Problems with Affiliate Sharing

Companies are not as protective of private information as users would like them to be. Without users' awareness, personal information flows through affiliate networks to other entities with whom the users may have no relationship. The average user cannot be expected to know the corporate families to which these websites belong. In our study, we found that it is impossible for a user to discover exactly who these affiliates are, even if they took the time to ask.

Privacy law has typically treated third party information sharing differently than affiliate sharing. Third party information sharing is often subject to more restrictions, including opt-in or opt-out consent requirements. These restrictions are based upon the heightened risk associated with sharing information with unrelated entities, which may have different incentives than the company that collected the information. The law on affiliate sharing generally is more permissive. Incentives for security and fair treatment of data are assumed to exist among affiliates. However, given the large size of affiliate networks, the fact that many affiliates are essentially unrelated entities with different business models in entirely different fields, and the practical challenge of identifying their size and scope, the more liberal treatment of affiliate sharing should be reexamined.

Recommendations

Full Disclosure

We recommend that websites disclose all affiliates with whom they may share user data.

Greater User Control

We recommend that websites request permission from users before sharing data about them with any party, regardless of affiliation.