Get ahead as a marketing team and understand the proposed Australian privacy law changes
(part 2).

Privacy reforms are on the way. The Australian privacy landscape is about to change and there are five areas of reform you need to be aware of as a marketing leader.

Back in February 2023, the Attorney-General’s Department released a Privacy Act Review Report containing 116 recommendations for reform.

In the first part of this two-part series, we looked into the background of the laws in Australia, why they’re changing, and why that matters to marketing teams.

Now, the Federal Government has released a response indicating broad approval for reform: 68 were agreed ‘in principle’ and 38 were agreed without qualification. This signals the likelihood of significant impending reform from the Department.

I recently caught up with Ella Cannon, Principal at Hive Legal, to discuss and understand some of the proposed reforms and their implications for marketers, organisations, and individuals.

There are five areas of reform that we are specifically focusing on in this article because we think they are most relevant to marketers. Let’s take a look at them in a bit more detail.

1. New rights for individuals to object to data collection.

Proposal 18.4 of the report proposes new rights for people to object to the collection, use, and handling of personal information.

Under the new proposal, organisations will be required to consider each objection and provide a written response to the objector. This response will need to highlight why certain practices conducted by the organisation are compliant (or non-compliant) with the Privacy Act.

This proposal will likely have two consequences:

1. While it won’t be an absolute right, and therefore does not require the organisation to stop whatever is being objected to, organisations will have to justify their practices in using personal information. Depending on the amount and nature of personal objections, organisations will have to resource the effort associated with responding to each individual objection.
2. Questionable privacy practices will likely fade away—especially those which have been technically permissible but are dubious from an individual’s perspective (i.e. does it pass the pub test)—because of these rights and the organisational burden associated with continually justifying such practices.

It’s important for marketing leaders to be aware of this proposal because brand experience and perception for your clients and customers ultimately play a role here, along with risk mitigation. You can still provide someone with an on-brand and memorable experience even when that person is contacting you to object.

Knowing that this change may come means you can get on the front foot and consider how you would respond to an objection. Now’s the time to plan the words you and your team use, and how you communicate your message, to ensure a great experience for someone, even as they submit an objection.

2. Right of erasure.

Proposal 18.3 of the report proposes a new right of erasure. This gives individuals the ability to request the deletion of their personal information held by agencies or organisations.

During my conversation with Ella, she rightly noted that, to prepare for this proposed reform:

“As marketers, you’ll need to ensure your organisation has processes in place to erase all personal information in the event an individual requests deletion.”

This goes beyond the spreadsheet, database or other data repository you may be working with day-to-day, and includes all backups and any data shared with any third parties. If information is disclosed to third parties, it’s incumbent on your organisation to contact them and confirm it is erased where reasonable to do so.

This proposal would require your team to build out processes that promote transparency between your organisation and any third-party entities using personal data. The nature of these processes is likely to be formalised in legislation but we’re not sure yet when that may happen.

As a result—and due to the amount of time it takes to build these types of processes—organisations should start considering their approach to this requirement now. You can get ahead of this now by starting to itemise how personally identifiable information is collected, stored, used, and shared in your organisation, including context as to why.

This is a valuable activity for assessing compliance, even if this proposal is not implemented in the reforms.

3. Defining ‘high risk practices’.

Proposal 13 of the report proposes the identification and regulation of ‘high risk practices’.

Given there’s a proposal to formalise this definition, it’s important that marketers understand the concept of ‘high risk privacy activity’. This is not currently defined within the existing Privacy Act.

When speaking with Ella, she described high risk practices as those practices that “are likely to entail any activities that will have a significant impact on the privacy of individuals.” Mass collections of personally identifiable information, for example, may well fall into the scope of ‘high risk practices’ because of the sheer volume of people who can be impacted in the event of malicious activities if the data is compromised.

Determining high risk activities will require privacy impact assessments (commonly referred to as PIAs). These assessments will have substantially more rigour than we’ve seen previously and there’s likely more reading to be done in this area if defining high risk practices may impact your organisation.

Currently, there is no requirement to conduct privacy impact assessments within the Australian commercial sector. For those companies that do conduct them, there’s no requirement to provide the results to the Information Commissioner, unless the Commissioner uses their powers to compel information under the Privacy Act.

This will likely change with the formalising of high risk practices.

Marketers can again mitigate risk and get ahead by examining how their organisation collects personally identifiable information, for what purpose, and whether it may fall into the high risk category—especially if it’s mass collection.

4. Stricter regulations for targeting and trading of personal information.

Proposals 20.2 to 20.4 recommend a variety of reforms, including more comprehensive regulation of direct marketing. Particularly in regard to expressed governance of targeting and trading.

The reforms include:

• New defined terms for ‘targeting’ and ‘trading’ (i.e. swapping customer lists).
• An unqualified right to opt out of targeted advertising and prevent the use of information for tailoring services, content, information, advertisements, or offers.
• Requirement to obtain consent before trading information.

Targeting in direct marketing

Targeting in marketing has traditionally fallen through a legislative loophole. This is because targeting activity generally relies on de-identified data to an extent: a person’s name is removed in targeting in most cases and the activity relies on IP addresses only. However, there are often still ways to follow chains of information and ultimately identify individuals.

Despite this, the Privacy Act doesn’t currently explicitly govern these practices. This will likely change with the proposed reforms, based on the fact there’s a proposed update to acknowledge that trading and targeting are differentiated from direct marketing.

Currently, all of these activities are folded into one single category—direct marketing—and it’s only governed in instances where marketers use directly personal, personally identifiable information.

At this stage, the nature of the definitions and restrictions is unclear, aside from the fact they will be formalised. The government response has only agreed in principle, which means there will be further consultation with a range of entities that are likely to be impacted by the reforms.

The impact for marketers will really depend on the details of the legislation. However, the early signs are that we are on the path towards clarity and distinction between direct marketing and targeting, which is good.

From my conversation with Ella, we expect there will be tightened restrictions associated with targeting vulnerable individuals, or people who are likely to be more vulnerable to the impact of targeted marketing. For example, children or people living with cognitive disabilities.

Trading in direct marketing

Previously, there have been loopholes under Australian regulation that have enabled the trading of customer lists and personal information, if customers might reasonably expect such trading. As long as the lists do not include sensitive information or health information, this practice is generally permitted under the Privacy Act so long as other standard requirements are met around the collection being necessary, lawful and fair.

For most people, it’s likely unwelcome news that personal information—including contact details and date of birth—can be sold commercially between organisations for the purpose of direct marketing without their consent.

From the individual’s perspective, these reforms will likely be welcomed. For marketers, they will provide clear guidance and clarity as to what can and cannot be done with personal information.

5. Distinction between controllers and processors.

Proposal 22.1 proposes to introduce the concept of ‘controllers’ and ‘processors’ into the Privacy Act.

This is conceptually aligned with the General Data Protection Regulation (GDPR)—which you can read more about here—and is an exciting development that will provide greater clarity on the responsibility for different entities involved in processing or handling personal information.

The controller is the entity that has the primary relationship with the individual or end user. Controllers are typically primarily responsible for what happens with the individual’s personal information.

The processor is any kind of service provider or other organisation who uses that personal information on behalf of the controller (generally as a service provider).

Let’s say you lead a marketing team and you are collecting names and email addresses from customers and potential customers for your newsletter. You engage a marketing agency to help you create and send those newsletters each month. In this example, your organisation would be considered the data controller because you hold the primary relationship with the individual whose data you’re collecting. The marketing agency would be considered the data processor as they are using that collected data in order to deliver the services you are engaging them for.

From a privacy perspective, delineating between these two entities is important and logical. From a marketing perspective, it provides you with clarity and further enables you to make informed decisions about how you will handle personal information.

Under the current Act, organisations in the typical processor role—those who don’t have a direct relationship with the individual or end-user whom they’re collecting or using information about—find it difficult to comply. For example, it’s particularly difficult to provide a collection notice to the individual if you are in the processor role.

Ella notes:

“The proposed reforms reflect the fact that we cannot continue to apply equal governance to all entities and expect equal compliance. Varying organisations involved in digital service delivery have very different relationships with individual end-users.”

As a result of this reform, entities will have distinct responsibilities and powers that reflect the nature of their relationship with the individual end-user, and impact what they can and cannot do with information.

From our conversation, we expect there will likely be three main outcomes if this reform proceeds:

1. A reduction in the compliance burden of understanding obligations that aren’t relevant to certain organisations.
2. Improved governance from marketers and organisations when engaging third parties in the context of data processing arrangements, including clarity and contractual clauses that itemise responsibilities between parties.
3. More formalised practice and understanding of Data Processing Agreements in Australia. These are commonplace for risk mitigation overseas and many organisations dealing with offshore service providers will already be familiar with them. Currently, there is no real accepted industry practice in Australia, but this will likely change following the proposed reforms.

As an organisation, now is the time to prepare.

While we’re still waiting to see what the Government’s response will look like in practice—and therefore do not yet know the specific details of some of the reforms—one thing is clear: it’s time to start preparing for what seems to be inevitable change coming our way.

It’s highly likely we’ll see a shift towards increased protections for individuals, which means the obligations and responsibilities of organisations collecting personal information will change.

It’s crucial that you understand the changes and how you may be affected by them. Equally, it’s important to start preparing right now by controlling what you can: mapping existing processes, reviewing how and why you collect or manage specific information, and more.

If you’re interested to chat about the best way your marketing team can prepare for the changes and protect against risk, we’d love to help you get ahead of the curve.

Get in touch using the August website contact form or give us a call today: 9445 0326.

If you’d like to seek more formal legal advice, Ella is always happy to have an initial chat too. You can find her on LinkedIn or by contacting Hive Legal.