On by default: marketing, cookies, and ML-driven targeting of Dropbox users
2023–2024
Dropbox uses cookies and machine learning to profile how engaged each user is — analyzing connected devices, storage used, file content, and sharing actions — to market premium services, with regional differences in what is on by default.
What happened
Beyond storing files, Dropbox runs marketing and personalization systems on top of account data. Its own privacy materials state that Dropbox uses 'machine learning, artificial intelligence, and algorithmic analysis' to gauge a user's activity and engagement — looking at factors such as how many devices are connected, how much storage is used, file content, and sharing actions — specifically to identify and market premium services to users likely to be interested.
Dropbox also sets cookies and similar technologies, including via third-party providers, to 'promote' its services, with a Cookies/CCPA preferences control in its site footer. Consent and default states vary by region: stricter regimes such as the EU and UK require consent-first handling, while users elsewhere are more likely to be opted in by default — a pattern Dropbox repeated explicitly with its 2023 third-party-AI toggle, where EU/UK/Canada users were opted out but most others were opted in. The result is profiling and marketing data use that many users do not expect from a 'file storage' product, governed by defaults that depend on where they live.
Impact
Users in less-protected jurisdictions carry a heavier default burden of profiling and marketing analytics, and few realize that file content, storage levels, and sharing behavior are inputs to machine-learning models aimed at upselling them. It illustrates how Dropbox monetizes behavioral signals around the files, and how privacy outcomes hinge on opt-out defaults most people never change.