The Privacy Act Review Report is equivalent to the decade’s biggest TV premiere to someone like me, whose career is grounded in privacy regulations, compliance and digital marketing. The full raft of changes proposed are a much-needed glimpse into how this industry will evolve, and particularly how our government is choosing to address a number of issues that marketers are currently grappling with. 

However, for many, myself included, this report will take some time to digest. I would urge everyone to take the time necessary to fully absorb what this report means. It is important. After all, it’s not every day that the Privacy Act gets reviewed. In fact, this piece of legislation hasn’t been reviewed, to this extent, since its inception. It’s best we engage now, understand it, pull it apart and question it than do the alternative and skim it, miss something and then complain if it becomes law. 

At the outset, it is interesting to see this report following the general trend our Federal governments have taken to find an ‘Australian way’ to approach digital regulatory development. The industry had come to refer to the GDPR as ‘the gold standard’, with some (quite vocal)  marketers expecting Australia to take a ‘mini me’ approach to that. I am glad to see ADMA’s expectation, that Australia would forge its own path, come to fruition in this report, however the extent to which that path can be applied to business in some circumstances remains to be considered thoroughly. 

From my initial reading of this report, there are three clear C’s I see coming into play - Clarity, Consent and Consumer trust. The plans set out here are relevant for every business, and more importantly, are going to be crucial to understand.  

Clarity 

First things first - let’s all take a deep breath, because we’ve started off on the right foot. The report is comprehensive and well structured - this tells me that the government has taken the time to read submissions, and have absorbed the insights into the report. The proposals have created a mostly fully formed package, though there will be a few more (short) consultation periods to help fine tune. 

There are still some significant loose ends, such as legitimate interests and the right to be forgotten, as well as some further thought and revision needed on ‘de-identification and effective anonymisation, direct marketing, targeting and trading’. However, the major takeaway is that the report leans towards providing much needed clarity in an increasingly uncertain environment.  

Put simply, it aims to create certainty for anyone working with customer data about the do’s and don’ts. Once the nuances are worked through, it will be a valuable tool for navigating both existing grey areas and those which will emerge as technology advances and capabilities evolve. 

We can’t overstate how valuable this is in establishing a non-negotiable baseline for best practice. Most marketers have good intentions when striving to be ‘responsible’, yet uncertainty around what is and isn’t within scope of the Act generates gaps.  

Too often, marketing gets judged as a whole by the actions of some bad actors, and even the mistakes of the good ones are highlighted in headlines. Many proposals in this report offer the chance to establish a baseline of behaviour and a chance to prove those are the exception, not the rule. The clarity provided by the report makes it easier than ever for marketers to actually have a voice for an Act that will shape many of our jobs. 

What is almost a certainty is that the objects of the Act are being finetuned to clarify that this legislation is about the protection of personal information –an Act about Data Privacy not  privacy more broadly. The Report proposes that while continuing to protect the individuals data privacy rights, there was a need for modernised privacy legislation to promote digital trust and therefore it is proposed that the objects of the Act be amended to recognise the ‘public interest’ in protecting privacy. This is somewhat of a nod to the fact that businesses that use data in a fair and responsible way are likely to serve the public interest indirectly and deliver benefits to individuals, the broader economy and their own commercial interests. The protection of the individual doesn’t have to mean no commercial interest, so long as the Act can continue to  address instances where privacy affecting practices can have undesirable public policy outcomes. 

Also a given is that the definition of personal information is to become broader. A subtle word change in the current definition (changing the word ‘about’ to instead read ‘relates to’) widens the scope of what is classified to be ‘personal information’ to now include a number of identifiers that brands had perhaps hoped no one would notice were attributable to an individual (things such as IP addresses, location data, inferred information). While it may make a brand wince, let’s be honest – no one is surprised by this expansion, its been in the ‘grey’ for longer than expected so clarity was required. Brands will need to start considering what that means in practice. It may not be what all marketers want, but it is what consumers would expect. Clarity will help with compliance. It is important to remember that just because this is now captured by the definition of personal information it doesn’t stop a brand from being able to use this information (with the right consents not having been withdrawn), but it does need to apply the Privacy principles to its use. Some of those applications will require focus to identify if there are operational issues that the government needs to be informed of prior to reform. 

Consent 

This report suggests that the Act won’t be moving towards a consent-based model, and avoids imposing responsibility on the customers (data subjects) to both understand privacy settings that impact them and guard their own privacy.  

Instead, the proposal is aimed at businesses looking to improve their privacy disclosures (ie., having easier to understand, more transparent, and clear privacy notices and policies), as well as improving practices around privacy consent. 

The report makes it clear that dark patterns and other gaming choice architecture is a big no no. While this seems common sense, the report seems to understand that common sense is not that common, and to that end, states it explicitly.  

The report also indicates a move away from requiring consent upfront (which is the way the GDPR operates with a requirement to obtain unambiguous express consent). Instead, Australia’s report favours a benchmark model in the form of responsibility and accountability. This benchmark model would support businesses to be ‘fair and reasonable’ in the way in which they collect, use, handle, manage and disclose personal information.  

Of course, this has its own kinks to work out. After all, what is ‘fair and reasonable’ is subjective. There can be no ambiguity around this model, otherwise bad actors will find a loophole to exploit and responsible marketers may find that application is near-impossible. As an industry we must carefully consider various use cases to see the impact it will have operationally and see if the outcome is what was actually intended. 

There are some welcome distinctions made in the report in this regard - for a start Direct Marketing, Targeting and ‘trading’ are assessed differently, allowing users to make decisions as to how their data is used without making blanket decisions. Although again, it is in the details that we may find that the distinction (with the introduction of de-identifiable data in the scope of personal information) is not quite that distinct. 

While the methodology of withdrawing consent in relation to direct marketing is not completely new, there are some new considerations. Direct Marketers who use more traditional channels, such as email and SMS, may experience some circumstances where personal information for targeting may reach the threshold of direct marketing. For example, using customer emails to target advertisements on social media to known individuals.  

In this situation, if a person chooses to opt-out of use and disclosure of their personal information for direct marketing, then the business would not be able to use that person's personal information for targeted advertising. The essence of this, especially once it is clear what direct marketing is defined to be, is something that data subjects (customers) are already familiar with, given that they have been used to withdrawing consent under the framework set by the SPAM Act over 17 years ago.  

What is new in this report is the proposal of an “unqualified right to opt out” from receiving targeted advertising. This is much more complicated than it sounds, as this proposal extends to de-identified information to the extent the information is used for targeted advertising. This raises difficulty about how and when any form of audience segmentation remains both data-driven and algorithmically enabled digital marketing. 

Furthermore if the proposal goes ahead and data subjects are able to opt out of receiving targeted advertising, will they properly understand the expansive spectrum that this covers? In order to withdraw consent, consumers have to know (be informed and understand) what they’re withdrawing from in the first place.  

Unfortunately, Australia is not a mature enough market yet, and therefore not in a position where that is possible. There needs to be a significant education piece around what targeting really means. It can be judged on a sliding scale from “serve me content that aligns to my interests” all the way to using behaviour, preferences and patterns to influence perceptions, actions and beliefs in ways that may encroach their rights in more harmful ways.

A blanket opt-out of targeting that buckets all aspects of targeting isn’t the solution marketers (or consumers) need - instead, there needs to be a more multifaceted approach that perhaps allows people to withdraw consent from specific uses of data for specific targeting purposes. Further consideration also needs to be given to the impact on customer loyalty programs. This is addressed but not with nearly as much clarity as marketers need to understand the full impact in the various layers within customer loyalty programs (and to the extent that meets customer expectations). 

Peter Leonard, Principal and Director of Data Synergies and Chair of ADMA’s Regulatory and Advocacy Working Group warns  “The proposal if taken forward as is outlined in the Report would require substantial changes to existing business practices in targeted marketing and advertising (and therefore the digital advertising industry at large). This is an area which requires greater thought, intense focus and discussion over the next few months. The proposal also goes significantly further than any comparable jurisdiction”. The digital marketing and advertising industry, privacy professionals and regulators need to ensure that there is a workable and clear path to achieving the goals of this proposal within the Act. 

Consumer trust 

I strongly believe in regulation where regulation makes sense. But above all, I believe in best practice, because that’s going to help set a business up for compliance and a journey towards consumer trust. 

We all know consumer trust has taken a battering over the past few years. Our technology evolved so fast that we were all playing catch up - and there were some casualties of this rush. But this report is a chance to rebuild bridges. 

Before we move forward, we need to look back - particularly at modernising certain marketing practices. As mentioned above, the report specifically points out direct marketing as something the Act may try to redefine.  

In its quest for more transparency, the Report is mirroring what regulators worldwide are demanding and what our customers are rightfully expecting. Transparency has become the minimum standard of responsibility expected today. Clearer notices, and avoidance of dark patterns was always going to be wrapped into improving transparency but some marketers may be surprised with the extent to which the reform hopes to achieve that transparency, including the proposal that there be more transparency by way of privacy policies setting out the types of personal information used in “substantially automated” decisions which have a legal or similarly significant effect on an individual's rights. This means businesses need to understand how decisions are made and if it falls within scope, explain that to their customers clearly in their Privacy policy.  Consultation will take place as to what the parameters of ‘substantially automated’ ought to be. 

There also needs to be a mindset shift when it comes to customer data. For too long, companies have viewed customer data as their own. They classified the data itself as their greatest ‘asset’ and that’s been a key driver of issues in this space for years. The one and only owner of personal information is the consumer. We need to prove we understand this to consumers - it will be a key step in reforging their trust. 

Overall, I believe this report has taken a positive approach and is a great jumping off point for a better understanding of what eventual regulation should look like and consider, but there are definitely some kinks to still work out. We need to closely examine the elements that are likely to become law in the short term, whilst considering the things that are suggested to become law. Consultation will still be required for a number of proposals, including the removal of small business exemptions, but the good news is, for now, the guessing games are reduced or further fine tuned. 

We have been given a report with well articulated, specific proposals to consider carefully with the understanding that unless there is a reason to absolutely object - they will become law.  

There are elements that we need to dissect and apply to day to day operations as we know it today, and assess whether it is the proposal or our operations that need to be tweaked. I suspect in many cases it will be both. 

While we have some time to consult with the government, now is the time to buckle down, discuss the possibilities with our colleagues, listen to their points of view and then form an opinion to help inform the next stage of development. We aren’t at the stage of the law having changed yet… but we have never before been closer to it.

Hopefully stronger privacy protections will see Consumer Trust improve in a way that also makes commercial sense. It may seem like the Holy grail but isn’t it worth the effort to try to get as close to it as possible.  Time, and our industry, will tell if these suggestions will work in practicality. One thing is for certain - consumer privacy will look very different by the end of 2023.