How Well Are Big Brands Handling User Rights Under The GDPR?

The 25th of May, 2019, marked the first anniversary of the introduction of the General Data Protection Regulation (GDPR) – an EU law meant to give internet users better control of how their data is collected and shared. Much has been written about the regulation since then, but its true impact can only be measured by the actual changes it brings and how well it is respected and enforced.

The GDPR intended to tame the digital-advertising world, curtail unlimited user tracking, and return control to users over their data, but over a year into its implementation, we still run into blatant displays of disrespect for the law’s noble assumptions.

Who Processes My Data?

When you share your data with an online service, you instinctively expect that the data is processed only by the company whose website you’re visiting, but this is far from the truth. Almost every website integrates many third-party AdTech platforms that process inordinate amounts of data about you. You may not even be aware of their existence (Quantcast, anyone?), but they certainly know a thing or two about you. 

Pretty much every publisher shares your data with a number of such third-party companies, and if you don’t pay proper attention to the consent notices and simply click “agree” just to close it, you’ll likely be handing over your data to companies you’ve never even heard of.

There are good reasons to take better care of your online data. User data and consents (post-GDPR) are the new currency that fuels online marketing. Advertising companies and data brokers – often unbeknownst to internet users – collect, analyze and sell data on the people that browse the internet.

Has the GDPR Improved the Privacy of Users?

Despite the growing awareness of privacy issues after the introduction of the GDPR in May 2018, not much has changed in terms of how people browse the internet. 

Bad habits die hard. 

Back in 2017, Acxiom, an AdTech company providing an identity-resolution platform, admitted to having data on 700 million people and boasted that their “data products contain over 5,000 data elements from hundreds of sources.” What has changed after the GDPR is the extent and granularity at which this is possible today.

With trackers on numerous websites and apps you use, AdTech companies are able to piece together a very detailed image of you as a potential advertising target. 

From a user’s perspective, it is really difficult to keep track of all consents and to control the dissemination of data. The GDPR was introduced with just that in mind – to give individuals solid legal backing and tools to regain control and ownership of their data.

But even with the GDPR in force, AdTech companies are still boasting surprisingly high concentrates on websites using consent-management frameworks; the numbers reach an eye-watering 90%. This statistic certainly seems inflated due to a number of reasons:

• Misleading consent-box design. Providers of consent-collection platforms (or the companies using such platforms themselves) use very deceptive or intentionally unintuitive design for their consent-collection boxes. Not agreeing is typically made more tedious and time-consuming than simply accepting tracking. On top of that, some consent boxes use “assumed consent” – anything other than an explicit “no” constitutes consent. For example, closing the consent box and continuing straight to the website without adjusting the privacy settings is interpreted as an agreement. As a result, most internet users instinctively press the biggest button to get straight to the website’s content, and ultimately, unintentionally, agreeing to all, or most, data-processing purposes. 

• The privacy paradox. This is a term coined back in 1998 as a name for the phenomenon of online users declaring strong concern about privacy combined with behavior that directly negates it. For example, users of Facebook may not agree to disclose their real home address on the website, but they readily allow for location tracking.Similarly, internet users may express dislike for online behavioral advertising that uses cookies, but then hand over personally identifiable information (PII) to companies like Facebook and Google, which is then used for demographic targeting.  
• Data leaks. Some publishers are known to continue firing third-party tags even when users don’t give consent for the processing of their data. There is, of course, the need to collect and store user consent and pass it along to a publisher’s AdTech partners, but user’s data may still be passed (or “leaked”) to various AdTech platforms.

What Is the GDPR Really For?

Contrary to common belief, GDPR is not about putting an end to advertising per se. Instead, it’s about allowing people to make conscious decisions about sharing their data with AdTech companies – and the ways in which their data is then processed. 

GDPR is intended to stop AdTech companies from using user data for personalization and ad profiling without prior explicit consent. The reasoning behind it is that unrestricted sharing of user data could potentially lead to situations where users are profiled and targeted in very detailed ways that take advantage of their social and economic situation (people who divorces, suffer from cancer, are addicted to gambling etc.). The GDPR basically puts an end to such illicit practices, and gives users practical tools to wield control of the data in the internet space.

Thus, the GDPR boils down to stopping:

• Profiling using personal data without the person’s explicit consent
• Using thus obtained data in automated decision making
• Unsafe storage and transfer of personally identifiable information

The Abuse of Legitimate Interest

Legitimate interest is very likely GDPR’s most controversial and debated clause. It is one of the six lawful grounds for personal data processing that do not require explicit user consent. 

Legitimate interest applies when data collection and profiling is allowed without consent – only in situations where the consent is implied, i.e. expected and required e.g. to fulfill an order placed online. For example, the user must provide their home address, and Amazon must share it with DHL to be able to fulfill the order. 

However, because legitimate interest is very prone to misinterpretation, it often serves as a loophole for AdTech companies, whose reasoning may be something like: “we have legitimate interest. We have to display you targeted ads because this is our business model and the only viable way to provide our free content.”

Fortunately, this interpretation is a little far-fetched with regard to GDPR, which also states that legitimate interest only works if it doesn’t infringe on the rights of the data subject. Also, the Article 29 Working Party stipulates that behavioral advertising and data brokering doesn’t classify as legitimate interest.

Legitimate interest may, however, apply in very specific situations like: direct marketing (where no third parties have access to your data), website personalization for improved experience, web analytics, providing security, fraud detection, and reporting of criminal acts (i.e. Facebook will share your data with the Police as part of criminal investigation).

What Are Data Subjects’ Rights?

According to the provisions of Article 15 of the GDPR – “Right of access by the data subject” – data subjects have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed by the company. They have the right to know about the following:

• Purposes of the processing.
• Categories of personal data concerned.
• Recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations.
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
• Existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
• Right to lodge a complaint with a supervisory authority.
• Where the personal data are not collected from the data subject, any available information as to their source.
• The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

Under the GDPR, data subjects – individuals sharing their data with companies on the internet – must have the right to access their personal data, correct it or even request the company to delete the collected data. This means that every company processing the data should have proper tools in place to enable efficient processing of such requests, or face the risk of having to handle such email requests manually. 

Individuals also must be given access to their personal data – not only the data that was willingly provided, but all the data being processed by such an entity. 

The specific user rights regarding data under the GDPR:

Right to Access

You have a right to know what data a company has stored on you. In addition, you can, for example, ask for the purpose of storing the data or which source it was obtained from. If the company employs scoring, they have to tell you your score and explain in detail how it is calculated.

Right to Rectification

If a company is storing incorrect information on you, they have to correct it immediately upon receiving a notice from you.

Right to Be Forgotten

As soon as the data a company has stored about you is no longer necessary for the purpose for which it was collected, you can demand they delete this data. If the data was passed on to third companies, they must even be informed about your deletion request.

Right to Object

Even if you have given your consent to the use of your data at some point, you may revoke it at any time. The company cannot make the revocation of consent more difficult than the original approval.

Right to Data Portability

The information you provide to a company is yours. You have the right to receive this information from them in a common machine-readable format so that you can easily transfer it to another company.

How to Exercise Your Rights Under the GDPR

There are several ways your GDPR rights concerning data can be exercised. Companies have a one-month timeframe (counted from receipt of the request, which can be debatable in itself) to respond to each request they receive from a user.

Here are a couple of ways to file your data requests:

• Using a relevant form on the data controller’s website. This is the easiest way to request access to your data and exercise your rights. However, not every website has a form like that. McDonald’s has a nice implementation of such a form on their website, allowing users to use any of the data rights under the GDPR:

• Writing an email to the address provided on the website. When no relevant GDPR compliance form is found on the company’s site, emailing them is probably the easiest and most intuitive way to gain access to your data. The company must respond to you within a month’s time of sending such a request (check your “sent” date and count 30 days). Mind that companies may provide a dedicated email for handling electronic-data requests. The content of the email does not have to be different for each company you send the request to. Here’s a template you can use:

Dear Sir or Madam:

I am writing to obtain the following information that I am entitled to receive pursuant to Article 15 of the General Data Protection Regulation (GDPR):Please confirm as to whether or not my personal data is being processed, and, where that is the case, please provide access to the personal data, and the following information:
The purposes of the processing;
The categories of personal data concerned;
The recipients or categories of recipient to whom the personal data have been or will be disclosed;
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
Where the personal data are not collected from me, any available information as to their source;
The existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.
If you need any more information from me, please let me know as soon as possible. Please note that I have the right to receive this information in a standardized format within 30 days of your receipt of this request.
If you do not normally deal with these requests, please pass along this letter to your Data Protection Officer. I can be contacted by email, phone, and mail. My preferred method of contact is email.
Regards,

[ MY SIGNATURE ]

[ MY NAME ]
[ MY ADDRESS ]
[ MY PHONE NUMBER ]
[ MY EMAIL ADDRESS ]

• Using a dedicated “wizard” tool. Website like https://www.datarequests.org/ or https://mydatarequest.com/ make it much easier to take back control of your data. They help you send multiple requests from one place.

How Big Brands Respond to User Requests

To put the GDPR’s assumptions to the test, I decided to see how well data requests are handled in real life, and sent my requests to a number of companies processing my data.

Most of the companies were big multinationals that would never be able to manually handle the onslaught of millions of data subjects like myself exercising their data rights. Instead, these companies have put proper self-service mechanisms in place to provide users easy ways to download the data on their own. This implementation was offered by big social media and platforms, including Facebook, Google, Twitter and LinkedIn.

Other companies provided dedicated forms enabling users to submit requests. In such a case, the request may not handled immediately and, require the company to respond first. according to the GDPR, the company has 30 days to respond. What few people know, however, is that in specific cases (with regard to the complexity and number of filed requests) the period may be extended by two further months, which makes a total of 90 days.

In the list, I’ve also included a number of companies whose services I’ve never actually used, just to see to what extent the data is leaked or shared when I don’t specifically express my consent.

Facebook

The more different data a platform has on users, the more automated processes they need to use to enable users submitting GDPR requests. Facebook offers its users an easy way to amend, transfer or delete data using a dedicated automated form and immediate download links. The data is downloaded directly from the website. 

What Facebook Knows About You

Facebooks keeps information about everything you do while logged in. This includes, but is not limited to: what you do on Facebook (interactions, places, likes, etc) and what you say on Facebook Messenger. On top of that, Facebook knows:

• How long you spend online
• Your current location — this is how it knows which restaurants to recommend and which ads to display
• The places you check in
• The pages, accounts and hashtags you connected with on Facebook and your interactions with them
• Your contacts, if you choose to upload your phone book or call history.
• Things you buy directly from or through Facebook, but also things you may not think about, like the metadata from photos you upload.
• Your friends can tag you in posts and photos, which gives Facebook information about how you look (even if your own profile does not use a photo).

The amount of data Facebook has on you is truly staggering, but fortunately users can amend or delete their data any time by accessing and editing their accounts.

Many online and mobile apps include the popular Login with Facebook feature, which, while very convenient for the users, shared a lot of your data with third parties. Developers can also use this feature to get your permission to access Facebook data. In addition to iOS and Android, it also works across the web and on some smart TVs.

Integrations of Facebook login originally served much like a Trojan Horse, allowing third-party apps to tap into your Facebook profile information without you directly providing it. Facebook has allegedly changed this, setting strict data sharing rules and introducing a stringent review process for all apps that want to use anything beyon basic identity information made available via Facebook.

McDonald’s

Most of the information McDonald’s has on its users is voluntarily provided by them first, e.g. by filling in a form to submit a vacancy, sign up for our newsletter or fill in any other question and comment form. 

McDonald’s has created a dedicated GDPR rights center on its website through which it collects all data requests (access, object, portability, rectification, deletion) under GDPR. After submitting a request, the user receives an immediate request receipt confirmation which looks like this: 

I submitted my deletion and access requests together, received a confirmation email, and three weeks later got another email trying to verify that I was really the person sending the requests. Once I confirmed my identity, the deletion request was fulfilled as first. My right to portability was then ignored as there was no longer data to transfer. Disappointing, but understandable.

Uber, Uber Eats, Jump

Uber offers a very simple online wizard for all GDPR-related data requests. The company has also prepared a very comprehensive guide detailing why and how they use user data.

When requested, your data download is ready on the same day. The archive is downloaded directly from the website and contains all data points collected in CSV files. This includes all data Uber has collected on you across Uber, Uber Eats and Jump.

What Uber Knows About You

• Your name and email address, mobile number, rating(s), and the date you signed up for Uber
• Referral code(s) issued by Uber
• Payment method information, such as the date you created and updated a payment method, the issuing bank’s name, billing, and payment method type (Visa, debit, etc.)
• Metadata about support conversations with Uber
• Communications sent between driver and rider or between delivery partner and customer (note: you will only see messages you sent)
• Your rider data includes information used to get you to your destination:
  • Times and locations at which a trip was requested, started, and ended, as well as distance traveled
  • Trip prices and currency
• Your JUMP data includes information for trips you took using JUMP bikes, including:
  • Times and locations at which a trip was started and ended, as well as distance traveled
  • Trip prices
• Your Uber Eats data includes order history details like:
  • Restaurant names, items ordered, prices, and the time you placed your order
  • Customizations or special instructions

Twitter

User data can be deleted and amended at any time directly by accessing your Twitter account settings. A copy of your data can be requested and downloaded directly from the website within a few minutes. The zip archive contains JSON files with all your data.

What Twitter knows about you

Twitter has all the information is has collected through your profile, including your Tweets, your DMs, your Moments, and your media (images, videos and GIFs you’ve attached to Tweets, DMs, or Moments). Twitter also knows your followers, your address book, lists that you’ve created, and checks what you have subscribed to. It has the inferred information about your interest and demographics, and information about the ads that you’ve seen or engaged with on Twitter.

• Profile activity
• Interests
• Inferred interests
• Tailored audiences

YouTube

HTML, JSON, MP4 video (your uploaded videos). Immediate response (automated form). Users can amend or delete their data any time by accessing and editing their accounts. 

Like for many other Google products, data can be easily accessed and amended by accessing the account settings. Through a dedicated page called Google Takeout, you can also download the data (i.e. exercise the right to data portability), and download your data directly from the website.

What YouTube Knows About You

YouTube shares the data it collects from you with other Google products. Apart from the data you can easily access and amend directly from the user panel, YouTube allows you to download additional all the data that may otherwise be not accessible in a machine-readable format.

• Videos that you’ve uploaded
• Video metadata
• History
• Subscriptions
• Playlists
• Comments
• Live chats
• Community posts
• Community posts attachments
• Stories
• Chats
• Community contributions (e.g. translations and transcriptions that you’ve contributed for videos on other channels)

Google Maps

Like for many other Google products, data can be easily accessed and amended by accessing the account settings. Through a dedicated page called Google Takeout, you can also download the data (i.e. exercise the right to data portability), and download your data directly from the website.

What Google Maps Knows About You

Google Takeout offers an automated form/link to download the data directly from the website. The data is available in multiple formats (JSON, GeoJSON and CSV) depending on the type of data, and includes:

• Preferences and personal places in Maps,
• Food and drink preferences,
• Commute routes,
• Added dishes, products, activities
• Labelled places
• Location data collected (while opted-in to Location History),
• Records of your starred places and place reviews,
• Your preferences and personal places in Maps

Slack

Users can update their basic profile information at any time by accessing and editing their accounts. GDPR’s removal and portability requests, however, are typically only possible through the administrator of you Slack instance. Go to the bottom of your Team Settings page to check whether compliance exports have been turned on for your team.

Slack offers your space’s administrators various data portability and management tools:

• Import and export tools allowing to access, import, and export their Customer Data using Slack’s tools.
• Profile deletion tool. Allows to respond to user requests to delete personal information, such as names and email addresses, from a Slack account.
• Workspace settings center. See your workspace’s plan and settings, or contact an admin who controls the workspace.

The content available for export may be limited depending on the organization’s plan and data retention settings. The download is prepared in CSV and text formats.

What Slack Knows About You

Slack data download is prepared in a .zip file and contains your:

• Message history
• Private channels
• Direct messages

Final Thoughts

The EU was the first mover with data-protection laws and many other countries are now following suit, such as Brazil, India, and the US. 

Many data-protection authorities in Europe have already started making use of their newly acquired powers. 

Case in point: the UK’s Information Commissioner’s Office (ICO) recently imposed a fine of £99,200,396 ($123,705,870) on the international hotel chain Marriott for non-compliance. 

But these high-profile cases are not the only examples. By browsing GDPR Enforcement Tracker, a website that keeps a regularly updated, comprehensive list of all companies fined under the new data-protection law, we can see that various EU DPAs have already handed down fines in over 66 separate cases. 

The future of online advertising, and the internet more broadly, is one that respects user privacy by default and adheres to privacy and data-protection laws.

Many companies are changing to become compliant with laws like the GDPR, but there are so many that have done next to nothing.

History will show that those who don’t act now will be the ones that get left behind.