The Internet and Data Privacy

What Data Is Collected

Sure, you’ve probably signed off on about a million different policies, but have you ever actually read any of them? Unless you’re a lawyer, you probably don’t have a legal background to actually understand the privacy policy, and almost no one has the time, patience or energy to try to parcel what data websites are storing and how they’re using it to their advantage. Fortunately, we read the privacy policies of large tech companies, browsers and apps, scouring them for every single piece of data they keep on users.

Let’s take a closer look at each company and the data that they collect. This guide also covers why they say they collect this information and their policies for sharing it with third parties.

Tech Companies

The largest tech companies include Google, Amazon, Facebook, Apple and X, so we did a deep dive into their privacy policies to start off.

Google

What started as a powerful search engine has evolved into the Swiss Army knife of online services. Google has it all covered, from emails and documents to maps and cloud storage. We love Google for that, but at the same time, it gives the company almost too much power to collect our data at will.

Before signing up for a Google account, take the time to learn what the company collects, how it uses the collected data, and with whom the company shares it.

• Information They Collect: Out of all the companies on this list, Google collects and stores the most of our information by far. That’s not surprising, as their business model relies on knowing as much data as possible (and making it super easy for people to access). However, the company keeps a ton of data on the searcher as well as the world at large. From users’ precise locations to their browsing histories, from their activity on third-party sites or apps to the emails in their Gmail accounts, if it’s data, there’s a good chance that Google is collecting it.
  • Unique identifiers: Google collects IP addresses, crash reports, system activity, date, time and referrer URL of requests, data about interactions between apps, browser and device type, application version number, app usage, carrier name and operating system.
  • Personal Information: They also collect names, phone numbers, payment information if the user has made any purchases through Google, email address, emails users write and receive, stored videos, photos, documents, and spreadsheets, and comments on Youtube.
  • Activity Data: Google keeps track of search terms, videos watched, views and interactions with content and ads, plus any video and audio information if these features were used. They’ll also keep track of any purchase activity, and, if a third-party site uses Google services, activity on those sites or apps. Additionally, they’ll keep track of your browsing history if the user uses a Chrome browser synced with a Google account. Finally, if they’ve used Google to make calls or text, then Google has also collected the calling and receiving party numbers, forwarding numbers, times and dates of your calls and texts, call durations, routing information, and types of calls.
  • Location Information: As far as location goes, Google keeps track via GPS, sensor data from devices, and information about things near the user’s device like Wi-Fi access points, cell towers, or Bluetooth-enabled devices.
  • Publicly accessible sources: Google may obtain information about users from local newspapers, third party marketing partners, or advertisers.
• Why They Say They Collect This Data: Aside from maintaining services, Google collects this data to personalize ads and content, although this isn’t done based on race, religion, health or sexual orientation by law. Google also uses this data to measure the performance of ads, sharing the data with advertisers so they can create more effective ads.
• Third Party Sharing Policies: Students or anyone who uses Gmail for work, listen up: Google is sharing your information with domain administrators along with a bunch of third parties like advertisers, publishers, and developers, although the user’s identity isn’t identifiable. However, Google does give their partners a ton of leeway, allowing them to collect data from users’ browsers and devices using cookies.²

Facebook

In 2023, Facebook had nearly 3 billion active monthly users,³ making it still the biggest social media platform of all time. However, the company has faced legal ramifications regarding its data collection policies, most notably the Cambridge Analytica scandal of 2018. So, what sort of data does the company collect on over 72% of North Americans?

• Information They Collect: Since Facebook is a purely social app, they know a ton about their users personally, from the people they interact with to the groups they’re in, and even their “private” messages. Facebook knows exactly when users log on, for how long they’re logged in, and what comments, shares, and transactions they’ve made in that time.
  • Unique identifiers: The only unique identifiers that Facebook keeps are users’ IP addresses, easy to cover up with a VPN.
  • Personal Information: Facebook is a wealth of personal information, most of which users enter themselves. The company keeps users’ names, phone numbers, payment information, email addresses, contact information from devices, as well as their stored videos and photos. Plus, they’ll keep the metadata of users’ photos and files.
  • Activity Data: In terms of activity, Facebook keeps track of connections and networks, messages, content, and videos watched, along with how users interact with different content and advertisements. They know exactly when people use their site and for how long.
  • Location Information: To figure out users’ location, Facebook uses sensor data from their devices.
  • Publicly accessible sources: Facebook doesn’t find data about users through publicly accessible sources, as they have all the data they need entered by users themselves.
• Why They Say They Collect Your Data: What does Facebook do with the data of billions of people? Well, the company claims they use it to personalize and improve their own products, like suggesting groups users might be interested in, showing users businesses nearby their current locations, or presenting them with, you guessed it, highly-targeted ads. Ever wondered why that concert you just looked up shows up everywhere you look on Facebook? That’s why. We do have to give the company some credit, though, as they do sometimes use their data for good, like to learn about migration patterns during crises to help relief efforts, for example.
• Third Party Sharing Policies: Facebook makes the majority of its money through its advertisers, so of course, they provide third parties with a ton of user data, aggregated so businesses can easily see the demographics of their customers and would-be customers. So while they can’t see a list of exactly who clicked on their ad, they can see that a woman aged 24 who lives in California interacted with it, for example. Facebook also provides data to researchers and academics, as well as law enforcement agencies, if requested.⁴

X (formerly Twitter)

There’s a ton of different ways people use X, whether it’s catching up on daily news, chatting with friends or just posting updates about their lives. Whatever people use it for, here’s how much of their data X keeps, and what they do with it after.⁵

• Information They Collect: Aside from basic account information, location information, and privacy settings, X also collects direct messages and private communications, cookies, and the content viewed on third-party websites. However, they’ll never associate web browsing history with any information that could identify specific users, and the data is deleted after a maximum of 30 days. On the other hand, if the user is on a browser that X thinks is in the European Union or European Free Trade Association, this may not be the case.
  • Unique identifiers: X logs many unique identifiers including a user’s IP address, browser and device type, carrier name and operating system.
  • Personal Information: They’re pretty lax on personal information, keeping only a user’s name, username, password, phone number and email address.
  • Activity Data: In terms of activity, X keeps track of users’ messages, content, the videos they’ve watched, their views and interactions with content and ads, plus video and audio information, if audio features were used. They’ll keep track of the time, frequency and duration of users’ activity on X as well as the people they communicate and share content with.
  • Location Information: X logs the time zone users are in as well as GPS information from their phones.
  • Publicly accessible sources: Finally, X logs data from third party marketing partners and advertisers.

Now, many people may be surprised to know that X tracks activity on third-party sites and apps along with users’ browsing history, although the latter is never associated with any identifying information. Again, as long as the user is not in the European Union or a state in the European Free Trade Association, X will delete their browsing history data after a maximum of 30 days. X also keeps track of the user’s privacy settings.

• Why They Say They Collect Your Data: According to X, they collect users’ data to scan for malicious content and spam, verify that users are who you say they are, help them find people to follow, protect the integrity of the platform and guess which topics users might like to create some personalized ads.
• Third Party Sharing Policies: Of course, X shares users’ data with advertisers, service providers, law enforcement, and the government, if necessary. When it comes to advertisers, users can control which device identifiers X can see as well as their interests and characteristics. However, a user’s name, phone number, X username and email won’t be shared with advertisers, thankfully.

Amazon

The biggest e-commerce web site in the country and one of the largest businesses in the world, to say Amazon has disrupted retail would be like saying that the Model T disrupted the horse and buggy. And Amazon isn’t just selling us products and services; they’re also collecting our data, selling it to their third-party marketplace sellers like Starbucks, OfficeMax, Verizon and Eddie Bauer. Let’s take a closer look.

• Information They Collect: Aside from obvious data like the products we search for and order, the videos we’ve watched, our wish lists, product reviews, phone numbers, addresses, and more, Amazon also keeps track of our IP addresses, browser types, and other automatic information. If we’re on mobile, they’ll see exactly where we’re located as well as collecting the data from our mobile carrier, third parties, and credit history gleaned from the three major credit bureaus, Experian, TransUnion and Equifax. But just how does Amazon customize our product search results or determine pricing based on who is doing the search? For this purpose, Amazon uses the following data⁶:
  • Unique identifiers: Amazon logs a user’s IP address, browser type and operating system, which is pretty minimal compared to the other companies in this article.
  • Personal Information: They also know a user’s name, if they give it to them, their username, password, phone number, payment information, shipping address and email. These are all pretty standard and necessary for Amazon’s services, but we were surprised to find that they also have your Social Security Number and driver’s license number, as well.
  • Activity Data: Amazon logs our search terms, the videos we’ve watched on Prime, our purchase activity, any reviews we’ve written and our browsing history. Since Amazon is an e-commerce site and not a search engine or social media platform, they don’t need to log as much of your activity data, as the website isn’t as dependent on advertisement revenue as Google.
  • Location Information: That being said, they are aware of a user’s location via GPS and sensor data from their device.
  • Publicly accessible sources: To fill in the blanks, Amazon sources data from third party marketing partners, advertisers, and even credit history from credit bureaus.
• Why They Say They Collect This Data: Amazon makes its money pretty differently from social media companies like Facebook and X, or even search engines like Google. The reason why Amazon is so profitable is because the actual purchase occurs on their platform, providing the majority of their revenue as opposed to money from advertisers. So as far as why they say they collect user data, it’s pretty simple— to improve their services and to prevent fraud. Amazon’s privacy policy is by far the shortest of any of the biggest tech companies, but with devices that are literally listening to your every move like the Echo Show smart display or the Echo Flex smart speaker, this seems a bit over-simplified.
• Third Party Sharing Policies: Since Amazon works with millions of Marketplace sellers, user information is shared with many third parties, from service providers like delivery men and marketing assistants to companies they co-brand products with like AT&T, Sprint and Northern Tool + Equipment. And while Amazon might send users promotional offers on behalf of other businesses, they don’t give them their names and addresses, and users can opt-out if they would like to. Basically, if it involves information going to third parties, Amazon lets users opt out.

Apple

Apple is known as the best large tech company for privacy, and their policy definitely confirmed that. And that’s a great thing, because Apple has a huge place in our lives. iPhones dominate the U.S. smartphone market, while Macbooks and Macs are quickly catching up to Windows computers.

All in all, we are pretty pleased with how little information they collect about us, especially when compared to the other companies on this list.

• Information They Collect: Apple collects a user’s personal information like their name, email address, IP address, location and payment information. They also keep track of obvious things like the user’s language, zip code, search queries (although they won’t be associated with their IP address), and how they use their devices and apps.⁷
• Unique identifiers: Apple knows a user’s IP address, device type and operating system, which makes sense as they’ve manufactured the device itself.
  • Personal Information: As far as personal information goes, Apple doesn’t keep much aside from the user’s name, phone number, payment information, shipping address and email, all necessary to uphold their account.
  • Activity Data: Apple stores by far the least amount of your activity data, logging only the user’s search terms and the time, frequency and duration of their activity.
  • Location Information: They’ll also know the user’s Time Zone for the clock as well as GPS information from their device.
  • Publicly accessible sources: Apple is the only large tech company to not share any information about users from publicly accessible sources.
• Why They Say They Collect Your Data: Apple collects user data to improve their products, services, content and ads, to keep accounts secure, to authorize users, prevent fraud, and, if you apply to work at Apple, to evaluate you, which is something we hadn’t seen on any other privacy policy.
• Third Party Sharing Policies: Apple emphasizes that a user’s personal information will never get “shared with third parties for marketing purposes,” a breath of fresh air compared to other large tech companies. Rather, Apple shares user data with customer service, delivery people, or any matter of legal necessity or public importance.

Browsers

Not only do large tech companies collect your data, but also browsers themselves, sometimes owned by the same companies we just discussed.

Chrome

Chrome is Google’s web browser and Security.org’s personal favorite. While Chrome makes it incredibly easy to Google information directly in the URL bar, they’re no stranger to data collection, not surprisingly.

• Information They Collect: In Chrome’s basic browser mode, they collect browsing history information, personal info and passwords, list of permissions the user granted to websites, cookies or data from other websites they visited, data saved by add-ons, record of files downloaded from websites, and more.
• Why They Say They Collect Your Data: Chrome collects user data for website operators, pre-rendering, updates, search features, search prediction service, navigation assistance, autofill/ password management, payments, language, web apps on Android devices, usage statistics and crash reports, media licenses, and other Google services.⁸
• Third Party Sharing Policies: Chrome’s third party sharing policies are the same as Google’s; scroll up to see exactly what that entails.

>> Related: Does Going Incognito Hide Your Browsing Activity?

Firefox

Mozilla Firefox is another popular browser available for Windows, MacOS and Linux devices.

• Information They Collect: Firefox collects information such as:
  • Technical data: This includes OS, available memory, crashes and errors, outcome of automated processes like updates, safebrowsing, activation, version numbers, and more.
  • Interaction data: Firefox keeps everything from how many tabs the user uses plus their add-ons, or windows open; uses of specific Firefox features; session length, scrolls and clicks to the the status of discrete user preferences.
  • Web activity and highly sensitive data: Firefox collects users’ specific web browsing history; general information about their web browsing history (such as categories of web pages visited over time), and potentially certain types of interaction data about specific web pages visited.⁹
• Why They Say They Collect Your Data: Firefox says they need this data to improve their service’s performance and stability, to suggest relevant content, to improve security, to create crash resorts, to measure and support marketing and more.¹⁰
• Third Party Sharing Policies: Firefox only shares user data with permission when processing or providing products or services to the user. They will share the data when it’s required by law, to prevent harm,¹¹ or to support their “mission of being open.”¹²

>> Learn more: The Best Firefox VPNs for Privacy Protection

Microsoft Edge

Replacing the old-school Internet Explorer, Microsoft’s recommended browser is Microsoft Edge. Now, Microsoft is known as being one of the better tech companies when it comes to privacy, depending on their premium products and services as opposed to revenue from advertising, and their privacy policy reflects that.

• Information They Collect: Microsoft only collects diagnostic data, browsing history and cookies.
• Why They Say They Collect Your Data: They collect this data to improve products and services and for online safety, making sure websites are legitimate, downloads are safe, and for filling in forms.¹³
• Third Party Sharing Policies: Microsoft only shares this data to complete transactions with their controlled affiliates and subsidiaries. They’ll also share the data with vendors, the law, when necessary, and to protect customers and their lives.¹⁴

Opera

Opera is a lesser-known browser originally released in 1995. Today, it’s available in 42 languages on Windows, iOS, MacOS, Android and Linux operating systems.

• Information They Collect: Opera collects users’ usernames, emails, and social media accounts if they used them to sign in. They also collect browser data including bookmarks and speed dial entries. If the user participates in a promotional campaign, Opera will log their name, age, physical address and phone number. Finally, the company keeps anonymous usage statistics like device IDs, hardware specifications, O.S, environment configuration, feature usage data, info about the articles the user reads, general location, crash reports, cookies and the like.
• Why They Say They Collect Your Data: Opera uses this data to uphold users’ accounts, improve their services, provide relevant news, personal ads and more.
• Third Party Sharing Policies: Opera is one of the few companies to list all the third parties they share user information with, which includes Facebook SDK, Google AdMob and the DU Ad Platform.¹⁵

Safari

Safari is the default browser that comes on all Macs and iPhones, so their privacy policy overlaps with Apple’s, although this information is specific to Safari.

• Information They Collect: Safari collects:
  • Personal information: This may include your name, address, phone number, email, contact preferences, device identifiers, IP address, location info, payment information, and government ID, for users setting up wireless accounts or activating devices.
  • Non-personal information: Safari will log your occupation, language, zip code, device identifier, referrer URL, location and time zone when you use Apple products, activity in iCloud, iTunes and the App Store, search queries, although they won’t be associated with your specific IP address, and how you use devices and apps.
  • Cookies and other technologies: This includes pixel tags and web beacons.
• Why They Say They Collect Your Data: Apple collects this data to keep their users updated on Apple news, help create and improve products, services, content and advertising, prevent losses and fraud, improve account and network security, authorize users, audit and analyze data, and, if you apply to work at Apple, to evaluate you.
• Third Party Sharing Policies: Apple is committed to their policy of never sharing personal information with third parties for marketing purposes. Rather, the data is only shared with service providers and matters of legal necessity or public importance.¹⁶

>> See More: The Best Safari VPNs for Privacy Protection

Operating Systems

Of course, there is a ton of overlap between large tech companies, browsers and operating systems; for example, Google owns Android while Apple owns iOS and MacOS devices, but not every operating system falls so neatly under a large tech company.

Linux

Linux is an operating system that’s open-sourced and free, originally invented in 1969 at AT&T’s Bell Laboratories. Today, organizations like NASA, IBM and Dell use it, but how do they stack up in terms of data privacy?

• Information They Collect: Linux collects the following types of data from users:
  • Registration information: Linux Foundation ID, account and profile info including profiles, names, email forwarding info, unique identifiers, contact and billing information.¹⁷
  • User content: Questions, answers, comments, forum postings and more.
  • Communications records and payment information
  • Cookies: This may include information such as domain name, browser type and operating system; web pages the user has viewed, when the user has opened certain emails they send, links the user has clicked; the user’s IP address; the length of time the user visited their sites and used their services, and the referring URLs.
  • De-identified information: Linux aggregates personal information so that it’s not identifiable to any particular user.
• Why They Say They Collect Your Data: Linux collects this data to provide their sites and services, operate open source projects, maintain training and certification programs, and personalize the web experience for users. It’s also used for marketing and promotions, ads, analytics, legal compliance, business and legal operations, and to prevent misuse.
• Third Party Sharing Policies: Linux may share this information with service providers or affiliates. They also share anonymized and aggregated information with third parties for research, marketing, analytics, advertising and cookies. Like most companies, Linux may also share this information to comply with the law when necessary.

>> More Information: The Best Linux VPNs for Privacy Protection

Windows

Windows is Microsoft’s operating system and includes desktop computers and mobile devices. While it originally dominated the market with over 90% of the market share, it’s still the most popular operating system for PCs, although the company has lost most of the market share to Android.

• Information They Collect: Windows operating systems collect data like content of messages, phone number of contacts, payment info, name, security code, family settings, current location, diagnostic data, support communications, personalized dictionaries, any files the user saves in OneDrive, reports related to malware, device, drivers, and software installed.
• Why They Say They Collect Your Data: Microsoft saves this data to help users communicate with people, buy items, keep kids safe, fix problems, help customers, show users stuff they might like, personalize ads and make systems safer.¹⁸
• Third Party Sharing Policies: Microsoft only shares this data to affiliates that they control as well as subsidiaries and vendors. They also comply with legal requests and will share information to protect customers’ lives.¹⁹
• If you’re using MacOS or iOS, scroll up to read about Apple’s privacy policy. The same goes for Android devices; that falls under Google, which we covered above.

>> Related: The Best Windows VPNs for Privacy Protection

Apps

That accounts for the majority of major tech companies, browsers and operating systems, but there are also a few common apps that we took a look at, as well.

Kik

Kik is a messaging app that’s available for free on iOS and Android devices. It’s popular because it lets users register without requiring a phone number, instead relying on the person’s data plan or Wi-Fi to send messages, photos and more. But what data do they collect?

• Information They Collect: Kik keeps the information that the user gives them, which may or may not include their name, email address, phone number, birthday, and password hash. They also keep:
  • Profile information: Basically, this section is as detailed as the user wants it to be; if they fill it out, Kik would save their profile pictures, interests, emoji status, and more information.
  • Message content: The big draw of Kik is that they don’t save messages after they’ve been delivered; rather, all delivered messages including their attachments will be lost from the app.
  • Conversation attributes: This includes group names, profile pictures, themes, administrators, and membership limitations.
  • Membership information: Kik notes whenever a user joins or leaves a public group.
  • Kik communications: This covers any communication between the user and the company, such as polls, surveys, and emails sent back and forth.
  • Kik wallet information: For users that use Kik wallet, the company will save the transaction value, recipient, and public wallet address.
  • Log and data usage information: While Kik deletes the content of messages after they’ve been delivered, they do keep the times and dates the messages were sent, who the user chatted with, their IP address, as well as how they use third-party websites or services through the apps, which could include everything from gifs to emojis.
  • Device information: The company will also log the user’s hardware model, O.S version, unique drive identifiers, and mobile network information.
  • Location information: Kik doesn’t log the user’s precise location through GPS; rather, they can get the user’s city and state from their IP address.
  • Device contacts and address book: Kik will only save this information with the user’s permission.
  • Bot chats: Kik will log the date, time, frequency of contents of users’ conversations with bots.
  • Kik code: Kik codes, scannable codes that allow users to connect with each other, are saved when the user uses them.
  • Kik transaction information: If the user performs transactions through Kik, the company will save the date and time of the transaction, account information, the account the user is transacting with, the public wallet address, balance and more.
  • Cookie information: Kik keeps track of web activity as well as browser and device information.
  • Local storage information: This could include a user’s photos and videos.
• Why They Say They Collect Your Data: Kik says that they collect this data to uphold their app and services, give users account notices, update the app, store user preferences, and speed up searches. They also use this data for billing, collection and advertising purposes.
• Third Party Sharing Policies: Kik shares this information to services used in their app, from analytics companies to GIF providers and bots. They also use tracking technology that could be associated with a user’s personal information or online activities.²⁰

Outlook

Outlook is Microsoft’s email service, but being a different application than Microsoft Edge, its privacy rules are a bit different as well.

• Information They Collect: Outlook collects the data the user provides, like their account information, search queries, emails and more. They also collect data from third parties including data brokers, local business reviews, public social media posts, communications services, service providers, partners, developers, publicly available sources and more.²¹
• Why They Say They Collect Your Data: Microsoft collects this data for service delivery, troubleshooting, and maintenance and improvement. They don’t profile users or use their information for advertising or market research.²²
• Third Party Sharing Policies: Again, Microsoft never shares user data for marketing or advertising; rather, they share it with their subprocessors.²³ They will also comply for customer data requests if they’re legal and there’s a subpoena, court order, warrant, etc.²⁴

Skype

Skype is a video messaging service that Microsoft also owns, so its privacy policies are the exact same as Outlook’s (scroll up to see it in detail).

LinkedIn

LinkedIn is the Facebook of the professional world originally launched in 2003. LinkedIn’s founder Reid Hoffman told The New Yorker that the majority of their revenue comes from recruiters, who pay to access information about the site’s users.²⁵ Of course, this is the purpose of professional networking in the first place, but we checked to see what other data of yours LinkedIn collects.

• Information They Collect: Linkedin collects:
  • Registration information: This could include the user’s name, email, phone number, password, and payment information, if they bought a Premium subscription.
  • Profile information: This includes any information the user has on their profile, which could include education, work experience, skills, photos, their city or area, and endorsements. Users also have the choice to sync their LinkedIn with their address book or calendar, so that information would be saved as well.
  • Posts and uploads: LinkedIn logs when the user provides, posts or uploads things to LinkedIn, responds to a survey, submits their resume, or fills out job information.
  • Content and news: LinkedIn logs users’ public information and professional-related news and accomplishments.
  • Visits and uses of services: This includes mobile applications as well as the desktop website.
  • Cookies, device and location information: LinkedIn logs each user’s IP address, proxy server, operating system, web browser, add-ons, device identifiers and features, cookie IDs, Internet Service Providers and mobile carrier.
• Why They Say They Collect Your Data: LinkedIn collects this data to support, provide, personalize and develop their services, which includes advertising, marketing and customer support.
• Third Party Sharing Policies: LinkedIn will only share user information with third parties for direct marketing purposes with their permission.²⁶

Spotify

Last but not least, Spotify is a popular music and podcast streaming service available on desktop as well as mobile devices. For free, users can listen to their gigantic music library with ads, while the Premium service takes away the ads. Still, no matter which subscription you’re under, here’s what Spotify logs:

• Information They Collect: Spotify collects the following information:
  • User data: This includes the user’s username, email, phone number, birthday, gender, address, and country. Also, if they logged in through a third party like Facebook, LinkedIn will log their data as well.
  • Usage data: This covers type of plan, search queries including the date and time of any requests, streaming history, playlists, library content, browsing history, and the user’s interactions with the Spotify Service content and other users. Spotify uses this information to make inferences about the user’s interests and preferences. They also log information like photos, playlist titles, interactions with customer service, as well as technical data like URL information, cookie data, the user’s IP address, device type, browser type, non-precise location from their IP address, and more.
  • Plan verification data: If the user has a Premium Family or Premium Duo plan, Spotify may use a third party map app like Google Maps to verify their subscription address. However, this address won’t be used for advertising or any other purpose.
  • Voice data: This is only collected if the user uses voice control
  • Payment and purchase data
  • Contest, survey and sweepstakes data
• Why They Say They Collect Your Data: Spotify says that they collect this data to provide and personalize their service, detect fraud and fix issues. They also use this data for marketing, promotions and advertising, legal obligations and law enforcement requests, contractual obligations from third parties, etc.
• Third Party Sharing Policies: Spotify shares publicly available information with third parties, like the user’s name and username, profile picture, who they follow and are followed by, their recently played artists and their public playlists. They share this data with everyone from service providers and payment processors to advertising partners, Spotify partners, academic researchers, other Spotify group companies, law enforcement and data protection authorities, and purchases of other businesses.²⁷

How To Avoid and Reduce Data Collection in the Future

If we’ve proven anything so far, it’s that companies you use online log a lot of our data. Is browsing online privately truly possible? Well, not 100%, but there are a number of things you can do to reduce the amount of data about you online, both in the future and from the past.

Prevent Data Collection Moving Forward

While you can’t get rid of all data collection, there are actions you can take to lessen it, starting with your browser itself.

By Browser

Naturally, browsers log the majority of your web traffic and search queries, but most of them allow you to delete the data and cookies as soon as you close the browser, or at the end of the day for Safari. Cookies, by the way, are bits of information that websites send to your computer, stored in the web browser, that keeps track of all web activity²⁸ from site to site.

• Chrome: Go into “settings”, “content settings”, “cookies and other site data” then check off “block all cookies”. Also, turn the toggle on “clear cookies and site data when you quit Chrome”.
• Firefox: Click on “menu”, “preferences” then “cookies and site data”. Check off “delete cookies and site data when Firefox is closed”.
• Microsoft Edge: Click on “settings”, “privacy and services”, then “clear browsing data on close”. Then, check off everything that you want to be deleted when you close your browser.
• Opera: Hit “settings”, “privacy and security”, and then “cookies and site data”. Turn the toggle on next to “clear cookies and site data when you quit Opera”.
• Safari: Click “Safari”, “preferences”, “general”, then “remove history items after” and choose one day. Next, go to “privacy” and check off “block all cookies”.

>> Additional Resource: A Complete Guide to Private Browsers

Social Media

There’s no way to use social media without the companies logging a ton of your information, so the only way to prevent this data collection is simply to not use social media; see below where we give you instructions on how to deactivate your accounts.

General Tips For Digital Privacy

Okay, now that you’ve got yourself as private as possible via your browsers and social media networks, here are a few general tips to stay private online.

• Use a VPN: If you’re on a public network, you’re much more susceptible to being hacked, which is why we recommend using a VPN, or Virtual Private Network, before connecting to the Internet. VPNs will completely encrypt your web traffic and even replace your IP address, making you essentially invisible online.
• Avoid phishing scams: Phishing is one of the most common ways that hackers can access accounts. Typically, hackers send emails to people with fake links to log on to accounts, from which they take their usernames and passwords. Make sure the URL you are clicking on is legitimate (google.com vs. go0gle.com, for example), and as a general rule, don’t click on any unfamiliar links or emails.
• Use a password manager: It’s hard to keep track of all our online accounts, let alone remember all our passwords. That’s why some people resort to using the exact same or different variations of the same passwords for multiple accounts. The problem is, if someone manages to hack into one account, you risk getting all your other accounts hacked as well. Use a password manager to conveniently and safely store all your passwords, and always use a strong password. Also consider turning on multi-factor authentication.
• Read companies’ privacy policies: We know, we know; reading privacy policies (or any legal jargon, for that matter), can be a long and unforgiving process, but it’s your best bet to keep track of how your information is stored, sold and shared with third parties.
• Only give companies data when absolutely necessary: Sometimes, companies let you opt out of cookies; we often don’t realize this is an option. Try to only allow cookies when it’s absolutely necessary!
• Avoid store loyalty cards: Store loyalty cards are certainly a nice way to save some money, but they’re also a nice way for companies to track your information. The privacy-minded should avoid store-loyalty cards completely.
• Use cash rather than cards: Cards in general are trackable in a way that old-fashioned dollar bills simply aren’t.
• Use fake information on forms: Now, we don’t recommend using fake information on important forms, like government or medical forms. However, for signing up for something as inconsequential as a newsletter from a fast fashion website, there’s nothing wrong with using a fake email, name or phone number.
• Use browser extensions to block trackers: There are a number of browser extensions that prevent or reduce online tracking, like Privacy Badger,²⁹ HTTPS Everywhere³⁰ and uBlock Origin.³¹ There’s another extension that also blocks ads called Ghostery.³²
• Opt out of data sharing: While there’s no magical button you can press to completely opt out of your data being shared with large companies, Simple Opt Out is a website with instructions to opt out of data-sharing from over 50 large companies, from X to Mastercard to Amazon.³³
• Limit use of identifiers for ad targeting on mobile devices: On iOS devices, go into “settings”, then “privacy” and “advertising” and turn on “limit ad tracking”. On Android devices, go into “Google settings” then “ads” and toggle on “opt of our Internet-based ads”.
• Turn location off on mobile devices: There’s no reason for your device to constantly know your location. On an iOS device, go into “settings”, “privacy” and then “location services”, and toggle on “don’t allow.”³⁴ For Android-users, click “settings” then “location” and turn off “use location.”³⁵.
• Limit app permissions: In general, apps will try to gain as much information about you as possible; make sure to go into your settings and limit this information to what is strictly necessary to run their service.

How To Delete Data That’s Already Been Collected

We cleared our data from the major browsers as well as social media networks, and here’s how we did it.

By Browser

• Chrome: Click “Chrome” then “more” and “more tools”, then choose the time range of “all time”. Check off the information you want deleted and click “clear data.”³⁶
• Firefox: Click on “Firefox” then “library”, “history”, “clear recent history”. Choose your time range and what information you want deleted, then click “clear now.”³⁷
• Microsoft Edge: Hit “Edge”, “settings and more”, “settings,”“privacy and services” then “clear browsing data”. Choose what you want to clear, the types of data and the time range, and hit “clear now.”³⁸
• Opera: Choose “Opera” then hit Ctrl + H. Click “clear browsing data” and select what you want to delete and the time range, and then hit “clear data.”³⁹
• Safari: Hit “Safari” then “history” and “clear history.”⁴⁰

By Social Media Network

Social media accounts, by their very nature, contain a ton of our personal information, so in order to get your data deleted, you’ll need to completely deactivate your accounts. Here’s how!

• Facebook: Click the down arrow at the top right corner, then click “settings”, “your Facebook information”, “deactivation and deletion”, “delete account”, “continue to account deletion”, “enter password”, “continue”, and finally “delete account.”⁴¹
• X: Hit “X”, “settings and privacy”, “account”, “deactivate account”, “ deactivate @username” and enter your password. Then, click “deactivate account.”⁴²
• Instagram: Go to the “delete your accounts” page⁴³ and select an option to answer why you are deleting your account. Next, re-enter your password and click “permanently delete my account.”⁴⁴
• LinkedIn: Click “LinkedIn”, “me”, “settings and privacy”, “account”, “account management”, “change”, “closing your LinkedIn account” and choose a reason why. Then, hit “next”, enter your password and click “close account.”⁴⁵

Data Privacy Statistics

Given that 90% of all adults in the United States used the Internet as of 2019,⁴⁶ data breaches are something that could affect nearly all of us at some point in our lives. Even more so, out of the adult Internet users in the U.S, 28% say that they are online “almost constantly,” while 45% say they’re online several times a day,⁴⁷ which makes for literally millions of opportunities for sensitive information to be revealed to someone it shouldn’t. On top of that:

• 81% of people think they have little to no control over how companies collect data
• 79% of people are very concerned about how companies use their data
• 59% say that they have little to no understanding of data use.⁴⁸

Hopefully, our data privacy guide can help people understand exactly how companies use their data and how to take back control. While using the Internet necessitates relinquishing some data, we can definitely decrease the amount significantly.

Data Collection Laws

Security.org’s Chief Editor Gabe Turner isn’t just a security expert; he’s also a lawyer with a strong grip on the laws surrounding data collection, including international, federal, and state legislation. Here’s what’s legal and what’s not when it comes to data privacy.

International

Even if you’re based in the United States like us, any business that has customers in the European Union must adhere to what’s called the General Data Protection Regulation⁴⁹(GDPR). The GDPR refers to “personal data”, which they define as “any information relating to an identified or identifiable natural person.”⁵⁰ Some examples of personal data include:

• Location data
• Names
• Identification numbers
• Gender
• Age
• Job
• Employer
• Address
• Phone number
• Email address

Now that we know what “personal data”, the GDPR protects, here’s a summary of their requirements for companies online⁵¹:

• Transparency and communication: Companies have to explain clearly exactly how they process user data and how people can request to have their data removed or altered. They’re also required to respond to these requests quickly and adequately.
• Right of access: People have the right to know about the source of their personal data, the purpose of why the company has processed it, the length of time the data will be held, and more. People can also access their personal data.
• Accuracy: If information is inaccurate or incomplete, people have the right to correct that information.
• Right to object: People can object to companies processing their data unless they have a legitimate reason to, like a legal obligation.
• Right to be forgotten: Otherwise known as the right to erasure, the right to be forgotten means that people can request to have data deleted at any time. However, there are exceptions, like if this request prohibits the company’s right to freedom of expression.
• Data portability: The company must store the data in a way that’s easily shareable and easily understood. In addition, if the user requests the data must be sent to a third party the company must comply, even if it’s a competitor.
• Right to restrict processing: Finally, users can change the way that the company processes their data, be it removing it from their site if it’s inaccurate or no longer needed.

Even though large tech companies like Google and Amazon are based in the United States, because they have customers in the E.U, the GDPR applies.

Federal

While the United States has federal data privacy laws, they only apply to two industries: healthcare and finance. As for the rest of the industries, there are no federal, personal data laws that apply to any company that stores and uses customer data.⁵² Let’s take a closer look at the current data privacy laws from the federal government:

• Health Insurance Portability and Accountability Act: Commonly referred to has HIPPA, this act applies to “covered entities” holding “protected health information”, according to the U.S Department of Health and Human Services.⁵³ That includes everything from doctors to insurance companies, ensuring that they keep medical data protected.
• Gramm-Leach-Bliley Act: Otherwise known as the Financial Modernization Act of 1999, this act covers everything from insurance companies and securities firms to banks; in other words, any company that provides financial services or products. These companies must adhere to what’s called the Financial Privacy Rule, which governs how they collect and disclose their customers’ personal financial information, as well as the SafeGuards Rule, which governs exactly how they safeguard this information. This act also prevents companies from “pretexting,” essentially accessing personal finance information under false pretenses.⁵⁴

State

This is America, which means that every state has their own rules and regulations for their residents, and data privacy is no exception. Note, this isn’t a complete list of every state’s data privacy laws, but a general overview. Find out where your state lies when it comes to protecting your online privacy.

• Alabama: According to the Alabama Data Breach Notification Act of 2018, certain entities have to tell people when there’s been a data breach involving their sensitive personally identifying information or PII.⁵⁵
• Alaska: Passed in 2009, the Alaska Personal Information Protection Act says that users need to be alerted when breaches involving their PII have occurred. This act also puts restrictions on the use of personal and credit information and requirements for proper disposal of records containing PII, among other things⁵⁶
• Arizona: Arizona’s Data-Breach Notification Law requires companies to let their users know if there has been a data breach involving their PII.⁵⁷
• Arkansas: Under the Arkansas Personal Information Protection Act, entities that collect PII must use “reasonable security procedures” to protect this information. However, they only have to alert users of data breaches if they’ve affected over 1,000 people and have a “reasonable likelihood of harm.”⁵⁸
• California: California is by far the most advanced state when it comes to protecting their residents’ digital privacy under acts such as:
  • Digital Privacy Rights for Minors: Websites can’t market products or services to minors if the minors aren’t allowed to buy them yet, like alcohol.
  • Online Privacy Protection Act of 2003: Any business that collects PII through a website must have a conspicuous privacy policy that it adheres to, identifying the PII they collect and the third parties they share it with.
  • Confidentiality of Medical Information Act: Individuals can maintain their own medical information on medical apps.⁵⁹
  • Data Security Breach Reporting: Any business or agency that releases unencrypted PII of more than 500 Californians must let them know.⁶⁰
• Colorado: Colorado has laws regarding the proper disposal of PII, and laws requiring “reasonable security measures” to protect it. Like most states, Colorado requires that companies notify people when their PII was compromised.⁶¹
• Connecticut: Connecticut’s General Statutes says that certain types of businesses must display privacy policies explaining how they will protect customer PII and share it with third parties.⁶² In addition, companies must disclose to residents when their PII has been compromised as well as notify the Office of the Attorney General.⁶³
• Delaware: The Delaware Online Privacy and Protection Act states that businesses must notify people of a security breach of their PII within 60 days.⁶⁴
• Florida: In Florida, businesses need to alert people of security breaches if they’ve affected at least 500 people within 30 days.⁶⁵
• Georgia: The Law of Georgia on Data Protection provides guidelines for data processing. Data should be kept for the shortest amount of time possible and then should be deleted, destroyed, locked or stored anonymously.⁶⁶ Businesses also must notify people of security breaches as soon as possible.⁶⁷
• Hawaii: Hawaii’s Health Care Privacy Harmonization Act says that identifying health information should be protected and anonymized.⁶⁸ Also, businesses and government agencies need to alert consumers if their PII has been compromised.⁶⁹
• Idaho: Companies need to tell people if their PII has been exposed within 24 hours of the breach.⁷⁰
• Illinois: People must be notified of a security breach as quickly as possible, and businesses need to take “reasonable security measures” to protect their data.⁷¹
• Indiana: Indiana’s Security Breach Notification Statute says that residents have the right to know when their PII has been breached.⁷²
• Iowa: In Iowa, businesses must alert people of PII security breaches that affect over 500 residents; the government allows five days between the breach and the customer notification.⁷³
• Kansas: In Kansas, businesses must tell people of security breaches as soon as possible if they affect over 1,000 consumers. In addition, they must also alert national reporting agencies.⁷⁴
• Kentucky: If there’s a security breach of PII, businesses must notify people as quickly as possible.⁷⁵
• Louisiana: If businesses don’t tell Louisiana residents of a breach, they could face a violation fee of up to $5,000.⁷⁶
• Maine: An Act to Protect the Privacy of Online Customer Information says that to sell or access PII, providers need affirmative consent from customers, which they can revoke at any time. However, there are exceptions to this rule, like a lawful court order. Businesses also must take reasonable measures to protect the PII.⁷⁷ In addition, providers must alert customers of security breaches if they affect over 1,000 people at a time “without reasonable delay.”⁷⁸
• Maryland: The Personal Information Protection Act says that consumer data should be reasonably protected, and consumers should be notified of a breach within 45 days.⁷⁹
• Massachusetts: Businesses must report security breaches or unauthorized usage of PII within 10 business days.⁸⁰ Massachusetts also requires that businesses have an information security program to protect consumer data, which lays out specific requirements regarding passwords, encryption and more.⁸¹
• Michigan: If a security breach of unencrypted information can cause substantial losses or injuries, businesses must alert consumers within three business days.⁸²
• Minnesota: Minnesota is one of the few states where only government data breaches need to be reported, not breaches from privately-owned businesses.⁸³
• Mississippi: Businesses must notify consumers of a security breach of PII “without reasonable delay.”⁸⁴
• Missouri: Businesses must tell people of breaches that expose PII.⁸⁵
• Montana: Businesses must tell Montana residents if their PII has been compromised “without reasonable delay.”⁸⁶
• Nebraska: Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 says that businesses must alert customers of security breaches of PII as soon as possible.⁸⁷
• Nevada: Once they know they no longer need it, businesses must destroy customers’ PII. Beforehand, they must protect the PII using “reasonable security measures”, and if they use a payment card, they must adhere to the Payment Card Industry Data Security Standard. Finally, businesses must alert people of security breaches as soon as possible.⁸⁸
• New Hampshire: Businesses must notify people of a PII breach as quickly as possible.⁸⁹
• New Jersey: New Jersey businesses also have to let consumers know if their PII was breached as soon as possible.⁹⁰
• New Mexico: New Mexico’s Data Breach Notification Act requires businesses to tell people if their PII has been exposed in a security breach. It also sets requirements for the secure storage and disposal of PII.⁹¹ In addition, the Consumer Information Privacy Act says that consumers can request their PII and get it deleted if they request. At anytime, consumers can also opt-out of the sale of their PII; to sell their information with a third party, businesses need the explicit consent of consumers, after they tell them exactly what is collected, how it will be used and sold, and more information.⁹²
• New York: The Empire State’s Information Security Breach and Notification Act says that customers have the right to know as quickly as possible when their PII has been exposed in a security breach.⁹³
• North Carolina: North Carolina’s Identity Theft Protection act says that people must be notified of PII breaches “without reasonable delay.”⁹⁴
• North Dakota: In North Dakota, businesses must notify consumers over PII breaches when 250 or more are affected as soon as possible.⁹⁵
• Ohio: The Ohio Protect Act is a program that incentivizes businesses to strengthen their cyber security, preventing breaches in the first place⁹⁶, while the Security Breach Notification Act says that they must alert consumers if their PII has been breached within 45 days.⁹⁷
• Oklahoma: Oklahoma’s Security Breach Notification Act says that people should be alerted of security breaches as soon as possible.⁹⁸
• Oregon: Businesses need to tell consumers of security breaches only if they affect more than 250 Oregon residents.⁹⁹
• Pennsylvania: The Keystone state’s Breach of Personal Information Notification Act requires that businesses tell customers of PII breaches “without unreasonable delay.”¹⁰⁰
• Rhode Island: The Rhode Island Identity Theft Protection Act says that businesses must provide “reasonable security” for PII and must notify customers of breaches that will increase their risk of identity theft “without unreasonable delay.”¹⁰¹
• South Carolina: South Carolina businesses must notify consumers of security breaches with PII within 60 days.¹⁰²
• South Dakota: Businesses must tell people of security breaches involving their PII within 60 days.¹⁰³
• Tennessee: The Tennessee Identity Theft Deterrence Act says that businesses must notify residents of breaches of unencrypted data within 45 days.¹⁰⁴
• Texas: The Texas Identity Theft Enforcement and Protection Act says that if there’s a security breach involving 250 people or more, they must be notified within 60 days. In addition, businesses need to get consumers’ consent when obtaining or transferring personal information. The PII must then be protected with “reasonable procedures” and must be destroyed after the business is done using it.¹⁰⁵
• Utah: Utah’s Protection of Personal Information Act says that businesses must implement reasonable procedures to protect PII and destroy it when done. Security breaches must be disclosed to consumers within 20 days.¹⁰⁶ In addition, the Electronic Information of Data Privacy Act says that law enforcement agencies must obtain a search warrant to access location information, stored or transmitted information from an electronic device. They also must obtain a warrant before getting any information about the device’s owner from their computing service provider. Even if they get the warrant, the agency must destroy this information as soon as they’re done with it.¹⁰⁷
• Vermont: Under the Security Breach Notice Act, businesses must alert Vermont consumers of a data breach within 45 days.¹⁰⁸
• Virginia: Virginia’s Personal Information Privacy Acts ensures that businesses can only sell customer data to third parties with their consent.¹⁰⁹ It’s also required that businesses notify customers when their unencrypted information is compromised as soon as they can.¹¹⁰
• Washington: If a breach affects over 500 Washington residents, businesses must let them know within 30 days.¹¹¹
• West Virginia: In West Virginia, the Consumer Credit and Protection Act says that businesses must notify people of a security breach as soon as possible.¹¹²
• Wisconsin: In Wisconsin, businesses only have to destroy customer PII if it’s related to health conditions, financial accounts or tax returns. They also have to notify people if there is a security breach of PII.¹¹³
• Wyoming: Finally, Wyoming requires businesses to notify customers of security breaches involving PII as soon as possible.¹¹⁴

As you can see, most of the states only have security breach notification laws, which require them to tell their customers if there was a breach of their PII, or personally identifiable information. However, two states, California and Maine, took things to a new level with some recently passed bills, which we’ve spotlighted:

• California Consumer Privacy Act: Similar to the GDPR, this act ensures that Californians know how their personal information is being collected, sold, and shared. If they want, they can prevent the sale of personal information, access it online, or delete it completely.¹¹⁵
• Maine’s Act To Protect the Privacy of Online Consumer Information: Companies can’t use, sell or share customer information unless they’ve consented to it, it’s essential to provide their service, to comply with the law, and a few other exceptions. They also must take “reasonable measures” to protect this information.¹¹⁶

Is Private Browsing Really Private?

We’ve all heard of private browsing before, but is it really private? Well, the short answer is no; during private browsing sections, cookies can still be shared with third parties who can track our web activity as we bounce from site to site. However, for someone sharing a device with another person, private browsing will work, as the browser itself won’t retain cookies, files downloaded, browsing history or search records. Keep in mind that different browsers have different privacy modes, so be sure to check your browser settings before using it to surf the web.¹¹⁷

How To Browse Privately by Browser

Want to turn on a private browsing section? Here’s how, on the most popular browsers available:

• Chrome: Press “more” then “new.”¹¹⁸
• Firefox: On Android¹¹⁹ or desktop¹²⁰, press “menu” then “new private tab/ window”. On iPhones¹²¹, tap the tab icon at the bottom of the screen then click on the purple mask button. From there, tap on the plus tab to open a private tab.
• Microsoft Edge: Click “settings and more” then “new Inprivate window”.¹²²
• Opera: On a mobile device, click the three dots in the upper right hand corner.¹²³ On a desktop computer, click “file” then “new private window”.¹²⁴
• Safari: Strangely, there’s no private mode for Safari on Androids, but on iPhones and other iOS devices, click “new page button” then “private” then “done”.¹²⁵ On desktops, hit “file” then “new private window”.¹²⁶

Recap

Compared to Europe, the United States has a long way to go when it comes to protecting consumer’s online privacy, however, with a few simple steps, you can greatly reduce the amount of data that companies have on you. Hopefully in the near future, the United States can adapt a federal law similar to the GDPR to ensure that customers are more in control of their data.

Citations:

1. Oberlo. (2024). HOW MUCH TIME DOES THE AVERAGE PERSON SPEND ON THE INTERNET?
   oberlo.com/statistics/how-much-time-does-the-average-person-spend-on-the-internet
2. Google. (2024). Google Privacy Policy. policies.google.com/privacy?hl=en-US
3. DataRePortal. (2024). FACEBOOK USERS, STATS, DATA & TRENDS. datareportal.com/essential-facebook-stats
4. Meta. (2024). Privacy Policy. facebook.com/privacy/policy/
5. X. (2023). X Privacy Policy. twitter.com/en/privacy
6. Amazon. (2023). Amazon.com Privacy Notice.  amazon.com/gp/help/customer/display.html?nodeId=201909010
7. Apple. (2022). Apple Privacy Policy. apple.com/legal/privacy/en-ww/
8. Google. (2024). Google Privacy Policy. policies.google.com/privacy?hl=en-US
9. Mozilla Wiki. (2024). Data Collection. wiki.mozilla.org/Data_Collection
10. Mozilla. (2024). Firefox Privacy Notice. mozilla.org/en-US/privacy/firefox/
11. Mozilla. (2020). Mozilla Privacy Policy.  mozilla.org/en-US/privacy/ 
12. Mozilla. (2024). The Mozilla Manifesto Addendum: Pledge for a Healthy Internet. mozilla.org/en-US/about/manifesto/
13. Microsoft. (2024). Microsoft Edge, browsing data, and privacy. support.microsoft.com/en-us/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd
14. Microsoft. (2024). Microsoft Privacy Statement. privacy.microsoft.com/en-us/privacystatement
15. mOpera. (2023). Opera Privacy Statement. legal.opera.com/privacy/
16. Apple. (2022). Apple Privacy Policy. apple.com/legal/privacy/en-ww/
17. The Linux Foundation. (2023). Privacy Policy. linuxfoundation.org/legal/privacy-policy
18. Microsoft. (2024). Privacy at Microsoft. privacy.microsoft.com/en-US/
19. Microsoft. (2024). Microsoft Privacy Statement. privacy.microsoft.com/en-us/privacystatement
20. Kik. (2022). Privacy Policy. kik.com/privacy-policy/
21. Microsoft. (2024). Microsoft Privacy Statement. privacy.microsoft.com/en-us/privacystatement
22. Microsoft. (2024). Data protection and privacy. microsoft.com/en-us/trust-center/privacy
23. Microsoft. (2024). Microsoft Online Services Subprocessors List. drive.google.com/file/d/1kbKRzabSzzHzPNh6D9KXISGqBVVWccYQ/view?usp%3Dsharing
24. Microsoft. (2024). Law Enforcement Requests Report. microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report
25. The New Yorker. (2015). The Network Man. newyorker.com/magazine/2015/10/12/the-network-man
26. LinkedIn. (2020). Privacy Policy. linkedin.com/legal/privacy-policy#collect
27. Spotify. (2023). Spotify Privacy Policy. spotify.com/us/legal/privacy-policy/
28. Norton. (2022). Computer cookies: A definition + how cookies work. us.norton.com/blog/privacy/what-are-cookies
29. Privacy Badger. (2024). Frequently Asked Questions. privacybadger.org/
30. Electronic Frontier Foundation. (2024). HTTPS Everywhere. eff.org/https-everywhere
31. Github. (2024). uBlock. github.com/gorhill/uBlock#ublock-origin
32. Ghostery. (2024). Privacy You Can See. https://www.ghostery.com/
33. Simple Opt Out. (2024). Welcome. simpleoptout.com/
34. Apple. (2024). Turn Location Services and GPS on or off on your iPhone, iPad, or iPod touch. support.apple.com/en-us/102647
35. Google Account Help. (2024). Manage your Android device’s location settings. support.google.com/accounts/answer/3467281?hl%3Den
36. Google Chrome Help. (2024).  Clear browsing data in Chrome. support.google.com/chrome/answer/2392709?co%3DGENIE.Platform%253DDesktop%26hl%3Den
37. Mozilla Support. (2024). Delete browsing, search and download history on Firefox. support.mozilla.org/en-US/kb/delete-browsing-search-download-history-firefox
38. Microsoft. (2024). View and delete browser history in Microsoft Edge. support.microsoft.com/en-us/microsoft-edge/view-and-delete-browser-history-in-microsoft-edge-00cf7943-a9e1-975a-a33d-ac10ce454ca4
39. Tips & Tricks Opera Blog. (2023). Watching videos in a separate floating window. blogs.opera.com/tips-and-tricks/
40. Safari User Guide. (2024). Clear your browsing history in Safari on Mac. support.apple.com/guide/safari/clear-your-browsing-history-sfri47acf5d6/mac
41. Facebook Help Center. (2024). Permanently Delete Your Facebook Account. facebook.com/help/224562897555674?helpref%3Dsearch%26sr%3D2%26query%3Ddelete%2520data%26search_session_id%3D971a965d87ac7b7e512284e9bede41b2
42. X Help Center. (2024). How to deactivate your account. help.twitter.com/en/managing-your-account/how-to-deactivate-x-account
43. Instagram. (2024). Log in. https://www.instagram.com/accounts/login/
44. Instagram Help Center. (2024). Delete Your Account. help.instagram.com/370452623149242
45. LinkedIn Help. (2023). Close your LinkedIn account. linkedin.com/help/linkedin/answer/a1379064/closing-your-linkedin-account?lang=en-us&intendedLocale=und
46. Pew Research Center. (2024). Internet, Broadband Fact Sheet. pewresearch.org/internet/fact-sheet/internet-broadband/
47. Pew Research Center. (2021). About three-in-ten U.S. adults say they are ‘almost constantly’ online. pewresearch.org/short-reads/2021/03/26/about-three-in-ten-u-s-adults-say-they-are-almost-constantly-online/
48. Pew Research Center (2019). Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information. pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/
49. European Commission. (2019). EU data protection rules. commission.europa.eu/law/law-topic/data-protection/eu-data-protection-rules_en
50. GDPR.EU. (2024). What is considered personal data under the EU GDPR? https://gdpr.eu/eu-gdpr-personal-data/
51. GDPR. EU. (2024). A guide to GDPR data privacy requirements. gdpr.eu/data-privacy/
52. Council on Foreign Relations. (2018). Reforming the U.S. Approach to Data Protection and Privacy. cfr.org/report/reforming-us-approach-data-protection
53. U.S. Department of Health and Human Services. (2024). Summary of the HIPAA Security Rule. hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
54. Federal Trade Commission. (2024). Financial Privacy. ftc.gov/news-events/topics/protecting-consumer-privacy-security/financial-privacy
55. State of Alabama Office of Information Technology. (2024).
56. Alaska Law. (2024).
57. Arizona Attorney General Kris Mayes. (2024). Arizona’s Data-Breach Notification Law FAQ. azag.gov/consumer/data-breach/faq
58. Tim Griffin Attorney General of Arkansas. (2024). Consumer Protection. arkansasag.gov/consumer-protection/identity/security-or-data-breach/
59. Rob Bonta Attorney General. (2024).
60. Rob Bonta Attorney General. (2024). Data Security Breach Reporting. https://oag.ca.gov/privacy/databreach/reporting
61. Phil Weiser Colorado Attorney General. (2024). Colorado’s Consumer Data Protection Laws: FAQ’s for Businesses and Government Agencies. coag.gov/resources/data-protection-laws/
62. Connecticut Court. (2024). CHAPTER 743dd PROTECTION OF SOCIAL SECURITY NUMBERS AND PERSONAL INFORMATION. cga.ct.gov/current/pub/chap_743dd.htm
63. Creditors’ Collection Practices Act. (2024). CHAPTER 669 REGULATED ACTIVITIES. cga.ct.gov/current/pub/chap_669.htm
64. The Delaware Code Online. (2024). Title 6. delcode.delaware.gov/title6/c012c/index.html
65. Online Sunshine. (2023). The 2023 Florida Statutes (including Special Session C). leg.state.fl.us/Statutes/index.cfm?App_mode%3DDisplay_Statute%26URL%3D0500-0599/0501/Sections/0501.171.html
66. Law of Georgia. (2024). On Personal Data Protection. matsne.gov.ge/en/document/download/1561437/5/en/pdf
67. U.S. Senate. (2024). Senate Bill 230. eits.uga.edu/access_and_security/infosec/pols_regs/docs/0506regsession_sb230.pdf
68. Hawaii.gov. (2024).
69. State of Hawaii. (2024). ID THEFT INFORMATION – BUSINESS BRIEFING. cca.hawaii.gov/id-theft-information-business-briefing/
70. Idaho Legislature. (2024). Commercial Transactions. legislature.idaho.gov/statutesrules/idstat/title28/t28ch51/sect28-51-105/
71. Illinois. (2024). Illinois Compiled Statutes. ilga.gov/legislation/ilcs/ilcs3.asp
72. Indiana Attorney General Todd Rokita. (2006). Security Breach FAQ’s & Notification Form for Businesses. in.gov/attorneygeneral/consumer-protection-division/id-theft-prevention/security-breaches/security-breach-faqs-and-notification-form-for-businesses/
73. Iowa Department of Justice. (2024). Security Breach Notifications. iowaattorneygeneral.gov/for-consumers/security-breach-notifications
74. Kris W. Koback Kansas Attorney General. (2024).
75. Kentucky General Assembly. (2024). Kentucky Revised Statutes. apps.legislature.ky.gov/LAW/STATUTES/index.aspx
76. Fighting & Winning for Louisiana. (2024). Database Security Breach Notification. https://www.ag.state.la.us/Page/DataBreach
77. 129th Maine Legislature. (2024). An Act To Protect the Privacy of Online Customer Information. mainelegislature.org/legis/bills/bills_129th/billtexts/SP027501.asp
78. Maine Legislature Maine Revised Statutes. (2024). Title 10: COMMERCE AND TRADE Part 3: REGULATION OF TRADE Chapter 210-B: NOTICE OF RISK TO PERSONAL DATA. legislature.maine.gov/statutes/10/title10sec1348.html
79. Anthony G. Brown. (2024).  Guidelines for Businesses to Comply with the Maryland Personal Information Protection Act. marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx
80. Mass.gov. (2024). Massachusetts law about privacy. mass.gov/info-details/massachusetts-law-about-privacy
81.  OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION. (2024). 
    STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth/download
82. Michigan Legislature. (2024). Michigan Bill Search. legislature.mi.gov/(S(nwigwtujvuekfvitwos5kb2o))/mileg.aspx?page=home
83. Minnesota Legislature. (2024). 2023 Minnesota Statutes. revisor.mn.gov/statutes/cite/13.055
84. Mississippi Legislature. (2010). House Bill No. 583. billstatus.ls.state.ms.us/documents/2010/pdf/HB/0500-0599/HB0583SG.pdf
85. Andrew Bailey Missouri Attorney General. (2024).
86. Montana Department of Justice. (2024). Data Breaches – For Businesses. dojmt.gov/consumer/data-breaches-businesses/
87. Nebraska Attorney General. (2006). Financial Data Protection & Consumer Notification of Data Security Breach Act of 2006. ndbf.nebraska.gov/sites/ndbf.nebraska.gov/files/legal/87-801%20to%2087-808%20Financial%20Data%20Protection.pdf
88. Nevada State Legislature. (2024). SECURITY OF INFORMATION MAINTAINED BY DATA COLLECTORS AND OTHER BUSINESSES. leg.state.nv.us/NRS/NRS-603A.html
89. New Hampshire General Court. (2024). Right to Privacy. gencourt.state.nh.us/rsa/html/xxxi/359-c/359-c-20.htm
90. New Jersey Consumer Affairs. (2024). Identity Theft Prevention Act. njconsumeraffairs.gov/Statutes/Identity-Theft-Prevention-Act.pdf
91. New Mexico Legislature. (2024). An Act. nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf
92. New Mexico Legislature. (2024). 54TH LEGISLATURE – STATE OF NEW MEXICO – FIRST SESSION, 2019. nmlegis.gov/Sessions/19%20Regular/bills/senate/SB0176.pdf
93. Letitia James New York State Attorney General. (2024). Report a Breach. ag.ny.gov/resources/organizations/data-breach-reporting
94. North Carolina Legislature. (2005). Identity Theft Protection Act. ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
95. North Dakota Century Code. (2024). Notice of Security Breach for Personal Information. ndlegis.gov/cencode/t51c30.html
96. Ohio Bar. (2019). Ohio’s Data Protection Act. ohiobar.org/member-tools-benefits/practice-resources/practice-library-search/practice-library/2019-ohio-lawyer/ohios-data-protection-act/
97. Ohio Laws & Administrative Rules. (2007). Section 1349.19 | Private disclosure of security breach of computerized personal information data. codes.ohio.gov/ohio-revised-code/section-1349.19
98. Oklahoma Government. (2024).
99. Oregon Department of Justice Consumer Protection. (2024). Data Breaches. doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/
100. Pennsylvania General Assembly. (2024).
101. State of Rhode Island. (2024).
102. Tennessee Bar Association. (2024). Home Page. https://www.tba.org/index.cfm
103. Texas Statutes. (2009). Personal Identity Information. statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm
104. Utah Code. (2009). Protection of Personal Information Act. le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf
105. State of Utah 2019 General Session. (2019). Electronic Information or Data Policy. le.utah.gov/~2019/bills/hbillenr/HB0057.pdf
106. Vermont General Assembly. (2024). The Vermont Statues Online. legislature.vermont.gov/statutes/section/09/062/02435
107. Virginia Law. (2023). Personal Information Privacy Act. law.lis.virginia.gov/vacodepopularnames/personal-information-privacy-act/
108. Virginia Law. (2023). § 18.2-186.6. Breach of personal information notification. law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/
109. Washington State Office of the Attorney General. (2024). Data Breach Notifications. https://www.atg.wa.gov/data-breach-notifications
110. West Virginia Code. (2024). Chapter 1. The State and Its Subdivisions. code.wvlegislature.gov/?chap%3D46A%26art%3D2A
111. State of Wisconsin Department of Agriculture, Trade and Consumer Protection. (2024). Wisconsin Privacy Laws – General Privacy. datcp.wi.gov/Pages/Programs_Services/WIPrivacyLawsGeneral.aspx
112. Wyoming Legislature. (2024).
113. California Legislative Information. (2024).
114. 129th Maine Legislature. (2024). An Act To Protect the Privacy of Online Customer Information. mainelegislature.org/legis/bills/bills_129th/billtexts/SP027501.asp
115. Federal Trade Commission Consumer Advice. (2024). How Websites and Apps Collect and Use Your Information. consumer.ftc.gov/articles/how-websites-and-apps-collect-and-use-your-information#Controlling_Online_Tracking
116. Google Chrome Help. (2024). Browse in Incognito mode. support.google.com/chrome/answer/95464?co%3DGENIE.Platform%253DiOS%26hl%3Den%26oco%3D1
117. Mozilla Support. (2024). Private Browsing on Firefox for Android. support.mozilla.org/en-US/kb/private-browsing-firefox-android
118. Mozilla Support. (2024). Private Browsing – Use Firefox without saving history. support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history
119. Mozilla Support. (2024). Private Browsing in Firefox for iOS. support.mozilla.org/en-US/kb/private-browsing-firefox-ios
120. Microsoft. (2024). Browse InPrivate in Microsoft Edge. support.microsoft.com/en-us/microsoft-edge/browse-inprivate-in-microsoft-edge-e6f47704-340c-7d4f-b00d-d0cf35aa1fcc
121. Opera Touch. (2019).  Opera Touch introduces private mode (Android and iOS) and comes to iPad. blogs.opera.com/mobile/2019/01/opera-touch-private-mode-ipad/
122. Opera Blog. (2014). Browse incognito: How to open a private window in Opera for computers. https://blogs.opera.com/news/2014/10/how-to-open-private-window-opera-for-computers/
123. Apple Support. (2019). Turn Private Browsing on or off on your iPhone. support.apple.com/en-us/105030
124. Safari User Guide. (2024). Browse privately in Safari on Mac. support.apple.com/guide/safari/browse-privately-ibrw1069/mac