The other day, a woman walked into a mall. She visited several stores, among them Macy's, Starbucks, Nordstrom's, an interior design shop, a paint store, and finally the Apple store.
She didn't buy in each one, but in cases where she did, she gave quite a bit of information about herself to the store in order to make her purchase. In fact, she gave quite a bit of information to each store and she didn't realize it. It wasn't long before she was inundated with coupons, offers, ideas for purchase, calendar of sales, and various other items related to her trip to the mall. It was as if she returned to her car and found all this under her windshield wiper. These coupons and offers were from the stores she visited, but from other stores that offered the same or similar products. At first she wondered, "Is someone following me?" At that point, her smartphone buzzed, and she had an email. Target was letting her know there was a sale on dresses from a designer she had recently purchased.
The mall the woman walked into was the internet, and there was somebody following her. But that somebody wasn't just one person. It was a large number of people. Faceless, nameless people collecting data on sites she visited so they could tell what she was interested in from her clicking, what online stores she visited, on her purchase decisions, whether she got to that store by clicking on an ad, as well as other data points. If this had happened in real life, as described above, how would you react? Certainly there are laws against this, you'd think? Not really. If I chose to sit in the mall and just pay attention to where you went, then visited each store to peek and see what you purchased, and then leave coupons on your car, you are limited in your ability to stop me. Laws exist to prevent stalking, but if I'm sneaky enough, you may never even notice me.
On the internet, this is happening every day. The tracking, in some cases, is persitent. There are cookies, dropped on your computer or on websites you visit, which may last up to 30 years. There are also pixels, little dots (more or less), that track what you watch and where you go, and relay that information back to a database. There are tags on web pages and ads that can drop cookies that last momentarily on your computer which send information from your computer, or your behavior on a site, back to a database. All this is happening and you don't notice...and hopefully you don't care.
Maybe you noticed, after you visited a paint store online, that your email box started serving Benjamin Moore ads. You may have thought this was probably just coincidence, right? Or after visiting a dress store online, Talbot's ads were suddenly appearing. Just luck on their part...
Not at all. This is deliberate, and plays a very important role in marketing known as 'recency'. The goal of advertising is to reach somebody consistently and build brand awareness and loyalty. Another goal is to generate leads for future purchase. Yet another is to generate direct sales now. Recency plays into all these goals. A directive of recency is to find somebody with a mindset geared toward purchase, and direct their attention to your product now! Another is to hit a consumer, when they are thinking of making a purchase, with a brand name, so they associate the desire to buy with the brand displayed.
Most publishers of websites are very wary of this behavior on the part of information collectors. Reputable sites limit the amount of this that goes on. All large well-known publishers deny the ability of data collectors to get Personally Identifiable Information (PII). If advertisers want PII, they have to ask you for it, and you have to provide it on your own, giving permission by filling out a form. Getting PII is known as 'opt-in'. All other forms of data collection, anonymous or semi-anonymous, are 'opt-out'. Why? Because opt-out is the best way to build a database, and as long as the data is mostly anonymous, who cares? The problem is that if you follow a user long enough, you can piece together almost a perfect picture of who that user is and what they like, all without PII. Opt-out information can work as well as opt-in, if you build the data properly, and you don't need anyone's approval.
Not all PII is on your computer - companies are also targeting smartphones which has loads of data about who you are and where you are:
As it announced that it would in the second half of 2011, Apple has begun to reject apps in its Apple App Store that use a device's universal device identifier (UDID), which is an long, alphanumeric code that is unique to each Apple device. Ad networks use UDIDs to track, better collect information on and target users through how they are using the apps and services on that particular device.
All this information heads back to a database. Your name may not show up anywhere. All you appear to be, in their database, is a unique number which quantifies "computer X, a user who happens to enjoy football, basketball, home repairs, and is looking to buy a car, lives in zip code XXXXX, has children and is about 45 years old and male." Doesn't sound too threatening. An issue arises when those 'coupons, flyers, leaflets' and various other items start appearing on your computer in the form of advertising. They will be geared toward your behaviors, so you'll see ads for Home Depot, Stubhub, and the latest model cars offered at dealers lots. A little creepy, but they still don't know who you are. That is, they don't know you're Tom Smith. But they may know your IP address, which happens to belong to Tom Smith. If you think this is only happening online, you're wrong. It is, however, far more common online.
Where the rubber hits the road is when advertisers can start to link your name and your address to this information. This is happening, in a small way. Every time you get a form online that was prompted by a site you visit, and you willingly fill it out, that site or its advertisers collect your data and link it to other data they've already collected. They do this via a variety of methods, and one of the best is overlaying data from various resources.
Most reputable sites avoid this, and publishers are seeking to create guidelines and policies to limit data collection. Others are more interested in just making a buck. As a result, it's important to find ways to protect yourself, and hope the reputable web publishers can provide an extra layer of protection. Make no mistake, the government will not help, even if they want to. Even if the government were involved, you would not be pleased to know who is cozying up to the lawmakers. It happens to be data vendors who see their revenue streams in peril due to a potential privacy backlash. The government may make noise about providing protection to private citizens. Remember, there is no Constitutional right to privacy. We shouldn't have to expect the government to provide much in the way of protection aside from some words (they did a great job regulating other industries, didn't they?) and mild oversight. The fact is, the best source for protection are the sites themselves. Self-regulation is taken very seriously, as is enforcement. Part of my job is to shut down vendors who behave in a manner inconsistent with the policies we have in place for privacy and data protection.
Some steps you can take to protect yourself: First, on your browser, click on "Tools", then "Options". Clear your history and cookies at least once a day. 
Set your history to be cleared when you close the browser. This is minimal, but useful protection. Second, if you see an ad with the "Ad Choices" logo, click the logo. Follow the steps to "Opt Out" of being followed. It is also a minimal layer of protection, but still worth taking. Fewer than 1% of the people who click on this follow it through to completion, a fact advertisers use to justify their view that privacy is not valued by internet users. Finally, remember that if you click on an ad which takes you to a social media site, they can collect large amounts of data with relative ease. Social media sites make money from your information, so they are not shy about collecting it. Neither are large email (Spam) list providers.
If you click an ad which asks you to fill out a form, it goes without saying that you should do so only if you are absolutely sure who the advertiser is and why they are collecting that data. If you're asked to fill out a form and you haven't clicked an ad, definitely don't fill it out! Lord knows who it is or why they are collecting data.
Most sites make money by providing users with information and entertainment. It is important to many online publishers to generate your trust and loyalty. 
You may feel uncomfortable thinking they are looking out for your best interest, but most actually are. Unfortunately, you will have a hard time telling who those sites are, unless you're willing to look into their privacy guidelines and see if they are "OBA Compliant". This term means they are working under strict rules about privacy management. Rules that need to be much stricter, but are very good for now. Usually you can find out if they are compliant if they have a logo like this on their page somewhere:
In the end, it's worth remembering two things. First, the government may have strong words about protecting your online privacy, but if it gets involved it will set rules that benefit a politician's loudest and highest-paying supporters. Companies that play fast and loose have very high profit margins, and can afford good lobbyists. Secondly, while all companies are trying to make money off your behaviors, there are some which are more interested in just taking information from you than providing you much benefit in return. You can be sure that most large, reputable publishers will at least give you value back for the limited pieces of information they have collected. In the end, however, you still have to take steps to protect yourself because whether you're walking through a dark parking lot or browsing the web on your home computer, you still have to be aware of your surroundings.
