Opinion This law makes it illegal for companies to collect third-party data to profile you

The terms of the Australian Privacy Principle 3.6 are quite clear. So why is there not a single published case of this law being enforced?

A woman's hand holding a mobile phone

'Data enrichment' is the intrusive practice of companies going behind our backs to 'fill in the gaps' of the information we provide. Photo: Unsplash, CC BY-SA.

A little-known provision of the Privacy Act makes it illegal for many companies in Australia to buy or exchange consumers’ personal data for profiling or targeting purposes. It’s almost never enforced. In a research paper published today, I argue that needs to change.

“Data enrichment” is the intrusive practice of companies going behind our backs to “fill in the gaps” of the information we provide.

When you purchase a product or service from a company, fill out an online form, or sign up for a newsletter, you might provide only the necessary data such as your name, email, delivery address and/or payment information.

That company may then turn to other retailers or data brokers to purchase or exchange extra data about you. This could include your age, family, health, habits and more.

This allows them to build a more detailed individual profile on you, which helps them predict your behaviour and more precisely target you with ads.

For almost ten years, there has been a law in Australia that makes this kind of data enrichment illegal if a company can “reasonably and practicably” request that information directly from the consumer. And at least one major data broker has asked the government to “remove” this law.

Read more: ACCC says consumers need more choices about what online marketplaces are doing with their data

The burning question is: why is there not a single published case of this law being enforced against companies “enriching” customer data for profiling and targeting purposes?

Data collection ‘only from the individual’

The relevant law is Australian Privacy Principle 3.6 and is part of the federal Privacy Act. It applies to most organisations that operate businesses with annual revenues higher than A$3 million, and smaller data businesses.

The law says such organisations:

must collect personal information about an individual only from the individual […] unless it is unreasonable or impracticable to do so.

This “direct collection rule” protects individuals’ privacy by allowing them some control over information collected about them, and avoiding a combination of data sources that could reveal sensitive information about their vulnerabilities.

But this rule has received almost no attention. There’s only one published determination of the federal privacy regulator on it, and that was against the Australian Defence Force in a different context.

According to Australian Privacy Principle 3.6, it’s only legal for an organisation to collect personal information from a third party if it would be “unreasonable or impracticable” to collect that information from the individual alone.

This exception was intended to apply to limited situations, such as when:

  • the individual is being investigated for some wrongdoing
  • the individual’s address needs to be updated for delivery of legal or official documents.

The exception shouldn’t apply simply because a company wants to collect extra information for profiling and targeting, but realises the customer would probably refuse to provide it.

Who’s bypassing customers for third-party data?

Aside from data brokers, companies also exchange information with each other about their respective customers to get extra information on customers’ lives. This is often referred to as “data matching” or “data partnerships”.

Companies tend to be very vague about who they share information with, and who they get information from. So we don’t know for certain who’s buying data-enrichment services from data brokers, or “matching” customer data.

Read more: A new proposed privacy code promises tough rules

Major companies such as Amazon Australia, eBay Australia, Meta (Facebook), 10Play Viacom and Twitter include terms in the fine print of their privacy policies that state they collect personal information from third parties, including demographic details and/or interests.

Google, News Corp, Seven, Nine and others also say they collect personal information from third parties, but are more vague about the nature of that information.

These privacy policies don’t explain why it would be unreasonable or impracticable to collect that information directly from customers.

Consumer ‘consent’ is not an exception

Some companies may try to justify going behind customers’ backs to collect data because there’s an obscure term in their privacy policy that mentions they collect personal information from third parties. Or because the company disclosing the data has a privacy policy term about sharing data with “trusted data partners”.

But even if this amounts to consumer “consent” under the relatively weak standards for consent in our current privacy law, this is not an exception to the direct collection rule.

The law allows a “consent” exception for government agencies under a separate part of the direct collection rule, but not for private organisations.

Data enrichment involves personal information

Many companies with third-party data collection terms in their privacy policies acknowledge this is personal information. But some may argue the collected data isn’t “personal information” under the Privacy Act, so the direct collection rule doesn’t apply.

Companies often exchange information about an individual without using the individual’s legal name or email. Instead they may use a unique advertising identifier for that individual, or “hash” the email address to turn it into a unique string of numbers and letters.

They essentially allocate a “code name” to the consumer. So the companies can exchange information that can be linked to the individual, yet say this information wasn’t connected to their actual name or email.

However, this information should still be treated as personal information because it can be linked back to the individual when combined with other information about them.

At least one major data broker is against it

Data broker Experian Australia has asked the government to “remove” Australian Privacy Principle 3.6 “altogether”. In its submission to the Privacy Act Review in January, Experian argued:

It is outdated and does not fit well with modern data uses.

Others who profit from data enrichment or data matching would probably agree, but prefer to let sleeping dogs lie.

A screenshot shows six different categories of consumer data offered by Experian.

On its website, Experian claims to offer a ‘combination of demographic, geographic, financial and market research data - both online and offline’. Screenshot/Experian

Experian argued the law favours large companies with direct access to lots of customers and opportunities to pool data collected from across their own corporate group. It said companies with access to fewer consumers and less data would be disadvantaged if they can’t purchase data from brokers.

But the fact that some digital platforms impose extensive personal data collection on customers supports the case for stronger privacy laws. It doesn’t mean there should be a data free-for-all.

Our privacy regulator should take action

It has been three years since the consumer watchdog recommended major reforms to our privacy laws to reduce the disadvantages consumers suffer from invasive data practices. These reforms are probably still years away, if they eventuate at all.

The direct collection rule is a very rare thing. It is an existing Australian privacy law that favours consumers. The privacy regulator should prioritise the enforcement of this law for the benefit of consumers.

The Conversation

Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW, UNSW Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.