Another tech giant is under investigation in Europe for potential privacy breaches of the General Data Protection Regulation (GDPR), TechCrunch has learnt.
The Irish Data Protection Commission (DPC), which is the lead data protection regulator for most multinational tech giants in Europe, has opened a formal probe into Quantcast’s business — adding +1 to the 17 investigations it already had up and running into Facebook, WhatsApp, Instagram, Apple, Twitter and LinkedIn.
In a statement about the new statutory inquiry into Quantcast the DPC told us:
Since the application of the GDPR significant concerns have been raised by individuals and privacy advocates concerning the conduct of technology companies operating in the online advertising sector and their compliance with the GDPR. Arising from a submission to the Data Protection Commission by Privacy International, a statutory inquiry pursuant to section 110 of the Data Protection Action 2018 has been commenced in respect of Quantcast International Limited. The purpose of the inquiry is to establish whether the company’s processing and aggregating of personal data for the purposes of profiling and utilising the profiles generated for targeted advertising is in compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined
We’ve reached out to Quantcast for comment.
The privacy advocacy group raises a number of concerns about Quantcast’s products — including behavioral ad targeting tech and its consent management tool for publishers and advertisers — as well as arguing it does not have a proper legal basis for processing people’s data.
Along with two other “adtech brokers” also named in the complaint, Criteo and Tapad, Privacy International argues “the data practices of these companies give rise to substantial and on-going breaches of the GDPR”.
The DPC’s head of communications, Graham Doyle, told us it’s not releasing information on the number of complaints it received about Quantcast specifically.
As we reported in February, Facebook and Facebook-owned companies still account for the lion’s share of the Irish regulator’s probes of big tech — with another added to its tally just last week (into the breach of “hundreds of millions” of Facebook and Instagram user passwords which had been stored in plaintext).
But Quantcast is an interesting addition to the DPC’s investigation list given that it’s not a consumer-facing tech giant but rather an adtech veteran which sits behind the scenes, selling ‘marketing intelligence’ tools to other brands so they can sift and mine Internet users’ personal data.
The addition of Quantcast shows the value of GDPR enabling campaign organizations such as Privacy International to make complaints on EU citizens’ behalf. Few consumers know the half of how adtech works.
A 2017 AdAge article described Quantcast’s technology as “almost woven into the fabric of the internet” — on account of how it got started providing measurement capabilities to publishers. (It was founded in San Francisco, back in 2006.)
But since the GDPR came into force last May Quantcast’s b2b brand has become increasingly visible to web users — with its branded technology powering many of the consent pop-ups used by online publishers to claim GDPR ‘compliance’.
These pop ups typically feature a big blue ‘I agree’ button that nudges Internet users to agree to their personal data being processed by the website they’re visiting — and any ad/analytics partners it wants to share it with.
Clicking the almost invisible and gnomically named ‘Show Purposes’ link opens a fuller menu of consent options — where users are able to toggle on/off any fields that the tool’s user has not deemed ‘required’.
Powered by WPeMatico