Formal complaints to European regulators under the GDPR by UK non-profit Privacy were also filed against ad-tech companies Criteo, Quantcast and Tapad as well as credit agencies Equifax (the subject of a massive breach just last year) and Experian
"Ailidh Callander, a legal officer at Privacy International, said in an email to Engadget."
"Our complaints target companies that are exploiting the data of millions of people, are not household names and therefore have their practices challenged.
Data brokers aggregate personal information from other sources ̵
This alleged lack of consent is exactly what Privacy International is targeting. The non-profit claims that these companies paint "legitimate interest" (in legal terms) for processing the personal data, which may infer political, ethnic and religious affiliations. The companies fail to comply, with the principles of "transparency, fairness, purpose limitation, data minimization, accuracy and confidentiality and integrity" – in other words, almost all of the new privacy law's core foundations.  "The law has changed to such companies as well," said Callander.  GDPR conceptualises data privacy and [how] these companies do on the onus is on them (if necessary, pushed by regulators) to close it. "
In public statements, Experian has said : "We have worked hard to ensure that we are compliant with GDPR and continue to believe that our services meet its requirements." Criteo has stated: "We have complete confidence in our privacy practices."
Companies are still feeling out of control. Facebook and Google are among the other companies who have faced complaints so far. A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.