Adtech veteran Quantcast is latest tech giant to face GDPR privacy probe


Another tech giant is under investigation in Europe for potential privacy breaches of the General Data Protection Regulation (GDPR), TechCrunch has learnt.

The Irish Data Protection Commission (DPC), which is the lead data protection regulator for most multinational tech giants in Europe, has opened a formal probe into Quantcast’s business — adding +1 to the 17 investigations it already had up and running into Facebook, WhatsApp, Instagram, Apple, Twitter and LinkedIn. 

In a statement about the new statutory inquiry into Quantcast the DPC told us:

Since the application of the GDPR significant concerns have been raised by individuals and privacy advocates concerning the conduct of technology companies operating in the online advertising sector and their compliance with the GDPR. Arising from a submission to the Data Protection Commission by Privacy International, a statutory inquiry pursuant to section 110 of the Data Protection Action 2018 has been commenced in respect of Quantcast International Limited. The purpose of the inquiry is to establish whether the company’s processing and aggregating of personal data for the purposes of profiling and utilising the profiles generated for targeted advertising is in compliance with the relevant provisions of the GDPR. The GDPR principle of transparency and retention practices will also be examined

We’ve reached out to Quantcast for comment. Update: The company declined to comment.

The full Privacy International submission to the DPC can be found here.

The privacy advocacy group raises a number of concerns about Quantcast’s products — including behavioral ad targeting tech and its consent management tool for publishers and advertisers — as well as arguing the company does not have a proper legal basis for processing people’s data.

Along with two other “adtech data brokers”, Criteo and Tapad, also named in the complaint, Privacy International argues “the data practices of these companies give rise to substantial and on-going breaches of the GDPR”.

It will now be up to the regulator to investigate and determine whether the complaint stands in the case of Quantcast.

The DPC’s head of communications, Graham Doyle, told us it’s not releasing information on the number of complaints it received about the company specifically.

As we reported in February, Facebook and Facebook-owned companies still account for the lion’s share of the Irish regulator’s probes of big tech — with another added to its tally just last week (into the breach of “hundreds of millions” of Facebook and Instagram user passwords which had been stored in plaintext).

But Quantcast is an interesting addition to the DPC’s investigation list given that it’s not a consumer-facing tech giant but rather an adtech veteran which sits behind the scenes, selling ‘marketing intelligence’ tools that sift and mine Internet users’ personal data.

The addition of Quantcast shows the value of GDPR enabling campaign organizations such as Privacy International to make complaints on EU citizens’ behalf. Few consumers know the half of how adtech works.

A 2017 AdAge article described Quantcast’s technology as “almost woven into the fabric of the internet” — on account of how it got started providing measurement capabilities to publishers. (It was founded in San Francisco, back in 2006.)

But since the GDPR came into force last May Quantcast’s b2b brand has become increasingly visible to web users — with its branded technology powering many of the consent pop-ups used by online publishers to claim GDPR ‘compliance’.

These pop ups typically feature a big blue ‘I accept’ button that nudges Internet users to agree to their personal data being processed by the website they’re visiting — and any ad/analytics partners it wants to share it with.

Clicking the almost invisible and gnomically named ‘Show Purposes’ link opens a fuller menu of consent options — where users are able to toggle on/off fields that the tool’s user has not deemed ‘required’.

Reached for comment on the news of the DPC’s investigation, a spokeswoman for Privacy International told us: “We are extremely pleased that as a result of our submission the Irish DPC are commencing an inquiry into Quantcast. Quantcast is a company that most of us have never heard of but that amasses data and builds intricate profiles of our lives. PI’s submission sets out why we consider Quantcast’s practices are failing to meet the standards set by GDPR, especially its profiling. The real test of GDPR will be its enforcement.”

In cases where data controllers are found to have breached the regulation they can face financial penalties which can scale as high as 4% of their annual global turnover.

EU regulators also have the power to order data controllers to suspend or stop processing data altogether.

This report was updated with comment from Privacy International

Europe – TechCrunch