When you sign up for a digital service that asks you to sign a long terms-of-service agreement, chances are that company is going to be sharing your data with third parties. But what data is being shared with whom, and why, is often shrouded in secrecy–or at least confusing design, legalese, and hard-to-find disclosures.
A new tree diagram created by the designer and researcher Rebecca Ricks charts out all the different third parties with whom the online payment company PayPal “may” share the data of users who live in Europe. Based on a spreadsheet the company posted online at the beginning of January 2018 in order to comply with the EU’s strict data privacy laws, the visualization breaks the many companies that receive customer data from PayPal into broad categories and details what data is being shared and why. In essence, it’s a list of PayPal’s European service vendors, all of whom are supposed to be using the data to perform services for PayPal.
Ricks’s visualization is a useful tool that should exist for every company that shares the personal data of its customers with third parties. “As consumers we don’t have transparency into how this system works,” Ricks says. “I think people don’t realize their data is shared with third parties. For me, a data viz is a really easy way for people to see what information is shared about them.”
Some entries are ambiguous. Take Microsoft, under the “operational services” category. PayPal apparently supplies the tech company with an image of a customer–a photo or video–or their image from an identity document for the purposes of “facial image comparison for fraud protection” and “research and testing as to appropriateness of new products.” The former sounds like some kind of facial recognition system that PayPal uses to look for fraud. But the latter is uncomfortably broad. What kind of research is Microsoft doing using pictures of PayPal users’ faces? PayPal did not comment on this specific question.
By putting these revelations in the form of a data visualization, Ricks is trying to make it far easier for consumers to see how PayPal is spreading its data around to dozens of third parties. Even if a user might trust PayPal, it’s hard to know if all of these third parties are trustworthy or have any kind of data security. This practice of sharing personal data with third parties is common, and PayPal is just one example.
Ricks was particularly surprised that PayPal released the information at all, surmising that it might be legal compliance–or an attempt to get ready for the new data protection law passed in Europe, which in the coming months will require far greater transparency from any company that processes EU citizens’ personal data. PayPal confirmed that the page comes from the company’s European entity, and was published to adhere to current EU data laws. It does not apply to American users of PayPal, and the company does not publish a similar list of the third parties that receive its American customers’ data because it’s not required to do so.
It would be a great resource for consumers if all companies that collect and share their customers’ personal data were up-front about how they were sharing it–and better yet, if they presented it through this kind of visualization, which makes it much easier to comprehend the overwhelming scale of the list and dig into particular categories.
“When you can present it in a way that’s engaging, you can draw people’s attention to how data is organized that they probably wouldn’t have been looking at in a spreadsheet,” Ricks says. “You can take this info sitting in a spreadsheet and make it more palatable and interesting and relevant to people.”