The Internet and Data Privacy
What Is Collected, How To Opt-Out of Cookies and Disable Data Collection
Covering Social Media Platforms, Web Browsers, Operating Systems, Smartphone Apps and More
The Internet is an essential part of today’s society for workplaces, educational institutions, businesses and government agencies. In fact, in 2020, Americans spent an average of 13 hours and 35 minutes online per day, up an hour from the previous year1. At the same time, every time a person visits a website, posts an image on social media or does a search on Google, their personal information is collected. While most companies list privacy policies on their websites, they’re oftentimes long, complicated and hard for the average consumer to understand. Given how much time we spend online, it’s important to look at how we can keep our personal data private in simple, actionable steps.
This guide explains what data is collected, how companies use it and share it with third parties, and what you can do to protect your data in the future and delete data that’s already been collected. The information below covers everything from the biggest tech companies like Facebook and Apple to popular browsers like Chrome and Firefox and commonly-used apps like Outlook and Spotify.
Table of Contents
- What Data Is Collected
- Large Tech Companies
- Operating Systems
- Mobile Applications
- How To Avoid and Reduce Data Collection in the Future
- By Browser
- By Social Media Platform
- General Tips
- How To Delete Data That’s Already Been Collected
- By Browser
- By Social Media Platform
- Data Privacy Statistics
- Data Collection Laws
- Is Private Browsing Really Private?
- How To Browse Privately By Browser
What Data Is Collected?
Let’s take a closer look at each company and the data that they collect. This guide also covers why they say they collect this information and their policies for sharing it with third parties.
The largest tech companies include Google, Amazon, Facebook, Apple and Twitter, so we did a deep dive into their privacy policies to start off.
We use Google so often that it’s almost hard to think of as merely a set of products and services. Whether it’s Gmail, where we send all our emails, or Google Maps, which we are completely dependent on to know where we are at any given time, Google has a myriad of ways of collecting our data, and collect our data they do.
- Information They Collect: Out of all the companies on this list, Google collects and stores the most of our information by far. That’s not surprising, as their business model relies on knowing as much data as possible (and making it super easy for people to access). However, the company keeps a ton of data on the searcher as well as the world at large. From users’ precise locations to their browsing histories, from their activity on third-party sites or apps to the emails in their Gmail accounts, if it’s data, there’s a good chance that Google is collecting it.
- Unique identifiers: Google collects IP addresses, crash reports, system activity, date, time and referrer URL of requests, data about interactions between apps, browser and device type, application version number, app usage, carrier name and operating system.
- Personal Information: They also collect names, phone numbers, payment information if the user has made any purchases through Google, email address, emails users write and receive, stored videos, photos, documents, and spreadsheets, and comments on YouTube.
- Activity Data: Google keeps track of search terms, videos watched, views and interactions with content and ads, plus any video and audio information if these features were used. They’ll also keep track of any purchase activity, and, if a third-party site uses Google services, activity on those sites or apps. Additionally, they’ll keep track of your browsing history if the user uses a Chrome browser synced with a Google account. Finally, if they’ve used Google to make calls or text, then Google has also collected the calling and receiving party numbers, forwarding numbers, times and dates of calls and texts, call durations, routing information, and types of calls.
- Location Information: As far as location goes, Google keeps track via GPS, sensor data from devices, and information about things near the user’s device like Wi-Fi access points, cell towers, or Bluetooth-enabled devices.
- Publicly accessible sources: Google may obtain information about users from local newspapers, third party marketing partners, or advertisers.
- Why They Say They Collect This Data: Aside from maintaining services, Google collects this data to personalize ads and content, although this isn’t done based on race, religion, health or sexual orientation by law. Google also uses this data to measure the performance of ads, sharing the data with advertisers so they can create more effective ads.
- Third Party Sharing Policies: Students or anyone who uses Gmail for work, listen up: Google is sharing your information with domain administrators along with a bunch of third parties like advertisers, publishers, and developers, although the user’s identity isn’t identifiable. However, Google does give their partners a ton of leeway, allowing them to collect data from users’ browsers and devices using cookies2.
In 2019, Facebook had 2.37 billion active monthly users with a revenue of over $60 billion3, making it one of the most popular and profitable social media platforms of all time. However, the company has faced legal ramifications regarding its data collection policies, most notably the Cambridge Analytica scandal of 2018. So, what sort of data does the company collect on over 72% of North Americans?
- Information They Collect: Since Facebook is a purely social app, they know a ton about their users personally, from the people they interact with to the groups they’re in, and even their “private” messages. Facebook knows exactly when users log on, for how long they’re logged in, and what comments, shares, and transactions they’ve made in that time.
- Unique identifiers: The only unique identifiers that Facebook keeps are users' IP addresses, which are easy to cover up with a VPN.
- Personal Information: Facebook is a wealth of personal information, most of which users enter themselves. The company keeps users’ names, phone numbers, payment information, email addresses, contact information from devices, as well as their stored videos and photos. Plus, they’ll keep the metadata of users’ photos and files.
- Activity Data: In terms of activity, Facebook keeps track of connections and networks, messages, content, and videos watched, along with how users interact with different content and advertisements. They know exactly when people use their site and for how long.
- Location Information: To figure out users’ location, Facebook uses sensor data from their devices.
- Publicly accessible sources: Facebook doesn’t find data about users through publicly accessible sources, as they have all the data they need entered by users themselves.
- Why They Say They Collect Your Data: What does Facebook do with the data of billions of people? Well, the company claims they use it to personalize and improve their own products, like suggesting groups users might be interested in, showing users businesses nearby their current locations, or presenting them with, you guessed it, highly-targeted ads. Ever wondered why that concert you just looked up shows up everywhere you look on Facebook? That’s why. We do have to give the company some credit, though, as they do sometimes use their data for good, like to learn about migration patterns during crises to help relief efforts, for example.
- Third Party Sharing Policies: Facebook makes the majority of its money through its advertisers, so of course, they provide third parties with a ton of user data, aggregated so businesses can easily see the demographics of their customers and would-be customers. So while they can’t see a list of exactly who clicked on their ad, they can see that a woman aged 24 who lives in California interacted with it, for example. Facebook also provides data to researchers and academics, as well as law enforcement agencies, if requested4.
There’s a ton of different ways people use Twitter, whether it’s catching up on daily news, chatting with friends or just posting updates about their lives. Whatever people use it for, here’s how much of their data Twitter keeps, and what they do with it after5.
- Information They Collect: Aside from basic account information, location information, and privacy settings, Twitter also collects direct messages and private communications, cookies, and the content viewed on third-party websites. However, they’ll never associate web browsing history with any information that could identify specific users, and the data is deleted after a maximum of 30 days. On the other hand, if the user is on a browser that Twitter thinks is in the European Union or European Free Trade Association, this may not be the case.
- Unique identifiers: Twitter logs many unique identifiers including a user’s IP address, browser and device type, carrier name and operating system.
- Personal Information: They’re pretty lax on personal information, keeping only a user’s name, username, password, phone number and email address.
- Activity Data: In terms of activity, Twitter keeps track of users’ messages, content, the videos they’ve watched, their views and interactions with content and ads, plus video and audio information, if audio features were used. They’ll keep track of the time, frequency and duration of users’ activity on Twitter as well as the people they communicate and share content with.
- Location Information: Twitter logs the time zone users are in as well as GPS information from their phones.
- Publicly accessible sources: Finally, Twitter logs data from third party marketing partners and advertisers.
Now, many people may be surprised to know that Twitter tracks activity on third-party sites and apps along with users’ browsing history, although the latter is never associated with any identifying information. Again, as long as the user is not in the European Union or a state in the European Free Trade Association, Twitter will delete their browsing history data after a maximum of 30 days. Twitter also keeps track of the user’s privacy settings.
- Why They Say They Collect Your Data: According to Twitter, they collect users’ data to scan for malicious content and spam, verify that users are who they say they are, help them find people to follow, protect the integrity of the platform and guess which topics users might like to create some personalized ads.
- Third Party Sharing Policies: Of course, Twitter shares users’ data with advertisers, service providers, law enforcement, and the government, if necessary. When it comes to advertisers, users can control which device identifiers Twitter can see as well as their interests and characteristics. However, a user’s name, phone number, Twitter username and email won’t be shared with advertisers, thankfully.
The biggest e-commerce web site in the country and one of the largest businesses in the world, to say Amazon has disrupted retail would be like saying that the Model T disrupted the horse and buggy. And Amazon isn’t just selling us products and services; they’re also collecting our data, selling it to their third-party marketplace sellers like Starbucks, OfficeMax, Verizon and Eddie Bauer. Let’s take a closer look.
- Information They Collect: Aside from obvious data like the products we search for and order, the videos we’ve watched, our wish lists, product reviews, phone numbers, addresses, and more, Amazon also keeps track of our IP addresses, browser types, and other automatic information. If we’re on mobile, they’ll see exactly where we’re located as well as collecting the data from our mobile carrier, third parties, and credit history gleaned from the three major credit bureaus, Experian, TransUnion and Equifax. But just how does Amazon customize our product search results or determine pricing based on who is doing the search? For this purpose, Amazon uses the following data6:
- Unique identifiers: Amazon logs a user’s IP address, browser type and operating system, which is pretty minimal compared to the other companies in this article.
- Personal Information: They also know a user’s name, if they give it to them, their username, password, phone number, payment information, shipping address and email. These are all pretty standard and necessary for Amazon’s services, but we were surprised to find that they also have your Social Security Number and driver’s license number, as well.
- Activity Data: Amazon logs our search terms, the videos we’ve watched on Prime, our purchase activity, any reviews we’ve written and our browsing history. Since Amazon is an e-commerce site and not a search engine or social media platform, they don’t need to log as much of your activity data, as the website isn’t as dependent on advertisement revenue as Google.
- Location Information: That being said, they are aware of a user’s location via GPS and sensor data from their device.
- Publicly accessible sources: To fill in the blanks, Amazon sources data from third party marketing partners, advertisers, and even credit history from credit bureaus.
- Third Party Sharing Policies: Since Amazon works with millions of Marketplace sellers, user information is shared with many third parties, from service providers like delivery men and marketing assistants to companies they co-brand products with like AT&T, Sprint and Northern Tool + Equipment. And while Amazon might send users promotional offers on behalf of other businesses, they don’t give them their names and addresses, and users can opt-out if they would like to. Basically, if it involves information going to third parties, Amazon lets users opt out.
Apple is known as the best large tech company for privacy, and their policy definitely confirmed that. And that’s a great thing, because we personally literally can’t imagine our lives without their products. All in all, we are pretty pleased with how little information they collect about us, especially when compared to the other companies on this list.
- Information They Collect: Apple collects a user’s personal information like their name, email address, IP address, location and payment information. They also keep track of obvious things like the user’s language, zip code, search queries (although they won’t be associated with their IP address), and how they use their devices and apps7.
- Unique identifiers: Apple knows a user’s IP address, device type and operating system, which makes sense as they’ve manufactured the device itself.
- Personal Information: As far as personal information goes, Apple doesn’t keep much aside from the user’s name, phone number, payment information, shipping address and email, all necessary to uphold their account.
- Activity Data: Apple stores by far the least amount of your activity data, logging only the user’s search terms and the time, frequency and duration of their activity.
- Location Information: They’ll also know the user’s Time Zone for the clock as well as GPS information from their device.
- Publicly accessible sources: Apple is the only one of these large tech companies to not source any information about users from publicly accessible sources.
- Third Party Sharing Policies: Apple emphasizes that a user’s personal information will never get “shared with third parties for marketing purposes,” a breath of fresh air compared to other large tech companies. Rather, Apple shares user data with customer service, delivery people, or any matter of legal necessity or public importance.
Not only do large tech companies collect your data, but also browsers themselves, sometimes owned by the same companies we just discussed.
Chrome is Google’s web browser and Security.org’s personal favorite. While Chrome makes it incredibly easy to Google information directly in the URL bar, they’re no stranger to data collection, not surprisingly.
- Information They Collect: In Chrome’s basic browser mode, they collect browsing history information, personal info and passwords, list of permissions the user granted to websites, cookies or data from other websites they visited, data saved by add-ons, record of files downloaded from websites, and more.
- Why They Say They Collect Your Data: Chrome collects user data for website operators, pre-rendering, updates, search features, search prediction service, navigation assistance, autofill/ password management, payments, language, web apps on Android devices, usage statistics and crash reports, media licenses, and other Google services8.
- Third Party Sharing Policies: Chrome’s third party sharing policies are the same as Google’s; scroll up to see exactly what that entails.
Mozilla Firefox is another popular browser available on Windows, MacOS and Linux devices.
- Information They Collect: Firefox collects information such as:
- Technical data: This includes OS, available memory, crashes and errors, outcome of automated processes like updates, safebrowsing, activation, version numbers, and more.
- Interaction data: Firefox keeps everything from how many tabs the user uses plus their add-ons, or windows open; uses of specific Firefox features; session length, scrolls and clicks to the status of discrete user preferences.
- Web activity and highly sensitive data: Firefox collects users’ specific web browsing history; general information about their web browsing history (such as categories of web pages visited over time), and potentially certain types of interaction data about specific web pages visited9.
- Why They Say They Collect Your Data: Firefox says they need this data to improve their service’s performance and stability, to suggest relevant content, to improve security, to create crash reports, to measure and support marketing and more10.
- Third Party Sharing Policies: Firefox only shares user data with permission when processing or providing products or services to the user. They will share the data when it’s required by law, to prevent harm11, or to support their “mission of being open”12.
- Information They Collect: Microsoft only collects diagnostic data, browsing history and cookies.
- Why They Say They Collect Your Data: They collect this data to improve products and services and for online safety, making sure websites are legitimate, downloads are safe, and for filling in forms13.
- Third Party Sharing Policies: Microsoft only shares this data to complete transactions with their controlled affiliates and subsidiaries. They’ll also share the data with vendors, the law, when necessary, and to protect customers and their lives14.
Opera is a lesser-known browser originally released in 1995. Today, it’s available in 42 languages on Windows, iOS, MacOS, Android and Linux operating systems.
- Information They Collect: Opera collects users’ usernames, emails, and social media accounts if they used them to sign in. They also collect browser data including bookmarks and speed dial entries. If the user participates in a promotional campaign, Opera will log their name, age, physical address and phone number. Finally, the company keeps anonymous usage statistics like device IDs, hardware specifications, O.S, environment configuration, feature usage data, info about the articles the user reads, general location, crash reports, cookies and the like.
- Why They Say They Collect Your Data: Opera uses this data to uphold users’ accounts, improve their services, provide relevant news, personal ads and more.
- Third Party Sharing Policies: Opera is one of the few companies to list all the third parties they share user information with, which includes Facebook SDK, Google AdMob and the DU Ad Platform15.
- Information They Collect: Safari collects:
- Personal information: This may include your name, address, phone number, email, contact preferences, device identifiers, IP address, location info, payment information, and government ID, for users setting up wireless accounts or activating devices.
- Non-personal information: Safari will log your occupation, language, zip code, device identifier, referrer URL, location and time zone when you use Apple products, activity in iCloud, iTunes and the App Store, search queries, although they won’t be associated with your specific IP address, and how you use devices and apps.
- Cookies and other technologies: This includes pixel tags and web beacons.
- Why They Say They Collect Your Data: Apple collects this data to keep their users updated on Apple news, help create and improve products, services, content and advertising, prevent losses and fraud, improve account and network security, authorize users, audit and analyze data, and, if you apply to work at Apple, to evaluate you.
- Third Party Sharing Policies: Apple is committed to their policy of never sharing personal information with third parties for marketing purposes. Rather, the data is only shared with service providers and matters of legal necessity or public importance16.
Of course, there is a ton of overlap between large tech companies, browsers and operating systems; for example, Google owns Android while Apple owns iOS and MacOS devices, but not every operating system falls so neatly under a large tech company.
Linux is an operating system that’s open-sourced and free, originally invented in 1969 at AT&T’s Bell Laboratories. Today, organizations like NASA, IBM and Dell use it, but how do they stack up in terms of data privacy?
- Information They Collect: Linux collects the following types of data from users:
- Registration information: Linux Foundation ID, account and profile info including profiles, names, email forwarding info, unique identifiers, contact and billing information17.
- User content: Questions, answers, comments, forum postings and more.
- Communications records and payment information
- Cookies: This may include information such as domain name, browser type and operating system; web pages the user has viewed, when the user has opened certain emails they send, links the user has clicked; the user’s IP address; the length of time the user visited their sites and used their services, and the referring URLs.
- De-identified information: Linux aggregates personal information so that it’s not identifiable to any particular user.
- Why They Say They Collect Your Data: Linux collects this data to provide their sites and services, operate open source projects, maintain training and certification programs, and personalize the web experience for users. It’s also used for marketing and promotions, ads, analytics, legal compliance, business and legal operations, and to prevent misuse.
- Third Party Sharing Policies: Linux may share this information with service providers or affiliates. They also share anonymized and aggregated information with third parties for research, marketing, analytics, advertising and cookies. Like most companies, Linux may also share this information to comply with the law when necessary.
Windows is Microsoft’s operating system and includes desktop computers and mobile devices. While it originally dominated the market with over 90% of the market share, it’s still the most popular operating system for PCs, although the company has lost most of the market share to Android.
- Information They Collect: Windows operating systems collect data like content of messages, phone number of contacts, payment info, name, security code, family settings, current location, diagnostic data, support communications, personalized dictionaries, any files the user saves in OneDrive, reports related to malware, device, drivers, and software installed.
- Why They Say They Collect Your Data: Microsoft saves this data to help users communicate with people, buy items, keep kids safe, fix problems, help customers, show users stuff they might like, personalize ads and make systems safer18.
- Third Party Sharing Policies: Microsoft only shares this data with affiliates that they control as well as subsidiaries and vendors. They also comply with legal requests and will share information to protect customers’ lives19.
That accounts for the majority of major tech companies, browsers and operating systems, but there are also a few common apps that we took a look at, as well.
Kik is a messaging app that’s available for free on iOS and Android devices. It’s popular because it lets users register without requiring a phone number, instead relying on the person’s data plan or Wi-Fi to send messages, photos and more. But what data do they collect?
- Information They Collect: Kik keeps the information that the user gives them, which may or may not include their name, email address, phone number, birthday, and password hash. They also keep:
- Profile information: Basically, this section is as detailed as the user wants it to be; if they fill it out, Kik would save their profile pictures, interests, emoji status, and more information.
- Message content: The big draw of Kik is that they don’t save messages after they’ve been delivered; rather, all delivered messages including their attachments will be lost from the app.
- Conversation attributes: This includes group names, profile pictures, themes, administrators, and membership limitations.
- Membership information: Kik notes whenever a user joins or leaves a public group.
- Kik communications: This covers any communication between the user and the company, such as polls, surveys, and emails sent back and forth.
- Kik wallet information: For users that use Kik wallet, the company will save the transaction value, recipient, and public wallet address.
- Log and data usage information: While Kik deletes the content of messages after they’ve been delivered, they do keep the times and dates the messages were sent, who the user chatted with, their IP address, as well as how they use third-party websites or services through the apps, which could include everything from gifs to emojis.
- Device information: The company will also log the user’s hardware model, O.S version, unique drive identifiers, and mobile network information.
- Location information: Kik doesn’t log the user's precise location through GPS; rather, they can get the user's city and state from their IP address.
- Device contacts and address book: Kik will only save this information with the user’s permission.
- Bot chats: Kik will log the date, time, frequency of contents of users’ conversations with bots.
- Kik code: Kik codes, scannable codes that allow users to connect with each other, are saved when the user uses them.
- Kik transaction information: If the user performs transactions through Kik, the company will save the date and time of the transaction, account information, the account the user is transacting with, the public wallet address, balance and more.
- Cookie information: Kik keeps track of web activity as well as browser and device information.
- Local storage information: This could include a user’s photos and videos.
- Why They Say They Collect Your Data: Kik says that they collect this data to uphold their app and services, give users account notices, update the app, store user preferences, and speed up searches. They also use this data for billing, collection and advertising purposes.
- Third Party Sharing Policies: Kik shares this information with services used in their app, from analytics companies to GIF providers and bots. They also use tracking technology that could be associated with a user’s personal information or online activities20.
Outlook is Microsoft’s email service, but being a different application than Microsoft Edge, its privacy rules are a bit different as well.
- Information They Collect: Outlook collects the data the user provides, like their account information, search queries, emails and more. They also collect data from third parties including data brokers, local business reviews, public social media posts, communications services, service providers, partners, developers, publicly available sources and more21.
- Why They Say They Collect Your Data: Microsoft collects this data for service delivery, troubleshooting, and maintenance and improvement. They don’t profile users or use their information for advertising or market research22.
- Third Party Sharing Policies: Again, Microsoft never shares user data for marketing or advertising; rather, they share it with their subprocessors23. They will also comply with customer data requests if they’re legal and there’s a subpoena, court order, warrant, etc24.
Skype is a video messaging service that Microsoft also owns, so its privacy policies are the exact same as Outlook’s (scroll up to see it in detail).
LinkedIn is the Facebook of the professional world originally launched in 2003. LinkedIn’s founder Reid Hoffman told The New Yorker that the majority of their revenue comes from recruiters, who pay to access information about the site’s users25. Of course, this is the purpose of professional networking in the first place, but we checked to see what other data of yours LinkedIn collects.
- Information They Collect: Linkedin collects:
- Registration information: This could include the user’s name, email, phone number, password, and payment information, if they bought a Premium subscription.
- Profile information: This includes any information the user has on their profile, which could include education, work experience, skills, photos, their city or area, and endorsements. Users also have the choice to sync their LinkedIn with their address book or calendar, so that information would be saved as well.
- Posts and uploads: LinkedIn logs when the user provides, posts or uploads things to LinkedIn, responds to a survey, submits their resume, or fills out job information.
- Content and news: LinkedIn logs users’ public information and professional-related news and accomplishments.
- Visits and uses of services: This includes mobile applications as well as the desktop website.
- Cookies, device and location information: LinkedIn logs each user’s IP address, proxy server, operating system, web browser, add-ons, device identifiers and features, cookie IDs, Internet Service Providers and mobile carrier.
- Why They Say They Collect Your Data: LinkedIn collects this data to support, provide, personalize and develop their services, which includes advertising, marketing and customer support.
- Third Party Sharing Policies: LinkedIn will only share user information with third parties for direct marketing purposes with their permission26.
Last but not least, Spotify is a popular music and podcast streaming service available on desktop as well as mobile devices. For free, users can listen to their gigantic music library with ads, while the Premium service takes away the ads. Still, no matter which subscription you’re under, here’s what Spotify logs:
- Information They Collect: LinkedIn collects the following information:
- User data: This includes the user’s username, email, phone number, birthday, gender, address, and country. Also, if they logged in through a third party like Facebook, LinkedIn will log their data as well.
- Usage data: This covers type of plan, search queries including the date and time of any requests, streaming history, playlists, library content, browsing history, and the user’s interactions with the Spotify Service content and other users. Spotify uses this information to make inferences about the user’s interests and preferences. They also log information like photos, playlist titles, interactions with customer service, as well as technical data like URL information, cookie data, the user’s IP address, device type, browser type, non-precise location from their IP address, and more.
- Plan verification data: If the user has a Premium Family or Premium Duo plan, Spotify may use a third party map app like Google Maps to verify their subscription address. However, this address won’t be used for advertising or any other purpose.
- Voice data: This is only collected if the user uses voice control
- Payment and purchase data
- Contest, survey and sweepstakes data
- Why They Say They Collect Your Data: Spotify says that they collect this data to provide and personalize their service, detect fraud and fix issues. They also use this data for marketing, promotions and advertising, legal obligations and law enforcement requests, contractual obligations from third parties, etc.
- Third Party Sharing Policies: Spotify shares publicly available information with third parties, like the user’s name and username, profile picture, who they follow and are followed by, their recently played artists and their public playlists. They share this data with everyone from service providers and payment processors to advertising partners, Spotify partners, academic researchers, other Spotify group companies, law enforcement and data protection authorities, and purchases of other businesses27.
How To Avoid and Reduce Data Collection
If we’ve proven anything so far, it’s that the companies you use online log a lot of your data. Is browsing online privately truly possible? Well, not 100%, but there are a number of things you can do to reduce the amount of data about you online, both in the future and from the past.
Prevent Data Collection Moving Forward
While you can’t get rid of all data collection, there are actions you can take to lessen it, starting with your browser itself.
Naturally, browsers log the majority of your web traffic and search queries, but most of them allow you to delete the data and cookies as soon as you close the browser, or at the end of the day for Safari. Cookies, by the way, are bits of information that websites send to your computer, stored in the web browser, that keep track of all web activity28 from site to site.
- Chrome: Go into “settings”, “content settings”, “cookies and other site data” then check off “block all cookies”. Also, turn the toggle on “clear cookies and site data when you quit Chrome”.
- Firefox: Click on “menu”, “preferences” then “cookies and site data”. Check off “delete cookies and site data when Firefox is closed”.
- Microsoft Edge: Click on “settings”, “privacy and services”, then “clear browsing data on close”. Then, check off everything that you want to be deleted when you close your browser.
- Opera: Hit “settings”, “privacy and security”, and then “cookies and site data”. Turn the toggle on next to “clear cookies and site data when you quit Opera”.
- Safari: Click “Safari”, “preferences”, “general”, then “remove history items after” and choose one day. Next, go to “privacy” and check off “block all cookies”.
There’s no way to use social media without the companies logging a ton of your information, so the only way to prevent this data collection is simply to not use social media; see below where we give you instructions on how to deactivate your accounts.
General Tips For Digital Privacy
Okay, now that you’ve got yourself as private as possible via your browsers and social media networks, here are a few general tips to stay private online.
- Use a VPN: If you’re on a public network, you’re much more susceptible to being hacked, which is why we recommend using a VPN, or Virtual Private Network, before connecting to the Internet. VPNs will completely encrypt your web traffic and even replace your IP address, making you essentially invisible online.
- Avoid phishing scams: Phishing is one of the most common ways that hackers can access accounts. Typically, hackers send emails to people with fake links to log on to accounts, from which they take their usernames and passwords. Make sure the URL you are clicking on is legitimate (google.com vs. go0gle.com, for example), and as a general rule, don’t click on any unfamiliar links or emails.
- Use a password manager: Since we all have so many different accounts, people tend to use the exact same password or a variation on multiple accounts. The problem? If a hacker accesses one account, it’s easy for them to access others using the same information. To keep track of all your usernames and passwords without repeating, we recommend employing a password manager, which will store everything in an encrypted vault and perform a password audit. After picking out which passwords are old, weak or repeated, the manager will generate a long, unique and complicated password for each account. For more security, add two-factor or multi-factor authentication to prevent unauthorized access.
- Read companies’ privacy policies: We know, we know; reading privacy policies (or any legal jargon, for that matter), can be a long and unforgiving process, but it’s your best bet to keep track of how your information is stored, sold and shared with third parties.
- Only give companies data when absolutely necessary: Sometimes, companies let you opt out of cookies; we often don’t realize this is an option. Try to only allow cookies when it’s absolutely necessary!
- Avoid store loyalty cards: Store loyalty cards are certainly a nice way to save some money, but they’re also a nice way for companies to track your information. The privacy-minded should avoid store-loyalty cards completely.
- Use cash rather than cards: Cards in general are trackable in a way that old-fashioned dollar bills simply aren’t.
- Use fake information on forms: Now, we don’t recommend using fake information on important forms, like government or medical forms. However, for signing up for something as inconsequential as a newsletter from a fast fashion website, there’s nothing wrong with using a fake email, name or phone number.
- Use browser extensions to block trackers: There are a number of browser extensions that prevent or reduce online tracking, like Privacy Badger29, HTTPS Everywhere30 and uBlock Origin31. There’s another extension that also blocks ads called Ghostery32.
- Opt out of data sharing: While there’s no magical button you can press to completely opt out of your data being shared with large companies, Simple Opt Out is a website with instructions to opt out of data-sharing from over 50 large companies, from Twitter to Mastercard to Amazon33.
- Limit use of identifiers for ad targeting on mobile devices: On iOS devices, go into “settings”, then “privacy” and “advertising” and turn on “limit ad tracking”. On Android devices, go into “Google settings” then “ads” and toggle on “opt out of interest-based ads”.
- Turn location off on mobile devices: There’s no reason for your device to constantly know your location. On an iOS device, go into “settings”, “privacy” and then “location services”, and toggle on “don’t allow”34. For Android users, click “settings” then “location” and turn off “use location”35.
- Limit app permissions: In general, apps will try to gain as much information about you as possible; make sure to go into your settings and limit this information to what is strictly necessary to run their service.
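The URL check from the phishing tip above (google.com vs. go0gle.com), written out as an added example that is not part of the original guide. The list of known domains, the look-alike character map and the sample URLs are constructed for illustration, and the "last two labels" rule is a simplification of what a browser does with the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: sites this user really has accounts on (assumption).
KNOWN_DOMAINS = ("facebook.com", "google.com", "linkedin.com", "spotify.com")

# Small illustrative map of look-alike characters: digits and Cyrillic letters
# that resemble Latin ones. Not exhaustive.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u043e": "o", "\u0430": "a", "\u0435": "e",
})


def host_of(url):
    """Return the lower-cased host the browser would actually connect to."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "//" + url                      # treat a bare "site.com/x" as a host
    host = urlsplit(url).hostname or ""       # drops any "user@" prefix and the port
    return host.rstrip(".")


def registrable(host):
    """Naive 'site' part: the last two labels. Real code should consult the
    Public Suffix List so that names under e.g. co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def skeleton(domain):
    """Collapse look-alike characters so go0gle.com and google.com compare equal."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return ("known" | "lookalike" | "unfamiliar", domain) for a link."""
    host = host_of(url)
    site = registrable(host)
    if site in KNOWN_DOMAINS:
        return ("known", site)
    for known in KNOWN_DOMAINS:
        # Same name after undoing character swaps, or one typo away (heuristic).
        if skeleton(site) == skeleton(known) or edit_distance(site, known) <= 1:
            return ("lookalike", known)
        # The real name used as a prefix of somebody else's domain.
        if host.startswith(known + ".") or "." + known + "." in host:
            return ("lookalike", known)
    return ("unfamiliar", site)


if __name__ == "__main__":
    samples = [                                # constructed sample links
        "https://accounts.google.com/signin",
        "http://go0gle.com/login",
        "https://linkedln.com/",
        "https://google.com.verify.example/",
        "https://google.com@login.example/",
    ]
    for link in samples:
        print(link, "->", classify(link))
```

A password manager applies the exact-match version of this check automatically: it only offers to fill a saved login on the domain it was saved for.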
Delete Past Collected Data
We cleared our data from the major browsers as well as social media networks, and here’s how we did it.
- Chrome: Click “Chrome” then “more” and “more tools”, then choose the time range of “all time”. Check off the information you want deleted and click “clear data”36.
- Firefox: Click on “Firefox” then “library”, “history”, “clear recent history”. Choose your time range and what information you want deleted, then click “clear now”37.
- Microsoft Edge: Hit “Edge”, “settings and more”, “settings”, “privacy and services” then “clear browsing data”. Choose what you want to clear, the types of data and the time range, and hit “clear now”38.
- Opera: Choose “Opera” then hit Ctrl + H. Click “clear browsing data” and select what you want to delete and the time range, and then hit “clear data”39.
- Safari: Hit “Safari” then “history” and “clear history”40.
By Social Media Network
Social media accounts, by their very nature, contain a ton of our personal information, so in order to get your data deleted, you’ll need to completely deactivate your accounts. Here’s how!
- Facebook: Click the down arrow at the top right corner, then click “settings”, “your Facebook information”, “deactivation and deletion”, “delete account”, “continue to account deletion”, “enter password”, “continue”, and finally “delete account”41.
- Twitter: Hit “Twitter”, “settings and privacy”, “account”, “deactivate account”, “deactivate @username” and enter your password. Then, click “deactivate account”42.
- Instagram: Go to the “delete your accounts” page43 and select an option to answer why you are deleting your account. Next, re-enter your password and click “permanently delete my account”44.
- LinkedIn: Click “LinkedIn”, “me”, “settings and privacy”, “account”, “account management”, “change”, “closing your LinkedIn account” and choose a reason why. Then, hit “next”, enter your password and click “close account”45.
Data Privacy Statistics
Given that 90% of all adults in the United States used the Internet as of 201946, data breaches are something that could affect nearly all of us at some point in our lives. Even more so, out of the adult Internet users in the U.S., 28% say that they are online “almost constantly,” while 45% say they’re online several times a day47, which makes for literally millions of opportunities for sensitive information to be revealed to someone it shouldn’t. On top of that:
- 81% of people think they have little to no control over how companies collect data
- 79% of people are very concerned about how companies use their data
- 59% say that they have little to no understanding of data use48.
Hopefully, our data privacy guide can help people understand exactly how companies use their data and how to take back control. While using the Internet necessitates relinquishing some data, we can definitely decrease the amount significantly.
Data Collection Laws
Security.org’s Chief Editor Gabe Turner isn’t just a security expert; he’s also a lawyer with a strong grip on the laws surrounding data collection, including international, federal, and state legislation. Here’s what’s legal and what’s not when it comes to data privacy.
Even if you’re based in the United States like us, any business that has customers in the European Union must adhere to what’s called the General Data Protection Regulation49 (GDPR). The GDPR refers to “personal data”, which they define as “any information relating to an identified or identifiable natural person”50. Some examples of personal data include:
- Location data
- Identification numbers
- Phone number
- Email address
Now that we know what “personal data” the GDPR protects, here’s a summary of their requirements for companies online51:
- Transparency and communication: Companies have to explain clearly exactly how they process user data and how people can request to have their data removed or altered. They’re also required to respond to these requests quickly and adequately.
- Right of access: People have the right to know about the source of their personal data, the purpose of why the company has processed it, the length of time the data will be held, and more. People can also access their personal data.
- Accuracy: If information is inaccurate or incomplete, people have the right to correct that information.
- Right to object: People can object to companies processing their data unless they have a legitimate reason to, like a legal obligation.
- Right to be forgotten: Otherwise known as the right to erasure, the right to be forgotten means that people can request to have data deleted at any time. However, there are exceptions, like if this request prohibits the company’s right to freedom of expression.
- Data portability: The company must store the data in a way that’s easily shareable and easily understood. In addition, if the user requests that the data be sent to a third party, the company must comply, even if it’s a competitor.
- Right to restrict processing: Finally, users can change the way that the company processes their data, such as having it removed from their site if it’s inaccurate or no longer needed.
Even though large tech companies like Google and Amazon are based in the United States, because they have customers in the E.U., the GDPR applies.
While the United States has federal data privacy laws, they only apply to two industries: healthcare and finance. As for the rest of the industries, there are no federal, personal data laws that apply to any company that stores and uses customer data52. Let’s take a closer look at the current data privacy laws from the federal government:
- Health Insurance Portability and Accountability Act: Commonly referred to as HIPAA, this act applies to “covered entities” holding “protected health information”, according to the U.S. Department of Health and Human Services53. That includes everything from doctors to insurance companies, ensuring that they keep medical data protected.
- Gramm-Leach-Bliley Act: Otherwise known as the Financial Modernization Act of 1999, this act covers everything from insurance companies and securities firms to banks; in other words, any company that provides financial services or products. These companies must adhere to what’s called the Financial Privacy Rule, which governs how they collect and disclose their customers’ personal financial information, as well as the Safeguards Rule, which governs exactly how they safeguard this information. This act also prevents companies from “pretexting,” essentially accessing personal finance information under false pretenses54.
This is America, which means that every state has their own rules and regulations for their residents, and data privacy is no exception. Note, this isn’t a complete list of every state’s data privacy laws, but a general overview. Find out where your state lies when it comes to protecting your online privacy.
- Alabama: According to the Alabama Data Breach Notification Act of 2018, certain entities have to tell people when there's been a data breach involving their sensitive personally identifying information or PII55.
- Alaska: Passed in 2009, the Alaska Personal Information Protection Act says that users need to be alerted when breaches involving their PII have occurred. This act also puts restrictions on the use of personal and credit information and requirements for proper disposal of records containing PII, among other things56.
- Arizona: Arizona’s Data-Breach Notification Law requires companies to let their users know if there has been a data breach involving their PII57.
- Arkansas: Under the Arkansas Personal Information Protection Act, entities that collect PII must use “reasonable security procedures” to protect this information. However, they only have to alert users of data breaches if they’ve affected over 1,000 people and have a “reasonable likelihood of harm”58.
- California: California is by far the most advanced state when it comes to protecting their residents’ digital privacy under acts such as:
- Digital Privacy Rights for Minors: Websites can’t market products or services to minors if the minors aren’t allowed to buy them yet, like alcohol.
- Confidentiality of Medical Information Act: Individuals can maintain their own medical information on medical apps59.
- Data Security Breach Reporting: Any business or agency that releases unencrypted PII of more than 500 Californians must let them know60.
- Colorado: Colorado has laws regarding the proper disposal of PII, and laws requiring “reasonable security measures” to protect it. Like most states, Colorado requires that companies notify people when their PII was compromised61.
- Connecticut: Connecticut’s General Statutes say that certain types of businesses must display privacy policies explaining how they will protect customer PII and share it with third parties62. In addition, companies must disclose to residents when their PII has been compromised as well as notify the Office of the Attorney General63.
- Delaware: The Delaware Online Privacy and Protection Act states that businesses must notify people of a security breach of their PII within 60 days64.
- Florida: In Florida, businesses need to alert people of security breaches if they’ve affected at least 500 people within 30 days65.
- Georgia: The Law of Georgia on Data Protection provides guidelines for data processing. Data should be kept for the shortest amount of time possible and then should be deleted, destroyed, locked or stored anonymously66. Businesses also must notify people of security breaches as soon as possible67.
- Hawaii: Hawaii’s Health Care Privacy Harmonization Act says that identifying health information should be protected and anonymized68. Also, businesses and government agencies need to alert consumers if their PII has been compromised69.
- Idaho: Companies need to tell people if their PII has been exposed within 24 hours of the breach70.
- Illinois: People must be notified of a security breach as quickly as possible, and businesses need to take “reasonable security measures” to protect their data71.
- Indiana: Indiana’s Security Breach Notification Statute says that residents have the right to know when their PII has been breached72.
- Iowa: In Iowa, businesses must alert people of PII security breaches that affect over 500 residents; the government allows five days between the breach and the customer notification73.
- Kansas: In Kansas, businesses must tell people of security breaches as soon as possible if they affect over 1,000 consumers. In addition, they must also alert national reporting agencies74.
- Kentucky: If there’s a security breach of PII, businesses must notify people as quickly as possible75.
- Louisiana: If businesses don’t tell Louisiana residents of a breach, they could face a violation fee of up to $5,00076.
- Maine: An Act to Protect the Privacy of Online Customer Information says that to sell or access PII, providers need affirmative consent from customers, which they can revoke at any time. However, there are exceptions to this rule, like a lawful court order. Businesses also must take reasonable measures to protect the PII77. In addition, providers must alert customers of security breaches if they affect over 1,000 people at a time “without reasonable delay”78.
- Maryland: The Personal Information Protection Act says that consumer data should be reasonably protected, and consumers should be notified of a breach within 45 days79.
- Massachusetts: Businesses must report security breaches or unauthorized usage of PII within 10 business days80. Massachusetts also requires that businesses have an information security program to protect consumer data, which lays out specific requirements regarding passwords, encryption and more81.
- Michigan: If a security breach of unencrypted information can cause substantial losses or injuries, businesses must alert consumers within three business days82.
- Minnesota: Minnesota is one of the few states where only government data breaches need to be reported, not breaches from privately-owned businesses83.
- Mississippi: Businesses must notify consumers of a security breach of PII “without reasonable delay”84.
- Missouri: Businesses must tell people of breaches that expose PII85.
- Montana: Businesses must tell Montana residents if their PII has been compromised “without reasonable delay”86.
- Nebraska: Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 says that businesses must alert customers of security breaches of PII as soon as possible87.
- Nevada: Once they know they no longer need it, businesses must destroy customers’ PII. Beforehand, they must protect the PII using “reasonable security measures”, and if they use a payment card, they must adhere to the Payment Card Industry Data Security Standard. Finally, businesses must alert people of security breaches as soon as possible88.
- New Hampshire: Businesses must notify people of a PII breach as quickly as possible89.
- New Jersey: New Jersey businesses also have to let consumers know if their PII was breached as soon as possible90.
- New Mexico: New Mexico’s Data Breach Notification Act requires businesses to tell people if their PII has been exposed in a security breach. It also sets requirements for the secure storage and disposal of PII91. In addition, the Consumer Information Privacy Act says that consumers can request their PII and get it deleted if they request. At any time, consumers can also opt out of the sale of their PII; to sell their information to a third party, businesses need the explicit consent of consumers, after they tell them exactly what is collected, how it will be used and sold, and more information92.
- New York: The Empire State’s Information Security Breach and Notification Act says that customers have the right to know as quickly as possible when their PII has been exposed in a security breach93.
- North Carolina: North Carolina’s Identity Theft Protection Act says that people must be notified of PII breaches “without reasonable delay”94.
- North Dakota: In North Dakota, businesses must notify consumers of PII breaches as soon as possible when 250 or more are affected95.
- Ohio: The Ohio Protect Act is a program that incentivizes businesses to strengthen their cyber security, preventing breaches in the first place96, while the Security Breach Notification Act says that they must alert consumers if their PII has been breached within 45 days97.
- Oklahoma: Oklahoma’s Security Breach Notification Act says that people should be alerted of security breaches as soon as possible98.
- Oregon: Businesses need to tell consumers of security breaches only if they affect more than 250 Oregon residents99.
- Pennsylvania: The Keystone State’s Breach of Personal Information Notification Act requires that businesses tell customers of PII breaches “without unreasonable delay”100.
- Rhode Island: The Rhode Island Identity Theft Protection Act says that businesses must provide “reasonable security” for PII and must notify customers of breaches that will increase their risk of identity theft “without unreasonable delay”101.
- South Carolina: South Carolina businesses must notify consumers of security breaches with PII within 60 days102.
- South Dakota: Businesses must tell people of security breaches involving their PII within 60 days103.
- Tennessee: The Tennessee Identity Theft Deterrence Act says that businesses must notify residents of breaches of unencrypted data within 45 days104.
- Texas: The Texas Identity Theft Enforcement and Protection Act says that if there’s a security breach involving 250 people or more, they must be notified within 60 days. In addition, businesses need to get consumers’ consent when obtaining or transferring personal information. The PII must then be protected with “reasonable procedures” and must be destroyed after the business is done using it105.
- Utah: Utah’s Protection of Personal Information Act says that businesses must implement reasonable procedures to protect PII and destroy it when done. Security breaches must be disclosed to consumers within 20 days106. In addition, the Electronic Information of Data Privacy Act says that law enforcement agencies must obtain a search warrant to access location information, stored or transmitted information from an electronic device. They also must obtain a warrant before getting any information about the device’s owner from their computing service provider. Even if they get the warrant, the agency must destroy this information as soon as they’re done with it107.
- Vermont: Under the Security Breach Notice Act, businesses must alert Vermont consumers of a data breach within 45 days108.
- Virginia: Virginia’s Personal Information Privacy Act ensures that businesses can only sell customer data to third parties with their consent109. It’s also required that businesses notify customers when their unencrypted information is compromised as soon as they can110.
- Washington: If a breach affects over 500 Washington residents, businesses must let them know within 30 days111.
- West Virginia: In West Virginia, the Consumer Credit and Protection Act says that businesses must notify people of a security breach as soon as possible112.
- Wisconsin: In Wisconsin, businesses only have to destroy customer PII if it’s related to health conditions, financial accounts or tax returns. They also have to notify people if there is a security breach of PII113.
- Wyoming: Finally, Wyoming requires businesses to notify customers of security breaches involving PII as soon as possible114.
As you can see, most of the states only have security breach notification laws, which require businesses to tell their customers if there was a breach of their PII, or personally identifiable information. However, two states, California and Maine, took things to a new level with some recently passed bills, which we’ve spotlighted:
- California Consumer Privacy Act: Similar to the GDPR, this act ensures that Californians know how their personal information is being collected, sold, and shared. If they want, they can prevent the sale of personal information, access it online, or delete it completely115.
- Maine’s An Act To Protect the Privacy of Online Consumer Information: Companies can’t use, sell or share customer information unless the customer has consented to it, it’s essential to provide their service, or it’s needed to comply with the law, along with a few other exceptions. They also must take “reasonable measures” to protect this information116.
Is Private Browsing Really Private?
We’ve all heard of private browsing before, but is it really private? Well, the short answer is no; during private browsing sessions, cookies can still be shared with third parties who can track our web activity as we bounce from site to site. However, for someone sharing a device with another person, private browsing will work, as the browser itself won’t retain cookies, files downloaded, browsing history or search records. Keep in mind that different browsers have different privacy modes, so be sure to check your browser settings before using it to surf the web117.
How To Browse Privately by Browser
Want to turn on a private browsing session? Here’s how, on the most popular browsers available:
- Chrome: Press “more” then “new incognito tab/ window”118.
- Firefox: On Android119 or desktop120, press “menu” then “new private tab/ window”. On iPhones121, tap the tab icon at the bottom of the screen then click on the purple mask button. From there, tap on the plus tab to open a private tab.
- Microsoft Edge: Click “settings and more” then “new InPrivate window”122.
- Opera: On a mobile device, click the three dots in the upper right hand corner123. On a desktop computer, click “file” then “new private window”124.
- Safari: Strangely, there’s no private mode for Safari on Androids, but on iPhones and other iOS devices, click “new page button” then “private” then “done”125. On desktops, hit “file” then “new private window”126.
Compared to Europe, the United States has a long way to go when it comes to protecting consumers’ online privacy. However, with a few simple steps, you can greatly reduce the amount of data that companies have on you. Hopefully in the near future, the United States can adopt a federal law similar to the GDPR to ensure that customers are more in control of their data.