What to Expect
Our team wanted to see how data companies that are not used to being in the public spotlight would respond to people exercising their data rights. You have the right under the EU General Data Protection Regulation ("GDPR") to demand that companies operating in the European Union (either because they are based here or target their products or services to individuals in the EU) delete your data within one month. We wrote to seven companies and requested that they delete our data, and we've made it easier for you to do so too. Here's what you can do, and what you can expect in the process. We'd also recommend that you read the FAQ that we've put together.
An upfront warning - these companies might try to come up with excuses for not deleting your data or make it a complicated process. However, the more you push companies to respect your data rights, the more they will have to change their shady practices.
The ad-tech companies!
Criteo, Quantcast, Tapad directions
- Send PI's letter template to Criteo, Quantcast, and Tapad. Companies are required to resolve your request within 1 month, so mark your calendar.
- If Criteo, Quantcast, and Tapad respond with an opt-out link, you may choose to follow the link and opt-out. But, even if you choose to use this link, we would recommend that you respond by saying that their response does not satisfy your request, which was for your personal data to be deleted, not just to opt-out of future tracking. Say that you would like to opt-out of all tracking by email and ask for confirmation that the data Criteo, Quantcast, or Tapad has historically tracked, collected, or shared about you has been deleted.
- Criteo, Quantcast, and Tapad use cookies to identify you and may request from you your Criteo, Quantcast, or Tapad cookie ID. If they do not provide directions on how to find this ID, respond by asking for directions.
- If Criteo, Quantcast, or Tapad does not respond to you within 1 month, respond by saying that you have not heard from them regarding your deletion request that that you look forward to receiving their response immediately, given that the GDPR deadline of 1 month has passed.
- If the companies do not fulfil your request, you can complain to the Data Protection Authority where you live. A list of the Data Protection Authorities and their contact details can be found here. If you don't live in the EU you should send your complaint to the Data Protection Authority in the European base of the company, in this case Criteo (France), Quantcast (Ireland) and Tapad (UK).
PI's experience
Criteo, Quantcast, and Tapad's initial responses to our requests included 1) long explanations about the benefits of digital tracking, 2) assurances that the companies do not collect data that can be used to identify us, and 3) that it was super easy to opt out. To target ads even more granularly, for example, Quantcast placing people in more fine-grained categories. The names of these categories suggest that the data was obtained by data brokers like Acxiom and Oracle, but also MasterCard and credit referencing agencies like Experian.
Because Criteo, Quantcast, and Tapad's tracking and subsequent advertising is cookie dependent, the companies were only able to tell us to deactivate their tracking cookies - which meant that we had to accept their cookies and turn off our privacy friendly settings! For reasons of privacy and security, it is often recommended that people frequently delete their browser cookies, which are bits of code that can do a variety of things, including track your browsing habits for advertising purposes. However, in Criteo's response to our request they said that deleting your cookies may result in the reactivation of Criteo's tracking your browsing habits, meaning that these companies appear to be unable to permanently stop tracking people, even when those people have withdrawn (or have never given) their consent.
For these reasons and more, PI does not believe Criteo, Quantcast, or Tapad to be compliant with GDPR. We've taken action by filing complaints with the appropriate regulators. It's frustrating and unacceptable that there are so many steps and no simple way to delete our data. The more people that exercise their right to deletion, however, the more we push these companies to improve!
The data brokers!
Acxiom and Oracle directions
- Send PI's letter template. Companies are required to resolve your request within 1 month, so mark your calendar.
- Acxiom and Oracle may respond by asking for further information to identify you, such as you name and address. If you are happy to continue, send this information.
- Acxiom and Oracle may respond saying that they have supressed your information.
- If Oracle suggests you use an opt-out tool, you should say that you cannot use the Opt-Out tool Oracle has suggested without enabling third party cookies, and therefore this is not a satisfactory solution to your request to exercise your right under GDPR. Ask them to provide you with a method to permanently stop Oracle from tracking you on any device and to confirm that all the data Oracle has collected or shared already has now been deleted.
- If the companies do not fulfil your request, you can complain to the Data Protection Authority where you live. A list of the Data Protection Authorities and their contact details can be found here.
PI's experience
Classical data brokers use data such as your post code and address to identify and profile you. They do not offer a way to completely delete your data from their databases or from third-parties with which they have shared or sold your data, but rather they "supress" your data. What suppression looks like for companies like Acxiom is not clear (do they also "supress" the data they've already shared or sold?) but is generally understood to mean that they keep your data but no longer use, share, or sell it. However, it also may be based on online identifiers (such as cookies), as with Oracle. As explained above, this solution is far from satisfactory as they ask you to accept cookies to implement it.
Opting out of cookie-dependent advertising is done by deactivating tracking cookies - which means that you have to accept cookies and turn off your privacy friendly settings! For these reasons and more, PI does not believe Axciom or Oracle to be compliant with GDPR. We've taken action by filing complaints with the appropriate regulators.
The credit referencing agencies!
Equifax and Experian directions
- Send PI's letter template. Companies are required to resolve your request within 1 month, so mark your calendar.
- You may receive an automated response from Equifax and Experian saying you will hear from them soon and asking for more information. Wait for a person to respond to your request.
- Once a person responds, you may be asked to provide your full name, date of birth, and address. If you are happy to continue with the request:
- Equifax: Send this information.
- Experian: Send this information and reiterate that, as you set out in your original request, you want Experian to delete your data for all marketing purposes, this includes all marketing data relating to you (including all Mosaic data and profiled data).
- You may receive a response that Experian has amended its records so that it does not share your details with Experian's clients who purchase marketing lists, but that you may still receive mailings for the next few weeks. Respond by saying that as set out in your request, you want all marketing data related to you deleted.
- If the companies do not fulfil your request, you can complain to the Data Protection Authority where you live. A list of the Data Protection Authorities and their contact details can be found here. If you don't live in the EU, send to the UK Data Protection Authority as both these companies have bases in the UK.
PI's experience
Credit reference agencies have been imbedded into our societies and may be instrumental in our access to credit, such as a mortgage or a credit card. However, these companies also have marketing products and services, where they profile and provide insights on us - this is the data we are asking to be deleted. They normally associate data with you based on your name and address, but that's not the only data they hold. We've found it hard to get straight answers from these companies that they have deleted marketing data, including profiles, relating to us and that's why we all need to push them more. For these reasons and more, PI does not believe Equifax or Experian to be compliant with GDPR. We've taken action by filing complaints with the appropriate regulators.