Ordering your dinner through a restaurant’s QR code or answering increasingly personal questions from real estate agents in hopes of getting a rental?

You’re putting your personal data on the line, and there’s no telling where it’ll end up – but you’re not alone.

A consumer watchdog report has questioned whether Australians  are able to give informed consent when signing away their data to businesses with convoluted and vague privacy policies.

The report by the Australian Competition and Consumer Commission (ACCC) highlighted consumers are typically unaware of how much data is collected, used and shared with data firms and other businesses.

“Many consumers may be unaware of the scope of data that is collected and then shared or on-sold to other data firms or unidentified third parties,” ACCC deputy chair Catriona Lowe said.

“As consumers are increasingly required to provide personal information or other data on themselves to access important services, such as applying for a rental property or receiving an insurance quote, we are very concerned that consumers may be unable to exercise choice or meaningful control over how their data is shared and used.”

Where does your data go?

Any personal information you hand over to an organisation, from your date of birth to your location data, doesn’t necessarily stay with that organisation.

University of New South Wales’ Faculty of Law and Justice associate professor Katharine Kemp told The New Daily even if an organisation promises not to sell your data, they can still disclose it as part of a business arrangement, possibly in exchange for other data.

She said there has been a consistent trend in “all kinds” of businesses asking for more information from consumers, mostly because they want to “repurpose” that information.

Examples of data that may be held on consumers. Photo: ACCC

“For instance, for targeted advertising, for sharing with other businesses, sometimes to monetise that data for an alternative business of theirs,” Kemp said.

“All of that results in a lot broader disclosure and use of personal data than the consumers were expecting.

“And in many cases, that’s without any knowledge on the part of the consumers themselves.”

Often, data will end up in the hands of data firms, who the ACCC found often refer to themselves as ‘information services companies’, ‘data and analytics businesses’, or ‘data collaboration platforms’.

This data will likely have been de-identified to protect consumer privacy, but it is entirely possible for the data to be re-identified if enough of it has been collected, or if it was de-identified improperly.

What are the dangers?

Potential consumer harms listed by the ACCC included being targeted by advertising for something as innocent as dog food, if your data has identified you as a dog owner.

But there is a dark side to this kind of targeted advertising; for example, gambling addicts identified as ‘frequent gamblers’ by their data may targeted by gambling ads.

Data can also contribute to scams or other fraudulent activity, or could result in particular consumers being discriminated against by businesses, with details from everything from income to religion up for grabs.

Australian Privacy Foundation chair David Vaile referenced respected public-interest technologist Bruce Schneier, who believes no one can promise to protect your information.

People who are fully trusting organisations to protect their data are setting themselves up to be exploited and manipulated, Vaile said.

“The other thing in all of this, it’s not just selling random data. They want to support psychographic profiling of individuals – of you – and work out, how can we change the way you think?” he said.

“How can we make you buy Product B, not Product A? How can we make you sceptical of anybody that tries to do good, or about this particular sort of social problem?

“That sounds a bit far-fetched … but in fact we’re not far from that.”

Are consumers able to give informed consent?

The ACCC highlighted that if Australian consumers fully read all of the privacy policies they encounter, it would take an estimated 46 hours per month.

It’s unlikely anyone has that extra time, and even if they did, privacy policies are designed to be confusing and unclear.

Vaile said consumers are often told to ‘take it or leave it’ while businesses reserve the right to be secretive.

“[They essentially say], ‘If you want to shop in here, or if you want to do certain things it’s not negotiable – we won’t actually tell you what we do with your data or where it goes … because we’ve just got this vague, impossible-to-read privacy policy,” he said.

“The abuse of the notion of consent, or informed consent, is at the heart of this.”

Is this conduct legal?

Kemp said while Australian consumer law prohibits misleading representations, the terms in privacy policies are often phrased in confusing ways that make it hard to figure out whether they are misleading.

“These terms are often seemingly deliberately confusing and used to throw consumers off the scent of what’s really happening with their data,” she said.

“We don’t have any clear guidelines on what kinds of confusing terms should be avoided, so pity the consumer that attempts to work out what’s happening with their information.”

Under the Privacy Act, companies must collect personal information about consumers directly from those consumers, with certain exceptions.

But Kemp said that rule has never been enforced by the privacy regulator on data brokers and their business customers.

Adding to local consumer woes is the fact that Australians have no right to sue for breach of privacy, Vaile said.

“Governments have never actually fixed the black hole that there’s no right to sue,” he said.

“In fact, there’s no enforceable right to privacy in Australia … because [political parties] quite like the idea that whatever they [or their supporters] do, they can’t be sued.”

Vaile said prevention is key; while we can’t take back the information already out there, we can choose the path of data minimisation going forward.

“Collect less, use less, store less,” he said.