What you need to know:

• UNSW’s Dr Katharine Kemp has written a paper arguing Australian Privacy Principle 3.6(b) is the “forgotten privacy principle”. APP 3.6(b) states that organisations must collect personal information directly from individuals unless it is “unreasonable or impracticable” to do so.
• This puts the practice of “enriching” or “enhancing” first party data sets with third party data under a microscope. But, Kemp notes, the regulator – the Office of the Australian Information Commissioner – has barely used the clause. 
• Kemp outlines why it is not “unreasonable” or “impracticable” for brands to collect information like age, marital status, salary, location and behaviour directly from consumers. She argues the main reason brands don’t go direct is because consumers likely wouldn’t share it willingly.
• She says a critique may be that it is hard to collect this much data at scale, causing pop up fatigue in the minds of consumers, but suggests that doesn't wash: “This argument seems a little like explaining that you picked someone’s pocket to save them the trouble of getting out their wallet”, per Kemp.
• Kemp is not stating that third party data providers and data enrichment companies are breaching privacy laws – they are the 'disclosers' of information. Rather, the obligation is on the brand, the 'collector', to gather data directly from customers.
• She will focus on data brokers in a forthcoming paper.

Enrichment crunch

Brands that “enrich” or “enhance” their understanding of consumers by adding information from third party data brokers – a widespread practice in digital advertising – may be in breach of Australian privacy laws.

A new paper from UNSW’s Dr Katharine Kemp argues that a line in Australia’s privacy principles, or APPs, has been “forgotten” and makes the “common practice of companies adding to the profiles they compile on each of their customers by collecting extra information … from third parties” unlawful.

In essence, APP 3.6(b) says that personal information should be collected directly from the individual concerned, rather than from third parties or other sources, unless it is unreasonable or impracticable to do so. Kemp named Flybuys, Experian, Oracle Australia and Informatica as examples of organisations that provide this third party data. There are many others. 

“This paper argues that much of this collection of personal information is unlawful in Australia,” she wrote.

“Not that it should be unlawful, or that the law should be reformed to make it so, but that it is already unlawful under the existing privacy legislation. Organisations are forgetting – or overlooking – a critical obligation about when personal information can be collected from third parties rather than from the individuals themselves.”

Deep data 

Brands can add data sets to their own first party data to get a more complete picture about their customers – it has been happening for years. Experian, for example, offers to enrich data with where consumers live, their finances, what they enjoy, life stage, children and age.

Informatica stated that brands can add details like age, marital status, affluence, occupation, ethnicity, commuter patterns and vehicle ownership “with just your customers’ existing address information”. 

Mi3 contacted Flybuys, Experian, Oracle and Informatica. Oracle did not respond, Flybuys declined to comment as it had not seen a full copy of the paper and Experian did not provide a response before deadline. 

A spokeswoman for Informatica said its Data Enhancement software "does NOT provide or otherwise target personal information about an individual. The software we provide today enables customers to verify certain forms of contact information of their customer." She said the specific product information quoted in Kemp's paper – which was live on the website yesterday – was "obsolete" and had since been removed. 

In her paper, Kemp argued consumers would be unlikely to share the level of data brands can purchase through enrichment providers. 

“It is entirely possible for a company to cost effectively and accurately collect personal information for profiling or targeting directly from the individual concerned,” Kemp wrote.

“This collection is far from impracticable, that is, unmanageable, intractable or ‘impossible in practice’. A person could provide most of these details about themselves in a matter of minutes. It is highly likely that companies do not seek this information directly from the individual because most individuals would refuse to provide it, regarding the request as intrusive and unnecessary for the transaction or service in question. But consumers’ general aversion to revealing excessive information about themselves does not make it unreasonable or impracticable to seek the information from the individual themselves.” 

There are two words describing exceptions to so-called ‘direct collection’: That it would be “unreasonable” or “impracticable” to collect the information directly. “The words ‘unreasonable’ and ‘impracticable’ are not defined by the Act,” Kemp wrote.

"The exception is clearly not met where a company would like to obtain further personal details to build profiles on its customers, create new ‘audiences’ or more precisely target them with advertisements but realises that most of its customers would not want to reveal that information to the company. That is, common data ‘enrichment’ practices are already unlawful."

‘Forgotten’ – even by regulators

There has been just one determination published by the Office of the Australian Information Commissioner (OAIC) relating to APP 3.6 since it came into effect in an amendment in 2012. It related to a government body investigating a former soldier for selling items online.

“No court has considered APP 3.6, and the provision received relatively little mention in the Explanatory Memorandum to the legislation which introduced the APPs,” Kemp wrote.

“An organisation clearly does not collect information only from the individual when it receives further personal information about that individual from third parties... This collection of information from third parties will only be lawful if it is ‘unreasonable or impracticable’ to collect such information only from the individual.”

The paper has been informally reviewed by academics from UNSW, Australian National University and the University of Melbourne's Melbourne Law School, as well as Anna Johnston from Salinger Privacy. Kemp said she has never asked for so much feedback before publishing a paper, and that the response to date has been broadly positive. 

‘Implied’ consent won't cut it

One critique of Kemp’s argument could be that a person gave permission for their data to be shared – i.e., if Flybuys collected data about a person and that person consented to their data being shared. But that is not a viable answer, Kemp said. A “consented data set” does not take away a brand or media owner’s legal responsibility under APP 3.6 to collect personal information from the individuals themselves.

“Consent given to the disclosing entity per se is not sufficient for the collecting entity to fulfil its obligations,” she wrote.

“It might be asked whether this approach presents issues at scale. Some may argue that if every company that currently ‘enriches’ its customer data actually asked its customers for the information directly, consumers would be fatigued by constant pop-up requests for personal information. This argument seems a little like explaining that you picked someone’s pocket to save them the trouble of getting out their wallet.”

Kemp is not saying in this paper that third party data providers and data enrichment companies are breaching privacy laws by providing the service – they are the 'disclosers' of information. Rather, the obligation is on the brand, the 'collector', to gather data directly from customers. Brands are more at risk of breaching APP 3.6(b), she wrote. But she stops short of alleging unlawful conduct by specific brands. 

Against consumer wishes

Kemp pre-emptively outlined her case that enriching first party data with third party data sets would not meet the threshold for “unreasonable or impracticable” with four key arguments.

First, individuals wouldn’t reasonably expect the information being shared to be collected by a third party. The majority of Australians have said, in surveys by the ACCC and the Consumer Policy Research Centre, that they (83 per cent) consider it unfair for a company to collect information about the consumer from other companies and (81 per cent) believe it would be a misuse of their personal data if digital platforms add other companies’ data to their own.

Second, collecting the information directly would not jeopardise the purpose of collection or the integrity of the information they collect. Unlike, for example, where someone is under investigation for fraud and the Tax Office needs information to complete an investigation.

Third, there is a clear risk to privacy and potential exposure of sensitive information with both parties sharing it.

And finally, the time and cost of collecting the information does not make it unreasonable or impracticable, Kemp argued.

Privacy policies and third party data

In the paper’s appendix, she lists examples of brands that state in privacy policies that they use personal information from third party data sources. 10 Play Viacom CBS, ABC, Bunnings, David Jones, Nine / Sydney Morning Herald, Seven West Media, Telstra, Ticketek, Twitter and Woolworths are named as examples. 

"Organisations in Australia tend not to be candid with consumers about the specific types of information they collect from third parties for profiling and targeting," Kemp wrote.

"Further, we are yet to discover an organisation that permits customers to make a choice about whether they agree to the organisation collecting personal information from third parties for profiling or targeting."

Kemp has been writing on the topic of privacy and consumer law for years. Earlier this year, she published a paper that argued media owners like Nine, Seven and News Corp could be in breach of Australian Consumer Law for describing their data as “anonymous” or “de-identified”.

While Kemp's latest research focuses on the brand-side of the data exchange, she plans to focus specifically on data brokers, data analysts and data providers in “a forthcoming paper”.