Credit: Photo by Photo by Sasun Bughdaryan on Unsplash
The advertising and media industry is preparing for the second tranche of the Privacy Reform Act which will give individuals more control over how their data is used.
The government agreed that individuals should have the right to opt out from direct marketing. It also agreed in-principle to defining direct marketing, targeted advertising, targeting and trading.
The Association for Data-Driven Marketing and Advertising (ADMA) said its members are "actively engaged".
Peter Leonard, chair of ADMA's Regulatory and Advocacy Working Group, credited the first tranche of regulations as bringing "important changes to the privacy regulatory framework and enforcement".
This included increased penalties for privacy breaches and the government reframing of how the Privacy Act is interpreted and applied, leading to "substantially higher enforcement risk in relation to many digital marketing practices than had previously been the case," he told AdNews.
"This has been coupled with an increase in investigations by the Privacy Commissioner and in the Commissioner's enforcement resources.
"The Commissioner also restated the OAIC's (Office of the Australian Information Commissioner) 'regulatory action priorities' to include a focus on sectors and technologies that compromise rights and create power and information imbalances, including the data brokerage sector, excessive collection and retention of personal information, and uses of advertising technology (ad tech), such as pixel tracking, and practices that erode information access and privacy rights in the application of artificial intelligence."
Regulatory bodies, including the ACCC (Australian Competition & Consumer Commission), ACMA (Australian Communications and Media Authority) and OAIC will be actively enforcing the legislation. Regulators are no longer just passively looking at data collection, but also how you got it and how your algorithms are potentially harming customers.
The ACCC is on the lookout for any form of "digital manipulation".
"The ACCC has announced a new focus upon algorithmic pricing practices, and continues to investigate misleading or deceptive marketing practices including uses of 'dark patterns' and other forms of 'digital manipulation'," he said.
ACMA has scaled its penalties for businesses that breach spam and telemarketing laws, enforcing companies into pricey, multi-year audits that can last up to 3 years, according to ACMA’s Court-Enforceable Undertakings register.
"The ACMA continues to actively enforce spam and do not call laws and subject entities breaching those laws to multimillion dollar penalties and requirements for exacting and expensive compliance audits and annual reviews."
As of January, the OAIC (Privacy) have been conducting "compliance sweeps", making sure businesses are following through on privacy policies.
This involved "conducting 'a targeted review of selected businesses' privacy policies to ensure they meet strict rules', and initially focused upon 'in-person requests for personal information from retailers, licensed venues, car hire companies or real estate agents'," he said.
"The renewed regulator emphasis upon choice and control for consumers as to when, how and why personal information about them is collected will impact many digital marketing practices."
ADMA is advising its members to "review compliance with privacy laws on an ongoing basis".
"In the context of this rapidly evolving regulatory environment, the Privacy Commissioner has made it very clear that a 'set and forget' approach to privacy compliance is a high-risk strategy."
Leonard recognised delays to the second reform, stating that it was "partly due to the Productivity Commission undertaking a study into Harnessing Data and Digital Technologies."
This involved consultations with ADMA.
This report was handed over to the government on December 10 and made public on the 19th.
It is currently "under consideration" by the government.
"The Productivity Commission recommended a radical rethink of possible reforms to the Privacy Act, including introduction of an overarching requirement that collection and uses of personal information be 'fair and reasonable', coupled with simplification of some of the existing requirements of the Australian Privacy Principles," he said.
"Those recommendations may lead to reassessment by the Federal Attorney-General of what the bundle of tranche 2 reforms should include. ADMA expects to be involved in consultations around development of that revised bundle.
"The Privacy Commissioner is also about to undertake a consultation on a children's privacy code, and as to implementation of new legal requirements for transparency of automated decisions, including uses of AI and algorithms for differential pricing or other terms of offer of significant products or services."
The OAIC is developing a mandatory Children's Online Privacy Code due December 10 2026, one year after the implementation of the social media ban for under 16's.
Under the Privacy and Other Legislation Amendment Act 2024, businesses also have until December to fully comply with new automated decision-making (ADM) transparency requirements.
“ADMA is already active in ascertaining digital marketing sector views and promoting good practice in these areas."
Gai Le Roy, CEO of the Interactive Advertising Bureau Australia (IAB), said the delay has created some “uncertainty”. However, it has given the government time to develop privacy reforms that are appropriate for the growing "AI-driven digital ecosystem" the industry is now navigating.
"To ensure the proposed changes remain fit for purpose in an increasingly AI-driven digital ecosystem, and to consider developments offshore such as the EU's Digital Omnibus proposals (European Commission's Digital Omnibus proposals)," she told AdNews.
The EU proposal was introduced by the European Commission in late 2025 to simplify digital regulations.
The package includes a "digital omnibus that streamlines rules on artificial intelligence (AI), cybersecurity and data, complemented by a Data Union Strategy to unlock high-quality data for AI and European Business Wallets that will offer companies a single digital identity to simplify paperwork and make it much easier to do business across EU Member States," according to the European Commission.
"If passed, the EU proposals would reshape how GDPR (General Data Protection Regulation) is applied by narrowing what counts as personal data, and easing some consent and breach-reporting requirements," she said.
"They would allow greater flexibility for AI and data use without rewriting the law itself.
"Meanwhile, the Privacy Commissioner has outlined the OAIC's (Office of the Australian Information Commissioner) first compliance sweep for 2026, focusing on whether businesses collecting personal information in person have privacy policies that clearly meet APP 1.4 requirements.
"Their focus is on transparency at the point of collection, particularly in sectors where consumers have limited choice, and where unclear or incomplete privacy policies increase the risk of over-collection and misuse of personal information."
She said the IAB will continue to work with the government and regulators and keep its members updated on the next phase of the reform.
Media Federation Australia (MFA) CEO Sophie Madden calls the review a "significant development" for the industry and said consumer privacy has always been a focus for the MFA.
"While the Government has not provided a clear timeline for its introduction, MFA members are already proactively preparing for Tranche 2, investing in new approaches such as alternative signals and decentralised data models," she told AdNews.
"As an industry collective, we have long operated under established privacy guidelines through the Australian Digital Advertising Practices (ADAPs), which include a strong focus on consumer privacy.
“These Practices were designed to evolve and as new regulations come into effect, we'll update them to ensure they remain practical, relevant and fit for purpose in the new legal and operating environment."
Agency strategy
For marketers, the question of what this will mean for how media is bought remains top of mind. Strategy has shifted towards methods that support high-performance marketing without putting a users' data at risk. This includes clean rooms, contextual targeting, and federated AI.
Ryan Menezes, chief media and solutions officer at WPP, said its agencies, which include Mindshare, Wavemaker, and EssenceMediacom, have been "proactive" in preparing for the second tranche and how it will change the industry.
"We anticipate a future where 95% of the internet is untrackable and 'de-identified IDs' (such as hashed email, IP addresses, and device fingerprinting) will be regulated out, with Australia potentially leading this global shift."
WPP will engage in multilateral data collaboration.
"We're fostering strategic alliances where data remains with its original owners, amplifying value while maintaining privacy compliance as both data controller and processor, in line with Tranche 2," he said.
The second approach utilises decentralised data models.
This is powered by data collaboration platform InfoSum, and federated AI, which helps train AI models on this connected data," said Menezes.
"This model ensures data remains with its original owner (that means it never leaves the bunker).
“WPP Media, through our InfoSum acquisition, facilitates this to enable one-to-many predictive targeting based on large marketing models rather than individual precision targeting," he said.
The third approach focuses on alternative signals.
"We are exploring contextual and geospatial data to connect with relevant audiences (that means things like postcode-level analysis)."
WPP also anticipates what Menezes calls a "supply chain shakeout". Privacy laws are becoming stricter and those who can't prove data has been collected legally will lose their place.
"We expect third-party data brokers to be at risk, needing to abide by refined data collection, for example, the right to be forgotten, and robust consent management mechanisms like voluntary, informed, current, specific, and unambiguous.
"This represents a fundamental and strategic pivot away from traditional identity-based advertising towards a privacy-by-design approach, directly addressing the core concerns of excessive data collection, transparency, and consumer consent highlighted in the reforms."
Jessica White, CEO at KINESSO Australia, part of the Omnicom group, said Tranche 2 is a “reset in how agencies and clients build scale, use data, and justify outcomes”.
The new legislation will “expose” areas within media plans that need stronger, more transparent approaches to privacy and data collection for audience targeting.
"Tranche 2 doesn't suddenly make marketing unworkable, but it does expose which parts of your current plan were propped up by opaque tracking, cheap retargeting and platform-reported performance that can't prove incrementality," she told AdNews.
"Some reach will disappear, some CPMs will rise, and some tactics that looked efficient will fail their first real test - but that's the point. What replaces them is a shift toward fewer, stronger signals: first-party data, publisher and commerce partnerships, clean‑room collaboration, modelling, and experimentation that show what drives growth."
White said advertisers might be tempted to rely on Google and Meta’s millions of logged in users in the short-term.
Google and Meta can track logged-in users across its owned platforms which include Facebook, Instagram and Threads.
This seems like an easy, efficient way to survive privacy laws changing.
White advises against this.
She said an “over-reliance concentrates risk, limits transparency and hands pricing power to the platforms.”
Instead, she encourages diversification - using tools like data clean rooms and contextual targeting to reach users on the open web.
"The advertisers who come out on top will be the ones who use this moment to diversify, rebuild targeting around data they can defend, and invest in measurement that proves business impact rather than just platform performance," she said.
"In plain terms: marketing doesn't get weaker - it gets more honest, more deliberate, and harder to bluff."
"At Acxiom, we have been operating in that reality for years, building systems designed for secure, governed data mobility that build long-term strategic advantage rather than opportunistic reach,” Natalie Hatch, head of Acxiom and data partnerships at KINESSO Australia, told AdNews.
Media agencies will also become "strategic translators” for their clients.
“The legislative changes are not merely a compliance exercise; they necessitate a fundamental rethink of strategy for both media agencies and the clients they serve,” said White.
“The old playbook is becoming obsolete.
“Agencies can no longer act as buffers between clients and complexity - they must instead be strategic translators.
“Their role must evolve from being expert activators of media to being strategic guardians of client data and architects of privacy-first marketing, shifting the conversation from “what channels can we buy?” to becoming the strategic counsel of client data."
“Instead asking “what data do we actually have, and can we defensibly use it? Agencies that upskill and help clients confront this shift early will build trust; those that paper over it will create risk.”
Hatch said Acxiom is focusing on what's real - first-party, authenticated data.
“Acxiom supports this shift by enabling agencies and clients to collaborate inside controlled, privacy-first environments, where strategy is built on what’s real, not what’s assumed,” she said.
As for how the industry should be preparing, those who are sitting around waiting for the second tranche to hit, will “fall behind”.
“The smartest brands are auditing their data foundations and third-party partnerships through privacy impact assessments, tightening ownership of first-party data, implementing data breach response plans, and asking harder questions to themselves and their partners: Where does our data go? Who touches it? Can we prove consent and purpose? Is this data usage fair and reasonable?,” said Hatch
“Acxiom has been helping organisations answer those questions for decades, because its approach assumes scrutiny is inevitable, not optional. It’s no longer an opportunity to invest in your long-term data strategies; it is now a risk if you don’t."
The future of targeting and measurement
How campaigns are targeted and measured will undoubtedly change, as years of third-party data tracking through cookies that followed users across the web, and device IDs, are regulated out by the “fair and reasonable” test.
“For years, scale has been achieved by aggregating data points from myriad sources, tracking users across thousands of websites and apps using third-party cookies, device IDs, and other identifiers, allowing the building of massive audience segments,” said Hatch.
“The combination of a broader definition of 'personal information,' the need for 'specific, unambiguous consent,' and the 'Fair and Reasonable' hurdle will cause the industry to reinvent how we create addressable audiences."
The need for stricter privacy regulations has been strongly backed by Australians.
The 2023 Australian Community Attitudes to Privacy (ACAP) survey found that 84% want more control and choice over the collection and use of their personal information and 74% of Australians feel data breaches are one of the biggest privacy risks they face today.
The study, which included 1,916 respondents 18+, also found that more than eight out of ten (84%) Australians consider targeted advertising based on sensitive information including health information, racial or ethnic origin, to not be fair and reasonable and 69% consider online tracking, profiling and targeted advertising to adults based on personal (but not sensitive) information to not be fair and reasonable.
“The pool of individuals who can be identified, targeted, and measured across different digital properties will shrink dramatically and pave the way for transparent, accurate and realistic audiences," said Hatch.
“Measurement is seeing the breakdown of user-level attribution.
“Without the ability to track a single user across different websites and over time, it becomes impossible to connect an ad impression on one site to a conversion on another.
“View-through attribution, in its current form, will cease to exist, and the "right to erasure" means that historical data used for modelling and analysis could be deleted at any time upon user request, creating gaps and skewing results.
“Measurement will see a fundamental shift, and for many clients and agencies, it already has, with MMMs (Marketing Mix Models) , lift studies and cohort analysis work replacing user-level measurement.”
The future of advertising and marketing is about prioritising consumer trust through transparent and responsible approaches that make them feel secure about how their data is collected and used.
“For the media and advertising industry, the direction of travel is clear: the era of collecting and using personal data with minimal transparency is over,” said White.
“The new regime will be significantly stricter than our current laws and will rival GDPR (General Data Protection Regulation) in its impact on business operations.
“The focus must now shift to preparing for a future built on consumer trust, transparency, and the responsible use of first-party data."
The first part of privacy laws passed in December 2024 in the Privacy and Other Legislation Amendment Bill.
Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at adnews@yaffa.com.au
Sign up to the AdNews newsletter, like us on Facebook or follow us on Twitter for breaking stories and campaigns throughout the day.