Privacy pending – how marketers can prepare for Australia’s imminent privacy law changes.

The plethora of major cyberattacks and data breaches making headlines in the news recently has made the Australian public lose faith in the current privacy law framework and the accountability that businesses take in their data management practices. That’s why public sentiment over how their personal information is collected, used and disclosed has been one of the key driving factors in the largest ever review of Australia’s key privacy legislation.

Since commencing the review of Australia’s federal Privacy Act 1988 (Cth) (Privacy Act) in late 2020, the extensive process now appears to have reached the stage where it is ready to be implemented, with Federal Attorney General, Mark Dreyfus announcing the updates will be introduced into the House of Representatives this coming August. As a legislation that has remained largely unchanged since its inception in the late 1980s, there will be vast changes introduced to bring it in line with today’s needs, particularly from a digital perspective.

There are a number of reforms that will impact marketing operations. The greatest of all being the broadening of the scope of the Act by tweaking the definition of what is considered ‘personal information’. A small amendment to the wording of the current definition (replacing the word ‘about’ with ‘relates to’) will have significant impact on how the Act applies, and what businesses will need to do in relation to the way they collect, manage, use, disclose, store and dispose of the personal information they gather. Businesses will also need to reconsider how they provide notice for their intended use of data, how they obtain consent (and allow for a user to withdraw that consent) , plus a new overarching concept – which will position Australia as being different to the rest of the world – of whether the collection, use and disclosure of data is Fair and Reasonable. This is a fundamental shift in thinking, because just having ‘consent’ will not guarantee a business can use the data if for any reason the use is deemed to not meet the overarching test. In short – a business cannot ‘consent their’ way into any activities that would not meet this ‘pub test’. Marketers need to also be aware of new definitions that are likely to be included – that of ‘direct marketing’, ‘targeting’, ‘targeted advertising’ and trading.

With the likelihood of the reforms being legislated as early as February 2025, marketing leaders and their teams should begin to prepare for the impending changes now, and ADMA is here to help.

Why prepare now?

The upcoming reforms in privacy are an opportunity for your business to do a deep clean and audit of your business – the kind of ‘cleanse’ that only ever comes with an investigation and/or after a data breach. With the changes in law coming now, businesses have no choice but to get their houses in order. They will need to invest the time (and money) to ensure

compliance. To keep your business out of the spotlight and to avoid suffering regulator scrutiny, irrevocable brand damage from a data breach or fines, stringent adherence to the soon-to-be updated Privacy Act is paramount.

The Government is still deciding upon the transitional arrangements, including staged commencement of certain provisions, the phase-out of certain exemptions, and have suggested a 12-24 month (from enactment) timetable to full operation. What that means is likely that once the Privacy Act reforms are passed, businesses may have to comply immediately with certain provisions of the Act (especially in the way it obtains any new information) and will only have two years to ensure their processes and practices for their existing data sets are compliant. Two years may sound like a long time, but the impact of the changes on all businesses will see that time fly and the risk of incurring hefty fines will be greater with the regulator powers and resources having increased as part of the reform. With the extent of the changes ahead of us, this will not be a simple task to complete. Being proactive and preparing for these changes now will allow you to act swiftly and hit the ground running once the updates are legislated.

Other than the financial implications, there are other benefits in preparing now including giving your business a competitive edge. Your commitment to privacy will reengage the invaluable trust of your customers in your brand, particularly when the concern for privacy by the consumer has been such a driving force behind the reforms. Seeing your business committed to protecting customer data and complying with the new reforms will invariably deepen the relationship and strengthen loyalty with your customers.

If you’re from a smaller organisation, you need to get on the front foot as it is worth noting that the ‘small business exemption’ will be removed. Previously, businesses with an annual turnover of less than $3m were exempt, however moving forward, privacy is now everyone’s responsibility and the exemption will no longer apply. This means that SMEs have quite a bit of work ahead of them to prepare their business for the changes in their current practices, or lack thereof, if they do not already factor in protection of personal information and consent.

What are the key changes that will impact marketing operations?

While the Privacy Act review has been extensive, and we have touched upon some of the changes that can be expected, here is a deeper dive into some of the key changes that will impact marketers and their collection, use and disclosure of customer data.

An expanded definition of personal information

A key proposed reform is the expanded definition of personal information. Currently, the Privacy Act defines personal information as information or an opinion about an identified

individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and, whether the information or opinion is recorded in a material form or not.

With the change of the word ‘about’ to ‘relates to’, i.e. information or an opinion that relates to an identified individual, plus a non-exhaustive list of what is considered personal information, there is little room for ambiguity. In other words, there will be more types of data being captured by the expanded definition, and therefore subject to regulation. That in turn means there is greater risk to businesses of privacy being compromised. So at a bare minimum in preparing for these changes, a thorough understanding of your current data practices including what, where and how personal information is collected and stored is crucial.

Understanding if your data practices are fair and reasonable

As we edge closer to reform, the Government continues to propose that the Fair and Reasonable test will apply irrespective of whether consent has been obtained. This test will be considered in determining whether an individual would reasonably expect their personal information to be collected, used or disclosed in the circumstances. A business will also need to consider the kind, sensitivity and amount of personal information being collected, used or disclosed. This might lead to businesses changing their approach in collecting data and shift towards a ‘data minimisation’ model instead. If this is the outcome for your business, it should be noted that there will also be other details to get across and be consulted on in this respect to ensure compliance.

To help businesses determine if their collection and use of customer data is in fact ‘Fair and Reasonable’, a list of considerations will be included in the updated Privacy Act explanatory guides.

Preparing for changes in direct marketing and targeting

Marketers who use online marketing tools should also prepare for changes in direct marketing and targeting, plus the trading of personal information. The Government is aiming to provide individuals with more control in how they are targeted and marketed to. A definition for ‘targeted advertising’ has been introduced and the Government has also re-introduced an adapted approach to its original proposal allowing for an opt-out of targeting. As it stands, the Government is proposing for all “individuals to be able to opt-out of receiving targeted advertising”. A significant change here is that businesses do not require that opt-out to be unqualified, or to make the consumer “not targetable”. Instead, a business is not required to provide all products or services to an individual who has opted out of receiving targeted advertising provided that this exclusion is fair and reasonable. For example, a business might withhold gated content or member benefits. This is all very much subject to the new “Fair and Reasonable” test. We expect that there will be guidelines from the Privacy Commissioner as to what “Fair and Reasonable” means.

Strengthening your data breach notification plan

There is also a requirement (and opportunity) here to review and strengthen your customer notification plan should a data breach occur. The Government is proposing to impose a 72 hour time limit to replace the current statutory requirement that notification occur ‘as soon as practicable’ after an eligible data breach. Hopefully this is not a plan you will need to action, but having a plan in place, which would help your business to respond somewhat immediately, will undoubtedly help mitigate the branding backlash and soften the customer impact should it happen.

These are just some of the key changes that marketers need to be across for the upcoming reforms. Stay tuned to ADMA as we break down more of the expected changes in a way that applies to marketers.

For now though, start to get your business and your team prepared. Don’t hold off – ADMA has created a list of the key steps your marketing team can take now in preparing for privacy reform, click here.

Want to know more? Consider taking the ADMA Privacy and Compliance for Marketers course which is discounted for ADMA Members and is also available as a bespoke team training session.

There is also a wealth of material available to members on our website including toolkits, factsheets, compliance advice and so much more. For more information contact ADMA today at [email protected]