Privacy Act Reform Australia: How Marketers Can Continue To Work

Aug 22, 2024

With the privacy act reform in Australia, we wanted to deep dive into how data folks and marketers can continue to do their jobs. This is a practical exploration of the new privacy act reforms, how it will change the marketing landscape in Australia, and how marketers can continue to ‘market’ with the new reforms in place.

The content of this article is provided for informational purposes only and is not intended as legal advice. If you need legal advice, contact a lawyer. If you need marketing advice, contact us.


Privacy Reform Timeline


The global shift towards more stringent data protection began with the European Union’s General Data Protection Regulation (GDPR) in 2016, followed by California’s Consumer Privacy Act (CCPA) in 2020. These regulations set new standards for data privacy, limiting how businesses collect, store, and use sensitive consumer data. Now, Australia is following suit with the Privacy Act reform with proposed amendments to the Privacy Act 1988.


Privacy Act Reform Timeline

Australia’s Privacy Act reform is due to be introduced soon, following a process that began with the ACCC’s Digital Platforms Inquiry Report in 2019.

  • Jul 2019: ACCC issues Digital Platforms Inquiry Report
  • Oct 2020: Privacy Act Review Issues Paper
  • Oct 2021: Privacy Act Review Discussion Paper
  • Sep 2023: Government Response
  • Aug 2024: Privacy Act Reform to be introduced
  • 2026?: Privacy Act Reform to take effect


Marketers not ready for Privacy Act reform

Recent studies indicate that many Australian marketers are underprepared for Australia’s Privacy Act reform.

A recent survey by Arktic Fox revealed that only 29% of marketing, digital, and ecommerce leaders believe their organisations are effective at activating data to deliver impressive customer experiences. Even fewer (22%) are confident in their organisation’s data management and maintenance practices.

This lack of readiness is concerning, given the potential consequences of non-compliance. The Office of the Australian Information Commissioner (OAIC) has flagged that it will impose fines on organisations that fail to meet the new standards.

The Australian Community Attitudes to Privacy Survey 2023 found that data privacy is the third most important factor for consumers when choosing a product or service, after quality and price. A staggering 92% of respondents said they would like businesses to do more to protect their personal information.


Changes to Australia’s Privacy Act

Australia’s Privacy Act was recently amended in 2022. The new Privacy Act Review Report was released in February 2023. A new version will be released by the end of the year.

Data privacy landscapes continue to change to protect personal information, and brands must keep up to date with them. This is not a one-time implementation: data governance and compliance require ongoing dedication.

The Attorney-General’s Department has put forward 116 proposals to amend the Act, with the federal government already agreeing or agreeing in principle to all but 10 of these proposals. Legislation is expected to be introduced and passed quickly in the coming months, signalling a rapid shift in the regulatory landscape.


Privacy Act Reform

The Australian Privacy Principles (APPs) are the cornerstone of the privacy protection framework within the Privacy Act 1988. They apply to any organisation or agency the Privacy Act covers.

The APPs give an organisation or agency flexibility to tailor their personal information handling practices to their business model and the diverse needs of individuals. They are also technology neutral, which allows them to adapt to evolving technologies.


Upcoming changes to the Privacy Act

The Australian Government is set to introduce significant Privacy Act reforms, with draft legislation anticipated to be tabled by August 2024. This follows a comprehensive review of the Privacy Act that identified 116 recommendations for reform, of which 38 have been accepted in full and are likely to be included in the upcoming legislation.

Key expected changes in the Privacy Act Reform

  • Alignment with GDPR: Australian laws to mirror GDPR, increasing business obligations regarding data privacy.
  • Enhanced Individual Rights: Greater rights for personal information, including limited deletion rights and direct actions against privacy breaches.
  • Stricter Privacy Policies: More stringent requirements for privacy policies with detailed disclosures.
  • Shortened Data Breach Reporting: Reporting timeframe reduced from 30 days to 72 hours.
  • Expanded Regulatory Powers: Enhanced powers for the Office of the Australian Information Commissioner (OAIC) to enforce compliance.

At the heart of these changes is an expanded definition of Personally Identifiable Information (PII). This broader interpretation will likely include modern forms of personal data such as location information, IP addresses, and device identifiers. It may even extend to inferred information about an individual’s preferences or predicted behaviours.

For marketers, these changes signify a shift away from reliance on third-party data and towards a greater focus on first-party data. This transition will necessitate changes in targeted advertising practices. For instance, social media platforms such as Facebook and TikTok can no longer simply check which users meet specific demographic criteria and push ads to their feeds based on third-party data. Instead, they must rely on first-party data and more sophisticated targeting methods.

These Privacy Act reforms reflect the government’s recognition of the need to modernise privacy protections in response to technological advancements and growing public concerns about data privacy. Further updates will be provided as the August 2024 bill progresses.


Privacy Act Reform Australia: How Marketers Can Continue To Work

Let’s dive into the key proposals of the Privacy Act Reform and learn what marketers can do to continue marketing in this evolving landscape.

Expanded definition of personal information

One of the key proposals included in the Privacy Act Reform is to expand the definition of personal information.

Key proposal: Expand the legislative definition of personal information to cover information or opinion that relates to (rather than is about) an identified or reasonably identifiable individual.

What to do next: Consider how an expanded definition of personal information will impact your data practices including those that rely on the use of technical data (e.g. in the context of targeted advertising).


Enhanced individual rights

Another key proposal included in the Privacy Act Reform is enhanced individual rights.

Key proposal: Introduce GDPR-inspired rights for individuals, including the right to obtain an explanation of, or object to, the handling of their information, to have their personal information erased where it is no longer needed, and to extend correction rights to generally available publications controlled by an APP entity.

What to do next: Consider the systems, processes and resources needed to respond to individuals exercising their new and enhanced rights.


Governance and risk management

Another key proposal is around governance and risk management.

Key proposals:

  • Require privacy impact assessments to be conducted prior to undertaking activities with high privacy risks, which may include some activities involving targeted advertising, individual profiling, sensitive information, children, automated decision making and sale of personal information.
  • Require entities to determine and record the purposes for which they collect, use and disclose personal information.

What to do next: Develop or enhance privacy impact assessment processes and templates. Develop or enhance approach to governance and compliance records and documentation, such as a privacy management plan and record of personal information holdings.


Strengthened consent and notice requirements

There are three key proposals in the Privacy Act Reform around strengthened consent and notice requirements.

Key proposals:

  • Amend the Privacy Act to reflect the OAIC’s current guidance that consent (where required) must be voluntary, informed, current, specific, unambiguous, and easily withdrawn.
  • Require entities to provide additional information to individuals about their data handling practices, including in relation to overseas disclosures, high privacy risk activities and retention periods.
  • Expand the circumstances where consent is required (e.g. to collect, generate, use, or disclose geo-location tracking data, or trade in personal information).

What to do next:

  • Consider required uplift of notices and consent practices, including for entities that rely on implied and/or ‘bundled’ consent (where consent is sought for a single document such as a privacy policy or terms and conditions, which deals with multiple activities).
  • Consider timing of consent changes, balancing ‘future proofing’ against commercial impacts.
  • Consider mechanisms to enable individuals to withdraw consent, particularly in respect of data sets you plan to use in the medium to long term.
  • Ensure that the circumstances relating to overseas disclosures, high privacy risk activities and retention periods are understood internally, in preparation for needing to provide greater transparency about these matters.

“We all talk about Google and Meta hoovering up data, but I think the biggest operator in Australia in terms of data brokerage is Woolworths’ Quantium.” — Laurel Henning, Legal and Regulatory Affairs Correspondent, Capital Brief.

Can you explain to someone of “below average intelligence” what you do with their data?

Fair and reasonable use and disclosure of personal information

Key proposal: Require that the collection, use, or disclosure of personal information be fair and reasonable in the circumstances, regardless of consent, having regard to legislative factors such as reasonable necessity, individual reasonable expectations, the kind, sensitivity and amount of personal information, and impact on individuals.

What to do next: Identify and assess activities that are more likely to be considered unfair or unreasonable, and consider potential mitigations.

The ACCC considers that this is currently not achieved by many data brokers. For example, it flags the use of ‘take-it-or-leave-it’ style agreements seeking bundled consents to complex or vague privacy policies, which enable firms to obtain unreasonable rights to use and share consumer data. These may lead consumers to unknowingly allow their data to be on-sold or provided to other firms for a broad range of barely-disclosed uses, such as targeted marketing to a personal address or phone number.

Would your justification convince the Privacy Commissioner, or class action lawyers?

Impacts on AI and automated decision-making

Key proposal: Require entities to inform individuals when relying on substantially automated decision-making based on personal information where there is a legal effect or other significant effect for the individual.

Some uses of AI involving personal information may also be captured by the reforms relating to ‘high privacy risk activities’, which will require entities to conduct a privacy impact assessment.

What to do next: Consider required updates to notices, policies and privacy impact assessment processes, and the implications of other upcoming changes to AI regulations on your use of personal information (including to train AI algorithms).


Direct marketing, targeted advertising, and profiling

Key proposals:

  • Introduce an unqualified right to opt out of direct marketing.
  • Prohibit targeting of individuals based on sensitive information (unless socially beneficial) or targeting of children (unless in their best interest).
  • Require transparency about the use of algorithms and profiling in advertising.

What to do next: Consider the impact of the proposed changes on your promotional activities and ability to leverage data when engaging with customers. Consider interaction with other marketing laws, such as the Spam Act and Do Not Call Register Act.

And there is no definition proposed so far of how small the segment needs to be before you’re considered to be targeting. So any form of differentiation of audiences – for example, I want to serve content only to women, not to men – that would be a form of targeting of content that would be regulated under these new rules.


Data security and data breach notification

Key proposal: Require organisations to meet baseline data security outcomes (e.g. confidentiality, integrity, availability – to be confirmed), adopt data breach response plans and notify the OAIC of eligible data breaches within 72 hours.

What to do next: Develop or enhance your data breach response plan. Ensure it is tested for effectiveness (e.g. training and data breach simulations). Assess the sufficiency of other cyber security and cyber resilience measures, including security controls and contractual data security protections.


Data retention

Key proposal: Require organisations to document minimum and maximum retention periods for different types of personal information held, and provide further information about data retention in privacy policy.

What to do next: Develop or update a data retention policy, having regard to applicable statutory minimum data retention periods (e.g. under tax, corporate, employment, environment and other laws), litigation requirements, limitation of action periods and Privacy Act justifications for ongoing use of personal information. Prioritise analysis of high-risk and older records.


Overseas disclosure

Key proposals:

  • Make standard contractual clauses available to APP entities for use when transferring personal information outside Australia.
  • Introduce a mechanism to recognise countries and certification schemes as providing substantially similar protection to the APPs.

What to do next: Once the standard contractual clauses are made available, assess whether and when to adopt them for overseas transfers, and how to integrate them into existing contracts and templates. If on the receiving end, consider the extent to which the clauses can be accepted.


Controller-processor distinction

Key proposal: Introduce a controller-processor distinction in the Privacy Act, similar to the EU GDPR and data protection regimes in many other jurisdictions.

What to do next: Consider your organisation’s role(s) in the new regime, and prepare for updating contractual arrangements and procedures relating to supply chain management and data breach response.


Privacy Act Reform conclusion for marketers

“You may be able to do everything that you were doing today, only if you can explain it in a way that you’re not currently required to. And justify that what you are doing is fair and reasonable – and that justification has to not only convince the Privacy Commissioner, but potentially, it can be litigated in the courts by, amongst other things, class action lawyers … So it is a very significant change.” — Peter Leonard, Principal, Data Synergies

Enforcement and penalties

If you cannot convince the Privacy Commissioner, you stand to face serious penalties. For corporates and organisations, serious or repeated breaches attract the greater of:

  • $50,000,000;
  • 30% of adjusted turnover for the period; or
  • 3x any benefit gained.

Individuals, sole traders and partnerships may be fined up to $2,500,000 for serious or repeated breaches.


Key takeaways for marketers

Transparency & accountability
Organisations must have a clear privacy policy that outlines how personal information is managed. This includes informing individuals about why their information is being collected, how it will be used, and their rights regarding their data.

Informed consent
Organisations must notify individuals at the time of collection of personal information, providing clear details about the purpose of collection and how the information will be handled.

OAIC compliance
Ensure compliance with the Australian Privacy Principles by following the guidance published on the OAIC website.

Act now to remain compliant
The Australian Government is set to introduce significant Privacy Act reforms, with draft legislation anticipated to be tabled by August 2024 including alignment with GDPR, enhanced individual rights, stricter privacy policies, and more.


Act now

Marketers need to act now to ensure they won’t be in breach of the Privacy Act Principles once the latest Privacy Act Reform takes effect.

Download our free resource on cookies and data privacy to learn how to prepare.


Are you a travel marketer? We have a more specific guide for you on data privacy and cookies to download, with additional information for travel marketing.

What’s next?

In data we trust, and that data has to be safeguarded properly. We help you define your data governance by building a collection of processes, templates and frameworks for your team to use.

Ensure that data is properly managed, secure, and used for its intended purpose with effective data governance. Get a free consultation.
