What you need to know:

• The ACCC is investigating the potential harms to consumers and small businesses from the operations of the data brokering sector.
• Major players including CoreLogic, Equifax, Experian, Illion, LiveRamp, Nielsen, PropTrack, Oracle, and Quantium are name checked in the paper, as are Woolworths and Commbank.
• The Commbank reference matters, because, as the ACCC confirmed to Mi3, the regulator's review is not restricted to just the nine named brokers. Bank insiders disagree that CommBank iQ – the bank's joint venture with Quantium, which also uses Woolworths data – is a broker.
• The paper looks beyond privacy harms outlined in the proposed changes to the privacy act, but it's  hewing closer to the much wider interpretation of what constitutes personal information under the newly proposed rules, than to the definition in the existing act.
• De-identified, anonymised, or aggregated data will be treated as personal data – which signals where both the consumer-competition regulator and privacy lawmakers are heading.
• ACCC chief Gina Cass-Gottlieb said the industry lacks transparency and suggested some people have little idea how their data is collected, collated, packaged up and sold on. Many of those that are aware are "uncomfortable" with industry practices.

The major players making up Australia's data broking sector – CoreLogic, Equifax, Experian, Illion, LiveRamp, Nielsen, PropTrack, Oracle and Quantium – have been singled out by the ACCC for scrutiny, in its newly announced review into the third-party data brokerage sector.

However, the regulator confirmed to Mi3 that the list is not exclusive – and more firms may ultimately be probed.

Commbank for instance, through its joint venture with Quantium, avoided a specific call out as a stand-alone data broker, although its business is likely to fall under the review. The section of the report specifically referencing Quantium, notes, “Its CommBank iQ service, a joint venture with Commonwealth Bank, offers access to 'Australia’s largest aggregated and de-identified transaction banking dataset'.”

An ACCC spokesperson told Mi3: "The nine data brokers named are key suppliers of those identified data products and services. The ACCC considers them to be examples of the largest and most sophisticated and well-known data brokers offering these types of products and services in Australia. We do not suggest that this list is a comprehensive list of all third-party data brokers operating in Australia."

The spokesperson also confirmed that the regulator is not excluding from other firms (and the data products and services they offer) from the scope of the review on the basis they are not named in the issues paper.

"We have specifically named Quantium as a provider of data products and services in Australia. We understand that CommBank iQ is a joint venture between the Commonwealth Bank and Quantium. We understand that Quantium receives de-identified real-time transaction data from the Commonwealth Bank (comprising over 30 per cent of all Australian transactions), which they then use to develop a range of data products and services for clients. "

"While we have not specifically named CommBank iQ as a separate data broker in the issues paper, the data products and services they offer, as well as their data collection practices are intended to be captured."

The bank may beg to differ on at least one key point. Mi3 understands Commbank executives do not consider Commbank IQ to be a data broker. But that may not matter, as the review appears to be investigating the data broking ecosystem, not just the brokers.

Woolworths also gets a reference, (though as a data supplier, not a broker) in the Quantium section with the paper noting that Quantium also offers the ‘Q.Checkout’ platform, with insights into an estimated 10 million Australian consumers via Woolworths data.

The businesses that are out of scope are those that collect data on their own customers and use that within their own business, or sell or share that data with others (first-party brokers).

The ACCC says its preliminary analysis has identified a range of products and services from the sector including customer and audience profiling, data analytics, consumer purchasing data, risk and fraud management products, data validation, enrichment and cleaning services, and identity verification services. Brokers using social media usage data, search histories, loyalty program, card payment provider data, location data, and data scraped from web pages are all in the frame, according to the discussion paper.

Little transparency

“There is little transparency and awareness of how data brokers operate in Australia despite the vast amounts of information they collect about Australian consumers and the central role they play in enabling the exchange of information between businesses,” said ACCC Chair Gina Cass-Gottlieb.

“Some Australian consumers may not be aware that their information is being collected, stored, and sold by third-party data brokers with whom they have no direct relationship.”

The report goes further, noting “Many consumers appear to be uncomfortable with the kinds of data-handling practices used by businesses such as data brokers.”

It quotes a survey by the Consumer Policy Research Centre which found that 74 per cent of Australians say they are not comfortable with companies sharing or selling their personal information, and that “less than 10 per cent were comfortable with targeted advertising based on the tracking of online behaviour or personal characteristics without express permission.”

The CPRC – an independent think tank part-funded by the Victorian government – suggests there’s a major mismatch with how the digital economy currently works and what consumers want. Per the report:

"Whole industries currently exist to trade in consumer data yet 79 per cent of Australians agree that a company should not sell people’s data under any circumstances. Even though companies commonly monitor what we do online, on their own websites as well as across the internet, 70 per cent of people are not comfortable with companies monitoring their online behaviour.”

The CPRC paper was published specifically to inform the Attorney General’s overhaul of Australian privacy law. Its reference by the ACCC underlines that the Attorney-General lawmakers consumer regulator are now working in lockstep.

Well equipped

Despite the apparent data-privacy pincer movement, larger data brokers will likely be better equipped to meet tightening rules given their operations across global markets and regulatory regimes, per Sarla Fernando, director of regulatory and advocacy at ADMA, which represents both marketers and the marketing data supply chain.

However, she said smaller, older brokers, especially those operating exclusively or mostly in Australia, may find the emerging landscape harder to handle.  

ADMA has not yet given any official response to the discussion paper – it is already working on responses to an AI paper and to the ongoing privacy review, which it has warned could "fundamentally change the data-driven marketing and advertising industry" – although Fernando said the association welcomed the paper.

"One risk is that businesses may have been relying on data brokers that don’t have the right processes and procedures for data collection or use, such as the right consents. [They] may find the data they have is unusable," she said.

“While some brands may find that looking closely at data brokers runs a level of risk around the usability of the data they get from data brokers - it’s an important risk for brands to identify and understand. There's never been a better opportunity for brands to get their data story in order, whether that's their own data or partner data," she said.

Fernando told Mi3 that third party data still has an important role to play for some brands despite the need to develop first party data with things like the deprecation of third-party cookies. “In a world where brands have to practice data minimisation, first party data may only go so far and some brands may need to also use third party data and in those cases they need to ensure they are partnering with the right partners in the right ways. It’s imperative to maintaining consumer trust."

IAB CEO Gai Le Roy backed that view, implying that without them, Australians may end up suffering other harms – i.e. having to pay for things that are currently 'free'.

"Data brokers play a critical role in the digital economy. They are part of the supply chain that enables the delivery of freely available content and services online," said Le Roy, with IAB now digesting the detail of the report before considering its response.

'Rogue pixels'

According to Chris Brinkworth, managing partner at Civic Data, the focus on the data broker industry creates new potential risks beyond those already identified in the debate over privacy law – data ethical responsibility and data education.

He said the consultancy – which specialises in data-privacy compliance – regularly finds breaches hiding across the marketplace when it audits firms.

"Too often we find ‘share this’ style tools and ‘rogue zombie pixels’ from firms that monetise that data," he told Mi3. 

He warned that brands must take action to mitigate risk by ensuring that they fully understand their data landscape and supply chain to fully understand its sources and consents. He urged brands to "own direct data as an asset class" or risk major fallout, because their risk compliance is only as strong as the weakest link in the data chain.

"It’s clear that brokers often cannot tell you the exact source or consent of the data that makes up derivative products being purchased by their agencies or partners – and that’s critical for brands to know."

Brinkworth suggested data brokers that get ahead of regulatory tightening can offset the cost of compliance by using 'cleanskin' status as competitive advantage.

"We see this as an opportunity for data brokers. It allows for a re-assessment and, potentially, a reshaping of data broker practices that could ultimately lead to more sustainable and ethical business models including transparency, consent and clarity."

Embracing transparency will lead to greater trust between the data industry, brands and consumers, he added, enabling future-proof business models with data protection a key selling point, enabling both early mover advantage and reputational gains.

He also noted, "It’s interesting that they look to be focused on major players who create derivative products from third party data, rather than first party data, But the data broker system is broken primarily because of the lack of transparency and control – and that makes sense. I don’t think it will stop there."

Potential harms

The regulator wants to address a number of specific issues relating to the potential harm to consumers and small businesses. These include;

• What benefits do data broker products and services provide to consumers and small businesses?
• What consumer harms may arise from the collection, processing, analysis or storage of information by data brokers? Which consumers are most likely to be harmed and why?
• What consumer harms may arise from the use of data products and services sold or provided by data brokers? Which consumers are most likely to be harmed and why? 
• What processes and controls do data brokers have in place to protect consumers? This may include efforts around the de-identification and aggregation of data, data verification processes to ensure data is accurate, or measures to protect stored data. a) Are these controls adequate? What more could/should be done? 
• To what extent are consumers aware that their data is being collected and used by data brokers? How are they are made aware? 
• What steps can consumers currently take to inspect and/or remove the data that is held about them or to otherwise raise a complaint with data brokers? 
• What bodies or resources exist to assist and support consumers in their dealings with data brokers? What more could be done to better educate and empower consumers? 

And finally, the review is looking for specific examples where people say they have experienced any harm, including financial loss or differential treatment, as a result of a product or service provided by a data broker. The regulator wants to understand what actions were open to the consumer address the issue, and whether the issue was resolved? 

Privacy review

The new review notes that while the practices of data brokers may also raise privacy-related harms, the report will not review the operation of Australian privacy laws, which is outside the scope of the Inquiry.

That said, the new paper demonstrates how the review of the Privacy Act, released earlier this year, is already having an impact even before new legislation is drafted – and brands are taking note.

As Benjamin Will, manager, group paid media at Virgin Australia commented, the discussion paper’s description of anonymised PI “…is interesting too as it has been adopted from the proposals of the Privacy Act Review.”, something the report’s author’s themselves highlight.

"For the purpose of the report, ‘personal or other information on persons’ includes information about an identified individual or an individual who is reasonably identifiable, as well as information about an individual that has been de-identified, anonymised, or aggregated. This definition is broader than the definition of personal information in the Privacy Act 1988 (Cth)."

Globally the role of brokers is attracting greater scrutiny from the courts. Oracle, one of the nine vendors identified by the ACCC is currently being sued in the US by privacy advocates under US laws such as the Federal Electronic Communications Privacy Act and the California Invasion of Privacy Act. The litigation stems from comments then CEO (and now chairman) Larry Ellison in 2016 at Oracle World boasting the company had over 5 billion names in its ID Graph.