Posted: 14 Jul. 2020 5 min. read

Contact data and consent: There’s no such thing as a free lunch

I was in a café at the weekend, and as is the new norm, I had to provide my details for contact tracing. In this case, I used a QR code. Intrigued, I took a screenshot of the page the code landed me on to enter my details. There was nothing there telling me how my data would be used. No T&Cs. No privacy statement. Nothing for me or other diners to educate ourselves on how our data would be collected and used.

Make no mistake, this is entirely at odds with some of the most basic privacy principles.

There was worse to come. When I dug deeper, by putting the provider name into a search engine, I found that the business behind this ‘free service for cafes and bars’ was a data company that was all about providing marketing services to its customers. When I had a look at their privacy policy I was gobsmacked to see that they reserved the right to share your data with ‘related or associated companies, marketing and advertising agencies, third parties with whom they had a relationship’ and the list went on. Now I can’t be sure that they were actually doing any of this with the tracing data they were collecting, but I had to wonder... do cafe and bar owners genuinely want to be exposing their customers to the potential of this type of creepy privacy invasion?

This year, our Australian Privacy Index revealed 60% of surveyed respondents had backed out of purchasing a product or using a service, or closed an account completely, due to privacy concerns in the past. So, it’s no surprise that the general public are openly expressing concern about their contact tracing data. People are asking questions, worried that their private details are exposed to other customers, or third parties online. Diners are equally uncomfortable with their details being visibly available on paper for all to see. While some may say they’ve nothing to hide, that’s no deterrent for opportunists to use personal details in an undesirable or even criminal manner. For example, someone takes a photo of a restaurant check-in sheet and then uses the names to look up social media accounts. If you think this is unlikely, have a look at recent news articles, or consider the last time you used the internet to have a ‘sneaky stalk’… you might not have stolen details to do so, but you get my point.

Now, if you’re a business owner, you may find yourself liable for the theft of contact tracing information. It’s arguable that should someone suffer harm as a result of your negligent handling of their information, you’ve breached your duty of care to your customers. Even if your business is too small to be covered by our privacy laws – you may still be subject to litigation.

Sadly, it appears that some data collection companies are exploiting people by means of COVID-19. Abusing both fear and trust, they collect information to make money rather than to protect. And it’s entirely unethical. These companies are undermining trust at a time when we all need to trust one another – and destroying trust for the businesses out there who are trying to survive by doing the right thing. There needs to be action against this – and I’ll get to that. But what can you do right now if you’re a business owner?

  • Decide on the most effective, legal and ethical means to collect data for contact tracing for your business.
  • Do your research. If you’re using a digital provider, make sure the company collecting data on your behalf is doing the right thing – by law.
  • Be wary of ‘free’ technologies that may have actually been developed to exploit the situation.
  • Don’t accept the first app you find and don’t use something just because it’s free; remember the adage, ‘If something is free, you or your customers are likely the product’.
  • If you’re using pen and paper, make this hygienic and designed in a way that doesn’t reveal customer details (shared pens sound like a great way to give your customers COVID on entry!).
  • You must have a plan to destroy the data after 28 days or in line with your state’s legislation, public health orders and/or COVID-Safe Plan.

You can’t be complacent. Collecting customer information is purely for contact tracing (should it be required) and not for any other reason. Cost, lack of clear direction on how to execute, not understanding the relevant state or federal privacy legislation, or assuming it doesn’t apply because of the size of your business, are no excuse. Even if you don’t have a regulatory risk you still have a duty of care to your customers. By law, the data must be destroyed after a certain amount of time, and if you want to be trusted, under no circumstances should it be used for any other purpose, including marketing, or sold to third parties without express, singular, opt-in permission. Furthermore, insurance companies should be checking on their business clients – because if their clients are negligent in how they go about handling their patrons’ information and someone suffers harm as a result, this could lead to a successful claim for damages in a civil lawsuit, which insurance companies may have to wear.

When it comes to contact tracing for COVID-19, the current methods aren’t ideal. And unfortunately, when margins are so tight, free options look attractive and will remain attractive, even though some providers are doing the wrong thing with their customers’ data. Australians are generally willing to comply because we understand the importance of contact tracing to protect our communities and the economy, but for how long if these practices are not tightened up? Current execution is not great. Perhaps the government can work toward or subsidise a solution, or a reputable brand can look to run a platform that is genuinely, and not at the expense of privacy, run for free. There is an enormous opportunity here to step up and create a secure and ethical capability for venue attendance tracing – if it’s not happening already, it needs to be on the menu.

This year we have examined the behaviours of the top 100 brands in Australia where they operate using ‘consent’ as the basis for processing personal information. We have then compared this behaviour against what 1000 Australian consumers told us constitutes meaningful consent to them. Find out more by downloading the full report or get in touch.
