08 May 2026

The OAIC warns ‘set and forget’ privacy is over for marketers

This article is not written or presented as legal advice or opinion. Readers should neither act on nor rely on opinion(s) in this article and linked materials without seeking legal counsel.

In summary

  • What: Exclusive OAIC responses to Louder reveal how privacy expectations are shifting across ad tech, AI and modern marketing infrastructure.
  • Why: Tracking pixels, AI tools and increasingly automated advertising systems are creating more complex governance and data handling risks.
  • How: Regulators are placing greater focus on due diligence, ongoing system reviews and whether data use is genuinely “fair and reasonable”.
  • When: The shift is already underway, with proactive compliance activity continuing and broader Privacy Act reforms expected throughout 2026.

Ongoing governance is now the expectation

There’s still a tendency in marketing to think privacy can be “implemented” once.

A policy gets updated. A consent banner goes live. Legal signs off. Everyone moves on.

The problem is the systems underneath rarely stay still.

Platforms evolve constantly. Vendors get added. AI features quietly roll out. Tags change. Integrations expand. Consent frameworks break. Ownership shifts between agencies, tech teams and marketing departments.

Over time, organisations can end up with customer data moving through environments nobody fully understands anymore.

That’s the shift sitting underneath the exclusive responses Louder received from the Office of the Australian Information Commissioner (OAIC) for Privacy Awareness Week 2026.

The regulator’s language is becoming noticeably more operational.

Less focused on privacy policies themselves, and increasingly focused on how organisations actually govern the systems handling personal information underneath.

And for marketers, that’s a much bigger shift than it sounds.

The real privacy risk is increasingly operational drift

One of the clearest signals from the OAIC was the expectation that organisations conduct “regular, ongoing reviews” to ensure systems handling personal information remain “configured appropriately” over time.

That might sound straightforward. But most modern marketing environments are anything but.

A typical stack now includes ad platforms, CDPs, analytics tools, server-side infrastructure, AI-powered optimisation systems, attribution layers, clean rooms and multiple third-party vendors all connected together in different ways.

The industry still largely behaves as though privacy can be implemented once and maintained passively, despite those systems changing continuously underneath.

That’s where the risk is starting to emerge. Not necessarily through deliberate misuse of data, but through operational drift.

Legacy pixels continue firing years later. Consent signals stop passing correctly after updates. Vendors accumulate access over time. AI systems expand how customer information is activated underneath platform interfaces. Data flows become harder to explain internally.

The result is environments where organisations technically “comply” on paper, while operational visibility quietly erodes underneath.

The OAIC is putting tracking infrastructure under the microscope

The OAIC again reinforced its position on third-party tracking technologies, referencing its 2024 guidance on tracking pixels.

Importantly, the regulator made clear that responsibility still sits with the organisation deploying the technology.

“The guidance makes clear that it is the responsibility of the organisation seeking to deploy a third-party tracking pixel on their website to ensure it is configured and used in a way that is compliant with the Privacy Act,” the OAIC told Louder.

That matters because many marketers still assume responsibility largely sits with platforms or vendors once technology is implemented.

The OAIC’s position suggests otherwise.

And increasingly, regulators appear less interested in whether organisations simply have privacy disclosures in place, and more interested in whether teams actually understand what their systems are doing.

The OAIC also stressed the importance of conducting due diligence before deploying tracking technologies, warning that failing to do so can expose organisations to “a range of privacy compliance risks”.

In practice, that could mean:

  • customer information being unintentionally shared with platforms
  • sensitive data captured through URLs or form fields
  • consent signals failing across connected systems
  • duplicated or poorly governed tags collecting more data than expected
  • organisations losing visibility over where customer data is ultimately flowing

Modern marketing systems are increasingly behaving less like discrete tools and more like interconnected infrastructure.

A single implementation gap can now affect targeting, optimisation, attribution, audience matching and measurement simultaneously.

Another important signal from the OAIC relates to the proposed “fair and reasonable” test under Tranche 2 Privacy Act reforms.

The regulator confirmed its support for the proposal, noting that organisations may increasingly need to consider:

  • an individual’s reasonable expectations
  • the amount of personal information involved
  • whether privacy impacts are proportionate to the benefit gained

That potentially changes the privacy conversation quite significantly for marketers.

Historically, much of the industry focused on disclosure and consent mechanics. If a user technically consented, many organisations treated that as sufficient.

The direction of travel now appears much broader.

Increasingly, organisations may need to justify not just whether consent was obtained, but whether certain targeting, enrichment and data activation practices are reasonable in the first place.

That’s a very different governance question.

AI is making governance murkier, not cleaner

The OAIC also referenced its guidance relating to commercially available AI products and the different ways organisations may handle personal information when using them.

That’s becoming increasingly relevant as ad platforms rapidly embed AI-driven optimisation into almost every layer of campaign execution.

Many systems now automatically:

  • model behaviour
  • infer intent
  • optimise audiences
  • expand targeting
  • automate creative delivery
  • connect data across environments

The problem is many marketers can still see the outputs, but can’t always fully explain the decision-making underneath.

And as automation layers become more sophisticated, the governance challenge shifts from simply understanding what data enters a platform to understanding how that data is being activated once optimisation systems take over.

Privacy is moving closer to infrastructure

One of the more notable aspects of the OAIC’s responses is how frequently the language references systems, infrastructure and ongoing operational review.

That’s significant.

Because it suggests privacy regulation is moving much closer to how marketing environments actually function underneath, particularly as platforms become more automated and interconnected.

The OAIC encouraged organisations to take a “complete approach to privacy”, considering not just policies themselves, but also how data is “collected, processed, stored and utilised or disclosed through processes involving digital systems and infrastructure.”

That moves privacy well beyond legal review alone.

It places privacy much closer to platform governance, procurement, measurement infrastructure, implementation quality and operational oversight.

The regulator also strongly encouraged organisations to conduct Privacy Impact Assessments (PIAs) for projects involving personal information.

Again, the implication is operational.

Privacy considerations are increasingly expected during implementation and system design, not after platforms are already live.

What good privacy practice looks like now

According to the OAIC, organisations operating in digital marketing and advertising environments should stay closely aligned with evolving developments, including the Children’s Online Privacy Code and broader Privacy Act reforms expected throughout 2026.

But more broadly, good privacy practice now appears to be shifting toward ongoing governance maturity.

That means organisations need to move beyond static compliance reviews and build stronger visibility into how their systems actually operate day to day.

Louder’s recommendations

At Louder, we believe the organisations adapting best to this shift will be the ones treating privacy as an ongoing operational capability, not a one-time compliance checkbox exercise.

  • Conduct regular reviews of tracking, tagging and consent infrastructure
  • Improve visibility into vendor integrations and data-sharing pathways
  • Run Privacy Impact Assessments for major martech, AI and measurement projects
  • Review whether data collection practices genuinely align with customer expectations
  • Align marketing, legal and technology teams earlier in implementation decisions
  • Treat privacy governance as part of platform and measurement governance overall



About Emma Shepherd

Emma is the Editorial and Communications Lead at Louder. When she’s not writing or editing, she’s out walking her dog, Bronx, taking a Pilates class, or tracking down the city’s best Sunday roast.