Privacy Group Asks European Regulators To Test GDPR Against Seven Tech Companies

GDPR defines profiling as using “any form of automated processing of personal data” to analyze or predict someone’s personal preferences, interests, behaviors, location, health – and the like. Anyone who wants to engage in profiling is subject to the law and requires legal grounds for proceeding, which is either consent or legitimate interest.

Privacy International believes most of the ad tech and data companies that do profiling have neither, at least not where it counts.

In the case of Equifax and Experian, for example, both have a legitimate interest to collect data in their capacity as credit referencing agencies, but not for marketing services. Under its Marketing Services umbrella, Equifax promotes products that combine data assets to create segments of people in the market for a home, or to allow its customers to use its data to identify, profile and segment their marketing lists.

The complaints argue that there’s no way for a regular person to fully understand where and how their data is being sourced, who’s sourcing it, and what happens to it down the chain.

Tapad, for instance, sources data from 42 billion devices; purchases and licenses data from publishers, SDKs and ecommerce providers; gathers info from data providers, like BlueKai and eXelate; ingests telco data from its parent company Telenor’s 250 million subscribers; and derives other data points from its more than 130 integration partners, including a slew of RTB exchanges and supply-side providers.

“Even where sources are provided,” writes Privacy International in its complaint, “the sheer number and range of sources and the fact that the majority of the named sources are other data companies creates a matryoshka effect where finding the original source of the data is like finding a needle in a haystack.”

So, is consumer profiling as a marketing practice about to hit the cutting room floor in Europe?

Probably not, said Rob Rasko, CEO of The 614 Group, the consultancy that acted as due diligence advisor on IPG’s acquisition of Acxiom Marketing Services.

The issue isn’t profiling, per se, but rather transparency.

“Companies need to be transparent in how they collect data and how they’re managing it, and as long as they demonstrate that, profiling will be here for a while,” Rasko said. “I don’t think it goes anywhere.”

Profiling is lawful under GDPR – provided the profiled individual knows what’s being done and has given consent to do it, and that the use of any personal data is transparent, accountable and fair, said Johnny Ryan, chief policy and industry relations officer at Brave.

He added that the most obvious way for the companies cited in the complaint to reform, if they need to, is “to abandon personal data and use only non-personal data – with non-personal data, one can still have bid requests based on the context of a page, provided adequate care is taken.”

But even companies that try to comply can still get entangled in GDPR’s web. Take Quantcast, which got called out in one of the complaints for its consent management tool, which was developed specifically to satisfy the GDPR’s requirements. Privacy International says it has “concerns” about whether the consent being obtained through the tool is valid.

“Ultimately, regulators and courts will have to decide what is the right balance between individuals’ privacy concerns and businesses’ interest to pursue data-driven innovation,” said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals.

This post was syndicated from Ad Exchanger.