Already the fallout has been massive. Facebook lost $US40bn in stock value in a few hours. There were reports that its chief information security officer, Alex Stamos, will quit in August over internal resistance to his wanting more extensive disclosure about Russian interference in the platform.

It is claimed 270,000 users downloaded an app by researcher Aleksandr Kogan called thisisyourdigitallife. When they approved the download, they inadvertently granted the app developer permission to harvest the data of their friends too — up to 50 million in all

These users were taking part in they thought was social research. But data was passed to data analysis firm Cambridge Analytica which made it available for political purposes, in this case to aid the Trump presidential bid in 2016.

Cambridge Analytica head of product Matt Oczkowski says the data helped decide which cities the Trump campaign would hold rallies in, which groups to appeal to, and what to say. (see the video below). App users had not given permission for this.

An undercover video suggests Cambridge Analytica was offering similar services to other countries including Australia. Facebook, which faces probes in the US, UK and Europe, could face them elsewhere too. Fines could run to billions.

Once an impenetrable fortress, Facebook’s foundations are creaking. But it’s not just Facebook. The data scandal amplifies long-held concerns about the massive marketing economy that has exploded around Facebook’s apparent scant regard for privacy.

Like me, you’ve probably experienced Facebook “coincidences”. Such as receiving an email from a business contact about an audio transcription service, then finding an ad for a competing service in my Facebook feed. Or having a Facebook ad remind me that if I scan my Woolworths Rewards card at a supermarket, I could win groceries. What! Facebook knows I am a Rewards member?

Then there’s the ads about DJI drones and Samsung S9 phones: technology I have reviewed. I once conducted searches in Google for self-improvement masterclasses and I’ve been served Facebook ads about them since.

When we buy goods at retail outlets and online, or when we do a search, our interest can find its way on to Facebook, Instagram, Google Chrome and YouTube as ads. It’s a Faustian bargain most of us accept when we trade our privacy for ads that may interest us. But can we trust the custodians of our personal data, especially Facebook after this latest case?

Take the loyalty card economy. We in Australia love loyalty cards. The inaugural report by Mastercard into their use in the Asia-Pacific, released in January, stated that nine out of 10 of us have loyalty cards and 79 per cent of us have loyalty cards specifically for retail. About 18 per cent of us are in Woolworths Rewards and 31 per cent in Flybuys for rival Coles. And 64 per cent of us are happy to share our personal information with loyalty/reward programs.

But fewer might be happy if we had read the privacy statements of major retailers. To their credit, Australian retailers do declare how they use their data. And no one is claiming leaks. But extensive data is kept nonetheless. And there would be huge consequences if information got into the wrong hands.

Customers might be surprised at the degree of data matching. In its Woolworths Rewards privacy policy, Woolworths says information about shopping transactions can be collected from your payments card matched to your rewards card, even if you don’t present the card at the checkout. The grocery giant says it can collect data about you from partners such as insurers, public information providers, delivery service companies and third-party data providers.

So Woolies can build a decent picture of you. And it can share it with service providers and marketers, although it says that data is de-identified. “We do not disclose Personally Identifiable Information to suppliers or partners,” says spokesman Mike Scott.

But it’s no surprise that Facebook reminds me I could win groceries by swiping my Rewards card.

Coles also collects data through Flybuys, owned by parent Wesfarmers. Names, contact details, identification information, household details, payment and transaction details and history are among details collected. It may be exchanged with providers of data analysis, information broking, credit reporting, marketing, security and investigators. Wesfarmers retail outlets include Kmart and Target, so it’s a big operation. Coles lists 23 other countries where data may be located.

Chemist Warehouse’s privacy policy is important to me because I buy my pharmaceuticals there. Any information leak is potentially a leak of my medical history. It says it logs users’ visits to its website but doesn’t try to identify them except for law-enforcement purposes.

But it does collect names, addresses, allergies, conditions and medications, and can use this for marketing. Its servers are in Australia but information may be disclosed to service providers including some overseas. It takes “reasonable steps” to protect your privacy.

Privacy Commissioner Timothy Pilgrim says individuals should make sure they are getting a fair deal from this information exchange. “Each swipe of a loyalty card is another package of information that can form a picture. Businesses collect this information because it’s of great value to them,” he says.

It’s not just retailers and web browsing. Apps on your phone not only offer marketers data, they can also give away your location. By cross-referencing other data sources, they can profile your entire household.

In a report by Media Play News, the CEO of US subscription service MoviePass, Mitch Lowe, revealed the app watched your movements. “We watch how you drive from home to the movies. We watch where you go afterwards, and so we know the movies you watch. We know all about you,” he told the publication. That’s just one app.

Sometimes we are our own worst enemy. A post about a Sydney hospital on my Facebook feed listed a friend who had “checked in” there. Why check-in to a hospital on Facebook? Just check-in at the counter.

But we must become masters of our privacy. If you don’t want your shopping tracked, don’t use loyalty cards. And use cash. I pay for medications with cash, although my prescriptions are identifiable.

It’s tough. Even if you switch off your phone GPS to safeguard your location, your IP address, Wi-Fi address or a snap from a nearby security camera can give your position away.

More related stories

World

Trump’s good news day

Those repeated claims of no collusion now have credence.

Read more

World

A searing indictment of FBI

Americans deserve a full accounting of the missteps of James Comey and the FBI.

Read more