There’s been a lot in the news this year about how companies such as Facebook and Google record and exploit users’ personal data, but less so about the companies that quietly build profiles of people behind the scenes, in order to target advertising at them or decide how credit-worthy they should be.
So privacy campaigners in the U.K. have filed a series of complaints about these firms, which generally don’t deal directly with consumers. The complaints are under the EU’s fearsome new privacy law, the General Data Protection Regulation (GDPR,) which potentially means the companies will need to change their ways. It could also mean major fines for them, if regulators decide they’ve been abusing people’s data illegally.
Privacy International (PI) announced its complaints on Thursday. The targets include the data brokers Oracle and Acxiom, advertising technology firms Criteo, Quantcast and Tapad, and the credit referencing agencies Equifax and Experian.
The NGO previously said on May 25th—the day the GDPR came into effect—that it was asking the companies to explain how they used people’s data. It clearly didn’t like their responses.
“The data broker and ad-tech industries are premised on exploiting people’s data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives,” said PI lawyer Ailidh Callander. “GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why we consider these companies’ practices are failing to meet the standard—yet we’ve only been able to scratch the surface with regard to their data exploitation practices.”
“GDPR gives regulators teeth and now is the time to use them to hold these companies to account,” Callander added.
Under the GDPR, European privacy regulators can fine companies up to 4% of their global annual revenue, for particularly egregious violations. Google, Facebook, Twitter and other big names are all currently under investigation.
PI alleges that the targets of its complaints are all violating the law by not getting proper consent from people before recording and using their personal information. It also says the companies don’t have any “legitimate interest” in processing that data. This is one of the legal bases for data processing that companies can cite, and regulators have advised that online marketing operations can use it, but not in all cases—so this looks like it will be an interesting test case for that defense.
The organization also says the companies aren’t transparent or fair about the way they use people’s data, and that they don’t adhere to rules around accuracy and minimizing the amount of data they collect.
“The world is being rebuilt by companies and governments so that they can exploit data. Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us beginning to understand why or being able to effectively fight back,” said Frederike Kaltheuner, who heads up PI’s data exploitation program.
Criteo said Privacy International contacted it in May with a request to complete a questionnaire on privacy, but after it responded it heard nothing back from the group.
“Instead yesterday we learnt of this intended complaint,” the company said Thursday. “Whilst disappointed that they have chosen to take this action, we have complete confidence in our privacy practices and we remain open to answer any questions that Privacy International may have.”
“We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements,” said an Experian spokesperson.
Oracle, Quantcast and Equifax declined to comment on the complaint. Acxiom and Tapad had not responded to requests for comment at the time of writing.
