28 October 2024

The alchemy of data brokers

Jonathan Gadir
Senior Consultant

elevenM’s Jonathan Gadir unpacks what it is that data brokers actually do, and how they manage to fly under the radar of privacy law.

Earlier this year the ACCC published its Digital platform services inquiry Interim report 8: data products and services – how information is collected and used by data firms in Australia.

What this report makes clear is that there is a flourishing and profitable industry in the trade of personal information. Yet, paradoxically, many of the key players in this industry claim that they do not collect, use or disclose personal information.

In this blog, we’ll look at what data brokers do, the privacy impacts of the data broking market, and ways for consumers and businesses to understand, manage and reduce those risks. Let’s start by looking at how the data broker business model works, and how it is that data brokers can claim they don’t collect, use or disclose personal information.

What data brokers do

Data brokers are companies that buy and sell information to help other businesses know more about their existing or potential customers. This includes data enrichment, profiling and segmentation (i.e. data to sharpen marketing, advertising and consumer intelligence), data to enable risk management (e.g. for identity verification and fraud detection), and property purchase data from governments and conveyancing platforms for businesses in the real estate and property development sector.

It is only a footnote on page 55 of the ACCC report, but it is worth pausing to consider some of the data types that go into data brokers’ products. They include:

  • Publicly available data on company structures, ownership and directorship details, shareholder data, financial data, business-to-business payment data, and business size and turnover data.
  • Personal data including names, email addresses, phone numbers and dates of birth.
  • Demographic data including age, gender, education, occupation, household income, ethnicity and marital status.
  • Location data including consumers’ location history and the geographic area they live in.
  • Financial and transaction data including spending and purchasing behaviour.
  • Psychographic data including information on consumers’ attitudes, interests, activities, lifestyle and values.
  • Behavioural data including information on social media use and engagement with TV and radio programs or particular advertising campaigns.
  • Search history data including online search terms, IP addresses, device or advertising IDs and device fingerprints.
  • Advertising-related metadata, such as what video and audio a person is watching or listening to and for how long.
  • Property-related metadata including details of when and how consumers access a property listings website (e.g. browser and device type, IP address and date and time of access).
  • Property-related personal data including the financial history of prospective tenants or home loan applicants. Postcode-level demographic data may include school, hospital and property zoning information, nearby public transport facilities and data on supply and demand in the suburb where a property is located.
  • In a risk management context, device attributes data including whether an individual’s device details match those of any devices used in known fraudulent activities.
  • Biometric data including facial recognition data.

How do data brokers get their data?

While some data brokers kept their methods close to their chests, it’s clear from submissions to the ACCC that they often pay other companies, or strike commercial deals with entities that hold large volumes of consumer data.

What emerges is that so much data is available from public sources (e.g. census data, property market data) that it is possible to create detailed datasets of personal information by stitching together bits and pieces from a multitude of different sources. The Australian Consumer Policy Research Centre (CPRC) called data brokers “data alchemists of the modern world”, mining and refining all sorts of data about us, then curating it and selling it to the highest bidder.
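
To make the ‘stitching’ concrete, here is a minimal, purely illustrative sketch (the sources, field names and values are all hypothetical) of how fragments from unrelated datasets can be joined on shared quasi-identifiers – a hashed email address and a postcode – to build a profile richer than anything a single source holds.

```python
import pandas as pd

# Hypothetical fragments from three unrelated sources. No single field here
# obviously identifies anyone on its own.
loyalty = pd.DataFrame({
    "email_hash": ["a1f3", "b7c9", "d2e8"],
    "postcode": ["2010", "3056", "4000"],
    "avg_weekly_spend": [142.50, 310.00, 89.90],
})

app_sdk = pd.DataFrame({
    "email_hash": ["a1f3", "b7c9"],
    "device_id": ["dev-001", "dev-002"],
    "night_time_location": ["-33.88,151.21", "-37.77,144.96"],  # inferred home
})

area_stats = pd.DataFrame({
    "postcode": ["2010", "3056", "4000"],
    "median_household_income": [112_000, 98_000, 87_000],
})

# The "stitching" is just a series of joins on shared keys (quasi-identifiers).
profile = (
    loyalty
    .merge(app_sdk, on="email_hash", how="left")   # link spend to a device and a home location
    .merge(area_stats, on="postcode", how="left")  # enrich with area-level demographics
)

print(profile)
```

Each input looks unremarkable on its own; the joined result is a per-person picture of spending, movements and inferred income.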

Experian provided the ACCC with some further information, which can be used as a rough guide to what others in the industry are doing. Experian says it gets its data from:

  • consumer competitions
  • consumer research groups
  • software development kits (tools provided to app developers for free in exchange for the information that can be collected from the apps once they are released into users’ hands)
  • mobile apps (based on user permissions)
  • pixels (based on user permissions).

The last three are the most problematic from an individual privacy perspective because they are based on the fiction that when people download an app or browse the web, they are consciously giving some kind of meaningful permission based on the fine print in the terms of use.

And even if someone does read the conditions they are consenting to when using an app or website, they are unlikely to understand, let alone be able to track, the complex web of data sales that follows.
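
To see why that ‘permission’ is so thin, here is a minimal, hypothetical sketch of the server side of a tracking pixel (it does not describe any particular broker’s implementation). A single request for a 1x1 image hands over signals that can later be matched against other datasets, before the user has knowingly shared anything.

```python
import io
from flask import Flask, request, send_file

app = Flask(__name__)

# A 1x1 transparent GIF, embedded invisibly in web pages or marketing emails.
PIXEL = bytes.fromhex(
    "47494638396101000100800000000000ffffff"
    "21f90401000000002c000000000100010000"
    "02024401003b"
)

@app.route("/pixel.gif")
def pixel():
    # Signals available from one image request, with no form filled in:
    observed = {
        "ip": request.remote_addr,                        # approximate location
        "user_agent": request.headers.get("User-Agent"),  # device/browser fingerprint input
        "referer": request.headers.get("Referer"),        # the page or email being viewed
        "cookie_id": request.cookies.get("uid"),          # cross-site identifier, if previously set
        "campaign": request.args.get("c"),                # which ad or email triggered the load
    }
    print(observed)  # in practice this would be logged and matched to other datasets
    return send_file(io.BytesIO(PIXEL), mimetype="image/gif")
```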

What are the privacy impacts of data broking?

Some datasets contain personal information as defined by the Privacy Act (like a name or possibly an email address). However, many of these datasets don’t – for example, a record showing that a particular credit card has transacted at certain retailers.

Despite the seeming innocuousness of each dataset by itself, when combined, the data can have serious impacts on individuals. At the low end of the scale, large datasets can be used for targeted advertising. At the high end of the scale, they can be used to charge individualised prices based on a fine-grained analysis of an individual’s buying habits, income and inferred willingness to pay – what is known as surveillance pricing.
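
As a purely hypothetical illustration of how that could work (the scoring rule and profile fields below are invented, not taken from the ACCC report), a broker-supplied profile could feed directly into the price an individual is quoted:

```python
from dataclasses import dataclass

@dataclass
class Profile:
    # Hypothetical attributes a broker-supplied segment might contain.
    avg_monthly_spend: float      # from transaction data
    income_band: int              # 0 (lowest) to 4 (highest), inferred from demographics
    price_comparison_visits: int  # behavioural data: how often this person shops around

BASE_PRICE = 100.00

def personalised_price(p: Profile) -> float:
    """Toy scoring rule: charge more to people inferred to be less price-sensitive."""
    willingness = 1.0
    willingness += 0.05 * p.income_band                       # higher inferred income, higher price
    willingness += min(p.avg_monthly_spend / 10_000, 0.10)    # heavy spenders pay a little more
    willingness -= 0.03 * min(p.price_comparison_visits, 5)   # frequent comparers get a discount
    return round(BASE_PRICE * willingness, 2)

print(personalised_price(Profile(4_000, 4, 0)))  # 130.0 for the affluent, loyal customer
print(personalised_price(Profile(800, 1, 5)))    # 98.0 for the price-sensitive comparison shopper
```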

Ultimately, most people are in the dark about how (and how much) data is collected about them, combined to make inferences, and sold to other companies. Indeed, it can be all but impossible to track down every instance of your data in a dataset and have it removed.

Here we realise how limited our current definition of personal information is. Because the concept is tied to information about individuals who are reasonably identifiable, information that can be used to target an unidentified individual may escape the protections afforded by the Privacy Act. Indeed, the Attorney-General’s Department has recommended amending the Privacy Act to place limitations on how ‘deidentified information’ and ‘unidentified information’ may be used to target individuals — a proposal which has received a somewhat mixed response from the Government, and which has not been addressed in the upcoming ‘first tranche’ of privacy reforms.

Future-proof your reliance on data products and services

Companies should be considering how they can achieve their marketing, advertising and consumer research goals in ways the public won’t consider creepy or invasive.

Direct consent with internally managed lists and analytics is one approach we have seen, as is a more robust approach to deidentification of datasets. Whatever approach you take, it’s important to future-proof potentially expensive data-driven strategies against a tighter definition of personal information that may be coming. Or simply against customer backlash.
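
On the deidentification point, one simple safeguard (deliberately simplified here) is to test quasi-identifier combinations for k-anonymity before an extract is shared or matched. The sketch below uses invented column names and a toy dataset; real programs go further with generalisation, suppression and re-identification testing.

```python
import pandas as pd

def k_anonymity(df: pd.DataFrame, quasi_identifiers: list[str]) -> int:
    """Return k: the size of the smallest group sharing the same quasi-identifier values.
    k = 1 means at least one record is unique on these fields alone."""
    return int(df.groupby(quasi_identifiers).size().min())

# Hypothetical "deidentified" marketing extract: names removed, quasi-identifiers retained.
extract = pd.DataFrame({
    "postcode": ["2010", "2010", "3056", "3056", "4000"],
    "age_band": ["30-34", "30-34", "30-34", "65-69", "30-34"],
    "gender": ["F", "F", "M", "F", "M"],
    "avg_spend": [120.0, 95.0, 210.0, 60.0, 310.0],
})

k = k_anonymity(extract, ["postcode", "age_band", "gender"])
print(f"k = {k}")  # k = 1 here: some records are unique, so the extract is re-identifiable
if k < 10:  # the threshold is a policy choice, shown purely for illustration
    print("Do not release: generalise or suppress quasi-identifiers first.")
```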

Contact us

elevenM has provided detailed advice on this to some of Australia’s biggest consumer brands and has developed deep expertise in privacy-compliant use of consumer data and data broker products and services. If you’re interested in learning more about implementing robust privacy controls, get in touch.