In the US apparently it is ... but could it happen here?

In yet another example of what is becoming more and more commonplace, came a throwaway line in an article about a US based retailer who bought the brands and intellectual property of bankrupt sports retailer Sporting Authority.  The article indicated that the biggest win for the purchaser was not the trade marks or brands etc. but the 114 million customer files which included around 25 million customer email addresses.  

Dick's Sporting Goods, the purchaser (and yes that's actually its name) now has the right to leverage those customer details to drive its sales.

More companies are starting to understand the value of data, including customer's personal information, as a significant business asset.  It is also an asset, which like other more tangible assets, can be sold or transferred. 

But this couldn't possibly happen to me I hear you say - New Zealand and Australia have strong privacy (and unsolicited electronic correspondence) laws.  

While that is true, the restrictions may not always stop sharing or leveraging customer data, which includes your personal information.

Briefly, the Australia and New Zealand:

Privacy Acts: contain a number of privacy principles restricting a company's (or other organisation) use or disclosure of your personal information.  However, both privacy regimes allow companies to use and disclosure of your personal information where you have consented to, or otherwise authorised, any such use and disclosure.  This is of course, provided the company meets the other privacy requirements - such as protecting your information against loss or misuse, and allowing you access to and the ability to correct your information.  While the default position in both Acts is that your personal information cannot simply be sold as an unfettered asset, consent as part of your agreement to a company's trading terms can override those restrictions. 

'Spam' Acts (which is actually the name of the Australian Act): provide that a company can send you commercial emails (i.e. emails trying to sell you things you probably don't really need) provided you consent to it doing so, it identifies itself and provides an option for you to unsubscribe. 

And that's assuming that those Acts all apply.  Most online retailers are based overseas – think ASOS, Book Depository or Amazon, and some which you may come into contact with are headquartered in ‘tax efficient’ jurisdictions with little or no privacy protection.

Even if an online retailer located here, or in another jurisdiction that respects privacy, realistically when shopping online how many people will actually read the retailers terms and privacy policy before making a purchase?  The answer will probably be virtually none.

Sports Authority's privacy policy, which was posted on its website, stated: “We may transfer your personal information in the event of a corporate sale, merger, acquisition, dissolution or similar event.”.As such Sports Authority’s consumers had, in all likelihood unwittingly, consented to the sale of their information to Dick’s in this case.

Provided a company's terms and privacy policy make it clear that your personal information can be used to sell you products or can be transferred or sold, then it can probably do so, and in all likelihood so could another entity that buys consumer data from it.  The onus will be on you to rescind any consent.

The main takeaways from this are:

To all those out there who buy from online retailers, and I include myself in this boat, the old adage of caveat emptor (albeit with a slightly different bent) still applies.

For companies who collect personal information, well we suggest you get in touch to check that your terms and privacy policies are not only compliant with the New Zealand and Australian Privacy Acts, but also allow you to extract the value from a still emerging asset class.