The big privacy news this week is the release of the ACCC interim report on the data brokering industry, which has thrown light onto the shady world of monetising and trading in your personal information.
This is the world in which our online activities are tracked (via logins, cookies, device identifiers, pixels, social media use and more), and matched with our offline activities (via mobile phone location-tracking, transaction data, customer loyalty data and more), in order to identify our movements and behaviour, profile and then microtarget us. The data matching between different companies’ customer datasets often happens in ‘data clean rooms’.
This data brokering ecosystem is how data services firms know precisely who amongst us walked into a Vintage Cellars shop to buy Moet & Chandon after seeing a particular ad. It is how they know who is hanging out at Bunnings or visiting their OB/GYN , who has been to see a financial lender, who is at a church or an abortion clinic, who is “up a mountain or in a grocery store”. It is how they know what you are listening to on your commute to work – and how that differs to what you listen to when you go for a run.
This intensive tracking, inference-drawing and profiling then enables data services firms to package us up for sale to brands for microtargeting as ‘fun-loving fifties’, ‘tradies’ or ‘small business owners’ – but also as ‘cardiologist visitors’, ‘people in financial distress’, ‘religious minorities’, ‘teenage girls’, or ‘people experiencing pain’.
Happily the ACCC read our submission, which explained how I had helped an acquaintance, ‘Justine’, try to figure out how a company she had never heard of could target her at home, with unsolicited marketing about a health condition. Our investigation to find out who had sold or shared her data took us through three separate companies, before the trail stopped cold.
The ACCC summarised Justine’s case study thus: “When she questioned how they had obtained this information, the data firms reportedly responded that she had supplied these details (and consented to their use for direct marketing purposes) when she entered an online competition in 2019”.
The ACCC report then goes on to refer to how T&Cs in competitions might broadly refer to data sharing – and the problems with consumer comprehension with T&Cs or privacy policies with confusing or obtuse terminology.
Yep sure, comms are definitely a problem in the industry, leading to purported ‘consents’ of questionable validity. But that wasn’t the point of Justine’s complaint.
What the ACCC didn’t mention is that our submission went on to explain that the consumer, Justine, had not consented at all.
Justine not only asserted that she had never entered a competition, but that none of the three companies, when challenged on the lawful basis for sharing her personal information, could produce any evidence in support of their claim that she had entered a competition (let alone ‘consented’ to some terms about data sharing) in the first place. No copy of a competition form, no copies of the T&Cs, no description of who ran the alleged competition – nothing.
And in fact, the evidence that was produced to Justine demonstrated the exact opposite: that she had not consented, and at least one of the data brokers knew it. It was right there, in her data file.
The records supplied to Justine by SMRTR included a dossier with three key pieces of evidence:
- details that were highly unlikely to have been included by Justine in a competition entry form, such as that she lives alone and is ‘not blue collar’
- not one but two email addresses for Justine, including an old work email address from a job she had left well before 2019, thus again a detail highly unlikely to have been included by Justine, and
- – this is my favourite detail – a code for whether or not Justine had ‘self-reported’ the data such as via a survey or competition entry, which in Justine’s case was coded ‘no’.
In other words, Justine’s chief allegation, which was included in our submission to the ACCC, was not that she was somehow tricked into agreeing with some T&Cs that were beyond her comprehension.
Justine’s complaint is that the data brokers would appear to have lied about having her consent, because we believe that there were no T&Cs to start with.
She might be over 70, but let me tell you, Justine is not some befuddled old biddy, fallen victim to dark patterns. She is, in her words, ‘infuriated’, that her data was shared without anything even pretending to demonstrate her consent.
And without her consent, the collection and disclosure of her personal information, by at least three different companies she had no relationship with, was surely unlawful under APPs 3 and 6 of the Privacy Act.
The ACCC’s report highlights other concerns raised by UNSW academics Katharine Kemp and Graham Greenleaf in their submission, about a separate allegation of widespread industry non-compliance with APP 3.6. (If you don’t want to digest the mammoth ACCC report with its copious examples, check out Katharine Kemp’s punchy article for an excellent overview.)
But all the ACCC recommended is that the government should progress the Privacy Act reforms and fund the OAIC. I agree wholeheartedly with those recommendations, but they don’t address the problem we have right now, of non-compliance with the current law, which is supposed to stop unrelated companies collecting and sharing your data, without your consent.
If the ACCC, with an industry-wide remit, is not going to grapple with allegations of the unlawful sharing of our personal information under the law as it stands today, where next for Justine – and the rest of us?
Our hopes now rest with an investigation and enforcement by the OAIC.
Six months ago, the OAIC offered Justine the opportunity to conciliate her complaint, with one of the data brokers she complained about. The alternative to a conciliation meeting was for her complaint to be closed, but referred as a ‘systemic issue’ to the Commissioner-initiated Investigations (CII) team within the OAIC.
Justine chose the latter, in the hope that the Privacy Commissioner will indeed investigate and take action, to impact not one respondent, but the whole data brokering ecosystem. But doing so meant that Justine had to give up any right she had as an individual complainant to take the matter further – or even to be informed about progress by the CII team.
So the complaint has gone into the black box of the CII team, and we will just have to wait and see what comes out of it.
And if the OAIC was to peek inside the operations of these or other data brokers and their data clean rooms … would they find clean, compliant, consented consumer data, neatly folded and smelling like lavender? Or messy piles of dirty data, ready for laundering?
It is beyond time that the data brokering ecosystem was cleaned up.
Photograph by Jan Antonin Kolar on Unsplash
