Data Protection

What is Data Shadow?

The invisible collection of data about you that you never directly provided — inferred from your behavior, derived from other people's data, purchased from data brokers, or generated by algorithms analyzing your patterns.

Also known as: Shadow Profile, Inferred Data, Data You Didn't Share

Your data shadow is everything companies know about you that you never told them. It's often larger than the data you've explicitly shared.

How Data Shadows Are Created

Inferred Data

Companies use algorithms to infer personal attributes:

  • Pregnancy prediction: Target famously identified a pregnant teen before her father knew, based on purchase patterns
  • Political affiliation: Inferred from browsing habits, media consumption, and location data
  • Income level: Inferred from ZIP code, device type, and shopping patterns
  • Health conditions: Inferred from search queries, app usage, and purchase history
  • Sexual orientation: Inferred from app usage, browsing, and social connections

Contact Sharing

When friends upload their contacts:

  • Facebook builds "shadow profiles" of non-users from uploaded contact lists
  • Google gains your phone number and email from others' contacts
  • LinkedIn suggests connections based on contacts others have shared

Cross-Reference Data

  • Data brokers merge records from multiple sources to build comprehensive profiles
  • A single matching data point (email, phone, address) links records across datasets
  • Your offline purchases (loyalty cards, public records) are merged with online behavior

Location Data

  • Your phone broadcasts location data that companies collect and sell
  • Even with location turned "off," cell tower data and WiFi scans reveal approximate location
  • Location data reveals where you live, work, worship, receive medical care, and who you visit

The Facebook Shadow Profile

Facebook builds profiles on people who have never created an account:

  • Friends upload contacts containing your phone number and email
  • Websites with Facebook Pixel track your browsing
  • The "Like" button loads on millions of sites, tracking visitors
  • Facebook can build a detailed profile without you ever visiting facebook.com

Why You Can't See It

  • GDPR requires access to "personal data," but companies argue inferred data is their intellectual property
  • No US federal law requires companies to show you inferred data
  • Even where data access rights exist, companies often provide only the data you explicitly gave them — not the inferences drawn from it
  • The most valuable and sensitive data about you is often data you never provided

What You Can Do

  1. Request your data under GDPR/CCPA — Specifically ask for inferred and derived data
  2. Minimize data generation — Use privacy tools that prevent tracking data from being created
  3. Don't upload contacts — When apps request contact access, say no
  4. Use ad blockers — Prevent tracking scripts from building behavioral profiles
  5. Opt out of data brokers — Reduce the cross-reference data available about you
  6. Use aliases and separate identities — Make it harder to link records across platforms
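
The linking step described under Cross-Reference Data, and the effect of step 6 above, shown as an added example that is not from the original page: a small record-linkage routine (union-find over normalized identifiers). The source names, record layout, and every identifier are constructed for illustration.

```python
from collections import defaultdict

def normalize(kind, value):
    """Canonicalize an identifier so formatting differences still match."""
    value = value.strip().lower()
    if kind == "phone":
        # Keep digits only and drop any country-code prefix.
        value = "".join(ch for ch in value if ch.isdigit())[-10:]
    return (kind, value)

def link_records(records):
    """Group records sharing any identifier, directly or transitively."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # normalized identifier -> index of first record holding it
    for idx, rec in enumerate(records):
        for kind, value in rec["ids"].items():
            key = normalize(kind, value)
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])  # one match merges
            else:
                first_seen[key] = idx

    clusters = defaultdict(set)
    for idx, rec in enumerate(records):
        clusters[find(idx)].add(rec["source"])
    return sorted(sorted(c) for c in clusters.values())

# Constructed sample data: all addresses and numbers below are invented.
SHARED = [
    {"source": "loyalty_card", "ids": {"email": "Pat@Example.com", "phone": "(555) 010-0199"}},
    {"source": "contact_upload", "ids": {"phone": "+1 555 010 0199"}},
    {"source": "web_signup", "ids": {"email": "pat@example.com"}},
]
# Same person, but a distinct alias and number per service (step 6).
ALIASED = [
    {"source": "loyalty_card", "ids": {"email": "shop-7f3a@alias.example", "phone": "555-010-0142"}},
    {"source": "contact_upload", "ids": {"phone": "+1 555 010 0199"}},
    {"source": "web_signup", "ids": {"email": "news-c91e@alias.example"}},
]

if __name__ == "__main__":
    print("shared identifiers :", link_records(SHARED))
    print("per-service aliases:", link_records(ALIASED))
```

With shared identifiers the three sources collapse into one profile; with per-service aliases they stay three unlinked records.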
