The Privacy Series: Understanding Consent

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

The proposed overhaul of the Privacy Act in Australia has stemmed from a number of developments. Rapidly changing technologies, and changing business practices and consumer behaviours in light of these, have also led to shifting consumer expectations about how personal information is used. This has in turn put pressure on governments to modernise privacy laws, and to provide consumers with increased transparency and accountability in relation to how businesses collect, use and protect consumer data. In Australia, there has been a push to align with international laws and standards that have responded more quickly than ours, such as the General Data Protection Regulation (GDPR), and to update our legislation to better reflect and suit the intricacies of the modern digital age.

As part of these developments, the Privacy Act reforms are proposing to make a number of changes which impact on consent. These changes are aimed at providing individuals with greater transparency and control over their personal information and the data that is collected about them from their online interactions. As consumers, it’s easy to appreciate the importance of these changes. However, for marketers, they also have a significant impact on our data practices. That’s why it’s imperative that marketers understand these changes, including the full spectrum of consent as well as other obligations and processes that are needed to not only comply, but to implement best practice.

In this article, we will focus on some key concepts under existing law that are important to understand when considering your obligations when it comes to consent, and begin to explore some of the changes that have been proposed by Government.

What are the different types of consent under existing law?

In Australia’s privacy laws, there are two types of consent which are known as express/explicit and inferred/implied consent.

As the name would suggest, express consent refers to consent that has actively been granted by an individual for a specific purpose. It can be given orally or in writing, has no time limit, i.e. the consent stands until it is withdrawn, and is obtained at the point of collection, like ticking a box, filling out a form etc. Some examples of express consent would be opting in and subscribing to a brand or business newsletter, or giving express permission to a business to share your personal information with a third party for marketing purposes.

Inferred consent, on the other hand, is a little more nuanced. This is when consent is implied by an individual based on the circumstances they are in, or actions that they have taken. In other words, consent may be assumed to be granted if it’s considered reasonable in the context. For example, an individual attending a public event may be photographed and generally those images may be used to promote the event. Another example is when purchasing something online, an email address is likely supplied and follow-up communication regarding the order including delivery and product review requests, or even information about similar products, will generally be able to be sent to that email based on inferred consent.

There are also professional settings where inferred consent will generally be implied, like through B2B list suppliers, or even with publicly listed work email addresses which you have opted in to marketing information based on your role.
If you use a B2B list supplier, it is essential that the supplier also provide you with auditable consent records. Reputable vendors will have no issue with this.

Inferred consent is less certain than express consent, can be tricky to navigate, and should not be relied upon as a method for collecting consent to avoid obtaining express consent. Both the current Australian Privacy Principles (APPs) and the upcoming broadening scope of Australia’s Privacy Act demand that any inferred consent should be clearly justifiable and reasonable in the circumstances.

Understanding the type of consent needed for your marketing activity is crucial to ensure your operations are compliant with legislation. This is particularly important when it comes to sensitive personal information – a category of personal information requiring heightened privacy protection such as health data, government identifiers, race, religion, sexual orientation and so on – as the collection, use or disclosure of sensitive personal information generally requires express consent. If in doubt, obtaining express consent over inferred consent and implementing rigorous record keeping processes of how, when and where consent was collected, will position you for consent best practice.

So what is changing under the proposed reforms?

While the two key types of consent discussed above will not change under the proposed reforms, there are a few proposed changes that will impact on consent. Below are the top three changes worth highlighting and a brief explanation of how they will impact whether a business has valid consumer consents:

A new definition of consent will be included in legislation

A change to the definition of consent in the Privacy Act will provide that consent must be ‘voluntary, informed, current, specific and unambiguous’.
This isn’t a huge change from the status quo in the sense that the Office of the Australian Information Commissioner’s (OAIC) guidance already provides that these elements are required for a consumer’s consent (whether express or implied) to be valid. However, it will mean that these elements of consent are expressly set out in the law, rather than simply in guidance materials, leaving less room for ambiguity about what is required. The application of the individual elements of this definition to specific scenarios is probably worthy of a separate newsletter discussion.

Transparency requirements

The Government is also proposing to increase transparency requirements further, including for example by:

• Introducing an express requirement that collection notices be clear, up-to-date, concise and understandable;
• Requiring additional matters to be included in Australian Privacy Principle (APP) 5 collection notices, including around uses of Personal Information (PI) for high privacy risk activities, how consumers can exercise their rights under the Privacy Act, and the types of PI that may be disclosed to overseas recipients;
• Requiring privacy policies to set out the types of PI that will be used in ‘substantially automated decisions which have a legal or similarly significant effect on an individual’s rights’ (note: this requirement passed the Parliament in 2024 but will not commence until December 2026 to give industry time to implement the change).

The idea is that increased transparency in these areas will lead to increased understanding of how personal information is being used in the digital economy, and ultimately, more informed consumer consent. Once these changes are in place, if a business’s privacy policy fails to include these matters, that may impact on whether your consents are valid or not – depending on the context and other surrounding circumstances.

New ‘fair and reasonable’ test

In addition to a new legal definition of consent and increased transparency requirements, the Government is also proposing to introduce a new ‘fair and reasonable test’, so that all collections, uses and disclosures of personal information will also need to be ‘fair and reasonable’. This requirement is being proposed to apply regardless of whether you have a consumer’s consent. In other words, businesses won’t be able to “consent their way to compliance”. The idea behind this requirement is essentially to shift some of the legal responsibility for privacy that currently falls on consumers, onto businesses. How exactly this requirement will be considered by regulators and courts alongside consent requirements is not yet clear (and will probably remain so until we see how these concepts are dealt with once legislated and in specific scenarios).

The impact on processes and what marketers can do now

Consent may seem like a minefield, but it doesn’t have to be. The current privacy reforms provide an opportunity for both marketers and businesses to reset and start afresh when it comes to data practices. The best way to ensure that your consent and data practices are compliant moving forward is to get your house in order. This is particularly important because, even though the changes to consent outlined above have not yet come into law (and may not come into law for some time yet), the OAIC has clearly indicated that it is not waiting for further legislative change before increasing its focus on enforcement under existing laws. It already has significant additional enforcement and penalty options available to it under the changes introduced over the last couple of years, and we can expect it to start using these.

In light of this, we would recommend investing in the resources you need to manage compliance effectively, whether that be time, money, people or technology.
Work together with your internal teams, including legal, to agree the best approaches for your business to appropriately manage its risks under the law. By getting your data and your processes squeaky clean, your business will not only be compliant but ready to grow and thrive in the evolving privacy landscape.

Look at your data and purge any data you do not need for your operations. This includes any data that “might be useful” at some point. If you are not using it and do not intend to actively use it in the immediate future, delete it (Note: APP 11 requires you to take reasonable steps to destroy or de-identify personal information when it is no longer necessary to be retained for the purpose for which it was collected). Not only will this mitigate the overall risk of non-compliance or a potential breach, it will also reduce the amount of data where a consent audit trail has not been recorded.

Working on your consent record keeping process as a next step in order to develop a consistent and comprehensive audit trail for your data is also a crucial task. Moving forward, when collecting consumer data, marketers and their businesses should be keeping a clear record of capturing consent. This could include making a note of the date and time, the method/medium i.e. online, verbal, written etc, what data is being collected and why, the privacy policy version accepted, and finally any third parties that may also access the data. It would also be worth noting if the consent is express or implied, and any relevant information to indicate how the consent meets the requirements of the legislative definition. We recommend businesses opt for express consent in striving for best practice as well as minimising business risk. Be sure to also maintain these logs with any changes over time, such as a customer modifying or withdrawing their consent.

Reviewing your opt-in and opt-out processes is also recommended.
It should be very clear in your data set whether consent is currently active or not, that is, whether the customer has deliberately opted in to marketing activity and agreed to your business collecting their personal information. When opting in, there should not be any pre-ticked boxes that automatically provide consent on the consumer’s behalf. Instead, the customer should knowingly and intentionally opt in themselves. Then when a customer wants to opt out, the process should be as easy as opting in. There should be no requirement to log in to or make an account to opt out, or to call a customer service representative to first answer a string of questions regarding disengagement. Go through the process yourself, and if you can’t opt out as a customer as easily as you opted in, then your process is in need of review.

Considering the way in which consent is collected by your business is also advised. The privacy reforms outlined above will put the practice of ‘consent bundling’ on even shakier legal ground. That is, the practice of seeking and requesting consent for a number of actions in a single step. For example, requesting a customer to provide consent for the collection of personal information, participating in marketing analytics and sharing their data with third parties. This creates issues with determining consent due to lack of specificity, and the amended Privacy Act will likely include a definition of consent that requires it to be specific for each distinct purpose (and, as noted above, this requirement is already contained in existing OAIC guidance, indicating that the regulator already considers this to be law). The risk for businesses that do bundle consent is that, if there is a component that a customer does not agree to, you will likely not have valid consent, even under existing law. When broken down into options, consumers will likely provide consent for the options they are comfortable with.
Compliance aside, this approach may mean access to some customer data rather than none at all.

In summary, consent and consent processes should not be overlooked or rushed. It is paramount that marketers evolve and adapt with these changes and embrace the opportunity to set themselves up for successful and compliant business growth. Once all the hard work is done and your revised and refreshed data practices and processes are underway, be sure to conduct regular audits and reviews. A periodic review of your consent management processes will ensure overall compliance, and that data records are up to date, removing the guesswork if consent is active or not.