
Online privacy

Until a few decades ago, companies had limited opportunities to gather information on consumers other than through avenues such as subscriptions, loyalty cards or competitions.



But now, thanks to the digital revolution, online retailers can gather more data about visitors to their sites – often without those visitors knowing just how much information is being collected.

A 2014 survey for the Privacy Commissioner found 80 percent of respondents were concerned about the security of their personal information online.

Professor Miriam Lips, chair in e-Government at Victoria University of Wellington, says: “A lot of people feel way too much information is being asked about them online. And, also, they think a lot of the information they’re asked to provide is of little relevance to the actual transaction.”

The grapevine

Professor Lips says people are aware information is being collected about them but “they don’t have a clue on how it’s happening, who is doing it, who’s processing it and so on”.

When browsing online, you may actively hand over personal data. If you buy an item from an online retailer, you’ll likely supply your credit card number and shipping details. You may volunteer further information if you set up an online account, sign up to a loyalty scheme or fill out a satisfaction survey.

However, data can be observed and collected by companies via cookies and other technology (see Tools of the trade) even if you don’t buy anything. This data can include:

  • your location (your IP address)
  • the products you viewed
  • the device you viewed them on
  • other sites you visit.

Beyond your desktop, a number of electronic devices can also transmit your data. Mobile phone apps can track your location, smart TVs can observe your viewing habits and fitness trackers can monitor your activity levels. There’s even a term for all this information generated by connected devices: the internet of things.

Knowledge is power

On the plus side, consumer data can be used to develop new and improved products and services.

For example, a clothing designer may use the browsing and purchase history of its customers to inform new season designs and serve up products tailored to individual tastes (“you may also be interested in …” messages). It may also use website analytics – such as the time it takes customers to navigate its billing process – to fix snags.

But the most recognised use of consumer data is for advertising. Online advertising includes:

  • Paid-for search: where a retailer pays for its website to be listed in search results.
  • Display advertising: where a retailer pays to have banners and videos pop up on other organisations’ sites (see Tools of the trade).

Marketers argue targeted advertising is beneficial: consumers are more likely to receive relevant content – and retailers more likely to make a sale – if ads are based on individual preferences. However, a survey in July 2014 by the UK’s Royal Statistical Society found many consumers did not like the practice: 71 percent of respondents thought online retailers shouldn’t look at the browsing history of their customers and send targeted ads.

The collection of personal data also has potential downsides for consumers. Fraud is the most obvious drawback, but price discrimination is another. Here, some people are charged a higher price than others for the same product. The online clothing designer could theoretically charge a consumer more if he or she has a history of costly purchases.

Some forms of price discrimination are already widely practised by businesses – and accepted by consumers. Consider loyalty schemes, such as Countdown’s Onecard, which gives members access to discounts in exchange for personal details and continued business. But what if you were made to pay more for a product and you didn’t know about it?

Price discrimination based on personal data is technically possible (see Airline pricing) but finding evidence it’s happening is another matter. In June 2015, the UK’s Competition & Markets Authority published the results of a call for information on the commercial use of consumer data. It received no clear examples of price discrimination being used to the detriment of consumers.

Your rights

Usually a company’s data collection practices are set out in its privacy policy. However, sometimes these policies can leave a lot to be desired. Some are packed with legalese whereas others are ambiguous. Clauses such as “we may share your data with third parties for purposes including analysis” give retailers maximum wiggle room to reuse personal information.

Professor Lips says her survey research (see Kiwis online) found only 25 percent of New Zealanders typically read and understand privacy policies. Most of us simply “tick the box” if that’s what’s needed to proceed with a transaction. “People are signing off their rights, but they don’t really understand what they’re doing.”

According to Professor Lips, most of us are privacy pragmatists: “we know we have to give up information in order to get a service.”

But she says many people feel companies ask for too much information about them. So what rules should a company follow when collecting personal information and what are your rights?

Under the Privacy Act 1993, “agencies” (organisations such as online retailers) must stick to certain principles. For instance, they must:

  • take all reasonable efforts to tell people if their information is being collected and for what purpose
  • only collect personal information where it’s needed for a specific purpose and only use the information for the purpose it was collected
  • ensure the information is protected against loss, misuse or unauthorised disclosure.

You also have certain rights under the Act. You can:

  • ask an organisation to confirm if it holds any information about you
  • apply for a copy of the information it holds
  • request information is amended where necessary.

While the Privacy Commissioner can investigate and mediate a privacy complaint, it can’t fine, prosecute or order an organisation to pay compensation. However, it can refer your complaint to the Director of Human Rights Proceedings if it believes you’ve suffered an “interference of privacy”. The director will decide whether to take your complaint to the Human Rights Review Tribunal.

You can also take your complaint to the tribunal, but only if you’ve tried and failed to resolve it through the Office of the Privacy Commissioner.

Changes afoot

In 2014, former Justice Minister Judith Collins announced reforms to the Privacy Act. Among the proposed changes, organisations will have to report data breaches to the Privacy Commissioner and notify affected individuals in serious cases. Organisations that fail to notify the Commissioner of a data breach – or obstruct an investigation by the Commissioner – could be fined up to $10,000. The same penalties apply to those who impersonate someone to gain access to personal information.

These reforms are intended to “give people greater confidence that agencies are handling their information appropriately”. But do they go far enough?

Professor Lips has doubts: “As personal data becomes more valuable, well, it becomes a more attractive target for thieves etc. So we need stronger protections. Part of that is about providing the Privacy Commissioner with more intervention mechanisms if something goes wrong. And I’m not sure whether the Privacy Commissioner has been given enough teeth.”

In Australia, reforms to privacy law came into effect in March 2014. The reforms give the Office of the Australian Information Commissioner the ability to seek civil penalties up to A$1.7 million in cases of serious or repeated breaches of privacy.

Report by Luke Harrison.

Tools of the trade

Cookies are pieces of data that websites store on your computer or mobile device. They allow websites to “remember” your actions or preferences.

Online retailers use cookies for different purposes. Some use cookies to keep track of items you’ve placed in an online shopping cart. Others use them to deliver ads relevant to something you’ve searched in the past.

You can ask your browser to delete or block cookies: simply search online for “cookies” + the name of your internet browser (eg “Google Chrome”) for step-by-step instructions.

If you block all cookies, you’ll find some websites won’t work properly – consumer.org.nz is one. A less restrictive option is to block third-party cookies only. These are the cookies used to track your browsing history for marketing purposes.

Web beacons are invisible tags embedded in web pages or emails.

When you load a page with a beacon, it notifies the website’s server you’ve opened it. This allows the site to gather statistics such as who opened the page, when it was opened and the number of times it was opened.

Behavioural advertising is where a consumer’s online activity is used to serve up targeted ads. If you’ve ever wondered why the skirt you like on site A is advertised on site B, the answer is behavioural advertising. Here’s an example of how it works:

  1. An online retailer partners with an advertising agency.
  2. When you visit the retailer’s site, the agency’s cookie is tagged to your browser.
  3. Now, the agency can follow you as you browse other sites within its network.
  4. The agency builds a profile of your searches, the sites you visit and the ads you click on.
  5. The agency then uses this profile to serve up targeted ads from its clients in advertorial space on other websites.
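The steps above can be modelled in a few lines of code. This is an added illustration, not part of the original report: it simulates a browser's cookie jar and an advertising agency's server, and shows how blocking third-party cookies (the less restrictive option mentioned earlier) stops the agency linking your visits into one profile. All domain names and class names are hypothetical, and nothing here touches a real network.

```javascript
// Constructed model: domains and names are hypothetical; no network access.
class Agency {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // cookie id -> pages on which the tag was loaded
  }
  // Handles the request for an ad tag embedded in a partner site's page.
  serveTag(cookieId, pageUrl) {
    const id = cookieId ?? `uid-${this.nextId++}`; // no cookie sent: looks like a new visitor
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(pageUrl);
    return { setCookie: id };
  }
}

class Browser {
  constructor({ blockThirdPartyCookies }) {
    this.block = blockThirdPartyCookies;
    this.jar = new Map(); // cookie domain -> stored value
  }
  visit(siteDomain, path, agencyDomain, agency) {
    const pageUrl = `${siteDomain}${path}`;
    // The tag is third-party whenever the agency's domain differs from the site's.
    const thirdParty = agencyDomain !== siteDomain;
    const allowed = !(thirdParty && this.block);
    const sent = allowed ? this.jar.get(agencyDomain) : undefined;
    const res = agency.serveTag(sent, pageUrl);
    if (allowed) this.jar.set(agencyDomain, res.setCookie); // otherwise the cookie is discarded
  }
}

// Returns the agency's profiles after one browser visits three partner sites.
function simulate(blockThirdPartyCookies) {
  const agency = new Agency();
  const browser = new Browser({ blockThirdPartyCookies });
  const visits = [
    ["shop.example", "/skirts/red"],
    ["news.example", "/sport"],
    ["blog.example", "/recipes"],
  ];
  for (const [site, path] of visits) browser.visit(site, path, "ads.example", agency);
  return [...agency.profiles.values()];
}

console.log("third-party cookies allowed:", simulate(false));
console.log("third-party cookies blocked:", simulate(true));
```

With third-party cookies allowed, the agency ends up with a single profile covering all three sites; with them blocked, each visit looks like a different visitor.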

Kiwis online

Men tend to be more cautious about leaving behind a digital footprint than women. That’s one finding of a March 2014 Victoria University survey on online privacy behaviour.


Of 467 participants, 87 percent had bought a product or service online in the past year. While carrying out these transactions, most people handed over their name, home and email addresses, credit/debit card details and billing address. But others had also provided:

  • mobile phone numbers
  • personal tastes and opinions
  • citizenship or visa information
  • employment details
  • relationship status.

Survey participants trusted banks, health institutions and government agencies the most out of the organisations that collected their personal data. Online dating agencies (both here and abroad) and online gaming companies were the least trusted.

The five most common online data protection tools and strategies employed by survey participants were:

  • installing antivirus software
  • restricting the amount of personal information disclosed
  • blocking unsolicited emails such as spam
  • employing a firewall
  • using security-protected WiFi.

Men were significantly more likely to delete cookies than women (77 percent vs 67 percent); use a pseudonym (30 percent vs 18 percent); and delete their online search history (68 percent vs 50 percent).