The privacy firestorm for Australian advertisers and marketers

By Jason Pollock | 17 May 2023

The federal government’s Privacy Act Review has set off a firestorm of commentary with industry bodies highlighting how the proposed changes would affect advertising, marketing and media. 

Advertisers say the proposed privacy restrictions on advertising could actually be harmful.

And the ability of advertising-backed online publishers to provide free content and services could be severely restricted by proposals in the Privacy Act Review Report from the Attorney General's Department, according to the IAB (Interactive Advertising Bureau).

Peter Leonard, principal of Data Synergies and professor of practice at UNSW Business School who was recently named the chair of The Australian Data and Insights Association’s Privacy Compliance Committee, said the state of privacy, data and security in Australia at the moment is in a very significant transition with major challenges among the advertising and marketing sectors.

“The key shift, I think, is away from so-called notice of consent towards new requirements for organisational responsibility and accountability in relation to data practice,” said Leonard.

Leonard says this creates significant issues for entities in how they design their systems and processes for management of personal information.

“A good example is that the notice of consent framework provided incentives for organisations to game consumer behaviour by making disclosures in a way that consumers might not fully understand, and as a result of those disclosures, arguing that they've complied with the privacy rules.

“Whereas where the law is now very clearly going is to say you start from the concept of what responsible and fair data collection and use is and then ask has the organisation put in the appropriate controls and safeguards in order to ensure that the data is only used in that way?

“As soon as you start to introduce concepts like fair and reasonable data use, it shifts the focus away from what you tell the consumer towards what is it that the organisation ought to be doing to control the way personal information has been used.”

Leonard said that Australia is adopting a uniquely Australian approach to privacy reform, using a mix-and-match method from other regulatory frameworks and bringing them together with some Australian elements.

“A good example is we're now talking about a fair and reasonableness test, which is actually derived from the Canadian Privacy Act,” said Leonard.

“We're talking about requirements for privacy officers and privacy impact assessments that are significantly the same as GDPR. We're talking about a new concept of a senior responsible officer having responsibility for privacy compliance within an organisation, which is actually derived from a current UK proposal. There are elements around organisational accountability that we've taken from the Singapore Privacy Act.

“If all of the current proposals were enacted, it would be a distinctly Australian approach to privacy law and would be directly comparable in terms of the level of requirements that organisations have to meet with the major regimes overseas. 

“There is one area of proposed regulation - uses of de-identified data - that is significantly different and would be very impactful if it were implemented. That's one area Australia is proposing to go further than other regulatory regimes.”

Richard Watson, global and Asia Pacific cybersecurity consulting leader at EY, said that the principle of further evolving privacy regulation is consistent with what's happening around the world and is another example of a sovereign state putting a stamp on data that is generated there.  

“It does just add to the complexity and headache for organisations that need to run across many different geographies,” said Watson.

“Consistent with the trend of deglobalisation that we're seeing, each country is having its own spin to these rules. Whereas perhaps four or five years ago, it was looking like GDPR was going to become the sort of global standard – it's not quite the case now.”

With the impending retirement of third-party cookies by Google on the horizon, the move is set to have an outsize effect on the advertising, marketing and media industries, as demonstrated both by research from Adobe and industry leaders interviewed by AdNews.

Leonard said the end of third-party cookies will result in an increase in the value of first-party data, as well as a move towards the use of privacy-enhancing technologies to enable anonymisation-based sharing of consumer transaction data for marketing purposes.

“It's still unclear as to who will be the beneficiaries of that trend and what business models will be compliant in these new regimes, but I think that will be an inevitable response to the new regulation and restrictions in availability of data from the global digital platforms,” said Leonard.

Leonard said that advertising returning to a contextually-based environment once cookies have disappeared is a likely interim response, but alternatives to cookies that involve anonymisation-based targeting will continue.  

“There'll be a shift towards contextual advertising unless and until the new regulatory framework becomes clearer and the appropriate privacy-enhancing technology and clean room response for that environment becomes settled,” said Leonard.

“Part of the reason we're having so many data breaches is that organisations are collecting identifying information and sometimes think they have to do that to verify attributes of individuals – for example, can I serve this advertisement to this user or are they a child, and therefore not an appropriate recipient of an ad relating to this issue?

“One of the key areas for change in the next couple of years is going to be a movement to federalised or other systems for identity verification or attribute assurance that don't involve individual organisations collecting all this information that then potentially can be exposed through a data breach.”


Watson (pictured right) said that as a result of the data breaches last year, there was a huge scramble across corporate Australia to understand what level of information organisations were collecting. 

“Some pretty senior executives I worked with didn't know, for example, whether their company did 100-point data checks on identification and it’s becoming so difficult to control the spread of data - how do we remove data we no longer need, subject to legislation requiring us to keep it?” said Watson.

“This over collecting of data and storing of data has become a real challenge and obviously, if you don't have the data, then you're not going to find yourself in the headlines for breaching it. 

“‘What is the minimum amount of data we need to collect?’ will become and is already a focus, whereas perhaps it hadn't been considered in the same priority as it is now.”

Leonard said that we all know the problem with personal information in the last couple of years has been major data breaches among other things, but if you do a root cause analysis of those breaches, it will reveal that while they were caused by malicious actors, or in some cases, the carelessness of internal operators, it's often over-collection, over-exposure or over-retention of personal and other sensitive information about individuals that is truly to blame. 

“By over-exposure, I mean the grants of access that are far too broad for too many people in relation to too much information rather than restricting information on a need-to-know basis – for example, picking out personal identifiers and subjecting them to particular controls before they can be joined back to information about those individuals,” said Leonard.

“If you do that kind of basic information security hygiene within an organisation, it significantly reduces the exposure to prospective bad actors. You're also in compliance with privacy laws that increasingly say you should only be collecting information when it's necessary to fulfill a stated purpose and you should be making sure that that information is not used for any other purpose.

“The marketing databases and customer-related information is often not very well controlled in organisations. They've recognised the problem and addressed it in relation to other databases but often haven't addressed it in respect of their marketing databases.”

Watson echoed those sentiments, saying that identity, access management and limiting access to data to those that need it – the principle of least privilege – is a key implementation for organisations to enact, but that companies also need to think about aspects like passwords and multi-factor authentication too.

“It’s about recognising that most failures are probably in the frontline of your workforce, so how do you get the average daily worker to be thinking about cybersecurity in everything that they're doing?” said Watson. 

“In the marketing team, that means not sending unencrypted spreadsheets over email or sharing information and campaign data – until that is the first thing someone thinks about, you're always going to be on the back foot, because you can't put technology controls in front of everything.

“We need to make it akin to a safety mentality - no one would deliberately do anything to jeopardise safety at work, so they need to be thinking about cybersecurity in the same context.”
