BreachExpress

Cybersecurity, explained for the rest of us.

VPN & Privacy

What 'we may share with partners' actually means in privacy policies

Margot 'Magic' Thorne@magicthorneJune 30, 202612 min read
Abstract visualization of data flowing from a single source to multiple connected nodes representing partner companies

You read "we may share your information with partners" in a privacy policy and keep scrolling. The sentence feels vague enough to ignore. But that one line authorizes the company to send your data to dozens or hundreds of other organizations, most of which you've never heard of, under terms you didn't negotiate.

The word "partners" does heavy lifting in privacy policies. It sounds collaborative, almost friendly. In practice, it describes a sprawling network of advertising platforms, analytics firms, data brokers, payment processors, cloud providers, email services, customer support tools, and anyone else the company does business with who touches user data.

Here's what actually happens when you agree to share with partners, who gets access, and what you can realistically control.

The partner ecosystem operates in layers

When you create an account or use a service, your data doesn't stay with that one company. It flows outward through a multi-tiered system of partners, subprocessors, and third-party vendors.

Layer 1: Operational partners. These are the services the company needs to function. Payment processors like Stripe or PayPal handle transactions. Cloud hosting providers like AWS or Google Cloud store your data. Email platforms like SendGrid or Mailchimp deliver messages. Customer support tools like Zendesk or Intercom manage tickets. These partners see your data because the core service can't operate without them.

Layer 2: Analytics and tracking partners. Google Analytics, Mixpanel, Segment, Amplitude, and similar tools collect behavioral data to measure how you use the service. They track clicks, page views, session duration, feature usage, and conversion funnels. The data feeds dashboards that inform product decisions, but it also builds profiles that extend far beyond the single service you're using.

Layer 3: Advertising partners. Ad networks like Google Ads, Meta Audience Network, and programmatic exchanges buy access to your behavioral data to serve targeted ads. These partners don't just see what you do on the service where you agreed to the policy. They correlate that activity with data from other sites and apps to build cross-platform profiles.

Layer 4: Data brokers and aggregators. Some companies sell or license data to brokers who compile dossiers on millions of people. These brokers combine purchase history, browsing behavior, location data, and demographic information from hundreds of sources. Your data from one service becomes a data point in a much larger profile sold to marketers, insurers, employers, and others.

Layer 5: Subprocessors and downstream vendors. Partners have their own partners. A payment processor might use fraud detection services. An analytics platform might store data with a cloud provider. A cloud provider might use subcontractors for specific regions. Each layer introduces additional entities with access to your data, often without direct disclosure in the original privacy policy.

The FTC has documented cases where data shared with "partners" traveled through five or more organizations before reaching its final destination. Each handoff creates risk. Each new entity operates under its own privacy policy, which you never agreed to and probably can't access.

Revenue drives the partner model

Companies share data with partners because it generates money. Advertising is the clearest example. When you use a free service, your behavioral data becomes the product. The company sells access to advertisers who want to reach people like you.

But revenue motives extend beyond ads. Analytics platforms offer free or discounted tools in exchange for access to aggregated user data. Payment processors charge lower fees when they can use transaction data for fraud detection models that they sell to other clients. Cloud providers negotiate volume discounts by mining usage patterns across customers.

Some companies explicitly sell data. Others license it. Many claim they only share "aggregate" or "anonymized" data, but research from organizations like EPIC has shown that combining anonymized datasets can often re-identify individuals. The protection is weaker than the language suggests.

Even when companies don't directly profit from data sharing, they benefit indirectly. Offering integrations with popular partners makes the service more attractive. Using industry-standard analytics tools helps the company compete. Partnering with established payment processors builds trust. The economic incentives all point toward maximum sharing within legal boundaries.

Legal frameworks create disclosure loopholes

Privacy laws in the U.S. generally don't require companies to name every partner. The FTC enforces rules against deceptive practices, but "we may share with partners" isn't considered deceptive if it's technically accurate, even if it's uninformative.

California's CCPA and Europe's GDPR impose stricter requirements. Companies operating in those jurisdictions must disclose categories of third parties and, in some cases, provide lists of specific partners. But even under these laws, companies often satisfy disclosure requirements with vague categories like "advertising partners" or "service providers" without naming names.

Subprocessor lists exist for some services, particularly those handling sensitive data like healthcare or financial information. But these lists are usually buried in legal documentation, updated irregularly, and written in language that assumes you know the difference between a data processor and a data controller.

The European Data Protection Board has issued guidance on transparency requirements, but enforcement varies by country and depends on regulatory capacity. In practice, most users never see a complete picture of where their data goes.

Categories of partners obscure individual entities

Privacy policies typically group partners into categories rather than listing specific companies. You'll see phrases like "advertising partners," "analytics providers," "payment processors," and "service providers." These categories can include dozens or hundreds of individual companies.

Some policies provide examples. "We work with advertising partners such as Google and Meta." But the word "such as" signals that the list is illustrative, not exhaustive. The actual number of partners is usually far larger than the examples suggest.

A 2023 FTC report found that major social media platforms shared data with more than 600 distinct third-party entities on average. Most users, when surveyed, estimated the number at fewer than 10. The gap between perception and reality is not accidental. Vague language serves the company's interests by minimizing user concern while maintaining legal compliance.

Some companies publish subprocessor lists or partner directories in separate documents linked from the privacy policy. These lists are more transparent, but they're also more technical. They assume you know what a CDN is, what a DMP does, and why a company needs 47 different analytics tools.

Consent mechanisms vary widely in effectiveness

Most privacy policies present data sharing as a condition of using the service. You can't opt out without opting out entirely. But some jurisdictions require more granular controls.

Under GDPR, companies must obtain explicit consent for non-essential data processing. This has led to cookie consent banners that let you accept or reject categories of partners. In theory, you can block advertising partners while allowing operational ones. In practice, the interfaces are designed to make acceptance easier than rejection. "Accept all" is a single button. Rejecting requires navigating multiple menus, toggling dozens of switches, and often repeating the process on every visit.

CCPA gives California residents the right to opt out of data sales. Companies must provide a "Do Not Sell My Personal Information" link. But what counts as a "sale" is narrowly defined. Sharing data with partners for "business purposes" doesn't qualify. The opt-out often covers less than you'd expect.

Some platforms offer privacy settings that let you limit specific types of sharing. You can turn off ad personalization, block third-party cookies, or restrict data access for certain apps. But these controls are scattered across account settings, platform-specific tools, and browser configurations. There's no single switch that stops all partner sharing.

Browser-based tools like Privacy Badger from the EFF can block some third-party trackers automatically. But they can't stop server-side data sharing, where the company sends your information to partners directly, outside your browser's visibility.

Server-side sharing is invisible to users

Most people think of data sharing in terms of cookies and tracking pixels. These are client-side technologies that run in your browser, where tools like ad blockers can intercept them. But a growing share of partner data sharing happens server-side, where your browser never sees it.

When you make a purchase, the company sends transaction details to its payment processor. That's server-side sharing. When you contact support, the company logs the conversation in a CRM tool hosted by a third party. Server-side. When you use a feature that relies on machine learning, the company might send your input to a cloud AI service for processing. Also server-side.

These transactions don't show up in your browser's network tab. Ad blockers can't stop them. Privacy Badger can't see them. They happen entirely within the company's infrastructure, between servers you don't control.

Some companies disclose server-side sharing in their privacy policies, but the language is often technical and buried. "We use third-party service providers to process transactions, store data, and deliver services." That sentence could mean anything from a single payment processor to a hundred different vendors touching your data at various points.

The Mozilla Privacy Principles emphasize transparency and user control, but even well-intentioned companies struggle to provide meaningful visibility into server-side data flows. The architecture of modern web services makes comprehensive disclosure difficult.

Data retention policies compound the problem

When a company shares your data with partners, those partners often retain it longer than the original service does. Privacy policies typically address the company's own retention practices but say little about what partners do with the data after receiving it.

A company might delete your account data 90 days after you close your account. But if that data was already shared with an analytics partner, the partner's retention policy governs how long it persists. Some analytics platforms keep data for years. Some advertising networks retain behavioral profiles indefinitely. Some data brokers never delete anything.

The original privacy policy rarely specifies retention terms for partners. It might say "partners are contractually required to protect your data," but that doesn't mean they're required to delete it on the same timeline.

Even when companies claim to anonymize data before sharing, anonymization isn't permanent. Researchers have repeatedly demonstrated that combining anonymized datasets can re-identify individuals. A 2019 study found that 99.98% of Americans could be re-identified from anonymized datasets using just 15 demographic attributes. The data you thought was anonymized five years ago might become personally identifiable tomorrow when a new dataset becomes available for cross-referencing.

Cross-device tracking links your activity across platforms

Partners don't just see your activity on one service. They correlate it across devices and platforms to build unified profiles.

Here's how it works. You visit a website on your laptop. An advertising partner drops a cookie in your browser. Later, you open an app on your phone. The app shares your device ID with the same advertising partner. The partner matches the cookie to the device ID using probabilistic techniques or deterministic identifiers like your email address. Now the partner knows that the person who browsed Product X on a laptop is the same person who uses App Y on a phone.

This cross-device tracking happens because multiple services share data with the same partners. Google, Meta, and other large ad networks appear in hundreds of thousands of privacy policies. When dozens of apps and websites share your data with the same partner, that partner can assemble a detailed profile of your behavior across digital contexts.

Privacy policies acknowledge this in vague terms. "Our partners may combine information from multiple sources." But they don't explain the scale or precision of the correlation. Users often assume their activity on different devices is separate. It's not.

Legal protections vary by jurisdiction and data type

If you're in California, CCPA gives you rights to know what data is collected, request deletion, and opt out of sales. If you're in Europe, GDPR provides stronger protections, including the right to data portability and stricter consent requirements.

If you're in most other U.S. states, you have far fewer rights. The FTC can take action against deceptive practices, but the agency's resources are limited and enforcement is reactive. Companies can share your data with partners as long as the privacy policy discloses it in some form, no matter how vague.

Some types of data have stronger protections. Health information covered by HIPAA, financial data under GLBA, and children's data under COPPA all come with specific restrictions on sharing. But these laws apply only to covered entities and specific data categories. Your browsing history, purchase behavior, location data, and most other digital activity fall outside these frameworks.

Industry self-regulation exists in the form of programs like the Digital Advertising Alliance's opt-out tools, but participation is voluntary and enforcement is weak. Companies that violate self-regulatory standards face few consequences beyond public relations risk.

In The Fellowship of the Ring, Frodo offers the One Ring to Galadriel

She refuses, knowing that even a tool offered freely becomes a source of corruption when its power is too great to resist. Privacy policies work the same way in reverse. You offer your data freely by agreeing to terms, but the power to control what happens next slips away the moment you click "I agree." The partners downstream from that agreement operate under their own rules, their own retention policies, their own interpretations of "legitimate interest." The original offer becomes a chain of transactions you never directly authorized, each one moving your data further from your control.

The analogy isn't perfect. Frodo could walk away. You often can't, not if you want to participate in digital life. But the underlying dynamic holds. Consent to share with partners isn't a single transaction. It's an open-ended authorization that compounds over time as partners share with subprocessors, subprocessors share with vendors, and vendors share with brokers. The original agreement you made becomes untraceable in the resulting network.

What you can actually control

You can't stop all partner sharing without opting out of digital services entirely, but you can reduce exposure.

Use privacy-focused alternatives when available. Some services prioritize user privacy and minimize partner relationships. Mozilla products, Signal, and privacy-respecting search engines like DuckDuckGo share less data with fewer partners. Switching to these tools reduces the number of third parties with access to your information.

Enable platform-level privacy controls. iOS, Android, and major browsers offer settings to limit tracking. Turn on "Ask App Not to Track" on iPhone. Disable ad personalization on Android. Use Firefox with Enhanced Tracking Protection. These controls don't stop all sharing, but they block some client-side tracking.

Review and revoke third-party app permissions. Many services let you connect third-party apps to your account. Each connection grants that app access to your data. Periodically audit connected apps and revoke access to ones you no longer use.

Opt out where possible. If you're in California, use the "Do Not Sell" link. If you're in Europe, reject non-essential cookies. Use the Digital Advertising Alliance opt-out tool to limit behavioral advertising. These opt-outs are imperfect and require periodic renewal, but they reduce some partner access.

Use separate accounts for different contexts. Create a dedicated email address for shopping, another for social media, and a third for sensitive accounts like banking. This compartmentalization makes it harder for partners to correlate your activity across services.

Read subprocessor lists when available. Some services publish lists of third parties that process user data. These lists are often linked from the privacy policy or available in legal documentation. Reviewing them gives you a clearer picture of who actually sees your data.

Limit voluntary data sharing. Don't connect your social media accounts to every app that asks. Don't enable location services unless you need them. Don't fill out optional profile fields. Every additional piece of data you provide creates more material for partners to work with.

Use browser extensions that block third-party tracking. Privacy Badger, uBlock Origin, and similar tools can block many client-side trackers. They won't stop server-side sharing, but they reduce the volume of data that leaks through your browser.

None of these steps eliminate partner sharing. They reduce it at the margins. The fundamental architecture of modern digital services is built on data sharing, and opting out completely means opting out of participation.

The language is deliberately vague

Privacy policies use "partners" because it's broad enough to cover everyone without committing to specifics. Companies want flexibility to add new partners, change vendors, and adapt to new business models without rewriting the policy every time.

From a legal perspective, this vagueness is defensible. Courts generally hold that privacy policies must be accurate but not exhaustive. As long as the policy discloses that data may be shared with third parties, it satisfies most legal requirements, even if it doesn't name those third parties or explain what they do with the data.

From a user perspective, the vagueness is a problem. You can't make informed decisions about risk if you don't know who gets access to your data, for what purposes, under what terms, and for how long. The information asymmetry is structural, not accidental.

Some companies are more transparent than others. Apple publishes detailed privacy labels for apps in its store. Mozilla provides clear explanations of data practices across its products. But these are exceptions. The industry standard is to disclose as little as legally required and frame that disclosure in language that minimizes concern.

Enforcement is inconsistent

The FTC has brought enforcement actions against companies that misrepresented their data-sharing practices, but these cases are rare relative to the number of potential violations. The agency prioritizes cases involving large-scale harm, deceptive statements, or violations of consent decrees. Most routine data sharing with partners, even when poorly disclosed, falls outside the scope of active enforcement.

State attorneys general have become more active in recent years, particularly in California and New York. But resources are limited and most investigations focus on high-profile cases or egregious violations. The vast majority of data-sharing relationships operate without regulatory scrutiny.

In Europe, GDPR enforcement is stronger but uneven. Some data protection authorities have issued significant fines for inadequate consent mechanisms and excessive data sharing. Others have been slower to act. The result is a patchwork of enforcement that varies by country and depends on which regulator has jurisdiction.

For most users, the practical reality is that privacy policies are legally binding contracts written by the company, with minimal oversight and limited consequences for vague or misleading disclosure.

What happens when you delete your account

When you delete an account, the company typically removes your data from its active systems. But data already shared with partners often persists.

Some companies claim they instruct partners to delete data when a user account is closed. But enforcement of those instructions is inconsistent. Partners operate under their own policies and technical constraints. Deleting data from distributed systems is harder than it sounds, especially when that data has been aggregated, anonymized, or incorporated into machine learning models.

In some cases, deletion requests don't propagate to partners at all. The original service deletes its copy, but partners retain theirs indefinitely. Privacy policies rarely specify what happens to partner-held data after account closure.

GDPR gives users the "right to be forgotten," which includes the right to have data deleted from third parties. But exercising this right requires knowing which partners received your data, contacting each one individually, and following their specific deletion procedures. The burden falls on the user, and the process is opaque.

The future of partner sharing

Some jurisdictions are moving toward stricter transparency requirements. Proposed legislation in several U.S. states would require companies to disclose specific partner names, not just categories. The FTC has signaled interest in stronger rules around data sharing and third-party access.

At the same time, technical changes are making some forms of tracking harder. Browser vendors are phasing out third-party cookies. Mobile operating systems are restricting access to device identifiers. These changes reduce client-side tracking but don't touch server-side data sharing, which is growing as a share of total partner activity.

The economic incentives haven't changed. Data sharing generates revenue, reduces costs, and enables services that users want. Companies will continue to share data with partners as long as the benefits outweigh the legal and reputational risks.

The language in privacy policies will likely remain vague until regulators or courts force more specific disclosure. Until then, "we may share with partners" will continue to mean "we share with dozens or hundreds of third parties under terms we're not required to detail."

Simplified network diagram showing user data radiating outward to various partner categories
→ Filed under
privacy policydata sharingthird-party partnersuser dataprivacy trackingdata brokers
ShareXLinkedInFacebook

Frequently asked questions

Partners include advertising networks, analytics providers, payment processors, data brokers, cloud hosting services, email platforms, and any third party that receives your data. The category is deliberately broad and rarely itemized.
Most privacy policies don't list specific partner names. Some provide categories like 'advertising partners' or 'analytics providers,' but the actual companies remain unnamed unless you dig into subprocessor lists or third-party cookie disclosures.
Companies claim they share data in aggregate or anonymized form, but research shows that combining datasets can often re-identify individuals. The protection is weaker than the language suggests.
Opt-out mechanisms vary widely. Some let you block specific categories like targeted advertising. Others only apply to certain partners or jurisdictions. Many require repeated action across multiple platforms and reset periodically.
Revenue. Advertising networks pay for targeting data. Analytics providers offer free tools in exchange for access. Payment processors and cloud hosts are operational necessities. The economic incentives favor maximum sharing within legal bounds.

You might also like

Laptop open on cafe table showing checkout page, coffee cup beside it, WiFi symbol visible on screen
VPN & Privacy

Online Shopping on Public WiFi: Separating Real Risk from Security Theater

Public WiFi isn't the universal threat security advice suggests. Here's what actually matters when you shop online at Starbucks in 2026, what's changed, and what hasn't.

11 min · Margot 'Magic' Thorne · Jun 6

Shared hotel computer terminal with keyboard and monitor in dimly lit business center
VPN & Privacy

Hotel Business Center Computers: The Real Risk You're Not Being Told

Hotel business centers offer convenience, but using shared computers abroad creates specific, serious risks. Here's what actually matters and what you can control.

11 min · Margot 'Magic' Thorne · Jun 16

Four browser icons arranged side by side on a dark background with privacy shield symbols overlaid
VPN & Privacy

Privacy-Focused Browsers Compared: Which One Actually Protects You

Brave, Firefox, Tor, and Safari all promise privacy. Here's how they compare on tracking protection, fingerprinting resistance, and real-world usability.

11 min · Margot 'Magic' Thorne · May 4