Trade Me is in hot water with the Privacy Commissioner after it decided that an "opt-out of marketing" checkbox did not cover its own in-house advertising messages - and sent them to all members anyway.
In December last year, Privacy Commissioner John Edwards began an investigation into the Trade Me policy change - introduced by the site new the previous month. (Trade Me says the move was a "regular review" and not tied to its new private equity ownership.)
At the time, Edwards said it wasn't clear that the changes were in line with the law.
Overnight, he delivered his finding that Trade Me had fallen short of its legal obligations.
It was a step-down for the company which, under its previous local ownership, earned a rare "Privacy Mark" commendation from Edwards for its transparency in reporting.
Lesson for all
"What this shows is that businesses that collect personal information need to be clearer about why they are doing so and what they will do with the information," Lowndes Jordan partner Rick Shera told the Herald.
"Here and overseas, regulators are saying that vague generalisations are no longer good enough - privacy policies need specifics.
"This becomes even more important with the introduction of New Zealand's new Privacy Act in December this year, which adds an overriding principle that personal information should not be collected at all unless it is necessary," Shera says.
"Hoovering up personal information just because it might be useful in the future is not acceptable. The purpose for which it is being collected and used must be explained clearly."
The new Privacy Act comes into force on December 1. Unlike the current legislation, which limits the Commissioner to giving companies a stern ticking off, it introduces criminal offences and fines.
Covid-19: Morgan says Govt could, and should, roll out txt service within days
Huawei-built data centre allowed undetected eavesdropping: report
$50m rural broadband top-up: Detail lacking outside Northland, advocates say
Edwards said Trade Me did not fully meet its obligations under the Privacy Act to take all reasonable steps to ensure that its members were aware of the purpose for which their information was being collected and how their preferences to "opt-out" of marketing would be given effect.
And although the soon-expiring current Privacy Act is toothless in terms of fines, Edwards still has the power to embarrass. He noted that falling short of customers' privacy expectations caused reputational damage.
Changes to the opt-out policy
In September 2015, Trade Me provided members with the ability to opt out of targeted advertisements.
In early 2019, a team within Trade Me queried whether the existing practice of excluding members who had opted out from targeted onsite advertising about Trade Me services was consistent with the opt-out policy.
Trade Me reviewed the application of the opt-out policy and concluded that it had been overly broad in its application.
The update clarified that Trade Me may use personal information provided by members to target advertisements to members about Trade Me services. The update included members who had earlier elected to opt-out from their personal information being used for marketing or advertising purposes.
Targeted advertisements – opt outs
Of the approximately 4.8 million Trade Me memberships, 320,823 opted out of receiving targeted advertising of some description. Some users believed that the opt-out acted as a limitation on the ability for Trade Me to target its own advertisements to its members.
"Trade Me's targeted advertising opt-out was positive and privacy-protective and looks to respect the preferences of members. There is a clear demand for privacy-enhancing solutions as demonstrated by the number of individuals who used Trade Me's opt-out."
But Edwards said Trade Me did not take all reasonable steps to communicate how members' information would be used.
"Trade Me failed to clearly inform individuals of the purpose for which their information was being collected and who the recipients of that information would be. This caused confusion and a backlash among some members who had used the opt-out," he said.
Response from Trade Me members
Edwards said the responses his office received about this inquiry from affected members highlighted the need to communicate clearly with members.
The feedback received during the inquiry reflected Trade Me members' high expectations of privacy from the online trading platform – particularly in view of the company's privacy-conscious reputation as a Privacy Trust Mark holder for its transparency reporting work.
"The lessons learned here are applicable to all businesses; there could be reputational harm to a business if it fails to meet its customers' privacy expectations. I encourage all organisations and businesses to consider how they can better design their services to be privacy-enhancing for their customers."