An acute analysis of regulatory failure - ongoing inaction by the OAIC - is provided in 'Australia’s Forgotten Privacy Principle: Why Common ‘Enrichment’ of Customer Data for Profiling and Targeting is Unlawful' by Katharine Kemp.
The author states:
Many companies are not satisfied with collecting only the personal information that customers provide during a transaction or sign-up, or even the additional personal information they collect about the customer’s activities on the company’s own website or app. Instead, there is a common practice of companies adding to the profiles they compile on each of their customers by collecting extra information about the customer from third parties, including other unrelated retailers, loyalty programs, data analysts and data brokers. The industry euphemism for this practice is ‘data enrichment’. Extra information collected by companies ranges from the customer’s age and income to health, family situation and purchases from other companies online and offline.
The further personal information is not necessary for the transaction or provision of the service in question, and its collection is not visible to the consumer. Nonetheless, many companies seem to consider they are entitled to collect this further information in pursuit of the power to create more detailed consumer profiles, predict the consumer’s actions and intentions, precisely target advertising and influence consumer behaviour (collectively, ‘profiling and targeting’).
This paper argues that much of this collection of personal information is already unlawful in Australia. Organisations are forgetting – or overlooking – a critical obligation about when personal information can be collected from third parties rather than from the individual themselves.
Australian Privacy Principle 3.6(b) is the forgotten privacy principle. The essence of this rule is that personal information should be collected directly from the individual concerned (‘direct collection’), rather than from third parties or other sources.
For organisations, the only exception to the general rule requiring direct collection is if it would be ‘unreasonable or impracticable’ for the organisation to collect the personal information only from the individual – eg, when an individual is being investigated for suspected fraud, or where legal documents must be delivered to an individual who has changed address. The exception to direct collection does not apply simply because an organisation seeks more personal information for profiling or targeting but does not wish to ask the individual for it directly for fear that the individual would object.