How one simple rule change could curb online retailers' snooping on you

I spent last week studying the 26,000 words of privacy terms published by eBay and Amazon, trying to extract some straight answers, and comparing them to the privacy terms of other online marketplaces such as Kogan and Catch (my full summary is here^[1]).

There’s bad news and good news.

The bad news is that none of the privacy terms analysed are good. Based on their published policies, there is no major online marketplace operating in Australia that sets a commendable standard for respecting consumers’ data privacy.

All the policies contain vague, confusing terms and give consumers no real choice about how their data are collected, used and disclosed when they shop on these websites. Online retailers that operate in both Australia and the European Union give their customers in the EU better privacy terms and defaults than us, because the EU has stronger privacy laws.

The Australian Competition and Consumer Commission (ACCC) is currently collecting submissions as part of an inquiry into online marketplaces in Australia. You can have your say here^[2] by August 19.

The good news is that, as a first step, there is a clear and simple “anti-snooping” rule we could introduce to cut out one unfair and unnecessary, but very common, data practice.

Deep in the fine print of the privacy terms of all the above-named websites, you’ll find an unsettling term.

It says these retailers can obtain extra data about you from other companies, for example, data brokers^[3], advertising companies, or suppliers from whom you have previously purchased.

Read more: It's time for third-party data brokers to emerge from the shadows^[4]

eBay, for example, can take the data about you from a data broker and combine it with the data eBay already has about you, to form a detailed profile of your interests, purchases, behaviour and characteristics.

The problem is the online marketplaces give you no choice in this. There’s no privacy setting that lets you opt out of this data collection, and you can’t escape by switching to another major marketplace, because they all do it.

An online bookseller doesn’t need to collect data about your fast-food preferences to sell you a book. It wants these extra data for its own advertising and business purposes.

You might well be comfortable giving retailers information about yourself, so as to receive targeted ads and aid the retailer’s other business purposes. But this preference should not be assumed. If you want retailers to collect data about you from third parties, it should be done only on your explicit instructions, rather than automatically for everyone.

The “bundling” of these uses of a consumer’s data is potentially unlawful^[5] even under our existing privacy laws, but this needs to be made clear.

Time for an ‘anti-snooping’ rule

Here’s my suggestion, which forms the basis of my own submission to the ACCC inquiry.

Online retailers should be barred from collecting data about a consumer from another company, unless the consumer has clearly and actively requested this.

For example, this could involve clicking on a check-box next to a plainly worded instruction such as:

Please obtain information about my interests, needs, behaviours and/or characteristics from the following data brokers, advertising companies and/or other suppliers.

The third parties should be specifically named. And the default setting should be that third-party data are not collected without the customer’s express request.

This rule would be consistent with what we know from consumer surveys^[6]: most Australian consumers are not comfortable with companies unnecessarily sharing their personal information.

There could be reasonable exceptions to this rule, such as for fraud detection, address verification or credit checks. But data obtained for these purposes should not be used for marketing, advertising or generalised “market research”.

Can’t we already opt out of targeted ads?

Online marketplaces do claim to allow choices about “personalised advertising” or marketing communications. Unfortunately, these are worth little in terms of privacy protection.

Amazon says you can opt out of seeing targeted advertising. It does not say you can opt out of all data collection for advertising and marketing purposes.

Similarly, eBay lets you opt out of being shown targeted ads. But the later passages of its Cookie Notice^[7] state:

your data may still be collected as described in our User Privacy Notice.

This gives eBay the right to continue to collect data about you from data brokers, and to share them with a range of third parties.

Many retailers and large digital platforms operating in Australia justify their collection of consumer data from third parties on the basis you’ve already given your implied consent to the third parties disclosing it.

That is, there’s some obscure term buried in the thousands of words of privacy policies that supposedly apply to you, which says that Bunnings^[8], for instance, can share data about you with various “related companies”.

Of course, Bunnings didn’t highlight this term, let alone give you a choice in the matter, when you ordered your hedge cutter last year. It only included a “Policies” link at the foot of its website; the term was on another web page, buried in the detail of its Privacy Policy.

Such terms should ideally be eradicated entirely. But in the meantime, we can turn the tap off on this unfair flow of data, by stipulating that online retailers cannot obtain such data about you from a third party without your express, active and unequivocal request.

Who should be bound by an ‘anti-snooping’ rule?

While the focus of this article is on online marketplaces covered by the ACCC inquiry, many other companies have similar third-party data collection terms, including Woolworths^[9], Coles^[10], major banks, and digital platforms such as Google and Facebook.

Read more: Here's how tech giants profit from invading our privacy, and how we can start taking it back^[11]

While some argue users of “free” services like Google and Facebook should expect some surveillance as part of the deal, this should not extend to asking other companies about you without your active consent.

The anti-snooping rule should clearly apply to any website selling a product or service.

With lockdowns barring many of us from visiting physical shops, we should be able to make purchases online without being unwittingly roped into a company’s advertising side hustle.

References

1. ^{^} here (papers.ssrn.com)
2. ^{^} here (consultation.accc.gov.au)
3. ^{^} data brokers (theconversation.com)
4. ^{^} It's time for third-party data brokers to emerge from the shadows (theconversation.com)
5. ^{^} potentially unlawful (www.oaic.gov.au)
6. ^{^} consumer surveys (cprc.org.au)
7. ^{^} Cookie Notice (www.ebay.com.au)
8. ^{^} Bunnings (www.bunnings.com.au)
9. ^{^} Woolworths (www.woolworths.com.au)
10. ^{^} Coles (www.coles.com.au)
11. ^{^} Here's how tech giants profit from invading our privacy, and how we can start taking it back (theconversation.com)