Disclaimer: This post is not legal advice. For specific compliance decisions, engage a privacy lawyer. What follows is our professional view on what’s changed and what it means for marketing operations.
On 13 May 2026, Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), rewrote its guidance around collecting personal information by updating APP 3 (Australian Privacy Principle 3). It is the first major update in over a decade, and it has landed right in the middle of how modern marketing works.
The short version: a lot of things your martech stack does automatically, things you may have never even thought of as “collecting data,” are now seen as data collection. The big change is that the OAIC has now made it clear that these activities are, in fact, collection events. That matters because data collection comes with legal obligations. And here is the part that should stop you mid-scroll: these changes will shrink the audiences you can market to and make your campaigns less effective.
This post is not a guide on exactly what to do about it. It is a plain-English breakdown of what has changed and why you need to care.
Here is what the regulator now considers data collection under the new guidance:
- Using AI to predict things about your customers (their likelihood to buy, churn risk, interests)
- Building audience segments based on those predictions
- Buying data about people from a third party and adding it to your own records
- Matching your customer list against an external database to fill in gaps
- Tracking people’s behaviour on your website or app via cookies
- Collecting inputs from chatbots or AI assistants
- Recording and transcribing meetings using AI tools
- Scraping publicly available information from the web
- Using customer data to train an AI model
- And more
If your business does any of the above (it does), read on.
Why this will hurt your marketing performance
Let’s start with the business impact, because this is ultimately what matters to you.
When people are given a genuine, easy choice about whether to share their data, fewer of them say yes. When the EU introduced similar privacy rules (GDPR), some businesses lost up to 70% of the audiences they could previously market to. Australia will likely see smaller losses, but the direction is the same. Fewer people consenting means smaller audiences, weaker targeting, less accurate campaign measurement, and ads that are harder to optimise.
Marketing teams are already losing between 30 and 50 percent of their attribution signal, just from existing privacy settings. These changes tighten that further. Weaker attribution means worse bidding, lower-quality lookalike audiences, and degraded behavioural modelling across the board. The brands that have already been building genuine, trust-based relationships with their customers will feel this least. The brands that have been relying on hidden defaults and sneaky opt-ins to grow their data will feel it most.
Using AI to predict things about your customers is now regulated
Many marketing tools automatically generate predictions and scores about your customers. Which ones are likely to leave. Which ones are ready to buy. What their age or income bracket probably is. Under the old guidelines, this was seen as simply processing data you already had.
Under the new guidance, generating that kind of prediction is itself classified as collecting data, and it comes with obligations. You need to be able to show that producing each prediction was genuinely necessary, that the benefit outweighs the privacy cost, and that it would not come as a surprise or feel unfair to the person it is about.
Data enrichment just got much harder to defend
Many businesses buy lists, use data enrichment services to append extra details to customer records, or match their data against wider databases to build a richer picture of who their customers are. The new rules close a loophole that previously made this easy to justify.
“We bought it from a supplier who said it was fine” is no longer a sufficient answer. If the person whose data you are using did not consent to it being used in the way you are using it, that is now your problem, not your supplier’s.
Your cookie banner needs to actually give people a real choice
The regulator has explicitly called out the tricks that many consent banners use: making “accept all” big and obvious while hiding “reject all,” pre-ticking boxes, wrapping everything into a single yes-or-no when people should have separate choices for separate uses.
The test is no longer whether someone technically clicked a button. It is whether they were genuinely given a free, informed, and easy choice. For best practice, your accept and reject options need to look and feel the same, people need separate controls for different types of data use, and any pre-selected boxes need to go.
Publicly available data is not a free pass anymore
If your team scrapes public websites, uses social listening tools that link posts back to individual people, or uses customer data to train a custom AI model, the new rules apply.
“It was already public” is no longer a complete defence. You still need to show that using it was genuinely necessary and that a reasonable person would consider it fair.
The platforms will not fix this for you
The tools you use (your consent management platform, Google, Meta, your email platform) will all make surface-level updates. But they will not do the hard work for you.
The responsibility for being able to justify each piece of data you collect, where it came from, what you are using it for, and why that is fair, sits with you.
What you actually need to think about
The regulator is now asking one central question of every piece of data in your marketing operation: was collecting this genuinely necessary, fair, and something the person would reasonably expect? If the honest answer is “probably not,” that is where your risk sits.
Again, this post is not here to tell you exactly what to do. But if you want to work through where your biggest exposures are and what actually makes sense to do about them, we are here.
Get in touch with us for an audit
And if you need the full detail to share with your CEO or board, the original analysis by Paul Hewett covers the regulatory specifics in depth:
Your martech stack is a collection engine. The OAIC just said so. (paulthinks.com)
