Fair Data is the New Black: Online Shopping, Data Leaks, and Broadening the Understanding of Sustainable Fashion

Abstract

Fashion is an embodied form of culture. It builds on intimate information about the wearer, concerning e.g. body shape, size, age, weight and style. As fashion is digitalized, intimate body data is shared in online environments, which raises novel concerns about the privacy of fashion consumers. This is especially visible in online shopping, which has revolutionized fashion retail and data collection practices in fashion, particularly as concerns the secure and fair use of consumer data. We argue that the datafication of fashion should be investigated as part of sustainability discourse, and data fairness be established as a responsibility criterion. We analyzed 32 popular Finnish online clothing stores. Data management was studied by analyzing the online stores’ network traffic to third parties, investigating the transparency of their privacy policy documents and analyzing possible dark patterns in the website’s cookie banners. Our findings raise concerns over data responsibility and privacy in various areas. The analyzed websites had a high number of third-party services, averaging 5.2. Only 17 online stores out of the examined 32 (53%) clearly mentioned that they collected identifying information and product information in their privacy policies, and only five of the stores (16%) had no dark patterns in their cookie banners. Our results also suggest that several brands that are otherwise considered ethical may need to pay more attention to their fair data processing and privacy. This indicates that a wider discussion about data privacy and data handling practices is needed. Fair management of data must be part of the process of evaluating the sustainability of clothing companies.

Keywords:

• online shopping
• datafication of fashion
• data tracking
• data leaks
• dark patterns
• data waste
• fair data
• responsible fashion

Introduction

Fashion, clothes and the body have an intimate relationship. Clothes are situated between the self and the world as a kind of social skin, making intimate information such as the wearer’s gender, sexual orientation, wealth, occupation, ethnic background and their intersections—whether true or untrue—public. The embodied nature of fashion is further concretized in the development of wearable technology, including rings and smart watches (Vänskä, Hokka, and Särmäkari 2023). Fashion has become fertile ground for digital applications to be integrated into fashion objects, the fashion business and industry, and the customer experience (Kalbaska and Cantoni 2019).

Digital applications and environments are built on openness and sharing. In the context of online shopping, “sharing” is an ambiguous term. It relates, inter alia, to users giving personal information to companies in exchange for services and product development, and involves the companies passing on this data to third parties. These third parties are external organizations, such as analytics companies like Google and Meta involved in the functioning and content delivery of a website, not directly controlled by the website owner. Web stores use analytics services to gain insights and metrics related to website performance, user behavior, online marketing and user experience, but these services entail privacy concerns. We refer to data transfers to third parties as “data leaks” to emphasize their nature as potentially unnecessary and privacy-violating from the perspective of the website user, even if they do not constitute actual data breaches in the sense of unlawful access to data. We also use the concept of “dark pattern” to refer to website elements and practices that deceive the consumer, e.g. by making the rejection of cookies or opting out of personal data collection unnecessarily difficult (Waldman 2020 107; European Data Protection Board 2023, 3)¹. By “cookies” we mean small files that websites place on the user’s device to collect information about the pages the user views and the activities the user engages in on the site (Kirtley and Shally-Jensen 2019, 117; Pisano, Smith, and Badr 2022). A “cookie banner” is a notification that is displayed on websites and other apps in the form of a banner or pop-up window upon the user’s visit. It explicitly asks for users’ consent before deploying cookies.

While sharing and openness is the norm for digital devices (van Dijck 2013), the aforementioned concepts indicate that openness may come at a cost. There is a discrepancy between the initial ideas of the web as free and open for all and its current use for making unwarranted profits out of shared data. As data giants have concentrated data power and ownership to the few (van Dijck, Poell, and Waal 2018; Zuboff 2019), new developments such as the metaverse, the decentralized online parallel reality and a three-dimensional and immersive network of different platforms promises to grant simultaneous openness, data ownership and privacy protection, as well as the dismantling of the tech giants’ hold on users (Ball 2022).

The discussion on data openness vs. data privacy also connects to issues of the sustainability of fashion. Data collection that informs design is a continuation of research for user-centered purposes. Its aim is to better cater to users’ needs. Companies can and do use consumer data in positive ways, e.g. to reduce wasteful overproduction, to provide more accurate demand forecasts and thus more reasonable production schemes, to control the amount and quality of products, to abandon bulk stock and to enable smaller inventories (Alton 2018; Greene 2018). Data can also be used to enhance the shopping experience, to target marketing more accurately, and to help companies understand firstly how to develop customer communication and customers’ long-term engagement with the company, and secondly how and what customers they buy (Greene 2018). Digital tools are being developed to evaluate brands’ sustainability (Turunen and Halme 2021) and to track clothes in the blockchain to see their life spans (Chen 2023). Data-driven design and retail practices are defined as effective approaches for optimizing fashion products and their supply (Sibley et al. 2015). The rating of brands’ sustainability performance is based on these communications. For example, the German brand-comparison website Rank a Brand is known for its annual reports that provide consumers with impartial information about brands’ performance regarding sustainability and social responsibility (https://goodonyou.eco/?utm_medium=referral&utm_source=rankabrand.nl&utm_campaign=rankabrand-redirect). In the Finnish context, the NGO Pro Ethical Trade Finland (Eetti ry, https://eetti.fi/en/) conducts similar brand rankings. We used the latter’s sustainability rankings in our own analysis to investigate the data practices of the best- and worst-ranked brands.

While technological innovations may play a role in the ethical transformation of the fashion industry, they also conjure up new questions about ethics, fairness and sustainability. How do companies use the personal data gathered from consumers? We argue that to meet the requirements of social sustainability, a brand must handle user data with care, and be as open about its uses as it is about its production chain. According to the UN, social sustainability is about “identifying and managing business impacts, both positive and negative, on people,” including customers (United Nations Global Compact n.d.). The production chain must abide by principles of fairness and transparency, and so must the management of data waste (Bietti and Vatanparast 2020). Furthermore, it has been suggested that the ESG (environmental, social and corporate governance) model could include data as one area. This could include privacy protection and responsible data sharing, but also an environmental aspect: energy efficiency of data use and the minimization of data collection. In general, data responsibility and the sustainable use and management of data can be regarded as one part of a wider corporate social responsibility (CSR) framework, overarching all its areas (Parikka and Härkönen 2020, 4-5, 19; COM(2020) 66 final; Allen and Peloza 2015).

We use the terms “personal data” and “data waste” to explain problems with data gathering practices from legal and societal perspectives, and to tackle issues of ethical handling of data connected to legislation. We use the term “personal data” in the same sense as the EU General Data Protection Regulation (GDPR)² does, referring to any information based on which a person can be directly or indirectly identified. Identifiers can include name, location data or an online identifier, or the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Article 4(1) of the GDPR).

“Data waste” generally refers to the harmful environmental impact of data-driven infrastructures, such as digital platforms, AI system development and use, and blockchain-based technologies that have become a broader social problem (Bietti and Vatanparast 2020). Data waste also refers to “dark data”, i.e. data that is collected but not used. It is estimated that even 70–90% of collected data is not turned into business insights and therefore causes unnecessary energy and storage waste (Podder & Singh n.d.). It is important to investigate data waste in both senses, as a practice that results in collecting and storing too much unnecessary personal data that, unless efficiently regulated, may negatively impact both the environment and individuals (Bietti and Vatanparast 2020 7). In the context of this article, we have especially focused on data collection that causes problems with privacy, and have consciously left closer analysis of environmental impacts to a separate study. We argue that dealing with data is a significant and extensive part of a brand’s sustainability: it is important that consumers know not only how their clothes are made, but also what energy-efficient technologies and renewable energy sources are used in a company’s digital services, and, especially, why and how consumer data is gathered, how it is used and whether it is transmitted further to third parties.

Clearly, third-party services on websites often produce data waste, as they consume energy by using computational power. More importantly, they also jeopardize users’ privacy, which raises ethical questions about social sustainability. There are several reasons why fair data practices and privacy are crucial for social sustainability. The right to safety, also in the digital world, can be considered a part of social sustainability (Eizenberg and Jabareen 2017). Protecting individuals' privacy creates a safer and more secure digital environment, promoting cohesion and social sustainability. Additionally, robust privacy practices protect many vulnerable groups from exploitation. Unless proper measures are taken, certain demographics, especially those that are socially marginalized, may be disproportionately affected and discriminated against (e.g. Nikunen 2021 2). Fair data processing practices contribute to the protection of these groups, which enhances social sustainability. At the same time, this expedites progress toward a more equitable and inclusive society. Finally, fair data practices, such as transparency, foster a culture of accountability, responsibility and ethical behavior, which are important elements of social sustainability.

This article is the first to identify, discuss and develop a framework to address ethical and fair data processing practices of fashion brands from the perspective of consumer privacy. We bring together expertise from fashion studies, computer science and the law to open discussion on the complex, multifaceted and multidisciplinary discourse that affects shopping for fashion in our data-driven culture. We focus on a scenario in which the user browses products in a web shop and purchases clothing. We then analyze the effects that third-party analytics on websites have on individuals and their privacy, as well as on the wider development of data-driven fashion cultures. We address the question of fair use of data from the perspective of 32 online clothing stores frequently used by Finnish consumers. Our study involves analyzing network traffic bleeding to third parties in the selected online clothing stores, studying the personal data found in the traffic and the third parties receiving it. Each online clothing store is assessed in terms of the number of third parties it leaks data to. The nature of personal data leaked to third parties is also studied and leaked data items are categorized. We also analyze the privacy policy documents for transparency and accuracy. Finally, we analyze cookie consent banners of the websites to see whether they include dark patterns that deceptively encourage users to accept cookies and data collection. All these aspects together provide insight into the fairness of data processing and a method for measuring how ethical and fair online clothing stores’ data processing practices are.

Through fashion, we raise questions about the effects on privacy of datafication. Although the concerns we raise apply to online shopping in general, we also claim that certain issues are fashion-specific. Purchasing clothes online requires sharing intimate physiological data about the shopper that is interpreted as protectable personal data under the GDPR, the EU’s flagship law. We also propose that fair and ethical use of data forms part of the broader debate on the sustainability and social responsibility of fashion. Alongside ranking brands’ sustainability in terms of production, a new evaluation criterion should be developed to measure brands’ openness about their data practices. This comprises brands’ fair or unfair use of personal data and should be accounted for in the overall evaluation of brand sustainability.

Datafication of online shopping

Since the 1990s, with ubiquitous access, the Internet and social media platforms have become common and important shopping sites, especially among young people (Kim, Wang, and Malthouse 2015). Especially during and after the Covid-19 pandemic, Finland witnessed a surge in the number of online shops, and fashion shopping rapidly shifted from brick-and-mortar retailers to online shops and shopping platforms (Posti 2022). Compared to traditional shopping, online shopping has many advantages: convenience, information availability, price comparability, benefiting from earlier purchasers’ reviews, and shopping from any location (Aziz and Wahid 2018).

With the digital transformation, shopping has gone beyond the buying and selling of products to become quantified and data-driven, or datafied (Rocamora 2022). By “datafication of fashion” we refer to social actions such as shopping for clothes, and items such as the clothes themselves being transformed into quantifiable data. Datafication of online shopping refers to ways in which owners of websites and platforms gather, quantify, use and monetize data they extract from individuals who use the shopping site or platform. In principle, users (in our case online shoppers) provide personal information such as age, size and gender to the product and service providers. This data is connected to the items browsed and purchased, creating an identifiable profile of the shopper.

The datafication of shopping has several positive effects. The collected data can be utilized in designing clothes and personalizing them to consumer groups or individuals (Sibley et al. 2015). It can be used for predicting consumer behavior or for more accurate trend forecasting. Fashion companies, marketers and advertisers have always aimed to shape customer behavior through priming, suggestion, social comparison and trend forecasting (Kim, Fiore, and Kim 2011; Lynch and Strauss 2007). They have used demographics to analyze socioeconomic data such as gender, age, income, relationship status, and ethnicity, or tools such as focus groups or customer loyalty programs to gain information about how to create selling points that target consumers (Shaw and Koumbis 2017). Computing has made fashion forecasting and consumer behavior prediction an increasingly important area in developing computer vision and machine learning (Liu et al. 2016). Data-driven trend forecasting tools are also in the making. Currently these emerging systems rely on computational image and object analysis, as well as analysis of comments and likes (Zhao, Li, and Sun 2021); however, there is no reason why these systems could not address individuals and their personal information more extensively.

Datafication can also be used to build customer-company relationships. The better a company knows the customers and what they want, the better the shopping experience can become, and a longstanding relationship between the company and the customer can be built. Datafication can create an experience of affinity with the platform when the website algorithms begin to recommend products based on previous purchases and browsing history. Getting to know the customer and their assumed tastes, wants and needs is based on employing a ubiquitous digital architecture that can automate the continuous monitoring and shaping of the shopper’s online behavior with unprecedented accuracy, intimacy, and effectiveness. For example, Amazon, one of the world’s largest online stores and also popular among Finnish online shoppers, makes extensive use of user data to better understand what kinds of clothes customers like and want, and which recommendations to make (Luce, 2019 126). The relationship between the company and the customer is furthered by self-built or externally provided size and fit recommendation systems and virtual fit solutions. They help customers find and purchase clothes that match their size, body type, fit and other preferences (Januszkiewicz et al. 2017). On the one hand, this information helps people buy well-fitting items and reduces the need to order multiple sizes. On the other hand, it creates a detailed digital persona of the consumer.

Overall, data collection may seem harmless; it is part of making the online experience smooth and building a good customer relationship (Abbott, Stone, and Buttle 2001). However, the datafication of shopping also raises concerns over trust, privacy and safeguarding of personal information, which are reasons for some consumers not to buy online (Acquisti, Taylor, and Wagman 2016; Jai and King 2016; Eurostat 2020). Finnish online shoppers fear that their personal information is abused (Akter 2020). These concerns are not unfounded and open discussion about the authorized and unauthorized commercial use of personal data is needed. Online shopping is based on trust: that products meet the promised criteria and are delivered, that card payments are secure, that the return policy is respected—and that consumer data is used fairly.

Fair data

Fair data should be seen as a value that aligns with the wider principles that guide the practices of sustainability. Sustainability is a normative concept that explains what people value. Sustainability has three dimensions or “pillars”: environmental, economic, and social (Purvis, Mao, and Robinson 2019). They are monitored via a plethora of practices by companies, consumers, NGOs and, increasingly, the law. We maintain that the datafication of culture and everyday life, including online shopping, sets new demands for sustainability from the perspective of data use. Since people value privacy and the knowledge of how their data is used, monitoring data practices should be regarded as the “fourth pillar” of sustainability. Since collecting user data has become such an important part of online shopping, and since companies use data mining and analytics technology to extract large amounts of personal data, including online shopping history and social media preferences, consumers should be well informed in order to evaluate the benefits and risks of releasing their personal information (Jai, Burns, and King 2013). This is the core of fair data practices. By “fair data” we mean personal data provided by consumers not being abused and meeting the customer’s reasonable expectations. And online shop should not share personal information with third parties without consumers’ consent.

EU data protection law has addressed excessive personal data collection and unfair use of data by setting principles of data minimization, fairness and transparency, requiring that organizations only collect necessary personal data for predefined purposes and that the collection is in line with the expectations of the person whose data is collected (Article 5 of the GDPR; Council of Europe 2018, 118). The GDPR has set the standard for data protection laws globally (COM (2020) 264 final, 3; Bradford 2020 133).³ One key element of fair data is that the information and options concerning personal data processing are provided in an objective and neutral way, avoiding any deceptive or manipulative language or design (European Data Protection Board 2020, 18). Misleading information enables excessive data collection and compromises users’ privacy, allowing data transfers to third parties.

Fair data is ever more important, as the networked shopping environment has handed over the tracking and linking of consumers’ personal data and online actions across platforms, often without their knowledge or explicit consent, to just a few tech giants. It matters because website and platform owners have also become owners and routine leakers of consumer data to third parties for the purpose of making additional profit, e.g. through customized marketing (van Dijck, Poell, and Waal 2018). Fair data is also important because leaking data has transformed data gathering into a behavioral surplus; into part of a process in which all of life in all its details becomes useful for capital. We are not against datafication per se; we criticize the unfair data practices that benefit companies at the cost of the consumers and, to quote Couldry and Mejias (2019), “colonize them”. Online user data is not gathered out of the companies’ altruistic desire to create better products, services or consumer experiences, but to predict, shape, mold—manipulate—consumers’ future behavior (Zuboff 2019). Unfairness means that data gathering and leaking are no longer a tradeoff between consumers and companies but a new means to control and profit from people. Datafication is a problem when it becomes a euphemism for practices that make humans a source of free raw material for the companies and that cater for “surveillance capitalism” (Zuboff 2019). The concept refers to aims of laying claim to private experiences and translating them into fungible commodities. The discourses of colonization and surveillance capitalism refer to the fear that the digital milieu is instrumentalized to transform people into data hubs or money bags from which intimate information can be milked for profit. It also means that companies are interested in consumers only insofar as they are free raw material for profit-making: that goods and services are a handy means to lure consumers before stripping them of their personal autonomy. In this scenario, the act of online shopping is part and parcel of unlimited data extraction operations to gain control over masses. To achieve this, products and services function as a mere smoke screen.

To prevent the aforementioned dystopia, discussion is needed on fair data practices, including accountability, openness, transparency and trustworthiness, as is the development of tools and practices that enable users to own and control their personal data. From the perspective of data protection law and an individual’s right to privacy and data protection, fair data particularly means the minimization of personal data collection. It should be mandatory for companies to follow fair data principles set in legislation, and also to understand them as an important element in creating a trusted online environment. To summarize, fair data means being transparent about uses of data, safeguarding privacy, granting users access to their data, being open about transferring data to third parties, enabling users to download their own data and allowing them to be forgotten if they so choose (Nikunen and Hokka 2020).

Fashion companies, like any organization, should process data in a fair manner throughout their operations, from collecting and storing to using and/or sharing it. Being fair applies to any situation or functionality where there is a possibility that data is leaked to or shared with third parties. Fairness, interpreted in the context of sustainable fashion, should also include methods to diminish and manage data waste, i.e. the collection and storing of unnecessary data. All this amounts to demanding that practices related to data gathering and its use, as well as to how clearly and understandably these practices are communicated to users, be considered an important aspect of a company’s sustainability performance. Since contemporary business operations are becoming data-driven, focus on fair data practices should be recognized as the cornerstone of building a trust-based relationship with customers.

It has in fact been shown that when an online store’s privacy policy is salient and accessible, consumers are more willing to pay premium prices (Tsai et al. 2011). Caring for privacy therefore benefits both the online retailer and the fashion consumer and can also be used as an element of building a responsible brand.

Study setting and method

To initiate the discussion on fair use of user data in the field of fashion, we analyzed the data processing practices of 32 online clothing stores frequently used by consumers in Finland. The network traffic of the websites was analyzed to find out what kind of personal data is leaked to third parties when a customer buys clothes. The most popular online clothing stores in Finland were taken from a list provided by Posti (the Finnish mail delivery company). In addition, the top and bottom five most and least responsible clothing stores were taken from a report by the nonprofit organization Pro Ethical Trade Finland (Vaateränkkäykset 2021). Through this, we assessed whether companies known for their sustainability are also responsible in how they handle customers' personal data. The selected online stores are shown in Table 1. We also collected information on the selected brands’ revenues to show the scale of the companies. This information was retrieved from freely available sources, Wikipedia, Vainu⁴ and Asiakastieto⁵.

Table 1. The selected online clothing stores.

Name	Description	Revenue
Alibaba	Chinese technology company specializing in e-commerce, retail, Internet, and technology.	US$ 135 B (2022)
Alpa	Finnish ecological knitwear company.	US$ 2.7 M (2022)
Amazon	American multinational technology company focusing on e-commerce, cloud computing, online advertising, digital streaming, and artificial intelligence.	US$ 514 B (2022)
Billebeino	Finnish ecological lifestyle brand.	US$ 4.4 M (2021)
Cellbes	Swedish post-order store.	US$ 50.9 M (2021)
Disturb	Finnish online store.	US$ 2.1 M (2022)
eBay	American multinational e-commerce company.	US$ 9.8 B (2022)
Ellos	Swedish post-order and e-commerce company.	US$ 48.0 M (2021)
Finlayson	Finnish textile company.	US$ 43.6 M (2021)
FRENN	Finnish ecological menswear label.	US$ 307 K (2022)
Gudrun Sjöden	Swedish sustainable women’s fashion label and retail chain.	US$ 13.8 M (2021)
H&M	Swedish mass fashion clothing company.	US$ 369 M (2021)
IVALO.COM	Marketplace for sustainable fashion.	US$ 289 K (2021)
Ivana Helsinki	Finnish independent fashion, art and film label.	US$ 771 K (2021)
Lindex	Finnish mass fashion label.	US$ 73.1 M (2021)
L-Fashion Group	Finnish consolidated corporation of multiple sportswear brands. The accountability of these brands has been ranked low.	US$ 162.7 M (2021)
Marimekko	Finnish textile, clothing and lifestyle design company renowned for its original prints and colors.	US$ 162.6 M (2021)
Nelly	Nordic e-commerce fashion platform.	US$ 6.2 M (2022)
NOOM	The Finnish department store Stockmann's own women's fashion label.	US$ 961.4 M (2021) (Department store Stockmann’s revenue)
Nosh	Ethical Finnish womenswear brand.	US$ 12.8 M (2022)
PaaPii	Ethical Finnish textile, lifestyle and clothing company targeting women, men and children.	US$ 2.6 M (2022)
Papu	Ethical Finnish clothing and lifestyle brand targeting women and children.	US$ 3.3 M (2021)
Partioaitta	Finnish outdoor clothing brand.	US$ 40.5 M (2021)
Prisma	Finnish retail chain offering a wide range of products.	US$ 14.4 B (2022) (S Group’s revenue)
Pure Waste	Finnish company which produces garments only of recycled fibers.	US$ 3.1M (2021)
Scandinavian Outdoor	Finnish retail and online store that sells outdoor clothing and equipment.	US$ 28.1 M (2022)
Shein	Chinese online fast fashion retailer.	US$ 24 B (2022)
Stockmann	Iconic Finnish department store.	US$ 961.4 M (2021)
Varusteleka	Specialist store for military surplus, outdoor and camping gear.	US$ 19.9 M (2022)
Wish	American online marketplace.	US$ 2.1 B (2022)
Zalando	Publicly traded German online retailer of shoes, fashion and beauty.	US$ 30.7 M (2021)
Zara	Spanish multinational retail mass fashion clothing chain.	US$ 21 B (2021)

Table 2. Product information sent to third parties.

Data item	Number of online stores (max. 32)	Percentage
Product name	31	97.0%
Product price	27	84.4%
Product category	24	75.0%
Add to cart event	22	68.8%
Product ID	19	59.4%
Used currency	16	50.0%
Number of pieces	15	46.9%
Product size	10	31.3%
Product color	8	25.0%

The websites were analyzed using the Google Chrome browser. We started the analysis by navigating to the front page of the clothing store, clearing the browser cache and cookies, and reloading the page. Under EU e-privacy law, personal data collection by cookies requires receiving valid consent from the website user (Article 5 of the ePrivacy Directive)⁶. The GDPR’s consent provisions together with the ePrivacy Directive’s requirements demand the use of cookie banners on websites (Articles 6 and 7 of the GDPR; Article 5 of the ePrivacy Directive). This applies regardless of where the website is based, as the website owners must inform the users located in the EU about personal data collection and request their consent for installing cookies (see e.g. Soe, Santos, and Slavkovik 2022). Thus, EU data protection laws have widespread effects globally (Bradford, 2020 133-134), including on clothing stores based outside of the EU. From reloading onwards, while navigating the store website, we recorded the network traffic using Chrome’s Developer Tools and stored the recordings in HAR (HTTP Archive) files. We also collected the privacy policy documents from the websites and saved screenshots of cookie consent banners for further analysis.

On arrival on the websites, we gave full consent to cookies and analytics. Cookies can improve the browsing experience by allowing sites to remember preferences or by letting the user avoid signing in each time a certain site is visited. They may also constitute a privacy risk by tracking visited sites. We started the testing sequence from the front page, moving on to a product category or collection. Next, we chose a product, opened its product page, chose a size and color, and added the product in question to the shopping cart. As the final step, we proceeded to the checkout page.

The recorded network traffic was studied and any data identifying a specific user sent to third-party services was extracted from the log file. Identifying personal data items such as IP addresses, device identifiers and other technical details were listed. In the context of online clothing stores, it is also particularly interesting to see what kind of data is sent to third parties about product viewing and purchase intentions. Any product-related data transferred to third-party services was also extracted from the traffic log files.

In addition to the technical experiments described above, the privacy policy documents of the online clothing stores were analyzed to determine whether the collected personal data (identifying information and data concerning the products the user viewed or intended to purchase) and the third parties receiving the data were appropriately reported. In other words, the fairness and transparency of data collection and sharing were assessed. Two researchers read the privacy policy documents and discussed discrepancies arising from differing interpretations or mistakes, until an agreement was reached.

When arriving on the clothing store websites, cookie banners were also analyzed. To assess how appropriate and fair they were, we used two criteria designed by the Cookie Banner Taskforce of the European Data Protection Board⁷. First, we studied whether there was a button to immediately reject the cookies on the first layer of the cookie banner. The undesirable practice of not including the immediate reject button is called Type A practice. Secondly, we analyzed whether deceptive button colors or contrasts were used to surreptitiously persuade the user into accepting the cookies (Type E and D practices). The deceptive button colors or lack of clearness are a “dark pattern,” i.e. a design feature that can mislead users to accept data gathering which they may not wish to do.⁸

Analyzing the network traffic, studying privacy policies and assessing the cookie banners for dark patterns was intended to measure the fair data practices of the company when processing data and informing users. They should align with values of transparency, choice and trust: users should easily find out the uses of their data, have a clear option to choose how their data is used by the company, and have the opportunity to opt out of its use without uncertainties. This creates data fairness: trust that the company handles users’ personal data in a responsible, reasonable and lawful way and that the company protects the rights of users and reduces risks to their privacy.

Results

Third-party services on online clothing store websites

The bar chart in Figure 1 shows the number of third-party services on each online clothing store's website. It ranged from a single third-party service to a staggering 12 services. At the bottom of the chart, NOOM (est. 2008), a mid-range women’s mass fashion brand owned by the Finnish department store Stockmann (est. 1862), had the highest number of third-party services (12), followed by the Finnish outdoor and camping store Partioaitta (est. 1942) (10). Cellbes, a Swedish post-order store (est. 1954), the iconic Finnish textile company Finlayson (est.1820), and the Swedish mass fashion company H&M (est. 1943) were also in the top five with nine third-party services each. Marimekko (est. 1951), a Finnish textile, clothing and lifestyle company known across the world, also ranked quite high with eight third-party services. Out of companies whose brand image is built on sustainable fashion, ones that stood out were the Swedish women’s fashion label Gudrun Sjödén (est. 1976) and the Finnish sustainable fashion marketplace Ivalo.com (est. 2015), with four third-party services, and the Finnish brand Pure Waste (est. 2013), which produces garments out of recycled fibers, with six. When it comes to sharing data with third parties, the abovementioned companies do not appear to be very privacy-friendly or data-responsible in their data processing practices. It is especially noteworthy when they are companies that explicitly claim to represent sustainable development in fashion, considering that fair data processing practices such as avoiding excessive collection of data should be part of companies’ pursuits to be ethically viable.

Figure 1 The number of third-party services in online clothing stores.

The found third-party services were mostly analytics services, which are important for targeted advertising, for helping online stores to keep track of how users navigate on the website, and for achieving business goals. However, since third-party services often have overlapping functionality and largely collect the same data, one can wonder whether a company derives genuine benefit from using several analytics services, and whether it is worth sacrificing consumers’ privacy for by sending personal data to many external parties and locations. The analytics services often collect more data than the company needs. Moreover, using numerous third-party services creates more data waste and slows down the website’s loading speed. It is also possible to analyze consumer behavior and website performance without revealing private information to third parties by using tools that store data locally instead of leaking it to a third party (Gamalielsson et al. 2021). In this light, it is hard to justify using a wide array of third-party services on one website or disseminating personal data to several different parties.

At the other end of the bar chart are Amazon (est. 1994), with a single third-party service, and eBay (est. 1995), the Finnish sustainable menswear label FRENN (est. 2012), Stockmann’s “money-making machine” Lindex (est. 1954), and the German online shoe, fashion and cosmetics retailer Zalando (est. 2008), with two services each. As Amazon is a huge company capable of collecting analytics and advertising by itself, it likely does not want to give any valuable data to its competitors, and thus the lack of third-party services is hardly surprising. It seems that the online stores with the fewest third-party services have consciously reduced the number of analytics tools instead of hoarding third-party data collectors that may not ultimately provide much value. It is also worth noting that Ivana Helsinki (est. 1998), one of the best-known Finnish fashion brands in the United States, does relatively well with three third-party services. Overall, websites used 5.2 third-party services on average. Considering that these services often have similar purposes—targeted marketing and enhancing consumer experiences—one could argue against sustainable fashion brands embedding too many third parties on their websites.

Figure 2 shows the third parties that received data from the studied online clothing stores. Each third party was only counted once per one website, although there may be several connections to it. For instance, 31 separate online stores used Google’s services (usually Google Analytics). Facebook was close behind with 28 online stores. This highlights the significant prevalence of the analytics services provided by the two tech giants, which allows these third parties to effectively track users, learn their preferences and build detailed user profiles. The L-Fashion Group website was the only one which was not tracked by either Google or Facebook. Microsoft came third with 13 online stores. It is worth noting that personal data was also being collected by many social media companies such as Pinterest, TikTok and Twitter, which people may not often consider analytics companies.

Figure 2 The third-party services which received data from clothing store websites. Each third party is counted only once per website.

Network traffic analysis of leaked data

The data items found and analyzed in the network traffic can be divided into two groups: 1) data items used to identify a specific consumer, and 2) contextual data items related to their actions, such as information on purchases. The identifying information transmitted to third parties typically includes technical details such as IP addresses, unique identifiers for both devices and users, data on the operating system and browser and their versions, as well as other technical information like screen size (Heino et al. 2022). The device’s IP address, which is transmitted with every web request, is often an important piece of data when identifying a specific user (Mishra et al. 2020), e.g. for targeted advertising. “Targeted advertising” refers to the practice of displaying advertisements to specific user groups based on their demographic, behavioral or other characteristics (Liu et al. 2013). To make targeting possible, data about users’ browsing activity, interests, personal details and preferences is gathered by various means, such as cookies. It is safe to assume that with the collected personal data and technical details, large analytics companies can effectively identify individual consumers.

When a consumer is identified, the contextual information associated with them becomes valuable. It turned out that all found data items were related to products consumers were viewing or intending to buy. The different pieces of product information sent to third parties are listed in Table 2. It is worth noting that every online store sent product information to third parties. Of this data, the name of the product was the most frequently sent piece of information (31 out of 32, or 97.0% of the studied stores). Product names come in many different forms and may sometimes contain other product attributes such as color. Details on the price and product category were also frequently sent out, as this data is important for effective target marketing, recommendations, product optimization and personalization. The “add to cart” event, when combined with a specific product, is a valuable indication of the user’s intent to buy. The product ID was also sent to third parties by most online stores, although the value and usability of this data may be limited, as product IDs usually vary from store to store. Other details delivered to third parties included currency, number of ordered products, size and color.

Table 3. The analysis of mentions of collected data in privacy policy documents.

Clothing store	Is the collection of identifying personal information mentioned?	Is the collection of product information mentioned?
Alibaba	X	X
Alpa		X
Amazon	X	X
Billebeino	X
Cellbes		X
Disturb	X	X
Ebay	X
Ellos	X	X
Finlayson	X	X
FRENN
Gudrun Sjödén		X
H&M	X	X
Ivalo.com	X
Ivana Helsinki
Lindex	X	X
L-Fashion Group	X	X
Marimekko	X
Nanso	X	X
Nelly	X
NOOM (Stockmann)	X	X
Nosh	X
PaaPii		X
Papu	X
Partioaitta	X
Prisma	X	X
Pure Waste
Scandinavian Outdoor	X	X
Shein	X	X
Varusteleka	X	X
Wish	X	X
Zalando	X	X
Zara	X	X

Privacy policies and cookie consent banners

Out of the 32 studied online clothing stores, only one, Ivana Helsinki, entirely lacked a privacy policy document—there was only a broken link that was supposed to lead to it. Making available a privacy statement is a prerequisite for the transparency of data processing, and informing consumers about personal data processing is mandatory under the GDPR (Articles 12–14 of the GDPR). If consumers are not adequately informed about personal data collection, they cannot effectively control and make informed decisions about the use of their data. Therefore, we analyzed the privacy policy documents of 31 stores, listed in Table 3. The aim was to find out whether the collection of identifying personal data and product information were mentioned. In other words, we assessed whether consumers were properly informed that their individual preferences and shopping behavior were recorded and tracked. The results show that seven out of 31 stores did not clearly mention that identifying information was collected. The ones that mentioned it often revealed that device identifiers, IP addresses or simply consumers’ “digital footprints” were recorded. When users were informed, the used terms were abstract and fairly unclear. Similarly, 11 out of 31 stores did not mention data collecting, giving users no knowledge that their purchases were surveilled. Privacy policies can discuss the collection of product information in many ways. Most of them only mentioned “product information” without specifying what that entailed. Zalando, on the other hand, was the only store that listed the collected product attributes (product name, size, color, etc.) in an accurate and detailed manner. The privacy policies of 17 stores clearly mentioned both types of collected data, the identifying personal information and the product information. Two stores—FRENN and Pure Waste—did not mention either type, even though both brands claim to be sustainable. Although it is inevitably a matter of interpretation whether something is mentioned clearly and accurately enough in a privacy policy, the fact that only half of the stores were found to properly report the collection of two analyzed data types is a cause for concern. If users have no way of understanding data collection practices because of poor transparency, or if it is not mentioned in the first place, they cannot make informed decisions when choosing a web store and protecting their privacy.

Table 4. Dark patterns found in the cookie banners of online stores.

Table 4 shows the dark patterns found when analyzing the cookie banners. The color red indicates that a specific dark pattern was found, while green indicates it was not. Seven of the studied stores—Disturb, FRENN, Gudrun Sjödén, Ivalo.com, Ivana Helsinki, Paapii and Pure Waste—had no cookie banners and did not ask for consent for cookies and third-party services. These stores’ rows are marked in black, as dark patterns cannot be assessed. This left us with 24 stores with cookie banners. Among these stores, Cellbes, Ellos, Finlayson, Papu and Zara did poorly, exhibiting all of the four studied dark patterns. Only five online stores—Ebay, H&M, Marimekko, NOOM and Shein—achieved a perfect score. NOOM’s good result is interesting, because contrasted with its poor result in having the highest number of third-party services.

Table 5. Summary of responsible and irresponsible clothing stores.

Most of the clothing stores had at least one shortcoming in their cookie banners. For instance, only 11 out of 25 stores provided an option to reject cookies on the same view as the accept button. The other cookie banners required at least two clicks to reject cookies. The stores fared better with pre-ticked boxes: 18 out of 25 did not have them. A pre-ticked box suggests that the consumer has already given the consent, whether they have or not. Pre-ticked boxes are not considered a valid form of consent under the GDPR (recital 32 of the preamble to the GDPR), as the user must provide consent by a clear affirmative act. Thus, free consent is given only when the user ticks the box themselves. The case with colors and contrast between accept and reject buttons was the worst of all studied dark patterns—only five stores out of 25 used colors and contrasts that did not unfairly entice the user to press the accept button. In conclusion, the clear majority of the analyzed cookie banners contained at least one dark pattern, making it more difficult for consumers to reject cookies and data transfers to third parties, and to make a truly informed decision.

Fair use of data

We also compared the overall responsibility of the clothing stores to evaluate data fairness. Table 5 summarizes the findings regarding dark patterns and third parties that have been assessed to be the most responsible or irresponsible by Pro Ethical Trade Finland. Companies ranked as responsible did not do that well in terms of fair data, meaning that they did not clearly demonstrate the options users have in deciding about the uses of their personal data. In fact, when it comes to the five most responsible and five least responsible clothing brands, the latter performed better. While this finding should not be interpreted to mean that irresponsible brands are better in the digital world, it certainly shows that brands that are otherwise responsible do not always pay sufficient attention to fair handling of consumer data. Even though privacy and fair data should be an integral part of today’s supply chains, it appears they are not yet considered as components of responsibility and sustainability.

Table 5 also shows that three out of the five most sustainable companies—FRENN, Pure Waste and PaaPii—did not even have cookie banners. Therefore, the user is not even given the chance of opting out of data collection. The other two sustainable fashion brands, Papu and Alpa, failed almost every dark pattern test, which makes informed decisions much more difficult. The results of the five least responsible brands were better, but not by much. Ivana Helsinki did not have a cookie banner, Billebeino failed all dark pattern tests except for pre-ticked boxes. The L-Fashion Group (Luhta, Rukka and YourFACE) and Nanso had issues with colors and contrasts of cookie banner buttons, making it harder to understand what consumers consent to. Lastly, NOOM sends mixed messages by not showing any dark patterns but still including an excessive number of third parties on its website. It is obvious that the overall responsibility of the studied brands does not correlate with fair data practices or avoiding dark patterns. These findings highlight a blind spot that the companies should observe if they claim to be responsible.

Discussion

Collecting consumer data has become an integral part of online shopping. As we have shown, personal data collection by third parties is widespread and companies fare differently in letting consumers know about it and being transparent about the uses of collected data. Our key findings are:

• The studied online clothing stores included an average of 5.2 third-party services, the highest number being 12. Excessive third-party services put consumers’ privacy at risk, as data is stored in several locations, often without consumers’ knowledge. At the same time, data waste is created and resources are wasted.

• Only 17 out of 32 online stores were found to properly and transparently inform consumers about collecting identifying personal data and information on purchased products. Only five stores asked for permission to use cookies and analytics services without using any dark patterns in their cookie banners.

• The fashion brands considered as responsible and sustainable by Eetti ry did not do any better than the allegedly irresponsible ones in terms of fair data processing, which is understood as limiting data collection by third parties, avoiding dark patterns, and informing consumers transparently.

Along with attitudes toward responsibility and fair data processing, the practical software development process and website design have to change to solve the privacy challenges introduced by datafication. For example, the ready-made web store platforms used by developers to create online clothing stores often readily offer the option of easily adding third-party analytics services, which makes it easy to enable tracking, often without fully realizing that personal data is also delivered to the third party providing the service. Companies and brands should be mindful of what kind of personal data flows out of their online stores when they design the sites and their functions. It is worth carefully considering whether using third-party services provide so much value that it is worth sacrificing the customers’ privacy for and potentially creating data waste, and whether using several such services can be justified. Our findings suggest that these issues have not been given much consideration, paving the way for the dystopia of data colonization and surveillance capitalism (Couldry and Mejias 2019; Zuboff 2019). Even if consumer data were not deliberately leaked by the company, it can still be used for manipulation by the service provider. Sustainable brands should resign from any practices that transform consumers into free raw material.

Our analysis also gave surprising results in terms of cookie banners and dark patterns. The findings on Shein were unexpected: it has been criticized for unsustainability on all fronts of production, but it gets a good score in avoiding dark patterns. The opposite was true for FRENN and Pure Waste: both ranked well in terms of climate, environmental, human rights and transparency in Pro Ethical Trade Finland’s ranking (Vaateränkkäykset 2021), but did less well in their data practices. Fair data practices do not necessarily translate to fair production models but can support unfair ones. The explicitly data-driven Shein tracks users, collects vast amounts of data on what they view and like, and uses it to instruct its factories to produce garments faster at a lower cost than its competitors. Shein’s seemingly fair data practices actually feed into unsustainability: in rankings it fares poorly in design, garment quality, production, labor conditions, animal welfare and brand values (Wolfe 2023). Data collection must thus always be measured in combination with an evaluation of production methods to draw conclusions about a brand’s sustainability. In the case of FRENN and Pure Waste, in contrast, ethical production methods do not necessarily entail ethically sound data handling—perhaps due to a lack of knowledge and training on data collection, both being small companies that do not necessarily have personnel that focuses on data and analytics practices. This calls for action to educate brands on how ethical production and fair data practices are linked and form part of a company’s sustainability.

Our results indicate that many online clothing stores have failed to write clear privacy policies containing appropriate information about data processing. This would greatly improve if the nature of leaked personal data and the third parties were accurately and transparently mentioned. Finally, the state of cookie banners was poor, probably due to the fact that in many cases ready-made cookie management solutions were used without realizing how many dark patterns they contain. One explaining factor for dark patterns and poor cookie notices is that while, for example, the use of pre-ticked boxes has explicitly been rejected by the GDPR (recital 32 of the preamble to the GDPR), data protection laws do not set forth clear, unified rules on how to implement fair cookie banners and to avoid dark patterns. In recent years, this gap has gradually been filled by case law (e.g. C-61/19 - Orange Romania) and guidelines of the EU (European Data Protection Board 2020, 2023; Report of Cookie Banner Taskforce). 

Due to the complexity of legal requirements, the fashion industry, particularly small and medium-sized companies, would benefit from having clear instructions on how to build fair cookie banners and write clear privacy policies. Based on the results of our study, data responsibility and privacy awareness training offered to companies could include areas such as minimization, alternatives to using third-party analytics services on websites, balancing business needs against data privacy, and responsible use of social media platforms. In addition, user testing of transparency practices is recommended to ensure that users understand how their data is being shared and are offered a fair chance of choosing whether they agree to tracking.

Concluding remarks

Datafication has made shopping more than just buying and selling products; it has become an act that turns browsing, selecting and purchasing, as well clothes and consumers’ bodies into quantifiable data that companies can gather, store, use, manipulate and share with third parties. The datafication of online shopping is built on unselfish ideals, such as creating a solid customer-company relationship, providing better products and services, and catering for a positive experience of the company. At its best, datafication can be used to humanize the rather technical act of shopping when the website algorithm learns what types of products the customer likes and is interested in. But datafication also raises concerns, especially ones related to the managing of intimate personal data collected from fashion consumers. In some bleak scenarios, datafication means the colonization and controlling of people. This may become a reality if data is not managed with care and consumers’ right to privacy is violated. When companies accumulate and use data, they must be ethical and transparent, especially if they want to be regarded as sustainable.

Fair data evaluation should be included in the analyses, criteria and rankings of the sustainability and responsibility of fashion companies. Network analysis of data transfers to third parties, analysis of the transparency of privacy policies, and assessment of the presence of dark patterns on websites can be used as criteria of fair data evaluation. It is important to note, however, that they may not cover all considerations of fair data processing, as companies also handle personal data in their internal systems. Nonetheless, insights into critical parts of the supply chain where large technology companies have the best chance to capture the customer’s valuable personal data are a good starting point.

Further research should be carried out on measuring the data waste produced by fashion companies: if they gather and store data that they do not need, they also consume unnecessarily high quantities of electricity. Failing to control and limit data gathering leads to data waste, which slows down system performance, results in longer processing times and ultimately causes higher costs and energy wastage. The datafication of fashion affects both the environmental and social aspects of fashion, as well as the behavior of fashion producers and the whole culture of fashion. Data and algorithms have become new powerful players and gatekeepers in fashion. Technological standards and infrastructures shape human behavior, culture and the everyday lives of people, and online shopping is only one mundane example of this. Therefore, fashion companies as well as technology developers should scrutinize the impact of their practices on consumers. Our article lays a ground for further analysis of the implications of datafication for fashion consumption, brand-customer relationships, as well as fashion culture and design on a wider scale.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This study was supported by the Strategic Research Council.

Notes on contributors

Annamari Vänskä

Annamari Vänskä PhD is Senior University Lecturer at the Department of Design at Aalto University, Finland. Her research focuses on fashion and visual culture, and digitalization of creative work from the perspective of gender studies and queer theory. She is currently the Deputy-PI of the consortium “Intimacy in Data-Driven Culture” and PI of the research project “Intimacy, Creative Work and Design,” funded by the Strategic Research Council (2019-2025). [email protected]

Sampsa Rauti

Sampsa Rauti is a university teacher and a PhD student at the Department of Computing, University of Turku, Finland. His research areas include software security and privacy, with a current focus on online privacy and third-party data leaks. He has authored over 90 peer-reviewed international publications.

Timi Heino

Timi Heino is a research assistant at the Department of Computing, University of Turku, Finland. He studies third-party data leaks in the “Intimacy in Data-Driven Culture” project.

Robin Carlsson

Robin Carlsson is a research assistant at the Department of Computing, University of Turku, Finland. He studies third-party data leaks in the “Intimacy in Data-Driven Culture” project.

Sini Mickelsson

Sini Mickelsson is a doctoral researcher in the Faculty of Law at the University of Turku and practicing data protection specialist (CIPP/E). Her research focuses on data protection law and in particular the justifications of sharing and reusing sensitive data.

Natalia Särmäkari

Natalia Särmäkari is a postdoctoral researcher in the Department of Design at Aalto University School of Arts, Design and Architecture and a fashion professional. Her research concentrates on the culture, practices and ethical issues of digital fashion.

Notes

1 In its guidelines the EDPB has referred to “dark patterns” as “deceptive patterns” as the word “deceptive” is more inclusive and descriptive (European Data Protection Board 2023, 8).

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. OJ L 119, 4.5.2016, 1–88.

3 The fundamental principles of data protection law, such as notice and consent, as well as data minimization and purpose limitation, affecting the GDPR have their roots in earlier global and local privacy standards such as the OECD Privacy Guidelines and the Federal Trade Commission’s Fair Information Processing Principles (OECD Privacy Guidelines of 1980; OECD 2002, 14–16; FTC’s FIPPs of 1998, Federal Trade Commission 1988, 15–16).

4 A company data platform that uses sales intelligence software to collect company information (https://www.vainu.com/).

5 A platform that provides information on businesses in Finland and the Nordic countries (https://www.asiakastieto.fi/).

6 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). OJ L 201, 31.7.2002, 37. (“ePrivacy Directive”).

7 A report of the work undertaken by the Cookie Banner Taskforce of the European Data Protection Board, available at https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf.

8 Dark patterns used on websites can also include features that pressure users into spending. These features can include countdown timers, notices of other customers being interested in the same item, possibilities to save credit card information, providing a one-click checkout option and so on (e.g. Bain 2022).