19 June 2024

The new Privacy Act

In summary

• The proposed changes to the Privacy Act 1988 are coming soon and its going to have a big impact on digital business
• Louder discusses what the industry is talking about how businesses can prepare themselves for the proposed privacy reforms

Proposed privacy reform

Barely a day goes by where we don’t hear some contained uproar around the proposed privacy reforms and the effects it will have on businesses, particularly in the advertising and marketing world.

The Australian Government has vowed to go hard on proposed reforms to the Privacy Act 1988. The Australian Information Office (OAIC) are leading this charge, and the main contenders include Mark Dreyfus, the Attorney General, and Carly Kind, the new Privacy Commissioner, who has recently moved to back to Australia after 15-years in the EU/UK.

With this in mind, we can expect some similarities to GDPR integrated into the new Australian legislation as the government grapples with business requirements versus consumer privacy demands.

The reality of tracking and privacy in financial services

Last week, I had the privilege of taking part in a panel discussion at a Financial Services Marketing 2024 event hosted by Dianomi. Over a hundred financial marketers gathered at UTS to discuss what Financial Services Marketing looks like in 2024 and beyond. 

I spoke in a panel discussing the ‘reality of tracking and privacy’, a topic that’s very much at the forefront of business priorities today, as the government brings the parliamentary review of the new Privacy Act forward to August.

Joining me on the panel were:

• Ori Gold - Media Agency Owner
• Sam French - Marketer for Motley Fool
• Tim Burrowes (moderator) - Founder of Unmade

Do Australians actually care about privacy?

The question on everyone’s lips - do Australians actually care? I believe they do but, they haven’t really been able to do much about it. Europe enforced their privacy changes over six years ago, so why has it taken Australia so long to follow?

Over the last 15 years we have immersed ourselves into a digital economy with data at its heart; everyone collects it, everyone uses it, and the acceleration of AI is expediting the importance of it. This increased data usage has also made it extremely valuable and has allowed big tech companies to become exceptionally profitable off the back of collecting and using our data. It’s very evident that we can no longer ignore the perils of unrestricted data access and usage.

The Australian Government is taking action

In 2020 the Australian Government decided it was time to and asked the ACCC to conduct a series of inquiries into digital platform services. The eighth report within these inquiries was released in March this year.

Targeting the middleman

This report focusses on the middlemen - companies who collect our data for a business purpose, but often pass that data onto third-parties for a fee. The report delves into why these companies collect it, how it is being used, and if they are passing it on to profit from a data partnership. The inquiry includes a wide scope of digital platforms that gather intimate information from us including banking and financial services, telecoms, insurance, rental and housing platforms, as well as advertising and marketing technologies.

This article focusses on the latter with an emphasis on the collection and use of personal data used to segment audiences to deliver a relevant user experience. The main concerns centre around people’s choice, knowledge and control over this data collection and use.

Privacy policies are full of jargon

74% of Australians are uncomfortable with the idea of their data being shared or sold to other companies without their permission. However, only 21% read any privacy policies on a regular basis, and there’s a good reason for this [1]. These policies are often extremely lengthy with the average being 6,876 words. The wording is often complex and ambiguous, making it difficult to understand who retains what data, for how long, and what can be done with it.

Furthermore, even if the consumer does understand this, in many cases, there is little that can be done about it if they wish to proceed with the product or service. As the report identifies, many companies wrap up their policies in ‘take-it-or-leave it’ terms, bundling consent options into legal jargon that the average person will not read or fully grasp.

This lack of choice and control is particularly highlighted in the ‘Rentek’ industry, where estate agents wrangle for even more control over tenants data and their position of power between the owners. Paper applications are now replaced with a raft of digital providers, each promising more and more data to the real-estate company in return for their contract. Renters have little choice but to comply in such a tough housing market and pass increasing amounts of personal data on, which is often sold onto other service companies. 

Tim Burrowes wrote an interesting take on this data diversification of the rental market in his daily publication of Unmade on 27 May 2024.

Consumers need help to protect themselves

Protecting consumers has been the intent of the Australian regulator since 2020. Alongside data leaks and increasing financial fraud and scams, the Attorney General feels that the “personal privacy of citizens is under attack” as we are increasingly asked to share our personal information online, in what is currently considered an unregulated environment.

The rhetoric makes concerning reading for marketers today, particularly in an industry that relies on buckets of data to target their audiences and measure campaign effectiveness. In his key note speech at the Privacy by Design Awards in May, the Attorney General spoke strongly around the value of personal data;

“It is clear that personal information has immense value – not just to individuals, but to those engaged in marketing, research, product development and advertising. It’s past time we stopped treating the most personal and private information of Australians as an asset that entities hold.”

Third-party cookies have already been given the death-nail following the increased privacy regulations in Europe. The focus now is on first-party data; how companies will need to protect this and how they will be able to use it based on the consent of their customers.

The opt-in / opt-out discussion is paramount to how brands will acquire their customers’ consent. Previously Australians had to actively opt-out of receiving communications that involved storing and sharing data such as emails, however there were no restrictions at all for the use of third-party cookie data.

The Privacy Commissioner was particularly passionate against the unwarranted use of our browsing data and the current struggle we have to control that,

“Our daily interactions with online and offline attempts to acquire our personal information are like death by a thousand cuts, wearing down our ability to meaningfully engage with privacy policies, terms and conditions and consent notices.” [2]

However, one of the concerns raised at the event was the experience of the customer, navigating through all of the pop-up consent frameworks and tick boxes. It isn’t the best experience with your morning coffee, and it can get quite annoying. We couldn’t agree on a solution to that, except perhaps with time, the population as a whole will become more educated on the consent frameworks, and the pop-up reminders can become less frequent.

Further changes are coming

Other notable changes proposed within the Privacy Reforms are less impactful on marketing and advertising teams in practical terms, but will still have big impacts on the businesses where they work.

The proposed removal of the exemption of the Privacy Act for businesses with an annual turnover of less than $3 million will mean that smaller businesses need to address their privacy policy, and may be bound by similar obligations as larger businesses.

This is not a cost small business owners wish to concern themselves with at the moment, but by building a privacy impact assessment into all new business processes, they will relieve hurdles and be in line with future regulations as they continue to develop.

Secondly, any data breaches must be reported immediately. There are proposed reforms that a company should have a designated employee and process to deal with such an occurrence. Having a disaster recovery plan in place to initiate a quick response to any data leakage will help adhere to legislative requirements and have a lasting impact on a brand’s reputation.

Where does this leave marketers today and tomorrow?

It’s a human trait to often leave things until the last minute, particularly when they are not an immediate priority. Many businesses have failed to move quickly believing things will fall into place as the changes are made. And as we noted at the event, this is mainly due to the fact that the goal posts keep changing. There hasn’t been a clear indication of what will happen and whilst we know that change is needed, we all need to be on the same page as far as the consumer is concerned.

The impacts of the privacy reforms will be further reaching than anything the industry has seen in the last two decades. If businesses do not start to have these conversations with their customers, when the consent policies come into play they can anticipate losing at least 50% of their audience for advertising purposes. 

There has been much discussion around privacy by design and how businesses should start to adapt and communicate this (some of our recommendations were highlighted in our newsletter a couple months ago).

Companies must start to prepare for an entirely different data use and management strategy which puts customer consent at the heart of their operations. Access to data must be centralised within a business with security a main priority. This strict adherence to data ownership and access has always been the case in the Martech world where customer data is stored in the form of names, emails addresses, telephone numbers and so forth.

Up until now, the ad-tech world has relied on the anonymous third-party cookie to target and communicate with the customer, but soon this will no longer be the case.

Introducing De-Identified Data

With third-party cookies vanishing completely next year the advertising industry is relying on the introduction and systematic use of de-identified data, otherwise referred to hashed data#. 

De-identification’ refers to the process of transforming personal identifiable information (email address, phone number) into code that is no longer about an identifiable or reasonably identifiable individual. The use of de-identified data may have some benefits for consumers’ privacy. For example, it may lessen the amount of personal information that may be compromised in the event of a data breach.

However, where the data has been de-identified, there is a risk of it being re-identified. An experiment around this was carried out by the CTO of Louder at the end of last year, and reversing the hashing of an email, was not a particularly tough job. 

It appears that for the moment, the government will not be banning the transfer of de-identified data in its current state. There is a balance to be made in allowing businesses to continue operating in a digital world, which the government needs to take into consideration. Industry lobbying has argued that an entire ecosystem is at risk, should we remove the ability to understand a customer and deliver a connected experience. Regardless of this it will all come down to customer consent, and without that, the transfer and use of customer data will become extremely challenging.

Louder’s recommendation

We finished our panel discussion contemplating where companies should focus their energy and resources first. And, of course, this is depends on the vertical; the approach for an ecommerce store would be very different to a financial investment firm.

What we did agree on:

• Try to operate your business more cohesively - no more silos from a data perspective. Marketing, IT and legal need to sit in the same room and have the same game plan regarding to data, where it is held and how it is managed and used. 
• Make the most of new technologies that help to store data in a safe and compliant way whilst respecting customer consent and privacy.
• Do not ignore your customer. Inform and educate them on the upcoming changes and this transparency should help them feel more assured about giving you their data in the future.

If you have any questions about the changes to third party cookies, the privacy reforms and how your business will be impacted, get in touch with Louder for a chat.

Don’t forget to subscribe to our newsletter to receive all the latest industry news and platform updates straight to your inbox.

References

[1] Digital Platform Services Inquiry interim report - March 2024, ACCC

[2] The Australian opinion piece, OAIC