The closure of Dick Smith Electronics will be the stuff of case studies in years to come. From hobbyist’s playground to consumer electronics flop it has amassed a large database of customers over the years. But can the receivers sell that data as part of the company fire sale?
Under the Australian Privacy Act of 1992, there are two conditions that have to be met in order for customer data to be sold.
- The seller has the consent of the individuals whose data is being sold prior to the completion of the sale
- The sale of the customer database is authorised/required by law
According to the Office of the Australian Information Commissioner, those provisions of the Privacy Act don’t apply if the business is changing ownership. However, in the case of Dick Smith, there’s no ownership change. The receivers see the customer database as an asset, just like all the TV, computers and other gizmos they are selling.
So, in short, Ferrier Hodgson, Dick SMith’s receivers, are within their legal rights to sell customer data as long as they comply with the law and get the consent of each person in the customer database.
That means customers will be getting a communication from the receiver asking for explicit permission to include their data in the sale. If you were a Dick Smith customer, keep an eye out for that email and make sure you respond accordingly.
[OAIC guidelines for selling customer data]
Did you just catch yourself wondering if something was legal or not? Let us know and we may be able to answer it in our next Is It Legal? feature.
Comments
4 responses to “Is It Legal For Dick Smith To Sell Its Customer Data?”
what are the chances you agreed for them to sell it when you first handed the data over, no one reads the terms and conditions after all especially if they are implied during a mouth to mouth cash register exchange
If people don’t reply does this still entitle them to sell it? Can consent be assumed?
In many cases the form you sign when you buy something includes wording to the effect that your data can be passed to “business partners”, “marketing partners” or similar; there is normally an opt-out box at that point. (That most people ignore.)
That portion of their database can be sold without privacy worries.
For everybody else, AFAIK consent CANNOT be assumed. They have no way of knowing that your email address or phone number is accurate, if it ever was, so failure to respond cannot be construed as consent to a contract (i.e. the agreement to redistribute your details) that you never signed.
OTOH (a) IANAL and (b) we live in a world serving up a summons via Facebook has occasionally found to be legal, but (c) the incremental value of a few extra names on a mailing list (a few cents) is probably not worth the risk, since the people who get paid are the creditors, but the person assuming the risk is the administrator.
TLDR; probably too risky for the administrator, except for those who already gave consent.
Dear Ferrier Hodgson,
What part of ‘NO’ are you having difficulty with when it comes to flogging my data?
The part where they dont get money when you say No.
I just logged into my Dick Smith online account, changed my name to Jack Smith, removed my address, and changed the email to a mailinator email. Done. Gone. You can’t delete a account, but you can spoof it. I assume the database that they will sell will be the most recent data dump, so there’s probably going to be a lot of Jack Smith’s.
Except that’s not the way the database works. Changing details does not write over the top of the old entry. It creates a new child “contact” attached to the original parent contact.