Users beware: The banks are spying on you! It recently emerged that deep inside a TD Canada Trust Visa cardholders agreement are embedded a couple of troubling lines giving the bank the legal right to collect data on everything a person does online.

The scope of these provisions, revealed last week by the CBC, is expansive. They basically give the bank the right to view the content of Google searches, the sort of online videos a cardholder watches, their social media activity and much, much more.

The bank can learn a lot from this information. Are you searching for legal advice on defaulting on a loan? Are you thinking of moving or getting married? Are you straight or gay? Do you prefer cats or dogs?

TD might have overreached in wanting to gain access to all this information, because maybe the bank doesn't really need to know that much about its customers.

At the margin, more information is probably going to give the bank a business edge – for example, knowing which people are having financial troubles could be useful. But these advantages probably aren't enough to justify violating customers' privacy.

At the end of the day, though, TD is not the problem. It's just one cog in a much larger data-driven market.

And even the bank's own legal language paints the wrong picture.

Despite wording to the effect that the bank is "collecting" information on our online activity, it's probably not "collecting" anything in the strictest sense of the term. It's most likely buying information from data brokers and private companies that aggregate information gleaned from mobile applications, Google Inc., Facebook Inc., Twitter Inc., Instagram and other online platforms.

This practice is hugely common and hugely problematic. As Frank Pasquale notes in his book The Black Box Society, insurers in the United States routinely try to buy records of people's pharmaceutical visits in order to gain an edge.

Target, the retail giant, famously sent individually tailored advertising to a teenaged girl near Minneapolis because its data aggregation and analytics had correctly predicted that she was pregnant – a fact she hadn't yet told her family.

Other cases include a data broker selling information on 500,000 gamblers to criminals and the sale of information on people with severe diseases such as cancer or Alzheimer's to those who sought to profit from those with poor health.

The real problem with the cases mentioned above, including the one involving TD, is the lack of clear rules in an era of Big Data.

We don't yet really know who can collect what, and even fewer restrictions exist on how data that have already been collected can actually be used.

But the onus here is not on the private sector alone. We, the individual users of Twitter, Facebook and Gmail, share a lot of the responsibility. We have all struck a Faustian bargain that encourages us to use free online applications and services.

But, as the old saying goes, nothing in life is actually free. It's the digital age, but the dusty old rule from the analog era still applies. Facebook, Gmail, Twitter and all the rest are not providing you with a free service. They are selling data on your voluntarily turned-over habits and behaviours to marketers and data-aggregation services. As the new saying goes, if you're not paying for it, you are the product.

In short, we should be worried about what TD was reportedly doing, but we shouldn't view it as an isolated event. It's part and parcel of the new normal.

What we need now is a new approach that clarifies both who can collect specific types of information and how user-generated data can be utilized once it does exist. All this can only start if people realize that nothing is free. We pay for our free e-mail somehow.

If we really care about privacy, we need to start from the source and work our way out – rather than merely trying to roll back the edges of the Big Data tide.