Until a few decades ago, companies had limited opportunities to gather information on consumers other than through avenues such as subscriptions, loyalty cards or competitions.

But now, thanks to the digital revolution, online retailers can gather more data about visitors to their sites – often without those visitors knowing just how much information is being collected.

A 2014 survey for the Privacy Commissioner found 80 percent of respondents were concerned about the security of their personal information online.

Professor Miriam Lips, chair in e-Government at Victoria University of Wellington, says: “A lot of people feel way too much information is being asked about them online. And, also, they think a lot of the information they’re asked to provide is of little relevance to the actual transaction.”

The grapevine

Professor Lips says people are aware information is being collected about them but “they don’t have a clue on how it’s happening, who is doing it, who’s processing it and so on”.

When browsing online, you may actively hand over personal data. If you buy an item from an online retailer, you’ll likely supply your credit card number and shipping details. You may volunteer further information if you set up an online account, sign up to a loyalty scheme or fill out a satisfaction survey.

However, data can be observed and collected by companies via cookies and other technology (see Tools of the trade) even if you don’t buy anything. This data can include:

  • your location (your IP address)
  • the products you viewed
  • the device you viewed them on
  • other sites you visit.

Beyond your desktop, a number of electronic devices can also transmit your data. Mobile phone apps can track your location, smart TVs can observe your viewing habits and fitness trackers can monitor your activity levels. There’s even a term for all this information generated by connected devices: the internet of things.

Knowledge is power

On the plus side, consumer data can be used to develop new and improved products and services.

For example, a clothing designer may use the browsing and purchase history of its customers to inform new season designs and serve up products tailored to individual tastes (“you may also be interested in …” messages). It may also use website analytics – such as the time it takes customers to navigate its billing process – to fix snags.

But the most recognised use of consumer data is for advertising. Online advertising includes:

  • Paid-for search: where a retailer pays for its website to be listed in search results.
  • Display advertising: where a retailer pays to have banners and videos pop up on other organisations’ sites (see Tools of the trade).

Marketers argue targeted advertising is beneficial: consumers are more likely to receive relevant content – and retailers more likely to make a sale – if ads are based on individual preferences. However, a survey in July 2014 by the UK’s Royal Statistical Society found many consumers did not like the practice: 71 percent of respondents thought online retailers shouldn’t look at the browsing history of their customers and send targeted ads.

The collection of personal data also has potential downsides for consumers. Fraud is the most obvious drawback, but price discrimination is another. Here, some people are charged a higher price than others for the same product. The online clothing designer could theoretically charge a consumer more if he or she has a history of costly purchases.

Some forms of price discrimination are already widely practised by businesses – and accepted by consumers. Consider loyalty schemes, such as Countdown’s Onecard, which gives members access to discounts in exchange for personal details and continued business. But what if you were made to pay more for a product and you didn’t know about it?

Price discrimination based on personal data is technically possible (see Airline pricing) but finding evidence it’s happening is another matter. In June 2015, the UK’s Competition & Markets Authority published the results of a call for information on the commercial use of consumer data. It received no clear examples of price discrimination being used to the detriment of consumers.

Your rights

Usually a company’s data collection practices are set out in its privacy policy. However, sometimes these policies can leave a lot to be desired. Some are packed with legalese whereas others are ambiguous. Clauses such as “we may share your data with third parties for purposes including analysis” give retailers maximum wiggle room to reuse personal information.

Professor Lips says her survey research (see Kiwis online) found only 25 percent of New Zealanders typically read and understand privacy policies. Most of us simply “tick the box” if that’s what’s needed to proceed with a transaction. “People are signing off their rights, but they don’t really understand what they’re doing.”

According to Professor Lips, most of us are privacy pragmatists: “we know we have to give up information in order to get a service.”

But she says many people feel companies ask for too much information about them. So what rules should a company follow when collecting personal information and what are your rights?

Under the Privacy Act 1993, “agencies” (organisations such as online retailers) must stick to certain principles. For instance, they must:

  • make all reasonable efforts to tell people if their information is being collected and for what purpose
  • only collect personal information where it’s needed for a specific purpose and only use the information for the purpose it was collected
  • ensure the information is protected against loss, misuse or unauthorised disclosure.

You also have certain rights under the Act. You can:

  • ask an organisation to confirm if it holds any information about you
  • apply for a copy of the information it holds
  • request information is amended where necessary.

While the Privacy Commissioner can investigate and mediate a privacy complaint, it can’t fine, prosecute or order an organisation to pay compensation. However, it can refer your complaint to the Director of Human Rights Proceedings if it believes you’ve suffered an “interference of privacy”. The director will decide whether to take your complaint to the Human Rights Review Tribunal.

You can also take your complaint to the tribunal, but only if you’ve tried and failed to resolve it through the Office of the Privacy Commissioner.

Changes afoot

In 2014, former Justice Minister Judith Collins announced reforms to the Privacy Act. Among the proposed changes, organisations will have to report data breaches to the Privacy Commissioner and notify affected individuals in serious cases. Organisations that fail to notify the Commissioner of a data breach – or obstruct an investigation by the Commissioner – could be fined up to $10,000. The same penalties apply to those who impersonate someone to gain access to personal information.

These reforms are intended to “give people greater confidence that agencies are handling their information appropriately”. But do they go far enough?

Professor Lips has doubts: “As personal data becomes more valuable, well, it becomes a more attractive target for thieves etc. So we need stronger protections. Part of that is about providing the Privacy Commissioner with more intervention mechanisms if something goes wrong. And I’m not sure whether the Privacy Commissioner has been given enough teeth.”

In Australia, reforms to privacy law came into effect in March 2014. The reforms give the Office of the Australian Information Commissioner the ability to seek civil penalties up to A$1.7 million in cases of serious or repeated breaches of privacy.

Report by Luke Harrison.