Consumers Online: Privacy, Security and Identity

Professor Margaret Jackson and Marita Shelly
Presentation to the RMIT Financial Literacy, Banking & Identity Conference
October 2006
Motivation for Study
• A previous study found that small business operators often struggle to understand and comply with their obligations to consumers under agreements with their credit provider, consumer protection legislation and the Privacy Act 1988 (Cth).
• The purpose of this study was to assess the possible vulnerabilities of consumers when buying online.
• Data from the ABS indicates that business to consumer electronic commerce is expanding.
B2C Electronic Commerce

The percentage of businesses in Australia with a website grew
from 6 per cent in 1998 to 27 per cent in 2005.

The percentage of Australian adults who use the Internet to
purchase goods and services has increased from 27 per cent
in 1999 to 31 per cent in 2004/2005.

Travel, accommodation and tickets are the most popular items
ordered or purchased via the Internet.

The percentage of Australian businesses that received orders
via the Internet grew from six per cent in 2002 to 13 per cent
in 2003 and has remained steady at 12 per cent in 2004 and
2005.
Outline of the Study

Identify the privacy, security and identity issues facing both
consumers and small business in the B2C e-commerce
environment.

Websites of 20 small Australian businesses were reviewed.

The websites either sold goods and services and/or provided
information about goods and services via the Internet.

Eleven sites sold goods online, seven provided information
only and two sites allowed online ordering.
Outline of Study cont…

Each website was checked for a privacy policy, terms of
use, a disclaimer, level of security and payment options
available.

We assessed the website content in respect of legal
obligations under consumer protection legislation, the
Privacy Act 1988 (Cth) and contracts with merchant
facility providers.

We made an overall assessment of the websites’
compliance with sections of The Australian Guidelines of
Electronic Commerce relating to fair business practices.
Good Practice Guidelines
• The Guidelines, published by the Federal Department of Treasury, are not mandatory. They set out guidelines to assist an online business.
• We focused on seven sections in the Guidelines dealing with:
  - Fair Business Practices
  - Business Identification Details
  - Contractual Information between the Business and the Consumer
  - Consumer Privacy
  - Security and Authentication
Good Practice Guidelines cont…
Findings…
• Five websites appear not to meet the minimum standard set out in s 15 relating to fair trading.
• All 20 websites appear to meet the identification requirements (company name, address, etc) under ss 23, 23.1 and 24 to 24.4.
• Of the 14 websites that were retail businesses, all provided information on the cost of goods and delivery as required by ss 25 and 26.
Good Practice Guidelines cont…
• 12 sites provided a privacy policy, all of which discussed how personal information of customers is handled as required by s 37.
• As required by s 42.1, of the 11 sites that sold goods online, nine provided secure payment facilities via Secure Sockets Layer (SSL).
2003 ACCC Study
• Reviewed the top 1,000 Australian consumer websites.
• 265 websites had online terms and conditions.
• 50 per cent attempted to disclaim responsibility for accuracy of information.
• 50 per cent have disclaimers of warranty clauses.
• 66 per cent attempted to limit liability.
Trade Practices Act 1974 (Cth)
• Consumer protection legislation applies equally whether the sale occurs face to face, by telephone or over the Internet.
• The Trade Practices Act imposes certain conditions on businesses when they provide goods or services to consumers which are to be implied into every consumer transaction.
• These implied terms are that the goods correspond with their description, are of a merchantable quality and are fit for the purpose for which they are to be used.
Trade Practices Act cont…
Relevant Sections:
• 70(1) – Goods to comply with description
• 71(1) – Merchantable Quality
• 71(2) – Fitness for Purpose
• 68(1) – Implied terms within the Act cannot be excluded
• 52(1) – Prohibited Conduct
• 53(1) – False or Misleading Representation
• 17 websites had online terms and conditions.
• 11 sites made reference to a Disclaimer.
• 5 sites may have breached their legal obligations to consumers.
Example One: Disclaimer of Warranty
Customer and prospective customer access to this
website is provided on an “as is” basis and without
warranty of any kind, whether expressed or
implied including without limitation, warranties of
merchantability, fitness for a particular purpose or
title.
Example Two: Disclaimer
To the best of our knowledge, the information
is accurate and current. However, Company A
does not make any representation or warranty
as to the accuracy or completeness of the
information.
You further acknowledge and agree that
Company A will not be liable to you or any
other person for any direct, indirect,
incidental, special, consequential or exemplary
damages, including but not limited to
damages for product liability, personal injury
or negligence resulting from use of goods or
services supplied to you, or on behalf of you,
through the website.
Merchant Agreements
Terms and conditions are imposed on businesses through their agreements with credit card providers. They include:
• Obtain authorisation for credit card transactions
• Keep customer information confidential
• Abide by the Privacy Act
• Keep information secure
• Specify what a merchant should place on their website
Merchant Relationship
• The ANZ Merchants’ Agreement provides at Clause 17 that the merchant’s website should contain:
  - a description of the goods or services offered
  - a returns and refund policy
  - a customer service contact, including electronic address and/or telephone number, and the merchant’s physical address
  - any export or legal restrictions
  - a delivery policy, including the delivery cost; and
  - a privacy policy, including the Merchant’s policy on dealing with Cardholder information.
Merchant Relationship cont…
Using the ANZ merchant agreement, which is a typical example
of an agreement, we examined whether the sites with a
Merchant Relationship had complied with other obligations
under clause 17 of the agreement.
Number of Websites – Studied: 20
Number of Websites – Sell Online: 11
Number of Businesses – Merchant Relationship: 9
Number of Websites – No Descriptions of Goods: 0
Number of Websites – No Return/Refund or Delivery Policy: 2
Number of Websites – No Contact Details of Business: 0
Number of Websites – No Privacy Policy: 6
Consumer’s Privacy

Many of the websites would not have needed a privacy policy, as a
business with a turnover of $3 million or less is exempt from
the Privacy Act 1988 (Cth).

12 websites had a privacy policy, with all policies discussing
how personal information of customers would be handled.

Five policies stated that customers would be notified if the
privacy policy changed.

No business had opted in under the Act.

Five websites claimed that they were bound by the Privacy Act
or ‘committed to complying with [their] obligations’ under the
Privacy Act, which is misleading.
Recommendations
• Increase awareness of web designers about obligations imposed on businesses by legislation and contract law.
• Promote the Australian Guidelines of Electronic Commerce more widely.
• Media campaign by The Office of the Privacy Commissioner aimed at web designers and small business:
  - Explaining the operation of the Privacy Act and its application to small businesses.
  - Designing an appropriate privacy policy.
Recommendations cont…
• Continuing media campaigns by the ACCC aimed at small businesses and consumers:
  - Explaining the operation of the Trade Practices Act.
  - Designing an appropriate disclaimer.
  - Contents of terms and conditions.
Concluding Comments
• People use the Internet because it is a convenient way to locate information or to buy goods and services.
• Small business operators are responsible for complying with their legal obligations to consumers under consumer protection legislation as well as complying with the terms and conditions of their merchant agreements.
• Consumers are also responsible for reading a business’ privacy policy or online terms and conditions and deciding to deal with that business.