August 1, 2023

Asbestos or oil? Why it’s time to walk away from third-party data as government guns for brokers

As the digital platform services inquiry turns its attention to third-party data brokers, businesses would be right in thinking data opportunities are on par with the risks.

“Insecure data is the new asbestos.” So said Paul Dorey, director of research company CSO Confidential. His comments usurped British mathematician Clive Humby, who in 2006 called data the “new oil”.

Humby’s view was that data’s value lies in its potential. Like oil, it’s not useful in its raw state. It needs to be processed. On the other hand, Dorey suggested data that isn’t stored and managed safely exposes companies to major health risks. 

Over the intervening years, both phrases have become clichéd, their meaning lost in endless misappropriation and over-use. Yet, somewhat paradoxically, both are still as true today as they were when first said. 

Right now, Australian organisations are sitting on mountains of data with untold potential. But unless that data is managed properly, the potential for risk could be worth even more than untapped revenue.  

The challenge for businesses today is how to collect, process and refine data so it’s useful while protecting it, meeting privacy legislation requirements, and somehow convincing customers to give it to you in the first place.  

How the heck do you do that? 

Walk away from third-party data 

As part of the ongoing digital platform services inquiry, the ACCC has now turned its attention to third-party data brokers.  

Commission chair Gina Cass-Gottlieb says Australians are “in the dark” about their data being collected and on-sold.  

Looking at the Privacy Act Review Report’s Spectrum of Personal Information with this lens, even data with a low-risk classification of de-identification could be protected. 

If you haven’t already cut your supply of third-party data and instead pumped your investment into collecting first-party data, this is a great reason to make the leap.

Unsure if you’re working with first, second or third-party data? Here’s how you can tell.  

First-party data is data you collect from your customers directly. It could be sales data or information about how they navigate your website.  

Second-party data is bought directly from organisations that collected it. While you at least know its provenance and how it’s collected, often it’s behind a marketing-proof fence. The data Facebook lets you use to target campaigns is an example. 

Third-party data, on the other hand, is data you buy from outside sources. Aggregators purchase huge swathes of data and use it to categorise people demographically, psychographically and behaviourally.  Increasingly it’s out of date or inaccurate. And to make matters worse, there are no global guidelines, rules, or agreed approaches on how to collect it. So it may not be what you expect it to be.  

Since long before the ACCC started noticing, we’ve been advising businesses to be careful with third-party data.

Ask your media agency where they are getting their data 

Even if you’re well down the track of first-party data collection, take the time to revisit how you’re collecting data and where it’s stored.  

Specifically, ask your media agency how they are creating target audiences. 

With Quantium (and its partners CommBank and Woolworths) included in the ACCC’s hit list, right now, I wouldn’t make a song and dance about being associated with any aggregated data services. That includes payment data. 

As this 2015 study demonstrated, it takes just three or four transactions to be 90 per cent successful in finding a match when combining anonymised payment data. Now it seems the ACCC has figured that out, too. 

Instead, invest your martech budget in systems that will protect your customer data. This includes a move to server-side tagging for full control of where cookie data is sent.  

Stop collecting every piece of data  

It may seem obvious, but it’s important to decide in advance what you’re going to do with the data you collect. The days of collecting everything and worrying about its use case later have long passed. 

As customers become warier about what companies collect and how they use it, showing the data exchange value is good practice.  

Spell out what your customers get by providing you with their information.  

Thinking about this now will also help with your messaging once privacy legislation in Australia becomes stricter. 

Don’t take a band-aid approach 

As you’re no doubt aware, sweeping changes are coming following the Attorney-General’s Department’s light read, the 314-page Privacy Act Review Report 2022.

Broadly there are two options in the proposal relating to consent for data collection and use: 

  1. Opt-in – the route the European Union took with GDPR asking for permission before you collect data. Cue cookie pop-ups when visiting European websites. 
  2. Opt-out – the Californian CCPA route where a “Do Not Sell or Share My Personal Information” link or button must be provided on the homepage of the website. This means users are opted in by default and granular opt-outs from specific sales of personal information can be provided. 

Many businesses have applied a band-aid approach by installing consent management tools to keep up with the implementation in these two markets.  

However, these tools often fail to meet compliance due to poor configuration or lack of technical capability.  

The result is a gap between perceived and actual compliance. For example, just because you have a tool such as a cookie pop-up or consent management tool on your website, doesn’t mean it’s working as intended. 

In the EU, thousands of businesses unknowingly remain non-compliant with GDPR, leaving both consumers and businesses vulnerable.

Between 2020 and 2021 the number of reported GDPR violations increased by 113.5 per cent while the number of GDPR fines grew by 594 per cent.  

A total of €1.64b ($2.6b AUD) in fines were issued by European data regulators in 2022 alone, with ad-tech and behavioural advertising as top enforcement priorities. 

This resonates with Matthew Hauk, COO of global cyber security firm Ensighten.  

Speaking to Digital Balance clients recently, he said, “Australian businesses have had the benefit of a longer runway before the global trend of regulating personal information on the internet arrives at their shores. But that is no excuse for kicking the can further down the road. 

“The future of marketing and customer loyalty will rely heavily on how consumers perceive brands and how trustworthy they deem them to be. Those who make efforts to safeguard and protect their customers will be rewarded with more access and greater commercial advantage.” 

While we still don’t know which route the Australian government will take, the Privacy Act Review does not propose increasing the circumstances in which notices should be provided or consent obtained. Which could be a clue that the opt-out approach is preferred. 

Either way, Australian businesses need to ensure they aren’t merely applying a band-aid when the time comes to act. 

Secure your data. Now 

Finally, if you’re collecting customer data but don’t have specific website security controls in place, your business is vulnerable to data leakage.  

As the examples of Medibank, Optus and Latitude Finance have shown us, security needs to be a priority for you and, most importantly, your customers. Otherwise, all the work you’ve put into managing your greatest asset will be for nothing. 

While I’m loath to continue the cliché, it’s clear data retains its status as the new oil. The potential is massive. But it also remains the new asbestos.

It took years for people to realise and accept the risks of dealing with the dangerous building material. Let’s learn from history and not drag our feet with data; we don’t need to endure the same asbestos-like pain in recognising its dangers. 
