Priya Dev has a clue on how political spam ended up in her inbox during the 2025 federal election campaign.
Like many Australians, Dev endured an unwanted flood of Trumpet of Patriots text messages – Clive Palmer has admitted to sending 17m of them. But it was email spam from one of the major political parties that she thought she could do something about.
Political parties are exempt from privacy law, so they have no obligation to tell individuals how they find your data, and there is no way to opt out.
But the Australian National University data science academic had a clue: the emails were addressed to a fake name she had used for online purchases years ago – a name also used when she received spam from one of the minor political parties in 2020.
“It looks like it’s come from a transaction,” she says. “It would likely be some sort of online e-commerce transaction, or energy transaction or something like that.”
Tracking down how organisations gain access to individual contact information is “really hard with political parties because they just ignore you,” Dev says. “If I can find out the origin of my data from this mission, it would be really amazing.”
It’s the second time Dev has attempted to track how someone got her data, working through the labyrinthine web of data brokers who – often without our awareness – buy and sell information on the public to advertisers or others who want to know more about us.
Last year, after receiving dozens of unwanted calls, Dev was able to track who held her phone number back to real estate giant CoreLogic Australia, who told her they had been able to legitimately buy her data from another data broker firm in 2023, who had bought her data from another data broker in 2016.
That company told her it obtained her data through a 2014 marketing campaign and had probably passed on her information to at least 50 other companies.
Dev’s experience is not an isolated one. Crikey reported in April that a child’s email address that was signed up for a charity fundraiser more than a decade ago received Liberal party political spam at the most recent election.
How did you get my number?
The answer to how marketers and others find out your contact details and other personal information is a complicated one.
Katharine Kemp, an associate professor who leads the public interest law and tech initiative at the University of New South Wales, says it often occurs through a data-matching service that joins up your personal information across different service providers who then sell that via data brokers.
Kemp said she had the experience where a mortgage broker had called her asking if she was in the market for a mortgage – she suspects they got her information from a real estate agent during an open house visit.
But finding out how they got that information can often be hard, Kemp says.
When she asks those who contact her where they got her details, “they will obfuscate or sometimes just immediately hang up or … give a silly answer, and then when you press them, they very quickly end the call.”
The federal privacy commissioner, Carly Kind, describes the data broking industry in general terms as “very opaque”, with “a very complex value chain of personal information”.
“So because people don’t really know what’s going on, they’re not really empowered to complain about it,” she says.
“I think people find it creepy, the way in which their personal information has been passed around through data brokers and ends up in places that they don’t expect.”
Who are data brokers, and what do they collect?
One global data broker organisation has described its work as “enabling the exchange of information between businesses in the consumer interest and in the support of Australian corporates and small businesses,” according to a 2023 submission to the Australian consumer watchdog’s inquiry into data brokering.
The kinds of information collected includes names, addresses, age, browsing behaviour, purchasing behaviour, financial status, employment, qualification, tenancy history and other socioeconomic and demographic information.
A Reset.Tech Australia report last year found the types of data bought and sold by brokers could include location and movements over time, sexual interests, financial concerns, banking and utility providers, personal problems, gambling or drinking habits, and recent online purchases.
Data broker companies include credit reporting companies, fraud and identity verification companies, news corporations, property companies, tenancy data brokers, marketers, loyalty programs, and social media platforms.
Australians ‘uncomfortable’ with personal information being sold
The Australian Competition and Consumer Commission found in its report last year on data brokering that privacy policies used by companies to allow the sharing of data can use “ambiguous language”, making it hard for consumers to identify who their data is being shared with and for what purposes. They also make it harder, the report found, for people to figure out who holds their data and to opt out of its collection.
The average number of words in a typical privacy policy is 6,876 and it would take 29 minutes to read, the report found.
Research conducted as part of the report found 74% of Australians are uncomfortable with the idea of their personal information being shared or sold.
Some companies seek to downplay concern and privacy obligations – such as providing data held on a person by request – by de-identifying the data collected on consumers. Consumer group Choice found last year data brokers claimed to not hold data on consumers who were members of their loyalty programs, with names taken off the data held.
Kind, the privacy commissioner, says the assertion that de-identified data may not be considered personal information under the Privacy Act could be “creative interpretation” of the law by the companies collecting such data.
The ACCC said de-identified data still carries risks of consumers being identified when combined with data points from other sources.
Kind, speaking generally and without naming any companies in particular, said many Australians would find some of the practices of some data brokers to be “quite uncomfortable to say the least, and often veering on affronting or outrageous”.
“The data is changing hands numerous times. So it is a very complex space, and I think undoubtedly, a big chunk of it is legitimate and in compliance with the [privacy] act. But that’s quite fuzzy – where that stops and where less legitimate activity starts.”
Regulator could flex its muscle
The ACCC report did not make any recommendations, but supported the implementation of strengthened privacy laws in Australia.
Kind says the ACCC’s work has cleared the way for her office to begin looking into the practices of the sector, saying the Privacy Act today “has many elements which could be applied to data brokers to rein in their practices”.
“It’s an issue that I’m keen to prioritise and my regulatory team is currently looking into potentially using our powers in this space,” Kind says.
Dev says there needs to be a debate about extending the privacy obligations to political parties, which would force them to be transparent with the public about how they acquire personal data.
The exemption means that political parties do not have to respond to her requests about what data they hold on her, Dev says.
Kemp says she thinks there is some prospect of tighter rules around data brokering, but there will be no appetite from politicians to change the law on political party obligations.
“But I don’t think we should give up on it as an issue in an area that requires reform.”
