Epsilon elder fraud case raises questions for holding companies

When holding companies began getting into the data business back in 2016, the privacy conversation began to shift.

Just a few months after Dentsu purchased a majority stake Merkle in late 2016, Apple introduced Intelligent Tracking Prevention (ITP) on Safari, blocking third-party cookies from its browser.

Conversations about GDPR and CCPA began percolating around the same time, as the digital advertising industry began a long, difficult reckoning with its tracking policies—or lack thereof. Even Google caved to the pressure, dropping the bombshell in early 2020 that it will phase out third-party cookies in Chrome by next year.

As online privacy concerns started to grow, holding companies became increasingly intertwined with data businesses that fueled efficiency and growth for their clients. IPG bought Acxiom for $2.3 billion in 2018, and Publicis scooped up Epsilon for $4.4 billion a year later.

At the time, both companies were questioned for wading into the murky waters of data sales. But the business case that proprietary data could drive more effective media buys made sense. Plus, an army of data scientists could staff a fast-growing service area: first-party data and management. 

It was a storyline that hit home with prospective clients, and it’s been driving the entire business forward. Look no further than Publicis’ Q4 earnings, reported Wednesday, where the worst of its pandemic revenue declines improved to 0.5% growth in the U.S., specifically thanks, in part, to Epsilon, which grew 5.5% in the quarter.

Fast forward to 2021, and the privacy conversation has escalated. GDPR is the law of the land in the EU, resulting in fines on giants like Google and Facebook. CCPA has morphed into the even stronger CPRA in the U.S., with added protections for consumers. There’s still no comprehensive federal privacy law, but that could change under the new Democratic administration.

It was in this context that The Wall Street Journal reported last week that Epsilon had settled a $150 million lawsuit related to a nine-year elder fraud scheme, in which the firm knowingly sold personal data on 30 million consumers to bad actors.

The transgression was prior to Epsilon’s acquisition by Publicis, which has indemnified itself against any charges related to the case. The case is also primarily about criminal fraud in addition to data privacy.

But it raises important questions about potential liabilities that lie ahead for agencies as data privacy regulation continues to evolve in the U.S., where it's still very much the Wild West.

When Dentsu, IPG and Publicis bought Merkle, Acxiom and Epsilon, respectively, they were clear that the value went beyond their access to third-party data.

But what if these parts of their businesses one day become incompatible with U.S. privacy law, and holding companies are forced to spin them off (or more realistically, wind them down)? Do their services become less valuable without the ability to bundle data with media buys? How would that impact the media effectiveness they’re now pitching?

These companies have won massive pieces of business with elegant stories about how access to proprietary data can supercharge their capabilities. But as the scale continues to tip toward privacy, will the narrative shift from one about possibilities to one about risks and liabilities?

For holding companies without the immediate risk of owning a data brokerage, questions about rethinking data collection, usage and deployment are just as relevant. Agencies are already asking themselves these questions from both a legal and ethical standpoint, and that’s a good thing.

Consumers are clear in their rejection of creepy advertising practices. They’ve shown their willingness to pay for ad-free experiences. And governments around the world are ready to step in and back them up.

Privacy regulation in this country is still very much in the making, but the train is moving in a very clear direction.

---

Alison Weissbrot is the editor of Campaign US.