cases of what *has* happened.

When you visit a website, some information is obtained from the network connection. Mostly that’s just IP address, which in turn can roughly indicate your ISP and approximate geographical location (city/suburb level or higher, and not 100% accurately).

Your browser also sends a bunch of information automatically. That includes things like the browser name and version, operating system version, and cookies (bits of data that the site has previously set), and what website you came originally from (the HTTP Referer).

Your browser can send [a lot more information when requested](https://coveryourtracks.eff.org/learn). These days that can include screen size/resolution, fonts installed, browser plugins, battery status, time zone and lots more. Additional information can be sent if you consent to it, such as precise GPS location, audio or webcam capture.

Many sites ask you to provide some amount of personal info. Name, phone number, email address, home address, interests. Maybe it even gives you the option to log in with your social media account, which potentially grants them access to a lot more data.

Your interaction with the site itself is also monitored. Every behaviour from what products you purchased to how long you browsed the product page before adding them to your cart. Every page load, scroll, button click, keyboard press, mouse movement etc within that site can potentially be monitored. Individually, most of that data is harmless. Collectively, it helps identify and track you as an individual across multiple websites, and build a demographic profile of you.

Not all of that data is captured, and not all of the data captures is necessarily a problem. You can’t visit a website without telling the server your IP address, how else will it know where to send the web page you requested? Most web servers also keep basic logs of which URLs were requested, how long they took to load, what errors occurred etc, this is important for troubleshooting the website. Your geographic location can be used to redirect you to the correct regional-specific version of a website (eg. amazon.com vs amazon.co.uk). Traffic data can be collected to make sure the site isn’t under cyber attack. Cookie data is used to keep you logged in. And how can a business operate if it isn’t keeping track of purchases, historical orders, and updating stock levels? These are all completely benign uses.

Sometimes, businesses decide to use this data a lot more effectively. That can include things like gathering metrics on how long it takes people to go through the workflow of searching a product, finding the result, checking out. Or how many people are leaving items in their cart without checkout. Or what kind of products they’re searching but leaving because you don’t stock them. Or whether customers are leaving good or bad reviews. Or what age ranges are buying which products. This might let them promote certain products on the front page, or run certain deals, or advertise specific products to specific types of customer. Again, any company who doesn’t do this is basically throwing away money.

But sometimes, that data is shared explicitly or implicitly between multiple companies, and often consolidated in the hands of a few powerful companies such as Facebook or Google. And you end up with everything from your hobbies to your credit card history to your thoughts on abortion all wrapped up in a neat little profile. Then you have insurance companies denying your claims because they used this data to figure out you had a medical condition that you didn’t even know about yourself. Or companies like [Cambridge Analytica](https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal) using that data to target political advertising to certain demographics and sway elections with disinformation. Because after all if marketing and information can be used to convince you to buy a product you don’t need, what’s stopping it from changing your opinions on certain topics or convincing you to vote for certain candidates?

And don’t think this ends with websites either. Nowadays every business wants you to install their app, which not only gives a constant reminder that they exist right on your home screen, but gives them more access to data from your phone that a simple website can’t get. Thinking of ditching the digital age and shopping in person with cash? Don’t forget all the security cameras, facial recognition, AI behavioural analysis etc that’s happening in-store.

And these are just the problems that arise when the “right” people have access to this data, and they’re “only” using it to make more money or grow their power. What if your own government gains that access? Or a hostile foreign nation? Or a bad actor like a scammer?

This is why data privacy is important.