Marketers and emerging tech: How to stay ahead of the OAIC’s regulatory priority

Marketers need to pay close attention to the release of the Office of the Australian Information Commissioner’s (OAIC) 2025-26 regulatory priorities due to their direct impact on marketing practices. In particular, the OAIC has signalled they will protect and uphold privacy and information access rights in relation to new and emerging technologies with high impact. In other words, the OAIC will enforce that as businesses and their marketers use the latest tech, consumers’ personal data and information rights are prioritised. 

So what does this mean for the industry? The OAIC has identified several high-impact technologies that raise particular privacy concerns. These include:

•    Facial recognition technology (FRT) and forms of biometric scanning
•    New surveillance technologies such as location data tracking in apps, cars and other devices
•    The preservation of privacy and information access rights in government use of artificial intelligence (AI) and automated decision making.

In this article, we’ll unpack each of these technologies and look at real-world case studies and examples of how they’re being used and what they mean for marketers.

Facial recognition technology and biometric scanning

FRT involves capturing a digital image of an individual’s face and turning their distinct features into a biometric template. Think of this as a digital fingerprint of their face – it’s completely unique to that individual. The company that collects the biometric template then uses it for verification or identification purposes, by comparing it against other existing biometric templates.

Biometric information scanning occurs when a company captures an electronic copy of your biometric information, or your unique physical traits, such including your face, fingerprints, iris, palm, signature or voice, and uses the information for purposes such as:  

•    Facial verification which refers to ‘one-to-one’ matching. It involves determining whether a face matches a single biometric template. For example, unlocking your phone with Face ID.

•    Facial identification which refers to ‘one-to-many’ matching. It involves determining whether a face matches any biometric template in a larger database. For example, scanning a crowd to find a known individual.

The Privacy Act considers biometric templates and biometric information that is to be used for the purpose of automated biometric verification or biometric identification to be sensitive information, which is afforded a higher level of protection under the Act. As such, organisations that process biometric templates and biometric information have additional obligations to consider, compared with other forms of personal information.

Case Study: Breaching privacy through the use of Facial Recognition Technology

In 2024, the OAIC found that a large Australian homeware supplies retailer breached Australians’ privacy by collecting their personal and sensitive information via FRT. The system, via CCTV, captured the face of every person who entered relevant stores where the system operated. The Privacy Commissioner found that the retailer collected individuals’ sensitive information without their consent, did not notify the individuals about the facts, circumstances and purposes of collection, and the consequences of not collecting that information , failed to take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs, and did not include required information in its privacy policy – in breach of several Australian Privacy Principles from the Privacy Act.  

The important takeaway from the OAIC’s determination is to undertake a comprehensive privacy impact assessment for any privacy-impacting technology. This allows you to identify potential privacy impacts as well as recommendations to manage, minimise or eliminate them.

For marketers, this highlights that rushing to adopt “shiny new” technologies without considering privacy obligations can lead not only to regulatory breaches but also serious reputational damage.

Surveillance technologies

Surveillance of a person’s location via data tracking can threaten their privacy. The OAIC has published privacy rights around surveillance including biometric scanning, drones, ID scanning, security cameras, and workplace monitoring.  The 2025-26 regulatory priorities make it clear that surveillance and monitoring via location data tracking in apps, cars and other devices will receive the full scrutiny of the Privacy Commissioner. 

For marketers, common practices like geotargeted advertising and location-based personalisation are in the cross hairs of the OAIC — and need to be handled with care.

An example of surveillance technology: Connected cars

A connected car is a vehicle equipped with internet access and a networked communication system that allows it to send and receive data with other devices in real time.

The data collected by connected cars can be used in isolation or combined with additional data collected to make inferences or form an opinion about an individual, which may include sensitive information. For example, location data can be used to infer a person’s place of work, religious beliefs, or visits to medical providers. 

Australian Privacy Principle 3 from the Privacy Act provides that an organisation may only collect personal information that is reasonably necessary for their functions or activities, and personal information must only be collected by lawful and fair means. In practice, before collecting personal information, businesses need to ask: is it necessary, and is the reason for collection proportionate to any impacts on privacy? 

For marketers, this highlights that location and behavioural data may look like valuable sources of insights for personalisation. However, be warned that the regulator plans to interrogate about reasonable collection, particularly where the information pertains to location tracking data.

Artificial intelligence and automated decision making

Automated systems are computer systems that make decisions or recommendations without (or with minimal) human input. They follow programmed rules or use more advanced algorithms to reach conclusions. 

Automated systems range from traditional rules-based systems which simply follow fixed, pre-defined rules set by humans (such as a system that calculates a rate of payment using a fixed formula) through to more specialised systems which use automated tools to predict and deliberate, including through the use of machine learning, which improve their performance over time by learning from patterns in data.  

Privacy considerations when using automated systems 

Companies should follow the OAIC’s guidance on developing generative AI tools,  guidance on privacy and the use of commercially available AI products,  and adhere to the relevant APPs when developing and implementing AI tools and automated systems.

For marketers, this means that when using automated systems and AI technologies to personalise campaigns, create content, or analyse customer behaviour you must comply with your obligations under the Privacy Acy, when these systems process personal information. If you don’t, you risk both breaching your obligations under the Privacy Act, and eroding customer trust.

Case study: AI De-Identification

AI tools are now part of many business operations and often require the processing of personal information. Due to their need to be trained on large datasets, careful oversight is required to ensure that users’ personal information is handled in accordance with the privacy principles.

In September 2024, the OAIC became aware of allegations that an Australian radiology company had disclosed patient data, including medical imaging scans, to a third party, to train their diagnostic AI model.  

This practice raised concerns about the company’s compliance with APP 6, which requires APP entities to only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose if a valid APP 6 exception applies or where consent has been obtained. 

In the determination, the Privacy Commissioner was satisfied that the patient data shared with an external AI health company was de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act.

In publishing her findings, the Privacy Commissioner made it clear that  de-identification may not completely remove the risk that an individual can be re-identified. There may, for example, be a possibility that another dataset could be matched with the de-identified information. The risk of re-identification must be actively assessed and managed to mitigate this risk.

For marketers, the lesson is clear: even when data is de-identified, there’s always a risk of re-identification — and the privacy regulator expects you to actively assess and manage that risk, not just assume de-identification is sufficient in all contexts.

Takeaway for marketers

Advanced technologies can offer businesses powerful opportunities to drive growth. However, privacy risks should always be considered before their adoption and use. This is where a privacy impact assessment proves invaluable, aligned with the Privacy Commissioner’s privacy by design approach.  

Before adopting technologies like facial recognition and automated decision-making systems, businesses must question whether less intrusive alternatives could achieve the same outcomes. Adoption without strict compliance risks not only financial penalties but also lasting reputation damage. The latter of which is the responsibility of the marketer.

Those who fail to put privacy first won’t just face regulatory action — they’ll lose the trust that makes growth possible.

Want to feel confident in your compliance obligations?
To build your skills and future-proof your brand, explore our regulatory course offering including online short courses and our in-depth Privacy and Compliance for Marketers program.