Do You Know What Your Data is Doing?

The headline is a mouthful, but in the time you read this column your personal data has probably been collected by the more sophisticated vendors with whom you do business and is being used to target you for more purchases. This now-common practice might offend or it might be seen as consumer-useful.  It’s very clear, though, that artificial intelligence plays a role in selecting data capture and crafting the ad messages.

Lululemon, the chic athletic apparel purveyor, collects and uses its consumers’ data. When a customer buys at a store, she provides her email so she can be sent an electronic receipt. Her data is used by Lululemon to make gender and geographic targeting decisions. AI will analyze the customer’s visits to the company’s website, and will gather and analyze the customer’s choices (for example, what was viewed, for how long, and what was skipped). It will track and analyze a customer’s search terms. All of this data will be saved and used to create commercial messages targeting the customer’s preferences.

Probably every sophisticated seller of goods and services employs some form of data collection software and uses the data to personalize communication with customers and to predict how their customers will search.

The result is increased sales. AI software can process vast amounts of data and provide much needed intel about the seller’s target audience.

The goal of data collection is to build AI-powered experience engines that reach out and attract consumers based on their historical choices, as deduced from their personal data that has been gathered, stored and analyzed by artificial intelligence. There is plenty of cross-pollination. An airline that understands that its customers enjoy shopping at Walmart might offer points that can be redeemed there and with other known, preferred vendors.

Many question whether the aggressive collection and use of a consumer’s data violates privacy rights. Others ask whether a seller should profit from a consumer’s data when it was not freely given for the purpose used. Consumer privacy laws can give consumers the right to control the collection and use of their data, but the United States is far, far behind the European Union in enacting such laws.

While there are some federal laws governing specific data-related practices, such as those that limit collection of data for children under 13, and the use of video rental records, disclosure of some financial information and health records, there are no federal laws generally protecting consumer data from collection, use and sale. Unless a state has enacted restrictions on the collection and use of consumer data, companies can collect, use, share and even sell data.

Once the consumer’s data is sold, the buyer can resell it, and it can end up anywhere. Some websites disclose their data use policies and claim what it will and will not do with data; a violation of stated policy might be considered a deceptive trade practice. Some policies provide an opt-out, but some of the opt-outs are hard to use. Many policies inform the consumer the collector will use the data for its own purposes, and some tell the consumer the collector will share or sell data.

There are laws in Virginia, California, and Colorado that provide some protection to their residents. California’s laws are the most stringent, and they recognize a private right of action. Virginia’s laws, based on opt-out protection, are considered weak and they come without a private right of action.

Meaningful laws that actually provide protection to consumers are hard to pass. This is partly due to the pressure powerful vendors like Amazon exert on state legislators. In 2021 Amazon spent $21 million to lobby just Congress; Google spent $10 million.  No doubt they would spend heavily to protect this motherlode of valuable data.

Still, concerned consumers need to demand that state legislators pass data protection laws that allow consumers to see what of their data has been collected, to demand deletion and prevent sale or transfer. Instead of an opt-out, a data user should be required to get a consumer’s affirmative consent to collect and use the data so that the consumer affirmatively understands her data will be stored, absent a refusal.  That refusal should be made easy; where it exits now, it’s not so easy.

This all ties into AI because consumer data is the fuel that propels the personalization of commercial messaging, which occurs when data marries with a company’s AI engine. Without data, the engine can’t run, and that is why states should regulate the use of a consumer’s data.

The consumer should have a say in the matter and if consent is given, something of value should be given to the consumer in exchange — even if it’s a small discount on her favorite togs.

James B. Astrachan is a partner at Goodell, DeVries, Leech & Dann, LLP and teaches trademark and unfair competition law at University of Baltimore Law School.

If you have questions about artificial intelligence and its implications for data privacy and intellectual property, contact Jim at

This article was originally published in The Daily Record.