Until recently, the types of tech giants facing regulatory scrutiny under terms of the European General Data Protection Regulation (GDPR) were consumer-facing companies like Facebook, Google and Apple. But that is now changing, thanks to a breach of privacy complaint by Privacy International filed on behalf of EU citizens. Privacy International hopes to challenge the way big adtech companies such as San Francisco-based Quantcast use data collected from users to form highly specific profiles that can then, in turn, be used to show users targeted advertisements. The case of Quantcast is currently being investigated by the Irish Data Protection Commission (DPC), which is the lead privacy regulator for multinational tech giants based in Europe.

Why Privacy International is making an example of adtech giant Quantcast

According to Privacy International, players in the online advertising sector deserve further scrutiny for their practices, almost all of which happen behind the scenes, out of sight of the typical consumer. Back in November 2018, Privacy International filed a breach of privacy complaint with the European data protection authorities, calling to their attention the practices of 7 major companies (Quantcast, Acxiom, Oracle, Criteo, Tapad, Equifax, Experian) that work together in the online advertising sector in order to build intricate profiles of users. At the time, Privacy International suggested that these practices (especially the aggregating of personal data) fail to meet the standards set by the GDPR.

The decision by the Irish DPC to investigate adtech giant Quantcast could mean that further breach of privacy investigations into this space could be forthcoming. Privacy International, when contacted for comment on the case, said it was “extremely pleased” by the decision of the DPC to investigate the case and check for compliance with the relevant statutes of the GDPR.

One major breach of privacy issue, says Privacy International, is the way adtech companies like Quantcast process and aggregate personal data about users. Quantcast provides its tracking technology to nearly 100 million websites, and is thus able to form very detailed and granular profiles. Over the course of any time period, Quantcast is able to see which sites you are visiting and how much time you are spending there, and then cross-link their data with that from data brokers and credit agencies to form very detailed profiles that can be used by many players in the adtech ecosystem to reach and influence customers.

As Privacy International notes, Quantcast knows a lot about you – even if you know nothing about Quantcast. Based on your online activity, for example, Quantcast can make very accurate guesses about your age, gender, income level, and educational level. And it can start to predict what types of products you might buy, what types of advertising messages you might be open to receiving, and how your browsing activity is related to your personal, everyday life. The big question, of course, is just how much of this information is needed by companies for “legitimate” business purposes. If Quantcast is unable to show that all of this information is needed to show advertisements online, it could potentially result in a breach of privacy infraction. In addition, the company’s transparency and retention practices could come under closer scrutiny.

Concerns about consent under the GDPR

Another important issue, says Privacy International, is the fact that adtech giant Quantcast may not be obtaining consumer consent properly. Starting in May 2018, Quantcast began working with website owners and online publishers to display “consent pop-ups.” Internet users, in order to continue using these sites, must click a giant blue button that says “I accept.” However, in much smaller fine print is exactly what the Internet users are consenting to – in almost every case, it involves sharing data with third parties. Quantcast has proudly proclaimed in the past that they have a “90% consent rate,” which implies that 9 out of 10 Internet users simply click on the big blue button, completely unaware of what they are agreeing to do.

And this, says Privacy International, is completely at loggerheads with the provisions of the GDPR, which espouses principles like “transparency.” In its November 2018 complaint, Privacy International implored the European data protection authorities to take a much closer look at the consent management tool for publishers and advertisers. The current consent solution enables publishers to gain consent too easily, without consumers fully understanding what they are doing, and may not meet the standards set by the GDPR. If the transparency and consent solution is found to be lacking, it could encourage advertising groups such as IAB Europe to change their practices in order to meet the standards set by the GDPR and, perhaps, even create a new commercial GDPR-compliant framework.

Penalties for breach of privacy cases

According to the Irish DPC, there are more than 50 large-scale investigations into breach of privacy concerns, 17 of which involve big Silicon Valley tech giants. Facebook, WhatsApp, Instagram, Apple, Twitter and LinkedIn are all being looked into for potential breach of privacy practices. If anything, momentum is growing to make an example of one or more of these companies. New examples of privacy lapses, such as Instagram storing user passwords in plaintext without any encryption, are constantly being added to the types of activities under investigation. For now, the online ad sector and its compliance appear to be a new area of focus.

The big question, of course, is whether the Irish DPC will choose to make an example of adtech giant Quantcast or any of the consumer-facing Silicon Valley tech giants on the basis of breach of privacy. Failure of compliance with the GDPR can bring some large penalties. Theoretically, the GDPR gives regulators the option to assign penalties and fines as high as 4% of annual global turnover (or €20 million, whichever is higher), so the penalties could be very extensive indeed.

Re-thinking the adtech ecosystem

Increasingly, brands and agencies understand what is at stake here: a complete re-thinking of the legal basis of the adtech ecosystem. The Quantcast adtech case could be a real test of the GDPR, influencing how data is collected, stored and shared across mobile and Web destinations. Data for the purposes of building intricate profiles would need to be re-thought, and any profiles generated for targeted advertising purposes would need to show that they are not using any unneeded data. Only then would it be possible to say that advertising is in compliance with the GDPR.

For nearly a decade, the Quantcast suite of insights has become a fundamental part of the way advertisers learn about Internet users, and some even say that Quantcast has become part of the very “fabric” of the web that people take for granted. Thus, making an example of Quantcast would give a very clear signal that the provisions of the GDPR are having a real, immediate impact on the data privacy of Internet users everywhere, and that failing to meet the standards set by the GDPR will result in swift regulatory action.