27 August 2025
OAIC guidance is law: Privacy compliance, enforcement and the new governance era
In summary
- OAIC guidance is legally binding. Enforcement is no longer theoretical.
- Compliance scans are already targeting pixels, tags, loyalty programs, data enrichment and geo-targeting.
- The Attorney-General’s “fair and reasonable” test will soon demand proof that data use genuinely benefits individuals.
- This is no longer a marketing side note; privacy is a board-level governance and productivity issue.
Guidance isn’t advice; it’s law
When the Office of the Australian Information Commissioner (OAIC) issues guidance, it isn’t best-practice advice. It’s a binding legal interpretation of the Privacy Act 1988 and the Australian Privacy Principles (APPs).
Our earlier piece on OAIC’s tracking-pixel guidelines made the case for minimisation and consent. Today, those principles aren’t just recommended; they’re being enforced, with real-world fallout for brands that get it wrong.
Since late 2024, the OAIC has made it clear: all measurement technologies, from pixels and SDKs to server-side tags, APIs, and clean rooms, come with legal obligations to minimise, disclose, and protect personal data.
In practice, that means:
- Minimise collection (APP 3): only gather what you need.
- Obtain explicit consent: an obligation for sensitive data.
- Disclose tracking (APPs 1 & 5): in plain English.
- Limit use (APP 6): only for the purpose you disclosed at collection, or a related purpose the individual would reasonably expect, unless you have consent for something else.
- Maintain data sovereignty (APP 8): ensure that any overseas transfers comply with the APPs, and you remain accountable for the destination’s handling of data.
- Respect opt-outs (APP 7): including direct marketing preferences.
These are not optional hygiene steps. They’re enforceable requirements.
Enforcement is already here
Privacy Commissioner Carly Kind has been unambiguous: “We’re certainly not sitting around waiting for tranche two… I’ve got a pretty clear-eyed vision of how to achieve some of the same ends through quite robust enforcement.”
Her enforcement radar includes:
- Tracking pixels and their data-sharing behaviours
- Loyalty programs
- Data enrichment and brokering
- Geo-targeting
The OAIC isn’t waiting for complaints; it is running proactive compliance scans to establish benchmark cases that will set the tone for the market. And the consequences are already visible.
This isn’t a future threat. It’s happening now.
Enforcement from the OAIC isn’t the only threat. The media and technology platforms have their own compliance and technical restrictions that affect marketers, and the fallout from these platform policies is already biting. Louder has observed:
- A brand had its multi-million-dollar ad account suspended after a misconfigured consent tool accidentally blocked Google’s AdsBot crawler. These bots check web page ad quality and scan for abuse or malware; blocking them meant ads were disapproved at scale, and ultimately the account was flagged as unsafe and suspended.
- Misconfigured tags have surfaced highly sensitive information: names, addresses, even credit card details.
- Tags placed on pages have inadvertently shared sensitive data with third-party platforms.
- Many businesses still carry legacy tags from past campaigns, quietly sending data to commercialisation and black-box media products.
Reform curveballs: dual-track and “fair and reasonable”
In our recent article on the future of privacy, we outlined the Productivity Commission’s proposal for a dual-track model: either a consent-first framework or an outcomes-based “best interest” pathway.
While that debate is still unfolding, businesses can’t afford to pin compliance strategies on hypotheticals. The real game-changer is already in motion: the Attorney-General’s second tranche of reforms, introducing a “fair and reasonable” test.
This raises the bar beyond consent. Even with user permission, practices like lookalike modelling, hashed email targeting, or data clean rooms may fail the test if they can’t be shown to serve an individual’s genuine best interests. Consent alone will no longer protect you.
From marketing hygiene to boardroom governance
“Pixels” may be the current poster child for enforcement, but the APPs apply across the entire marketing data ecosystem. It doesn’t matter whether personal information comes from your own collection or through partners and enrichment providers: if you use it, you’re accountable. Digital or offline, the obligations follow the data, and so does the liability.
And this is not just a marketing problem. It’s a governance problem. Boards, directors, and all C-level executives carry liability.
The fines and penalties are real:
- Suspended ad accounts and lost revenue
- Reputational fallout and customer churn
- Mandatory breach notifications
- Legal and financial penalties
Privacy now belongs alongside financial reporting and cybersecurity as a board-level governance responsibility. The winners will be those who embed privacy into corporate culture, not those who treat it as a side project.
Louder’s recommendations
We’ve been pressure-testing scenarios with global platforms, guiding clients through these changes for a number of years. What we’re observing is a widening gap between regulatory expectations and business readiness: you only need to look quickly at “Privacy Officer” roles on LinkedIn; they nearly outstrip the number of certified legal professionals in the Australian market.
Here’s where to start:
- Audit your stack: map every pixel, tag, SDK, API and clean-room integration, and the interoperability between platforms.
- Own your technology: take ownership of the platforms that contain your data, and appropriately govern third-party access to them (agencies, contractors, internal teams).
- Embed privacy by design: conduct Privacy Impact Assessments before campaigns and new tools.
- Update notices, preferences, and consent management: be explicit and transparent about what you collect, why, and who you share it with.
- Tighten third-party contracts: don’t just own the technology licence; ensure that you own the data, access and governance, and hold vendors accountable for APP compliance, especially for cross-border data transfers.
- Limit and delete: retain personal data only as long as necessary, and communicate and document your deletion practices.
Get in touch
Get in touch with Louder to discuss how we can assist you or your business, and sign up to our newsletter to receive the latest industry updates straight to your inbox.