The Times Australia

This law makes it illegal for companies to collect third-party data to profile you. But they do anyway

  • Written by Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW, UNSW Sydney

A little-known provision of the Privacy Act makes it illegal for many companies in Australia to buy or exchange consumers’ personal data for profiling or targeting purposes. It’s almost never enforced. In a research paper[1] published today, I argue that needs to change.

“Data enrichment” is the intrusive practice of companies going behind our backs to “fill in the gaps” of the information we provide.

When you purchase a product or service from a company, fill out an online form, or sign up for a newsletter, you might provide only the necessary data such as your name, email, delivery address and/or payment information.

That company may then turn to other retailers or data brokers[2] to purchase or exchange extra data about you. This could include your age, family, health, habits and more.

This allows them to build a more detailed individual profile on you, which helps them predict your behaviour and more precisely target you with ads.

For almost ten years, there has been a law in Australia that makes this kind of data enrichment illegal if a company can “reasonably and practicably” request that information directly from the consumer. And at least one major data broker[3] has asked the government to “remove” this law.

The burning question is: why is there not a single published case of this law being enforced against companies “enriching” customer data for profiling and targeting purposes?

Read more: It's time for third-party data brokers to emerge from the shadows[4]

Data collection ‘only from the individual’

The relevant law is Australian Privacy Principle 3.6 and is part of the federal Privacy Act[5]. It applies to most organisations that operate businesses with annual revenues higher than A$3 million, and smaller data businesses.

The law says such organisations:

“must collect personal information about an individual only from the individual […] unless it is unreasonable or impracticable to do so.”

This “direct collection rule” protects individuals’ privacy by allowing them some control over information collected about them, and avoiding a combination of data sources that could reveal sensitive information about their vulnerabilities.

But this rule has received almost no attention. There’s only one published determination of the federal privacy regulator on it, and that was against the Australian Defence Force[6] in a different context.

According to Australian Privacy Principle 3.6, it’s only legal for an organisation to collect personal information from a third party if it would be “unreasonable or impracticable” to collect that information from the individual alone.

This exception was intended to apply to limited situations[7], such as when:

  • the individual is being investigated for some wrongdoing
  • the individual’s address needs to be updated for delivery of legal or official documents.

The exception shouldn’t apply simply because a company wants to collect extra information for profiling and targeting, but realises the customer would probably refuse to provide it.

Who’s bypassing customers for third-party data?

Aside from data brokers, companies also exchange information with each other about their respective customers to get extra information on customers’ lives. This is often referred to as “data matching” or “data partnerships”.

Companies tend to be very vague about who they share information with, and who they get information from. So we don’t know for certain who’s buying data-enrichment services from data brokers, or “matching” customer data.

Major companies such as Amazon Australia[8], eBay Australia[9], Meta[10] (Facebook), 10Play Viacom[11] and Twitter[12] include terms in the fine print of their privacy policies that state they collect personal information from third parties, including demographic details and/or interests.

Google[13], News Corp[14], Seven[15], Nine[16] and others also say they collect personal information from third parties, but are more vague about the nature of that information.

These privacy policies don’t explain why it would be unreasonable or impracticable to collect that information directly from customers.

Consumer ‘consent’ is not an exception

Some companies may try to justify going behind customers’ backs to collect data because there’s an obscure term in their privacy policy that mentions they collect personal information from third parties. Or because the company disclosing the data has a privacy policy term about sharing data with “trusted data partners”.

But even if this amounts to consumer “consent” under the relatively weak standards for consent in our current privacy law, this is not an exception to the direct collection rule.

The law allows a “consent” exception for government agencies under a separate part of the direct collection rule, but not for private organisations.

Data enrichment involves personal information

Many companies with third-party data collection terms in their privacy policies acknowledge this is personal information. But some may argue the collected data isn’t “personal information” under the Privacy Act, so the direct collection rule doesn’t apply.

Companies often exchange information about an individual without using the individual’s legal name or email. Instead they may use a unique advertising identifier for that individual, or “hash” the email address[17] to turn it into a unique string of numbers and letters.

They essentially allocate a “code name” to the consumer. So the companies can exchange information that can be linked to the individual, yet say this information wasn’t connected to their actual name or email.

However, this information should still be treated as personal information because it can be linked back to the individual when combined with other information about them[18].
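
The sketch below is an added example, not from the research paper or any company named in this article. It shows why a hashed email still works as a personal identifier: two parties that hash the same address get the same "code name" and can merge their records on it. It assumes unsalted SHA-256 over a trimmed, lower-cased address, and all records and keys are constructed. For contrast, it also shows that tokens made with a separate secret key per holder no longer match across holders.

```python
import hashlib
import hmac

def hash_email(email: str) -> str:
    """Fixed 'code name' for an email. Assumption: trim, lower-case,
    then unsalted SHA-256; the article does not name a specific scheme."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

# Constructed sample: data a retailer collected directly from its customers.
RETAILER = [
    {"email": "Alex.Nguyen@example.com", "postcode": "2031"},
    {"email": "sam.lee@example.com", "postcode": "3000"},
]

# Constructed sample: a third party's records, keyed only by hashed email.
PARTNER = {
    hash_email("alex.nguyen@example.com"): {"age_band": "35-44",
                                            "interest": "health supplements"},
    hash_email("jo.smith@example.com"): {"age_band": "18-24",
                                         "interest": "gaming"},
}

def enrich(retailer_rows, partner_by_hash):
    """Join the datasets on the hashed email alone. No name or plain email
    is exchanged, yet each match is a merged profile of one person."""
    merged = []
    for row in retailer_rows:
        extra = partner_by_hash.get(hash_email(row["email"]))
        if extra is not None:
            merged.append({**row, **extra})
    return merged

def keyed_token(email: str, secret: bytes) -> str:
    """Contrast case: HMAC-SHA-256 with a secret held by one organisation.
    Tokens are stable inside that organisation but useless as a join key
    for anyone holding a different secret."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    for profile in enrich(RETAILER, PARTNER):
        print(profile)
    a = keyed_token("alex.nguyen@example.com", b"retailer-secret")
    b = keyed_token("alex.nguyen@example.com", b"partner-secret")
    print("keyed tokens match across holders:", a == b)
```
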

At least one major data broker is against it

Data broker Experian Australia[19] has asked the government to “remove” Australian Privacy Principle 3.6 “altogether”. In its submission[20] to the Privacy Act Review in January, Experian argued:

“It is outdated and does not fit well with modern data uses.”

Others who profit from data enrichment or data matching would probably agree, but prefer to let sleeping dogs lie.

On its website, Experian claims to offer a ‘combination of demographic, geographic, financial and market research data - both online and offline’. Screenshot/Experian

Experian argued the law favours large companies with direct access to lots of customers and opportunities to pool data collected from across their own corporate group. It said companies with access to fewer consumers and less data would be disadvantaged if they can’t purchase data from brokers.

But the fact that some digital platforms impose extensive personal data collection on customers supports the case for stronger privacy laws. It doesn’t mean there should be a data free-for-all.

Our privacy regulator should take action

It has been three years since the consumer watchdog recommended major reforms[21] to our privacy laws to reduce the disadvantages consumers suffer from invasive data practices. These reforms are probably still years away, if they eventuate at all.

The direct collection rule is a very rare thing. It is an existing Australian privacy law that favours consumers. The privacy regulator should prioritise the enforcement of this law for the benefit of consumers.

Read more: Amazon just took over a primary healthcare company for a lot of money. Should we be worried?[22]

References

  1. ^ research paper (papers.ssrn.com)
  2. ^ data brokers (www.oracle.com)
  3. ^ one major data broker (consultations.ag.gov.au)
  4. ^ It's time for third-party data brokers to emerge from the shadows (theconversation.com)
  5. ^ Privacy Act (www.legislation.gov.au)
  6. ^ Australian Defence Force (www.austlii.edu.au)
  7. ^ limited situations (www.oaic.gov.au)
  8. ^ Amazon Australia (www.amazon.com.au)
  9. ^ eBay Australia (www.ebay.com.au)
  10. ^ Meta (www.facebook.com)
  11. ^ 10Play Viacom (www.viacomcbsprivacy.com)
  12. ^ Twitter (twitter.com)
  13. ^ Google (policies.google.com)
  14. ^ News Corp (preferences.news.com.au)
  15. ^ Seven (www.sevenwestmedia.com.au)
  16. ^ Nine (login.nine.com.au)
  17. ^ “hash” the email address (help.abc.net.au)
  18. ^ information about them (www.austlii.edu.au)
  19. ^ Experian Australia (www.experian.com.au)
  20. ^ submission (consultations.ag.gov.au)
  21. ^ major reforms (www.accc.gov.au)
  22. ^ Amazon just took over a primary healthcare company for a lot of money. Should we be worried? (theconversation.com)

Read more https://theconversation.com/this-law-makes-it-illegal-for-companies-to-collect-third-party-data-to-profile-you-but-they-do-anyway-190758
