Controversy over a shopping mall app raises broader questions about tracking, meaningful disclosure and consent when privacy policies run to thousands of words and impatient smartphone users seek instant digital gratification.
Westfield's recently made-over Newmarket mall comes with an attractive offer: two hours free parking, or four if you see a movie.
That's tasty, in an area where people kill for spaces.
But there's a catch: First you have to install the Westfield Plus app on your phone, and turn on location tracking.
This is partly so you can register your number plate and credit card, the better to simply drive out if you're under your two hours, or get automatically billed if you're over (which can sting, but that's another story).
Westfield cameras, working with the GPS on your phone, mean you can just drive in and drive out, with no faffing around with ticket machines.
But early adopters have spied some fine print in the terms and conditions, that they've found a little creepy - because they seem to say that Westfield Plus cannot only track your parking, but every shop you enter, and everywhere you go, as you wander Newmarket mall.
So are Westfield Plus users right to be paranoid? In short Westfield says right now it does not track your every footstep around the mall at the moment, but that's what Plus users have agreed to.
Did people know what they were signing up for?
Westfield points to a pop-up screen during the installation process that says "To get the most out of this app, we need to know your location while the app is open." Another says "Your location is used to enable features based on your nearest Westfield Centre." But given it's heavily promoted as a free parking app, not every user is going to register the fact that they're consenting to pervasive tracking beyond that.
It's difficult to see a parent with two screaming kids in the back plowing through the best part of 1000 words as they scramble for a park. Or indeed, anyone. Being no lawyer, I gave up and out-sourced the job to Edwards' office, who summarised:
"In order for a consumer to qualify for the powerful incentive of two hours free parking at Westfield [Newmarket], they have to agree to Westfield's getting access to a lot of personal information including:
• email address
• car number plate
• payment details
• mobile number
• device information
• specific location tracking (if inside a Westfield Mall)
• non-specific location information (if outside a Westfield Mall)
Westfield fulfils its legal obligations under Principle 3 of the Privacy Act to let people know that information is being collected; the purpose of its collection (in Westfield's case to enable the mechanics of its free carparking offer; to study shopper behaviour and enhance service); and the intended recipients of that information (the Westfield spokeswoman said no Westfield Plus information would be sold to third-parties. "We do not sell any information collected at any point by Westfield Plus, nor do we have the right to do so." There is an opt-in for marketing from Westfield).
"The app has been designed with New Zealand's privacy legislation at its core and each step of the onboarding process reflects this," the Westfield spokeswoman said.
"The app was also reviewed by third party privacy experts prior to market release. The Westfield Plus app launched in August 2019 as part of our customer experience strategy to keep delivering what our customers want. Customer feedback has been overwhelmingly positive."
But Edwards also raised the broader issue that, "Lengthy, legalistic and complicated privacy statements do not automatically mean that an agency has taken adequate steps to ensure that an individual is aware of what information is being collected and what the information will be used for."
Westfield is not alone in having a epically long privacy statement with no quick-summary that's easily digestible.
"A central issue for us is whether consent for the app to harvest a lot of consumer information is meaningful," Edwards said.
The Westfield Plus app's installation screens do include a line, immediately after repeating its free parking offer, that says "This app requires access to your location services" - but it doesn't detail what for beyond to enable un-specified features to "get the most out of every visit."
Once the app is loaded, its hamburger menu does feature a link to a FAQ (frequently-asked questions section, which in turn links to a Privacy and Security section, which in turn links to the full Westfield Plus Privacy Collection statement.
It's a standard tactic of many apps, and software and services released by big tech companies. A Carnegie Mellon survey found it would take the average person 25 days to read the privacy statements of every website and piece of software they use in a year. Then there are the additional problems that the policies are often confusing to a lay-person. And with services like Facebook and LinkedIn, they're forever changing.
Help on the way?
"Privacy statements should reasonably inform people about why their personal information is being collected, what it is being used for and when it will be disclosed to others," Edwards says.
"We will be able to take action if we find that a privacy statement does not do its job in conveying this key information to the consumer.
"We will have regulatory powers to compulsorily require information from the company to assist our review if we think a privacy statement is not up to the job."
The new law did not give Edwards his desired ability to throw around $1 million fines, but he can still slap a company with a compliance notice.
"If we find a company's privacy statement has not met the required standard of 'reasonable steps to ensure the individual is aware' - for example by being overlong, obscure, or couched in legalese - this is a breach of the Privacy Act and we will be able to issue a compliance notice requiring amendment. A compliance notice is enforceable in the HRRT [Human Rights Review Tribunal], with non-compliance attracting a fine of up to $10 000," the Commissioner says.
Stats that could help
There have not been any complaints about the Westfield Plus app.
But if a complaint is laid about any given app's policy, then there are a couple of questions the Privacy Commissioner can ask to help gauge whether it constitutes meaningful consent. One is what percentage of users have clicked through to read a policy. Another is how long each spent reading it. (The Herald asked both questions of Scentre about Westfield Plus. No immediate data was provided.)
'Time to raise your game'
Edwards' hope is that more organisations follow "privacy by design."
"Our advice to companies when they introduce a new way of collecting and using personal information is to allow people to opt-in meaningfully – and if they do, to be able to choose a level of privacy that they are comfortable with by opting-out of sharing information they are less comfortable with giving away," the Privacy Commissioner says.
Discussing those sorts of issues in public is one of Edwards' main weapons, and will remain so after the revamped Privacy Act goes into force. The Privacy Commissioner got some items on his wish-list into the modernised legislation, such as mandatory data breach disclosure, but not others, such as the ability to levy substantial fines on organisations who violate privacy rules.
And he doesn't always see the same level of inter-agency support that occurs across the Tasman.
A recent example is the Australian Competition and Consumer Commission filing a Federal Court case against Google for allegedly misleading consumers over location tracking (the ACCC alleges Google's instructions made it appear a one-stop process when in fact a second step was required to disable tracking). Here, the Commerce Commission is keeping a "watching brief."
But although he won't get his desired ability to levy million-dollar fines, Edwards will be able to issue compliance notices to organisations in NZ and offshore who break privacy rules - which could cause considerable embarrassment and damage to their reputation.
His advice is for organisations to get their act together now ahead of the new law.
"It's time to raise your game," he says.
As for me, a Westfield customer as well as a journalist, I was disappointed it took me several phone calls and emails to work out what the Westfield Plus app actually does.
I found it distastefully invasive, once its full scope was revealed. But I also left it installed. At the end of the day, I was willing to trade a bit of my privacy for free parking. I just wish Westfield had been more upfront.