Published 7 December 2021
Your data-driven world is about to change – don’t be caught out by regulatory changes
The digital economy has expanded at a phenomenal pace in the past decade. Unfortunately, this means the extent of harm consumers experience is also growing.
While governments internationally have made some progress in protecting consumers – like the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US – Australia has been seen to be lagging behind.
Now, new proposed reforms to privacy laws are set to change that, bringing our compliance in this space in line with the digital age. This is a great step forward and it's critical for the long-term sustainability of the industry and business – it will protect consumers and build trust by filtering out bad actors in an otherwise well-intentioned marketing and advertising sector.
As a CMO, you need to get across these changes fast. Boards are likely to start asking if you’re prepared and what steps you have taken to get ahead of this. You might need to assess if your digital teams have the capacity and capabilities to put the things in place that will ensure compliance and improve the quality and integrity of your data and data practices. I know leaders who have had to employ an extra resource to address the changes.
These proposed law reforms are among the most important reviews taking place now. They impact the outcome of other digital platform inquiries as well as recent legislative developments, including the Consumer Data Right.
Right now, there are two main consultations that will impact Australian Privacy Law. If you aren’t across them, you will face serious consequences.
The Online Privacy Bill Exposure Draft targets a category of businesses that will be classified as “OP organisations”. The definition of providers may be of concern to businesses that may not have expected to fall within it, as it makes them subject to the proposed Code. The Exposure Draft of the Bill also looks to increase the enforcement powers of the Information & Privacy Commissioner and introduce harsher penalties (including up to $10 million fines for breaches, and even criminal penalties for multiple or repeat offenders). This is a good indication that government is taking online privacy seriously – and aligning the online legislation with existing consumer protection laws.
The Privacy Act Review Discussion Paper looks in detail at a much broader range of issues, including a proposal to expand the definition of ‘personal information’. If approved, the definition will go beyond identifiable information and include technical information.
The wording of the definition in the legislation would also change from being ‘about an individual’ to ‘relating to’ the individual. This will expand the data falling under the definition further.
The only personal information not captured by the Privacy Act will be ‘anonymous’, rather than simply de-identified, information. If the proposed reforms are passed, anonymising data is an extra step businesses will need to take for data to fall outside of the Act.
This new definition will bring more clarity around what you can and can’t do – but it’s imperative you understand what it means for your business as it affects how you collect, use and manage personal information.
Another key component revealed in the Discussion Paper is that businesses will be expected to apply a ‘fair and reasonable’ test upfront. This means that before you even consider ‘consent’, ‘permissions’ or ‘notice’, you will need to make sure your intent for using the personal information complies with what is considered to be fair and reasonable – and that it will not cause harm. Details of what the Government considers to be ‘fair and reasonable’ have not yet been outlined, but all APP entities will be watching this unfold as it will greatly impact their compliance frameworks and potentially their marketing strategies.
These proposed changes are a great sign that privacy is taking front and centre stage. If your business is more mature, you have likely started moving in this direction already to comply with stricter privacy laws like the GDPR. However, Australian laws will not exactly mirror those of the EU, so you will still have to consider compliance with regulations in both regions.
If you are yet to implement industry best practice, it’s time. These proposed reforms could soon become law, so you need to understand how implementation could affect your current practices and you need to do it before it’s too late. Remember, there are many resources ADMA members have access to, including courses and workshops, so make sure you get support if you need it.
You shouldn’t fear these changes, but understand and embrace them. Responsible marketers are advocates for transparency and developing frameworks that build fair and responsible practices. As long as you understand the value of managing data and expectations, the privacy laws are going to help your brand build consumer trust – and that's what marketing is all about.
ADMA will continue to advocate for regulation that is fair and does not stifle innovation – so we can continue to build a responsible industry that can thrive well into the future.
If you have any questions or concerns, reach out to ADMA’s Regulatory team today. Email [email protected].