2024 Australian Privacy Act update: 
Are you prepared to thrive (or just survive) in the new era?

Changes to the Australian Privacy Act are due in August 2024.
Here’s some of what we know so far.

How you capture, store & make PII data available will change

Over the past few months, I have been buried in reading about the planned changes to the Australian Privacy Act. My focus is to find information to support our Marketing Automation clients.

However, the impact will be industry-wide and will impact all email marketers.

Much of the focus being written about relates to future requirements of organisations of all sizes and types and their handling of PII “Personally Identifiable Information”.

Data security, safe and responsible use of AI (artificial intelligence) and proposed digital ID cards are all drawing the attention of the Attorney General’s office.

Stay ahead of the curve by subscribing to our Privacy & Governance service.

Marketing Automation is all about communicating with personalised, relevant and timely messages

The key topic we’re looking to understand before the legislation is passed is to get an idea about the impact of the data marketers generally capture and what changes may be needed.

One of the clearest indications I’ve found so far is from Gadens lawyers and their blog post from 16th June 2023 “Privacy Act Reforms – will individuals’ rights impact your business?

To comply with these six rights for individuals, the data referenced must be stored and easily accessible. The EU’s GDPR is similar in this regard.

Marketing Automation platforms may be the source of truth for profile data, i.e. name, address, phone numbers, email address etc. 

However, Marketing Automation is just one channel used to capture contact/profile data. The data is then generally passed onto your organisation’s CRM or other systems.

If you consider the Right to Erasure, simply deleting a contact from your marketing automation platform will probably not be enough; their details will have been passed to other systems.

Integration logic between systems will likely have to be reviewed. 

For example, you might delete a contact from a marketing automation platform only to have the same contact restored moments later as the synchronisation between the CRM and the marketing automation platform is triggered. The CRM is usually the source of truth for profile data.

Marketing can play a role in the Right to Access and Explanation. The data you capture today from an attribution point of view can be helpful, specifically with the “explanation” part of the right to access and explanation.

The trick will be maintaining this data in perpetuity. If a person requests an explanation about how you came to have their profile data in your systems, could you answer that question today?

The Right to Correction will prove challenging for some organisations. 

I know my bank will find this a challenge. 

Despite 8+ years of banking with them, they still mix my partner’s and my mobile numbers, and they have no idea of my partner’s correct date of birth despite multiple attempts and verbal confirmation from bank staff it has been corrected.

They have a mix of ancient banking systems, and correcting details in one system do not flow to another.

Their lack of investment in core banking could become expensive with financial penalties likely from a failure to comply with the new Privacy Act.

Gadens: “Privacy Act Reforms – will individuals’ rights impact your business?” 

“It has only been three months since the Attorney General’s Office released its report (Report) on the proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act).

The Report made 116 recommendations for reform. 

The recommended reforms are extensive and will, if implemented, have a substantial effect on how businesses regulated under the Privacy Act (APP entities) may lawfully collect, use and disclose personal information.

In this article, we [Gadens] deal with the Report’s proposals for the introduction of new rights of individuals in relation to their personal information.

Six Rights for Individuals – a challenge for APP entities

The Report has proposed six rights for individuals whose personal information is collected, used or disclosed:

  • Right of Access and Explanation – the right to know what information is held about them its sources, and what is being done with it (Proposal 18.1),
  • Right to Object – the right to challenge whether the APP entity’s handling of their personal information complies with the Privacy Act (Proposal 18.2),
  • Right to Erasure – the right to require that personal information about them is deleted (Proposal 18.3),
  • Right to Correction – the right to require that personal information held about them is relevant, accurate, complete, up to date, and not misleading (Proposal 18.4),
  • Right to De-index internet search results – the right to require that internet search results about them is de-indexed in certain circumstances (Proposal 18.5); and
  • Direct Right of Action – the introduction of a right of action for individuals who have suffered loss or damage as a result of an interference with their privacy (Proposal 26).

While privacy advocates welcome the strengthening of individual rights, APP entities may find compliance with the changes challenging – particularly the first four rights listed above.”

What is an APP Entity?

After contacting more knowledgeable friends who practise law, I was directed to the Office of the Australian Information Commissioner.

Specifically to the Australian Privacy Principles (APPs) – Key concepts A to D – APP entity.

B.2 An ‘APP entity’ is defined to be an agency or organisation (s 6(1)).

B.3 An ‘organisation’ is defined to be:

  • an individual (including a sole trader)
  • a body corporate
  • a partnership
  • any other unincorporated association, or
  • a trust.

unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State (s 6C).”

This further clarifies the point made above by Gadens, that the “Six Rights for Individuals – a challenge for APP entities”.

2024

Resources to help you navigate the pending changes to the Australian Privacy Act

Subscribe to our Privacy & Governance email updates

2024

Resources to help you navigate the pending changes to the Australian Privacy Act

Subscribe to our Privacy & Governance email updates

Top 5 Proposed Changes to Advertising and Marketing Under Reforms to the Privacy Act*

This list was initially published in March 2023 by Hamilton Locke, an Australian and New Zealand-based law firm.
 
From our reading, Sophie Bradshaw, a partner at the firm, covered five points that are still relevant today.
  1. Clarify opt-out applies to targeted online advertising
  2. Targeting to be regulated, even if no personal information used
  3. Prohibit targeting of children
  4. Prohibit use of sensitive information, even with consent
  5. Data sharing will require consent

What will the impact be on email marketers?

Until the legislation passes parliament, nothing is locked in. The list below is an indication of what we can expect:
  • Consent Requirements: Obtaining unambiguous consent from subscribers will likely be essential. This may involve transparency about how data is used and shared and clarity about where it is stored.
  • Stricter Targeting Rules: Sensitive information (like religion or health) might be restricted for email marketing, and targeting based on these attributes in anonymised data may also be prohibited.
  • Right to Unsubscribe: Subscribers might have a stronger right to unsubscribe from receiving targeted emails altogether.
  • Data Trading: Sharing email lists with other organisations (data trading) could require explicit consent from subscribers.

Overall, the focus seems to be giving your contacts more control and transparency.

It’s important to note that the proposals are still under development, and the final impact on email marketing will depend on the specifics of the legislation.

Will your Forms be a weak spot for compliance?

Forms are among the most powerful components of a marketing automation platform. They are fundamental to your data strategy and vital to the user experience

In summary

  1. The upcoming changes to Australia’s Privacy Act will likely make it more difficult for businesses to collect, use and disclose personal information for marketing purposes.
  2. The Act will introduce six new rights for individuals, including the right to access, correction, erasure and unsubscribe from marketing emails.
  3. The “Right to Erasure” will require businesses to improve data integration between systems.
  4. The focus is on giving consumers more control over their data.
  5. The final legislation is still under development, but email marketers should prepare for stricter consent requirements, data limitations and a stronger right to unsubscribe.

Do you have questions about the impact of the new Privacy Act on your marketing automation?

DISCLAIMER: Just to let you know, we’re not offering legal advice. We encourage your organisation to refer to in-house counsel or other legal service providers to ensure compliance with the impending changes being legislated by the Australian Government.