Get ahead for your brand and understand the Australian proposed privacy law changes.

Australian privacy laws are highly likely to change in the near future.

In this article, we’ll look at the background of the laws in Australia, why they’re changing, and why that matters to marketing teams.

We’ll also take a look at a few of the proposals and dig a bit deeper into why ignoring these potential changes could be a big organisational risk.

Before we do, there’s one thing we need to call out. This article is not legal advice. Ah, damn! Yep—it’s important we call out that this article is for information purposes only and is written within a marketing context, not a legal one. You shouldn’t rely on any of this information as legal advice, but you can nerd out with us about what the proposed changes might mean for us as marketers.

OK, now that we’ve got that out of the way, let’s look at some of the proposed changes!

What’s changing?

Australia’s Privacy Act became law in 1988 and has always applied to the public sector. In 2001 it was changed so it applied to private sector businesses. It’s been altered since, once in 2014 to expand its coverage and again in 2018 to include mandatory data breach notifications.

But what’s being proposed at the moment would be the most significant change to the law since it was established.

Attorney General, Mark Dreyfus, has said that ‘the Privacy Act is out of date and in need of reform for the digital age’. And his department has released a Privacy Review Report, which includes numerous proposed changes to the legislation.

This all comes during a time when digital privacy is an intense topic of public discussion across the globe. In 2018, the European Union introduced the General Data Protection Regulation—or GDPR for short. It’s a data protection law that has profoundly changed the way the world thinks about digital data.

How does this all apply to marketing?

The truth is, privacy laws are already applicable to marketing teams.

The current Act, for instance, says that certain organisations are required to protect their customers’ personal information. It also says that when you no longer need your customers’ personal information you must destroy or de-identify it.

That’s highly relevant to any team within an organisation that collects data from customers.

Although the changes are only proposals at the moment, at least some are likely to become law. And many of them will affect processes, policies, and practices that marketing teams abide by or engage in every single day.

There’s another reason why marketers should be all over these developments, and it relates to brand and the risk that comes from reputational damage. But we’ll get to that in a moment.

When will the changes come into force?

We don’t know for certain, but they’re a high priority for the federal government. The Privacy Review Report was written in 2022 and released in February 2023. The deadline for feedback has passed.

What are the proposed changes?

There are a lot.

The Privacy Review Report includes 116 proposals. We won’t go into each one here, but we can give a sense of their general intention. The Attorney General’s Department has said that each proposal aims to answer or clarify one of three broad questions:

• What information should be protected, and who should protect it?
• What privacy protections should apply?
• How should breaches of privacy be enforced?

A few examples.

Let’s concentrate on just a couple of the proposals as a way of looking more closely at how these changes might affect marketers.

Removing the small business exemption.

The current act doesn’t apply to some businesses, including organisations with an annual turnover of $3 million or less.

The new proposal recommends removing this exemption, although only after consultation with small businesses.

For marketing teams in small businesses, that means you may need to be well aware of the requirements and obligations from which you were previously exempt.

Getting ahead and preparing yourself will only help your future self and your organisation to ensure the appropriate policies and practices are being discussed and in place.

Introducing ‘controllers’ and ‘processors’.

Remember we mentioned the European Union’s GDPR earlier? It was, and remains, extremely influential, and some of the proposals in the Privacy Review Report borrow terms or entire ideas from it.

‘Controllers’ and ‘processors’ are two examples. Under the GDPR:

• A controller determines the purposes and means of processing personal data. This could be a business entity, for example.
• A processor is responsible for processing personal data on behalf of a controller. This might be a third party you’ve entered into a contract with. They perform operations on personal data on your behalf.

The idea is to create a distinction between types of entities dealing with data and to impose different obligations on such organisations depending on their designation.

It is worth noting, however, that an organisation can be both a controller and processor of the same data.

Controllers and processors—an example.

A practical example is where you, as the business, engage a marketing agency to help you improve your messaging, and audience attraction, and run some campaigns.

Let’s say the work involves the creation of a form to capture contact details of the people interested in your products.

In this instance, you may be considered the controller of the data because you’re determining the purpose and means of processing the personal data.

The marketing agency may be considered the processor of the data as they are managing the website for you, and are also managing the databases to collect the information you’re requesting on the campaign form.

Introducing a ‘fair and reasonable’ handling test.

One proposal recommends introducing a ‘fair and reasonable’ test for the handling of personal information.

The test asks ‘whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances’. It also covers the ‘kind, sensitivity and amount of personal information being collected, used or disclosed’.

That’s all very legalistic, but the broad aim is to ensure businesses operating online are subject to the same obligations as other organisations under the Australian Privacy Principles. This is because the Office of the Australian Information Commissioner (OAIC) has recognised that the protections for individuals’ personal information have been eroded in the online space.

To illustrate this point, an organisation might be complying with Australian privacy law by disclosing that they collect personal information for research in order to use their app when you download it. If that organisation secretly then sells your personal information to research or political organisations, or even advertisers, it’s possible that they’d be in breach of their obligations under the proposed changes.

The OAIC offers some good examples in their discussion on their website.

What’s it got to do with your brand?

If the law changes, businesses have to make adjustments. Marketers will have to be aware of procedural changes they’ll need to make.

But they also need to take brand considerations into account.

Many of the proposals put forward are just common sense changes that bring the Privacy Act into a post-digital revolution world. Although there are nuances and qualifications to all of them, on the whole, they are changes that strengthen individuals’ privacy rights.

A good marketing team won’t just adapt to the law, but consider it from a customer’s perspective. They’ll act with empathy, not resistance.

If I want my personal information deleted, for example, I probably have a good reason for it. And even if I’m requesting it on a whim, that’s my business. It’s extremely unlikely to be an accident, and in any case, it’s not for a business to decide whether it’s the right or wrong decision.

Smart marketers will make erasure requests easy and seamless.

Think of the range of experiences you’ve had trying to unsubscribe from a mailing list (unsubscribe links in emails, by the way, are mandated under the Spam Act, not the Privacy Act).

Now think of how you feel about an organisation after hitting ‘unsubscribe’, getting a ‘Sorry to see you go…’ message, and being immediately removed from the list. It might be no feeling at all—totally neutral or indifferent—but that’s vastly better than the alternative…

We all know how frustrating it is to hit unsubscribe and then find we have to go through some elaborate process to get our email removed. Checking multiple tick boxes or even entering our own address into a field. And that’s only more frustrating when we realised it hasn’t worked for some reason. This is a terrible user experience, especially when it’s the last experience someone might have of your brand. It suggests that an organisation is being deliberately difficult. And it’s precisely this sort of thing that can damage a brand.

But it’s not just about inconvenience or annoyance to the customer—or even about that customer telling family and friends about the poor experience. It’s about a broader perception of competence, propriety, and brand experience.

It would be easy to imagine, from a customer’s perspective, that a company doing the right thing regarding privacy laws—an organisation that respects users’ rights and makes procedures and processes that easily allow consumers to control their own data—would likely be doing the right thing in other areas, as well.

Being prepared for and amenable to these changes mitigates risk for organisations. It helps companies avoid reputational damage brought about by non-compliance or reluctance to put the customer first.

Get ready.

So that’s a summary of just a handful of possible changes to the Privacy Act. But what about the proposals as a whole? How should you approach them?

Well, our suggestion is pretty simple:

For a start, it’s important to be ready and informed. Not knowing or understanding the changes that may apply to your business aren’t excuses. So keep reading and learning. And keep thinking about privacy and data security through the eyes of your customer—this is as much about the security of personal information as it is about the brand experience.

As Animals Australia has shown by shifting from a client-side to a server-side analytics configuration, there are numerous potential advantages that come from an increased focus on data ownership and control.

If you want to sharpen your marketing principles and process for your organisation, get in touch. We can help with that.

Before you go, just as we mentioned at the start of this article—none of this content should be read or relied upon as professional legal advice. We’ve written it for information purposes only and within a marketing context, not a legal one. If you have specific questions about your organisation and company policies, we suggest you have a chat with your corporate or external legal counsel so they can give you a hand.