
Scarily NOT So Private Privacy Policy

Buying online from Bing Lee required my agreement to their T&C’s, including the Privacy Policy. After completing the purchase, I read the T&C’s much more closely, and I’m alarmed at what I agreed they can do with my data. The excerpt below is some of what’s concerning me the most - it’s scarily loose and seemingly unlimited!!

After purchasing, how do Bing Lee’s online customers withdraw consent, or wholly opt out of using their data this way?

Are Privacy Policies in Australia’s well established, well known and respected companies usually so extraordinarily vast?

"Your personal information may also be disclosed to or collected from:

  1. customer, product, business and research organisations;
  2. data partners, analytic consultants and data warehouses;
  3. social media networks where people create, share or exchange information;
  4. publicly available sources;
  5. clubs, associations, member loyalty or reward programmes;
  6. third parties Bing Lee has engaged to provide financial, accounting, administrative, advertising, marketing, internet communication, analytical and technology services (“Agents”).

Whilst personal information may be provided to Agents to enable them to perform their tasks, such information remains the property of Bing Lee. By accepting the terms of this Policy, You consent to the disclosure of Your personal information by Bing Lee in accordance with this Policy."


Welcome to the Community @Daisy

That does appear to be well over the top, and reflects the value of customer data that they can monetise. Contact Bing Lee via their privacy officer.

‘To review and update Your personal information or to obtain a copy of this Policy, please contact Bing Lee’s Privacy Officer by email at or by telephone on (02)97813000.’

Our government ‘privacy agency’ is a curious beast as one delves deeper into the nitty gritty, but here is their link


Bing Lee’s Privacy Policy in full

I’d suggest notions of ‘consent’ are not well understood generally, and as such are wide open for misuse and abuse.

OAIC - Australian Privacy Principles (APP) - are based in law, [Cth Privacy Act 1988] and ‘interference with the privacy of an individual’ is a breach of those, and so open for regulatory actions or penalties.

Quoting from APPs ‘Consent’ - Consent must be current and specific

"When you give consent at a particular time and for specific circumstances, an organisation or agency can’t assume your consent continues indefinitely.

When asking for your consent, an organisation or agency must explain the reason for their request and be as specific as possible. They shouldn’t ask for a broader consent than necessary. For example, you shouldn’t be asked to consent to undefined future uses or vague statements such as ‘all legitimate uses or disclosures’."


You have not given consent to Bing Lee for specific purposes and circumstances, and I suggest you raise this with the company.

One also has to wonder how the company’s policy applies to in-store shoppers. Is it specific to online, or are the same words printed on your receipt after you have paid, or is the policy stuck on a window somewhere to which nobody pays any attention?

There is also an issue of ‘informed consent’ which applies to pretty much every website. How many users actually read every website’s privacy policy, and understand how it applies in the relevant jurisdiction (international law just opens up all new cans of worms). Many of the things we do online are uninformed by website policies and practices.


Further to the APPs example above, of we ‘…shouldn’t be asked to consent to undefined future uses or vague statements…’ which are often embedded in, or part of, ‘bundles’ of statements. (see excerpt below from Australian Privacy Principles)

In practice, I suggest we all do this in myriad ways, large and small, every day. As customers, perhaps what’s most important to us, is when is our individual privacy UNreasonably ‘interfered’ with, beyond what is legitimate, what we want, or wanted when we consented, or are willing to accept.

"Bundled consent

A bundled consent is a single request for consent from an organisation or agency that contains several requests to collect, use and disclose your personal information, and does not let you choose which ones you consent to and which you don’t.

Avoid giving bundled consent unless the request:

  • gives you the choice not to consent to one or more proposed collections, uses and/or disclosures of your personal information
  • gives you enough information about each proposed collection, use and/or disclosure
  • tells you the consequences, if any, of not consenting to one or more of the proposed collections, uses and/or disclosures of your personal information"

Yes, I’ll raise the issue of the necessity of accepting such unreasonably nonspecific, potentially far reaching T&Cs generally to enable me to purchase an online product from them. But their T&Cs overall seem oddly random and, decidedly porous, it’s almost hard to know where to begin.

With respect to ‘informed consent’ however, placing policies in places where no one would reasonably be expected to look, eg left side wall of a car park entry when drivers are looking and driving forward, or in font size or style or presentation people couldn’t reasonably be expected to easily read and understand, eg shopping receipts(!) assuming informed consent in these circumstances, offer little, or usually no, defence when a claim’s raised against them.

Here’s the APPs section on ‘informed consent’:

"Since consent must be informed, an organisation or agency needs to make sure:

  • they presented the opt-out option clearly and prominently and can be reasonably sure you saw it
  • you were given the information about what happens if you don’t opt out
  • the opt-out option was freely available and not bundled with other purposes
  • it was easy for you to opt out (it took you little effort and was free or cost little)
  • if you fail to opt out the results aren’t serious
  • if you opt out at a later date, as far as practical, you’ll be in the same position as if you had opted out earlier."

Is the greater concern that over-reach is only addressed after something has gone wrong?
I.e., it’s OK for a business to not comply (flout the intent) with the Australian Privacy Act until such time as they are taken to court!

A consequence perhaps of limited enforcement and weak penalties. If common law is any guide, does one need to prove absolutely that harm has been caused and also prove the realised cost of that harm? I’ve not spent time trying to find examples or case histories.


I have not bought from this company, so can you clarify something. You can only use their online ordering system if you agree to their privacy terms?


I agree, entities with such loosely framed policies are only considered problematic when eventually, someone has the knowledge, capacity, finances and fortitude - all together! - to bring a case to court.

Nonetheless, while it grates me to accept, our information’s harvested everywhere we turn, and with every press of our keyboards, so BL’s policy suggesting we’ve consented to them indiscriminately using our personal data feels as though they’re simply articulating what nearly every group, every entity we’re interacting with, and a whole lot we’re not, is just DOING.


Yes. That was my experience and understanding.

I couldn’t complete my online purchase without ticking a box indicating I accepted their Terms and Conditions, and to receiving marketing info.

I saw no opt out. Also, I looked for and saw, no opt out for receiving marketing info specifically.

It states in T&Cs that AFTER receiving marketing info, you can opt out via that, or by contacting the phone number provided.


I would send them an email stating clearly you withdraw your consent expressed under their T&Cs…particular clauses or as a whole. Cite…

They have no choice but to agree as it is your legal right. It will place them in a legal quagmire if they don’t adhere to your request.

Make sure you keep the email for future use should they ignore your notification.


Presumably you were presented with a link to the terms and conditions, but not with the actual terms - which seems to be how websites generally operate.

I suspect that legally they may have some difficulties given the Australian Privacy Principles; as @phb says send them an email rejecting their terms and demanding that they delete your personal information (including your email address, if that is your wish). I have found at least one place that stated they could not provide post-sales support if they deleted my account - nice try.


I have experienced many web sites where you could not complete an ecommerce order, or in some cases (share registries and super funds) even login, without accepting the T&C as a binary exercise.

A rejection or qualification is left to after the fact and ‘free form text’, but there will be a next time unless one never visits that site again so simply asking for a deletion does not resolve this form of overstep.

Most of the T&C I read are clearly aimed at monetising their customer base but the T&C have been reasonable or close enough, especially the registries and super funds where they restrict dissemination to their own systems and contractors and the specific companies in one’s ‘mix’.

Yet I am reading more closely to see if T&C are privacy or piracy conditions.


Best not to buy from Bing Lee at all.
I won’t buy from them.

However, can they really prove you agreed?
Our legal system is designed by dummies so who really knows?

What if there was a bump and it caused a cursor to be activated, and therefore a system consent to occur? Is that valid? I would say not.
And, because websites can change every day, how would anyone prove which terms and conditions applied at the time of sale? Anyone impartial?
I would love to see some test cases.

Many online stores, social media platforms etc have similar terms and conditions. They are hard to avoid unless one shops in a bricks and mortar store and uses cash only (without using a loyalty card).

Unfortunately with online shopping, one has to agree to the Terms and Conditions to allow a purchase to proceed (or to set up an account such as on social media). This clicking of agreement means that one has accepted the T&Cs. If one chooses not to read them (unlike what @Daisy did), then this isn’t grounds to say that one hasn’t agreed to them.


The level of proof needed is more probable than not, unless it’s criminal in which case it’s beyond reasonable doubt.

The underlying assumption with the problematic T or Cs here, is that consent is enduring, when in fact the legal position is “…consent at a particular time and for specific circumstances can’t [be assumed to continue] indefinitely”, nor can it be for “undefined future uses or vague statements such as ‘all legitimate uses or disclosures’”. Furthermore, there didn’t seem to be any opt out options, so I could choose what I consented to, and what not, that still enabled me to purchase. This also arises to a legal issue if pursued.

In the first instance, we can request our data be removed, wholly, or not, whatever our preference, from databases, nonetheless it may already have been sold on, or used in some way we hadn’t anticipated, but nearly always, we won’t actually know what’s transpired, even if what BL did with the info can be identified.

Although our day to day privacy can be protected to a degree by the APPs, once privacy’s breached, in most circumstances it’s almost impossible to reestablish how it was.

In addition, you cannot make an online purchase without agreeing to accept ongoing marketing emails from them. My understanding was that this is supposed to be a choice, not compulsory, when engaging with a business. You can unsubscribe later, but that’s not the point if the initial requirement is illegal.


I share a similar concern.

There are online businesses where you do tick a box at the same time as filling out or confirming the order details. So it’s not all online businesses that need to be called out. Should we be identifying those who do not appear to comply?

I’ve mused previously it continues to be an issue because there is no ACCC police force to respond to the event. It’s not a crime in a criminal sense. Otherwise one might call 000 to report a crime in progress. Shortly thereafter a crack team might raid the data centre and offices of said business, arrest the CEO and CIO before locking them up until bailed. It’s purely a procedural or policy failure with no body on the floor for forensics.

Is the legislation and management/enforcement system designed to promise one outcome to consumers and deliver a different one to business? There’s a privacy commissioner to filter all enquirers or complaints.
Still apt - ‘In the fullness of time, Minister’.


Wow, thanks for the heads up. I think one of my sons buys from them and he would not read fine print AND is susceptible to marketing.