It'd be useful if the author revealed how she managed to obtain her data. I am pretty sure that a request with just your real name wouldn't reveal much. I assume that most data is collected under some identifier which isn't matched to your real name in order to thwart this kind of request.
Send an email to the address specified (privacy@quantcast.com) with your information and what you're trying to accomplish (typically either a disclosure of what personal information they have on you, or erasure of any said information).
They will almost certainly satisfy your request (even if you don't truly live in California or the EU) because there are significant regulatory repercussions for not responding to legitimate requests. Or at least that's how it works at the big company I work for.
Depends on the company. Atlassian for example thinks they've found a loophole by not allowing access to your account -- California allows a business to use logins to verify identity if you already have an account, but if they turn a blind eye and don't let you in with valid credentials then they supposedly don't have to respond to data access or deletion requests. I haven't cared enough to get a lawyer involved (which is what they're banking on I'm sure), but it seriously pisses me off.
Try emailing legal@atlassian.com if privacy@atlassian.com isn't getting you anywhere.
I can't speak to Atlassian specifically, but at sufficiently large companies, privacy@ emails tend to get routed directly to internal compliance teams, which may be operating under/within the legal org or just using a playbook legal has previously signed off on.
Legal@ has a good chance of being monitored by someone else. Worst case they route it back to the appropriate team and you continue getting stonewalled. Best case, the new set of eyeballs on the conversation has a very different view of the legal risk of your stonewalling experience, and you get what you want.
I haven't tried the above for compliance requests (as I'm not in a jurisdiction covered by GDPR or CCPA), but general BigCo experience has taught me just how variable responses from legal can be depending on which particular lawyer covers it[1]. Every lawyer evaluates risk in their own way, based on their experience, understanding, and conservative (or not) predilections. Simply having your correspondence seen by a different set of (legal) eyes could be enough to get a more satisfactory outcome for you.
[1] Or in this case, if the legal team sees it at all. Which may not be the case for privacy/compliance requests, if they've been delegated to a purpose-specific team that's operating off of a playbook.
I actually e-mailed to the author a year ago to ask that very question.
Her answer was that she provided her cookie ID to Quantcast and then asked for any data associated with that ID. She also promised me to include that information in the article to prevent confusion, but she never did.
Ironically, Quantcast only knew her real identity after the request.
A cookie to take to live ramp and they tell you all the other “anonymous” ids you have, including those that can identify you. Which is how ads follow across devices, for example. But can be used for any purpose.
Is this comment and that website [0] sarcasm? What exactly are you automating? The theft of my PII or the opposite? On this matter your privacy policy[1] confuse me.
Certainly seems like theft to me. Just because computers spew ridiculous amounts of PII does not mean company xyz llc has a right to collect that information or to use it for anything without educated and explicit opt in disclosure that verbosely enumerates every single instance in which said PII will be used between the time of collection and the heat death of the universe.
'server logs' fails to account for how that data is used which should explicitly defined. Failures to do so is misappropriation. A good litigation firm couls retire by challenging reckless companies on these grounds.
>does not mean company xyz llc has a right to collect that information or to use it for anything...
I guess this is where our opinions differ. In order for them to be absent the right to collect it you must force them to forget. That's where it doesn't seem like your information, after all they need to erase it. I'm all for legislation to regulate it's use.
Yeah, that’s a grey area actually. It’s why Google Analytics has the option of chopping off the last byte of IP addresses, for example.
Better to assume all PII and PI even if not identifying, belongs to the user. GDPR is explicit on some of this and not on others. Shared information, or that deemed necessary, won’t be deleted on request for say Uber/Lyft. There is a financial transaction and a driver etc, they won’t delete. They could sever the link to your profile though. Facebook offers something like this, but don’t do it. You will never be able to authenticate yourself again, and they will keep building the “anonymous” profile. It’s complicated for users out there...
>Better to assume all PII and PI even if not identifying, belongs to the user.
I agree from a liability standpoint, from a company's perspective. From a user perspective, better to assume all information that can be captured will be, it will eventually be available to all humanity and it doesn't belong to you.
Not sarcasm, we issue GDPR requests from an app on device, and you can request data (back to your device and not through us unless stated). Deletion requests are done as well. Data brokers, as a group, are obviously very anti-consumer, and getting them to comply in CA has been a huge headache (most simply do not). Prop 24 should help, so it’s going to be a long burn for consumers to take control. CCPA made hiring an agent (like us) explicit, but almost no one accepts that at the moment.
Alright, that's good, because I would really love for there to be a service that would streamline the way I request data from service providers or request the deletion of data connected to my account, as well as the account itself.
However, your site says:
>> We import and analyze all of your data across your online accounts and give you an audit and a plan of action.
Doesn't that mean that apart from all the, possibly bad, actors out there that have gotten their hands on my activities _you_ are now also in possession of PII connected to me? How does that improve things for me?
No, you are. Which has been a pain on our side to not have possession of the data, and also why it is an app for desktop if you want to have a copy of your data. It can be really large for a mobile device, and processing in the background is generally not available on mobile. Trying to get some things on mobile though -- deletion is easier than copies of data.
And yeah, we don't want to become a honeypot for what is the largest profile on you -- the combination of all the others.
One more reason to make sure your email account is not compromised in any way. I have many emails associated with my 'profile'. If one of those is compromised somebody could potentially request all of my data.
Requests for information should only be fulfilled with a notarized identification verification. The potential for security breaches here is massive.
In your request, let them know that you are specifically wanting to see what data they have that needs to be updated/corrected. Let them know that the ads you are getting are currently not working, and you are only wanting to help them fix the problem.
The data quantcast collects and stores is associated with cookies in the browser. Generally, you would have to visit their site to allow their code to query the data associated with their domain from your browser.
What to me _seems_ to be much more likely though is that multiple cookies are connected to a classification ID that multiple other users may also be connected to and that to identify your PII within their system you'll need to provide your user name.
I'd also like to know this. It seems like asking this organisation to delete my data would be largely beneficial, but what data do I need to provide for them to do it?
According to GDPR, the contact info for sending an access or deletion request must be provided in the Privacy Policy.
Under GDPR (Europe), if you send a request, the company must honor it unless they have reason to doubt your identity, in which case they must ask for follow-up. Under CCPA (California), they are only obligated to honor "verified" requests. There's a range of what counts as verifying, from just being able to log in to your account on the low end, up to providing 3 pieces of matching data on the high end.
The company is obligated to tell you what data they have. They are not obligated to go out of their way to make connections, though, so you're better served by providing as many identifiers as possible (like account numbers).
This is explicitly false. Mastercard or Experian might know her name but this would not be shared for an audience. Its simply cookie123 is in audience456.
It's a sizable revenue stream for the payment networks, credit bureaus, Tivo/Roku, and others you wouldn't even think of. When a cashier asks you for your zip code or phone number in the store, that's two ways used to tie the purchase back to your identity.
I did enjoy my time at Quantcast. The dataset is used for more than targeting advertising. For example, Quantcast's offers a free analytics product that uses the same dataset.
I am conflicted, and my view on data collection more broadly is more nuanced than what's in this comment. For this kind of data collection specifically: On one hand, it's how the entire publishing industry has built their revenue model. And I like news, sports, content, etc. On the other hand, it's creepy for a 3rd-party service that I've never heard of or interacted with being able to infer traits about me based on my browsing patterns, and then sell targeted advertising to yet another company I've never interacted with. I use an adblocker specifically for this reason, despite running an analytics startup.
