Privacy Implementation for Quantcast Advertiser Partners

Last Update: August 20, 2021

This documents the arrangement between Quantcast and its advertiser partners or clients for allocating privacy-related responsibilities and ensuring that users’ rights are honored with respect to data processed by Quantcast’s services. 

Privacy regulation around the world is dynamic. Quantcast may update this document from time to time at its own discretion in order to keep pace with changes in privacy rules and risks, and industry best practices, as well as to ensure users’ rights are honored appropriately.

Quantcast may take reasonable measures to ensure that data processed in its services is collected and processed in accordance with privacy rules and industry best practices. We may review locations where data is collected and may refuse to accept data that is not collected in a manner consistent with the approaches described in this document.  

Terminology

This document uses “user” or “users” as interchangeable with “data subject” or “consumer” or other equivalent terms from various rules. 

When we say rules, we mean laws, regulations, and industry self-regulatory codes that are applicable to the processing of personal data in relation to Quantcast’s services. Quantcast has a global footprint, including operations in Europe, the UK, and California, so those jurisdictions’ rules are applicable to Quantcast for data about users who reside in those jurisdictions.  

We will also use “personal data” as interchangeable with terms such as “personal information.” Personal data processed by Quantcast’s service is pseudonymous, including but not limited to IP address, cookie or device IDs, and other identifiers used for advertising-related purposes. In the case where a partner has express permission from Quantcast to use email address, phone number, or other directly identifying information, such information will be pseudonymized (usually hashed or encrypted), according to Quantcast specifications, before transmitting to Quantcast.

Industry standards and self-regulatory programs

Quantcast supports and participates in industry self-regulatory programs, and generally implements industry standards and best practices when it comes to handling personal data. Partners and clients are responsible for ensuring their own implementation of self-regulatory rules and industry best practices, in particular related to providing transparency and choice to users in places where data is collected or used by Quantcast’s services. 

Controller, processor, service provider, vendor, etc.

Unfortunately, terms describing the relationships between parties sharing data are not interchangeable. Quantcast determines its role based on applicable law and the facts of its processing of personal data. In many relationships with advertiser partners or clients, Quantcast is a controller or joint controller, because of the role that Quantcast plays in defining exactly how data is used. This does not mean Quantcast has unfettered rights to use this data; rather, Quantcast’s use of the data is usually restricted by contractual limitations. If you have questions about this, please consult your agreement or ask your account representative.

Advertisers: Where the GDPR applies, Quantcast is a joint controller of personal data collected using Quantcast tags and pixels and of other personal data introduced into Quantcast’s services by the advertiser. Where the CCPA applies, Quantcast acts as a service provider to the advertiser.

Notice/Transparency and Choice

Laws, self-regulatory rules, and industry best practice require users be notified about processing of personal data, and be offered a choice – either opt in or opt out – with respect to that processing.

When deploying Quantcast tags or pixels, or otherwise introducing data into Quantcast’s services, partners and clients are responsible for making sure that users are given the notice and choice required for Quantcast to be able to collect and process the data. And, of course, partners and clients have to ensure notice and choice for their own personal data collection and processing.

Generally, notice must include the fact that third parties are collecting and processing users’ data, along with information about the data collected, the means of collection, the purposes for processing (including interest-based advertising), and access to choice. Laws or rules in some jurisdictions would require that Quantcast be specifically identified in the notice and a link to Quantcast’s privacy policy be included. 

Quantcast’s methods of collection include, depending on particular circumstances, cookies, pixels, JavaScript tags, probabilistic device matching and cross-device matching (using passively collected data). Details about Quantcast’s cookies can be found here.

Quantcast implements choice using industry standard methods, and will be responsible for honoring that choice with respect to personal data within Quantcast’s services. 

For their part, partners and clients need to provide access to the choice using industry standard and legally compliant methods, depending on the applicable laws and rules. Usually this means providing access to choice within other privacy disclosures, including in a privacy policy.

In all cases, partners and clients should have user-facing privacy policies that are prominently linked from their homepages and from content (sites, apps, etc.) where personal data are collected or used. 

Privacy policies will adhere to applicable laws, as well as industry self-regulatory requirements and industry best practices. At minimum, policies should disclose the fact that third parties are collecting personal data for advertising-related purposes, and should describe the methods of collection, as described above. Particular circumstances and applicable rules may create additional requirements.

Where consent (opt-in) is required prior to setting cookies or collecting data, such as in Europe under ePrivacy and the GDPR, partners and clients are responsible for making sure that tags or pixels don’t fire until that consent is obtained.

Europe and the UK: The industry standard means for ensuring notice and choice for vendors like Quantcast in Europe and the UK is the IAB Transparency and Consent Framework. Quantcast is vendor ID 11. Quantcast’s required purposes and associated legal bases are viewable in the Global Vendor List. Because Quantcast is subject to European law, the TCF should be used for all users in Europe or the UK, even if the client or partner has no operations in Europe. Alternatively, such partners and clients may elect not to introduce data about European or UK users into Quantcast’s services. Quantcast Choice is a leading, and TCF compliant, Consent Management Platform. Proper use of Quantcast Choice will meet these requirements.
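
One way a page can hold a tag back until the TCF signal for vendor ID 11 is present, as an added example that is not Quantcast's code or part of the original document. It assumes a TCF v2 CMP exposing `__tcfapi`; the `loadTag` callback and the purpose list `[1]` are illustrative assumptions, and the purposes actually required are the ones listed in the Global Vendor List.

```javascript
// Added example: gate a tag on TCF v2 consent for vendor ID 11.
const QUANTCAST_VENDOR_ID = 11;   // vendor ID stated in this document
// Assumption: TCF purpose 1 (store/access information on a device).
// Replace with the purposes listed for the vendor in the Global Vendor List.
const REQUIRED_PURPOSES = [1];

// Turn one TCData callback into a decision. Anything unclear fails closed.
function consentDecision(tcData, success) {
  if (!success || !tcData) return 'block';                 // CMP reported an error
  if (tcData.gdprApplies === false) return 'out-of-scope'; // other rules govern this user
  // 'cmpuishown' means the prompt is still open; no choice has been made yet.
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return 'wait';
  const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  const vendorOk = vendorConsents[QUANTCAST_VENDOR_ID] === true;
  const purposesOk = REQUIRED_PURPOSES.every((p) => purposeConsents[p] === true);
  return vendorOk && purposesOk ? 'fire' : 'block';
}

// Register with the CMP and call loadTag (hypothetical: injects the tag)
// at most once, and only after a 'fire' decision.
// Returns false when no CMP is present, in which case nothing is loaded.
function gateTagOnConsent(win, loadTag) {
  if (typeof win.__tcfapi !== 'function') return false;
  let fired = false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!fired && consentDecision(tcData, success) === 'fire') {
      fired = true;
      loadTag();
    }
  });
  return true;
}
```

In a browser this would be called as `gateTagOnConsent(window, loadTag)` in place of embedding the tag directly in the page markup.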

Partners and clients not using the TCF for European or UK users need to use a legally compliant alternative means to ensure Quantcast’s legal basis for using cookies, where applicable, and for processing the data. This includes that Quantcast must be identified as a controller of the user’s personal data, and a link to Quantcast’s privacy policy must be provided. Quantcast may in the future require TCF. 

Privacy policies in Europe and the UK need to include a link to the European Digital Advertising Alliance (EDAA) opt out page, located at youronlinechoices.com.

US:

In the US, along with other requirements laid out here, privacy policies need to include links to an industry standard opt out page, like the NAI or DAA. 

California: The CCPA applies for users in California. Partners and clients need to provide notice of selling and access to the right to opt out, as required. Quantcast does not sell data, as defined under the CCPA. Unless agreed otherwise with Quantcast, Quantcast acts as a service provider, as defined under the CCPA, for Quantcast Advertise customers. 

Access and Deletion

Under the GDPR, as a controller or joint controller, Quantcast will be responsible for providing users access to their personal data that is within Quantcast’s services, and for deleting personal data after a user’s request.  

Under and as required by the CCPA as a service provider, Quantcast will cooperate in honoring access and deletion requests. Note that data is regularly aged off as part of the normal function of the services. Consult Quantcast documentation or your account representative for details.

Other Matters

Sensitive data. Because Quantcast’s services are not intended for processing sensitive or special category data or data about children, partners and clients must not transmit to Quantcast or cause Quantcast to collect any such data. Quantcast tags and pixels may not be deployed on content that is directed at children. Sensitive or special category data includes data defined under Article 9 of the GDPR, Section 1798.140 of the CCPA (as amended by the CPRA), or any equivalent term under applicable law. 

Directly identifying personal data. Quantcast’s services are not designed to process directly identifying personal data, such as names or email addresses, and partners and clients may not send such information to Quantcast or cause Quantcast to collect it. If a partner has express permission from Quantcast to use email address, phone number, or other directly identifying information, such information will be pseudonymized (usually hashed or encrypted), according to Quantcast specifications, before transmitting to Quantcast.