Medical details, kids' voice recordings and copies of passports are at risk when customers tick an online consent box.
Marriott International, Facebook, Asda, Paypal, BT and Tesco engaged in hidden data harvesting and sharing.
Big firms are able to use personal data to build a profile of customers for targeted adverts or to pass to other organisations, according to analysis by the Daily Mail.
Examples of this include:
- Pregnant women's due dates sold by Asda to a mystery third-party company for marketing;
- Kids' voices recorded on the YouTube Kids app are being harvested by Google to promote other apps;