I asked an online tracking company for all of my data and here's what I found

In fact, Quantcast’s deceptive design is so effective, that the company proudly declares that it achieves a 90 percent consent rate on websites that use its framework.

Data brokers and the hidden data ecosystem

The fact that countless companies are tracking millions of people around the web and on their phones is disturbing enough, but what is even more disturbing about my Quantcast data is the extent to which the company relies on data brokers, credit referencing agencies, and even credit card companies in ways that are impossible for the average consumer to know about or escape.

Advertising companies and data brokers have been quietly collecting, analysing, trading, and selling data on people for decades. What has changed is the granularity and invasiveness at which this is possible.

Data brokers buy your personal data from companies you do business with; collect data such as web browsing histories from a range of sources; combine it with other information about you (such as magazine subscriptions, public government records, or purchasing histories); and sell their insights to anyone that wants to know more about you.

Even though these companies are on the whole non-consumer facing and hardly household names, the size of their data operations is astounding. Acxiom’s Annual report of 2017, for instance, states that they offer data “on approximately 700 million consumers worldwide, and our data products contain over 5,000 data elements from hundreds of sources.”

Part of the problem is that this data can be used to target, influence, and manipulate each and every one of us ever more precisely. How precisely? A few years ago, an advertising company from Massachusetts in the US targeted “abortion-minded women” with anti-abortion messages while there were in hospital. Laws in the US are very different from what is legal in the IS, yet the example shows what it technically possible: to target very precise groups of people, at particular times and particular places. This is the reality of what targeted advertisement looks like today.

While uncannily accurate data can be used against us, inaccurate data is no less harmful, especially when data that most of us don’t even know exists and have very little control over is used to make decisions about us. An investigation by Big Brother Watch in the UK, for instance, showed how Durham Police in the UK were feeding Experian’s Mosaic marketing data into their ‘Harm Assessment Risk Tool’, to predict whether a suspect might be at low, medium or high risk of reoffending in order to guide decisions as to whether a suspect should be charged or released onto a rehabilitation program. Durham Police is not the only police force in England and Wales that uses Mosaic service. Cambridgeshire Constabulary, and Lancashire Police are listed as having contracts with Experian for Mosaic.

How Privacy International is challenging the hidden data industry

If you have been following the Cambridge Analytics and Facebook scandals over the past few months, you might get the impression that privacy scandals are about bad actors misusing well-intended platforms during major elections, who are guilt of responding too slowly. Our interpretation has always been that we are faced with a much more systemic problem that lies at the very core of the current ways in which advertisers, marketers, and many other exploit people’s data.

The European General Data Protection Regulation, which entered into force on May 25, 2018 gives people strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers.

That’s why Privacy International has filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.

These companies do not comply with the Data Protection Principles, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. They also do not have a legal basis for the way they use people's data, in breach of GDPR.

The world is being rebuilt by companies and governments so that they can exploit data. Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back. We urge the data protection authorities to investigate these companies and to protect individuals from the mass exploitation of their data, and we encourage journalists, academics, consumer organisations, and civil society more broadly, to further hold these industries to account.

This piece was written by PI's Data Exploitation Programme Lead Frederike Kaltheuner