Collecting and handling personal information to enhance the profiles of potential advertising and marketing targets raises distinct privacy issues.
Questions may arise around the nature of the information, and in certain circumstances, it may be unclear whether and how certain Australian Privacy Principles (APPs) apply. For instance, it may at first glance be unclear whether information being collected is actually “personal information”, or whether the information could later take on the character of personal information. Care also needs to be taken in this area with respect to the drafting of privacy policies and collection notices.
Potential problems can arise when, for example, an organisation discloses personal information to a marketing service provider which then “washes” or de-identifies the personal information and discloses it to a third party. It’s an increasingly common practice: washed data is then matched and combined with third party data about the same individual in order to develop a more detailed profile of the individual.
The organisation that disclosed the data to the marketing service provider may not think the information is personal information because it will be washed by the service provider before being sold and used elsewhere. But, in legal terms, the information is personal information when disclosed prior to the washing so it falls under the APPs. The fact that the information may subsequently cease being personal information in the hands of the service provider should be relevant only to the handling of that information after its conversion.
This means the organisation must ensure that its disclosure to the service provider that washes the personal information also complies with the APPs. In particular, APP 7 (described below) applies when the personal information is used by organisations in their direct marketing, including building more detailed individual profiles. The organisation should also require that the service provider contractually agrees to comply with the APPs if the service provider is located overseas.
Similarly, organisations need to be cautious about information that is not personal information at the time of collection, but which may become personal information when combined with other data. For example, when organisations like hotels and airports offer free public Wi-Fi to visiting customers, they may collect the IP and MAC addresses of individuals in range, even before those individuals connect to the Wi-Fi network. Those IP and MAC addresses alone will not be able to identify individuals; however, they will be capable of doing so when combined with other information like the names and email addresses users provide to log in to the Wi-Fi network. The APPs therefore apply to the handling of IP and MAC addresses.
Similarly, an internet user’s pseudonym and the user’s comments, like those in a comment stream in an online newspaper, may be personal information covered by the APPs when combined with other information that identifies the user.
Organisations using targeted online advertising -- especially those that rely on enhanced individual profiles containing personal information collected by a third party -- should be careful when preparing privacy policies and collection notices. It may not be enough to state that an individual’s personal information may be used for “marketing purposes” or even “direct marketing purposes”.
APP 7 prohibits the use or disclosure of personal information for direct marketing purposes except where (among other things) the individual reasonably expects the information to be used or disclosed for that purpose, or where (if practicable) an individual has given his or her consent for the information to be used or disclosed for direct marketing.
Organisations should rethink using broad terms such as “marketing purposes” or “direct marketing purposes” in a notice or consent. This language is potentially problematic because:
- the practice of targeted online advertising, particularly one that uses enhanced user profiles, is a fairly novel form of marketing that individuals who are more used to traditional forms of marketing may not understand or expect;
- the broad language suggests the use and disclosure relates only to personal information collected by the organisation from the individual, not information collected from a third party. The individual’s reasonable expectation and consent may not extend to the use and disclosure of the third party information; and
- in any event, as enhanced individual profiles include personal information acquired from third parties, APP 5(b) is likely to require that collection notices state the type of information collected and how that information is collected.
It is therefore best practice for a relevant notice or consent to state that personal information (including information obtained from a third party) will be used and disclosed for the purposes of tailoring online advertising to the individual. It should also state if personal information will be provided to a third party to obtain an enhanced individual profile.
It is not always easy to identify what information is, or could take on the character of, personal information under the Privacy Act. The issues and challenges that can arise highlight the importance of closely scrutinising how you collect, use and disclose information to ensure you comply with the APPs.