Privacy advocates in the UK filed a series of complaints Thursday against Criteo, Tapad, Quantcast, Acxiom, Oracle, Equifax and Experian, questioning whether consumer profiling is legal under GDPR.
Watchdog group Privacy International is claiming that the way many ad tech and data companies use data is in direct contravention of Europe’s new privacy law. The group is urging regulators in the UK, Ireland and France to use those seven companies as test cases for whether GDPR really has teeth in practice.
“The fundamental business models of the data-sharing [companies] named in the complaint are being challenged,” said Daryl Crockett, president and CEO of data risk management consultancy ValidDatum.
Specifically at issue is a lack of transparency in the way these companies profile – Privacy International uses the word “exploit” – people by amassing and combining vast quantities of personal data in a manner that is, at best, opaque to the end consumer.
GDPR defines profiling as using “any form of automated processing of personal data” to analyze or predict someone’s personal preferences, interests, behaviors, location, health – and the like. Anyone who wants to engage in profiling is subject to the law and requires a legal ground for proceeding, which is either consent or legitimate interest.
Privacy International believes most of the ad tech and data companies that do profiling have neither, at least not where it counts.
In the case of Equifax and Experian, for example, both have a legitimate interest in collecting data in their capacity as credit referencing agencies, but not for marketing services. Under its Marketing Services umbrella, Equifax promotes products that combine data assets to create segments of people in the market for a home, or to allow its customers to use its data to identify, profile and segment their marketing lists.
The complaints argue that there’s no way for a regular person to fully understand where and how their data is being sourced, who’s sourcing it, and what happens to it down the chain.
Tapad, for instance, sources data from 4.2 billion devices; purchases and licenses data from publishers, SDKs and ecommerce providers; gathers info from data providers, like BlueKai and eXelate; ingests telco data from its parent company Telenor’s 250 million subscribers; and derives other data points from its more than 130 integration partners, including a slew of RTB exchanges and supply-side providers.
“Even where sources are provided,” writes Privacy International in its complaint, “the sheer number and range of sources and the fact that the majority of the named sources are other data companies creates a matryoshka effect where finding the original source of the data is like finding a needle in a haystack.”
Tapad told AdExchanger in a statement that the company "invested in privacy and prepared well in advance of the GDPR coming into force, ensuring we continue to fulfill the obligations of the GDPR. We take privacy seriously and are thoroughly evaluating the content of the inquiry."
So, is consumer profiling as a marketing practice about to hit the cutting room floor in Europe?
Probably not, said Rob Rasko, CEO of The 614 Group, the consultancy that acted as due diligence advisor on IPG’s acquisition of Acxiom Marketing Services.
The issue isn’t profiling, per se, but rather transparency.
“Companies need to be transparent in how they collect data and how they’re managing it, and as long as they demonstrate that, profiling will be here for a while,” Rasko said. “I don’t think it goes anywhere.”
Profiling is lawful under GDPR – provided the profiled individual knows what’s being done and has given consent to do it, and that the use of any personal data is transparent, accountable and fair, said Johnny Ryan, chief policy and industry relations officer at Brave.
He added that the most obvious way for the companies cited in the complaint to reform is “to abandon personal data and use only non-personal data – with non-personal data, one can still have bid requests based on the context of a page, provided adequate care is taken.”
As it stands, though, "Privacy International's extensive filings indicate that major ad tech firms and data brokers fail each of these tests, and may have shown a staggering disregard for the law," Ryan said.
But even companies that try to comply can still get entangled in GDPR’s web. Take Quantcast, which got called out in one of the complaints for its consent management tool, which was developed specifically to satisfy the GDPR’s requirements. Privacy International says it has “concerns” about whether the consent being obtained through the tool is valid.
“Ultimately, regulators and courts will have to decide what is the right balance between individuals’ privacy concerns and businesses’ interest to pursue data-driven innovation,” said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals.
[Updated 11/9/18 to include an expanded quote from Johnny Ryan, a statement from Tapad and correction of the number of devices that Tapad sources data from.]