What the new ADM privacy rules mean for digital advertising
Australia’s new automated decision-making (ADM) privacy rules are designed to improve transparency, not disrupt everyday marketing practices. For most marketers, the focus is on understanding where personal information is used and whether any automated decisions have a meaningful impact on individuals’ rights or interests.
What Marketers Need to Know
- New ADM privacy rules focus on transparency, not restricting everyday marketing activity
- Obligations only apply where personal information is used in automated decisions that significantly affect individuals’ rights or interests
- Most common marketing activities, like audience segmentation, targeting, and programmatic buying, are unlikely to be in scope
- The key test is whether an automated decision has a meaningful real-world impact on a person, not just whether automation is used
- Marketers need to identify where personal information is used across their systems and partners
Automated decision-making (ADM) refers to decisions made by computer systems – often using algorithms – that rely on personal information to produce outcomes without direct human involvement. ADM powers today’s digital advertising ecosystem and is now firmly in the regulatory spotlight.
The Privacy and Other Legislation Amendment Bill 2024 (the Bill) introduces new transparency requirements around ADM under Australian Privacy Principles (APPs) 1.7 to 1.9.
In simple terms, businesses will need to clearly explain how they use personal information in automated decisions that significantly affect people’s rights or interests.
The Office of the Australian Information Commissioner (OAIC) has privately sought feedback on how these new provisions should apply in practice.
ADMA has engaged directly with the OAIC to ensure the rules are interpreted in a way that reflects how automated systems actually operate in the real world of digital advertising and marketing. Here’s what marketers need to know.
Automation and digital advertising
Automation powers most online experiences, from the ads we see, to how content is prioritised, to which offers land in our inbox. Algorithms are constantly working in the background.
As many marketers know, automation often involves audience segmentation. For example, ads might be shown to a group inferred to be men aged 20 to 35, who are likely to be interested in grooming or fashion. That process is automated, but it does not automatically mean it triggers the new transparency obligations.
The key question under the new law is this: Is personal information being used in an automated decision that significantly affects someone’s rights or interests?
If the answer is no, the new transparency requirement should not apply.
Not all automated decisions are equal
Not every automated decision will trigger the new rules. The Explanatory Memorandum to the Bill gives examples of decisions that may be considered significant, including:
- Decisions affecting children or vulnerable individuals
- Decisions affecting access to essential services, such as healthcare
- Differential pricing for significant goods or services
ADMA’s position is that most automated decisions in digital advertising do not meet this threshold.
For example:
- Loyalty discounts at a supermarket are widely understood and expected by consumers.
- Showing an ad to people in NSW but not Victoria is standard commercial practice.
- Targeting based on broad segments does not usually amount to a significant impact on rights or interests.
On the other hand, using personal information in automated decision-making to refuse someone for a loan or deny access to a health service could be significant and may fall within scope.
It is important that the new rules focus on genuinely impactful decisions. If interpreted too broadly, privacy policies risk becoming more complex, more technical and less helpful for consumers.
When does personal information come into play?
An important distinction is whether an entity is actually handling personal information. If an organisation has the capability to identify an individual, it is handling personal information and is subject to the Australian Privacy Principles.
However, if tracking technologies are set up in a way that ensures individuals are not reasonably identifiable, then the new ADM transparency requirements should not apply.
Within the digital ecosystem:
- Many online merchants handle personal information because they can identify customers through accounts and transaction records.
- Some adtech and martech intermediaries may handle personal information. Others operate with governance controls that ensure effective anonymisation.
Only a subset of these entities will be using personal information in automated decisions. An even smaller subset will be making decisions that significantly affect individuals.
Who controls automated decisions in programmatic advertising?
Control in programmatic advertising is often shared. Platforms typically decide what targeting options are available, such as age, gender, geography or content category. Advertisers then select from those options. For example:
- Age range 30 to 40
- Female
- Lifestyle content rather than sport
The platform’s algorithms then determine how bidding and ad placement occur. The level of control available to advertisers varies depending on the platform. In practice, responsibility for automated decision-making is distributed across multiple participants.
How is data shared across the ecosystem?
The OAIC asked how personal information used in automated decision-making is shared across the digital advertising ecosystem. While there are many variations across the ecosystem, here are some of the most common models.
Walled gardens
Platforms such as Meta, Apple, Amazon and Snap operate closed ecosystems where they:
- Own the ad tech infrastructure
- Control how ads are bought and sold
- Manage the first-party data collected from users
Advertisers may upload their own first-party data or use audience segments created by the platform. If an advertiser uses its own customer data, transparency obligations will generally sit with the advertiser. If the platform’s data is being used, obligations will generally sit with the platform.
Open programmatic and Open RTB
In open programmatic advertising:
- Advertisers use a DSP (demand-side platform) to bid on inventory.
- Publishers use an SSP (supply-side platform) to sell inventory.
- Auctions happen in milliseconds.
Multiple parties may contribute data to inform bidding and personalisation decisions:
- Advertisers may upload first-party data.
- DSPs may use their own data or partner data.
- SSPs may also use data to determine how inventory is supplied.
Agencies and other intermediaries may also be involved.
Other programmatic models
There are also hybrid arrangements, including:
- Programmatic direct deals, where advertisers and publishers negotiate directly using automated tools.
- Programmatic guaranteed deals, where price and volume are fixed but the transaction is automated.
Each model involves different degrees of automation and data use.
The bottom line for marketers
Automation is fundamental to digital advertising. Data is shared in many ways across a complex ecosystem.
However, the new APP 1.7 transparency obligation should only apply where:
- Personal information is involved, and
- It is used in automated decision-making, and
- The decision can reasonably be expected to significantly affect someone’s rights or interests.
Marketers should review where personal information is being used in automated systems and assess whether any decisions could reasonably be considered significant. Most automated processes that simply facilitate advertising transactions will not meet this bar.
ADMA will continue working with regulators to ensure the new requirements are applied proportionately and in line with both the intent of the legislation and the practical realities of digital marketing. We will keep industry updated as guidance evolves.