Don’t wait for Tranche 2: The privacy reckoning has already started
 

Too many marketers think data privacy stops at their own front door. Peter Leonard, Chair of ADMA’s Regulatory and Advocacy Working Group, explains how responsibility now spans your entire data ecosystem and why action can't wait for Tranche 2.
 

With the federal government’s Tranche 2 privacy reforms on the horizon, many marketers seem to be holding their breath in anticipation of tighter rules, increased scrutiny and an overhaul of how to use personal data.

And yet, despite growing consensus on the need for reform, the precise timing and final details of Tranche 2 remain uncertain.

In this state of anticipation, marketers could be forgiven for feeling as if they are in limbo: unsure whether to take action now, or wait for new legislation to dictate the next move.

But a wait-and-see approach creates real legal risk.

While Tranche 2 is still in development, the Office of the Australian Information Commissioner (OAIC) has made it abundantly clear it expects organisations to be lifting their compliance with existing privacy obligations.

The OAIC has signalled that it is now adopting a more active enforcement stance. The regulator has issued multiple privacy determinations and updated guidance materials that specifically address current digital marketing practices - including digital tracking, third-party pixels and sharing profiling data. An additional area of concern is the lack of transparency in data-sharing practices that have come to characterise parts of the martech and adtech ecosystem.

Use of tracking pixels and similar tools embedded across websites and campaigns is a particular focus. These technologies form the backbone of modern marketing, enabling measurement, personalisation and retargeting at scale. But they also expose organisations to significant compliance risk, particularly when personal or sensitive information is being collected without transparent notice or appropriate consent.

The Privacy Commissioner’s recent investigation into a major social video platform concluded that the existing provisions of the Privacy Act were inadequate in addressing some opaque aspects of sharing profiling data associated with third-party pixels. 

However, the Commissioner emphasised that media publishers and other operators of websites that permit the deployment of third-party pixels and tracking codes to collect personal information about users of their sites, for the purpose of sharing with others, are now on notice: they may already be breaching existing law requiring clear disclosure as to those practices.

In fact, in many instances, marketers themselves may not know exactly what data is being captured, where that data is going, or who that data is being shared with. This is not just a technical or ethical issue – it’s a legal liability. Under Australian privacy law, not monitoring or ‘turning a blind eye’ to what other parties in a marketing data ecosystem are doing is not a defence.

The good news for marketers is that despite the absence of a refreshed legal framework, the Privacy Commissioner has made expectations clear regarding the collection and sharing of profiling data. When using pixels and other tracking codes and device identifiers to collect and share data that could reasonably identify individuals, businesses must ensure those practices are transparent and compliant.

The OAIC’s guidance confirmed that even in the absence of new legislation, organisations must conduct due diligence to ensure their use of third-party pixels complies with the Privacy Act. The OAIC also made clear that covert or poorly disclosed data collection - particularly where sensitive information may be involved – will constitute a privacy breach.

Legal liability does not end once marketing operations are outsourced. Businesses can still be held responsible if a subcontractor or service provider breaches privacy obligations that are outsourced.

Even where the subcontractor or service provider did not comply with provisions in the outsourcing contract requiring them to ensure data privacy compliance. That’s because, in many cases, third-party service providers act as agents, making their conduct legally attributable to the business that engaged them.

This is a critical point for marketers, who often work in complex digital ecosystems involving agencies, publishers, platforms, vendors and intermediaries. Even if data handling is delegated, the legal duty remains.

Compounding this issue is the time it takes to fix it. Changing digital data flows, reconfiguring tracking technologies, updating privacy policies, renegotiating vendor contracts and rolling out governance frameworks is not an overnight exercise. These kinds of changes can take 12-18 months to fully implement.

That means the time to act isn’t when Tranche 2 arrives - it’s now. If your organisation is already skating close to the line, your organisation may be in the firing line for enforcement of the current law, and ‘tranche 2’ reforms are likely to up the data governance required to ensure compliance.
 

What marketers can do now

There is still time to act. The OAIC’s existing guidance provides a clear roadmap of what marketers can do today to prepare:

● Map your tracking ecosystem. Understand where pixels and similar technologies are deployed, what data they collect and where that data is sent.

● Minimise data collection. Configure tracking tools to capture only what is necessary for a defined purpose, avoiding over-collection.

● Ensure transparency. Update privacy notices and consent mechanisms to clearly explain who is collecting data, what it’s being used for and who it’s being shared with.

● Address sensitive data risks. Take particular care where tracking could relate to health, politics, or other sensitive categories - these require explicit consent.

● Review third-party relationships. Include privacy compliance obligations in contracts with vendors and establish audit rights or assurance mechanisms.

● Clarify internal accountability. Don’t assume your agency, platform or publisher has it covered. Ensure your organisation knows who is responsible for what.

● Treat clean rooms as compliance tools, not loopholes. If using data clean rooms, ensure they are designed and documented as part of a privacy-by-design strategy - not simply a way to argue information falls outside the Act.

Ultimately, Australia’s privacy laws are evolving but the expectations of regulators, and indeed the public, are already changing.

The organisations that invest in responsible data governance now will not only stay ahead of legal requirements, they will also be better positioned to build sustainable, trust-led relationships with their audiences.

That’s not just good compliance. That’s good marketing.