by a254613e 1780 days ago
I can't quite understand this article and its conclusion.

The article says: "[The extension] will collect information about the products you look at and the ones you search for".

Yet, two sentences later it says "The company behind the extension fails to comply with its legal obligations. The privacy policy is misleading in claiming that no personal data is being collected."

So which personal information is exactly included in the data submitted to their servers about the products? Because in that json example I don't see anything that would be even close to personal information.

The remote scraping/execution abilities are not great, I'll give it that. But the rest of it seems like an overblown conclusion and interpretation of how it works.


I’d assume that "products you searched for", even if only implicitly thanks to the results, is personal information. It also is not mentioned in their privacy policy, which only mentions sending on product pages.
Note: I am the author of the article above.

The history of all Amazon products you looked at or searched for is personal data, and it can tell a lot about you. Whether it is also personal data in the legal sense is not something I can say for sure. But it definitely has to be properly covered in the privacy policy, for GDPR compliance at the very least.

But it is not personal data that would identify you (PII). If someone was able to determine who I was based solely on my browsing activity on Amazon, then they've already obtained my personal information.
PII is not a term that is used in the GDPR. The person you're replying to is correct that your browsing data is likely to count as personal data given that it's linked to an individual.
No, it isn’t PII in the legal sense, it doesn’t allow identifying you directly. Which doesn’t mean that it cannot be tied to your identity. Just one example: if you regularly post to social media what you bought online, this information could be correlated with the Keepa data to find out which profile is likely yours and what else you looked at.

But GDPR doesn’t merely require you to disclose collection of PII, but rather all data collected. There is a good reason for that.