While most eyes are on the upcoming Tranche 2 of Privacy Reform, enforcement is already underway. Peter Leonard, Chair of ADMA’s Regulatory and Advocacy Working Group, outlines what marketers should do now to ensure their data governance is fit for purpose in 2026.
For many marketers, 2025 was spent patiently waiting for clarity on privacy reform. Many of us expected Tranche 2 of the Privacy Act to follow hot on the heels of the first amendments in late 2024, but the timelines have slipped and those reading the tea leaves are pointing to movement in the first half of 2026.
But focusing too heavily on what hasn’t happened risks missing what already has, and that has been an expensive mistake for a few businesses already.
In 2025 we saw a significant turning point in how privacy and data regulation is being enforced in Australia. Enforcement activity increased markedly, interpretations of existing law expanded and digital marketing practices moved firmly into the regulator’s field of view.
Put simply, many more businesses found themselves in the regulator’s crosshairs and on the end of enforcement notices or some hefty fines for missteps which often stemmed from the marketing department.
This year, we can expect this shift to intensify.
Enforcement, not reform, defined the past year
Over the past year, both the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC) stepped up enforcement activity. The Privacy Commissioner in particular adopted a more assertive approach to interpreting and applying the existing Privacy Act – particularly in relation to digital marketing and data-driven practices.
This matters because it has significantly increased exposure for organisations with insufficiently governed marketing data. All businesses need to understand that the absence of new legislation has not meant the absence of scrutiny.
The OAIC has been explicit about its regulatory priorities - and advertising technology sits squarely among them. The regulator has specifically identified opaque adtech practices – including pixel tracking across third party websites – as an area of concern. The Commissioner is also looking at data brokerage and other practices that increase an information imbalance between organisations and consumers.
This is a clear shift for marketers to understand – that practices that were once treated as technical or operational details are now front-line compliance issues.
The law hasn’t changed - but expectations have
One of the most persistent misconceptions in this space is that regulatory risk only emerges once the law itself changes. In practice, risk often crystallises much earlier, driven by how regulators interpret existing obligations.
That is exactly what we have seen over the past year.
The Australian Privacy Principles already impose requirements around transparency, consent, data minimisation and accountability. What has changed is the regulator’s willingness to apply those principles - particularly where tracking technologies operate invisibly, dataflows are poorly understood or third-party platforms are treated as compliance blind spots.
These are situations that are unfortunately all too common in the digital marketing landscape.
The Privacy Commissioner has also made clear that organisations are expected to know how personal information is collected through digital marketing, where it goes, and who ultimately receives it.
Not knowing is no longer a neutral position. In some circumstances, it may itself point to a compliance failure.
Pixel tracking moves from background to centre stage
This shift is most visible in the regulator’s focus on pixel tracking and related adtech tools.
These technologies underpin measurement, attribution and personalisation across the digital economy. But they also facilitate large-scale data transfers to third parties, often with limited transparency and minimal consumer understanding.
Responsibility for these practices does not end with outsourcing. Where agencies, platforms or vendors act as agents, their conduct may be legally attributable to the organisation that engaged them. Legal responsibility follows the data, not the contract.
For marketers operating within complex ecosystems, this is a critical point. If you cannot confidently explain what data your tracking technologies collect, where that data flows, and how it is used, you may already be exposed – regardless of whether further reform has landed.
What 2026 will add to the mix
Looking at the next 12 months, there is little reason to expect regulatory pressure to ease.
Privacy enforcement priorities published by the OAIC last year extends well into this year, meaning scrutiny of adtech, tracking and data governance will continue.
When Privacy Act reforms are finalised, they are unlikely to soften expectations. More likely, they will codify standards regulators are already applying in practice.
At the same time, marketers will need to navigate regulatory change beyond privacy. Reforms to Australian Consumer Law targeting unfair trading practices – including subscription traps, hidden fees and manipulative digital interfaces – will have direct implications for digital marketing, UX design and growth strategies.
The result is a broader, more interconnected regulatory environment. Privacy, consumer protection and digital design are no longer separate compliance conversations.
Marketers must begin to interrogate their data architecture. Mapping tracking technologies, auditing third-party dataflows and questioning long-standing “industry standard” practices are central to control risk, not optional best practices.
Internal accountability is also a necessity now. Businesses cannot assume other agencies or platforms have compliance covered. You need to know who owns marketing data decisions, how those decisions are assessed and how compliance is monitored over time.
Perhaps most importantly, action needs to begin before enforcement compels it. Remediating data governance issues – technical, contractual or cultural – takes time. Organisations that wait for reform to force change may find themselves responding under pressure.
All organisations should invest in responsible data governance. This will not only reduce regulatory risk, it will also make you better positioned to build trust, resilience and long-term brand value.
In 2026, that will no longer be just good compliance. It is increasingly a mark of good marketing.
Want to sharpen your privacy and compliance skills?
Check out our regulatory course offering with a range of options to suit your needs. From our online short courses to our more comprehensive Privacy and Compliance for Marketers course, ADMA has your regulatory upskilling needs sorted.