And their response?
"The data laws don't apply, that's not 'your' data, that's our data now and we can do whatever we like with it."
Privacy International (PI) has filed complaints of "systematic infringements" of data protection law by seven info-sucking companies that it says find it too easy to fly under the radar. In the civil rights group's sight are data brokers Acxiom and Oracle, ad-tech firms Criteo, Quantcast and Tapad, and credit referencing …
Also:
"...And what are you going to do about it?"
or possibly:
"You and what army?"...
.
GDPR sounds good, but I need to see it in action before I trust it will have any effect. There have been lots of "theoretically you don't have to put up with this, but don't get your hopes up nevertheless" type laws, and those companies have good lawyers and all the right connections.
My next exciting diversion is dealing with the fact that at least two of the credit reference agencies work off the Postcode Address File, which lists delivery points and omits sites with multiple households but a single mail drop point (37 households in our case). So, whenever I try and do anything which requires a credit reference check, it's a toss-up what the result is going to be. Royal Mail do have a multiple-occupancy database, which I am on, but that costs extra so the obviously badly cash-strapped agencies don't bother with it.
It's not that these companies are not interested in complying, it's just that they are being thorough. They get an email asking them to refrain from gathering information on someone and to get rid of what they have already got. They comply. As part of this action, they wipe all email correspondence with the individual in question (that's data, too). Going forward, they are free to gather more information concerning the same individual as they have no record of being asked not to.
Not quite. Your personal information is your data, not theirs.
I believe DPA considers them to have legitimate reason for collecting your data. Presumably it should be possible to ask them to delete all your data, however that would most likely make it somewhat difficult to obtain credit (or many services that may either do credit checks or effectively offer credit if you pay monthly).
I don't think they can necessarily do whatever they like with it either without risking falling foul of GDPR.
With all that said, I think they hoard way too much data that can be abused (or lost...) and welcome probing into their practices.
I think Oath are open to a GDPR investigation as well. Demurring from data collection must be as easy as consenting, and if you have seen the number of extra pages, check boxes, and voluminous text you have to read through, rather than clicking on the 'I agree' button, I suspect they could fairly easily be shown not to be in compliance.
The relevant test is Article 7 of the GDPR:
Art. 7 GDPR - Conditions for consent
[Para 3, sentence 4] It shall be as easy to withdraw as to give consent.
Frankly, if the default were no collection and processing, with the end user having to read through voluminous text and check a number of tick boxes in order to consent, it would be more in tune with the spirit of the GDPR, which is generally a default of no permission to collect or process personal information.