This law makes it illegal for companies to collect third-party data to profile you. But they do anyway

A little-known provision of the Privacy Act makes it illegal for many companies in Australia to buy or exchange consumers’ personal data for profiling or targeting purposes. It’s almost never enforced. In a research paper^[1] published today, I argue that needs to change.

“Data enrichment” is the intrusive practice of companies going behind our backs to “fill in the gaps” of the information we provide.

When you purchase a product or service from a company, fill out an online form, or sign up for a newsletter, you might provide only the necessary data such as your name, email, delivery address and/or payment information.

That company may then turn to other retailers or data brokers^[2] to purchase or exchange extra data about you. This could include your age, family, health, habits and more.

This allows them to build a more detailed individual profile on you, which helps them predict your behaviour and more precisely target you with ads.

For almost ten years, there has been a law in Australia that makes this kind of data enrichment illegal if a company can “reasonably and practicably” request that information directly from the consumer. And at least one major data broker^[3] has asked the government to “remove” this law.

The burning question is: why is there not a single published case of this law being enforced against companies “enriching” customer data for profiling and targeting purposes?

Read more: It's time for third-party data brokers to emerge from the shadows^[4]

Data collection ‘only from the individual’

The relevant law is Australian Privacy Principle 3.6 and is part of the federal Privacy Act^[5]. It applies to most organisations that operate businesses with annual revenues higher than A$3 million, and smaller data businesses.

The law says such organisations:

must collect personal information about an individual only from the individual […] unless it is unreasonable or impracticable to do so.

This “direct collection rule” protects individuals’ privacy by allowing them some control over information collected about them, and avoiding a combination of data sources that could reveal sensitive information about their vulnerabilities.

But this rule has received almost no attention. There’s only one published determination of the federal privacy regulator on it, and that was against the Australian Defence Force^[6] in a different context.

According to Australian Privacy Principle 3.6, it’s only legal for an organisation to collect personal information from a third party if it would be “unreasonable or impracticable” to collect that information from the individual alone.

This exception was intended to apply to limited situations^[7], such as when:

• the individual is being investigated for some wrongdoing
• the individual’s address needs to be updated for delivery of legal or official documents.

The exception shouldn’t apply simply because a company wants to collect extra information for profiling and targeting, but realises the customer would probably refuse to provide it.

Who’s bypassing customers for third-party data?

Aside from data brokers, companies also exchange information with each other about their respective customers to get extra information on customers’ lives. This is often referred to as “data matching” or “data partnerships”.

Companies tend to be very vague about who they share information with, and who they get information from. So we don’t know for certain who’s buying data-enrichment services from data brokers, or “matching” customer data.

Major companies such as Amazon Australia^[8], eBay Australia^[9], Meta^[10] (Facebook), 10Play Viacom^[11] and Twitter^[12] include terms in the fine print of their privacy policies that state they collect personal information from third parties, including demographic details and/or interests.

Google^[13], News Corp^[14], Seven^[15], Nine^[16] and others also say they collect personal information from third parties, but are more vague about the nature of that information.

These privacy policies don’t explain why it would be unreasonable or impracticable to collect that information directly from customers.

Consumer ‘consent’ is not an exception

Some companies may try to justify going behind customers’ backs to collect data because there’s an obscure term in their privacy policy that mentions they collect personal information from third parties. Or because the company disclosing the data has a privacy policy term about sharing data with “trusted data partners”.

But even if this amounts to consumer “consent” under the relatively weak standards for consent in our current privacy law, this is not an exception to the direct collection rule.

The law allows a “consent” exception for government agencies under a separate part of the direct collection rule, but not for private organisations.

Data enrichment involves personal information

Many companies with third-party data collection terms in their privacy policies acknowledge this is personal information. But some may argue the collected data isn’t “personal information” under the Privacy Act, so the direct collection rule doesn’t apply.

Companies often exchange information about an individual without using the individual’s legal name or email. Instead they may use a unique advertising identifier for that individual, or “hash” the email address^[17] to turn it into a unique string of numbers and letters.

They essentially allocate a “code name” to the consumer. So the companies can exchange information that can be linked to the individual, yet say this information wasn’t connected to their actual name or email.

However, this information should still be treated as personal information because it can be linked back to the individual when combined with other information about them^[18].

At least one major data broker is against it

Data broker Experian Australia^[19] has asked the government to “remove” Australian Privacy Principle 3.6 “altogether”. In its submission^[20] to the Privacy Act Review in January, Experian argued:

It is outdated and does not fit well with modern data uses.

Others who profit from data enrichment or data matching would probably agree, but prefer to let sleeping dogs lie.

References

1. ^{^} research paper (papers.ssrn.com)
2. ^{^} data brokers (www.oracle.com)
3. ^{^} one major data broker (consultations.ag.gov.au)
4. ^{^} It's time for third-party data brokers to emerge from the shadows (theconversation.com)
5. ^{^} Privacy Act (www.legislation.gov.au)
6. ^{^} Australian Defence Force (www.austlii.edu.au)
7. ^{^} limited situations (www.oaic.gov.au)
8. ^{^} Amazon Australia (www.amazon.com.au)
9. ^{^} eBay Australia (www.ebay.com.au)
10. ^{^} Meta (www.facebook.com)
11. ^{^} 10Play Viacom (www.viacomcbsprivacy.com)
12. ^{^} Twitter (twitter.com)
13. ^{^} Google (policies.google.com)
14. ^{^} News Corp (preferences.news.com.au)
15. ^{^} Seven (www.sevenwestmedia.com.au)
16. ^{^} Nine (login.nine.com.au)
17. ^{^} “hash” the email address (help.abc.net.au)
18. ^{^} information about them (www.austlii.edu.au)
19. ^{^} Experian Australia (www.experian.com.au)
20. ^{^} submission (consultations.ag.gov.au)
21. ^{^} major reforms (www.accc.gov.au)
22. ^{^} Amazon just took over a primary healthcare company for a lot of money. Should we be worried? (theconversation.com)