Until a few decades ago, companies had limited opportunities to gather information on consumers other than through avenues such as subscriptions, loyalty cards or competitions.
But now, thanks to the digital revolution, online retailers can gather more data about visitors to their sites – often without their knowledge of just how much information is being collected.
A 2014 survey for the Privacy Commissioner found 80 percent of respondents were concerned about the security of their personal information online.
Professor Miriam Lips, chair in e-Government at Victoria University of Wellington, says: “A lot of people feel way too much information is being asked about them online. And, also, they think a lot of the information they’re asked to provide is of little relevance to the actual transaction.”
Professor Lips says people are aware information is being collected about them but “they don’t have a clue on how it’s happening, who is doing it, who’s processing it and so on”.
When browsing online, you may actively hand over personal data. If you buy an item from an online retailer, you’ll likely supply your credit card number and shipping details. You may volunteer further information if you set up an online account, sign up to a loyalty scheme or fill out a satisfaction survey.
However, data can be observed and collected by companies via cookies and other technology (see Tools of the trade) even if you don’t buy anything. This data can include:
Beyond your desktop, a number of electronic devices can also transmit your data. Mobile phone apps can track your location, smart TVs can observe your viewing habits and fitness trackers can monitor your activity levels. There’s even a term for all this information generated by connected devices: the internet of things.
On the plus side, consumer data can be used to develop new and improved products and services.
For example, a clothing designer may use the browsing and purchase history of its customers to inform new season designs and serve up products tailored to individual tastes (“you may also be interested in …” messages). It may also use website analytics – such as the time it takes customers to navigate its billing process – to fix snags.
But the most recognised use of consumer data is for advertising. Online advertising includes:
Marketers argue targeted advertising is beneficial: consumers are more likely to receive relevant content – and retailers more likely to make a sale – if ads are based on individual preferences. However, a survey in July 2014 by the UK’s Royal Statistical Society found many consumers did not like the practice: 71 percent of respondents thought online retailers shouldn’t look at the browsing history of their customers and send targeted ads.
The collection of personal data also has potential downsides for consumers. Fraud is the most obvious drawback, but price discrimination is another. Here, some people are charged a higher price than others for the same product. The online clothing designer could theoretically charge a consumer more if he or she has a history of costly purchases.
Some forms of price discrimination are already widely practiced by businesses – and accepted by consumers. Consider loyalty schemes, such as Countdown’s Onecard, which gives members access to discounts in exchange for personal details and continued business. But what if you were made to pay more for a product and you didn’t know about it?
Price discrimination based on personal data is technically possible (see Airline pricing) but finding evidence it’s happening is another matter. In June 2015, the UK’s Competition & Markets Authority published the results of a call for information on the commercial use of consumer data. It received no clear examples of price discrimination being used to the detriment of consumers.
Usually a company’s data collection practices are set out in its privacy policy. However, sometimes these policies can leave a lot to be desired. Some are packed with legalese whereas others are ambiguous. Clauses such as “we may share your data with third parties for purposes including analysis” give retailers maximum wiggle room to reuse personal information.
Professor Lips says her survey research (see Kiwis online) found only 25 percent of New Zealanders typically read and understand privacy policies. Most of us simply “tick the box” if that’s what’s needed to proceed with a transaction. “People are signing off their rights, but they don’t really understand what they’re doing.”
According to Professor Lips, most of us are privacy pragmatists: “we know we have to give up information in order to get a service.”
But she says many people feel companies ask for too much information about them. So what rules should a company follow when collecting personal information and what are your rights?
Under the Privacy Act 1993, “agencies” (organisations such as online retailers) must stick to certain principles. For instance, they must:
You also have certain rights under the Act. You can:
While the Privacy Commissioner can investigate and mediate a privacy complaint, it can’t fine, prosecute or order an organisation to pay compensation. However, it can refer your complaint to the Director of Human Rights Proceedings if it believes you’ve suffered an “interference of privacy”. The director will decide whether to take your complaint to the Human Rights Review Tribunal.
You can also take your complaint to the tribunal, but only if you’ve tried and failed to resolve it through the Office of the Privacy Commissioner.
In 2014, former Justice Minister Judith Collins announced reforms to the Privacy Act. Among the proposed changes, organisations will have to report data breaches to the Privacy Commissioner and notify affected individuals in serious cases. Organisations that fail to notify the Commissioner of a data breach – or obstruct an investigation by the Commissioner – could be fined up to $10,000. The same penalties apply to those who impersonate someone to gain access to personal information.
These reforms are intended to “give people greater confidence that agencies are handling their information appropriately”. But do they go far enough?
Professor Lips has doubts: “As personal data becomes more valuable, well, it becomes a more attractive target for thieves etc. So we need stronger protections. Part of that is about providing the Privacy Commissioner with more intervention mechanisms if something goes wrong. And I’m not sure whether the Privacy Commissioner has been given enough teeth.”
In Australia, reforms to privacy law came into effect in March 2014. The reforms give the Office of the Australian Information Commissioner the ability to seek civil penalties up to A$1.7 million in cases of serious or repeated breaches of privacy.
Report by Luke Harrison.
Cookies are pieces of data that websites store on your computer or mobile device. They allow websites to “remember” your actions or preferences.
Online retailers use cookies for different purposes. Some use cookies to keep track of items you’ve placed in an online shopping cart. Others use them to deliver ads relevant to something you’ve searched in the past.
You can ask your browser to delete or block cookies: simply search online for “cookies” + the name of your internet browser (eg “Google Chrome”) for step-by-step instructions.
If you block all cookies, you’ll find some websites won’t work properly – consumer.org.nz is one. A less restrictive option is to block third-party cookies only. These are the cookies used to track your browsing history for marketing purposes.
Web beacons are invisible tags embedded in web pages or emails.
When you load a page with a beacon, it notifies the website’s server you’ve opened it. This allows the site to gather statistics such as who opened the page, when it was opened and the number of times it was opened.
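To make the beacon mechanism concrete, here is an added example (not part of the original article) that scans an HTML email or page for images likely to be web beacons: remote images that are 1x1 pixel or hidden with CSS. The sample HTML, host names and parameter names are constructed for illustration, and the two checks are heuristics, not a complete detector.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: one ordinary image and two beacon-style images.
SAMPLE_HTML = """
<p>Thanks for your order!</p>
<img src="https://shop.example/img/banner.png" width="600" height="120" alt="Sale">
<img src="https://track.example/open.gif?uid=12345&amp;campaign=spring" width="1" height="1">
<img src="https://metrics.example/p?e=view" style="display: none">
"""

def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel."""
    return value is not None and value.strip().rstrip("px") in ("0", "1")

class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that look like web beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src.startswith(("http://", "https://")):
            return  # only a remote image makes a request back to a server
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 pixel or smaller")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            url = urlparse(src)
            self.findings.append({
                "host": url.hostname,                   # server that is notified
                "reasons": reasons,                     # why it was flagged
                "params": sorted(parse_qs(url.query)),  # data names sent along
            })

def find_beacons(html):
    # Return one finding per suspected beacon, in document order.
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML):
        print(finding)
```

The `params` field lists what the image request carries to the server, which is how a beacon can tie an "opened" event to a particular recipient.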
Behavioural advertising is where a consumer’s online activity is used to serve up targeted ads. If you’ve ever wondered why the skirt you like on site A is advertised on site B, the answer is behavioural advertising. Here’s an example of how it works:
Of 467 participants, 87 percent had bought a product or service online in the past year. While carrying out these transactions, most people handed over their name, home and email addresses, credit/debit card details and billing address. But others had also provided:
Survey participants trusted banks, health institutions and government agencies the most out of the organisations that collected their personal data. Online dating agencies (both here and abroad) and online gaming companies were the least trusted.
The five most common online data protection tools and strategies employed by survey participants were:
Men were significantly more likely to delete cookies than women (77 percent vs 67 percent); use a pseudonym (30 percent vs 18 percent); and delete their online search history (68 percent vs 50 percent).