Nowadays it's common knowledge that businesses are tracking everything we do, from shopping behaviour, to search histories and even how we drive our cars.

But you might not be aware of how often this data is bought and sold.

It's commonly referred to as "data broking" and it's big business. One industry insider tells CHOICE that some companies are skirting the law to monetise your data well beyond what you consent to.

Australians for sale

In December, a report released by Reset Australia titled Australians for Sale: Targeted Advertising, Data Brokering and Consumer Manipulation detailed the ways that profiles of Australian consumers are broken down into micro-categories based on socio-economic status and spending habits and then sold to advertisers.

Experts say these practices are likely just the tip of the iceberg. In the murky world of data broking, much of what goes on remains hidden.

Nine in ten adults say the trading of personal information is not fair and reasonable

Dr Katherine Kemp, deputy director of the Allens Hub for Technology, Law & Innovation at University of New South Wales says, "The average consumer would have next to no knowledge about what data of theirs is collected by data brokers, combined to make inferences about them and disclosed to other companies. They're completely in the dark."

A government survey released in August last year showed widespread community concerns about data broking with nine in ten adults saying the trading of personal information was not fair and reasonable and calling for a right to object to certain data practices.

No option to opt out

Kemp says many retailers and other 'first party data collectors' we shop with claim to have consumer consent for data to be sent to 'third parties' such as data brokers, but the so-called consent comes through long and complex privacy policies that consumers generally don't read and wouldn't understand even if they did. 

Yet we're compelled to indicate that we agree with them as a condition for continuing on the website, app or making a purchase.

Kemp questions whether consumers would consent if they were given a chance to opt out.

Chandni Gupta from the Consumer Policy Research Centre agrees that the wording of many retailers' and companies' terms and conditions are deliberately vague. 

"Businesses might use obscure terms like 'our trusted partners', but it doesn't provide much clarity or genuine choice for consumers to use a service without having to share that data with third parties," she says. 

Tricks of the trade: How companies sell your data

Kemp says many data brokers make money by collecting multiple data points on individual consumers and combining them to make an "enriched" profile of a shopper's habits, which can then be sold back to retailers or to advertisers. And while they might "anonymise" your data by removing your name, they will keep other identifying information that is useful to advertisers and other parties who buy data. 

"Sometimes the companies with data businesses will actually be claiming that they are not dealing in personal information at all, because they are using pseudonyms for the data. They may argue that the privacy act doesn't apply to them in this instance," she says. 

The industry has come up with those phrases themselves to try and make what they're doing sound legitimate

Anna Johnston, Salinger Privacy

Anna Johnston, a privacy consultant and founder of Salinger Privacy, says the distinction between first party data collectors (mostly retailers and businesses) and third party data sellers or brokers is vague. Many of the companies can be one and the same or shell companies of the other. 

"The industry has come up with those phrases themselves to try and make what they're doing sound legitimate. It is as if there's some magical world in which as long as you can call your data 'first party data' then suddenly none of the privacy rules apply," she says.

'Give me my data': Brokers not taking their obligations seriously

In an attempt to probe the depths of third party data brokers and the information they have on us, six CHOICE staff wrote to some of the biggest data broking firms in Australia.

We asked them to provide any personal data they had on us.

We requested our data from Quantium, LiveRamp, Experian, Oracle, Equifax and TEG/Ovation (better known as the owner of the ticket selling company Ticketek). 

Under the law, these companies are meant to respond within 30 days, but some of our requests went unanswered within the timeframe. In some cases Quantium responded months later saying they were not a data broking company and don't collect, store or process personal information, but were involved in data analytics.

The relevant privacy laws apply regardless of whether the company considers itself a data broker or not.  

They will take your name off the data, but give it a unique code that all the companies involved will use

Dr Katherine Kemp, Allens Hub for Technology, Law and Innovation, UNSW

Other companies responded saying they didn't hold any data on us, despite some of the CHOICE staff involved being regular online shoppers and members of loyalty programs like Everyday Rewards and FlyBuys. 

Rafi Alam from CHOICE's consumer data team, says it is "hard to believe" that these companies have so little information on CHOICE staff. 

"It's disappointing to see some data brokers not taking their obligations to consumers seriously enough," he says. "Businesses should be investing as much effort into their privacy obligations as their data broking operations." 

Kemp suggests the reason the CHOICE experiment drew a blank with many data brokers is because they put pseudonyms on the data they collect almost immediately and then can claim to not know who you are when you put in a request. 

"They will take your name off the data, but give it a unique code that all the companies involved will use. That way they can say 'I've never seen your name,' but they have been exchanging the unique code for you and building a detailed profile around that," she says. 

"Claiming that kind of practice falls outside the Privacy Act makes a mockery of the objectives of the Act."

Experts say companies 'anonymise' your data, but keep other identifying information useful to advertisers.

Industry insider speaks out 

Paul* was a long-time data analyst for one of Australia's biggest data brokers. 

He says the industry in Australia takes a cavalier approach to regulation and that the system of audits and accreditation is a "complete joke". 

"Australia has super lax laws when it comes to what you can do with data, what is stored, what it's stored for, what you can do with it. It's mostly regulated by the industry bodies themselves," he says. 

Australia has super lax laws when it comes to what you can do with data, what is stored, what it's stored for

Data analyst *Paul

All the academic experts we spoke to said that the Office of the Australian Information Commissioner (OAIC), the body responsible for overseeing privacy laws, was vastly under-resourced for the task of policing the industry. 

"Consumer data issues have grown rapidly since the Optus data breach, so we'd like to see long-term solutions in place" Alam says. 

Reforms are needed, but so is better enforcement 

The federal government is working on reforms to the Privacy Act, a move that is welcomed by the experts we spoke to. However, Johnston says that ensuring companies are held accountable to the laws that already exist is also important. 

"There's been very little enforcement and I think the data broking industry has benefited. Privacy principles are being so often forgotten in practice, and the industry is really built on widespread non-compliance with the laws," she says. 

OAIC says they welcome the Australian government's announcement last year of an in-principle agreement to introduce "fair and reasonable" obligations for personal information handling. 

"This would require organisations to only collect, use or disclose information fairly and reasonably, and would place individuals at the centre of the privacy framework," an OAIC spokesperson says. 

A public registry of data brokers as seen in California would be a step in the right direction

CHOICE senior policy adviser Rafi Alam

Alam agrees with Kemp that governments and regulators need to step up to growing challenges. 

"Despite playing with millions of people's data, there's very little public knowledge on who is a data broker and what they're doing. A public registry of data brokers as seen in California would be a step in the right direction," he says. 

"A prohibition on unfair trading in general would also strengthen any privacy guardrails on the data practices of data brokers and other businesses," he adds. 

*Names have been changed.

Stock images: Getty, unless otherwise stated.

Join the conversation

To share your thoughts or ask a question, visit the CHOICE Community forum.

Visit CHOICE Community