Woolworths’ New Privacy Policy: Making privacy simple?

The Woolworths Group have updated their Privacy Policy. The new policy is good but could it have been better?

Why do we care?

I’ve not shopped on-line with Woolworths or used their rewards program since 2017 but I received a friendly email today, as has probably everyone in the Woolworths database.  It was from the Woolworths CEO, advising of their updated privacy policy and cookie notice.  Letting me know that, because my privacy is important to Woolworths (of course it is!), they’ve recently made some changes to those documents to make them ‘clearer, easier to read’ and ‘to better explain the parts that are most relevant to (me).’

This from the company that was found to have breached spamming laws more than 5 million times (and ordered to pay the largest fine ever issued by the Australian Communications and Media Authority) last year[1]. The same Woolworths who strongly believes there is “no demonstrable consumer benefit” in being transparent about its’ offshore data processors[2].

In spite of this, it is always encouraging to see industry leaders taking a step toward advancing the protection of privacy, especially a brand as well-known as Woolworths. Woolworths has a unique opportunity to influence change and nudge other Australian organisations towards reconsidering their attitudes toward privacy protection.

But how well have they done?  Has Woolworths really made my understanding of how Woolworths collect, hold and use my personal data as simple as ordering an online home delivery?

What we like

Woolworth’s has a privacy vision contained in an easy-to-understand paragraph. Supporting the vision statement are  three clear, easy to understand statements of principle, that are engaging and easy to understand

  • We’ll put you first;
  • We’ll keep it simple; and
  • We’ll keep your data safe.

Each of these statements is presented in accessible font, with icons alongside them to increase their visual impact. There is more detailed information easily accessible via click through, for those who wish to obtain further information on a specific section of the policy.

The use of clear and concise language, icons and multi-layered presentation are all acknowledged best practices, recommended by multiple data protection authorities worldwide to enhance the transparency of organisational privacy obligations.

The contact details for the Woolworths Group Privacy Officer are now visible at the top of the landing page, including all the different channels through which the Privacy Officer can be contacted. This is an improvement on the earlier version of the policy that required users to scroll through a page to locate contact details.

What we don’t like

Although the new Privacy Policy pages are much easier to read than previous versions, the sections are difficult to navigate. If you wish to obtain further information and navigate away from the landing page, you have three (3) options:

  1. Click on the Why we collect your information page;
  2. Read the full Woolworths Group Privacy Policy; or
  3. Review the Cookie Statement.

 

Notice of Collection: Why we collect your information

The “Why we collect your information” section is designed to comply with the Australian Privacy Principle (APP) requirement to provide notice of collection (APP 5), rather than providing clear and precise information about purposes of collection.

As an example, Section 3 of the policy advises:

“We also collect information via our apps on mobile devices, for example the current location of your device, as allowed by your device permissions.”

Given the potentially high risk nature of location data, customers should have detailed information about this collection such as the point in time at which the location data is being collected, particularly if the data is being collected all the time as a default setting, or if it is only collected when the app is accessed, and exactly how the data is being collected.  Additionally, the policy should advise users of how they can manage the collection of location data, or any other data collected through mobile apps, either by limiting the collection or by opting-out altogether.

More detailed information is available in the Woolworths Group Privacy Policy.

Woolworths Group Privacy Policy

Given Woolworths’ investment in engaging their customer base and crafting clear but captivating messages to do that, it’s a shame that more of their creative capture techniques were not applied to the wording of both the announcement and the new policy itself, both very generic in nature. The Woolworths Group Privacy Policy ticks all the boxes in terms of  mandatory disclosure, but provides the very minimum amount of information necessary.

There seems little attempt to really put the customer first or to assure their customers that their personal information is in safe hands.

How many times have you heard ‘At XYY, your privacy is extremely important to us.’ Enough times to think that if they can’t come up with something more original than my privacy isn’t really that important…

The wording is vague and lacking in detail, leaving customers without much of an idea of what the Woolworths Group does with their personal information, or who they share it with. For example, when informing customers of the purpose of collection, the policy states:

We may use your personal information for purposes which are incidental to the sale and promotion of our goods and services, or for other purposes which are within your reasonable expectation or permitted by law.”

A recent incident involving Woolworths’ disclosure of customer information collected via their loyalty program to the NSW Department of Health for contact tracing purposes serves as a great example of why the definition of “other purposes” required further elaboration. Even though a secondary disclosure in this instance falls under the scope of what is  “permitted by law”, customers should be made aware that the personal information they provide in order to access a loyalty program, may also be shared with authorities in the event of a permitted health situation. Woolworths have now updated their collection notice to include the sharing of Everyday Rewards data linked to customer information for the purpose of contact tracing[3].

With regard to sharing personal information with third parties, the policy reads:

Some of our service providers, including data storage and technology service providers, may be located or use locations outside of Australia…… Our service providers or their data storage servers may be located, and may store your personal information from time to time, in a number of countries, including New Zealand, Switzerland, the United Kingdom, United States, India and Japan.”

This generic statement provides customers very little detail in terms of locations where personal information may be transferred and a very broad description of the purpose of transfer. Customers are left unaware of the basis of the transfer or the safeguards in place to ensure the security of the data being transferred.

To further improve the updated Privacy Policy and increase customer accessibility and ease of use, Woolworths could consider including the following:

  • A clear, summarised description of exactly what information is being collected about customers, clearly visible on the landing page;
  • A clear, summarised description of exactly what each information set is being used for available on the landing page;
  • A simplified access link to customer account settings to allow customers to manage the information Woolworths collects about them and to decide what they are permitted to do with it. An all-inclusive solution for updating necessary consents and un-subscribing would also allow customers an avenue to exercise their individual rights with greater ease, rather than having to manually un-subscribe from each individual service signed up for.

Everyday Rewards

Most loyalty programs that collect your personal information will go on to use it in ways you may not expect, particularly if you do not take the time to carefully review the terms and conditions of the program every time they are updated.

Recognising both the study conducted on the high number of Australians who participate in loyalty programs[4] and the large amount of personal information gathered and analysed as part of those programs, the Office of the Australian Information Commissioner (OAIC) reviewed the Woolworths Everyday Rewards loyalty card program in 2016.[5] Although no major issues were identified with the way the program operated, the OAIC made some recommendations, including:

  • Providing more information about the countries where customer personal information may be disclosed, recommending Woolworths provide a list of those countries in an appendix to its privacy policy rather than in the body of the policy, or include a link to a regularly updated list of those countries; and
  • Providing further detailed information about privacy matters in the Woolworths Everyday Rewards program terms and conditions, including the adoption of a layered approach to provide a summary of key matters, with a hyperlink to more detailed information, and improving navigability through the use of a hyperlinked table of contents.

The updated Privacy Policy covers all Woolworths Group operations, including the Everyday Rewards program. Given the above recommendations by the OAIC, changes in the areas referred to might have been anticipated.  But it seems they were only implemented in part.

The policy continues to provide only very broad descriptions regarding overseas transfers of personal information and has not used the layered approach other than via the Notice of Collection referred to already.

An example of some of the areas where further information could have been provided:

  • Complete details of types of information collected. For example, the OAIC report found that the following information was being used for data analytics: “basket contents, store location, register number, date, time and any offers used by the customer”.  The updated policy fails to disclose all of these details.
  • Further information on how collected personal information is used, including whether it is aggregated, ‘enhanced’ or otherwise modified through integration with other information.
  • Detailed information of the parties with whom customer personal information may be shared including the Everyday Rewards partner organisations, and what information is share.
  • Whether any automated profiling activities are being undertaken;
  • Increased transparency around the periods of retention of customer personal information.

Conclusion

Woolworths can be commended for going through the process of updating their privacy documents and informing their customers of the changes made.  Both their vision and statement of core principles are well-considered and the language used is for these purposes is largely clear, concise and engaging.

However, the Woolworths Group have perhaps missed the opportunity they had to  position themselves as a thought leader in providing clear and easy to understand information to their customers, together with the tools and resources they need to manage the ways in which their personal information is handled to suit their requirements.

Unfortunately it appears that yet another Australian organisation is prepared to do just enough to meet their legal requirements, albeit with a small gesture toward meeting community expectations, but without the significant shift required in truly putting the privacy of their Australian customers first.

Notes:

Some guidance on how to get a layered approach is provided by this paper: ten_steps_to_develop_a_multilayered_privacy_notice__white_paper_march_2007_)

[1] https://www.abc.net.au/news/2020-07-02/woolworths-hit-with-million-dollar-fine-for-spamming/12414750

[2] https://www.itnews.com.au/news/woolworths-still-reluctant-to-list-all-companies-than-handle-its-data-559520

[3] https://www.woolworths.com.au/shop/discover/about-us/collection-notice

[4] According to the OAIC, a study by First Point Research and Consulting found that 88% of Australian consumers over the age of 16 are members of a loyalty program. First Point Research and Consulting, For Love or Money? 2013 Consumer Study into Australian Loyalty Programs, viewed 4 August 2015, Australian Marketing Institute website <www.ami.org.au>.

[5] Loyalty program assessment: Woolworths Rewards — Woolworths Limited — OAIC

 

Want to receive updates like this in your inbox? Subscribe

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.