
Surveillance Capitalism

Conduct Screen Surveillance Capitalism

Companies whose business model involves deploying behavioral surveillance against their own users, customers, or subjects — extracting behavioral data, building prediction products, and monetizing them without meaningful consent. Covers surveillance capitalism (Zuboff) platforms (search, social, adtech, data brokers) and any actor that turns its own user relationship into a surveillance apparatus for commercial gain. Includes: ad-tech behavioral profiling, data brokerage, identity resolution, and financial behavioral analytics. Distinct from surveillance_tech, which covers manufacturers and vendors of surveillance tools.

28 companies currently excluded under this screen

Excluded Companies (28 total)

Showing 25 of 28 companies excluded under this screen.

Ticker Company Reason
HD Home Depot, Inc. (The) Home Depot's data privacy record begins with one of the largest retail breaches in history. From April to September 2014 attackers used credentials stolen from a third-party vendor to deploy custom malware on self-checkout systems across 2,200 stores, exposing 56 million payment cards over five months. The breach cost Home Depot $179 million in settlements: $134.5 million to banks and credit card companies, $27 million to additional financial institutions, and $17.5 million to a multistate coalition of 46 attorneys general. Home Depot's Orange Apron Media network (formerly Retail Media+) provides advertisers access to behavioral and purchase data from 198 million individual customers, enabling retargeted advertising across social media and offsite channels. In January 2023, the Office of the Privacy Commissioner of Canada found that Home Depot had been sharing customer email addresses and in-store purchase information with Meta through Meta's Offline Conversions program from 2018 through October 2022, without customer knowledge or consent. The Commissioner rejected Home Depot's argument that its privacy statements constituted adequate consent. In 2024 a class action filed under the California Invasion of Privacy Act alleged that Home Depot allowed Google's Cloud Contact Center AI to monitor and record customer service calls without consent. A separate 2023 class action alleged the company embedded session-replay software on its website to intercept users' browsing activity. Home Depot also deploys Flock Safety automated license-plate readers in its parking lots and stores. 
Although the company states it does not grant direct access to federal law enforcement, reporting by 404 Media documented that ICE agents have used Flock Safety data for immigration enforcement investigations after local police departments forwarded the data — creating what the Interfaith Center on Corporate Responsibility described in a letter to Home Depot's board as "de facto federal surveillance without transparency or consent." Home Depot stores have become frequent sites for ICE arrests targeting migrant day laborers who congregate in parking lots. In January 2026, Zevin Asset Management led a shareholder proposal with 17 co-filers asking Home Depot to evaluate and report the privacy and civil rights risks associated with sharing data with third-party surveillance vendors, including the risk of "discrimination or wrongful detention from misuse of customer data." Home Depot's own privacy policy discloses that it shares demographic information including age, race, ethnicity, and gender with "law enforcement, public and government authorities."
GOOGL Alphabet Inc. Alphabet derives over 77% of its $350 billion annual revenue from advertising fueled by behavioral data extraction across Search, YouTube, Maps, Gmail, Android, and Chrome. Shoshana Zuboff's "The Age of Surveillance Capitalism" identifies Google as the originator of the surveillance capitalism business model — the systematic conversion of personal experience into behavioral prediction products sold to advertisers. The company's products function as an integrated behavioral surveillance infrastructure covering over 4.3 billion users globally. Regulatory enforcement has been sustained and escalating. In September 2025, a federal jury in the Northern District of California awarded $425.7 million in compensatory damages after finding Google continued collecting data from third-party apps even after nearly 100 million users explicitly disabled the "Web & App Activity" setting — a practice that persisted for eight years. The same month, France's CNIL imposed a €325 million fine for displaying advertisements in Gmail without consent and placing cookies during account creation without valid consent, affecting 50 to 60 million users, with a compliance deadline backed by €100,000 per day of non-compliance. Cumulative EU enforcement includes a €150 million CNIL cookie fine (2022), the 2018 GDPR record fine of €50 million, and the European Data Protection Board's 2022 finding that Google's adtech practices violated GDPR. Alphabet has not published a human rights impact assessment covering its advertising surveillance infrastructure. The company's 2024 FTC Staff Report documents indefinite retention of behavioral data and systematic failure to protect minors across its platform ecosystem.
CART INSTACART (MAPLEBEAR INC) Instacart's core business model is built on extracting and monetizing detailed behavioral data from both customers and shoppers. The company collects granular data on shopping habits, location, spending patterns, and even in-store movements, which it uses to power its advertising and pricing algorithms. This surveillance apparatus underpins its platform economics. This model has led to specific regulatory actions grounded in deceptive data practices. In December 2025, the Federal Trade Commission (FTC) announced a $60 million penalty against Instacart for deceiving consumers. The FTC order found the company misrepresented how customer data was used and failed to obtain meaningful consent for its practices. Separately, the District of Columbia Attorney General held Instacart liable for misrepresenting and omitting material facts about variable service fees added to orders. In January 2026, New York's Attorney General demanded information regarding Instacart's algorithmic pricing, citing non-compliance with 'clear and conspicuous' disclosure requirements. The company's deployment of this surveillance for price optimization was explicitly exposed in late 2025. An investigation by Consumer Reports, cited in regulatory filings, identified "surveillance pricing" and price manipulation on the platform. Instacart was testing an AI-driven model that used collected behavioral data to dynamically adjust item prices. Following significant customer backlash and regulatory scrutiny, the company shut down these dynamic pricing experiments in December 2025.
PINS Pinterest Pinterest operates a social media platform whose business model is built on behavioral surveillance and targeted advertising. The company extracts detailed data on user interests, browsing habits, and interactions to build predictive models for ad targeting, a core monetization strategy. This surveillance apparatus functions without meaningful consent. In October 2024, privacy advocacy groups filed a formal complaint with the French data protection authority, alleging Pinterest secretly tracks European users without obtaining lawful consent, allowing the platform to unlawfully profit from personal data. The complaint centers on the platform's processing of user data for personalized advertising without a valid legal basis under the GDPR. This follows the company's documented efforts in "Ads Candidate Generation using Behavioral Sequence Modeling," which explicitly seeks to enhance advertising systems by leveraging advanced behavioral tracking. The platform's privacy policy outlines broad data collection practices, but the 2024 complaint indicates a gap between stated policy and operational reality regarding consent. Pinterest's economic reliance on surveillance-based ad targeting places it within the surveillance capitalism model, where user relationships are systematically turned into data extraction and prediction products for commercial gain.
BRZE Braze, Inc Braze operates a customer engagement platform that enables brands to collect, integrate, and leverage customer data for personalized marketing campaigns. The company’s core product is a software platform designed to orchestrate customer interactions across email, push notifications, SMS, and in-app messages based on user behavior and data signals. The platform’s functionality includes the collection and activation of customer data for real-time behavioral targeting and segmentation. While marketed for commercial engagement, the underlying data integration, predictive analytics, and automated decisioning capabilities represent a class of intelligence software that can be adapted for surveillance applications by third-party clients, including corporate or government entities. BrazeAI™ further augments this with automated content generation and optimization. Braze supplies the technical infrastructure that enables clients to execute large-scale, data-driven outreach and monitoring. The company’s positioning as a platform “built for today's on-demand, always-connected customers” underscores its role in enabling the persistent tracking and profiling of individuals. This places Braze within the ecosystem of companies providing surveillance-enabling technology to third parties.
MAR Marriott International Marriott International has been subject to enforcement actions across three separate data breaches spanning 2014 to 2022, collectively affecting approximately 344 million customers worldwide. The most significant breach originated in Starwood Hotels' reservation database in 2014, continued undetected through Marriott's 2016 acquisition of Starwood, and was disclosed in November 2018 after exposing approximately 383 million guest records including unencrypted passport numbers, payment card data, and loyalty account information. The UK Information Commissioner's Office fined Marriott GBP 18.4 million for GDPR violations. In October 2024, 49 state attorneys general and the District of Columbia reached a $52 million settlement, and Texas separately settled for $3.5 million. The FTC imposed a 20-year consent order requiring a comprehensive security overhaul, multi-factor authentication, and biennial third-party security assessments. A second breach in 2020 exposed 5.2 million guest records after hackers obtained employee credentials; a third in 2022 involved 20 GB of data exfiltrated via social engineering at a Baltimore property.
ALL ALLSTATE CORP Allstate, through its subsidiary Arity, covertly collected driving behavior data from over 45 million Americans by paying app developers to embed Arity tracking software into consumer apps including Life360, GasBuddy, Routely, and Fuel Rewards. The collected data — trillions of miles of geolocation tracking — was used to build what Arity called the "world's largest driving behavior database," which Allstate and other insurers used to justify premium increases on individual policyholders. Texas Attorney General Ken Paxton filed suit in January 2025 under the Texas Data Privacy and Security Act, the first enforcement action under that statute. The complaint alleges Allstate failed to provide clear notice or obtain informed consent before collecting and selling sensitive geolocation data. Separately, New York Attorney General Letitia James sued Allstate and subsidiary National General in 2025 over back-to-back data breaches in 2020 and 2021 that exposed driver's license numbers of more than 165,000 New Yorkers, after National General's websites displayed full driver's license numbers in plain text with minimal input.
TMUS T-MOBILE US INC T-Mobile has a documented pattern of massive data breaches spanning 2021-2023, demonstrating systemic failures in data security governance. In August 2021, attackers stole records of 47.8 million customers including SSNs, driver's license numbers, and dates of birth, resulting in a $350 million class action settlement (approved June 2023) plus $150 million in mandatory security investments. In 2022, another breach via SIM-swapping and phishing compromised internal systems. In January 2023, a misconfigured API exposed personal data for 37 million current customers. The FCC settled in September 2024 for $31.5 million ($15.75M penalty + $15.75M security investment) covering all three breaches, finding the attacks were "varied in their nature, exploitations, and apparent methods of attack" — indicating not isolated incidents but recurring governance failures. Washington State AG filed a separate lawsuit over the 2021 breach. T-Mobile was required to adopt zero trust architecture and phishing-resistant MFA, confirming the company's prior security posture was materially deficient.
META Meta Platforms, Inc. The company has broken records around the world for data privacy fines. Ireland's Data Privacy Commission assessed a $1.2 billion fine for transferring European users' data to the United States, which is the largest GDPR fine yet. The Texas Attorney General won a $1.4 billion settlement against Meta for surreptitiously building a database of biometric facial data without user consent, in violation of the Texas Capture or Use of Biometric Identifier Act. The European Commission assessed an additional $200 million fine for Meta's 'Consent or Pay' advertising model. Under this model, EU users of Facebook and Instagram had a choice between consenting to personal data combination for personalised advertising or paying a monthly subscription for an ad-free service. The Federal Trade Commission has also sought to ban Meta from collecting data on users under the age of 18 and block new product launches without a third-party assessor's confirmation that Meta's privacy program has no gaps or weaknesses.
VZ Verizon Communications Inc. Verizon Communications Inc. operates a telecommunications network that collects and monetizes customer location data as a core business activity. The company’s privacy notice discloses the collection of a wide range of personal data, including precise geolocation, device identifiers, browsing history, and app usage data, which it uses for advertising and business intelligence. This data monetization practice has resulted in significant regulatory penalties. In September 2025, the Second Circuit upheld a Federal Communications Commission order imposing a $46.9 million fine on Verizon. The penalty was for selling access to customers’ real-time location data to data aggregators without obtaining meaningful, affirmative consent, a violation that constituted 63 continuing days of non-compliance. This enforcement action followed earlier findings that Verizon and other carriers had failed to protect this sensitive information from unauthorized access.
RAMP LiveRamp Holdings Inc LiveRamp Holdings (formerly Acxiom) is a pure-play data broker whose core business is compiling detailed identity profiles on hundreds of millions of individuals and selling them to advertisers, pharmaceutical companies, and other data brokers. The company aggregates personal data from online and offline sources into unique "RampID" profiles containing names, addresses, device identifiers, and browsing histories, then monetizes them through a Data Marketplace. A class-action lawsuit (Riganian v. LiveRamp) alleges that one plaintiff's data was disclosed to at least 62 third parties including Google, Amazon, and Microsoft without consent. In July 2025 a federal judge in the Northern District of California denied LiveRamp's motion to dismiss, allowing claims of privacy violations and wiretapping to proceed. The company rebranded from Acxiom in 2018 after its connection to Cambridge Analytica's voter targeting operation was exposed.
TTD The Trade Desk Inc The Trade Desk operates a global digital advertising platform whose business model is built on behavioral surveillance. The company collects, analyzes, and monetizes detailed data on internet users' browsing habits, interests, and online behaviors to facilitate targeted advertising. This core activity—profiling individuals across the web to predict and influence their actions for commercial gain—constitutes surveillance capitalism. This data-centric model has drawn legal scrutiny. As of March 2025, The Trade Desk is a defendant in a federal data privacy litigation case in the Northern District of California (*In re The Trade Desk, Inc. Data Privacy Litigation*, Case No. 3:25-cv-02889-CRB). The company's own regulatory filings consistently cite material risks from evolving data privacy laws and consumer protection statutes like the FTC Act, which govern its core data processing activities.
T AT&T INC AT&T operates a telecommunications network that inherently collects detailed behavioral data on its customers’ location, browsing habits, and communication patterns. This data is monetized through its advertising business, AT&T Ads, which uses customer data to target ads across its own properties and through partnerships. The company’s business model turns its essential service relationship into a commercial surveillance apparatus. This surveillance infrastructure has repeatedly failed to protect the data it collects. In March 2024, AT&T confirmed a data set affecting 73 million current and former customers was released on the dark web. This followed a $177 million class-action settlement approved by a U.S. court in June 2025 to resolve litigation over a separate data breach. The scale of these incidents demonstrates systemic vulnerabilities in AT&T’s data governance.
CARG CARGURUS INC CarGurus operates an online automotive marketplace that suffered a major data breach in February 2026 when the ShinyHunters hacking group compromised 12.5 million user accounts. Attackers impersonated IT support staff and used social engineering to trick employees into providing Single Sign-On codes, bypassing multi-factor authentication to access internal systems. Exposed data included names, email addresses, phone numbers, physical addresses, IP addresses, and auto finance application outcomes. Multiple class-action lawsuits were filed in federal court alleging that CarGurus violated common law, contract law, and FTC Act obligations by failing to implement reasonable data security measures. The breach revealed systemic failures in employee security training and access controls at the company.
TTGT TECHTARGET INC TechTarget operates a global network of information technology websites and publishes editorial content covering enterprise technology, including security and surveillance products. Its coverage includes detailed technical analysis of surveillance technologies such as facial recognition systems, liveness detection for biometric verification, and cloud-based video surveillance storage. While TechTarget is a media and marketing company, not a manufacturer, its business model involves creating and monetizing content that educates enterprise buyers on the implementation and use of these surveillance systems. This positions the company as an integral part of the surveillance technology ecosystem, enabling its adoption and deployment by third-party governments and corporations.
MS Morgan Stanley Morgan Stanley paid $35M (SEC, September 2022) for failing to properly dispose of devices containing PII of approximately 15 million customers. The firm hired an unqualified moving company to decommission hard drives; devices were sold online with unencrypted data intact. In a separate incident, 42 servers with unencrypted PII went missing. Additionally, a $1M SEC penalty (2016) followed an employee accessing and transferring data on 730,000 customer accounts to a personal server, which was subsequently hacked. Morgan Stanley failed to maintain reasonable access controls for over 10 years.
LIF LIFE360 INC Life360 has a documented history of selling precise geolocation data of users — including minors — to approximately a dozen data brokers (Safegraph, X-Mode, Arity). While the company announced it would stop selling "precise" data to most brokers in 2022, it continues to monetize "driving data" through its Arity/Allstate partnership. In January 2025, the Texas AG filed a lawsuit against Allstate/Arity, naming Life360 as a primary source of data used to justify insurance premium increases without adequate consumer consent.
CSCO Cisco Systems, Inc. US Supreme Court granted cert in Cisco Systems v. Doe I (Jan 2026, case 24-856): Falun Gong plaintiffs allege Cisco designed and built the Golden Shield surveillance system with custom databases and real-time monitoring specifically engineered for violent persecution of religious minorities. Cisco allegedly tailored networking hardware to enable tracking, detention, and torture of practitioners. Center for Constitutional Rights and BHRRC are amicus parties.
ADBE Adobe Inc While Adobe markets its Firefly AI as being trained exclusively on "licensed and public domain" data to avoid copyright infringement, investigative reports (Bloomberg/Symbio6) revealed that Adobe utilized AI-generated images from competitors (e.g., Midjourney) to train its models without explicit disclosure. This "synthetic data" loop undermines Adobe's marketing claims of total provenance transparency and has led to internal ethical disputes among staff.
COR CENCORA INC In August 2025, Cencora and its subsidiary The Lash Group agreed to a $40 million class-action settlement following a February 2024 cyberattack. The breach exfiltrated the data of over 1.43 million individuals, including Social Security Numbers, health diagnoses, and prescriptions. Plaintiffs alleged Cencora was negligent in its HIPAA duties and failed to notify victims in a timely manner (taking nearly three months to start notifications).
AMZN Amazon.com, Inc. FTC/DOJ $25M civil penalty (May 2023): Amazon programmed Alexa to retain children's voice recordings indefinitely to train speech recognition models, violating COPPA. Court also ordered deletion of algorithmic models derived from illegally retained data. Separate FTC $5.8M penalty against Ring (Amazon subsidiary): employees illegally surveilled customers, failed to stop hackers from taking control of users' cameras.
HSIC HENRY SCHEIN INC Between late 2023 and early 2025, Henry Schein suffered a catastrophic series of ransomware attacks by the BlackCat (ALPHV) group. The breach compromised personal and protected health information of 166,432 individuals (names, bank accounts, SSNs). In February 2025, a $2.9M settlement was approved for a class action alleging cybersecurity failures, specifically after hackers re-encrypted data during initial restoration.
ODFL OLD DOMINION FREIGHT LINE INC Old Dominion Freight Line faces a class-action lawsuit in Illinois for violating the Biometric Information Privacy Act (BIPA). The company mandated workers use fingerprint scans to clock in/out, unlawfully collecting and retaining biometric data without proper consent or legal destruction protocols.
TGT Target Corporation Target's 2013 data breach exposed 40M+ credit cards and 110M customer records. Settlements: $39.3M federal class action (banks), $18.5M multi-state AG settlement (47 states), $67M Visa settlement, $10M customer settlement. $71M+ per ViolationTracker. Pattern of inadequate data security governance.
VRSK VERISK ANALYTICS INC Surveillance capitalism (Zuboff): Verisk Analytics — insurance data consortium collecting behavioral data from insurer customers, aggregating billions of records, selling behavioral risk analytics back to same clients; primary insurance data utility in the US

+ 3 more companies excluded under this screen
