What you need to know:

• Brands are investing heavily in first party data architecture to replace systems built over two decades upon the use of third party cookies
• Data clean rooms and data brokers are seen as the solutions to tracking, segmenting and targeting.
• But consumer advocates are questioning the definition of personal information and the technologies used to anonymise that data, as well as how it is traded – for cash or otherwise..
• A new paper from the Consumer Policy Research Centre (CPRC) authored by Katharine Kemp, Chandni Gupta and Marianne Campbell argues consumers are not making informed consent, and frankly can't given they don’t understand key types of information companies — including brands, publishers and data brokers — can use to track, profile, and monitor them. 
• And they don't know the meanings of terms that typically found in corporate privacy policies.
• According to the paper, "Most consumers feel they have little or no control over what personal information businesses collect about them from other businesses (72 per cent) and businesses sharing their personal information with other businesses. (71 per cent)"
• The authors give short shift to the argument by some market participants that they are not selling data saying they "still supply your data to others as part of commercial deals even if there’s not a payment of money."
• The want personal information definitions expanded, for the government to enforce existing laws, and for first party to genuinely mean first party.
• Evidence so far suggests Canberra is listening.

Data privacy specialists have long warned marketers and the sprawling media supply chain that an increasingly aligned consumer advocacy flotilla has Canberra’s ear as Australia’s lawmakers approach the pointy end of privacy reforms.

Peter Leonard, Professor of Practice at UNSW Business School and Principal, Data Synergies, two years ago warned the Sydney Programmatic Summit that informed consent will largely govern what can and can’t be done under the new regime. In simple terms, ‘informed consent’ means being able to explain to somebody with below average levels of literacy everything that is being done with all the data hoovered up, shaken and blended – regardless of the tools being deployed to anonymise that data in a bid to comply with the incoming post-privacy regime.

One of the consumer advocacy flagships has now issued another paper suggesting the industry is miles away from the definition of informed consent – with potentially major ramifications for much of the digital advertising and data broking industries ahead of the ACCC's data broking review, expected by the end of this month.

Major players including CoreLogic, Equifax, Experian, Illion, LiveRamp, Nielsen, PropTrack, Oracle, and Quantium – alongside Woolworths and Commbank – were name-checked in the regulator's data broking discussion paper. 

The Consumer Policy Research Centre (CPRC) thinks there is every reason to question some of those business models. Its latest paper, Singled Out: Consumer Understanding – and Misunderstanding – of data broking and data privacy, and what it means for them, reveals a deep level of consumer mistrust and implies an industry operating in a grey, unenforced area at best.

“Australians do not feel in control of their personal information,” per the report, based on a survey 1,000 people last September. “Only a third of consumers feel they have at least moderate control over whether businesses use their personal information to create a profile about them.”

The data suggests that 72 per cent of consumers believe they have very little or no control over what information is collected from other businesses while almost the same number (71 per cent) believe they have very little or no control over businesses sharing their personal information with other businesses.

More importantly, in the context of the upcoming data broking report from the ACCC, arguments about the primacy of first-party data, and claims by industry participants that they “don’t sell data” are unlikely to wash with the public.

The fact that a privacy policy has been published on a website or linked to an app, per the report, does not mean that the consumer has made an ‘informed decision’ to allow their personal information to be disclosed to other retailers and/or data brokers for additional commercial purposes – whether these data sharing deals carry an overt monetary value or otherwise.

Managing consent

At the time the data broking discussion paper was released mid last year Chris Brinkworth, managing partner at Civic Data, argued that the focus on the data broker industry creates new potential risks beyond those already identified in the debate over privacy law – data ethical responsibility and data education. 

He warned that brands need to fully understand their data landscape and supply chain to have any chance of fully understanding its sources and consents and he urged brands to "own direct data as an asset class" or risk major fallout, because their risk compliance is only as strong as the weakest link in the data chain.

"It’s clear that brokers often cannot tell you the exact source or consent of the data that makes up derivative products being purchased by their agencies or partners – and that’s critical for brands to know."

According to the CPRC paper’s authors, Katharine Kemp, Chandni Gupta, Marianne Campbell, there is a wide set of common data marketing behaviours and tactics employed by brands that fail the privacy compliance test from a consumer point of view.

“Most consumers feel it is unacceptable for businesses they are not directly in contact with to use data including their search history, location data, information about their device, device identifier, cookie data, or hashed email address,” as Kemp and her colleagues point out. Yet, “data brokers, data analysts and other ‘data partners’ not in direct contact with consumers commonly use such data.”

Why does it matter what Kemp and co. think? In the October 2021 Privacy Review Act discussion paper – the precursor to last year’s Government Response | Privacy Act Review Report, Kemp’s views feature in the footnotes 38 times, while the CPRC gets a call out 61 times. Anna Johnston, founder and principal, of Salinger Privacy who comes at the issue from a similar pro-consumer stance as Kemp and the CPRC – and who reviewed the current CPRC report’s survey design – was referenced 109 times. By contrast industry association ADMA was mentioned at least 33 times but the IAB not at all. The balance was somewhat restored by the time of the 2023 paper where ADMA was mentioned more than forty times and IAB more than 20.

Fear and loathing

The Singled Out report states: “Consumers feel a lack of trust, frustration, anxiety and/or anger about their inability to control how their information is collected and used.”

Kemp, Gupta, and Campbell argue that things like privacy notices are notoriously difficult for consumers to understand, and this lack of clarity undermines arguments that consumers are making informed choices.

They say their research suggests most consumers have no understanding of terms commonly found in industry privacy notices.

“Most consumers either don’t know or think it unlikely, that ‘pseudonymised information’ (70 per cent), a ‘hashed email address’ (60 per cent) or ‘advertising ID’ (50 per cent) could be used to single them out from the crowd, when in fact they can,” per the report.

Yet these are some of the fundamental tools being positioned to deliver personalisation, targeting and measurement in the post-cookie, post-privacy landscape.

Specifically on data broking, the report warns that a consumer’s data can and is used against them – and that personalisation is a double edged sword.

“Businesses can use your data to make more profit at your expense, including by charging you a higher price; preventing you from seeing better offers; showing you ads related to a private medication, health condition or grief; reducing the priority you’re given in customer service; or creating a profile (which you’ll never see) to be provided to a prospective employer, insurer or landlord,” per the report.

Singled Out also gives short shrift to those companies who argue they don’t sell data, noting that doesn’t stop them from supplying a consumer's data to other businesses “as part of commercial deals even if there’s not a payment of money.”

Companies that profit from what the authors describe as harvesting and monetising data often argue consumers have given their consent to the practice.

“However, the mere fact that a privacy policy has been published on a website or linked to an app does not mean that the consumer has made an informed decision to allow their personal information to be disclosed to other retailers and/or data brokers for additional commercial purposes. The purported notices and consents are generally presented to consumers as take-it-or-leave-it terms where the use of data for the purpose of providing the service is bundled with additional purposes in the fine print: if they use the service, the organisation considers they have consented to all purposes, no matter how vague or broad.”

In the EU, Meta has taken a similar interpretation to GDPR, essentially saying that those who do not sign-up to a paid model for Facebook and Instagram have by default consented to Meta using their data largely as it likes via the free service. It now faces multiple lawsuits as a result.

Who wants to tell them?

Attitudes to the use of personal data by third parties seem to especially rankle consumers.

For example, 87 per cent of those surveyed oppose companies they are not directly in contact with using their driver’s licence details for marketing purposes or to create profiles.

The use of mobile numbers, email addresses, full name, IP addresses, and search history for these purposes are opposed by more than 70 per cent of consumers, per the survey.

“Most consumers feel it is unacceptable for businesses they are not directly in contact with to use data including their search history, location data, information about their device, device identifier, cookie data, or hashed email address.

“However,” as the report notes, “data brokers, data analysts and other ‘data partners’ not in direct contact with consumers” – i.e. much of the marketing supply chain – “commonly use such data.”

The authors tabled a comprehensive package of remedies for government to consider such as making unfair data practices illegal, ensuring data is dealt with in the interest of Australians and – crucial as far as the marketing supply chain is concerned – updating the definitions of both ‘personal information’ and ‘de-identified information’ in the Privacy Act and enforcing what is known as the direct collection rule. I.e. only those that have directly collected the data from the user and have consent to use it for specific purposes can actually use it.

They implied a lack of enforcement is perhaps why many businesses to date have taken a ‘better to ask forgiveness than seek permission’ approach to data gathering, profiling, matching and targeting.

"While some aspects of the Privacy Act may be outdated, the law presently provides a valuable protection by requiring organisations to collect information from the individual themselves unless it is unreasonable or impracticable to do so,” per the report. “Impracticable means ‘practically impossible’. However, this law has not been enforced in the context of consumer tracking, profiling, and targeting, and no explanation has been provided for the absence of compliance or enforcement."

Cue, the ACCC's data broking review, due before March 31 – and a potentially sobering wake-up call.