Top 5 Proposed Changes to Advertising and Marketing Under Reforms to the Privacy Act

The Federal Government’s much-anticipated Privacy Act Review Report puts forward a total of 116 proposals in an effort to strengthen and modernise Australian privacy law. 

Nine of the proposals relate to advertising and marketing activities, including where there is no personal information involved. The Government proposes increased regulation of direct marketing, online targeted advertising and trading in personal information. This would prohibit some currently common activities and otherwise have potentially significant compliance implications for advertising and marketing activities in Australia.

The current position with respect to the use of personal information for advertising and marketing purposes is set out in Australian Privacy Principle 7 (APP 7) contained in the Privacy Act.

Under APP 7, organisations can generally use personal information (other than sensitive information) for direct marketing, if the personal information was collected directly from the individual, the individual would reasonably expect direct marketing, and the organisation provides a simple way to ‘opt out’ (and the individual has not opted out). There are also options for use with the individual’s consent and for sensitive information, although care needs to be taken.

Why is reform needed for direct marketing?

APP 7 and the concept of direct marketing were originally included in the Privacy Act in 2014 as a discrete privacy principle, rather than treated as a secondary purpose under APP 6, because of the community interest in the use and disclosure of personal information for the purpose of direct marketing.

The ways in which personal information is handled for advertising and marketing purposes, and the privacy risks and harms for individuals associated with these activities, have changed dramatically since the APPs were first introduced in 2014.

The proposed reforms in the Report are in response to the significant community concern with respect to direct marketing activities, particularly with respect to advertising targeted at children. The proposals seek to address the change in practices and increased risk of privacy harm that result, by prohibiting high risk practices and otherwise increasing transparency and control. A number of the proposals also align with international data protection standards, again, particularly with respect to children.

Top 5 proposed changes for direct marketing

The proposals in the Report, if all are implemented, would have a significant impact on the direct marketing industry, and how organisations engage in direct marketing, targeted online advertising, profiling and data sharing (or data matching).

The five proposed changes to the APPs that would have the most impact are:

  1. Clarify opt-out applies to targeted online advertising
    Individuals would have an unqualified right to opt out of the use or disclosure of their personal information for targeted online advertising. This would codify the current guidance of the Office of the Australian Information Commissioner (OAIC) that APP 7 applies to sharing personal information with a social media platform for the purposes of delivering targeted ads to individuals.
  2. Targeting to be regulated, even if no personal information used
    There would be restrictions on ‘targeting’ that apply to a broader range of information relating to individuals, including de-identified and unidentified information (such as internet history and tracking data). An extension of APP 7 to targeting based on information that is not personal information would be a significant change, with commercial and operational impacts, and compliance costs, for organisations.
  3. Prohibit targeting of children
    A welcome reform, the proposals include a prohibition on direct marketing and targeting to children, and trading in the personal information of children. There are proposed exceptions where the direct marketing or targeting is “in the best interests of the child”. There will need to be clear guidance to help organisations determine what this means (and doesn’t mean).
  4. Prohibit use of sensitive information, even with consent
    Direct marketing using some categories of sensitive information will be prohibited (ethnicity, religion, sexuality, health or disability), unless it is for socially beneficial content. It is also proposed that targeting based on sensitive information and sensitive traits in deidentified and unidentified information relating to individuals be prohibited.
  5. Data sharing will require consent
    If the data sharing involves ‘trading’ of personal information with another, then consent will be required. ‘Trading’ would be defined to capture the disclosure of personal information for a benefit, service or advantage, and would be broader than the sale of information. For example, reciprocal data sharing/matching, even where not for a fee, would be ‘trading’ in personal information.
    ‘Consent’ is also proposed to be clarified as part of the reforms by codifying the current guidance from the OAIC as to what constitutes valid consent: that is, consent must be voluntary, informed, specific, current and unambiguous, given with capacity and able to be withdrawn at any time.

But wait, is it “fair and reasonable”?

While not only applicable to direct marketing, one of the key proposed reforms is the requirement for all handling of personal information to be “fair and reasonable”.

If this change recommended by the Government (and publicly endorsed by the Federal Information and Privacy Commissioner) is introduced, it would require the organisation to ensure that any collection, use or disclosure of information which relates to an individual, including personal information, deidentified information, and unidentified information for tailoring services, content, information, advertisements or offers provided to or withheld from an individual (either on their own, or as a member of some group or class) is fair and reasonable in the circumstances (see Report at page 218).

Don’t forget the spam

APP 7 does not apply to the extent the Spam Act and Do Not Call Register Act apply.

While it appears a simple concept, this creates complexity for marketing and privacy teams operationalising compliance. This is because each of APP 7, the Spam Act and the Do Not Call Register Act contains slightly different requirements for consent and, for privacy and spam, opt-out or unsubscribe. For organisations looking to manage consent, communication preferences and opt-outs in a centralised database across multiple channels, this can be complex to navigate (although there are technology tools that can assist).

The Report does not, unfortunately, contain proposals to help harmonise the requirements under the three Acts, but it does suggest further consultation (similar to the position with respect to the small business exemption).

What happens next?

The Report is open for public consultation until 31 March 2023. It will be some time before these proposed reforms make their way into law. (Although, if the speed with which the Government was able to pass significant reforms to the Privacy Act in 2022 is any guide, it may be sooner than anticipated.)

It may also be that not all the proposed reforms to APP 7 are enacted. But it is clear through this lengthy review process that community expectation (and that of the OAIC) is that certain commonly-practised direct marketing activities are not acceptable. Other activities should only be undertaken with the consent of the individual, or at least on a transparent basis, with choice (and control) for the individual. Organisations that fail to “read the room” on the change in expectation risk alienating customers (at best), reputational and brand damage, and potential regulatory interest.

Marketers and organisations can make use of the time before the actual reforms are known by reviewing current direct marketing activities, consent and preference management policies and tools, contracts with adtech and martech providers, and data sharing arrangements, and by generally getting data warehouses and data governance in order.
