Data protection and privacy: Investigations, tips, guides and advice - ĚÇĐÄVlog /data-protection-and-privacy You deserve better, safer and fairer products and services. We're the people working to make that happen. Wed, 08 Jul 2026 07:54:20 +0000 en-US hourly 1 https://wordpress.org/?v=6.9.4 /wp-content/uploads/2024/12/favicon.png?w=32 Data protection and privacy: Investigations, tips, guides and advice - ĚÇĐÄVlog /data-protection-and-privacy 32 32 239272795 Healthcare services violated privacy by enabling targeted ads /data-protection-and-privacy/data-collection-and-use/how-your-data-is-used/articles/healthcare-services-violated-privacy-by-enabling-targeted-ads Wed, 08 Jul 2026 07:54:18 +0000 /?p=1254974 The Privacy Commissioner found that two health services providers used tracking pixels to secretly collect information.

The post Healthcare services violated privacy by enabling targeted ads appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • Tracking pixels are buried deep in a website’s coding and are often shared with social media companies so they can target you with ads
  • In late 2024, the OAIC took a close look at the use of tracking pixels on 50 health services websites
  • In late June this year, the OAIC determined that the use of tracking pixels by Medmate and Monash IVF amounted to a violation of the Privacy Act

One of the ways we find out our online activity is under surveillance is when an ad for a particular activity or product we search for magically appears on our social media feed.

It probably means a third-party tracking pixel has been following us around, noting the webpages we visit and recording what we click on.

Tracking cookies can do this as well, but they can be deleted and blocked, and they’re fading out of use.

No so with tracking pixels. They’re buried deep in a website’s coding and are often shared with social media companies so they can target you with ads based on your online activity. When it’s an item of clothing or a new pair of headphones you’ve been googling , that’s one thing, but it can get a lot more personal.

Long-held privacy concerns

The Office of the Australian Information Commissioner (OAIC), which houses the Privacy Commissioner, has long held concerns about how tracking pixels can pry into our personal business, especially when it comes to matters of health.

In late 2024, the OAIC took a close look at 50 health services websites, including providers of mental health services, healthcare for children, pharmaceutical products and fertility services.

Nearly all (96%) used tracking technologies, and more than half (52%) used third-party tracking pixels. In this latter group, more than three-quarters (77%) neglected to disclose the fact that they were using tracking pixels in their privacy policies.

The OAIC, pursuing what it calls a “risk-based and proportionate approach” to regulation, then narrowed the list of 50 websites down to 12 based on the sensitivity of the information the tracking technologies were collecting and the health services being offered.

All 12 websites used more than one third-party tracking pixel, including one provided by Meta in every case. Half the sites used the TikTok tracking pixel, while a quarter used one provided by Snapchat.

Tracking your every click

Several aspects of a visitor’s browsing activity were transmitted to social media platforms via these tracking pixels, including the full URLs of the webpages visited, button clicks, website searches, and time and date stamps – the kind of data used to build profiles and direct targeted ads.

Very few people would have had the knowhow to detect that their web browsing activity was being monitored, or that their browsing activity was being shared with their social media providers.

The OAIC investigation revealed that the information transmitted via tracking pixels “can reveal incredibly intimate details about an individual’s life”, including any health conditions you may have, the support services you’re searching for (such as mental health or domestic violence support), which services are recommended, and which medications you add to your cart when shopping on a health provider website.

using telehealth for doctors appointments
The Privacy Commissioner has ruled that healthcare businesses must obtain consent to collect personal data with tracking pixels.

Companies unaware pixels were in use

When the OAIC contacted the 12 health providers, several convincingly claimed that they were not aware tracking pixels were active on their websites.

In one case, an external website design company had left 50 tracking pixels on a health provider’s website without its knowledge, which were removed once the OAIC got in touch. The company had not been aware of the type of information that was being shared with external platforms.

Other health providers knew about the tracking pixels on their websites but assumed any information they harvested from visitors was “hashed”, or turned into digital characters that de-personalise information. This was not the case.

CoCare, a community-based health service provider that specialises in mental health and chronic illness support, added Meta and TikTok pixels to its website on the advice of a marketing firm. Through these platforms, it targeted its first ad campaign at people between the ages of 25 and 30 who had visited its website in the last two weeks. It gleaned their approximate ages and other personal information via the tracking pixels.

Tracking pixels found to breach privacy

In late June this year, the OAIC determined that the use of tracking pixels by two health providers, Medmate (telehealth) and Monash IVF (fertility services), amounted to a violation of the Privacy Act because the website visitors did not consent to having their information used for advertising. The investigation took a year to complete.

… website providers must obtain consent where they’re using tracking pixels

Privacy Commissioner Carly Kind

“Australians have become accustomed to pervasive online tracking and targeted advertising, but that doesn’t mean that they’re comfortable with it,” says Privacy Commissioner Carly Kind.

“In particular when it comes to targeted advertising based on sensitive data, our community attitudes research shows that nine in 10 Australians consider it neither fair nor reasonable to be targeted on the basis of their sensitive health data.”

The OAIC’s decision “establishes that the advanced technology used for tracking and targeting in the online realm still has to be used in compliance with the Privacy Act. That means website providers must obtain consent where they’re using tracking pixels to collect sensitive information, such as data on health, political opinions, race or ethnicity”.

How to detect tracking pixels

  • Free online tools are available that will scan websites and detect the tracking technologies in use. The OAIC has highlighted , which was developed by investigative journalists. 
  • The European Data Protection Board also offers , though it requires a level of tech proficiency that some may not possess. 
  • Browser extensions can inspect websites for tracking technologies, including well-established tools such as , , and .
  • Many social media platforms allow users to view and download the data they have on them. Meta’s , for instance, allows you to see the information that other businesses have shared about you. TikTok users can access such information by selecting Settings and Privacy > Account > Download your data. You can also clear past activity on many social media accounts and adjust settings to prevent your browsing activity across the internet from being used for targeted advertising on the social media platform. 
Marg Rafferty Andy Kollmorgen and Jarni Blakkarly
Get the inside story on our investigations into consumer rip-offs and bad business practices.

Read our privacy policy

The post Healthcare services violated privacy by enabling targeted ads appeared first on ĚÇĐÄVlog.

]]>
1254974 using-telehealth-for-doctors-appointments investigation-team
Will AFCA’s new powers help scam victims get their money back? /money/banking/everyday-banking/articles/will-afcas-new-powers-help-scam-victims-get-their-money-back Wed, 24 Jun 2026 07:21:47 +0000 /?p=1231028 Starting in March 2027, the national dispute resolution service will become a one-stop-shop for scam complaints.

The post Will AFCA’s new powers help scam victims get their money back? appeared first on ĚÇĐÄVlog.

]]>
It seems a matter of common sense that scam victims would need to know who controls the accounts they sent their stolen money to.

But currently banks have no obligation to assist people who aren’t customers. It leaves people with nowhere to turn, and it’s just one of the many ways victims are hung out to dry. 

It wasn’t until March last year that the Australian Financial Complaints Authority (AFCA) even gained the power to investigate the role that banks play in allowing scammers to set up mule accounts to receive the ill-gotten gains.

Receiving banks have been central in the execution of scams from the beginning, yet even now a scammer can set up an account in another person’s name using only a stolen driver’s licence.

Currently banks have no obligation to assist people who aren’t customers, and it leaves people with nowhere to turn

In 2024, we reported on the case of a family that had sent a total of $2.5 million to scammer accounts at Westpac, ANZ, Commonwealth Bank, and Bendigo Bank. None of these banks would assist the victims, and none faced any accountability for inadvertently allowing criminals to hijack their services.

In March this year, we reported the story of a woman whose identity had been used to set up accounts at Great Southern Bank. When she contacted the bank for assistance, she received very little.

The woman in this case lodged a complaint with AFCA, but the dispute resolution service couldn’t intervene because Great Southern Bank was legally prohibited from sharing bank account information with non-customers, even if the account had been set up by a scammer. 

AFCA gets new powers help scam victims

AFCA acting chief executive officer and chief ombudsman, Dr June Smith.

But times are changing. Starting on 31 March 2027, AFCA will be the sole body responsible for dealing with scam complaints, and it will have the jurisdiction to consider the role that banks, telcos and digital platforms play in failing to prevent them.

AFCA will theoretically be able to order banks to compensate victims if they played any role in the execution of a scam and were negligent in their duty to stop it.

The designation is part of the federal government’s still-evolving Scams Prevention Framework (SPF).

“We have significant experience handling complex complaints at scale, and we’ll be using that experience to build an effective and accessible service,” says AFCA acting chief executive officer and chief ombudsman Dr June Smith.

“They are increasingly sophisticated and they leave people facing devastating financial and emotional consequences,” she says.

AFCA will theoretically be able to order banks to compensate victims if they played any role in the execution of a scam and were negligent in their duty to stop it

AFCA’s Chief Scams Officer, David Lacey, says scams “are one of the most significant issues affecting consumers today”.

Under the Scams Prevention Framework, most banks, telcos and digital platforms operating in Australia will be required to become AFCA members and be bound to its rulings from 1 September this year.

“We recognise the complex nature of modern scams and the need for fair outcomes for victims and the organisations involved,” Lacey says.

What the Scams Prevention Framework won’t cover

Last year, scammers stole a collective $2.18 billion from Australians, and much of the thievery occurred by way of phone calls and text messages – but these won’t be covered under the SPF since they don’t meet the definition of digital platforms in the legislation.

The same goes for email service providers, dating apps, online marketplaces, app stores and gaming platforms, all of which are increasingly becoming fertile ground for scammers. ĚÇĐÄVlog pointed out these shortcomings to the federal government in a submission leading up to the finalisation of the SPF.

Much of the thievery occurred by way of phone calls and text messages – but these won’t be covered under the Scams Prevention Framework

The potential damage is considerable. Australians lost $139 million to romance scams in 2025, for instance, many of which would have been perpetrated by online contacts not covered by the framework.

An AFCA spokesperson tells ĚÇĐÄVlog that the service is currently in the process of determining how it will deal with scam complaints under its SPF duties.

“Our priority now is building and designing the Scams Prevention Framework EDR [External Dispute Resolution], which will provide victims of scams an independent external dispute mechanism to consider each case and whether banks, telecommunications providers and digital platforms have met their obligations under the SPF codes,” the spokesperson says.

AFCA remains supportive of reform, recognising that the current legislative frameworks available to scam victims are insufficient

The extent to which the designated sectors will be held accountable, however, is a work in progress.

“These codes are currently subject to public consultation and remain unsettled. Nevertheless, AFCA remains supportive of reform, recognising that the current legislative frameworks available to scam victims are insufficient.”

The post Will AFCA’s new powers help scam victims get their money back? appeared first on ĚÇĐÄVlog.

]]>
1231028 doctor june smith
How much money is big tech making from us? /data-protection-and-privacy/data-collection-and-use/who-has-your-data/articles/how-much-money-is-big-tech-making-from-us Tue, 09 Jun 2026 03:16:02 +0000 /?p=1200188 According to one eye-opening analysis, our personal information is worth trillions to tech platforms and AI companies.

The post How much money is big tech making from us? appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • The Switzerland-based Web3 Foundation reports that the commercial value of an average internet user’s data over their lifetime is USD$160,000 (roughly $225,000 in Australian dollars)
  • Big names like Amazon, Alphabet (Google), Microsoft, Meta and Anthropic are especially adept at monetising our personal information
  • Meanwhile, only 4% of Australians trust AI companies to protect their privacy, and only 3% trust social media platforms

There was once a time when the internet was not dominated by a handful of increasingly powerful companies making untold billions.

But that was before we realised how much data we’ve been giving away and what the big companies were doing with it.

If you’ve wondered how much this data is really worth, a research firm has finally put a number on it. It’s a lot of money.

The Switzerland-based Web3 Foundation reports that the commercial value of an average internet user’s data over their lifetime is USD$160,000 (roughly $225,000 in Australian dollars). 

That value adds up to a much bigger amount – $745 trillion – if applied to the world’s six billion internet users over a period of 60 years, which was the researchers’ chosen timeframe. 

The modern digital economy is powered by human data, yet the people generating that value have little visibility, control or participation in the upside

Web3 founder Gavin Wood

Big names like Amazon, Alphabet (Google), Microsoft, Meta and Anthropic are especially adept at monetising our personal information.

This is not just ad revenue we’re talking about: it’s the commercial value of our online searches, clicks, locations, purchases, prompts, messages, images, preferences and behavioural signals. It’s all grist for the mill.

“For too long, the internet has operated on an implicit bargain that users do not fully understand – convenience in exchange for surveillance,” says Web3 founder Gavin Wood.

“The modern digital economy is powered by human data, yet the people generating that value have little visibility, control or participation in the upside.”

Toward a user-led internet

Web3 Foundation – which says it develops decentralised web software “with a focus on giving users greater control over their identity, data, digital assets and online interactions” – admits that the numbers are more of a benchmark than a precise calculation.

But the company’s report, The Hidden Price of Free: What Your Data Is Really Worth, comes with a detailed explanation of its methodology, which involved assessing the practices of 129 major tech companies.

“For decades, digital platforms have been built around centralised control, where users hand over their data, identity and value in exchange for access to services,” says Web3 vice president of technical operations Bill Laboon. “The internet does not have to work this way.”

For decades, digital platforms have been built around centralised control, where users hand over their data, identity and value in exchange for access to services

Web3 vice president of technical operations Bill Laboon

He adds that as “AI accelerates and data becomes even more valuable, building a more transparent, user-led internet is becoming increasingly urgent”.

The report breaks down the revenue calculations, going from lowest to highest, into ‘conservative’, ‘central’ and ‘expansive’ scenarios.

The conservative scenarios of Personal Data Annual Value are eye-opening enough: 

  • Globally – $485 per person per year
  • USA – $4816 per person per year
  • North America – $3390 per person per year
  • UK and Europe – $938 per person per year
  • Rest of the world – $155 per person per year

The Web3 report declares itself “a vital benchmark for understanding the scale of commercial value associated with personal data”.

“It shows that the current internet economy depends on a vast transfer of value from individuals to companies, usually without meaningful visibility, bargaining power, compensation or control”, the researchers write.

Only 4% of Australians trust AI

The global extrapolations of the value of our data come at a time when trust of its most powerful processor, AI, has hit an all-time low. 

According to the latest Australian Community Attitudes to Privacy Survey (ACAPS) report released by the Office of the Australian Information Commissioner (OAIC) in late May, only 4% of Australians trust AI companies to protect their privacy, and only 3% trust social media platforms. 

Australian Privacy Commissioner Carly Kind says the findings show that the AI sector has a long way to go to get the right privacy protections in place.

The survey’s findings mirror the rise in privacy complaints received by the OAIC – which have increased by 73% this financial year to date

Australian Privacy Commissioner Carly Kind

The ACAPS report “points to a community that places a high value on privacy, but does not consistently experience privacy protections as workable in practice,” Kind says.

“The survey’s findings mirror the rise in privacy complaints received by the OAIC – which have increased by 73% this financial year to date. Our efforts are delivering positive outcomes for the community, including speedier complaint timeframes, but community concern continues to grow at an alarming rate.”

  • Only 1 in 10 respondents say organisations’ online practices are usually fair, while 35% say they are mostly or always unfair.
  • Around two-thirds of Australians (68%) say they would be more likely to use digital services requiring personal information if they knew their data was handled fairly and responsibly.

The post How much money is big tech making from us? appeared first on ĚÇĐÄVlog.

]]>
1200188
How to spot a deepfake video scam /data-protection-and-privacy/protecting-your-data/data-privacy-and-safety/articles/deepfake-video-scams Thu, 28 May 2026 22:40:00 +0000 /?p=1182812 AI clones of people you might trust are harder to spot than you think. Here’s what to watch out for.

The post How to spot a deepfake video scam appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • Deepfakes are digital clones of trusted people’s faces, bodies and voices that scammers use to steal money and information
  • Research shows these synthetic talking heads are harder to spot than many Australians think
  • Being wary of suspicious online advertisements and looking for glitches on peoples’ faces in videos can help keep you safe

Could you spot an AI-generated face? Research shows many of us think we can, but actually we can’t.

This poses a risk when criminals are deploying digital clones of trusted individuals in online advertising and video calls as part of elaborate schemes designed to con you out of your savings and sensitive personal information.

Relentless advances in generative artificial intelligence (AI) technology mean these synthetic shills are looking more and more like people you might be willing to send money or information to.

On this page:

A growing threat

Gary* wasn’t fully aware of the power of generative AI when, in 2023, he came across a video ad on Facebook appearing to feature Elon Musk.

“There was nothing really in the news about anything like that and AI hadn’t really moved forward. There was Elon Musk, as far as I knew,” the NSW resident explains.

The ad saw the world’s richest man spruik an investment opportunity in cryptocurrency while other prominent individuals nodded along.

“He was surrounded by [Anthony] Albanese, [Julia] Gillard, [Gina] Rinehart and a few other well-known Australians and TV commentators, and he was saying: ‘I’m only giving this out to 45 people’.”

Gary lost money to an investment scam promoted by a deepfake of Elon Musk. Image: Cybertrace

Gary registered his interest and was soon contacted by phone. He says he and his wife were persuaded to invest hundreds of thousands of dollars into the venture.

He says he only realised it was a scam when he wasn’t able to withdraw any of their money.

Looking back, Gary admits the video had signs of being AI-generated and says he still comes across similar clips on social media.

High-profile entrepreneurs like Musk are a favourite for deepfake scammers wanting a famous face to lend credibility to their malicious schemes.

At the end of last year, NAB intervened to stop a customer from sending $100,000 to someone appearing to be Kevin Costner

And it’s not just talking tech heads drawing people in – at the end of last year, NAB revealed it had intervened to stop a customer from sending $100,000 to someone appearing to be Kevin Costner.

The bank said the customer had been speaking to an AI-generated clone of the Hollywood actor via video call and believed the money was going to help him buy property in Australia.

What are deepfakes?

Sophisticated video clones are one of the five scams ĚÇĐÄVlog is warning consumers to look out for this year.

Cutting-edge technology platforms, especially generative AI services that are accessible and cheap (or even free) to use, have delivered everyday people the ability to create digital audio and video clones of real people.

AI can generate realistic-looking images and videos of people from scratch. Image: CSIRO

But a clone is only considered a “deepfake” when the video, audio or image misrepresents that person and shows them doing or saying something they didn’t.

“A deepfake means there is untruth to what they are saying. [Scammers] are trying to portray people, individuals who might not be giving consent,” says Dr Sharif Abuadbba, a researcher studying AI and other emerging technologies at the CSIRO.

“The technology underneath is ‘deep learning’ [and] a deepfake is a particular-use case which is for malicious purposes,” adds fellow AI researcher Professor Sanjay Jha from the School of Computer Science and Engineering at UNSW.

As we’ve highlighted previously, deepfakes can be audio-only – a copy of the voice of a loved one, for example, that a scammer might use to impersonate them and plead for money via a voice message on your phone.

How are video deepfakes being used?

Video deepfakes take this method one step further and clone not just the voice, but also someone’s face and body.

A video deepfake can resemble a person you’re likely to trust in order to convince you to send money or sensitive personal details or to persuade you to believe disinformation.

They can also be made to look like the individual they’re shared with – depicted in a pornographic way in order to blackmail them.

As well as celebrities, scammers have been known to create video deepfakes of entirely fictional people who a victim might believe they’ve built a romantic relationship with.

A video deepfake can resemble a person you’re likely to trust in order to convince you to send money or sensitive personal details

Experts say criminals are targeting individuals with these deepfake videos that are tailored specifically to appeal to them.

“Let’s say you think you’re developing a romantic relationship and you start talking to [that person] on video… the deepfake can look like the picture you first saw of them that you think is genuine,” says Monica Whitty, a professor of human factors in cybersecurity at Monash University.

“Video and voice are used by cyber criminals because they develop trust with the victim,” she adds.

How effective are they?

AI platforms have become quite good at generating copies of human faces and voices or creating new identities from scratch that consumers can find difficult to identify as fake.

In research conducted last year, the Commonwealth Bank showed over 1900 Australians a series of images of human faces, some real and some generated by AI.

Almost 90% of those surveyed had said they would be able to spot synthetic faces, but in a sign of consumer over-confidence, only 42% were able to distinguish between the real and AI-generated images.

Still images from a video featuring a real actor (left) and a deepfake recreation of the same scene (right). Image: Meta

Why all AI isn’t a scam

It’s worth noting that the AI technology behind many deepfakes can also be used benevolently.

For example, Professor Jha from UNSW created his own computer program that could generate digital copies of himself to deliver legitimate lectures.

He believes the technology could be helpful in teaching in different languages and disseminating training to people in different countries.

Established advertisers are also using generative AI to create synthetic people to appear in ads for legitimate products.

How to spot and avoid a deepfake video scam

Even as generative AI platforms get better and better, there are still things you can look for, practices to be aware of and strategies to adopt to protect yourself from deepfake scams.

Be sceptical

Double-checking the source of any contact you receive online is the first barrier you can build to make yourself a harder target for scammers.

A celebrity is unlikely to ever contact you asking for money, and someone you’re building a romantic relationship with should be keen to move beyond video calls and online messaging and meet in real life.

A celebrity is unlikely to ever contact you asking for money

“When you’re dating, you need to meet that person face to face within the first couple of weeks,” says Professor Whitty. “Otherwise, you need to move on before you’re groomed [into providing money].”

If the contact is someone you have met before, but you’re suspicious, go back to them using details you’ve used previously or found yourself, even if they claim they’ve lost access to their normal phone number or social media account.

Look for technical glitches

Despite advances in AI, many synthetic copies of voices and faces are still far from perfect.

“Depending on the software they use, AI models can be very basic or very sophisticated,” says Professor Jha.

There’s a chance you’ll be able to spot some of the following tell-tale glitches that can arise in the process of making a deepfake:

Check if it looks too good: AI clones sometimes have an airbrushed, over-polished look. Make sure hair, lighting and skin tone looks believable.

Read their lips: The audio in an AI video may not always match the mouth movement of the person depicted. Watch for instances of dodgy lip-syncing.

Once more with feeling: Look for unusual facial expressions that don’t match the tone of what’s being said. Beware of unnatural blinking or flickering around the eyes.

Look at the body parts: AI struggles with hands – if these appear in the video, check that they look realistic. Look also at faces for any unusual asymmetries. Ask someone to turn their head 45 degrees to the left and right or put an outstretched hand in front of their face if you’re unsure.

Get it on the big screen

Signs of a deepfake can be hard to spot if you’re using a small screen.

These quirks can be hard to spot if you’re watching a clip or taking a video call in a small format, such as on a smartphone or a shrunk-down window in the corner of your computer screen.

Moving to a larger screen and making the image as big as possible might help to highlight some of the above-mentioned signs of a deepfake.

Know AI etiquette

AI experts creating digital copies of people consider it good practice to include a watermark or some other sort of disclaimer to make it clear to viewers when something has been made with AI. Scammers are unlikely to ever follow these sorts of protocols with their content.

It’s also worth remembering that official social media accounts of trusted organisations or individuals are unlikely to post videos or photos featuring AI-generated clones of themselves or their representatives.

Watch out for urgency

At their core, successful scams require us to throw caution to the wind and do things we wouldn’t normally do. 

Scammers will try to create a sense of panic, urgency or need to act quickly.

Video deepfakes might use a clone of a celebrity urging you to get involved in a limited investment opportunity or a loved one to play on your emotions with pleas for money or sensitive information.

As mentioned above, a successful celebrity is unlikely to spend their time making personal appeals to everyday people. 

Get set up for safety

In its survey on AI-generated faces, the Commonwealth Bank found that while 74% of respondents thought they should set up a codeword with loved ones, only 20% had actually taken this step.

Agreeing with friends and family on a word you’ll say to each other or question-answer exchange you’ll recite is a strong way to verify any urgent requests for help that might sound eerily similar to a scammer’s opening pitch.

*Last name withheld on request

Marg Rafferty Andy Kollmorgen and Jarni Blakkarly
Get the inside story on our investigations into consumer rip-offs and bad business practices.

Read our privacy policy

The post How to spot a deepfake video scam appeared first on ĚÇĐÄVlog.

]]>
1182812 Gary scam video filler 1.2 CSIRO deepfakes 2.1 Side by side deep fake 1.2 person looking at videos on smartphone investigation-team
The ads you see reveal a lot about you – and AI is watching /data-protection-and-privacy/data-collection-and-use/how-your-data-is-used/articles/the-ads-you-see-reveal-a-lot-about-you-and-ai-is-watching Sun, 17 May 2026 23:02:26 +0000 /?p=1162601 AI systems can infer private attributes by analysing the ads we're being shown – without us even knowing.

The post The ads you see reveal a lot about you – and AI is watching appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • A new academic study has revealed that AI models can figure out a lot about you from the ads you’re shown
  • Our personal traits are encoded in the algorithms that drive ads on major platforms such as Google, Meta, TikTok, and X
  • The researchers argue that policy “must evolve to address not just data collection, but what can be inferred from the content people are exposed to”

Not so long ago, your online search history and other personal data were needed for the digital masters to assemble a profile of you for advertising purposes.

Now a team of researchers from the University of New South Wales (UNSW) and Queensland University of Technology (QUT) have discovered that artificial intelligence (AI) doesn’t need such old-fashioned data points. It can suss you out just from the online ads you’re shown.

“The key point is that the ads a person sees are not random,” says lead author of the study, Baiyu Chen of UNSW. Its title serves as yet another warning about how AI can be misapplied: When Ads Become Profiles: Uncovering the Invisible Risk of Web Advertising at Scale with LLMs.

(LLMs are Large Language Models, an AI term for computer systems that can analyse and recreate massive amounts of human language and approximate thought.)

The key point is that the ads a person sees are not random

Lead author Baiyu Chen of UNSW

“Advertising systems optimise delivery based on inferred profiles and behaviours, so the overall pattern of ads shown to a user can carry signals about traits such as gender, age, education, employment status, political preference, and broader socioeconomic position,” Chen says. “Our study shows that LLMs can analyse those patterns and infer private attributes from ad exposure alone.”

The research team – which also included professor Flora Salim, professor Daniel Angus, Dr Benjamin Tag and Dr Hao Xue – are part of the ARC Centre of Excellence for Automated Decision-Making and Society (ARC ADM+S).

AI systems can build convincing profiles of us based on targeted ad data after we browse the internet for just a short while

The study is the result of the organisation’s Australian Ad Observatory project, which involved analysing around 435,000 Facebook ads seen by 891 Australian users. The findings mean AI can sift through markers of our selves we didn’t realise were there, and do it 200-times cheaper and 50-times faster than humans.

But what’s really concerning is that AI systems can build convincing profiles of us based on this targeted ad data after we browse the internet for just a short while, and they can infer personal characteristics as well as – or better than – humans.

Popular LLMs available to us all “can accurately reconstruct complex user private attributes”, the researchers write. And while the AI versions of who we are, based on the ads we see, may not capture everything, “they are often close enough to reveal meaningful insights about a person’s life stage or financial situation”.

Traits encoded in algorithms

All of this increases our risk of being scammed, since AI tools analysing ads can bypass current privacy protections, create profiles of us, and allow scammers to personalise their attacks.

Major digital platforms such as Google, Meta, TikTok, and X restrict certain sensitive categories of information from being used in targeted advertising, including an ad target’s health status, gender, sexual orientation, financial situation and political affiliation. 

But these personal traits are still encoded in the algorithms that drive the ads on these platforms, and widely available AI models can extract this information.

“Everyday tools such as browser extensions could be repurposed to quietly collect ads and build detailed user profiles — bypassing platform safeguards and leaving little trace,” the researchers report.

Everyday tools such as browser extensions could be repurposed to quietly collect ads and build detailed user profiles — bypassing platform safeguards and leaving little trace

The vulnerable extensions – including ad blockers, coupon finders, and page translators – provide “perfect cover for data harvesting”, the researchers write. It means a cybercriminal skilled at AI tools wouldn’t have to hack your device or obtain personal information from you in order to set up a targeted scam.

Policy must evolve

The researchers argue that policy and regulation “must evolve to address not just data collection, but what can be inferred from the content people are exposed to”.

Chen says platform users can reduce the risks by limiting the use of browser extensions, limiting unnecessary permissions, and using any available privacy and ad-personalisation settings in their web browser settings.

But the platforms are going to have to tackle the new privacy risks brought on by the age of AI as well.

“This is not something users can fully solve on their own, because the broader issue is systemic,” Chen says. “People cannot easily opt out of the ad ecosystem altogether, so stronger platform safeguards are also needed.”

In other words, we’re leaving digital footprints for AI to follow every time we go online, and what will be done with this record of our personal attributes is anybody’s guess.

Marg Rafferty Andy Kollmorgen and Jarni Blakkarly
Get the inside story on our investigations into consumer rip-offs and bad business practices.

Read our privacy policy

The post The ads you see reveal a lot about you – and AI is watching appeared first on ĚÇĐÄVlog.

]]>
1162601 investigation-team
Rent platform 2Apply ordered to stop demanding excessive personal info from renters /data-protection-and-privacy/data-collection-and-use/articles/2apply-ordered-to-stop-demanding-excessive-renter-info Thu, 30 Apr 2026 01:15:04 +0000 /?p=1131819 The RentTech company crossed the line by manipulating prospective tenants into providing unnecessary information.

The post Rent platform 2Apply ordered to stop demanding excessive personal info from renters appeared first on ĚÇĐÄVlog.

]]>
When ĚÇĐÄVlog started investigating the third-party rental platform industry in 2023, we unearthed a hidden world of stressed-out renters being forced to use a technology that demands huge amounts of personal information.

When we surveyed 1000 renters, 41% said they felt pressured by their rental agent or landlord to use a RentTech platform such as Ignite, 2Apply, Snug, tApp or others.

Six out of 10 were uncomfortable with the amount and type of information being collected, and 29% decided not to use the platform to apply for this very reason.

RentTech constitutes a classic power imbalance, with finding a place to live at stake. The ultimatum imposed on renters is stark: give us the information we ask for or you can’t apply for a home.

Either [renters] hand over personal and private information, including ID documents and payslips, or risk housing precarity or even loss

Privacy Commissioner Carly Kind

Now the Australian Privacy Commissioner has taken action against 2Apply after a year-long review of its practices, which included asking prospective renters’ to reveal their gender, student status, citizenship status and visa expiry, as well as details of their previous rental history – information that goes well beyond what would be needed to assess the suitability of a tenant.

“Renters often lack real choice when making rental applications. Either they hand over personal and private information, including ID documents and payslips, or risk housing precarity or even loss,” says Privacy Commissioner Carly Kind.

“This not only places them at risk that their applications will not be considered fairly and equitably, but that their personal information may be compromised in a data breach or cyber-attack.”

Manipulative tactics called out

The Privacy Commissioner took a novel approach in determining that 2Apply was violating applicants’ privacy, considering the “design, structure and way information is conveyed in the 2Apply form” as well as utilising the concept of “online choice architecture”, which is about how “the presentation and structure of choices presented to individuals can shape how they make decisions”.

2Apply was found to have been applying a variety of manipulative techniques in its rental applications, including:

  • “Confirmshaming” – the use of emotive language to make a user feel guilty or embarrassed for not taking an action that is beneficial to the information collector. 
  • “Biased framing” – presenting choices in a way that emphasises their supposed benefits or disadvantages.
  • “Bundled consent” – requesting consent for personal information to be used for multiple purposes in a single request. 

Can renters be forced to use a RentTech platform?

As ĚÇĐÄVlog recently reported, tenancy laws in some states require that renters are able to access an alternative payment and contact method.

In New South Wales and Victoria, tenants must be provided options like EFT or Centrepay. In Queensland, renters must be given a “reasonably accessible” option to pay rent.

But in practice, renters are in no position to push back against agents or landlords who breach these rules, as many do.

The essence of the Privacy Commissioner ruling is that 2Apply, which is operated by InspectRealEstate, violated the Australian Privacy Principles by collecting excessive personal information “by unfair means”, meaning prospective tenants felt they had no choice but to provide it.

The Office of the Australian Information Commissioner – which includes the Privacy Commissioner – has the power to issue fines up to $66,000, but 2Apply only had to agree to discontinue its excessive information collection, without admitting any fault.

In her determination on the case, Ms Kind emphasised the need for other RentTech platforms to note the ruling and change their information-gathering practices accordingly.

The post Rent platform 2Apply ordered to stop demanding excessive personal info from renters appeared first on ĚÇĐÄVlog.

]]>
1131819
Scams getting worse where new protections won’t apply /data-protection-and-privacy/protecting-your-data/articles/scams-getting-worse-where-new-protections-wont-apply Thu, 02 Apr 2026 02:06:22 +0000 /?p=1083025 Criminals are moving toward online contact methods not covered by the government’s Scams Prevention Framework.

The post Scams getting worse where new protections won’t apply appeared first on ĚÇĐÄVlog.

]]>
After years of a steep upward trend in the number of scams affecting Australians, reports to the authorities have begun to level off.

But we still lost more money in 2025 than in 2024, overwhelmingly due to investment scams. 

The latest report from the National Anti-Scam Centre – which combines data from Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and the Australian Securities and Investments Commission – shows that slowing down the global scams juggernaut is as challenging as ever.

Reported scam losses peaked at $3.1 billion in 2022 and have fallen about 30% since then. But last year scammers still managed to steal a collective $2.18 billion from Australians.

Scammers focus on websites and social media platforms

There were 77,365 text scams reported in 2024, when scammers barraged Australians with fake notifications about package deliveries, government notifications, bank communications and more.

This tapered off in 2025, when significantly fewer text scams were reported (29,058). The world’s criminal scam organisations now appear to be focused on websites and social media platforms, and losses increased by 21% in these areas compared to 2024.

ĚÇĐÄVlog director of campaigns and communications Andy Kelly says the changing trends puts consumers at greater risk.

The latest data shows that scammers are increasingly shifting from phone calls and text messages to online contact methods to target victims

ĚÇĐÄVlog director of campaigns and communications Andy Kelly

“The latest data shows that scammers are increasingly shifting from phone calls and text messages to online contact methods to target victims,” Kelly says. “The government cannot justify glaring holes in its proposed digital platform designation, which won’t capture email service providers, dating apps and online marketplaces.”

The federal government’s Scams Prevention Framework – which covers banking, telcos and digital platforms –  also leaves out app stores and gaming platforms, both of which have increasingly been exploited by scammers. Australians lost $139 million to romance scams in 2025, many of which would have been perpetrated by online contacts not covered by the framework. 

Global cooperation is key

Catriona Lowe, deputy chair of the Australian Competition and Consumer Commission (ACCC), says “collaboration and shared accountability” are needed both domestically and globally to gain the upper hand over the ever-evolving scams industry, adding that “scams are often described as a ‘wicked problem’ because they are complex, fast-evolving, and resistant to simple solutions”.

 â€œAs Australia and indeed the world faces increasing sophistication in scam activity through artificial intelligence and the industrialisation of criminal syndicates through scam compounds, it is clear more needs to be done, quickly and at scale,” Lowe says.

To this end, Australia joined other G7 countries in early March to endorse a Call to Action to Combat Fraud at the United Nations and Interpol Global Fraud Summit.

In addition, more than 100 organisations from around the world endorsed a Public Private Partnership Framework to encourage and improve global cooperation in the fight against scams.

Fake gambling sites target vulnerable consumers

Betting and sports investment scams also saw an increase in both number of reports and total losses in 2025, with almost triple the losses ($2.4 million) of 2024.

Most of this was attributable to a phenomenon known as “scambling”, where online gambling platforms are promoted that lead to scam websites where all bogus bets are lost to criminals.

Sports investment scams, which made up a smaller percentage of losses, involve convincing victims to invest money in fraudulent online betting systems that promise high returns.

Strikingly, there was a 91.5% increase in reports from First Nations people about betting scams and a 93.5% increase in reports from people with a disability.

Without people speaking up, we simply wouldn’t have the insights needed to track and disrupt scam activity

ACCC deputy chair Catriona Lowe

“We know losses remain high, but coordinated interventions are key to combating scams, and we will continue working together to strengthen efforts, including through the Scams Prevention Framework,” Lowe says.

Another critical factor is that Australians continue to report scams.

“Without people speaking up, we simply wouldn’t have the insights needed to track and disrupt scam activity,” Lowe says. “We encourage people to report suspicious activity so we can continue improving our understanding and response to scams.”

The post Scams getting worse where new protections won’t apply appeared first on ĚÇĐÄVlog.

]]>
1083025
Why wouldn’t the bank help this identity theft victim? /data-protection-and-privacy/protecting-your-data/data-laws-and-regulation/articles/why-wouldnt-the-bank-help-this-identity-theft-victim Mon, 30 Mar 2026 03:51:37 +0000 /?p=1078976 Her questions were left unanswered because she wasn't a customer of the bank the fraudster used.

The post Why wouldn’t the bank help this identity theft victim? appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • An identity theft victim tried to get assistance from the bank where an account was set up in her name but was told they couldn’t help because she wasn’t a customer
  • The woman’s AFCA complaint against the bank was rejected on the same grounds
  • On 12 March, after this incident, AFCA gained new powers that allow it investigate any bank involved in a scam or identity theft, whether or not the victim is a customer

When a debit card arrived in the mail in mid-January with Patricia*’s name on it she knew it wasn’t a good sign.

The card was for Great Southern Bank (GSB) – Patricia was not a customer and never had been. She realised her identity must have been stolen.

“I acted quickly to try to limit the damage – placing credit bans, reporting the matter to police, and contacting financial institutions  – but I’m very conscious that many people would not detect something like this as quickly,” she says.

Her prompt attention to the matter paid off, because the fraudster had attempted in short order to open accounts under her name with AfterPay, American Express, and Wisr (a personal loan provider). The credit ban Patricia had placed on her file blocked these applications, and all three providers quickly acknowledged that they were fraudulent.  

She eventually discovered that her new driver’s licence had been stolen before she received it, and the fraudster had used it to open the GSB account.

But GSB was less than helpful.

During multiple calls with their call centre I received inconsistent information about escalation, was refused access to the fraud team or a supervisor, and was essentially told there was nothing further they could do for me

Identity theft victim Patricia

“When I contacted the bank after discovering the fraudulent account, it was extremely difficult to get support because I was told repeatedly that I was not their customer,” Patricia says.

“Firstly, I wanted to understand how the account had been opened in my name, because that would indicate what personal information had been compromised and what steps I needed to take to protect myself. More broadly, what I was really looking for was acknowledgement and meaningful action from the bank regarding how this happened and how they would prevent it happening again, for myself and others.”

She wanted to know the email address and phone number that were used to open the account in her name. The bank’s reason for refusing to provide this may have been legitimate, but its representatives were also dismissive, unprofessional and rude, Patricia says.

“During multiple calls with their call centre I received inconsistent information about escalation, was refused access to the fraud team or a supervisor, and was essentially told there was nothing further they could do for me.”

AFCA unable to help

afca_logo_on_dark_background
As of 12 March, AFCA gained new powers to investigate all banks involved in a scam, whether or not the victim is a customer.

At this point she felt that her only option was to lodge a complaint with the Australian Financial Complaints Authority (AFCA). She called out GSB for failing to respond appropriately to her situation and for not having adequate identification checks in place to make sure people opening accounts were who they said they were. The only piece of identification used by the fraudster was her driver’s licence.

But the bank doubled down on its unhelpfulness, appealing to AFCA to have the case dismissed on the grounds that Patricia wasn’t a customer, and that only customers can lodge AFCA complaints. AFCA conceded that this aligned with its legislative charter at the time.

In fairness, GSB is not an outlier when it comes to identity verification. Most banks only require a single primary form of identification to open a bank account, such as a driver’s licence or passport.

GSB: ‘We escalated the matter appropriately’

A GSB spokesperson tells ĚÇĐÄVlog that the bank is prohibited from sharing information about scam perpetrators (including identity theft) with their victims by the both Privacy Act and the Anti-Money Laundering and Counter-Terrorism Financing Act. The bank says that it responded appropriately to Patricia’s requests for help.

“We have strong sympathy for the affected individual and have worked with her, as well as relevant organisations, to help reduce the risk of further identity theft and fraud,” the spokesperson says.

We believe we escalated the matter appropriately, but acknowledge our communications could have been clearer

Great Southern Bank spokesperson

GSB says it provided sound guidance, advising Patricia to report the incident to the police and place a ban on her credit file. (This good advice aligned with the steps she had already taken.)

But the bank admits that it could have done better.

“We believe we escalated the matter appropriately, but acknowledge our communications could have been clearer, and we are taking steps to improve how we communicate in situations like this.”

AFCA gains new powers

Had Patricia’s experience with the scam of identity theft happened in mid-March rather than mid-January, AFCA’s response to her complaint may have been different.

As of 12 March this year, AFCA’s jurisdiction expanded to allow it to investigate scam complaints involving the unauthorised opening of accounts whether or not the complainant is a customer of the bank in question.

It means that when a scammer convinces you to send money from your bank account to an account at a bank set up by the scammer (known as mule accounts), AFCA can open investigations into both banks.

“This is an important step to establishing a broader, more coordinated framework for looking at scam complaints and it reflects how scams operate in the real world,” an AFCA spokesperson says, adding that the change “strengthens transparency and accountability across the banking system by ensuring all parties involved in the movement of scam funds are accountable”.

This is an important step to establishing a broader, more coordinated framework for looking at scam complaints and it reflects how scams operate in the real world

AFCA spokesperson

As for Patricia’s case, AFCA says it “expects banks to engage with identity theft victims based on consumer expectations and good industry practice”.

Along with the AFCA complaint, Patricia also complained to GSB’s Customer Advocacy team.

“I decided to reach out in a more direct and personal way to set out the full context of what had happened and to see whether there would be any acknowledgement, accountability or rationale around the bank’s role in the situation. Unfortunately, that wasn’t the case,” Patricia says.

The bank maintained that it had made no mistakes since the fraudulent account was opened using a valid driver’s licence.

(*Editor’s note: Patricia is a pseudonym)

The post Why wouldn’t the bank help this identity theft victim? appeared first on ĚÇĐÄVlog.

]]>
1078976 afca_logo_on_dark_background
What is Grok and should Australia be blocking it? /electronics-and-technology/internet/using-online-services/articles/what-is-grok-and-should-australia-be-blocking-it Fri, 16 Jan 2026 02:55:05 +0000 /?p=936413 Elon Musk’s xAI tool has raised alarms around the world for facilitating the creation of malicious content, including deepfake pornography.

The post What is Grok and should Australia be blocking it? appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • Grok, the artificial intelligence tool developed by Elon Musk’s company xAI, was recently blocked in Indonesia and Malaysia due its ability to create malicious content
  • Britain’s media regulator, Ofcom, says sexualised images of children created by Grok users may amount to child sexual abuse material
  • Musk’s company X recently said it would prevent Grok users from editing images of real people to put them in revealing clothing in jurisdictions where this is illegal

An artificial intelligence (AI) tool developed by Elon Musk’s company xAI was recently banned in Indonesia and Malaysia and has raised serious concerns globally. It’s called Grok, and it gives users the capability to make highly sexualised images of people that look disturbingly real. 

As Indonesia’s Communication and Digital Affairs Minister Meutya Hafid recently put it, “The government sees non-consensual sexual deepfakes as a serious violation of human rights, dignity and the safety of citizens in the digital space.”

Britain’s media regulator, Ofcom, realeased a statement that says, “There have been deeply concerning reports of the Grok AI chatbot account on X being used to create and share undressed images of people – which may amount to intimate image abuse or pornography – and sexualised images of children that may amount to child sexual abuse material.”

The government sees non-consensual sexual deepfakes as a serious violation of human rights, dignity and the safety of citizens in the digital space

Indonesia Communications and Digital Affairs Minister Meutya Hafid

Grok, which is free to X users who pay for a subscription, was launched in 2023, but in 2024 an image generator feature was added that included something called ‘spicy mode’, which can generate pornographic content.

Australia’s eSafety Commissioner says the agency “has seen a recent increase from almost none to several reports over the past couple of weeks relating to the use of Grok to generate sexualised or exploitative imagery”, adding that it “will use its powers, including removal notices, where appropriate and where material meets the relevant thresholds defined in the Online Safety Act”.

Malicious content made easier

Abhinav Dhall, an associate professor at Monash University’s Department of Data Science and AI, says Grok has put powerful new technology into the hands of wrongdoers.

“Grok has made it easier to produce malicious content because it is directly integrated into X, so anyone can quickly tag it and request image edits. As it is so well integrated into the platform, the edited outputs also appear directly within the same public thread, which increases the visibility and reach of manipulated images”, Dhall says, adding that in many cases “the original poster may not even have the rights to the image they are uploading on the platform, which can make it easier for the edits to become potentially defamatory or unsafe”.

Dhall says Grok users should take steps to avoid images falling into the wrong hands.

“To reduce the risk of personal images being used to generate malicious content, users should be careful about posting clear, front-facing photos of their face, and should check and tighten privacy settings on their social media platforms,” Dhall says.

“It is also important to avoid posting children’s photos publicly. If you suspect your images have been misused, reverse image search can be applied to detect AI-generated content, and fake or harmful content should be reported to the relevant platforms as quickly as possible.”

X said in a previous statement that it removes illegal content from its platform including child abuse material and suspends the accounts of people who post it.

Musk has posted comments on the Grok backlash, saying critics of X “just want to suppress free speech”. In an X post on 15 January he said, “Grok is supposed [to] allow upper body nudity of imaginary adult humans (not real ones) consistent with what can be seen in R-rated movies on Apple TV.”

Grok has made it easier to produce malicious content because it is directly integrated into X, so anyone can quickly tag it and request image edits

Associate Professor Abhinav Dhall, Monash University

In a more recent announcement on X the company said “we have implemented technological measures to prevent the Grok account from allowing the editing of images of real people in revealing clothing” in jurisdictions where this is illegal.

But it remains unclear how the company will block certain locations from using this functionality or which locations they may be.

Will mandatory codes stop the deepfakes?

On 9 March 2026, mandatory codes come into effect in Australia which impose new obligations on AI services to limit children’s access to sexually explicit content as well as to violent material and content related to self-harm and suicide. But enforcing such codes on mammoth AI companies based in the US and other countries has proven to be a tall order for Australian regulators.

Abhinav Dhall stops short of recommending that Grok be banned in Australia, saying it’s a matter of enforcing the current rules and compelling tech companies to stop harmful content.

“Australia already has laws covering image-based abuse, so the focus should be on making the penalties clear and ensuring it is easy for victims to report abuse and have content removed quickly,” Dhall says. “At the same time, social media platforms should be required to implement stronger guardrails to stop harmful edits before they spread.”

Meanwhile, amid the outcry around the world about sexualised deepfakes, in a speech given at Musk’s company SpaceX, in South Texas, US Defense Secretary Pete Hegseth recently said that the Pentagon will embrace Grok along with Google’s generative AI engine. 

The post What is Grok and should Australia be blocking it? appeared first on ĚÇĐÄVlog.

]]>
936413
Real estate agents, chemists, car hire companies and more under new privacy scrutiny /data-protection-and-privacy/articles/real-estate-agents-car-hire-companies-under-new-privacy-scrutiny Thu, 08 Jan 2026 23:14:20 +0000 /?p=920932 Australia’s privacy regulator is reviewing the privacy policies of businesses collecting your personal data during in-person interactions.

The post Real estate agents, chemists, car hire companies and more under new privacy scrutiny appeared first on ĚÇĐÄVlog.

]]>

Need to know

  • In recent years, ĚÇĐÄVlog has conducted several investigations that focused on the far-reaching permissions privacy policies give the businesses that write them
  • In 2023, we reported on the privacy policies of rental platforms, and last year we analysed the privacy policies of Australia’s ten most popular car brands
  • This month, the Office of the Australian Privacy Commissioner begins its first full-scale privacy policy review, focusing on information demanded by businesses in person

Very few of us read the privacy policies we passively consent to when engaging with a service provider. Fewer still would understand what these privacy policies actually say.

In recent years, ĚÇĐÄVlog has conducted several investigations that focused on the far-reaching permissions these documents give the businesses we regularly interact with.

In 2023, we reported on the privacy policies of rental platforms such as realestate.com.au’s Ignite as well as Ailo, Tenant Options, Rental Rewards, Snug, 2Apply and Simple Rent.

The conclusion? These RentTech platforms collected information that went well beyond what’s needed to assess a tenant’s ability to pay the rent. The questions often seemed designed to grab as much data as possible from people who had no choice but to provide it.

In 2024, we analysed the privacy policies of Australia’s ten most popular car brands to see how the vehicles monitored and tracked their drivers. Here again we found that the harvesting of personal driver information was often excessive, and the rights the manufacturers gave themselves to share the data with third-parties were both far-reaching and vague.

The ACCC has estimated that it would take the average Australian 46 hours to read all the privacy policies they encountered in a month, the average length of which is about 6876 words.


The ACCC has estimated that it would take the average Australian 46 hours to read all the privacy policies they encountered in a month

All of this makes the Office of the Australian Information Commissioner’s (OAIC) recent announcement that it will begin its first large-scale review of privacy policies in early January 2026 more timely than ever.

What’s changing in privacy law?

The Privacy Act requires privacy policies to contain certain details, such as what information is collected, why it’s needed, how it’s used, and how it can be corrected if necessary. 

An update to the Act in 2024 means businesses will also be required (as of 10 December 2026) to specify in their privacy policies whether a computer program will be using your personal information to make decisions that could go against you, such as when an application for a rental home is rejected. 

The privacy policy sweep is … focusing on information demanded by businesses in person, such as when a real estate agent asks you for personal details when you’re inspecting a rental property or a car rental company presents you with a lengthy form before handing you the keys

In addition, the 2024 update gave the OAIC the power to issue infringement notices for Privacy Act violations without going to court. And it gives individuals the right to seek legal redress and financial compensation in certain cases for invasions of privacy or misuse of their personal information.

The OAIC’s privacy policy sweep is taking a different approach than our investigations of online privacy documents. It will occur in the real world, focusing on information demanded by businesses in person, such as when a real estate agent asks you for personal details when you’re inspecting a rental property or a car rental company presents you with a lengthy form before handing you the keys. The privacy policies of such businesses must include the above-mentioned information. 

Not having the right information in a privacy policy – or not having a privacy policy at all – could lead to fines from the OAIC of up to $66,000.

Which types of businesses will be targeted?

The privacy policy sweep will focus on sectors where the OAIC believes there are particular power imbalances – also known as information asymmetries – between the business in question and the customers being asked to provide the information.

When confronted with in-person requests for their personal information … consumers often don’t have access to all the information they might need to make an informed decision

Privacy Commissioner Carly Kind

“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” says Privacy Commissioner Carly Kind.

“This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

The OAIC says it will review the privacy policies of around 60 businesses from the following six sectors, with a particular focus in each case.

  • Rental and property – collection of individuals’ personal information during property inspections.
  • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
  • Licenced venues – collection of identity information to enable individuals to access a venue.
  • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
  • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
  • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

Transparent communication is critical

In the OAIC’s view, a business’s explanation of how it will use personal information should be open and transparent.

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information,” Kind says.

“The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person.

“We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”


The post Real estate agents, chemists, car hire companies and more under new privacy scrutiny appeared first on ĚÇĐÄVlog.

]]>
920932