It's going to be a busy holiday season, especially online, where U.S. shoppers are expected to drop $95 billion over the next two months, according to a report from market research firm Forrester.
While customers click and spend, a massive industry is tracking their activity on the Web, hoping to turn that data into profit — if hackers don't steal it first.
So how exactly is your data collected, stored, and profited from? And how safe is it? Put down that credit card, because it's time for a lesson on what happens to your personal information when you shop online.
What happens when you browse online
Yes, even when people don't enter their personal information to buy something, online shops are collecting information about them.
That includes which products they click on, how long they spend looking at that product, which browser and operating system they're using, and their IP address.
What are companies doing with that stuff?
They are using it for their own research. If a sporting goods store, for example, sees you like a certain brand, it might try to show you more of that brand next time you visit. But there is no guarantee that data will stay put.
In fact, the vast majority of sites are letting other companies look at the information they collect. In a recent study, University of Pennsylvania researcher Timothy Libert found that nine in 10 sites leak user data to third parties.
Which companies are getting my data?
Here are the websites that are collecting this information, ranked by which percentage of the top 1 million websites send data to them, according to Libert's study.
- Google (78 percent)
- Facebook (32 percent)
- Twitter (18 percent)
- ComScore (12 percent)
- AppNexus (12 percent)
It's not like e-commerce websites are creating reports and sending them off to Google. Instead, companies like Google and Facebook offer free social media and analytics tools. In return, they get access to data.
In no way, however, are these the only companies that can see your browsing habits. Data brokers such as Acxiom, CoreLogic, Datalogix, ID Analytics and others create profiles and then sell those profiles to businesses looking to advertise a product.
It's not clear how many of these companies exist, but a study released last year by the Federal Trade Commission found that data brokers "collect and store billions of data elements covering nearly every U.S. consumer."
What are these cookie things I have heard about?
Companies build profiles of people using "cookies." In his paper, Libert compared them to the "tracking bracelets" that scientists place on "migratory birds."
Wherever your browser goes, this little text file goes too. A website might create one for you. When you come back, it recognizes the cookie and does things like automatically fill out your username and password.
Many of the social media buttons and analytics tools on the Web create cookies on people's computers, as do data brokers. In fact, according to Libert's study, around 60 percent of sites spawn third-party cookies.
These cookies follow you around the Internet and allow companies to see which websites you have visited.
What are these companies doing with the data?
Data brokers and ad networks essentially create profiles of you for advertising purposes. It's supposed to be anonymous. That is not always the case.
"Cookies are like the name tags of the internet, but instead of your actual name you usually have an 'anonymous' identifier," Libert said. "But if one person in the party knows that '0x7bQ7s' is really 'Bob,' they can tell everybody else and you are no longer an anonymous party-goer."
Online profiles will include information purchased by data brokers from other sources. Ever subscribe to a magazine? Make a purchase at a store? Register with a travel site? Take an online survey? Those businesses will sometimes sell that information to data brokers, according to the FTC report.
Data brokers will also sell information to other data brokers, creating a complex web that makes monitoring and regulating the industry very difficult.
All that stuff can then be combined with browsing history to place people into very detailed market segments. Those include, according to the FTC, such real categories as "Affluent Baby Boomer," "Twitter User with 250+ Friends" and "Financially Challenged."
What about when I actually buy stuff?
When people stop browsing, hit the "Checkout" button, and actually buy something, they knowingly give up a lot of personal information.
At a minimum, that includes their name and credit card number — often it also includes their home address, birthday, email address and more. All of that information has to be stored somewhere.
For some big e-commerce sites, that means developing their own security safeguards. Other companies use third-party payment processors like PayPal, ACH Payments, WooCommerce for WordPress, and many more.
The problem? It's very hard to tell which third-party payment processor a website is using, and whether that third party is secure.
"There are organizations that are doing the right thing," George Rice, senior director of payments at Hewlett Packard Enterprise, told NBC News. "But there are many that are not doing anything, and this personal information is completely exposed."
Does anyone else see that data?
Ultimately, there is at least one other party involved: the banks that verify your payment information.
If a customer is applying for financing, there also might be a credit check involved. Those are performed by companies such as Experian, which experienced a security breach last month that affected 15 million T-Mobile records.
Sometimes, third-party payment companies use other companies to complete a transaction. Before he was a security researcher for Tripwire, Lane Thames was hired to build a payment processing app for a client.
When a purchase was made, money came to the client "via the third party’s third party," he said.
That is a lot of hands for sensitive data to pass through. Then, according to the FTC report, the major data brokers sometimes buy information from merchant and financial services companies, and use that data in "aggregated, de-identified form" for market analysis.
In other words, it's anonymous — or it should be. But there are so many payment processing companies and data brokers out there, it can be hard to tell who is sharing what with whom.
A company's willingness to directly share "customer contact information" varies, according to Thames, on their "willingness to gamble with litigation exposure."
How to protect yourself
Not everybody minds sharing their data, and plenty of people would rather see ads for products they might buy instead of totally irrelevant ads.
But for those who want to maintain their privacy, there are some steps they can take to protect their information. Disabling cookies in your browser can limit (but not entirely stop) third-party cookies from forming, as can installing programs like Adblock Plus.
When it comes to buying something, only give information that is absolutely required to make a purchase, Rice said. A website might ask for your email address or date of birth, but often that isn't needed to complete the transaction.
Chances are, however, that there are companies out there that know who you are and what you might like to buy next.
"The vast majority of data brokers and advertisers who watch you never alert you to this in the first place," Libert said, which makes it hard to opt out or demand legal or political action.
"If you have enough data, powerful enough computers, and smart enough people, no data is truly anonymous in 2015."