The Times Australia
The Times World News

.
The Times Real Estate

.

This law makes it illegal for companies to collect third-party data to profile you. But they do anyway

  • Written by Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW, UNSW Sydney
This law makes it illegal for companies to collect third-party data to profile you. But they do anyway

A little-known provision of the Privacy Act makes it illegal for many companies in Australia to buy or exchange consumers’ personal data for profiling or targeting purposes. It’s almost never enforced. In a research paper[1] published today, I argue that needs to change.

“Data enrichment” is the intrusive practice of companies going behind our backs to “fill in the gaps” of the information we provide.

When you purchase a product or service from a company, fill out an online form, or sign up for a newsletter, you might provide only the necessary data such as your name, email, delivery address and/or payment information.

That company may then turn to other retailers or data brokers[2] to purchase or exchange extra data about you. This could include your age, family, health, habits and more.

This allows them to build a more detailed individual profile on you, which helps them predict your behaviour and more precisely target you with ads.

For almost ten years, there has been a law in Australia that makes this kind of data enrichment illegal if a company can “reasonably and practicably” request that information directly from the consumer. And at least one major data broker[3] has asked the government to “remove” this law.

The burning question is: why is there not a single published case of this law being enforced against companies “enriching” customer data for profiling and targeting purposes?

Read more: It's time for third-party data brokers to emerge from the shadows[4]

Data collection ‘only from the individual’

The relevant law is Australian Privacy Principle 3.6 and is part of the federal Privacy Act[5]. It applies to most organisations that operate businesses with annual revenues higher than A$3 million, and smaller data businesses.

The law says such organisations:

must collect personal information about an individual only from the individual […] unless it is unreasonable or impracticable to do so.

This “direct collection rule” protects individuals’ privacy by allowing them some control over information collected about them, and avoiding a combination of data sources that could reveal sensitive information about their vulnerabilities.

But this rule has received almost no attention. There’s only one published determination of the federal privacy regulator on it, and that was against the Australian Defence Force[6] in a different context.

According to Australian Privacy Principle 3.6, it’s only legal for an organisation to collect personal information from a third party if it would be “unreasonable or impracticable” to collect that information from the individual alone.

This exception was intended to apply to limited situations[7], such as when:

  • the individual is being investigated for some wrongdoing
  • the individual’s address needs to be updated for delivery of legal or official documents.

The exception shouldn’t apply simply because a company wants to collect extra information for profiling and targeting, but realises the customer would probably refuse to provide it.

Who’s bypassing customers for third-party data?

Aside from data brokers, companies also exchange information with each other about their respective customers to get extra information on customers’ lives. This is often referred to as “data matching” or “data partnerships”.

Companies tend to be very vague about who they share information with, and who they get information from. So we don’t know for certain who’s buying data-enrichment services from data brokers, or “matching” customer data.

Major companies such as Amazon Australia[8], eBay Australia[9], Meta[10] (Facebook), 10Play Viacom[11] and Twitter[12] include terms in the fine print of their privacy policies that state they collect personal information from third parties, including demographic details and/or interests.

Google[13], News Corp[14], Seven[15], Nine[16] and others also say they collect personal information from third parties, but are more vague about the nature of that information.

These privacy policies don’t explain why it would be unreasonable or impracticable to collect that information directly from customers.

Consumer ‘consent’ is not an exception

Some companies may try to justify going behind customers’ backs to collect data because there’s an obscure term in their privacy policy that mentions they collect personal information from third parties. Or because the company disclosing the data has a privacy policy term about sharing data with “trusted data partners”.

But even if this amounts to consumer “consent” under the relatively weak standards for consent in our current privacy law, this is not an exception to the direct collection rule.

The law allows a “consent” exception for government agencies under a separate part of the direct collection rule, but not for private organisations.

Data enrichment involves personal information

Many companies with third-party data collection terms in their privacy policies acknowledge this is personal information. But some may argue the collected data isn’t “personal information” under the Privacy Act, so the direct collection rule doesn’t apply.

Companies often exchange information about an individual without using the individual’s legal name or email. Instead they may use a unique advertising identifier for that individual, or “hash” the email address[17] to turn it into a unique string of numbers and letters.

They essentially allocate a “code name” to the consumer. So the companies can exchange information that can be linked to the individual, yet say this information wasn’t connected to their actual name or email.

However, this information should still be treated as personal information because it can be linked back to the individual when combined with other information about them[18].

At least one major data broker is against it

Data broker Experian Australia[19] has asked the government to “remove” Australian Privacy Principle 3.6 “altogether”. In its submission[20] to the Privacy Act Review in January, Experian argued:

It is outdated and does not fit well with modern data uses.

Others who profit from data enrichment or data matching would probably agree, but prefer to let sleeping dogs lie.

A screenshot shows six different categories of consumer data offered by Experian.
On its website, Experian claims to offer a ‘combination of demographic, geographic, financial and market research data - both online and offline’. Screenshot/Experian

Experian argued the law favours large companies with direct access to lots of customers and opportunities to pool data collected from across their own corporate group. It said companies with access to fewer consumers and less data would be disadvantaged if they can’t purchase data from brokers.

But the fact that some digital platforms impose extensive personal data collection on customers supports the case for stronger privacy laws. It doesn’t mean there should be a data free-for-all.

Our privacy regulator should take action

It has been three years since the consumer watchdog recommended major reforms[21] to our privacy laws to reduce the disadvantages consumers suffer from invasive data practices. These reforms are probably still years away, if they eventuate at all.

The direct collection rule is a very rare thing. It is an existing Australian privacy law that favours consumers. The privacy regulator should prioritise the enforcement of this law for the benefit of consumers.

Read more: Amazon just took over a primary healthcare company for a lot of money. Should we be worried?[22]

References

  1. ^ research paper (papers.ssrn.com)
  2. ^ data brokers (www.oracle.com)
  3. ^ one major data broker (consultations.ag.gov.au)
  4. ^ It's time for third-party data brokers to emerge from the shadows (theconversation.com)
  5. ^ Privacy Act (www.legislation.gov.au)
  6. ^ Australian Defence Force (www.austlii.edu.au)
  7. ^ limited situations (www.oaic.gov.au)
  8. ^ Amazon Australia (www.amazon.com.au)
  9. ^ eBay Australia (www.ebay.com.au)
  10. ^ Meta (www.facebook.com)
  11. ^ 10Play Viacom (www.viacomcbsprivacy.com)
  12. ^ Twitter (twitter.com)
  13. ^ Google (policies.google.com)
  14. ^ News Corp (preferences.news.com.au)
  15. ^ Seven (www.sevenwestmedia.com.au)
  16. ^ Nine (login.nine.com.au)
  17. ^ “hash” the email address (help.abc.net.au)
  18. ^ information about them (www.austlii.edu.au)
  19. ^ Experian Australia (www.experian.com.au)
  20. ^ submission (consultations.ag.gov.au)
  21. ^ major reforms (www.accc.gov.au)
  22. ^ Amazon just took over a primary healthcare company for a lot of money. Should we be worried? (theconversation.com)

Read more https://theconversation.com/this-law-makes-it-illegal-for-companies-to-collect-third-party-data-to-profile-you-but-they-do-anyway-190758

The Times Features

Itinerary to Maximize Your Two-Week Adventure in Vietnam and Cambodia

Two weeks may not seem like much, but it’s just the right time for travelers to explore the best of Vietnam and Cambodia. From the bustling streets of Hanoi to the magnificent te...

How to Protect Your Garden Trees from Wind Damage in Australia

In Australia's expansive landscape, garden trees hold noteworthy significance. They not only enhance the aesthetic appeal of our homes but also play an integral role in the local...

Brisbane Homeowners Warned: Non-Compliant Flexible Hoses Pose High Flood Risk

As a homeowner in Brisbane, when you think of the potential for flood damage to your home, you probably think of weather events. But you should know that there may be a tickin...

Argan Oil-Infused Moroccanoil Shampoo: Nourish and Revitalize Your Hair

Are you ready to transform your hair from dull and lifeless to vibrant and full of life? Look no further than the luxurious embrace of Argan Oil-Infused Moroccanoil Shampoo! In a...

Building A Strong Foundation For Any Structure

Building a home or commercial building can be very exciting. The possibilities are endless and the future is interesting. You can always change aspects of the building to meet the ...

The Role of a Family Dentist: Why Every Household Needs One

source A family dentist isn’t like your regular dentist who may specialise in a particular age group and whom you visit only when something goes wrong. A family dentist takes proa...

Times Magazine

"Eternal Nurture" by Cara Barilla: A Timeless Collection of Wisdom and Healing

Renowned Sydney-born author and educator Cara Barilla has released her latest book, Eternal Nurture, a profound collection of inspirational quotes designed to support mindfulness, emotional healing, and personal growth. With a deep commitment to ...

How AI-Driven SEO Enhancements Can Improve Headless CMS Content Visibility

Whereas SEO (search engine optimization) is critical in the digital landscape for making connections to content, much of it is still done manually keyword research, metatags, final tweaks at publication requiring a human element that takes extensiv...

Crypto Expert John Fenga Reveals How Blockchain is Revolutionising Charity

One of the most persistent challenges in the charity sector is trust. Donors often wonder whether their contributions are being used effectively or if overhead costs consume a significant portion. Traditional fundraising methods can be opaque, with...

Navigating Parenting Arrangements in Australia: A Legal Guide for Parents

Understanding Parenting Arrangements in Australia. Child custody disputes are often one of the most emotionally charged aspects of separation or divorce. Parents naturally want what is best for their children, but the legal process of determining ...

Blocky Adventures: A Minecraft Movie Celebration for Your Wrist

The Minecraft movie is almost here—and it’s time to get excited! With the film set to hit theaters on April 4, 2025, fans have a brand-new reason to celebrate. To honor the upcoming blockbuster, watchfaces.co has released a special Minecraft-inspir...

The Ultimate Guide to Apple Watch Faces & Trending Wallpapers

In today’s digital world, personalization is everything. Your smartwatch isn’t just a timepiece—it’s an extension of your style. Thanks to innovative third-party developers, customizing your Apple Watch has reached new heights with stunning designs...

LayBy Shopping