Regulating unsolicited communications
I would like to thank Chris Owen and the Australian Market and Social Research Society for the opportunity to speak with you tonight. We welcome engagement with your sector at this critical juncture where the needs of privacy must be balanced with the needs of an innovative and well-functioning democracy.
First, I would like to begin by acknowledging the traditional owners and custodians of the land on which we meet today, the Wurundjeri people of the Kulin Nation. I pay my respects to their elders past, present and emerging.
To set the scene, according to the World Economic Forum, the 4th wave of the industrial revolution is upon us: Artificial Intelligence, the Internet of Things and big data – the convergence of the physical, digital and biological. Machine consciousness looming.
I was asked recently if I was an optimist or pessimist in relation to this 4th wave. Was there promise or peril in them there hills…
The optimist in me says “promise”. The digital economy can improve our lives and not at the expense of humanity.
As a realist, however, I know that the promise cannot be delivered by itself. Our privacy concerns outrank previous safety considerations that bought about seat belts and smoking bans. Industry won’t bring about these safeguards on their own. There is and will be a role for Government.
Recent modelling suggests that over the next few years demographic and technological changes will lead to a 60-70% increase in the amount of data consumed by the average Australian household.
As we consume more data we become more valuable as a commodity rather than a consumer. We become more vulnerable to those engaged in crime and deceit. Today’s cyber criminal is yesterday’s car thief. It is the crime de jour and will only become more prolific.
Take the case of Alan – he received a scam call from the ATO – the calling number presented as a legitimate ATO phone number that was spoofed (or overwritten). Alan had just started his business last year, so he was relying on his accountant to sort out all the mandatory business reporting. So he engaged.. and was told he’d go to jail for five years if he didn’t contact the ATO about an outstanding debt of $9,000.
It was a very convincing call. During the call, Alan was asked for his accountant’s number for a three-way conference call with a fake member of his accountant’s practice who said that his usual accountant was at another meeting. This convinced Alan that there really was an error in his tax and fall for the scam.
Every day, regulators get reports of these types of scams going on – the organisations being targeted might change, but the threat and impact remains.
You might think, oh well Alan should be able to tell the difference between a real ATO employee and a fictional one. Perhaps, but I think that the growing sophistication of digital technology is making it increasingly difficult to know what to believe, to be able to tell what is real, and what is fake.
Let me show you this video.
Fake news and the ultimate propaganda machine. Sometimes you cannot believe what you see or hear. It raises the question of disclosure. Should we have the right to know what is real and what is fake. Should it be declared if we are talking to a machine rather than a human? Do you know?
The ACMA’s priorities in this shifting environment include ensuring there is both public confidence and trust in communications and media services, as well as a regulatory framework that anticipates change and is flexible enough for us to act quickly when needed.
Tonight I want to speak to you about:
- some key aspects of the ACMA’s work and the points of intersection with the research community;
- recent ACMA research on unsolicited calls that informed our report to the Minister on our unsolicited comms functions (in response to the government review of the ACMA); before finishing with
- some observations about the broader data privacy environment and the opportunity for regulatory reform of the unsolicited comms arrangements.
ACMA’s role and points of intersect with research community
Let me first say something about the ACMA’s role in relation to unsolicited comms.
I’m sure you’re aware that the Spam Act, Do Not Call Register Act and Telemarketing Industry Standard regulate how marketers engage with consumers via commercial electronic messages and telemarketing calls.
Telemarketing and eMarketing from charities, government, political parties, electoral candidates and independent members of parliament, and educational institutions is generally exempt from the obligation in both acts.
However, all telemarketing is covered by the Telemarketing Industry Standard that sets out permitted calling times and what information must be provided during a call. Notably, research and opinion calling are also covered by the Industry Standard.
To give you some idea of the scale of community interest in the Do Not Call Register alone - there are currently 11.68 million consumer numbers on the register, and that number grows by approximately 400,000 annually.
In the last financial year we received over 43,000 complaints about unsolicited comms and we have been significantly stepping up our enforcement actions.
In the past 12 plus months, the ACMA has given significant penalties for breaches of telemarketing and spam rules as part of a campaign against non-compliance. That has included issuing multiple Do Not Call Register and Spam infringement notices, including the largest infringement notices issued to date:
- TPG paid a 360 thousand dollar infringement notice for breaches of the Spam Act
- Lead My Way paid a 285,600 dollar infringement notice– for making telemarketing calls to numbers on the Do Not Call Register
The level of consumer concern about unwanted telemarketing supports the strong enforcement action the ACMA is taking in this area.
You’ll be pleased to know only a small number of these complaints and breaches concern the activities of the research industry, and these generally related to alleged breaches of the calling times. I will note, however, that ‘lead generation’, that can sometimes have blurred lines with market research, remains a significant concern to consumers and the ACMA. A market research call that ended with a prompt for whether consumers would like a return call or visit in relation to a product or service would likely fall under the Do Not Call Register rules.
ACMA Review and research undertaken to inform the ACMA’s report
The Department of Communications and the Arts released its Review of the ACMA in May 2017. The Review recommended the ACMA’s remit be expanded to cover all four layers of the communications market including infrastructure, transport, devices, content and applications, including potentially where we may not currently have coverage (e.g. online material).
As I will discuss, that has implications for the regulation of unsolicited comms, including where rules around key consumer issues – like consent – vary according to the channel and/or device upon which the marketing activity is delivered.
One recommendation called on the ACMA to examine the potential for industry self-regulation of the ACMA’s telemarketing, spam, Do Not Call Register, and Integrated Public Number Database functions.
This meant undertaking a thorough examination of the regulatory framework for unsolicited comms which we finalised in May this year. The report was published on 3 December.
A key input into our report on the potential for self-regulation, was the consumer research which we are here to speak about tonight.
Research is the foundation of much of the ACMA’s work. It informs our decision-making processes; it takes us beyond the anecdotal evidence and media speculation that too often can skewer the reality; it enables us to examine and weigh up the merits of both consumer and industry viewpoints.
So, in December 2017 the ACMA commissioned the Social Research Centre to conduct qualitative and quantitative research to investigate the Australian consumer experience with unsolicited calls.
What did the research tell us?
My colleague Wendy Paterson will go into more detail about the results, but some top-level findings were:
- there is significant consumer concern about telemarketing, with two in five people more concerned about telemarketing than five years ago
- there is significant consumer concern about scams, and a view that not enough is being done to protect individuals from scam calls
- consumers are confused about how their data was obtained and if they gave consent.
These findings reaffirm research findings in previous years - (2012 and 2016)- and but also indicate that consumers are more concerned than they were five years ago about unwanted calls.
Based on the level of consumer concern about the impact, combined with limited industry support for deregulation and our compliance data, our report to the Minister found that there was no case for self-regulation of the functions.
On the subject of scams, from January to August this year, scams increased by 44%, costing Australians nearly 84 million dollars. And you can imagine at this time of the year scams are on the rise and consumers have had enough.
The ACMA’s newly announced Scam Technology Project will bring together experts from industry and government to investigate what can be done to disrupt scam activity.
The Project will consider consumer and network-based solutions like call blocking and what network operators can tell us about the calls carried on their network. For example, high volume, short duration calls may indicate a ‘Wangiri’ scam. This is where the scam aims to entice a consumer to reply to a missed call message, and the calls are then routed to a premium rate service that automatically charges them a large sum of money.
Network authentication technical protocols have the potential to allow telecommunications networks to determine what is a legitimate communication and what isn’t – based on its signature – and therefore to block the calls on this basis.
We will be looking at all scam types delivered over telco networks - phone calls, SMS and email scams. A reference group will be set up with representatives from the ACMA, the Australian Competition and Consumer Commission and the Australian Cyber Security Centre. It will also tap into industry expertise and experience. There is much more work to be done in this space.
The broader data privacy environment
Consumer confidence is a prerequisite for participation in the new digital environment which is evolving so rapidly that it is hard - I want to say impossible - for many to keep up. Naturally this impacts how people go about their lives and their businesses.
Not surprisingly, marketing to mobile phones is increasing, but the regulatory regimes for telemarketing calls to a mobile phone and commercial SMS to the same device are very different. The telemarketing call is permitted, unless you’re on the Do Not Call Register and have not consented; while the SMS is generally prohibited, unless you’ve consented. No wonder people are confused.
The regulatory framework for communications has not kept pace with the seismic shifts occurring in technology and the commercial world. The old world has not kept up with the new world and this can leave our most vulnerable most exposed and increase the gap between the haves and have nots.
This isn’t just limited to the unsolicited comms and research worlds. It is a wider issue that we are seeing right across the communications and media landscape.
Internationally we are seeing how the approach to privacy crosses many jurisdictions, as well as national borders. It is no longer something that can be managed in isolation - privacy protection including how individuals can access and share their data is an issue common to consumers around the world.
We are also seeing a growing understanding among consumers and governments of the reach and the power of data-driven services such as the Facebook, Apple, Amazon, Netflix, and Google – the FAANGs – of this world. With that understanding has come an increased consumer demand for personal agency and accountability.
Our research showed recent issues such as targeted marketing using third party data accessed without consent, have resulted in a greater community expectation that governments will step in to protect their citizens.
The recent Cambridge Analytica case demonstrates the threats and dangers of the consent issue. Generally, users must consent to giving apps their data but in Cambridge Analytica case, the data was obtained without explicit consent. This data was then sold to make “psychographic” profiles about voters.
As a reaction to the call for increasing consumer protection, the EU have strengthened data rights in new General Data Protection Rules – data must not be publicly available and cannot be used to identify a subject without explicit, informed consent. Consent can be revoked at any time. Previously the EU had separate privacy rules governed by individual countries which varied considerably.
Closer to home, the Productivity Commission is advocating for a Consumer Right. A goal of this work is to develop a clear form of joint control with data collecting firms and agencies for data sharing, to engender more trust in the integration and sharing of data.
As the then Productivity Commissioner Peter Harris AO noted, trust is vital in this area as we have seen this play out in the recent My Health record debate.
Almost 6 million Australians have a My Health record. However, despite the potential benefits of the system, they may be unaware that this record brings together health information generated by the patient, their health care providers and Medicare. The recent public debate (culminating in the opt-out timeframe being extended to January 2019) confirms a level of concern about who and how personal information is accessed.
Certainly, as our research – along with our complaint data – shows, consumers are confused about when they are giving their consent and want to know how their information is shared.
Giving informed consent can be difficult when consumers are faced with pages of intricate legalese to read and sign before they have access to even the simplest digital service or product.
According to a 2017 survey into Australian community attitudes to privacy conducted by the Office of the Australian Information Commissioner, 69% of Australians are more concerned about online privacy than they were five years ago, while only 29% of people read privacy polices online.
For whatever reason – no time to read the contract, digest the intricate legal language - 71% of consumers are not reading privacy policies about the use of their data and any trade-offs they are making in the process. The balance is out of kilter. People want their privacy respected but privacy policies are not always respectful.
There is no simple, nor single answer to these issues.
Regulating the boundaries of consumer consent is an area that we will be increasingly looking at going forward.
A big challenge will be how to simplify the question of consent so that both consumer and the market know exactly where they stand. Informed consent must be the goal.
Opportunities for regulatory reform of unsolicited comms
In this broader context, we have identified a range of factors that suggests opportunity for broader reform of the current unsolicited comms regulations. These include new and emerging:
- communications technologies, evolving market practices and convergence on the communications network layers of content, application and transport
- pressures related to the current policy and legislative framework, and
- consumer behaviour and expectations.
The ACMA’s report to the Minister raises broader reform options for government to consider, including potential drivers for a new unsolicited comms regulatory scheme. Such a scheme could provide a consistent set of consumer safeguards across all communications platforms that is technology-agnostic and aligned under a single set of unified privacy principles.
This would ensure consumers have improved control over and understanding of the use of their data, while providing greater clarity to industry. Maybe an ‘opt-in’ approach to all marketing, and only upon provision of clear and specific consent from consumers. Such a consent-based model would essentially give control to consumers over their data and make the Do Not Call Register redundant.
Take for example the privacy model developed by Toby Walsh – Professor of AI at UNSW. For every company, for every consumer engagement across every app, every website, every platform, four choices could apply:
- We keep no information on you
- We keep information on you for these purposes [e.g. to improve our offering to you]
- I agree that my information can be shared with these other entities [insert entities]
- I agree that my information can be made public.
The minimum privacy setting could potentially be fixed at level two with consumers able to opt into a preferred setting, either more stringent or more relaxed – informed consent?
We will continue to actively monitor these issues and work on developing solutions that will address consumer harms. In saying that, it is important to note that as the regulator we are always looking to balance the rights of consumers without shackling the innovations of the marketplace. And of course it is critical to ensure that objective, accurate and timely information is available to support public policy objectives and to ensure a well-functioning democracy. We appreciate the work you are doing in this space.
I would like to now introduce Wendy Paterson, Senior Research Analyst at the ACMA who will give us more detail on the consumer experience research.