It sounds like a good deal at the time — signing up as a member of a store to collect reward points or a $10 discount — but consumers are being warned of the hidden cost of giving away their personal information.
In a recent report, the Consumer Policy Research Centre (CPRC) claims it's a widespread practice for businesses to trade information about customers with other companies.
Even if they don't identify people using their name, this still allows businesses to build a profile of a person, which could impact what they pay for products in the future.
"They can create a profile about you — it can shape what you see online, what offers you may be excluded from or included in, and even what price you may pay for products and services," CPRC's digital policy director Chandni Gupta said.
Gupta said if companies were asking for personal information, they could be swapping customer data — including a person's search history and location — with other companies.
They can create a profile about you - it can shape what you see online, what offers you may be excluded from or included in, and even what price you may pay for products and servicesConsumer Policy Research Centre digital policy director Chandni Gupta
Even if a company is not asking for data, they may be trying to access it from a third-party business with which the consumer has no direct contact.
"The practice is quite widespread," Gupta said.
How businesses obtain your data
Each time someone signs up to a store reward or loyalty program, or is asked to register with a website, it creates a profile that can then be used to track their activity.
When using the internet, people are often asked to "allow cookies" when they open a webpage. Cookies are small pieces of data that can be used to identify a computer. They enable websites to remember a user, their logins and what's in their shopping cart.
"Some cookies are there to help you use the site in a way that works for you — functional cookies — but then there are cookies there purely to collect information about you, what you're browsing, what you're seeing, what transactions you're making," Gupta said.
"They're collecting that information for potential marketing purposes and also for data sharing purposes as well."
Another way people could be tracked is through apps.
"Say you've downloaded a particular app, you could delete the app but then the app could potentially have already added trackers or linked up with other apps that you use, because there is data sharing that is happening between particular services that you would not be aware of," Gupta said.
"So many times the data is being collected by businesses that you actually as an individual, have never even heard of."
How Woolworths customer data can be used
Many businesses, including supermarket giants Coles and Woolworths, also gather data through reward programs such as Flybuys (Coles) and Everyday Rewards (Woolworths).
In its recent report Singled Out, the CPRC and the University of NSW looked at Woolworths' data analytics business Quantium, which it argues may be acting as a data broker and dealing with people's personal information, something Quantium denies.
Woolworths provides data from its Everyday Rewards loyalty program to Quantium, which can include information on what people are buying. Quantium says it does not deal with "personal information" because Woolworths generates a unique code for each person instead of using their name.
The CPRC is not convinced this protects people's identities. It points to the Quantium privacy policy that notes de-identified data provided by its clients uses a code that enables the person to be "associated with the data sets made available to Quantium by different Quantium clients".
Gupta explains that the process Woolworths uses to generate the unique code could be the same process that other Quantium clients use. So if a different client had the same customer in its database, it's possible the individual could be given the same unique code and this would allow Quantium to build a better profile of the individual. Quantium could then provide further information about the person's attributes and likely behaviour to its clients.
"Quantium is apparently making its profit by providing extra information about an individual knowing that its clients can identify, influence, and address that individual from the information provided, even if Quantium uses a code for that individual," CPRC's report states.
SBS News asked Woolworths Group to respond to the claims in the report, and the supermarket chain provided comments from a Quantium spokesperson, who said the centre's report is inaccurate and misleading.
Woolworths provides data from its Everyday Rewards loyalty program to its data analytics business Quantium.
"This code is never shared by Quantium to other Quantium clients or third parties, nor is it used by Quantium to link data about any individual across its different products and services," the spokesperson told SBS News.
Quantium says it uses the data to provide insights to Woolworths’ suppliers about the performance of their products in stores.
"The insights are about product performance or cohort purchasing trends, not individuals," the spokesperson said.
A spokesperson from Everyday Rewards said it did not provide Quantium with its customers' personal information.
"We have agreed strict rules with Quantium about how our data can be used such that the suggested scenario (of a person being linked through the same unique code being used) would not happen," she said.
Call for better privacy protections in Australia
The CPRC does not believe the Privacy Act 1988 adequately protects the personal information of consumers and that it needs to be updated.
Gupta points out that even the definition of "personal information" was developed before the arrival of the internet in Australia.
According to the Act, personal information is considered to be information or an opinion about an "identified individual", although this can also include data about a person who is "reasonably identifiable".
It does not include de-identified information, which is data that has had details such as name and date of birth removed, as well as rare characteristics that could allow the invididual to be recognised.
The CPRC believes claims that information is de-identified require scrutiny because removing certain personal information does not always guarantee the individual won't be re-identified.
This is particularly in cases where information is matched with another dataset, something that is becoming easier with advances in machine learning and where businesses are using common pseudonyms for a customer.
"Many companies are trying to argue that the data they use is not actually covered by the Privacy Act when they allocate a unique code to each individual to track and profile them across most areas of their life. This makes a mockery of the objectives of privacy law," report co-author University of NSW Associate Professor Katharine Kemp said.
Terms regularly used by companies in their privacy policies such as "pseudonymised information" are also not defined under Australian law, creating a lack of certainty.
Companies are trying to argue that the data they use is not actually covered by the Privacy Act when they allocate a unique code to each individual to track and profile them across most areas of their life. This makes a mockery of the objectives of privacy lawUniversity of NSW Associate Professor Katharine Kemp
"We need to modernise what it means to be identifiable," Gupta said.
"We need governments to be saying, if a person can be singled out from a crowd — that's personal information."
The not-for-profit consumer think tank wants Australia to introduce a ban on unfair business practices so companies can't collect data in a way that leaves people worse off, something that other countries in the European Union and the United States have done.
This would put the responsibility for protecting people's privacy back on companies, and not on consumers, who are obligated to sign up to complicated privacy policies in order to access services.
We need governments to be saying, if a person can be singled out from a crowd — that's personal informationConsumer Policy Research Centre digital policy director Chandni Gupta
Federal government response
In 2022 the Attorney-General's Department reviewed the Privacy Act and proposed a new "fair and reasonable" test for the handling of personal information, and also suggested adding a definition to the Act so data collected for marketing purposes, including de-identified information, is covered.
In its response to the review in 2023, the federal government agreed in-principle to amending the Act to clarify that personal information could include things such as IP addresses and device identifiers. It acknowledged a person could be reasonably identifiable if they were able to be distinguished from all others, even if their legal identity was not known.
Attorney-General Mark Dreyfus's department is looking at better data privacy protections for Australians. Source: AAP / Lukas Coch
The government also agreed in-principle to introduce a requirement in the Privacy Act for the disclosure of personal information to be "fair and reasonable" in the circumstances. It's exploring further options to reform consumer law following public consultation in late 2023.
'Care and respect' needed in handling people's data
The CPRC believes the Office of the Australian Information Commissioner (OAIC) should use powers it already has to ensure that personal information is only collected directly from an individual, unless it is unreasonable or impractical to do so.
A spokesperson for the office of Attorney-General Mark Dreyfus told SBS News the OAIC is an independent regulator, and its preferred approach is to facilitate voluntary compliance.
However, the government has agreed to reforms to strengthen the commission's enforcement powers, including introducing additional investigation powers; lower penalties for less serious breaches to allow for more targeted responses; and clarity over what conduct amounts to a "serious" breach.
Rather than just notifying the consumer and obtaining their sign-off on complicated privacy statements, Gupta said the collection, use and sharing of people's data should be handled with care and respect.
"I can't at the moment comfortably say that that's happening," she said.
"At the moment the onus is very much on the consumer as an individual to go through the privacy policy to say 'yes'. What we want ideally is a baseline of standards that everyone has to meet."
