AdFixus’ response to the Australian Privacy Act Review Report
August 3, 2023
August 3, 2023
In a recently published, well-researched article by the team at Mi3, AdFixus has been quoted on taking a reasonably hard stance on the privacy changes.
Telstra, Woolworths, big banks urge privacy rethink on loyalty, targeting, personal information definitions, trading, use; consumer groups urge Attorney General to hold harder line
26th July 2023 | By Arvind Hickman & Andrew Birmingham
In the article it was expressed that:
‘Adfixus founder via Marko Markovic is one of the few private company executives to agree with the proposition that re-identifying de-identified information should be a criminal offence. Most organisations avoided the question altogether, although, individual submissions from the general public are overwhelmingly in favour.’
We stand by this proposition; where: The party does not have a direct relationship with the customer (i.e. it is not the first-party), or, where the party is the first-party, and, when gaining consent they committed to storing and using the information in a de-identified state.
Real-world scenario of ‘first-party with no consent’
To explain this line of thinking, let's look at a scenario and examples of how personal information is shared in the off-line world, and how this works in the digital world.
Imagine that you visit a tailor to get a suit made as you have a big event coming up. You happily give the tailor personal information such as your name, email, phone number, measurements, interests, style, fabric and brand preference details. You are happy to provide this information as it will assist in the making of your suit, it is required.
In a digital world, the scenario outlined above is the equivalent to a first-party gathering information to support the primary purpose of the site and to fulfil the customer’s legitimate need. As long as this information is used solely for the tailoring of the suit, this is fine.
Now let’s look at three more alarming examples that involve sharing of information with others (third-parties), and how they relate to the digital / online world:
Example 1 – First-party to third-party with no consent
As per the scenario above, you trust the tailor and you happily give them your personal information within the context of getting a suit made.
The tailor then passes your information to another company, so that they can target you for advertising. The tailor is paid or rewarded for this, as the information provided will allow advertisers to precisely target you, driving sales. Yet, it is unlikely to stop there, your information will likely become openly traded between other third-parties now. You don’t know who has it, what they intend to use it for, or how they are profiting by selling your information, and you have no practical means to stop the sharing of your data.
This is very common in the online world. It occurs when an eCommerce site in which your personal information (i.e. email, mobile phone number/id etc) as well as your browsing history (online behaviour) is passed onto another retailer or manufacturer (which you have not shared you information with), so that they can target you with direct advertisements.
Example 2 – Third-party without first-party approval (programmatic activity) without consent
As per the initial scenario above, you visit the tailor and provide your personal information.
While you are there, there is another person there promoting leather boots and belts. The tailor leaves to get a coffee and this person takes a photo of the details the tailor has gathered about you (i.e. name, email, phone number, measurements etc). This person then sells your information without you knowing. Like the last example, you have lost control over your personal information, others are now likely to be openly compiling and trading your information for their gain.
This would be the equivalent of you visiting an eCommerce site, seeing an advertisement provided by a third-party. Even without you clicking on the advertisement, the advertiser can use third-party cookies or browser signals (fingerprinting) to identify you and collect data about your browsing history, then merge this with data gathered elsewhere, creating a detailed profile of you that is then openly traded without your consent.
Example 3 – First-party to third-party with consent (GDPR)
Again, you visit a tailor and prior to then serving you, they ask you to sign a long legal agreement providing them with consent to gather and use your personal information. This is the tenth store you have visited today, and all of them have presented you with similar agreements – it is simply not viable for you to read all of them in detail. So, you figure that they need this information to serve you, so you sign the agreement and get served by the tailor.
By signing the agreement, you have given the tailor the right to pass on your information, and they proceed to pass it onto 15 other companies. The 15 companies add your personal information into their own databases, and then one of these companies trades your data for their gain, and it is not long before your data is soon being openly traded and out of your control again.
In the online world, this is akin to your reaction when you are constantly presented with cookie consent forms, it is only a matter of time before you provide consent to an agreement that allows your information to be shared with a business that profits through the gathering, compiling, and selling of information, typically for advertising purposes. These businesses may obscure your identity, opting to put you into cohorts of ‘like’ people, then selling this cohort on, yet this is enabled only through the capture of your personal information.
Summary of examples
You can see from these three examples that if this occurred in the physical world instead of the digital world there are very few people who would be comfortable with this. The fact that this is happening to almost everyone multiple times per day without their knowledge, understanding, consent and/or ability to prevent it is where we believe things need to change.
Summary of Mi3 article
As reported by Mi3 there have been over 300 responses to the Privacy Act Review Report all with varying views –
“banks fear crimping of automated decisioning, retailers want people to have to opt-in to targeting to get loyalty perks and telcos warn that services could be disrupted if consent is required to use geolocation and device data. The digital ad industry says free content is at risk and consumers will suffer for questionable gains. Consumer groups disagree – and urge lawmakers to hold the line.”
At AdFixus, we protect consumers and enable companies that want to provide consumers relevancy without compromising privacy. We will continue to support laws the provide greater online privacy, putting consumers in control of their information. We believe that consumers should be able to manage their identity, knowing that they can grant, track and revoke access to their information with ease.
If you are looking to read our full submission you can do so here:
Government response to the Privacy Act Review Report | Response 73969967
It has been four decades since the Australian Privacy Act has been updated. There is, and there will continue to be, a lot of debate around the terms within the Act and its ramifications across various industries.
We believe that now is the time to act to make reforms for the future, even passing laws to penalise incorrect behaviour, making it a criminal offence to share information, while implementing highly secure solutions that avoid the use of complex, consent-based mechanisms - the law is meant to protect not burden individuals.