To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.
The Office of the Australian Information Commissioner (OAIC) has made it abundantly clear that the staggered approach to privacy reform will not slow enforcement efforts. Since gaining new powers in tranche one (December 2024), the regulator has taken a proactive stance, using existing legislation to tidy up Australia’s privacy landscape.
For marketers, the OAIC’s newly released FY26 regulatory priorities serve as a reminder that standard marketing practices are under scrutiny. The regulator has both the means and the motivation to enforce privacy compliance, and these priorities show exactly where their focus lies.
When announcing the priorities, Australian Information Commissioner, Elizabeth Tydd, recognised the contribution of community confidence and trust in positively impacting the economy.
“The OAIC is focusing its resources on the things that matter most and on the regulatory problems that pose the most harm. Our vision is to increase public trust and confidence in the protection of personal information and access to government-held information.”
The new regulatory priorities include:
Rebalancing power and information asymmetries
Rights preservation in new and emerging technologies
Strengthening the information governance of the Australian Public Service
Ensuring timely access to government information
To reinforce the office’s privacy efforts that seek to redress power imbalance for consumers, Australian Privacy Commissioner, Carly Kind, has said:
“We're specifically focussing on practices that deprive consumers of control and where extractive approaches to personal information collection and use disempower individuals.
Excessive collection and retention of personal information will be a focus of our regulatory work, including where entities are collecting more personal information than is reasonably necessary for their functions and activities, and failing to take reasonable steps to destroy information they no longer need.”
In short, the OAIC is zeroing in on preventing privacy harm, particularly where consumers are subject to power imbalances, and upholding the community’s access to information rights.
The OAIC’s 2025-26 regulatory priorities directly target sectors, technologies, and practices that marketers rely on every day. For digital marketing teams, that means being proactive in reviewing your data collection, targeting tools, and governance practices before the regulator reviews them for you.
Priority one, rebalancing power and information asymmetries, is the most impactful to marketers and marketing practices. Our article on priority two, rights preservation in new and emerging technologies, examines the impact that the rapid development of technology can have on marketing practices.
Priority one - Rebalancing power and information asymmetries
This priority targets sectors and technologies that compromise privacy rights and create information imbalances between organisations and individuals. The OAIC has specifically singled out:
The rental property, credit reporting, and data brokerage sectors
Advertising technology including pixel tracking
Practices that erode information access and privacy rights in AI applications
Excessive collection and retention of personal information
Australian Privacy Commissioner Carly Kind has been particularly vocal about the privacy risks posed by ad tech, especially tracking pixels, and their potential to erode public trust.
“Many of these tracking tools are harmful, invasive and corrosive of online privacy. This is a real concern in the community with our Australian Community Attitudes to Privacy Survey 2023 finding that 69% of adults did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising, with that rising to 89% when material was targeted at children.”
Marketing impact: This priority directly touches core digital marketing practices. If you’re using tracking tools for profiling or targeted advertising, the OAIC expects privacy-by-design configurations, minimal data collection, and clear consumer consent. The release of its tracking pixels and privacy obligations guidance last year gives marketers a detailed roadmap of what good looks like.
Practical steps for compliant, responsible marketing
With the OAIC sharpening its focus on privacy practices, marketers have a clear opportunity to demonstrate leadership in compliance. These practical steps align with both the Privacy Act and the OAIC’s 2025-26 regulatory priorities, helping to reduce risk while maintaining consumer trust.
Audit your tracking pixels
Review your use of tracking pixels across social media and digital platforms. Keep only those that are strictly necessary, and configure them to protect privacy. Regularly check that they remain compliant with your privacy obligations and with the privacy commitments you’ve made to your customers.
Honour anonymity (APP 2)
Wherever practical, give customers the option to remain anonymous or use a pseudonym. This isn’t just a legal obligation but signals respect for consumer choice.
Minimise data collection (APP 3)
Only collect the personal information absolutely necessary for your marketing functions. Ask: Can we achieve this without collecting personal information, or with less of it? With the OAIC flagging excessive collection of personal information as a top priority, implementing data minimisation across all collection points is critical.
Be upfront about your data practices (APP 5.2)
Provide a clear, jargon-free privacy collection notice explaining what you collect, why, how, and who you share it with. Transparency meets your legal obligations and builds trust.
Keep your privacy policy current
Your privacy policy isn’t the same as your collection notice. Review and update it to ensure it accurately reflects existing collection, use, and disclosure practices, especially around pixel tracking.
Limit use and disclosure (APP 6)
Only use or share personal information collected via pixels for the purposes you’ve disclosed — unless a specific exception under APP 6 applies.
Know your direct marketing obligations (APP 7)
If you’re using personal information for targeted online advertising, make sure you understand when consent is required, provide opt-out facilities, and don’t use or disclose personal information for direct marketing purposes if a customer has opted out.
Don’t store what you don’t need (APP 11.2)
The more personal information you keep, the greater your compliance and security risks, and your costs. Audit your holdings and securely destroy personal information you no longer need.
By embedding these practices into your marketing operations, you’re not only staying ahead of regulatory enforcement, you’re also building consumer confidence in your brand. In an environment where privacy is a competitive advantage, good compliance is good marketing.