You’d be amazed at how precisely companies can tailor their advertising based on your data. You’d be even more amazed at where — and how easily — they find it.

“The one that people are most surprised by is location-based targeting,” said Timothy Zercher, president and CEO of Pueblo-based EasySocial, which manages online marketing and advertising efforts across the United States. “That’s data on where they are right now, where they have been, where they live, where they work. In business marketing we can say, ‘We want to target only people who visited this dental office — because they’re our competitors — and we want only people who visited that dental office four months ago, because they’ll be ready for their six-month checkup in a couple of weeks.’

“I mean it’s creepy, but it’s also really, really powerful for businesses.”

Marketers can also segment location data to target only people who live in a certain area, work in a certain area, or even people who attended a certain conference on a certain day — by using Google Images to map the location of the conference center within the shape of a hotel, for example, then targeting anyone whose location data shows them entering that specific space.

People know their smartphones track their location, but they often don’t know — or they forget — how many other apps collect and sell GPS data.

Guardian Mobile’s “Location Data Monetization in iOS Apps” report, released in September, found a growing number of iOS apps are being used to “covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms.

- Advertisement -

“In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information,” the report said.

Every location data monetization firm listed in the report was collecting Bluetooth LE beacon data, GPS longitude and latitude, WiFi SSID (network name) and BSSID (network MAC address) from app users. Some were also collecting timestamps for departure and arrival to a location, accelerometer information, advertising identifier, cellular network name and GPS altitude and/or speed.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation,” the report said.

Researchers listed examples of popular iOS apps confirmed to be sending user data to third-party data monetization firms. They included social networking app ASKfm, fitness app C25K 5K Trainer, shopping app Coupon Sherpa, Gas Buddy,, beauty app Perfect365, NOAA Weather Radar, photo storage app Photobucket and QuakeFeed Earthquake Alerts.

If those apps aren’t on your phone, don’t relax. Countless others gather specific location data — and users give permission without much thought about where it will end up.

“I’ll give you an example: Snapchat is very privacy-focused,” Zercher said, “but almost everyone gives it express permission to track their location because that’s an actual feature of the app — you can see where your friends are and your friends can see where you are. If they turn that feature off, they actually lose a whole feature of the app. So we might not have the ability to buy GPS location from something like Facebook — although everyone also allows that because they want to be able to check in — but if I turn off my Facebook [location] but I allow Snapchat [location], well, we can still go and buy that data.”

Want more? Marketers and advertisers also target consumers based on the apps they download (a Zillow download means you might be interested in buying a house) and by layering first-party data (like email addresses) with third-party data (like location).

“There are a lot of ways companies will use [layering],” Zercher said. “For instance if you’ve bought a certain product online, they can take that email address and say, ‘These people already bought our Android 1, so we’re going to advertise to them for the Android 2 because they’re already clearly interested. We don’t have to bombard their email inbox, because no one reads those anyway; we’ll just deliver ads to them everywhere they go, about this.’”

Other data that’s collected and sold, Zercher said, includes “basically anything that’s ever been typed into a web browser or read on a web browser.

“We can target people based on past searches on Google or Bing, or current searches obviously; and we can target them based on the fact that they read two articles on this topic. It’s pretty effective. … That information especially, there’s almost no limits on who can buy and sell what pages you’ve seen.”

In the United States, at least, it’s all perfectly legal.

“There’s a whole universe of data brokerage, data transfers and profiling which most consumers know nothing about,” said Katharine Kemp, an expert in consumer protection and data privacy at the University of New South Wales in Sydney, Australia. “It’s invisible to us. … The [Federal Trade Commission] conducted an investigation into the data brokerage industry several years ago which would be a big eye-opener for most people, but still likely just shows the tip of the iceberg.”

“Right now there’s actually very, very few — if any — laws on [how far afield your data can be sold] in the U.S.,” Zercher said, adding he expects increased regulation, but not anytime soon.

“A lot of the restrictions are politically driven, so long-term I’m sure that there will be some legislation on this kind of advertising and what you can use people’s information for, how far it can go, how far it spreads from the original person who got the information,” he said. “I’m sure that will be something that the U.S. will look at. A couple of states are already doing it. Europe did it this year, and I’m sure that the U.S. will be — behind. I don’t want to say ‘close behind,’ because this is not a regulation-friendly administration.”

But data collection and sales — and data-driven marketing — are very, very business-friendly.

“[The amount a business can save] is really enormous,” Zercher said. “I can give you a great example. We had a client that hired us mid-summer and prior to hiring us they’d spent $10,000 on traditional ads, and they had generated zero new business. The service they offer is quite expensive — about $12,000 a pop — so one sale would’ve made that up. It wasn’t that big of a goal to shoot for.

“Then they hired us, and month one we did a campaign just using Facebook targeting, so really basic-level targeting. I think our total expenses including all of our fees was $1,100 — and we generated four customers for them. That was 3,500 percent return in one month. And they had been doing that other campaign for four months.

“Then the next month we did hyper-targeting. We did location-based targeting of people who work in a very specific industry that needs this service, and we spent a total on that one of, I think, $1,200 and we generated nine clients for them.

“For businesses there’s almost no downside,” Zercher added. “For consumers, if you tend to be a little bit more paranoid, I can definitely see how it would be scary.”

“Data brokerage firms collect your personal information from various companies you’ve dealt with and combine it with information they buy from each other as well as some publicly available information to build profiles on you made up of thousands of data points,” Kemp said. “Then they put you in certain lists based on what they’ve discovered and sell those lists to companies who want to know about you. You don’t know which lists you’re on. It could be ‘Diabetes Interest,’ ‘Cholesterol Focus,’ ‘Financially Challenged,’ ‘Urban Scramble.’

“Based on your list, you might be targeted with certain products, or charged higher prices or interest rates, or excluded from certain offers.”

Editor’s note: This is the first in a two-part series. Next week, the Business Journal looks at the explosion of data collection and use — and its dark side.

Disclosure: CSBJ Digital Editor Helen Robinson and Katharine Kemp, who is cited in this article, are related.