How much information are you willing to give up simply because a retailer demands it?
There have been a few posts in the past about online retailers requesting copies of credit cards or government-issued ID before accepting orders. These requests are usually met with condemnation, and rightly so.
I now find myself in an interesting situation with The Warehouse, where they are demanding I disclose personal information before providing me with a refund.
Prior to the COVID debacle, I complained about a product not being suitable for its intended purpose. After months of follow-up e-mails (sent only when their television and online advertising indicated things were up and running again) and finally creating a second support ticket after my e-mails were continually ignored, they eventually agreed to the refund.
They requested my bank account details for a direct credit, which I considered a reasonable thing to do. I provided my details exactly as they appear on my bank statements, with first and middle initials, which is also consistent with the name that appears on my account with The Warehouse, where I use only my first initial and surname.
While they haven’t gone as far as requesting copies of my ID, Customer Service are now demanding I provide them with my full name, and are refusing to process the refund unless I do. While some of you may think that is a reasonable request, I do not. They haven’t just asked for my first name, they are demanding my full name; information I would only provide to organisations that are legally required to collect and verify primary ID, not a mere retailer. In the 24 years I’ve been buying online, I have never provided an online retailer/marketplace with more information than my first initial and surname, nor am I about to start.
Through further contact with Customer Service, I have been able to ascertain that there is a systems issue which prevents them issuing a refund via the original payment method. By their own admission, they would not require further information but for that issue. The sole justification for requesting my full name appears to be an internal form Customer Service needs to fill out for their Accounts Team. The form asks for it, so Customer Service is sticking to their guns and demanding it. I suspect what the Accounts Team actually wants is just a name, and the details provided would suffice, but Customer Service have also refused to assist with putting someone from the Accounts Team in contact with me so I can provide them with the information they actually require.
This got me wondering a few things.
At what point does a systems issue or internal process override basic privacy?
Surely, it should be up to the business to fix their systems or processes, not make undue demands for information just because they want to do things a certain way. It seems every organisation (including government departments) is now streamlining their processes, and we are expected to do things their way, no matter how absurd. As soon as something doesn't fit in a certain box, we're expected to run around and fix it. Enough! Use some common sense!
How much protection do we really have against rogue organisations demanding personal information?
The Privacy Commissioner actually recommended Privacy Principle 1 be updated to explicitly include a reference to anonymity. The Law Commission in their analysis considered this unnecessary as Privacy Principle 1 already provides for this case, requiring that information collected be necessary. Because of this requirement, relative anonymity is also provided for by the same Principle. The Law Commission even used online trading, a situation in which complete anonymity is next to impossible with goods being traded, as an example of an instance where anonymity may be desired.
Privacy Principle 4 also covers obtaining information by unfair means. I consider withholding a not-insignificant amount of money to which I am legally entitled, unless I give in to their demands, to be unfair.
So, in theory at least, we have a right to anonymity. In practice, however, as highlighted by the Law Commission review, the lack of a specific anonymity clause may cause agencies to overlook this.
The Warehouse has a Privacy Officer, so I dutifully sent a complaint to their Privacy@ e-mail address. More than two weeks later, that complaint hasn’t even been acknowledged, except by their automated system. As this is the same system as their Customer Service uses, I expect my complaint has likely been filed in /dev/null.



