Katharine Kemp, Associate Professor, Faculty of Law & Justice, UNSW Sydney

Australian consumers don’t understand how companies – including data brokers – track, target and profile them. This is revealed in new research on consumer understanding of privacy terms, released by the non-profit Consumer Policy Research Centre and UNSW Sydney today.

Our report also reveals 70% of Australians feel they have little or no control over how their data is disclosed between companies. Many expressed anger, frustration and distrust.

These findings are particularly important as the government considers long-overdue reforms to our privacy legislation, and the consumer watchdog finalises its upcoming report on data brokers.

If Australians are to have any hope of fair and trustworthy data handling, the government must stop companies from hiding their practices behind confusing and misleading privacy terms and mandate fairness in data handling.

We are all being tracked

Our activities online and offline are constantly tracked by various companies, including data brokers that trade in our personal information.

This includes data about our activity and purchases on websites and apps, relationship status, children, financial circumstances, life events, health concerns, search history and location.

Many businesses focus their efforts on finding new ways to track and profile us, despite repeated evidence that consumers view this as misuse of their personal information.

Companies describe the data they collect in confusing and unfamiliar terms. Much of this wording seems designed to prevent us from understanding or objecting to the use and disclosure of our personal information, often collected in surreptitious ways.

Businesses can use your data to make more profit at your expense. This includes

• charging you a higher price
• preventing you from seeing better offers
• micro-targeting political messages or ads based on your health information
• reducing the priority you’re given in customer service
• creating a profile (which you’ll never see) to share with a prospective employer, insurer or landlord.

Anonymised, pseudonymised, hashed

Businesses commonly try to argue this information is “de-identified” or not “personal”, to avoid running afoul of the federal Privacy Act in which these terms are defined.

But many privacy policies muddy the waters by using other, undefined terms. They create the impression data can’t be used to single out the consumer or influence what they’re shown online – even when it can.

Privacy policies commonly refer to:

• anonymised data
• pseudonymised information
• hashed emails
• audience data
• aggregated information.

These terms have no legal definition and no fixed meaning in practice.

Data brokers and other companies may use “pseudonymised information” or “hashed email addresses” (essentially, encrypted addresses) to create detailed profiles. These will be shared with other businesses without our knowledge. They do this by matching the information collected about us by various companies in different parts of our lives.

“Anonymised information” – not a legal term in Australia – may sound like it wouldn’t reveal anything about an individual consumer. Some companies use it when only a person’s name and email have been removed, but we can still be identified by other unique or rare characteristics.

What did our survey find?

Our survey showed Australians do not feel in control of their personal information. More than 70% of consumers believe they have very little or no control over what personal information online businesses share with other companies.

Only a third of consumers feel they have at least moderate control over whether businesses use their personal information to create a profile about them.

Most consumers have no understanding of common terms in privacy notices, such as “hashed email address” or “advertising ID” (a unique ID usually assigned to one’s device).

And it’s likely to be worse than these statistics suggest, since some consumers may overestimate their knowledge.

The terms refer to data widely used to track and influence us without our knowledge. However, when consumers don’t recognise descriptions of personal information, they’re less likely to know whether that data could be used to single them out for tracking, influencing, profiling, discrimination or exclusion.

Most consumers either don’t know, or think it unlikely, that “pseudonymised information”, a “hashed email address” or “advertising ID” can be used to single them out from the crowd. They can.

Most consumers think it’s unacceptable for businesses they have no direct relationship with to use their email address, IP address, device information, search history or location data. However, data brokers and other “data partners” not in direct contact with consumers commonly use such data.

Consumers are understandably frustrated, anxious and angry about the unfair and untrustworthy ways organisations make use of their personal information and expose them to increased risk of data misuse.

Fairness, not ‘education’

Simply educating consumers about the terms used by companies and the ways their data is shared may seem an obvious solution.

However, we don’t recommend this for three reasons. Firstly, we can’t be sure of the meaning of undefined terms. Companies will likely keep coming up with new ones.

Secondly, it’s unreasonable to place the burden of understanding complex data ecosystems on consumers who naturally lack expertise in these areas.

Thirdly, “education” is pointless when consumers are not given real choices about the use of their data.

Urgent law reform is needed to make Australian privacy protections fit for the digital era. This should include clarifying that information that singles an individual out from the crowd is “personal information”.

We also need a “fair and reasonable” test for data handling, instead of take-it-or-leave-it privacy “consents”.

Most of us can’t avoid participating in the digital economy. These changes would help ensure that instead of confusing privacy terms, there are substantial, meaningful legal requirements for how our personal information is handled.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Katharine Kemp, Senior Lecturer, Faculty of Law & Justice, UNSW Sydney

New research reveals serious privacy flaws in fertility apps used by Australian consumers – emphasising the need for urgent reform of the Privacy Act.

Fertility apps provide a number of features. For instance, they may help users track their periods, identify a “fertile window” if they’re trying to conceive, track different stages and symptoms of pregnancy, and prepare for parenthood up until the baby’s birth.

These apps collect deeply sensitive data about consumers’ sex lives, health, emotional states and menstrual cycles. And many of them are intended for use by children as young as 13.

My report published today analysed the privacy policies, messages and settings of 12 of the most popular fertility apps used by Australian consumers (excluding apps that require a connection with a wearable device).

This analysis uncovered a number of concerning practices by these apps including:

• confusing and misleading privacy messages
• a lack of choice in how data are used
• inadequate de-identification measures when data are shared with other organisations
• retention of data for years even after a consumer stops using the app, exposing them to unnecessary risk from potential data breaches.

The data collected

The apps in this study collect intimate data from consumers, such as:

• their pregnancy test results
• when they have sex and whether they had an orgasm
• whether they used a condom or “withdrawal” method
• when they have their period
• how their moods change (including anxiety, panic and depression)
• and if they have health conditions such as polycystic ovary syndrome, endometriosis or uterine fibroids.

Some ask for unnecessary details, such as when a user smokes and drinks alcohol, their education level, whether they struggle to pay their bills, if they feel safe at home, and whether they have stable housing.

They also track which support groups you join, what you add to your “to-do list” or “questions for doctor”, and which articles you read. All of this creates a more detailed picture of your health, family situation and intentions.

Confusing or misleading privacy messages

Consumers should expect the clearest information about how such data are collected, used and disclosed. Yet we found some of the messaging is highly confusing or misleading.

Some apps say “we will never sell your data”. But the fine print of the privacy policy contains a term that allows them to sell all your data as part of the sale of the app or database to another company.

This possibility is not just theoretical. Of the 12 apps included in the study, one was previously taken over by a drug development company, and another two by a digital media company.

Other apps explain privacy settings using language that makes it almost impossible for a consumer to understand what they are choosing, or obscure the privacy settings by placing them numerous clicks and scrolls away from the home screen.

Keeping sensitive data for too long

The major data breaches of the past six months highlight the risks of companies holding onto personal data longer than necessary.

Breaches of highly sensitive information about health and sexual activities could lead to discrimination, exploitation, humiliation or blackmail.

Most of the apps we analysed keep user data for at least three years after the user quits the app – or seven years in the case of one brand. Some apps give no indication of when user data will be deleted.

Can’t count on ‘de-identification’

Some apps also give consumers no choice regarding whether their “de-identified” health data will be sold or transferred to other companies for research or business. Or, they have consumers opted-in to these extra uses by default, putting the onus on users to opt out.

Moreover, some of these data are not truly de-identified. For example, removing your name and email address and replacing it with a unique number is not de-identification for legal purposes. Someone would only need to work out the link between your name and that number in order to link your whole record with you.

When supposedly de-identified Medicare records were published in 2016, University of Melbourne researchers showed how just a few data points can connect a de-identified record to a unique individual.

Need for reform

This research highlights the unfair and unsafe data practices consumers are subjected to when they use fertility apps. And these findings reinforce the need for Australia’s privacy laws to be updated.

We need improvements in what data are covered by the Privacy Act, what choices consumers can make about their data, what data uses are prohibited, and what security systems companies must have in place.

The government is seeking submissions on potential privacy law reforms until March 31.

In the meantime, if you’re using a fertility app, there are some steps you can take to help reduce some of the privacy risks:

1. when launching the app for the first time, don’t agree to tracking of your data, or you can limit ad tracking via iPhone device settings
2. don’t log in via a social media account
3. don’t answer questions or add data you don’t need to for your own purposes
4. don’t share your Apple Health or FitBit data
5. if the app provides privacy choices, opt out of tracking and having your data sold or used for research, and delete your data when you stop using the app
6. bear in mind that every article you read, and how long you spend on it, and every group you join and comment you make there may be added to a profile about you.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

In the recently released Privacy Act Review Report, the Attorney-General’s Department makes numerous important proposals that could see the legislation, enacted in 1988, begin to catch up to leading privacy laws globally.

Among the positive proposed changes are: more realistic definitions of personal information and consent, tighter limits on data retention, a right to erasure, and a requirement for data practices to be fair and reasonable.

However, the report’s proposals on targeted advertising don’t properly address the power imbalance between companies and consumers. Instead, they largely accept a status quo that sacrifices consumer privacy to the demands of online targeted ad businesses.

Capturing personal information used to track and profile

Obligations under the existing Privacy Act only apply to “personal information”, but there has been legal uncertainty about what exactly constitutes “personal information”.

Currently, companies can track an individual’s online behaviour across different websites and connect it with their offline movements by matching their data with data collected from third parties, such as retailers or data brokers.

Some of these companies claim they’re not dealing in “personal information” since they don’t use the individual’s name or email address. Instead, the matching is done based on a unique identifier allocated to that person – such as a hashed email, for example.

The report proposes an expanded definition of “personal information” that clearly includes the various technical and online identifiers being used to track and profile consumers. Under this definition, companies could no longer claim such data collection and sharing are outside the scope of the Privacy Act.

Improved consent (when required)

The report also proposes higher standards for how consent is sought, in cases where the act requires it. This would require voluntary, informed, current, specific and unambiguous consent.

This would work against organisations claiming consumers have consented to unexpected data uses just because they used a website or an app with a link to a broadly worded privacy policy with take-it-or-leave-it terms.

For example, companies would need to demonstrate the higher standard of consent to collect sensitive information about someone’s mental health or sexual orientation. The report also proposes that some further data practices, such as precise geolocation tracking, should require consent.

However, it specifically states consent should not be required for some targeted ad practices. Yet surveys show most consumers regard these as misuses of their personal information.

‘Fair and reasonable’ data practices

The report proposes a “fair and reasonable” test for dealings with personal information in general.

This recognises that consumers are saddled with too much of the responsibility for managing how their personal information is collected and used, while they lack the information, resources, expertise and control to do this effectively.

Instead, organisations covered by the Privacy Act should ensure their data handling practices are “fair and reasonable”, regardless of whether they have consumer consent. This would include considering whether a reasonable person would expect the data to be collected, used or disclosed in that way, and whether any dealing with children’s information is in the best interests of the child.

Prohibiting targeted ads based on sensitive information

The report proposes the prohibition of targeting based on sensitive information and traits. However, it’s not always easy to draw the line between “sensitive” information or traits, and other personal information.

For instance, is having an interest in “cosmetic procedures” or “rapid weight loss” a sensitive trait, or a general reading interest? Companies may exploit such grey areas. So while prohibiting targeting based on sensitive information is appropriate, it’s not enough in itself.

Another loophole arises in the report’s proposal that consumer consent should be necessary before an organisation trades in their personal information. The report leaves open an exception to this consent requirement where the “trading” is reasonably necessary for an organisation’s functions or activities.

This may be a substantial exception: data brokers, for example, might argue their trade in personal information (without consumers’ knowledge or consent) is necessary.

Opt out only, not opt in

Both the ACCC and the UK Competition & Markets Authority have recommended consumers should opt in to the use of their personal information for targeted advertising if they wish to see this content.

But the report proposes individuals should only be allowed to opt out of “seeing” targeted ads. This still wouldn’t stop companies from collecting, using and disclosing a user’s personal information for broader targeting purposes.

Even if a consumer opts out of seeing targeted ads, a business may continue to collect their personal information to create “lookalike audiences” and target other people with similar attributes.

Although having the option to opt out of seeing targeted ads gives consumers some limited control, companies still control the “choice architecture” of such settings. They can use their control to make opting out confusing and difficult for users, by forcing them to navigate through multiple pages or websites with obscurely labelled settings.

Are targeted ads necessary to support online services?

This limitation of consumers’ choices was partly explained by the view of the Attorney-General’s Department that targeted ads are necessary to fund “free” services. This refers to services where consumers “pay” with their attention and data (which companies use to make revenue from targeted advertising).

However, many companies using customers’ personal information for targeted ad businesses aren’t providing free services. Consider online marketplaces such as Amazon or eBay, or subscription-based products of media companies such as NewsCorp and Nine.

Meta (Facebook) and the Interactive Advertising Bureau Australia argued that if consumers opt out of targeted ads, a company should be able to stop offering them the service in question. This proposal was rejected on the basis that a platform can still show non-targeted ads to such consumers.

Inconsistently, the report failed to question broader claims that targeted advertising – as opposed to less intrusive forms of advertising – must be protected for online services to be viable.

Real change is needed

The reform of our privacy laws is long overdue. The government should avoid watering down potential improvements by attempting to preserve the status quo dictated by large businesses.

The government is seeking feedback on the report until March 31. It will then decide on the final form of the reforms it proposes, before these are debated in Parliament.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

A little-known provision of the Privacy Act makes it illegal for many companies in Australia to buy or exchange consumers’ personal data for profiling or targeting purposes. It’s almost never enforced. In a research paper published today, I argue that needs to change.

“Data enrichment” is the intrusive practice of companies going behind our backs to “fill in the gaps” of the information we provide.

When you purchase a product or service from a company, fill out an online form, or sign up for a newsletter, you might provide only the necessary data such as your name, email, delivery address and/or payment information.

That company may then turn to other retailers or data brokers to purchase or exchange extra data about you. This could include your age, family, health, habits and more.

This allows them to build a more detailed individual profile on you, which helps them predict your behaviour and more precisely target you with ads.

For almost ten years, there has been a law in Australia that makes this kind of data enrichment illegal if a company can “reasonably and practicably” request that information directly from the consumer. And at least one major data broker has asked the government to “remove” this law.

The burning question is: why is there not a single published case of this law being enforced against companies “enriching” customer data for profiling and targeting purposes?

Data collection ‘only from the individual’

The relevant law is Australian Privacy Principle 3.6 and is part of the federal Privacy Act. It applies to most organisations that operate businesses with annual revenues higher than A$3 million, and smaller data businesses.

The law says such organisations:

must collect personal information about an individual only from the individual […] unless it is unreasonable or impracticable to do so.

This “direct collection rule” protects individuals’ privacy by allowing them some control over information collected about them, and avoiding a combination of data sources that could reveal sensitive information about their vulnerabilities.

But this rule has received almost no attention. There’s only one published determination of the federal privacy regulator on it, and that was against the Australian Defence Force in a different context.

According to Australian Privacy Principle 3.6, it’s only legal for an organisation to collect personal information from a third party if it would be “unreasonable or impracticable” to collect that information from the individual alone.

This exception was intended to apply to limited situations, such as when:

• the individual is being investigated for some wrongdoing
• the individual’s address needs to be updated for delivery of legal or official documents.

The exception shouldn’t apply simply because a company wants to collect extra information for profiling and targeting, but realises the customer would probably refuse to provide it.

Who’s bypassing customers for third-party data?

Aside from data brokers, companies also exchange information with each other about their respective customers to get extra information on customers’ lives. This is often referred to as “data matching” or “data partnerships”.

Companies tend to be very vague about who they share information with, and who they get information from. So we don’t know for certain who’s buying data-enrichment services from data brokers, or “matching” customer data.

Major companies such as Amazon Australia, eBay Australia, Meta (Facebook), 10Play Viacom and Twitter include terms in the fine print of their privacy policies that state they collect personal information from third parties, including demographic details and/or interests.

Google, News Corp, Seven, Nine and others also say they collect personal information from third parties, but are more vague about the nature of that information.

These privacy policies don’t explain why it would be unreasonable or impracticable to collect that information directly from customers.

Consumer ‘consent’ is not an exception

Some companies may try to justify going behind customers’ backs to collect data because there’s an obscure term in their privacy policy that mentions they collect personal information from third parties. Or because the company disclosing the data has a privacy policy term about sharing data with “trusted data partners”.

But even if this amounts to consumer “consent” under the relatively weak standards for consent in our current privacy law, this is not an exception to the direct collection rule.

The law allows a “consent” exception for government agencies under a separate part of the direct collection rule, but not for private organisations.

Data enrichment involves personal information

Many companies with third-party data collection terms in their privacy policies acknowledge this is personal information. But some may argue the collected data isn’t “personal information” under the Privacy Act, so the direct collection rule doesn’t apply.

Companies often exchange information about an individual without using the individual’s legal name or email. Instead they may use a unique advertising identifier for that individual, or “hash” the email address to turn it into a unique string of numbers and letters.

They essentially allocate a “code name” to the consumer. So the companies can exchange information that can be linked to the individual, yet say this information wasn’t connected to their actual name or email.

However, this information should still be treated as personal information because it can be linked back to the individual when combined with other information about them.

At least one major data broker is against it

Data broker Experian Australia has asked the government to “remove” Australian Privacy Principle 3.6 “altogether”. In its submission to the Privacy Act Review in January, Experian argued:

It is outdated and does not fit well with modern data uses.

Others who profit from data enrichment or data matching would probably agree, but prefer to let sleeping dogs lie.

Experian argued the law favours large companies with direct access to lots of customers and opportunities to pool data collected from across their own corporate group. It said companies with access to fewer consumers and less data would be disadvantaged if they can’t purchase data from brokers.

But the fact that some digital platforms impose extensive personal data collection on customers supports the case for stronger privacy laws. It doesn’t mean there should be a data free-for-all.

Our privacy regulator should take action

It has been three years since the consumer watchdog recommended major reforms to our privacy laws to reduce the disadvantages consumers suffer from invasive data practices. These reforms are probably still years away, if they eventuate at all.

The direct collection rule is a very rare thing. It is an existing Australian privacy law that favours consumers. The privacy regulator should prioritise the enforcement of this law for the benefit of consumers.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Consumers using online retail marketplaces such as eBay and Amazon “have little effective choice in the amount of data they share”, according to the latest report of the Australian Competition & Consumer Commission (ACCC) Digital Platform Services Inquiry.

Consumers may benefit from personalisation and recommendations in these marketplaces based on their data, but many are in the dark about how much personal information these companies collect and share for other purposes.

ACCC chair Gina Cass-Gottlieb said:

We believe consumers should be given more information about, and control over, how online marketplaces collect and use their data.

The report reiterates the ACCC’s earlier calls for amendments to the Australian Consumer Law to address unfair data terms and practices. It also points out that the government is considering proposals for major changes to privacy law.

However, none of these proposals is likely to come into effect in the near future. In the meantime, we should also consider whether practices such as obtaining information about users from third-party data brokers are fully compliant with existing privacy law.

Why did the ACCC examine online marketplaces?

The ACCC examined competition and consumer issues associated with “general online retail marketplaces” as part of its five-year Digital Platform Services Inquiry.

These marketplaces facilitate transactions between third-party sellers and consumers on a common platform. They do not include retailers that don’t operate marketplaces, such as Kmart, or platforms such as Gumtree that carry classified ads but don’t allow transactions.

The ACCC report focuses on the four largest online marketplaces in Australia: Amazon Australia, Catch, eBay Australia and Kogan. In 2020–21, these four carried sales totalling $8.4 billion.

According to the report, eBay has the largest sales of these companies. Amazon Australia is the second-largest and the fastest-growing, with an 87% increase in sales over the past two years.

The ACCC examined:

• the state of competition in the relevant markets
• issues facing sellers who depend on selling their products through these marketplaces
• consumer issues including concerns about personal information collection, use and sharing.

Consumers don’t want their data used for other purposes

The ACCC expressed concern that in online marketplaces, “the extent of data collection, use and disclosure … often does not align with consumer preferences”.

The Commission pointed to surveys about Australian consumer attitudes to privacy which indicate:

• 94% did not feel comfortable with how digital platforms including online marketplaces collect their personal information
• 92% agreed that companies should only collect information they need for providing their product or service
• 60% considered it very or somewhat unacceptable for their online behaviour to be monitored for targeted ads and offers.

However, the four online marketplaces analysed:

• do not proactively present privacy terms to consumers “throughout the purchasing journey”
• may allow advertisers or other third parties to place tracking cookies on users’ devices
• do not clearly identify how consumers can opt out of cookies while still using the marketplace.

Some of the marketplaces also obtain extra data about individuals from third-party data brokers or advertisers.

The harms from increased tracking and profiling of consumers include decreased privacy; manipulation based on detailed profiling of traits and weaknesses; and discrimination or exclusion from opportunities.

Limited choices: you can’t just ‘walk out of a store’

Some might argue that consumers must not actually care that much about privacy if they keep using these companies, but the choice is not so simple.

The ACCC notes the relevant privacy terms are often spread across multiple web pages and offered on a “take it or leave it” basis.

The terms also use “bundled consents”. This means that agreeing to the company using your data to fill your order, for example, may be bundled together with agreeing for the company to use your data for its separate advertising business.

Further, as my research has shown, there is so little competition on privacy between these marketplaces that consumers can’t just find a better offer. The ACCC agrees:

While consumers in Australia can choose between a number of online marketplaces, the common approaches and practices of the major online marketplaces to data collection and use mean that consumers have little effective choice in the amount of data they share.

Consumers also seem unable to require these companies to delete their data. The situation is quite different from conventional retail interactions where a consumer can select “unsubscribe” or walk out of a store.

Does our privacy law currently permit all these practices?

The ACCC has reiterated its earlier calls to amend the Australian Consumer Law to prohibit unfair practices and make unfair contract terms illegal. (At present unfair contract terms are just void, or unenforceable.)

The report also points out that the government is considering proposals for major changes to privacy law, but these changes are uncertain and may take more than a year to come into effect.

In the meantime, we should look more closely at the practices of these marketplaces under current privacy law.

For example, under the federal Privacy Act the four marketplaces

must collect personal information about an individual only from the individual unless … it is unreasonable or impracticable to do so.

However, some online marketplaces say they collect information about individual consumers’ interests and demographics from “data providers” and other third parties.

We don’t know the full detail of what’s collected, but demographic information might include our age range, income, or family details.

How is it “unreasonable or impracticable” to obtain information about our demographics and interests directly from us? Consumers could ask online marketplaces this question, and complain to the Office of the Australian Information Commissioner if there is no reasonable answer.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

This week the federal government announced proposed legislation to develop an online privacy code (or “OP Code”) setting tougher privacy standards for Facebook, Google, Amazon and many other online platforms.

These companies collect and use vast amounts of consumers’ personal data, much of it without their knowledge or real consent, and the code is intended to guard against privacy harms from these practices.

The higher standards would be backed by increased penalties for interference with privacy under the Privacy Act and greater enforcement powers for the federal privacy commissioner. Serious or repeated breaches of the code could carry penalties of up to A$10 million or 10% of turnover for companies.

However, relevant companies are likely to try to avoid obligations under the OP Code by drawing out the process for drafting and registering the code. They are also likely to try to exclude themselves from the code’s coverage, and argue about the definition of “personal information”.

The current definition of “personal information” under the Privacy Act does not clearly include technical data such as IP addresses and device identifiers. Updating this will be important to ensure the OP Code is effective.

Which organisations would be covered and why?

The code is intended to address some clear online privacy dangers, while we await broader changes from the current broader review of the Privacy Act that would apply across all sectors.

The OP Code would target online platforms that “collect a high volume of personal information or trade in personal information”, including:

• social media networks such as Facebook; dating apps like Bumble; online blogging or forum sites like Reddit; gaming platforms; online messaging and videoconferencing services such as WhatsApp and Zoom

• data brokers that trade in personal information, including Quantium, Acxiom, Experian and Nielsen Corporation

• other large online platforms that collect personal information and have more than 2.5 million annual users in Australia, such as Amazon, Google and Apple.

The OP Code would impose higher standards for these companies than otherwise apply under the Privacy Act.

Higher standards for consent – maybe

The OP Code would set out details about how these organisations must meet obligations under the Privacy Act. This would include higher standards for what constitutes users’ “consent” for how their data are used.

The government’s explanatory paper says the OP Code would require consent to be “voluntary, informed, unambiguous, specific and current”. (Unfortunately, the draft legislation itself doesn’t actually say that, and will require some amendment to achieve this.)

This description draws on the definition of consent in the European Union’s General Data Protection Regulation.

In the EU, for example, “unambiguous” consent means a person must take clear, affirmative action – for instance by ticking a box or clicking a button – to consent to a use of their information.

Consent must also be “specific”, so companies cannot, for example, require consumers to consent to unrelated uses (such as market research) when their data is only needed to process a specific purchase.

Requests to stop using and disclosing personal information

The ACCC recommended we should have a right to erase our personal data as a means of reducing the power imbalance between consumers and large platforms. In the EU, the “right to be forgotten” by search engines and the like is part of this erasure right. The government has not adopted this recommendation.

However, the OP Code would include an obligation for organisations to comply with a consumer’s reasonable request to stop using and disclosing their personal data. Companies would be allowed to charge a “non-excessive” fee for fulfilling these requests. This is a very weak version of the EU right to be forgotten.

For example, Amazon currently states in its privacy policy that it uses customers’ personal data in its advertising business and discloses the data to its vast Amazon.com corporate group. The proposed OP Code would mean Amazon would have to stop this, at a customer’s request, unless it had reasonable grounds for refusing.

Ideally, the code should also allow consumers to ask a company to stop collecting their personal information from third parties, as they currently do, to build profiles on us.

Increased protections for children and vulnerable groups

The draft bill also includes a vague provision for the OP Code to add protections for kids and other vulnerable people who are not capable of making their own privacy decisions.

A more controversial proposal would require new consents and verification for kids using social media services such as Facebook and WhatsApp. These services would be required to:

• take reasonable steps to verify the age of social media users

• obtain parental consent before collecting, using or disclosing personal information of a child under 16

• ensure its data practices are “fair and reasonable in the circumstances”, with the best interests of the child as the primary consideration.

What is ‘personal information’?

A key tactic companies will likely use to avoid the new rules is to claim that the information they use is not truly “personal”, since the OP Code and the Privacy Act only apply to “personal information”, as defined in the Act.

The companies may claim the data they collect is only connected to our individual device or to an online identifier they’ve allocated to us, rather than our legal name. However, the effect is the same. The data is used to build a more detailed profile on an individual and to have effects on that individual.

Australia needs to update the definition of “personal information” to clarify it includes data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual or to interact with them on an individual basis. Data should only be de-identified if no individual is identifiable from that data.

Increased penalties and upgraded enforcement

The government has pledged to give tougher powers to the privacy commissioner, and to hit companies with tougher penalties for breaching their obligations once the code comes into effect.

The maximum civil penalty for a serious and/or repeated interference with privacy will be increased up to the equivalent penalties in the Australian Consumer Law.

For individuals, the maximum penalty will increase to more than A$500,000. For corporations, the maximum will be the greater of A$10 million, or three times the value of the benefit received from the breach, or (if this value cannot be determined) 10% of the company’s annual turnover.

The privacy commissioner could also issue infringement notices for failing to provide relevant information to an investigation. The maximum penalty will be A$2,644 for individuals or A$13,320 for companies.

Such civil penalty provisions will make it unnecessary for the Commissioner to resort to prosecution of a criminal offence, or to civil litigation, in these cases.

Don’t hold your breath

Once legislation is passed, it will take around 12 months for the code to be developed and registered.

The tech giants will have plenty of opportunity to create delay in this process. Companies are likely to challenge the content of the code, and whether they should even be covered by it at all.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The Australian Information Commissioner this week called for a ban on police accessing QR code check-in data, unless for COVID-19 contact tracing purposes.

State police have already accessed this data on at least six occasions for unrelated criminal investigations, including in Queensland and Western Australia — the latter of which has now banned this. Victorian police also attempted access at least three times, according to reports, but were unsuccessful.

The ACT is considering a law preventing police from engaging in such activity, but the position is different in every state and territory.

We need cooperation and clarity regarding how COVID surveillance data is handled, to protect people’s privacy and maintain public trust in surveillance measures. There is currently no consistent, overarching law that governs these various measures — which range from QR code check-ins to vaccine certificates.

Last week the Office of the Australian Information Commissioner released a set of five national COVID-19 privacy principles as a guide to “best practice” for governments and businesses handling personal COVID surveillance data.

But we believe these principles are vague and fail to address a range of issues, including whether or not police can access our data. We propose more detailed and consistent laws to be enacted throughout Australia, covering all COVID surveillance.

Multiple surveillance tools are being used

There are multiple COVID surveillance tools currently in use in Australia.

Proximity tracking through the COVIDSafe app has been available since last year, aiming to identify individuals who have come into contact with an infected person. But despite costing millions to develop, the app has reportedly disclosed only 17 unique unknown cases.

Over the past year we’ve also seen widespread attendance tracking via QR codes, now required by every state and territory government. This is probably the most extensive surveillance operation Australia has ever seen, with millions of check-ins each week. Fake apps have even emerged in an effort to bypass contact tracing.

In addition, COVID status certificates showing vaccination status are now available on MyGov (subject to problems of registration failure and forgery). They don’t yet display COVID test results or COVID recovery status (as they do in countries in the European Union).

It’s unclear exactly where Australian residents will need to show COVID status certificates, but this will likely include for travel between states or local government areas, attendance at events (such as sport events and funerals) and hospitality venues, and in some “no jab no job” workplaces.

The proposed principles don’t go far enough

The vague privacy principles proposed by Australia’s privacy watchdogs are completely inadequate in the face of this complexity. They are mostly “privacy 101” requirements of existing privacy laws.

Here they are summarised, with some weaknesses noted.

1. Data minimisation. The personal information collected should be limited to the minimum necessary to achieve a legitimate purpose.

2. Purpose limitation. Information collected to mitigate COVID-19 risks “should generally not be used for other purposes”. The term “generally” is undefined, and police are not specifically excluded.

3. Security. “Reasonable steps” should be taken to protect this data. Data localisation (storing it in Australia) is mentioned in the principles, but data encryption is not.

4. Data retention/deletion. The data should be deleted once no longer needed for the purpose for which it was collected. But there is no mention of a “sunset clause” requiring whole surveillance systems to also be dismantled when no longer needed.

5. Regulation under privacy law. The data should be protected by “an enforceable privacy law to ensure individuals have redress if their information is mishandled”. The implied call for South Australia and Western Australia to enact privacy laws is welcome.

A proposal for detailed and consistent laws

Since COVID-19 surveillance requirements are justified as “emergency measures”, they also require emergency quality protections.

Last year, the federal COVIDSafe Act provided the strongest privacy protections for any category of personal information collected in Australia. Although the app was a dud, the Act was not.

The EU has enacted thorough legislation for EU COVID digital certificates, which are being used across EU country borders. We can learn from this and establish principles that apply to all types of COVID surveillance in Australia. Here’s what we recommend:

1. Legislation, not regulations, of “emergency quality”. Regulations can be changed at will by the responsible minister, whereas changes in legislation require parliamentary approval. Regarding COVID surveillance data, a separate act in each jurisdiction should state the main rules and there should be no exceptions to these — not even for police or ASIO.

2. Prevent unjustifiable discrimination. This would include preventing discrimination against those who are unable to get vaccinated such as for health reasons, or those without access to digital technology such as mobile phones. In the EU, it’s free to obtain a paper certificate and these must be accepted.

3. Prohibit and penalise unauthorised use of data. Permitted uses of surveillance data should be limited, with no exceptions for police or intelligence. COVID status certificates may be abused by employers or venues that decide to grant certain rights privileges based on them, without authorisation by law.

4. Give individuals the right to sue. If anyone breaches the acts we propose above for each state, individuals concerned should be able to sue in the courts for compensation for an interference with privacy.

5. Prevent surveillance creep. The law should make it as difficult as possible for any extra uses of the data to be authorised, say for marketing or town planning.

6. Minimise data collection. The minimum data necessary should be collected, and not collected with other data. If data is only needed for inspection, it should not be retained.

7. Ongoing data deletion. Data must be deleted periodically once it is no longer needed for pandemic purposes. In the EU, COVID certificate data inspected for border crossings is not recorded or retained.

8. A “sunset clause” for the whole system. Emergency measures should provide for their own termination. The law requires the COVIDSafe app to be terminated when it’s no longer required or effective, along with its data. A similar plan should be in place for QR-code data and COVID status certificates.

9. Active supervision and reports. Privacy authorities should have clear obligations to report on COVID surveillance operations, and express views on termination of the system.

10. Transparency. Overarching all of these principles should be requirements for transparency. This should include publicly releasing medical/epidemiological advice on necessary measures, open-source software in all cases of digital COVID surveillance, initial privacy impact assessments and sunset clause recommendations.

COVID-19 has necessitated the most pervasive surveillance most of us have ever experienced. But such surveillance is really only justifiable as an emergency measure. It must not become a permanent part of state surveillance.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

I spent last week studying the 26,000 words of privacy terms published by eBay and Amazon, trying to extract some straight answers, and comparing them to the privacy terms of other online marketplaces such as Kogan and Catch (my full summary is here).

There’s bad news and good news.

The bad news is that none of the privacy terms analysed are good. Based on their published policies, there is no major online marketplace operating in Australia that sets a commendable standard for respecting consumers’ data privacy.

All the policies contain vague, confusing terms and give consumers no real choice about how their data are collected, used and disclosed when they shop on these websites. Online retailers that operate in both Australia and the European Union give their customers in the EU better privacy terms and defaults than us, because the EU has stronger privacy laws.

The Australian Competition and Consumer Commission (ACCC) is currently collecting submissions as part of an inquiry into online marketplaces in Australia. You can have your say here by August 19.

The good news is that, as a first step, there is a clear and simple “anti-snooping” rule we could introduce to cut out one unfair and unnecessary, but very common, data practice.

Deep in the fine print of the privacy terms of all the above-named websites, you’ll find an unsettling term.

It says these retailers can obtain extra data about you from other companies, for example, data brokers, advertising companies, or suppliers from whom you have previously purchased.

eBay, for example, can take the data about you from a data broker and combine it with the data eBay already has about you, to form a detailed profile of your interests, purchases, behaviour and characteristics.

The problem is the online marketplaces give you no choice in this. There’s no privacy setting that lets you opt out of this data collection, and you can’t escape by switching to another major marketplace, because they all do it.

An online bookseller doesn’t need to collect data about your fast-food preferences to sell you a book. It wants these extra data for its own advertising and business purposes.

You might well be comfortable giving retailers information about yourself, so as to receive targeted ads and aid the retailer’s other business purposes. But this preference should not be assumed. If you want retailers to collect data about you from third parties, it should be done only on your explicit instructions, rather than automatically for everyone.

The “bundling” of these uses of a consumer’s data is potentially unlawful even under our existing privacy laws, but this needs to be made clear.

Time for an ‘anti-snooping’ rule

Here’s my suggestion, which forms the basis of my own submission to the ACCC inquiry.

Online retailers should be barred from collecting data about a consumer from another company, unless the consumer has clearly and actively requested this.

For example, this could involve clicking on a check-box next to a plainly worded instruction such as:

Please obtain information about my interests, needs, behaviours and/or characteristics from the following data brokers, advertising companies and/or other suppliers.

The third parties should be specifically named. And the default setting should be that third-party data are not collected without the customer’s express request.

This rule would be consistent with what we know from consumer surveys: most Australian consumers are not comfortable with companies unnecessarily sharing their personal information.

There could be reasonable exceptions to this rule, such as for fraud detection, address verification or credit checks. But data obtained for these purposes should not be used for marketing, advertising or generalised “market research”.

Can’t we already opt out of targeted ads?

Online marketplaces do claim to allow choices about “personalised advertising” or marketing communications. Unfortunately, these are worth little in terms of privacy protection.

Amazon says you can opt out of seeing targeted advertising. It does not say you can opt out of all data collection for advertising and marketing purposes.

Similarly, eBay lets you opt out of being shown targeted ads. But the later passages of its Cookie Notice state:

your data may still be collected as described in our User Privacy Notice.

This gives eBay the right to continue to collect data about you from data brokers, and to share them with a range of third parties.

Many retailers and large digital platforms operating in Australia justify their collection of consumer data from third parties on the basis you’ve already given your implied consent to the third parties disclosing it.

That is, there’s some obscure term buried in the thousands of words of privacy policies that supposedly apply to you, which says that Bunnings, for instance, can share data about you with various “related companies”.

Of course, Bunnings didn’t highlight this term, let alone give you a choice in the matter, when you ordered your hedge cutter last year. It only included a “Policies” link at the foot of its website; the term was on another web page, buried in the detail of its Privacy Policy.

Such terms should ideally be eradicated entirely. But in the meantime, we can turn the tap off on this unfair flow of data, by stipulating that online retailers cannot obtain such data about you from a third party without your express, active and unequivocal request.

Who should be bound by an ‘anti-snooping’ rule?

While the focus of this article is on online marketplaces covered by the ACCC inquiry, many other companies have similar third-party data collection terms, including Woolworths, Coles, major banks, and digital platforms such as Google and Facebook.

While some argue users of “free” services like Google and Facebook should expect some surveillance as part of the deal, this should not extend to asking other companies about you without your active consent.

The anti-snooping rule should clearly apply to any website selling a product or service.

With lockdowns barring many of us from visiting physical shops, we should be able to make purchases online without being unwittingly roped into a company’s advertising side hustle.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The Federal Court has found Google misled some users about personal location data collected through Android devices for two years, from January 2017 to December 2018.

The Australian Competition & Consumer Commission (ACCC) says this decision is a “world first” in relation to Google’s location privacy settings. The ACCC now intends to seek various orders against Google. These will include monetary penalties under the Australian Consumer Law (ACL), which could be up to A$10 million or 10% of Google’s local turnover.

Other companies too should be warned that representations in their privacy policies and privacy settings could lead to similar liability under the ACL.

But this won’t be a complete solution to the problem of many companies concealing what they do with data, including the way they share consumers’ personal information.

How did Google mislead consumers about their location history?

The Federal Court found Google’s previous location history settings would have led some reasonable consumers to believe they could prevent their location data being saved to their Google account. In fact, selecting “Don’t save my Location History in my Google Account” alone could not achieve this outcome.

Users needed to change an additional, separate setting to stop location data from being saved to their Google account. In particular, they needed to navigate to “Web & App Activity” and select “Don’t save my Web & App Activity to my Google Account”, even if they had already selected the “Don’t save” option under “Location History”.

ACCC Chair Rod Sims responded to the Federal Court’s findings, saying:

This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers.

Google has since changed the way these settings are presented to consumers, but is still liable for the conduct the court found was likely to mislead some reasonable consumers for two years in 2017 and 2018.

ACCC has misleading privacy policies in its sights

This is the second recent case in which the ACCC has succeeded in establishing misleading conduct in a company’s representations about its use of consumer data.

In 2020, the medical appointment booking app HealthEngine admitted it had disclosed more than 135,000 patients’ non-clinical personal information to insurance brokers without the informed consent of those patients. HealthEngine paid fines of A$2.9 million, including approximately A$1.4 million relating to this misleading conduct.

The ACCC has two similar cases in the wings, including another case regarding Google’s privacy-related notifications and a case about Facebook’s representations about a supposedly privacy-enhancing app called Onavo.

In bringing proceedings against companies for misleading conduct in their privacy policies, the ACCC is following the US Federal Trade Commission which has sued many US companies for misleading privacy policies.

Will this solve the problem of confusing and unfair privacy policies?

The ACCC’s success against Google and HealthEngine in these cases sends an important message to companies: they must not mislead consumers when they publish privacy policies and privacy settings. And they may receive significant fines if they do.

However, this will not be enough to stop companies from setting privacy-degrading terms for their users, if they spell such conditions out in the fine print. Such terms are currently commonplace, even though consumers are increasingly concerned about their privacy and want more privacy options.

Consider the US experience. The US Federal Trade Commission brought action against the creators of a flashlight app for publishing a privacy policy which didn’t reveal the app was tracking and sharing users’ location information with third parties.

However, in the agreement settling this claim, the solution was for the creators to rewrite the privacy policy to disclose that users’ location and device ID data are shared with third parties. The question of whether this practice was legitimate or proportionate was not considered.

Major changes to Australian privacy laws will also be required before companies will be prevented from pervasively tracking consumers who do not wish to be tracked. The current review of the federal Privacy Act could be the beginning of a process to obtain fairer privacy practices for consumers, but any reforms from this review will be a long time coming.

This is an edited version of an article that originally appeared on UNSW Newsroom.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Australia’s consumer watchdog is suing Google for allegedly misleading millions of people after it started tracking them on non-Google apps and websites in 2016.

The Australian Competition and Consumer Commission (ACCC) says Google’s pop-up notification about this move didn’t let users make an informed choice about the increased tracking of their activities.

Google uses some of this data in its targeted advertising business. It can also collect sensitive information about us from third-party websites and apps which it may use in its non-advertising businesses.

The ACCC isn’t the first to claim Google hasn’t been straight about how it uses our data, nor is this the first time it has sued Google.

But even if Google gave us the whole story, what can we actually do about growing surveillance?

Google tracks your activities beyond Google

While it would take a separate article to list all the ways Google tracks your activities online and offline, the ACCC is concerned about two of the company’s data practices in particular.

First, Google has been collecting data about what you do on websites that may not seem related to Google at all. This is combined with other data collected by Google’s own services including YouTube, Gmail, Google Maps and Chrome.

The reason Google can do this is that third-party websites and apps also use Google’s services, such as ad serving or Google Analytics.

Their agreements with Google allow it to embed its technology into the websites and apps and send your activity information back to Google, without alerting you.

Second, the ACCC is concerned Google has combined its own extensive Google account holder datasets with personal data collected by ad tech company DoubleClick, which Google acquired in 2007. This is despite Google initially claiming it wouldn’t do this without users opting in.

The data Google collects, and how it’s used

Google’s technologies are embedded in millions of third-party websites (and likely many of the ones you use).

So it’s well placed to collect data about your online activities, including research you might do on intimate topics such as depression, miscarriage, abortion, diabetes, weight loss, heart disease, divorce, erectile dysfunction and so on.

Google can then combine this data with the information it already has about you from its own services, such as where you live, what you buy, where you go and who you associate with.

Google says it doesn’t use users’ health data or other “sensitive” data for its targeted advertising business. But it does not promise it won’t collect such sensitive data, keep it, combine it with data about our other activities or use it for non-advertising business purposes.

For example, Google has made moves to enter various health services markets. And there’s speculation it may start supplying health products and life insurance in future.

Further, unless you have changed the “ad personalisation” settings in your Google account, Google can use data from third-party sites which it does not classify as “sensitive” to target you with ads. This data could include whether you’re searching for baby clothes, travel insurance, retirement living, or a house in a specific suburb.

But even if you have opted out of personalised ads, Google’s privacy policy doesn’t say it will stop collecting and retaining the data itself.

What was misleading?

The ACCC claims Google’s 2016 notification about its increased tracking was misleading. The notice led with the benign headline, “Some new features for your Google Account”, followed by:

We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.

The statements further down in the notification were arguably unclear about what Google actually planned to change. The ACCC says the notification was misleading because:

Consumers could not have properly understood the changes Google was making nor how their data would be used and so did not – and could not – give informed consent.

It claims Google also misled consumers by stating in its privacy policy that it would not reduce users’ rights under the policy without their explicit consent, but then did exactly that.

Privacy concerns warrant legal backing

In this case, the ACCC’s issue is that Google didn’t give consumers the real story about its plan to vastly increase personal data collection and use this information for commercial purposes. The ACCC’s action against Google should be a warning to all companies that currently fudge their privacy terms.

But what if Google had been transparent and the pop-up box instead said: “we are going to start collecting your personal data whenever you use third-party websites or apps that use Google technologies”?

Given the millions of websites using Google technologies, is it even possible for consumers to avoid this?

In Germany, the Federal Cartel Office last year found Facebook had abused its dominance by insisting on collecting users’ personal data via embedded technologies on non-Facebook websites and apps.

It argued Facebook’s market power gave it the ability to impose these practices on users, even against their wishes.

Australia does not have an “abuse of dominance law” to address single-firm exploitative conduct, such as raising prices or imposing intrusive privacy terms. Facebook currently collects data about Facebook users – and even non-users – from third-party websites and apps in Australia, without alerting us.

The ACCC may succeed in proving misleading conduct by Google. And it might obtain a substantial fine against Google – potentially up to 10% of Google’s turnover in Australia.

But to stop tech giants from doing whatever they like with our data, we’ll need to consider a broader law against unfair practices.

This article is republished from The Conversation under a Creative Commons license. Read the original article.