Priya Dev suspects she knows why political spam inundated her inbox during the 2025 federal election campaign.

Like many Australians, the developer endured an avalanche of unwanted patriotic text messages—Clive Palmer himself admitted to sending 17 million of them. However, it was the email spam from one of the major political parties that caught her attention.

Political parties are exempt from privacy laws, meaning they aren’t required to inform individuals about how to access their data, nor is there an option to opt out.

Nonetheless, clues surfaced for the Australian National University Data Science Academic. The email was sent to a pseudonym she used for an online purchase years ago—also employed in 2020 when she received spam from a minor political party.

“It appears to originate from a transaction,” she stated. “It could likely be from some online e-commerce deal, or energy trading, etc.”

Tracing how organizations access personal contact details is “extremely challenging for political parties because they often ignore inquiries,” Dev notes. “If we could uncover how this data was sourced, it would be groundbreaking.”

This marks the second time Dev has tried to trace how her data was accessed. Data brokers frequently buy and sell information to advertisers and other entities seeking insights into people without their consent.

After receiving numerous unwarranted calls last year, the developer tracked down who had her phone number. She returned to the real estate giant CoreLogic Australia, which informed her in 2023 that her data had been legally obtained from another data broker.

The company explained that it retrieved her data through a marketing campaign from 2014 and shared her information with at least 50 other companies.

Dev’s situation isn’t unique. Reports indicate that a child’s email, registered in a charity fundraiser over a decade ago, also received political spam from the Liberal Party during the recent election.

How did you get my number?

Understanding how marketers and others acquire your contact details and personal information is complex.

Katherine Kemp, an Associate Professor at the University of New South Wales leading the Public Interest Law and Technology Initiative, explains that this often occurs through data matching services that merge personal information from various service providers, subsequently sold via data brokers.

Kemp mentions she has encountered mortgage brokers in the mortgage industry.

Yet, discovering how they obtained that information can be quite elusive, Kemp adds.

When she inquires where people got her details, she often hears, “They either evade the question or abruptly hang up… providing vague answers, and if pressed, they quickly end the call.”

Federal Privacy Commissioner Carly Kins described the data-broking sector as “extremely opaque” and possessing “a convoluted value chain of personal information.”

“Thus, people are left in the dark, lacking authority to voice their concerns,” she states.

“Many find it unsettling. I believe it’s concerning how personal information is relayed through data brokers, landing in unexpected places.”

Who are the data brokers and what do they collect?

A global data broker organization claims it will “facilitate the exchange of information for consumer benefit and support to Australian businesses and small enterprises,” as stated in a 2023 submission to the Australian Consumer Watchdog’s data brokerage survey.

Information collected can include name, address, age, viewing habits, purchasing patterns, financial status, employment background, qualifications, tenant history, and other socio-economic and demographic details.

According to Reset.Tech Australia, last year’s report highlighted the types of data purchased and sold by brokers, including location tracking over time, financial details, tendencies related to gambling and drinking, and recent online purchases.

Data broker companies include credit reporting agencies, identity verification firms, news organizations, real estate companies, tenancy data firms, marketers, loyalty programs, and social media platforms.

“Unpleasant” Australians whose personal information is sold

The Australian Competition and Consumer Commission uncovered in last year’s data broker report that privacy policies often use “ambiguous language,” complicating consumers’ ability to identify data sharing practices. This makes it tougher to ascertain who has their data and opt out of such collections.

The average privacy policy contains 6,876 words, and it reportedly takes 29 minutes to read.

A survey featured in the report indicated that 74% of Australians are uncomfortable with the idea of their personal information being shared or sold.

Some companies attempt to downplay privacy concerns by outlining data collection to consumers and offering access to information held upon request. A consumer group found last year that a data broker claimed it didn’t retain data from loyalty program members.

Privacy Commissioner Kins noted that claims from data-collecting companies suggesting that personal information falls under the Privacy Act could be a “creative interpretation” of the law.

According to the ACCC, identified data, when aggregated with data points from other sources, still poses a risk of consumer identification.

Overall, without naming specific companies, many Australians expressed that some practices within the data brokering industry feel “very uncomfortable at best, often indicating serious breaches of trust.”

“Data transfer often occurs multiple times, creating a complicated environment. While much of this is legal, [privacy] practices remain vague and often reside in a gray area with minimal legitimate actions.”

Regulators can flex their muscles

Although the ACCC report didn’t issue any recommendations, it endorsed the strengthening of privacy laws in Australia.

Commissioner Kins indicated that the ACCC’s work could pave the way for her office to investigate practices in the sector, stressing that current privacy laws contain “various elements that could restrict practices applicable to data brokers.”

“I want to prioritize this issue, and my regulatory team is currently contemplating how to utilize our authority in this realm,” Kins remarked.

Dev emphasizes the need to discuss expanding privacy responsibilities for political parties to ensure they transparently disclose how they acquire personal data.

The current exemption allows political parties to bypass her inquiries concerning what data they hold, according to Dev.

Kemp believes there’s potential for stricter laws concerning data brokering, but expresses little desire to alter the legal obligations of political parties.

“However, I don’t believe we should abandon discussions on reform in this area.”