Explainer: What marketers need to know about the proposed privacy law changes

A complete rethink of personal information, changes to how organisations collect, disclose and use consumer data, stronger online privacy protections and higher penalties for non-compliance are some of the transformative changes Australia’s new privacy law proposals could present marketers.

Over recent weeks, two significant pieces of legislative work around Australia’s privacy landscape landed on desks: The Online Privacy Bill Exposure Draft; and the even more widely impactful Privacy Act Review Discussion Paper.

While both have been expected by the marketing, media and advertising industry, what has surprised the experts is the more extensive scope they represent. This could raise an array of potential complexities, issues and risks for organisations should they find day-to-day activities captured under these ground-breaking changes.

To try and understand the hefty obligations the draft and discussion paper could put increasingly data-driven marketers and organisations under, CMO sat down with IAB Australia director of policy and regulatory affairs, Sara Waladan, and CEO, Gai Le Roy, as well as ADMA’s regulatory affairs chief, Sarla Fernando, to gather first impressions.

As Le Roy put it, the majority of marketers will be drawn to the Privacy Act review – and rightly so. From broadening the definition of ‘personal information’ to greater requirements around collection, disclosure and usage of such data, changes are far-reaching.

But it would be a mistake to ignore the scope of the Online Privacy Bill Draft Exposure, Le Roy continues. The big factor here needing consideration is the looser definitions of those organisations potentially captured under the bill: Namely, data brokerages and those monetising their data as well as online platform providers.

Here, we detail some of the big changes being proposed, how these are being interpreted by the industry’s big associations, and how marketers could be affected.

What has been released

Two main legislative proposals are up for consideration, both connecting into Australian privacy law and enforcement.

The first released by the Attorney-General’s department is the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Bill) Draft Exposure. This is a pre-cursor for proposed legislation to create a code around online privacy practices in Australia.

Coming off the back of the Digital Platforms Inquiry in 2019, the aim of the bill is to introduce a binding online privacy code for social media and certain other online platforms. This will be supported by increased penalties and enforcement measures.

The Online Privacy Bill is open for consultation until 6 December 2021. From there, submissions and feedback will be used to create the bill introduced to Parliament.

The second and potentially more explosive legislative proposal is the Privacy Act Review Discussion Paper. This paper is about long-term amendments to Australia’s privacy laws and includes a wide-ranging set of matters for review. These extend from the definition of personal information and permitted situations and settings around the collection, use and disclosure of such personal information, through to ensuring the Privacy Act goes far enough to protecting consumers’ rights, consent, data breach notifications and management, enforcement powers and other compliance measures.

The new Discussion Paper follows on from an earlier issues paper released in October 2020, which invited individuals and industry to submit suggestions for amendments to Australia’s Privacy Act. While a few steps further away from being realised in law, it’s indicative of the Government’s position and the huge changes being considered.

ADMA head of regulatory and advocacy advisory, Sarla Fernando, sees this as most important review taking place currently.

“There are many that have come from the Digital Platforms Inquiry from 2019, but they also reference or quote how important the Privacy Act review is,” she tells CMO. “If the drafting is done correctly, it has to interact and sit alongside key regulations out there, including the Consumer Data Right.”  

The big driving force for change is that the definition of ‘personal information’ hasn’t kept up with all of technology advancements and digitisation of consumer privacy and interaction.

“Responsible marketers don’t want to break the laws, they want to follow them. But right now, the law isn’t clear in and of itself,” Fernando says. “This makes this an extremely important review that will have huge impact on even day-to-day activities of marketers. And I mean all marketers - everyone is a data-driven marketer.”

Submissions and feedback on the Privacy Act Discussion Paper are due by 10 January 2022.

What the Online Privacy Bill is proposing

While the first objective for the OP code is a requirement for a new social media code, the Exposure Draft is much broader than social media players. It ultimately aims to do two things: Give clarity around how online operators interpret the privacy obligations, such as what needs to be included with any privacy policy or practice, plus new rules around things not currently covered. These include applying online privacy requirements to children or vulnerable people.

1: Extension of providers captured

As well as social media platforms, the Exposure Draft proposes the online code of conduct extend to data brokers. Four companies are listed as examples – Quantium, Acxiom, Nielsen and Experian – however, this could also stretch to organisations whose business models are based on trading personal information collected online, or information derived from such personal information, such as data derived from rewards or loyalty programs.

The third type of organisation captured under the proposed OP code is an ‘online platform provider’. This is defined as any platform with at least 2.5 million users in the past year. Companies like Spotify are listed, but 2.5 million users could encompass many retailers, banks and publishers too.

“What has intentionally been created to capture one larger end of the market, or the Googles or Facebooks, has the potential to capture other online participants that may not have necessarily been the focus of the draft,” Fernando comments. “That’s where attention from the marketing industry needs to focus.

“It’s very important brands look at this and do express any concerns at this early stage. There is always that possibility that unless there is actual argument against it or ask for more clarity, this will become the law.”

Waladan notes businesses located outside of Australia will also be required to comply by the act should this approach be introduced into legislation. “Any organisation carrying on business locally will be captured, even if they have data stored on servers overseas or collect information in another country,” she says.  

2: A binding code of conduct

The OP bill is also about putting a binding code of conduct in place, created either by industry or the information commissioner. This is similar to the process taken around the News Media Bargaining Code. This OP bill makes it imperative a code is introduced within 12 months. A key requirement is abiding by the current Australian Privacy Principles, which focus on three key elements: Disclosure, consent and notice.

“What this code does is make it a lot clearer on how you handle these three components,” Fernando says. “Then it’s saying there are some new things we require. A big one is around the vulnerable and children; the draft is asking industry to take a much stronger approach.

“You also need to be sure of the age of people you are dealing with. If they fall under a particular age, you need to verify consent by parents. That’s going to have a flow-on effect.”  

Fernando points out this isn’t your standard approach to privacy. “Normally, the approach would be to take the minimum amount of data you need to do anything. But this is following more under security. It’s going to be an interesting conversation in that regard,” she says.

While the Exposure Draft has stronger imperatives for social media platforms, it still poses questions for the other types of organisations captured in its net.

“We have already had questions from ADMA members asking how does it apply when they’re dealing with under-16s and offers that incorporate them? How do they verify, and do they have to? This consultation will be very important for getting industry opinion on how that plays out,” Fernando says.

3: Right for consumers to be forgotten

A further component to the OP bill is clarifying that if a consumer asks an online organisation to stop communicating with them, the organisation takes all necessary actions to do that. While this already sits within the Privacy Act, the OP proposal explicitly states companies must take all reasonable steps to achieve it.

According to Fernando, the language of the Exposure Draft doesn’t go as far as European privacy laws, which include the ‘right to be forgotten’. Instead, the Australian Government has opted for ‘fair and reasonable’. This should ensure organisations requiring data to provide a product or service, such as credit card collection, can continue to.

Fernando says interpretation and application of what seem to be small changes could again be significant.

“Look at the SPAM regulations, which changed recently – while these were minor changes and probably considered reasonable to those drafting it, when you take it out to market, some organisations saw it as going against all these security options they put in,” she says. “How that then applies is a key consideration for industry. There is a balancing that will need to take place with the Exposure Draft.”

4: Stronger enforcement and penalties

The second part of the OP Bill Exposure Draft deals with enforcement and penalties. These changes will see penalties for non-compliance increase from $1 million to up to $10 million, as well as new criminal penalty provisions for multiple or repeat offenders. There’s also increased information sharing power between the OAIC and the eSafety Commissioner, along with greater ability for the OAIC to conduct assessments around whether people are complying, as well as fines for those not complying fast enough.

To a large extent, regulatory experts saw these as a sensible alignment with Consumer Protection laws.

“There are high-level penalties sitting in the GDPR that don’t get enforced because there’s no real resources available. Having higher penalties doesn’t have the impact if the commissioner isn’t resourced well enough to actually pursue them,” Fernando says.  

It also makes sense to share data between enforcement parties. “This should make it more efficient to deal with things like cyber bullying or cyber abuse, as well as image complaints coming through,” Fernando says.

Summary and next steps

While many aspects of the Exposure Draft weren’t surprising, expansion of the data brokerage and large online platform providers needs careful consideration by the marketing and media industry.

“In drafting of the code that comes into play, it could surprise us in how it changes our day-to-day application and activities as marketers,” Fernando says. “We have these views and frameworks we believe social media players need to operate it. But when they leak out to other businesses, is it still something that makes sense for these businesses?”

What the Privacy Act Review is proposing

The industry knew a Privacy Act review was on its way, but as Waladan put it, “The more I read, the more the ramifications could be massive.”

The Discussion Paper is not legislation, but a step back. Nevertheless, it has the potential to completely change data collection and use for all organisations.

At one level, Waladan identifies some benefits. “The refreshed Privacy Act would have requirements that would help EU companies sharing data with subsidiaries in other countries such as Australia,” she says. “Under GDPR, these companies have to ensure the country’s laws are adequate before they can transfer data. So one benefit is easier data flows across jurisdictions potentially.”

But there’s equally no doubt proposed changes will increase a company’s primary obligations with respect to protecting consumer privacy. Heavier compliance burdens, associated costs and greater risks for companies who get it wrong through increased penalties are on the cards.

“Companies will need to review and potentially update existing policies, data handling processes, as well as things like contracts with partners and how they share personal information,” Waladan says.

1: Broader definition of personal information

Arguably, the biggest change proposed is an expanded definition of ‘personal information’. With much broader definition comes broader ability to apply these obligations around collection, use and disclosure to data utilisation.

At the moment, ‘personal information’ only applies to information where someone is identifiable. Under the new changes, this would change to ‘relates to’. This could apply to when an individual can also be distinguished from others, or has a profile associated with an online identifier or pseudonym, even if they’re not named.

“What that does is captures a greater range of information from which an individual could be identified, especially technical information,” Fernando says. “That starts to include location, psychological, mental and genetic data sets.”

Even if you need another piece of information to then be able to identify the information, that will fall under this new scope of ‘personal information’, Waladan agrees.

“Identifiers will be the big issue for marketers and advertisers here, as things like IP addresses, identifiers, location data all could fall under this extended definition,” she says. “It will make things clearer around identifiers, which were previously a grey area. An example in the Discussion Paper is third-party cookies: If you collect information on a user’s browser activity on third-party websites via tracking tech to infer their interests, such as religious beliefs or socioeconomic status, then use these cohort-style profiles to target with specific advertising, this would now be classified as personal information. This means all the other and more restricted obligations around using personal information would apply.”

For example, if you’re targeting people based on medication they buy, it’s potentially a problem, Waladan says.

“Another big issue is at what point inferences are actually drawn, especially with automated technologies. There is a lot of uncertainty in the context of AI, analytics and algorithms – that will make it hard to work out when obligations are triggered.”

For Le Roy, the approach illustrates how important it’s going to be for marketers and those communicating with consumers to be clear on when, how and why their organisation is collecting and using data.

“Marketers will need to learn how to communicate in simple language to clarify this,” Le Roy says. “First-party data and usage might be tricky to explain but doable. But the further it gets from a primary relationship, the harder and harder it will be to nail why it’s being collected.” 

2: Being fair and reasonable

Overlaying use of such personal information is a ‘fair and reasonable’ requirement. This would permit companies only to collect content, use or disclose personal information in a reasonable and fair manner that’s within the individual’s reasonable expectations and doesn’t cause harm. According to the Discussion Paper, harm could include triggering direct or indirect financial loss, physical or psychological harm, losing access to benefits or other services such as health or credit.

“That is very broad. That will have to be narrowed and some practical solution brought in here,” says Waladan.

In addition, this raises questions around companies who increasingly use personal information to protect both children and those more vulnerable. Just think of the way data may be used by a telco to suppress sales messaging to people affected by bushfires or who are vulnerable, or a betting firm suppressing communications to problem gamblers.

The Paper highlights several factors to consider when determining whether the fair and reasonable test is met. One is that collection is within the reasonable expectations of the individual. If you’re a marketer or organisation only using data in way that’s consistent with these, you should be fine.

“It’s again part of the push to lessen the burden on the consumer and shift burden to business, government and legislation, and an attempt to state when something is ok versus when it isn’t,” Waladan says.

The problem IAB recognises, and which was made plain from the recent consumer privacy survey undertaken by Ipsos, is it’s very hard to meet consumer expectations.

“That survey showed 70 per cent of respondents didn’t make the connection between free websites they like to access and want to stay free and what is funding them. These expectations shift over time as well,” Waladan says. “There is work there for the industry to make that more transparent. There will be a point in time where that is within the reasonable expectations of consumers. In the interim, we have to work what we have to do legally. That’s a bit tricky.”

3: Put control in the hands of consumers

The Privacy Act overhaul is about consumers having better control over their data. Express consent plus notices on how you plan to use personal information are the cornerstones of privacy regimes around the world. They’re also what set the framework of compliance in Australia.

Yet IAB and ADMA regulatory leaders agreed it’s hard to list every reason for everything you’re doing with data upfront. Consumers also have to provide that information in order to use many platforms.

“We are living in such different times that consent and notice is no longer a feasible, practical framework in and of itself. The whole concept of consent fatigue and being able to in a privacy notice to provide all usage around what you are planning to do is a huge challenge,” Fernando argues.

“When the Privacy Laws were written, the kind of marketing we were doing made it easier to provide that notice: We had collection notices, printed privacy policies or links. But in a social media world, notice and consent has been difficult to obtain. People are communicating in a way that addresses very short attention spans. So does that notice remain meaningful?”

Pro-privacy defaults are another part of proposed Privacy Act changes. One option is having the most restrictive settings as the default - opt-in rather than opt-out. The other is to require easily accessible privacy settings.

4: Data sharing and exchange

Data sharing is also in the government’s legislative sights. The Discussion Paper posits stricter requirements for an organisation not directly collecting information to still take reasonable steps to satisfy itself the original collector has done so in a lawful and fair manner. Additionally, new guidelines around restricted and prohibited practices targeting profiling and behavioural advertising are detailed.

“For example, the Paper says targeted advertising knowingly directed at children should just be prohibited. And for adults, it should be more restricted with special rules to apply – so it’s being seen as a high-risk practice,” Waladan says.

These changes are again problematic given increasing sophistication in targeted advertising and personalised communications.

“We need to do a better job communicating why we need this data to offer value-based exchanges,” Le Roy says in response. “Contextual advertising will become more and more important. Having a direct relationship or environmental understanding will be more important, too.

“In a weird way, this period of tech change with the demise of cookies and Apple’s iOS changes is helping marketers get ready for what’s coming in the Privacy Bill. We are working with less signals and needing more clarity.”

And increasingly, as they’re working with vendors or partners, marketers will need to understand how all that is going to be patched together. “Marketers may need to look to ensure those agreements are fit-for-purpose going forward, plus data ownership, storage and processing,” Le Roy says.

Fernando points to instances where organisations are working with technology or processes that see them captured by the new-look Privacy Act but which make it difficult to know what to include in any disclosure.

“Technology moves so fast; you may be collecting information or have data captured within the tech you haven’t understood or worked out. If you don’t know it’s there or you don’t know how you’re using it, it’s now being captured in the definition of ‘personal information’. Because it’s now not just about the individual, but also information that refers to the individual,” Fernando says.

“Unless done correctly, we may find businesses wind back any acts they would have done in the past that they’re not quite sure are being portrayed and made transparent to consumers. For example, in the Discussion Paper, it talks about a weather app. It makes sense for a consumer to provide their geographic information to understand their local weather. But there may be other technical information collected around that, that’s being passed to other parties to do certain things.” 

5: Direct marketing redefinition

In addition, direct marketing is getting a review. At the moment, existing provisions state organisations can’t use or disclose information for direct marketing purposes unless it’s collected directly from consumers and used within their reasonable expectations. Under proposed Privacy Act changes, this would be removed. Instead, with tracking and profiling, companies would need to notify and be transparent they are collecting personal information for the purposes of influencing behaviour or decisions.

“Organisations are going to have to be a lot more detailed and clearer around exactly what they are doing - it will need to be made clear in the privacy policy plus the types of personal information being used to influence a person’s behaviour,” Waladan says. “That, combined with a broader definition of personal information, makes for significant change.”

According to Fernando, the paper’s language makes it clear the onus around personal information collection, use and disclosure can’t be contracted away either.

“You can’t just write T&Cs that override the basic principle of fair and reasonable. It will have to apply,” she warns. “If it’s something that’s unreasonable or fair, you can’t just put it into the T&Cs to say to a consumer you agreed to that.”

Early conclusions and next steps

While IAB and ADMA are still working their way through ramifications of the changes, both associations agree the two proposals show an Australian Government that’s keen to be more aligned with other jurisdictions including the EU/GDPR. The adoption of ‘fair and reasonable’ language as an overlay is a nod to privacy legislation existing in Canada, India, Singapore and the UK, which all have a baseline protection that looks at ‘fair and reasonable’ practices.

For Fernando, the detailed and comprehensive Privacy Act Discussion Paper also shows the Government has considered the more than 200 submissions received to its initial paper. And there is no denying we have to expand the definition of personal information and privacy.

“In today’s environment of how we communicate, collect data and the type of data we collect is moving so fast. How we expand in a way that still protects privacy, but doesn’t stifle industry, and which acknowledges but doesn’t constrain people from innovating, is key,” Fernando says.

As a marketer, it’s going to be very important to consider what that all means for the way you’re using data, Fernando advises.

“It’s about understanding what will be able to be taken on, and what’s stopping the bad actors without stopping innovation in businesses. What will protect consumers but still provide them with the kinds of services they are expecting to receive?

“This is where the difficulty lies. How do you explain to people in simple language what it is you’re planning to do with their data? It’s the sort of thing businesses are going to need to step up and help the regulators to work out.”

To get there, the IAB is working with the MFA, AANA and others to ensure the industry understands the flow of responsibility and where the problems may lay. ADMA is also planning to conduct sessions and workshops with members involving privacy legal experts to dive into the new scope and future ahead.

Don’t miss out on the wealth of insight and content provided by CMO A/NZ and sign up to our weekly CMO Digest newsletters and information services here.  

You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page