What we know about you when you click on this article

Vox has a pretty typical privacy policy. That doesn’t make it great.

If you’re reading this story on Vox.com, we have probably already collected quite a few bits of information about you. We, as well as our third-party advertisers, likely know which type of device you’re on, what browser you’re using, what you do on our site (which articles you read, how long you stay, what ads you might click on), and what site you visit next. We know where you are based on your device’s IP address — a unique identifier attached to each device connected to the internet — but don’t use GPS to actively track your location.

We might be privy to more information, but what we utilize about people is restricted to information that signifies groups of people: details like age, income, interests, gender.

I’m telling you all this because as part of our Open Sourced project, we intend to explore the hidden consequences that various technologies — including ones we employ — have on regular citizens. We’ll be looking at things like Twitter’s privacy and free-speech policies as it begins to impose restrictions on political advertising; we’ll examine how Facebook tracks you around the internet; and we’ll explain how technologies like artificial intelligence are hoovering up vast amounts of data — and what they’re doing with it. Our goal is to explore and demystify the online world we all live in, to explain how algorithms work and what data you’re sharing with companies. And this means not only looking outward, but inward.

So, let’s get back to Vox.com. If you reached us through social media — or even a device on which you’re also using social media — we also have access to portions of your social profile, such as your name, email address, and friend list. We collect all this information and combine it with other data from internet behemoth Google to get a demographic picture of who you are so that we can make our site better but, primarily, to serve you ads. We could, for example, sell an ad to Glossier that would land in front of wealthy women in their 30s who frequently purchase cosmetics.

If you click to play an Open Sourced video on our YouTube channel, you’re also subject to Google’s privacy policy. And if you happen to be signed in with a Google account like Gmail, Google can collect even more info.

We — like most publishers — also use Google to sell, manage, and track ads across our sites. Part of what makes that partnership so attractive to publishers is all the information Google has about you and is willing to share. The third-party advertisers on our site do the same thing but do so programmatically, meaning through an automated, auction-based system to sell the rest of the ad space on our site. If you buy something through certain links on some Vox Media sites, we know how much you spent in order to calculate a revenue share percentage with the affiliate seller.

How ad-supported journalism works

We are an ad-funded publication: Advertisements help pay my salary, support our journalism, and keep the lights on. The more detailed a picture an advertiser can get of who they’re reaching, the more they will generally pay. Vox Media — the parent company of Vox, Recode, and Open Sourced — does not outright sell data about you for money, but we do sell access to you. Put another way, we tell advertisers that we can put ads in front of you and then track for them how these ads perform. We also share your data with third parties we pay to provide services that require that data, like, for example, providing user analytics. In turn, those third parties are contractually obligated not to reshare your data.

It’s a lot — I get it — but the net result is that you, dear reader, get to read our content without a paywall.

We broadly spell it out for you in our privacy policy, but to know that you’d have to go looking for it and read it — something most people (including me, before writing this article) don’t actually do. Just 9 percent of Americans say they always read a privacy policy before agreeing to it, while 36 percent never do, according to a new Pew Research survey.

When you look closely, privacy policies in general can feel terribly invasive.

Fortunately for you, Vox’s privacy policy is pretty normal for a media company. It’s also quite readable in the pantheon of intentionally arcane privacy policies.

“I don’t think you guys are doing anything different than anyone else in the media ecosystem, but that doesn’t make it great,” Jennifer King, director of consumer privacy at the Center for Internet and Society at Stanford Law School, told me.

We’ve looked at a lot of other media privacy policies. The New York Times, BuzzFeed, The Atlantic, Vice — well, basically every media company — collect varying levels of personal information when you visit their sites and apps, interact with advertisements, or sign up for subscriptions. They also share that information with third parties, who in turn collect their own data.

King says the worst offenders are e-commerce sites that record your payment and other information even before you submit it and smartphone apps that require location data, essentially giving advertisers access to your address. Ad giants Google and Facebook by far know — and leverage — the most information about you.

And companies’ long, dense, and ever-changing privacy policies give little insight for regular people about when this is happening and what exactly is happening with your data. As required by the Federal Trade Commission, we update users when we change our privacy policy.

“These are not documents for end users; they’re documents for lawyers and regulatory authorities,” King said. “They’re not there to help typical users navigate what’s going on.”

Government regulation of privacy policies is lacking

While most sites have some sort of privacy policy, the content of those policies is largely unregulated. Basically, as long as the data websites are collecting is legal and users are informed of what’s being collected, it’s fair game. (Vox Media and many others read consent as simply going to our website, having had the opportunity to read our terms of use.) Unless you’re in an area like the European Union where it’s required by law, we don’t provide our own ways for you to opt out of tracking, but plenty of third parties do (more on that later). Under the EU’s General Data Protection Regulation, users see a banner with our privacy policy when they land on the site and must opt in to let us collect personal data.

Some of this is changing thanks to the California Consumer Privacy Act, or CCPA, a new regulation that’s going into effect in January 2020. It’s keeping lawyers and developers at media companies across the country very busy.

This law will allow consumers from California to opt out of the sale of their personal information, and export and delete any data that’s been collected. It doesn’t stop sites from tracking you, however. To actually stop these sites from tracking you, you will still have to use third-party products.

The law also potentially broadens the definition of what “personal information” is and what “selling” that data means. It describes “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The definition of “selling” includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” What exactly a “valuable consideration” is isn’t clear, but it potentially could include letting third parties place cookies on our site and sharing information with them that could result in our overall ad value increasing.

Despite CCPA applying only to Californians, the law will require a substantial amount of work for both Vox and our third-party partners. Here’s an abbreviated list from our legal department of what actions we’re taking:

• Reevaluating all data practices across all our sites, including recent acquisitions
• Updating our existing privacy policy to include the CCPA
• Developing a new, simpler process so that people can opt out, access, or delete the data we collect
• Assessing whether data we exchange with partners is “personal information” according to CCPA and whether that exchange/transfer would be considered a “sale”
• Developing a method by which consumers could retrieve data from partners, request deletion, and opt out of sales

The fact that legislation is arising at the state level — California, Nevada, and potentially New York — means these policies could become even more piecemeal. However, it’s likely that companies like ours will seek to be compliant with the strictest policy, for simplicity’s sake.

What can you do to better prevent sites from using your data?

This is all good news for the privacy conscious. But what should you do if you’re still uncomfortable that sites like Vox have access to your data? Get off the internet. But, more practically, here are three things you can do.

1. Update your settings on the web products you use like your browser, social media, and email clients. “They almost always have options to opt for higher privacy settings, but by default they’re usually set to a lower restrictive setting, so they can generate more profit off each user,” Daly Barnett, a staff technologist at the Electronic Frontier Foundation, told me. You can set your browser to “do not track”; however, Vox, like many other sites, chooses not to acknowledge that request. You can also use browser options like Chrome’s “Incognito” mode to keep your data from the browser, though your activity is still visible to the sites you visit.
2. Download a privacy browser extension. Barnett recommends a nonprofit product she works on called Privacy Badger, as well as uBlock Origin, AdBlock Plus, Ghostery, and Noscript. Barnett warns, however, that there’s an “arms race” between the blockers and the tracking companies, with each responding in turn to developments by the other.
3. If you live in California, as of January you can request to see or delete the data we and other websites collect.

Open Sourced is going to make readers a promise to be as transparent as possible, even if our privacy policy says different. We can’t fix everything, but we can help you be better informed about the decisions you make online — even if you don’t realize you’re making them.

Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.