Dr Katharine Kemp is a Senior Lecturer at the Faculty of Law, UNSW Sydney, and Non-Resident Research Fellow at Loyola University Chicago Consumer Antitrust Studies Institute.
Many companies don't just collect personal data directly from consumers when they make a purchase or sign up as a user. Instead, they approach other retailers, data brokers and loyalty schemes to get extra information about the customer, such as their age range, income, marital status, health and whether or not they have children. The advertising industry calls this 'data enrichment'.
These companies could ask customers for these details directly, but they probably realise that most customers would refuse. So instead they collect this extra data from third parties behind the scenes, without giving customers a chance to opt out. They can then use the data to profile the customer, more precisely target them with ads, and potentially draw inferences about their weaknesses and vulnerabilities.
These companies could ask customers for these details directly, but they probably realise that most customers would refuse
The extraordinary thing about this third-party collection is not that there are Australian companies unfairly collecting personal information about their customers – it's that there's already a law that makes much of this data enrichment illegal. It just hasn't been enforced.
That law says that organisations "must collect personal information about an individual only from the individual", unless doing so would be unreasonable or impracticable (I call this 'the direct collection rule').
In a research paper released today, I explain why this direct collection rule makes much data enrichment for profiling and targeting purposes unlawful in Australia. I also explain why our federal privacy regulator should take action as a matter of priority against organisations that unlawfully collect personal information from third parties.
The direct collection rule
The direct collection rule is found in Australian Privacy Principle 3.6(b) in the federal Privacy Act, which applies to most companies that have a yearly revenue of more than $3 million.
The rule has received very little attention in the decade it has been on the books. No court has considered the provision and there's only one published determination on it by the privacy regulator. That case didn't relate to data enrichment practices and we're not aware of any investigation into these practices by the privacy regulator.
Information is clearly not collected 'only from the individual' when it's bought from a data broker or obtained as part of a data exchange between two organisations
The general requirement for 'collection only from the individual' would be met in common situations where consumers fill in the organisation's online forms, respond to their surveys, buy something from them, use their service, or talk with a representative of the organisation on the phone.
But information is clearly not collected 'only from the individual' when it's bought from a data broker or obtained as part of a data exchange between two organisations.
Businesses generally don't give consumers clear information about what data they collect from third parties.
This third-party data collection is only lawful if the 'unreasonable or impracticable' exception applies. This exception was intended to apply to a narrow range of circumstances, which might include situations where collection is necessary to:
- prevent fraudulent use of a platform; or
- correct an address provided for delivery of purchased goods.
The 'unreasonable or impracticable' exception does not apply simply because an organisation wants to collect more personal information about a customer, but realises the customer would probably regard the request as intrusive and refuse.
Who's collecting personal information from third parties?
Companies generally don't give consumers clear information about precisely what personal information they're collecting from third parties, nor who those third parties are. But many companies with large customer bases include vague terms in the fine print of their privacy policies about the fact that they collect personal information from third parties.
Companies generally don't give consumers clear information about precisely what personal information they're collecting from third parties, nor who those third parties are
Amazon Australia, eBay Australia, Google, Meta, Twitter, News Corp Australia, Nine and Seven West Media are among the many large organisations with third-party data collection terms. Here are some examples.
Amazon Australia Interest-Based Ads Notice: "Some third-parties may provide us pseudonymised information about you (such as demographic information or sites where you have been shown ads) from offline and online sources that we may use to provide you more relevant and useful advertising."
There are many other companies with similar terms in their privacy policies (my paper extracts numerous examples), as well as others that probably fail in their obligation to notify consumers about these practices.
As is typically the case, none of these terms are specific about which third parties the companies collect information from, nor is the consumer given any way of opting out.
Collection from third parties continues even though the consumer survey evidence clearly shows that most Australian consumers:
- regard it as a misuse of their information for digital platforms to collect that information from third parties; and
- consider it unfair for companies to collect information that's not necessary to provide the relevant service.
What information are third parties selling?
Most companies don't say precisely what personal information they're buying from or exchanging with third parties. But we can get some idea from the advertisements of data brokers.
For example, here's how Oracle Australia explains its data enrichment offer to companies:
"You may have a database full of customers who have signed up for your newsletter or signed into an account on your website, but you don't know much about them. Oracle's data enrichment improves your understanding of these customers by adding demographic data to each profile, along with information about their buying behaviour and other helpful clues about their lifestyle or identity…"
Oracle Australia promises clients it can "[c]reate a true customer 360-degree view with a wide array of known customer attributes".
Oracle's website offers various ways to 'enrich' customer data. Source: Oracle Australia.
Experian promises clients they can use its data enrichment services to: "Enrich audience data based on a combination of demographic, geographic, financial and market research data – both online and offline data."
This appears to include data as diverse as household income, life stage, children, age, wealth, property type and number of bedrooms, whether the individual has recently moved house, and even "pool & solar indicators".
These data companies don't explain how this third-party collection would comply with the direct collection rule.
This data enrichment doesn't fit the exception to direct collection
The Office of the Australian Information Commissioner (OAIC) has given some guidance as to when the 'unreasonable or impracticable' exception to the direct collection rule would be met. It gives potential examples of the exception in what are clearly narrowly defined situations, such as the investigation of unlawful conduct or updating an address for delivery of legal documents. It also lists factors to consider in deciding when the exception would apply.
In light of the factors listed in the OAIC guidance, the exception should not apply to data enrichment for targeting or profiling for the following reasons:
- Organisations can ask consumers directly for their various demographic details, interests and the like, and consumers can give that information if they wish.
- Collection from the individual wouldn't jeopardise the purpose of the collection as it would in a fraud investigation. Consumers can decide for themselves what information they want known for profiling and targeting.
- Even where consumers make use of a 'free' digital service, knowing that the supplier collects and uses information about their use of the service, this does not extend to a reasonable expectation that further data will be collected from data brokers or third parties well beyond the relevant service.
- Collection from third parties is not within consumers' reasonable expectations: survey evidence shows that consumers regard this as a misuse of their information. The fact that organisations go behind consumers' backs to do this also shows their awareness that consumers would probably object.
- Consumers' privacy is infringed by their lack of control (or even knowledge) of the precise types of information collected from others, and who those others are.
- The combination of fragments of information from various sources also increases the risk that the data – or inferences drawn from it – will expose the individual's vulnerabilities, weaknesses and other details that they wouldn't wish to share.
- The time and cost involved in seeking the information from the individual doesn't make direct collection 'unreasonable or impracticable', especially where the organisation has a relationship with the customer and/or their contact details.
- Where the time and cost of direct collection would be excessive, this may simply be an indication of the unreasonableness of a company with relatively little connection to the individual collecting so much unnecessary information about them.
'Consent' given to the collecting organisation is not an exception
A critical point about the direct collection rule is that it contains no exception based on consent from the individual to the collecting organisation.
This is clear from the wording of the rule, which makes it an exception for government agencies to get consent from the individual, but doesn't provide the same exception for private organisations.
Organisations can't rely on the vague terms in their privacy policies to claim that the customer gave implied consent to their third-party data collection, thereby making it lawful
This means organisations can't rely on the vague terms in their privacy policies to claim that the customer gave implied consent to their third-party data collection, thereby making it lawful.
Consent given to the disclosing organisation is not an exception
The direct collection rule imposes the obligation on the collecting organisation, in addition to the obligations on disclosing organisations. Although genuine consent given to the disclosing organisation will be relevant to whether it would be 'unreasonable or impracticable' for the collecting organisation to gather it only from the individual, that consent is not an exception in itself.
Much will depend on the broader circumstances of the collection, such as whether or not the collection was actively and specifically requested by the individual for their benefit – for example, if a person asks their lawyer in a property settlement to collect their financial information directly from their accountant, or asks their music streaming services to import their playlists from another music streaming service for their convenience.
The information is 'personal information'
Most organisations seem to recognise in their privacy terms that the data they collect from third parties is 'personal information' and therefore covered by the Privacy Act.
But some may try to argue that this information was in fact 'de-identified' (sometimes 'anonymised') and therefore not covered by the Act. Companies have, for example, made claims to consumers that certain practices involve only 'de-identified' or 'anonymous' information, even while boasting in the advertising press about the extent to which they're able to track individual consumers' behaviour.
That said, marketing methods labelled 'privacy-compliant' may nonetheless collect and use 'personal information', with the result that the obligations under the Privacy Act apply.
Organisations often combine information concerning a given consumer by using the same 'hashed' email address or other unique identifier to connect information that the organisations respectively hold on that consumer, rather than using their legal name or email address. (A hashed email address is essentially a unique string of letters and numbers created by both parties applying a certain formula to the email address.) The combined data reveals more information about the individual to each of the organisations involved. This should be treated as personal information.
It's a simple step to recognise that collected data that's connected to a hashed email address is information about the individual who's connected to that same hashed email address in the organisation's own database. As the federal court has held in interpreting the concept of 'personal information' under the Privacy Act, "even if a single piece of information is not 'about the individual' it may be about the individual when combined with other information".
Time for action
The direct collection rule has been almost entirely overlooked in the 10 years it's been in force – possibly because these data practices are so opaque and companies have assumed that they could argue that this data sharing was permitted because it was mentioned in their privacy policies.
It's time for the regulator to examine these third-party data collection practices and take action against contraventions of this law
Three years ago, the Australian Competition and Consumer Commission (ACCC) recommended substantial reforms to privacy law in an attempt to address the information asymmetries and imbalances in bargaining power between consumers and the large organisations that use their personal data. Consumers await the outcome of the ACCC's recommendations.
But some of these imbalances and injustices could be addressed right now if only our privacy regulator enforced the existing direct collection rule. It's time for the regulator to examine these third-party data collection practices and take action against contraventions of this law.
Stock images: Getty, unless otherwise stated.