At the beginning of 2018 in New Zealand there was a competition to design the Privacy Trust Mark for the Privacy Commission. This trust mark was to be used online
to highlight excellent privacy practice in a product or service
The winner was a graphic design artist from Christchurch and the final design is very nice. Then the first two recipients of the trust mark were announced. One was a government led initiative to prove your identity online called RealMe. The other is a New Zealand online auction site called Trade Me. They deal with a lot of personal information as defined by the Privacy Commission.
Personal information is any information which is about an identifiable individual. In other words, it’s anything which tells us something about a specific individual. The information does not need to name the individual, as long as they are identifiable in other ways, like through their home address.
Curiously there appears to be no definition of personal information in the 1993 Privacy Act itself. Although there are some definitions of specific personal information in the schedule for information sharing between government departments. Either way, does Trade Me actually deserve the Privacy Trust Mark? Having it in the news will cause a lot of people to trust them and not to read their privacy policy. So what does that policy say about the information they gather and how they deal with it?
Information gathered by Trade Me
- Browser used
- CV details in Trade Me jobs
- Delivery addresses
- Demographic information if required
- Device used and information about it
- EXIF data from photos
- Firearms license number if needed
- Geographic location when using
- IP Address
- Information from third parties about you
- Listed content including after the listing has expired
- Mobile device performance analysis, usage behaviour, technical information about the device, firmware and carrier.
- Operating System used
- Partial Credit card details
- Phone call recordings for six months
- Registration details – name, gender, address, email address, etc..
- Use of website including viewings and searches
- URL you came from
- URL you are leaving to
What they use it for – The really long list
- Accounting
- Allow advertisers and recruiters to contact you about jobs
- Allow advertising clients to place remarketing cookies
- Allow Google to target ads to you
- Automatically populate your Trade Me Job Profile
- Behavioural analysis
- Contact members
- Create your Trade Me Jobs Profile
- Customer relationship management
- Deliver information and fresh content specific to the users interests
- Display your CV information to selected recruiters and advertisers
- Enable third party access through API
- Enforce or apply their terms and conditions
- Ensure Afterpay can enforce any contractual rights given for Afterpay’s benefit under the Afterpay terms for Trade Me sellers.
- Facilitate payments under the Afterpay Service
- Give seller your address with permission
- Help display advertising to the user
- Help process a refund, chargeback and/or reversal having used the Afterpay Service
- Help with resolution of a dispute having used the Afterpay Service
- Identify users abusing the Trade Me service
- Improve the experience of using Trade Me
- Internal research purposes
- Make services relevant and personalised to your interests
- Marketing
- Other parties under the Buyer Protection Policy
- Personalise the experience
- Promoting and marketing other Trade Me products and Services
- Protect the rights, property, or safety of Trade Me Limited its users or others
- Provide Trade Me with research information
- Promote listed content
- Promote affiliated partners
- Protect members
- Publish listed content (eg; an auction)
- Recommend jobs to the user
- Remarket relevant ads to you after you leave our website (including using your Google Account information if you have one)
- Report suspicious or potentially fraudulent activity on the Website in connection with the Afterpay Service
- Send opted in emails
- Share credit card details with DPS or Paystation
- Share information with Index Exchange, Rubicon Project or Pneumatic
- Share information with Salesforce DMP
- Show you ads that are specific to your interests while you browse Facebook
- Target Adwords advertising
- Third Party services
- To better understand the use of photos on our site and to help us provide a safe marketplace
- To provide the service
- To tie their information with third party services
- To stop fraud
- Track users on Trade Me
- Use third parties to display or use listing content
- Used to deliver the right content to you (cookies)
- Verification of firearms license
- Verify your identity
Apologies for the long list but there was a lot of information in their privacy policy. I have highlighted some of the worst offenders in my eyes. It has taken two hours to get to this point and this is precisely the reason the Privacy Trust Mark is so important. Because people aren’t going to go through the policy, they are going to look at the trust mark logo and assume Trade Me protects their privacy. And maybe it does, but they are exposing your device to third party cookies, third party information gathered through the API, and providing Google with information. Gathering information to provide a better service to the user does not involve using that information to target advertisements at the user. If they are letting third parties advertise to you using your information then they aren’t providing a service to you, they are providing a service to someone else.
Of course, they didn’t receive the Privacy Trust Mark for their privacy policy. In fact Trade Me didn’t receive the privacy tick for their website. They were awarded it for one particular product which was their Transparency Reporting. This wasn’t widely reported in the media. To show a couple of the headlines you would think the entire site had been awarded the mark.
- Trade Me and Real Me awarded Privacy Trust Mark
- Privacy Commissioner launches certification for sites designed with privacy in mind
- New Zealand’s first Privacy Trust Marks awarded to Trade Me and RealMe
- Trade Me given the big tick by Privacy Commission
Only one of the above articles specifies it was Trade Me Transparency Reporting that received the tick. It was a media coup for Trade Me Auctions with thousands of people reading they had received the mark. They didn’t. And if you look at the list above you can see why. In the end it was just fake news.