How one simple rule change could curb online retailers’ snooping on you

Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW, UNSW

I spent last week studying the 26,000 words of privacy terms published by eBay and Amazon, trying to extract some straight answers, and comparing them to the privacy terms of other online marketplaces such as Kogan and Catch (my full summary is here).

There’s bad news and good news.

The bad news is that none of the privacy terms analysed are good. Based on their published policies, there is no major online marketplace operating in Australia that sets a commendable standard for respecting consumers’ data privacy.

All the policies contain vague, confusing terms and give consumers no real choice about how their data are collected, used and disclosed when they shop on these websites. Online retailers that operate in both Australia and the European Union give their customers in the EU better privacy terms and defaults than us, because the EU has stronger privacy laws.

The Australian Competition and Consumer Commission (ACCC) is currently collecting submissions as part of an inquiry into online marketplaces in Australia. You can have your say here by August 19.

The good news is that, as a first step, there is a clear and simple “anti-snooping” rule we could introduce to cut out one unfair and unnecessary, but very common, data practice.

Deep in the fine print of the privacy terms of all the above-named websites, you’ll find an unsettling term.

It says these retailers can obtain extra data about you from other companies, for example, data brokers, advertising companies, or suppliers from whom you have previously purchased.

eBay, for example, can take the data about you from a data broker and combine it with the data eBay already has about you, to form a detailed profile of your interests, purchases, behaviour and characteristics.

The problem is the online marketplaces give you no choice in this. There’s no privacy setting that lets you opt out of this data collection, and you can’t escape by switching to another major marketplace, because they all do it.

An online bookseller doesn’t need to collect data about your fast-food preferences to sell you a book. It wants these extra data for its own advertising and business purposes.

You might well be comfortable giving retailers information about yourself, so as to receive targeted ads and aid the retailer’s other business purposes. But this preference should not be assumed. If you want retailers to collect data about you from third parties, it should be done only on your explicit instructions, rather than automatically for everyone.

The “bundling” of these uses of a consumer’s data is potentially unlawful even under our existing privacy laws, but this needs to be made clear.

Time for an ‘anti-snooping’ rule

Here’s my suggestion, which forms the basis of my own submission to the ACCC inquiry.

Online retailers should be barred from collecting data about a consumer from another company, unless the consumer has clearly and actively requested this.

For example, this could involve clicking on a check-box next to a plainly worded instruction such as:

Please obtain information about my interests, needs, behaviours and/or characteristics from the following data brokers, advertising companies and/or other suppliers.

The third parties should be specifically named. And the default setting should be that third-party data are not collected without the customer’s express request.

This rule would be consistent with what we know from consumer surveys: most Australian consumers are not comfortable with companies unnecessarily sharing their personal information.

There could be reasonable exceptions to this rule, such as for fraud detection, address verification or credit checks. But data obtained for these purposes should not be used for marketing, advertising or generalised “market research”.

Can’t we already opt out of targeted ads?

Online marketplaces do claim to allow choices about “personalised advertising” or marketing communications. Unfortunately, these are worth little in terms of privacy protection.

Amazon says you can opt out of seeing targeted advertising. It does not say you can opt out of all data collection for advertising and marketing purposes.

Similarly, eBay lets you opt out of being shown targeted ads. But the later passages of its Cookie Notice state:

your data may still be collected as described in our User Privacy Notice.

This gives eBay the right to continue to collect data about you from data brokers, and to share them with a range of third parties.

Many retailers and large digital platforms operating in Australia justify their collection of consumer data from third parties on the basis you’ve already given your implied consent to the third parties disclosing it.

That is, there’s some obscure term buried in the thousands of words of privacy policies that supposedly apply to you, which says that Bunnings, for instance, can share data about you with various “related companies”.

Of course, Bunnings didn’t highlight this term, let alone give you a choice in the matter, when you ordered your hedge cutter last year. It only included a “Policies” link at the foot of its website; the term was on another web page, buried in the detail of its Privacy Policy.

Such terms should ideally be eradicated entirely. But in the meantime, we can turn the tap off on this unfair flow of data, by stipulating that online retailers cannot obtain such data about you from a third party without your express, active and unequivocal request.

Who should be bound by an ‘anti-snooping’ rule?

While the focus of this article is on online marketplaces covered by the ACCC inquiry, many other companies have similar third-party data collection terms, including Woolworths, Coles, major banks, and digital platforms such as Google and Facebook.

While some argue users of “free” services like Google and Facebook should expect some surveillance as part of the deal, this should not extend to asking other companies about you without your active consent.

The anti-snooping rule should clearly apply to any website selling a product or service.

With lockdowns barring many of us from visiting physical shops, we should be able to make purchases online without being unwittingly roped into a company’s advertising side hustle.The Conversation

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Author

  • Dr Katharine Kemp is a Senior Lecturer at the Faculty of Law, UNSW Sydney, and Academic Lead of the UNSW Grand Challenge on Trust. Katharine’s research focuses on competition law (particularly misuse of market power), consumer protection and data privacy regulation. She has published widely in these fields, including "Misuse of Market Power: Reform and Rationale" (Cambridge University Press, 2018), "Competition Law of South Africa" (LexisNexis) with PJ Sutherland, and numerous peer-reviewed journal articles. Katharine is the Co-Leader of the "Data as a Source of Market Power" research stream for The Allens Hub for Technology, Law and Innovation, with Dr Rob Nicholls of the UNSW Business School. She is also the convenor of the new postgraduate course, "Financial Law and Regulation in the Age of Fintech" (LAWS8174), and lectures Contracts at UNSW Law. Before joining the faculty, Katharine was a Research Fellow on the UNSW Digital Financial Services Research Team, conducting in-depth research into the regulation of digital financial services in developing countries in particular, including through fieldwork in these countries. She has also practised as a commercial lawyer in major law firms, as a barrister in Melbourne, and consulted to the Competition Commission of South Africa during the six years that she lived and worked in South Africa. She is a Member of the Centre for Law and Market Regulation, a Member of the Australian Privacy Foundation and a Member of the Advisory Board of the Future of Finance Initiative in India.

    View all posts