Australian advertisers face new regulatory constraints under privacy reforms set to take effect in December, with the OAIC introducing new requirements around automated decision-making, pixel tracking and data collection.
IAB Australia's 2026 Privacy and Data summit unpacked what this means for Australian advertisers.
Tanvi Mehta Krensel, partner for data privacy, cyber security and digital assets at Squire Patton Boggs, said the automated decision-making (ADM) legislative changes would affect the majority of advertisers.
She explained the reforms to the legislation would encompass advertisers who arranged for the use of technology related to decision making, even if they did not supply the technology themselves.
"Personal information is used when you operate the computer program, then voila, you have got new transparency requirements under your privacy policy, and specifically you have to disclose those," said Krensel.
"The point of this provision is to flush out the use of ADM by an organisation, so think of these next six months as your time to think about whether these decisions exist within your organisation."
She said advertisers needed to consider if they were comfortable disclosing their use of ADM to consumers in their privacy policies, or "if you want to reject things so you don't meet the threshold, and the disclosures aren't required."
Krensel said the new threshold would go further than the GDPR's, which only applied to decisions made solely by automated means.
She said Australia's reforms would extend to decisions made “substantially” through automated means, meaning human review alone may not exempt advertisers from the policy.
"That's really interesting, because it suggests to me that if you use a computer program, or any form of AI, to produce any kind of recommendation about the kinds of people that you should target for a specific advert and if a human reviews that, but doesn't materially change that recommendation, you are potentially, firmly, in the scope of new ADP 1.7."
She said pixel tracking was also flagged as an area of heightened risk, with the OAIC requiring consent for pixel-based data collection involving sensitive information.
"If you are collecting sensitive information through the use of pixels, then you really need an individual's consent," said Krensel.
She said the OAIC had used pixel tracking of a visit to a mental health website as an example of potentially sensitive information requiring consent.
Krensel said advertisers participating in direct marketing now needed to align with the regulatory standard of "a child's best interests."
"The consent that you use needs to be collected directly from a child, and you need to have either theirs or, depending on their age, a parent or carer's consent to conduct that direct marketing," she said.
"It's not quite a prohibition, but there's a lot of hoops to jump through there, and particularly that concept of best interest."
Sarah Kruger, director of policy and regulatory affairs at IAB Australia, said the Children's Online Privacy Code reforms would extend to any advertising services children might have access to, creating a compliance conundrum for businesses trying to determine whether the code applied to them.
"How do I know whether my service is likely to be accessed by children unless I collect data about my users, and then I'm collecting personal information, which I'm not allowed to do if they're children, so you've got a circularity there, which is potentially problematic," said Kruger.
Kruger said the code also significantly narrowed what data could be collected by default.
"The only personal information you are allowed to collect under the children's code by default is information that is strictly necessary, and that is much narrower than what we currently have under the Australian Privacy Principles, which allows you to collect a broader range of personal information," she said.
Krensel added that the OAIC's updated guidance on data collection had broadened the definition of what constituted collection itself.
"Data brokers are potentially a no-no, because we can't make out that collecting data for enrichment by a data broker is necessary under APP 3.62," said Krensel.
“This is the new world.”
Krensel stressed the importance of transparency and robust contracts across the data ecosystem.
"OAIC has been clear that the disclosures you make need to be meaningful and accessible, but also comprehensive."
Kruger said the best way to stay compliant moving forward was data minimisation and deletion, collecting only what was necessary and deleting it once the original purpose had been served.
“If you are not minimising the data you collect, if you are not deleting it when the purpose you collected it for has ended, there is a risk that, that will not be considered reasonable or fair and reasonable,” said Kruger.
“New ways of implementing existing law are going to be increasingly important.
“Just because you did something last year and it was okay will not mean it's okay to do again.”