
The shadow data market: Privacy risks lurking in forgotten information


Contributors:

Jennifer Dickey

AIGP, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Data Privacy and AI Associate Attorney

Dykema

In today's digital age, consumers are increasingly aware of their privacy rights, and when they request that their data be deleted, they often believe it is gone for good. The reality, however, is more complex.

Even when organizations comply with data deletion requests, a persistent and overlooked issue looms in the background: shadow data.

This hidden trove of data not only undermines compliance with laws like the California Consumer Privacy Act and the EU General Data Protection Regulation but also fuels a thriving secondary market in which data brokers monetize this forgotten data for advertising, analytics and more.

What is shadow data?

Shadow data refers to unmanaged or forgotten copies of personal information that reside in backups, archives or third-party systems. These forgotten fragments of data create a range of privacy risks, from regulatory noncompliance to significant security vulnerabilities, and also contribute to a thriving secondary market for personal data.

Shadow data emerges from the complexities of modern data management. Even when organizations strive for transparency and compliance, technical and operational realities often get in the way. For example, backups made for disaster recovery purposes might inadvertently retain data long after a deletion request has been processed. Similarly, legacy systems with outdated architectures can make it difficult to trace and fully erase data.

This problem is compounded when organizations work with third-party vendors or partners to process data. Once personal information is shared outside the organization, ensuring its proper deletion becomes significantly more challenging. Without strict oversight, these third parties may inadvertently or intentionally retain data in systems beyond the reach of the original controller.
