It’s long been known that the ad industry is powered by intrusive data collection practices.
In recent years, that narrative has been shifting. The industry is pushing for more transparent, privacy-friendly practices, whether that’s Apple’s AppTrackingTransparency framework, which cracks down on user tracking on iOS, Google’s decision to phase out third-party cookies on Chrome or various legislative actions across the world that aim to protect consumer privacy online.
But like many things in this industry, talk about embracing a brighter future is covering up an open but dirty secret: companies are still allowing the ease of buying, selling, commingling and appending personal data to lead to nefarious practices right under their noses.
Last week, Campaign US’ technology editor Jessica Heygate published an investigation uncovering a Department of Justice lawsuit filed against WPP in 2021. The suit was related to data broker KBM Group, a now defunct subsidiary of what is currently Wunderman Thompson. It alleged that the company was knowingly selling data to perpetrators of fraudulent mass-mailing schemes for nearly seven years.
The fraud schemes included offers for astrology readings or to claim bogus cash prizes or government grants – run-of-the-mill scams that disproportionately affected thousands of elderly Americans.
WPP negotiated a deferred prosecution agreement with the DoJ, which allowed it to avoid prosecution by admitting wrongdoing, implementing a compliance program and paying $42 million in penalties, $33.5 million of which went directly to the fraud victims. KBM also let go of staffers who knowingly facilitated the data sales to fraudulent companies.
A year later, KBM Group no longer exists (Heygate’s piece pulls apart the complicated thread of M&A that led to this), and its IBehavior database, which housed the personal data sold to scammers, is in the process of being shut down. The suit was quietly swept under the rug while KBM Group’s assets and some of its senior staffers were rolled up and rebranded into Choreograph, a new data unit within WPP.
What’s most shocking to me about this story is not the fact that a data broker owned by an ad holding company was perpetrating elder fraud. Not only have we seen that story play out before, but the lack of guardrails around data sales in the U.S. leaves the entire system vulnerable to bad actors.
What’s shocking is the stealth with which WPP was able to sweep the scandal under the rug, especially in contrast to a nearly identical lawsuit that hit Publicis Groupe-owned Epsilon the same year and splashed across industry headlines. (It’s worth noting that Mark Read, the CEO of WPP, was overseeing Wunerman while the fraud was taking place.)
No one knew about the WPP suit, despite it being openly archived on the DOJ website and discoverable with a simple Google search. If they did, they didn’t care enough to expose it. Because this behavior is common practice in digital advertising in the U.S.
Data brokers and holding companies sense the industry’s changing tide and have started to push narratives of working with first-party data on privacy-centric solutions. But look hard enough under the hood and sketchy practices are happening daily — from selling sensitive personal information to committing outright fraud.
It would seem that the time to clean up any questionable practices is now.
The question is — does anybody care enough, or are we content as an industry to sweep this dirty secret under the rug?