Q for Marketers Privacy FAQ
1. What is personal data and personal information?
Personal data (sometimes referred to as personal information) is any data that is or can be associated to an individual (such as a website or app user) enabling that individual to be singled out. For example, personal data includes ‘identified’ personal data such as names, usernames, passwords and contact information. It also includes ‘identifiable’ data such as online identifiers like cookie identifiers, device identifiers and IP addresses.
In providing its Q for Marketers service to its clients, Quantcast processes information such as a user’s Internet Protocol address or random identifiers assigned to a user’s browser or device, such as cookie identifiers that are considered personal data or personal information under certain privacy and data protection laws.
2. Why is Quantcast a “controller” or ”joint controller” and not a “processor” of personal data when providing its Q for Marketers service under the GDPR?
A company does not have discretion in determining its designation under the GDPR, i.e., controller, joint controller, or processor. Instead, the applicable role and associated obligations follow from an objective assessment about whether a company determines the means and purpose of the processing of personal data.
Quantcast regularly makes decisions about and on the basis of the personal data it processes to deliver and improve the service provided to its clients, including the means and purposes of the processing. For example, Quantcast has created Quantcast tags and cookies as the means to collect personal data and determines how that data is used to provide its services, improve its services, and keep its services secure. Therefore, Quantcast operates as a controller of personal data for its Q for Marketers service under the GDPR.
To the extent that a client implements a Quantcast tag on its website, Quantcast and the client may act as joint controllers for certain processing activities because the client has a degree of control over whether Quantcast processes personal data through the decision of implementing, or not, the Quantcast tag.
The designation of Quantcast as a controller for its Q for Marketers service does not give Quantcast any additional rights over personal data received or derived from a client’s use of the service. Quantcast’s use of personal data continues to be governed by the terms of its contracts with clients, in addition to applicable privacy and data protection law. See Question 5 “What are the contractual limitations for Quantcast’s use of personal data derived from a client’s use of the service?”
3. Why is Quantcast a “service provider” when providing its Q for Marketers service under the CCPA?
In order to be considered a service provider, a company must process personal information on behalf of a business and be bound by a written contract that prohibits it from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the service specified in that contract or as otherwise permitted by the CCPA.
Quantcast operates as a service provider for its clients on the basis of a written contract when providing the Q for Marketers service and does not retain, use, or disclose personal information derived or received from clients for any purpose other than for the specific purpose of performing its services under the Q for Marketers service. See Question 5 “What are the contractual limitations for Quantcast’s use of personal data derived from a client’s use of the service?”
4. Why does sharing personal information with Quantcast not constitute a “sale” of personal information under the CCPA?
While a sale of personal information under the CCPA is defined broadly and includes any exchange of personal information for money or other valuable consideration, the CCPA is clear that disclosure of personal information to service providers does not constitute a sale.
As Quantcast operates as a service provider to clients when providing its Q for Marketers service, disclosures of personal information by the client to Quantcast does not constitute a sale of personal information under the CCPA.
5. What are the contractual limitations for Quantcast’s use of personal data derived from a client’s use of the Q for Marketers service?
Under the Q for Marketers Master Services Agreement, Quantcast is prevented from using data collected or received in connection with providing the service to a client for any other purpose. In other words: Quantcast must use such personal data exclusively for the specific purpose of providing the service to the client in accordance with the Q for Marketers Master Services Agreement.
In practice, that means that personal data collected from a client’s website through tags provided by Quantcast for use in connection with Q for Marketers, or personal data received from a client for use in connection with Q for Marketers in other ways, such as through DMP personal data onboarding, will only be used to create a model or otherwise define an audience for the specific client from whom the personal data was derived.
While Quantcast will also use the personal data to generally improve its service, maintain the security of its service, and detect and prevent fraud, Quantcast will only do so on the basis of short-term, internal, and transient use of the personal data in question to achieve an aggregated result that cannot be linked back to any specific client.
In addition, the Q for Marketers Master Services Agreement includes a CCPA-specific addendum that clearly sets out the above in the context of the CCPA.
6. Which disclosures does Quantcast require clients to make on their websites?
In accordance with digital advertising industry self-regulation and best practice, Quantcast requires its clients who implement Quantcast tags to make certain disclosures with the aim of informing users about how their personal data may be processed and how they can exercise control over such processing in a conspicuous privacy notice. Specifically, Quantcast requires that such a privacy notice informs users about the fact that third parties may be collecting and processing personal information for interest-based advertising purposes and provides a link to an industry opt-out website, such as the Network Advertising Initiative Consumer Opt Out.
To the extent that a website may be accessed by users in the EU/EEA, Quantcast further requires clients to provide certain additional information in connection with obtaining a user’s consent for the use of cookies or other device information and the processing of their personal data. See Question 8 “How can a client comply with Quantcast’s EU consent requirement?”
7. Why does Quantcast require its clients to obtain consent from EU users?
To be consistent with EU privacy and data protection laws, the use of Quantcast technology on websites or apps requires the informed consent of users. As a third-party technology provider, Quantcast cannot directly provide information and obtain the user’s consent when they are accessing a client’s website or app. However, a client can provide information to users and obtain their consent because users will be accessing the client’s website. As such, Quantcast relies on its clients to provide necessary information to consumers and obtain their consent.
8. How can a client comply with Quantcast’s EU consent requirement?
Please consult “How can I comply with Quantcast’s EU consent requirement?”