Privacy Risk in Australian E-Commerce
Personal information is fundamental to every e-commerce business, but when was the last time you checked what is happening with the data you hold? Do you know what your suppliers do with your data? What about the impact on your customers if their information is breached? Active privacy management is the best way to mitigate privacy risks to your business and your customers.
E-commerce businesses are, in the most literal sense, data businesses. The entire operating model depends on the collection, analysis, and commercial deployment of personal information at scale. Personalised recommendations, targeted advertising, dynamic pricing, abandoned cart recovery, loyalty mechanics, and conversion optimisation are only effective with massive amounts of data.
E-commerce privacy risk is structurally different from most other sectors. The data collection is not incidental to the business model; it is the business model. Further, the third-party data ecosystem that most e-commerce operators depend on is, from a privacy governance perspective, almost entirely uncharted territory.
Canva: A Global Breach from an Australian Platform
In May 2019, Canva suffered a data breach that exposed user records including usernames, email addresses, names, cities of residence, and salted password hashes. The attacker claimed to have accessed approximately 139 million user records.
What Canva’s Response Got Right
The aspects of Canva’s breach response that distinguished it from more costly responses seen in other Australian breaches are the outputs of proactive governance investment, not reactive scrambling:
Detection: Canva detected the attack quickly because its monitoring systems were calibrated to identify unusual data access patterns; detection capability built before a breach, not during one.
Notification: Canva knew what data was affected, which users were involved, and how to reach them; outputs of a structured data mapping exercise.
Response plan: Canva had a documented incident response plan its team could execute within the critical first 72 hours.
Because Canva was prepared, the OAIC monitored its response but did not take any regulatory action against Canva because of the breach.
The Scale Problem in E-Commerce
Canva had approximately 30 million active monthly users when it was breached. By 2026, it has more than 260 million active monthly users globally. The personal information held by major Australian e-commerce and SaaS platforms has grown at a rate that privacy governance frameworks have, in many cases, not kept pace with. That is not an indictment of the very hard-working privacy professionals in these organisations; it is simply the business reality when deployment of new products and practices is much faster than regulatory action.
For Australian e-commerce businesses experiencing rapid growth, the privacy audit function needs to scale alongside the business. What this looks like in practice is:
executives and boards understanding that privacy risks are human risks, asking questions and leading the conversation in the business
structured privacy reviews at growth milestones, not just when a breach occurs or when a regulator puts out a press release
embedding privacy risk assessment in project teams to identify risks early when they are cheaper to mitigate, and
investing in privacy like the competitive advantage it is, not the blocker it is perceived as.
The Advertising Technology Ecosystem: The Undisclosed Breach Surface
For most Australian e-commerce businesses, the greatest undisclosed privacy risk is not in their own systems. It is in the advertising technology ecosystem that surrounds them.
A typical mid-sized Australian e-commerce operation using standard marketing technology might share customer data through pixels, cookies, tags, and API integrations with a dozen or more third parties without its customers having any meaningful awareness. These may include Meta, Google, TikTok, Klaviyo, Shopify, Afterpay, Criteo, and session recording tools.
Each of these platforms receives personal information about customers. Each of those disclosures is, under the Privacy Act, a secondary use of the personal information customers provided when they made a purchase. Many of these disclosures are not accurately described in the privacy policies of the e-commerce businesses involved. Many involve overseas data transfers that have not been assessed against the APP 8 reasonable steps requirement.
The Collection Notice Problem
Under APP 5, Australian businesses must give individuals notice at or before the time of collecting their personal information. For e-commerce businesses, the practical question is whether the privacy policy customers were directed to when they created an account accurately describes the advertising technology ecosystem that has been deployed since. In most cases, the answer is no.
This is why collection notices must be used in conjunction with a privacy policy. A collection notice is designed to contain specific information on a single or small number of data handling activities. For example: “we will collect your name and address, then use that information to process your order before disclosing that information to Australia Post to deliver your order.”
Privacy policies in e-commerce are frequently outdated, generic (describing “advertising partners” without identifying specific recipients), and inaccessible. The privacy audits we conduct routinely reveal significant gaps between the disclosures actually occurring and the notice provided to customers.
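One way to surface that gap, as an added example that is not part of the original article: the script below lists the third-party hosts a page's static HTML loads and flags recipients missing from the disclosed list. The host-to-recipient map, the sample page, shop.example and the disclosed list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative host-suffix -> recipient map (an assumption; not exhaustive).
KNOWN_RECIPIENTS = {"facebook.net": "Meta", "facebook.com": "Meta",
                    "googletagmanager.com": "Google", "klaviyo.com": "Klaviyo"}

# Constructed sample page; shop.example and the tag ids are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/cart.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.klaviyo.com/onsite/js/klaviyo.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&ev=PageView">
<iframe src="https://replay.tracker.example/embed"></iframe>
</body></html>
"""
DISCLOSED = {"Google", "Klaviyo"}  # recipients named in the hypothetical notice

class TagCollector(HTMLParser):
    """Collect the hosts of script, img and iframe sources on a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:  # relative URLs have no host and are first-party
                self.hosts.add(host.lower())

def recipient_for(host):
    """Map a host to a known recipient by exact or dot-bounded suffix match."""
    for suffix, name in KNOWN_RECIPIENTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def audit(html, first_party, disclosed):
    """Return recipients absent from the notice and hosts nobody has identified."""
    collector = TagCollector()
    collector.feed(html)
    third = {h for h in collector.hosts
             if h != first_party and not h.endswith("." + first_party)}
    named = {h: recipient_for(h) for h in third}
    return {"undisclosed": sorted({n for n in named.values() if n and n not in disclosed}),
            "unidentified": sorted(h for h, n in named.items() if n is None)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "shop.example", DISCLOSED))
```

This only sees tags present in the delivered HTML; tags injected at runtime by a tag manager need a browser network capture to inventory.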
The Meta Pixel Risk
The deployment of the Meta (Facebook) pixel on e-commerce sites has become a specific area of legal risk in Australia and internationally. The pixel can, depending on configuration, transmit personal information about website visitors to Meta’s servers in real time. In health or pharmaceutical e-commerce contexts, this can include information that may constitute health information under the Privacy Act. It is true that the Meta Pixel is often configured not to collect names; however, website usage, clicks, session time, purchases, registrations and search history all combine to create user profiles that are just as effective as a name at identifying an individual. If they weren’t, no one would use it.
Australian e-commerce businesses, in particular in health, pharmacy, fertility, and mental health sectors, that have deployed the Meta pixel without a privacy impact assessment, without an APP 8 overseas disclosure assessment, and without accurate collection notices are carrying a specific and identifiable legal risk.
The Fulfilment and Logistics Supply Chain
E-commerce logistics depends on sharing personal information (delivery addresses, contact details) with third-party fulfilment providers, courier companies, and last-mile logistics operators. In many cases, these third parties further share information with subcontractors and overseas processing services.
This creates a supply chain privacy risk with the additional complexity that the information being shared is typically the customer’s home address. In some cases, this information carries personal safety implications such as instances of domestic violence, witness protection, or targeted harassment. In our experience, standard logistics agreements rarely meet APP 8 and APP 11 requirements.
As an e-commerce business, you need to take reasonable measures to ensure the security of personal information. This includes your supply chain. Contracts and regular auditing of your supply chain are key tools for not only ensuring you are compliant with the law but also protecting your customers.
What Australian E-Commerce Businesses Should Do Now
So where do you start? Ultimately it comes down to knowing your business and what is happening within it. We recommend starting with the following:
Conduct a data mapping exercise covering every customer touchpoint and every third-party integration that receives personal information
Conduct a privacy impact assessment for every new technology, platform integration, or data initiative before it is deployed
Review and update your privacy policy and collection notices to accurately describe your current technology stack and data disclosure practices
Implement data retention schedules for inactive customer accounts and historical purchase data
Audit your logistics and fulfilment supply chain for APP 8 and APP 11 compliance
E-commerce businesses that treat privacy governance as a competitive advantage and invest in trust as a brand asset are better positioned commercially, regulatorily, and reputationally than those that treat it as a compliance cost to be minimised.



