Legal Insights

Proposed changes to the Privacy Act and the implications for digital advertising

By Gregory Palumbo, Tara Dhanushkoti

06 May 2022 • 5 min read

We outline the key proposed changes to the Privacy Act that may impact the Ad Tech industry and what steps you can take to best prepare.

What is Ad Tech?

The term Ad Tech is short for ‘advertising technology’. While relatively broad, the term as it is used today refers to the technology, software and tools that help marketers and brands target, deliver, manage and analyse the performance of their digital advertising efforts.

One of the most impactful developments for this industry has been the ability to use data about an individual to better target advertising to that individual based on their preferences and past behaviours (which can be done using, for example, various online behavioural advertising technologies such as cookies, pixels, ad tags and web beacons).

Ad Tech also helps brands to make the most of their digital advertising budget and maximise their return on investment by delivering content to an engaged audience that is likely to be interested in their products and services.

What’s been happening in this space in Australia?

Between 2017 and 2019, the Australian Competition and Consumer Commission (ACCC) conducted the Digital Platforms Inquiry, which looked into the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in the media and advertising services markets.

The Digital Platforms Inquiry made a number of recommendations in relation to a range of competition, consumer and privacy issues, which led to:

  • the development of the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which was released in October 2021; and
  • proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act) as part of the Australian Government’s ongoing review of the Australian privacy law framework (Privacy Act Review), which began in 2019.

In summary, if enacted, the Online Privacy Bill would:

  • enable the introduction of a binding online privacy code (Code) for social media and certain other online platforms and data brokerage services; and
  • increase penalties and enforcement measures for privacy interferences and other breaches of the Privacy Act more generally (such that the increased penalties and enforcement measures would apply to all organisations subject to the Privacy Act and not only those subject to the Code).

The Privacy Act Review, which was initiated by the government in 2019 and is still ongoing, seeks to review, and significantly enhance protections under, the Privacy Act.

Some of the key proposed changes to the Privacy Act that may impact the Ad Tech industry include the following proposals.

1. Changes to the definition of personal information

    One proposal in the Privacy Act Review is to broaden the definition of personal information, including to incorporate identifiers, location data, online identifiers and other technical information (such as IP addresses, device IDs, account names and social media handles), which are commonly used in digital advertising programs.

2. Increases to obligations on collecting, using and disclosing personal information for the purposes of direct marketing, targeted advertising and profiling

    There are various proposals in the Privacy Act Review that deal with direct marketing and targeted advertising, including:

    • a proposed requirement for an organisation to take steps to identify and mitigate any privacy risks if the organisation wishes to engage in “high risk” restricted activities (such as direct marketing or online targeted advertising on a large scale);
    • a proposed obligation for organisations to notify individuals if they wish to use or disclose personal information to conduct direct marketing activities; and
    • a proposed right for individuals to object to the collection, use or disclosure of their personal information for the purposes of direct marketing.

3. Increases to fines and enforcement powers

    The proposals would significantly increase the Office of the Australian Information Commissioner’s (OAIC) enforcement and regulatory powers, which would include, for example, an increase to the maximum civil penalty available for a serious or repeated interference with an individual’s privacy. The current limit is $2.22 million for serious or repeated interference with the privacy of an individual; the maximum penalty would increase to the greater of:

    • $10 million;
    • 3 times the value of the benefit obtained directly or indirectly by the organisation from the serious or repeated interference with privacy; or
    • if the value of the benefit under the above point cannot be discerned, 10% of the relevant turnover of the organisation during the 12 month period prior to the interference (where the relevant turnover would include all supplies with a connection to Australia that the organisation, or any related body corporate, has made or is likely to make during a 12 month period).

What can you do now?

While it is not clear if (or when) the Online Privacy Bill may be passed or which (if any) of the proposals in the Privacy Act Review will be enacted, there are a number of steps we recommend you begin considering (and if appropriate, taking) in order to prepare for any changes that may be implemented as a result of the proposed changes to the Privacy Act mentioned above.

1. Future proof your contracts

    With respect to any important existing contracts or any contracts that you may enter into in the future, we recommend that you consider whether there is anything that you can do now to ensure that these contracts provide the rights and protections that may be needed in the future to address the proposed changes to the Privacy Act, particularly for contracts where you may be sharing, licensing or procuring large amounts of personal information.

    There are a number of impactful contractual rights and positions that you can include now that will provide you with:

    • the flexibility that is needed to adjust to the changing regulatory landscape; and
    • the protections that may be needed should issues arise in the future as a result of any change in the privacy framework.

2. Assess any direct data collection or any data sharing, licensing or procurement arrangements

    In addition to any contractual arrangements (including where you may be sharing, licensing or procuring any third party data), we also recommend that you review your data collection practices. We recommend that you consider what types of data you collect (including various types of technical information), from where you are getting your data (especially any personal information) and think about whether there is a need to update your collection notices and privacy policy to more clearly outline the types of data being collected (including any data that may, in the future, be considered to be personal information), from where you are sourcing the data (if not directly from the individual) and how this information is being used and disclosed, especially with respect to any targeted advertising that you may be undertaking.

3. Review and update your privacy compliance regime, including your governance practices, privacy policy, terms and conditions and/or collection notices, as necessary

    We recommend that you consider the type of data being collected, whether that data is (or may in the future be) personal information, whether there may be a need to obtain any consents for such data (and if so, we recommend future proofing such consent processes) and what internal and external governance is required to properly protect (and provide access to) such data and mitigate or remediate any potential issues or risks. This may be particularly relevant for organisations currently planning new projects and/or updates to their policies, consents or notices.

4. Conduct Privacy Impact Assessments (PIAs), as necessary

    Finally, we recommend that you adopt a ‘privacy by design’ approach and consider whether it is necessary to conduct a PIA for any of your Ad Tech or digital advertising projects, especially any new projects in your business pipeline. This process will assist in identifying privacy risks associated with those projects and help to implement controls to mitigate those risks. When you are doing so, we recommend that you contemplate the potential new privacy framework and try to ensure that the PIA considers the relevant issues that may be presented in the future as a result of any potential changes in the privacy framework.
