Buyer Beware: Managing The Risks of Data From Data Brokers

Data brokers play a significant (and extremely personal information-intensive) role in Australia’s business ecosystem. However, while the use of data from data brokers is a widespread practice, it’s not without risk. And given proposed reforms to Australia’s privacy laws, the risks may be about to increase. 

Why use data brokers?

It’s usually your marketing team who are going to be keen on data brokers.  So, what do they do? And why use a data broker.

 Data brokers gather data from lots of different sources, including social media sites, government records, retailers, banks and credit card companies. Data collected might include emails, phone numbers, location details, as well as other information about you.  Other Common data points collected include demographics, interests, financial status, and health records.  The ‘legality’ of this data gathering depends largely on where it happens and the relevant privacy laws that apply. In the US, there are few restrictions around the collection and use of publicly available information, or the selling or sharing of consumer information between retailers and brokers. The position is entirely different in the EU, Brazil and even Australia.

Data brokers will aggregate and analyse the data they’ve collected to create profiles (which may or may not be linked to a name).  These profiles can then be packaged for targeted advertising, risk assessment purposes, or to support market research.   

Profiling helps with micro-targeting, which means being able to pinpoint very specific groups and interests, which is a bonus for any advertiser. For a full rundown on how the targeted advertising industry works, check out the Future of Privacy Forum resources here.

Profiling may also be used as part of ‘data enrichment’ – when you want to know more about particular contacts.  For example, you can provide a phone number to a data broker and they will ‘enrich’ your current data holding by sharing with you everything they have connected to that phone number.

And of course, your profile information can be used for other purposes as well. The Washington Post has reported that politicians are using commercial data brokers. And Mozilla has also reported on the use of microtargeting in politics.

Is this happening in Australia? Yes it is. Data brokers active in Australia include Experian and Equixfax. Reset Australia released a report in December 2023 Australians for Sale: Targeted Advertising, Data Brokering and Consumer Manipulation detailing the ways that profiles of Australian consumers are broken down into micro-categories based on socio-economic status and spending habits and then sold to advertisers.

There is also a website devoted to keeping an eye on global databrokers – Data Broker Watch | DataBrokersWatch.org.

Privacy Issues With Data From Data Brokers

A range of privacy issues can arise for organisations using data from data brokers. Here are some of the primary considerations: 

Permitted use

Are you confident that the data broker is permitted to share the information with you in a manner that aligns with the Australian Privacy Act? 

If the data was not collected and shared in a way that complies with Australian privacy laws, there is a risk that you will open yourself up to a messy and protracted privacy complaint. 

Purpose For Collection

Do you have a proper purpose for collecting the data from the data broker? Under Australian privacy law, organisations must have a clear and lawful reason for collecting personal data, and the data collected must be reasonably necessary to fulfil that purpose. 

If your organisation is purchasing data that would require consent, are you confident that consent has been provided? Ideally, you would receive notice of collection alongside documents detailing express consent when you purchase personal information from a data broker – though this is not a common practice. 

Transparency Obligations Under APP 1

APP 1 notes that organisations are better placed to meet privacy obligations if they embed privacy protections in the design of their information handling practices, including planning and explaining how the information will be handled before it is collected. 

APP 1 requires APP entities to:

• “take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs and any binding registered APP code, and is able to deal with related inquiries and complaints (APP 1.2)
• have a clearly expressed and up-to-date APP Privacy Policy about how the entity manages personal information (APP 1.3 and 1.4)
• take reasonable steps to make its APP Privacy Policy available free of charge in an appropriate form (APP 1.5) and, upon request, in a particular form (APP 1.6).”

Your organisation should consider how it will comply with APP 1 if it plans to buy data from a data broker. 

It will also need to think about how it will meet its APP 5 Notice of Collection obligations.

Risks of Using Data From Data Brokers

While privacy risk management is essential, many of the issues relating to purchasing and/or using data provided by data brokers are also likely to impact your reputation and your bottom line. These include: 

• Privacy concerns: 90% of Australians surveyed in the OAIC’s Australian Community Attitudes to Privacy Survey 2023 believed they should have a right to object to specific data practices, including the selling of their personal information. Meanwhile, 83% did not want their personal information shared without consent. These issues are meaningful to Australias, which means that the practice of buying and using data to target Australians (especially those who are unfamiliar with your company) may harm your reputation. 
• Security concerns: The OAIC highlights that “an individual’s risk of having their information compromised in a data breach can also increase as their personal information or de-identified data is disseminated and stored by a larger number of entities.” As always, the more data your organisation holds, the higher the risk stemming from a data breach, and the more stringent (and expensive) your cyber security needs to be. 
• Accuracy and reliability: Data from data brokers is often inaccurate and unreliable, leading to poor decision-making and business outcomes.  This is especially true when the data is aggregated without consent from the individual. 

And Don’t Forget SPAM Laws

You must comply with SPAM laws before using any data obtained from a data broker for direct email or SMS marketing. Here’s what the ACMA said about consent for marketing in its recent guidance: 

“Do not assume third parties working with you will keep/obtain records of consent and marketing. You need to have oversight and assurance processes in place to ensure these records are reliably kept and maintained by those third parties or yourself. If these records are required by the ACMA using its compulsory information-gathering powers, they must be produced. 

Records should include the method by which the consent was obtained, the terms that applied and the date and time it was obtained.” 

We’ve created a downloadable guide to privacy considerations for marketing teams you can review for more information. 

Potential Reforms to Australia’s Privacy Laws

Australia’s government has agreed in principle to a host of privacy reforms that could impact how data brokers operate in Australia and increase the risk for organisations using purchased data, including:

• Stronger notice and consent requirements. 
• Fairness limitations for collection, use, and disclosure that cannot be avoided through consent. 
• Introducing a right to erasure. 
• Mandatory privacy impact assessments for high-risk activities. 
• Restrictions on direct marketing, advertising, and trading in personal information. 

Learn more about the potential reforms here. 

Checklist For Organisations Using Information From Data Brokers

Here are some questions you should consider before purchasing and/or using personal information gathered from data brokers: 

• Are you certain that there is a reasonable purpose for the collection of data from the broker?
• Is there another way to achieve the same purpose without the data from the data broker/s?
• Are you okay with a segment of the individuals targeted using information acquired from a data broker being frustrated with your business or finding your practices ‘creepy’? 
• Is the data accurate, reliable, and reasonably recent? How do you know? 
• Did the data broker comply with relevant privacy laws in the collection and selling/sharing of the data? How do you know?
• Will you be able to provide notice of the data collection in accordance with the APPs? 
• Do you have appropriate security measures in place to protect the data? 
• Are you aware of the legal risks of collecting, using, and storing data from data brokers? 
• When and how will you delete the data? 
• Is the data representative of your target audience? What gaps exist in the data? 
• Are there any restrictions on how you can use the data? Should there be? 
• Does obtaining and using the data align with your organisation’s values, ethics, and reputation? 

Improved Privacy Hygiene With Privacy 108

Privacy 108 offers a comprehensive suite of privacy legal and consulting services, delivered by our team of privacy and security experts.

Our privacy services include:

• Privacy management programs;
• Privacy impact assessments;
• Privacy legal services;
• Privacy by Design;
• Privacy policy review;
• Privacy technology; and
• Training and awareness programs.

For assistance with your organisation’s privacy practices, reach out.