Australian consumers don鈥檛 understand how companies 鈥 including data brokers 鈥 track, target and profile them. This is revealed in new research on consumer understanding of privacy terms, released by the non-profit and UNSW Sydney today.
also reveals 70% of Australians feel they have little or no control over how their data is disclosed between companies. Many expressed anger, frustration and distrust.
These findings are particularly important as the government considers , and the consumer watchdog finalises its .
If Australians are to have any hope of fair and trustworthy data handling, the government must stop companies from behind confusing and misleading privacy terms and mandate fairness in data handling.
We are all being tracked
Our activities online and offline are constantly tracked by various companies, including that trade in our personal information.
This includes data about our activity and purchases on websites and apps, relationship status, children, financial circumstances, life events, health concerns, search history and location.
Many businesses focus their efforts on finding new ways to track and profile us, despite repeated evidence that consumers view this as .
Companies describe the data they collect in confusing and unfamiliar terms. Much of this wording seems designed to prevent us from understanding or objecting to the use and disclosure of our personal information, often collected in surreptitious ways.
Businesses can use your data . This includes
- charging you a higher price
- preventing you from seeing better offers
- micro-targeting political messages or ads based on your health information
- reducing the priority you鈥檙e given in customer service
- creating a profile (which you鈥檒l never see) to share with a prospective employer, insurer or landlord.
Anonymised, pseudonymised, hashed
Businesses commonly try to argue this information is 鈥溾 or not 鈥溾, to avoid running afoul of the federal Privacy Act in which these terms are defined.
But many privacy policies muddy the waters by using other, undefined terms. They create the impression data can鈥檛 be used to single out the consumer or influence what they鈥檙e shown online 鈥 even when it can.
Privacy policies commonly refer to:
- anonymised data
- pseudonymised information
- hashed emails
- audience data
- aggregated information.
These terms have no legal definition and no fixed meaning in practice.
Data brokers and other companies may use 鈥減seudonymised information鈥 or 鈥渉ashed email addresses鈥 (essentially, encrypted addresses) to create detailed profiles. These will be shared with other businesses without our knowledge. They do this by matching the information collected about us by various companies in different parts of our lives.
鈥淎nonymised information鈥 鈥 not a legal term in Australia 鈥 may sound like it wouldn鈥檛 reveal anything about an individual consumer. Some companies use it when only a person鈥檚 name and email have been removed, but we can still be identified by other unique or rare characteristics.
What did our survey find?
Our survey showed Australians do not feel in control of their personal information. More than 70% of consumers believe they have very little or no control over what personal information online businesses share with other companies.
Only a third of consumers feel they have at least moderate control over whether businesses use their personal information to create a profile about them.
Most consumers have no understanding of common terms in privacy notices, such as 鈥渉ashed email address鈥 or 鈥渁dvertising ID鈥 (a unique ID usually assigned to one鈥檚 device).
And it鈥檚 likely to be worse than these statistics suggest, since some consumers may overestimate their knowledge.
The terms refer to data widely used to track and influence us without our knowledge. However, when consumers don鈥檛 recognise descriptions of personal information, they鈥檙e less likely to know whether that data could be used to single them out for tracking, influencing, profiling, discrimination or exclusion.
Most consumers either don鈥檛 know, or think it unlikely, that 鈥減seudonymised information鈥, a 鈥渉ashed email address鈥 or 鈥渁dvertising ID鈥 can be used to single them out from the crowd. They can.
Most consumers think it鈥檚 unacceptable for businesses they have no direct relationship with to use their email address, IP address, device information, search history or location data. However, data brokers and other 鈥渄ata partners鈥 not in direct contact with consumers commonly use such data.
Consumers are understandably frustrated, anxious and angry about the unfair and untrustworthy ways organisations make use of their personal information and expose them to increased risk of data misuse.
Fairness, not 鈥榚ducation鈥
Simply educating consumers about the terms used by companies and the ways their data is shared may seem an obvious solution.
However, we don鈥檛 recommend this for three reasons. Firstly, we can鈥檛 be sure of the meaning of undefined terms. Companies will likely keep coming up with new ones.
Secondly, it鈥檚 unreasonable to place the burden of understanding complex data ecosystems on consumers who naturally lack expertise in these areas.
Thirdly, 鈥渆ducation鈥 is pointless when consumers are not given real choices about the use of their data.
Urgent law reform is needed to make Australian privacy protections fit for the digital era. This should include clarifying that information that is 鈥減ersonal information鈥.
We also need a 鈥渇air and reasonable鈥 test for data handling, instead of take-it-or-leave-it privacy 鈥渃onsents鈥.
Most of us can鈥檛 avoid participating in the digital economy. These changes would help ensure that instead of confusing privacy terms, there are substantial, meaningful legal requirements for how our personal information is handled.
, Associate Professor, Faculty of Law & Justice,
This article is republished from under a Creative Commons license. Read the .