Australia’s new automated decision-making (ADM) privacy rules are designed to improve transparency, not disrupt everyday marketing practices. For most marketers, the focus is on understanding where personal information is used and whether any automated decisions have a meaningful impact on individuals’ rights or interests.
Automated decision-making (ADM) refers to decisions made by computer systems – often using algorithms – that rely on personal information to produce outcomes without direct human involvement. ADM powers today’s digital advertising ecosystem and is now firmly in the regulatory spotlight.
The Privacy and Other Legislation Amendment Bill 2024 (the Bill) introduces new transparency requirements around ADM under Australian Privacy Principals (APP) 1.7 to 1.9.
In simple terms, businesses will need to clearly explain how they use personal information in automated decisions that significantly affect people’s rights or interests.
The Office of the Australian Information Commissioner (OAIC) has privately sought feedback on how these new provisions should apply in practice.
ADMA has engaged directly with the OAIC to ensure the rules are interpreted in a way that reflects how automated systems actually operate in the real world of digital advertising and marketing. Here’s what marketers need to know.
Automation powers most online experiences. From the ads we see, to how content is prioritised, to which offers land in our inbox. Algorithms are constantly working in the background.
As many marketers know, automation often involves audience segmentation. For example, ads might be shown to a group inferred to be men aged 20 to 35, who are likely to be interested in grooming or fashion. That process is automated, but it does not automatically mean it triggers the new transparency obligations.
The key question under the new law is this: Is personal information being used in an automated decision that significantly affects someone’s rights or interests?
If the answer is no, the new transparency requirement should not apply.
Not every automated decision will trigger the new rules. The Explanatory Memorandum to the Bill gives examples of decisions that may be considered significant, including:
ADMA’s position is that most automated decisions in digital advertising do not meet this threshold.
For example:
On the other hand, using personal information in automated decision-making to refuse someone for a loan or deny access to a health service could be significant and may fall within scope.
It is important that the new rules focus on genuinely impactful decisions. If interpreted too broadly, privacy policies risk becoming more complex, more technical and less helpful for consumers.
An important distinction is whether an entity is actually handling personal information. If an organisation has the capability to identify an individual, it is handling personal information and is subject to the Australian Privacy Principles.
However, if tracking technologies are set up in a way that ensures individuals are not reasonably identifiable, then the new ADM transparency requirements should not apply.
Within the digital ecosystem:
Only a subset of these entities will be using personal information in automated decisions. An even smaller subset will be making decisions that significantly affect individuals.
Control in programmatic advertising is often shared. Platforms typically decide what targeting options are available, such as age, gender, geography or content category. Advertisers then select from those options. For example:
The platform’s algorithms then determine how bidding and ad placement occur. The level of control available to advertisers varies depending on the platform. In practice, responsibility for automated decision-making is distributed across multiple participants.
The OAIC asked how personal information used in automated decision-making is shared across the digital advertising ecosystem. While there are many variations across the ecosystem, here are some of the most common models.
- Walled gardens
Platforms such as Meta, Apple, Amazon and Snap operate closed ecosystems where they:
Advertisers may upload their own first-party data or use audience segments created by the platform. If an advertiser uses its own customer data, transparency obligations will generally sit with the advertiser. If the platform’s data is being used, obligations will generally sit with the platform.
- Open programmatic and Open RTB
In open programmatic advertising:
Multiple parties may contribute data to inform bidding and personalisation decisions:
Agencies and other intermediaries may also be involved.
- Other programmatic models
There are also hybrid arrangements, including:
Each model involves different degrees of automation and data use.
The bottom line for marketers
Automation is fundamental to digital advertising. Data is shared in many ways across a complex ecosystem.
However, the new APP 1.7 transparency obligation should only apply where:
Marketers should review where personal information is being used in automated systems and assess whether any decisions could reasonably be considered significant. Most automated processes that simply facilitate advertising transactions will not meet this bar.
ADMA will continue working with regulators to ensure the new requirements are applied proportionately and in line with both the intent of the legislation and the practical realities of digital marketing. We will keep industry updated as guidance evolves.
Want to sharpen your privacy and compliance skills?
Check out our regulatory course offering with a range of options to suit your needs. From our online short courses to our more comprehensive Privacy and Compliance for Marketers course, ADMA has your regulatory upskilling needs sorted.