Privacy International has filed complaints against seven data providers and ad-tech companies, asking European data-protection authorities to investigate their activities and determine whether they are in compliance with GDPR.
The firms being investigated are Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian.
“Together these companies profit from the exploitation of the personal data of millions of people in the UK, in the rest of the European Union and further afield,” the group contends in one of three complaints filed with the UK’s Information Commissioner’s Office.
Complaints were also submitted to data authorities in Ireland and France.
In its complaints, the group relies heavily on descriptions on the companies’ own web sites and in other materials. It also has submitted data access requests to the companies, as allowed under GDPR.
The complaint against Acxiom and Oracle argues that “the data infringements documented in this complaint merely constitute the ‘tip of the iceberg’ of the companies’ data practices.”
In the case of Acxiom, the complaint specifies three products:
Also coming under fire is the practice of profiling.
“Disparate and seemingly innocuous data can be combined to create a meaningful comprehensive profile of a person,” the complaint states.
It adds: “Advances in data analytics, as well as machine learning have made it possible to derive, infer and predict sensitive data from ever more sources of data that isn’t sensitive at all. For instance, emotional states, such as confidence, nervousness, sadness, and tiredness can be predicted from typing patterns on a computer keyboard.”
Profiling also figures in the complaint against Equifax and Experian. The group states that their profiling for marketing purposes “has no lawful basis” under Articles 5 and 6 of GDPR, adding that “the requirements for consent or legitimate interest are not fulfilled.”
In addition, the bureaus do not comply with “the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, accuracy and integrity and confidentiality,” it continues.
The complaint against Ad Tech firms Criteo, Quantcast and Tapad allege that the firms “all fuel each other through interminable data sharing,” and like the data brokers, are mostly non-consumer facing.
It adds that “these companies can make intrusive inferences about individuals which can be used to direct advertising to individuals and specific target audiences meaning that the output of the analysis is greater than the sum of its parts.”
In particular, the group challenges such products as the Tapad Graph, which “enables marketers to capture a wealth of consumer touchpoints across devices and channels, resolving them back to an individual,” according to copy quoted in the complaint.
It also questions Criteo’s Shopper Graph, saying: “This tool provides granular data on shoppers including offline and online information as well as cross-device data for better targeting. It also gives access to fresh, granular, shopping data, based on more than 35 billion daily historic browsing and transaction events from nearly three quarters of the world's online shoppers.”
Privacy International’s site urges consumers to “Tell companies to stop exploiting your data!”
According to Engadget, Experian responds: "We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements."
In addition, Criteo states: "We have complete confidence in our privacy practices," EnGadget continues.
Acxiom has also taken such positions in the past.