The proposed privacy regulations in Australia are set to be on par with the stringent GDPR laws enacted in the European Union. Just as agencies faced significant hurdles in complying with GDPR when it was first introduced, Australian businesses can anticipate similar challenges, media agencies told AdNews.
Regulations surrounding consent management and data usage for targeted advertising, the potential expansion of the definition of personal information, Apple’s restriction on identifiers and the eventual deprecation of third party cookies are likely to be pain points for the industry, insiders say.
“Australia has had the benefit of experiencing the rolling out of GDPR which has had a far reaching impact on how the industry advertises and buys media in Australia, particularly how we target, measure and attribute an outcome,” Omnicom Media Group chief operating officer Philip Pollock told AdNews.
“Most global advertising platforms have had to raise their privacy standard to similar levels as GDPR, regardless of the jurisdiction they are operating in, due to the risk of falling foul."
The major challenge agencies faced at the time was the speed of change, particularly in the removal of certain identifiers that were being used to attribute and measure, he says.
“The proposed changes in Australia have taken learnings from GDPR, like consent fatigue, and are more considered on the adverse impact that GDPR had on areas such as research.”
Pollock says the industry is still reviewing the potential impact the proposals will have on personalised ads and the ability to exclude certain audiences, such as advertisers who operate in regulated or sensitive categories.
“Although we do expect change and are working closely with our clients to adapt to ensure compliance, the impact of GDPR, Apple’s restriction on identifiers and eventually the deprecation of 3rd party cookies will have a greater impact on how advertisers buy and measure media.”
The new laws will unequivocally shift power to consumers, granting them the right to protect their data from being used for targeted advertising without their explicit consent, This is Flow chief strategy officer Catherine Rushton says.
“Companies will need to implement robust consent management systems and ensure transparency throughout the entire data supply chain to demonstrate compliance.
"While this of course is a challenge for agencies including investment in new technologies and training, it should be one we welcome if it means we are giving consumers more control over their own data. This is the only way we can ensure a sustainable future industry."
For Rushton, it’s clear the regulations surrounding consent management and data usage for targeted advertising will present pain points for agencies and brands. They will need to obtain explicit consent from consumers before leveraging their data for advertising purposes.
Intermediaries in the supply chain will face heightened scrutiny, necessitating complete transparency about how they handle and utilise customer data within their operations, she says.
“Brands will also need to explore privacy-compliant attribution strategies and prioritise collaborations with entities that are able to comply with the laws forcing more transparency in partnership.
“It will also question how these laws will be enacted by the Government when the digital ecosystem is dominated by a few companies with large market share over Australians data.”
Australia has lagged behind other major markets in implementing comprehensive privacy laws, Rushton believes.
“Despite consumers making it clear that privacy is of paramount importance to Australians, our regulations are only now catching up with global standards. The new privacy regulations align Australia with other regions that have already enacted robust data protection measures, such as the GDPR in the EU, which has challenged the existing monopolies in the industry,” she says.
“Australia now has an opportunity to lead by example in safeguarding the data privacy rights of Australians through actionable enforcement of these new laws."
Bench Media strategic partnerships manager Laura Kleiman says with the benefit of hindsight from the GDPR's implementation, many brands and agencies in Australia have proactively developed solutions to address these changes, alongside preparations for third-party cookie deprecation.
"However, the challenge remains significant, particularly for smaller businesses that lack the resources to keep up with evolving regulations," Kleiman says.
“The process involves navigating multiple reviews, draft legislations, and ongoing proposals. Currently, several measures are still under review, requiring extensive consultation with stakeholders across various sectors.
“The risks of not being prepared for these changes are substantial. Non-compliance can result in hefty fines and potentially devastating business impacts, such as losing valuable customer databases and facing operational disruptions.”
She says it's imperative that individuals have control over their personal data and that companies entrusted with this information prioritise its protection and responsible handling.
“At the same time, a strong online advertising industry is essential to sustaining a free internet and the availability of diverse content.
“Finding a balance between stringent data privacy safeguards and the operational needs of the digital advertising ecosystem is crucial. This balance not only preserves the benefits of a free and open internet but also upholds consumer trust and privacy.”
When the GDPR came into effect in 2018, it became the world's most stringent data privacy regulation, Kleiman says.
The immediate impact on agencies included a decline in available data for targeting, increased compliance costs, and decreased performance in some marketing campaigns.
However, it also presented an opportunity for advertisers, agencies, and tech vendors to find better ways to leverage first-party data, enhance data quality, and build consumer trust.
“The potential expansion of the definition of personal information could substantially impact data management practices,” Kleiman says.
“Requirements for clear and unambiguous consent for data collection and usage could also complicate digital marketing strategies and require significant changes to existing processes.”
The removal of exemptions for small businesses in particular, may place huge pressure on resources and require legal expertise to meet these new compliance requirements, she believes.
“And the introduction of more severe penalties for non-compliance will increase the risk for agencies and brands alike, creating the pressing need for meticulous compliance efforts to avoid significant financial repercussions.”
According to Kleiman, the Australian Privacy Act is robust but is generally seen as less stringent and comprehensive than the GDPR.
It aligns more closely with privacy laws like Canada’s PIPEDA and New Zealand's Privacy Act 2020, offering strong protections without the extensive reach and rigorous requirements.
“The main differences between Australia's privacy regulations and GDPR lie in their scope, comprehensiveness, and enforcement mechanisms. GDPR has broader scope, applying to all EU member states and any organisation worldwide that processes the data of EU residents, ensuring consistent and stringent data protection,” she says.
“In contrast, Australia's Privacy Act primarily applies to federal agencies and larger private entities, with less stringent requirements and lower penalties. Unlike the GDPR, Australia does not mandate the appointment of data protection officers (DPOs) for certain organisations and has less rigorous breach notification rules.”
Kinesso Australia audience and data partnership lead Natalie Hatch says while both GDPR and the proposed Australian reforms champion individual rights concerning personal data, they also share an emphasis on accountability and transparency when to comes to how organisations use the data they collect and data security measures.
For agencies, this means fines have become real; significantly, both reforms impose stringent penalties for non-compliance, she says. GDPR is renowned for its significant fines, and Australia's proposed reforms include the introduction and continued enforcement power for OAIC to govern and enforce privacy breaches.
"The enactment of GDPR has had significant impacts on media agencies across Europe, prompting them to adapt their practices and prioritise data privacy, and the same will be seen here. Australia's shift to explicit consent isn't just a legal change; it's a seismic disruption to data collection strategies.
"The days of assuming user intent are over. Agencies must rapidly upskill to understand the nuances of explicit vs. implied consent or risk losing scale. For clients, websites and apps must now prioritise clear, unambiguous consent mechanisms - the role of UX becomes critical for balancing continued growth of data vs consent optimisation."
New privacy laws also thrust Data Processing Agreements (DPAs) into the spotlight. Hatch says agencies must urgently clarify their role.
"Are they data controllers or processors? This isn't semantics; it's a legal distinction with serious consequences. Controllers dictate how data is used, while processors act on their behalf," she says.
"Each role carries unique responsibilities under the law. Ignorance is not bliss here; it's a liability. Agencies must swiftly assess their position and ensure DPAs are air-tight, reflecting their true role in the data ecosystem."
While there is still some uncertainty on final reforms and therefore impacts, Hatch says the biggest pain points from these regulations will include the revised definition of personal information.
"The expanded definition of 'Personal Information' is a game-changer, putting online identifiers and tracking technologies under the microscope. Get ready to treat every cookie, device ID, and online fingerprint with the same caution as a name or phone number," she says.
"The scope of data requiring protection just exploded, overwhelming current systems and practices. Agencies are going to face a mountain of work to achieve compliance, which they need to brace for being costly and complex, ensuring that appropriate safeguards are in place."
As well as the new and enhanced rights for individuals, Australia's privacy overhaul prioritises consumer control, Hatch says.
"And while the industry is in the majority aligned with this need, are they ready for the potential fallout? Enhanced rights for individuals, while positive, create logistical landmines for media agencies.
"An individual’s right to request access to their data and understand exactly what data agencies hold on them, will require systems that are able to navigate the complex data partnerships and data flows that are necessary to meet this requirement."
She says the ‘right to erasure’ is also going to cause waves as this seemingly simple right clashes with the realities of data-driven advertising, where information is often aggregated, anonymized, and shared across multiple platforms.
"This reform will also cause agencies to audit their partnerships. Data partnerships are essential for agencies, but also a vulnerability. Agencies will need to work closely with their partnered data brokers and publishers to ensure they are ready to comply with these new rights. The fines are too important to fall into collaboration chaos," Hatch says.
According to Hatch, Australia's current Privacy Act (1988) is relatively outdated compared to global standards. While the introduction of important privacy principes was an important step, in areas such as the definition of personal information, rights for individuals and enforcement, Australian has lagged, she says.
"The proposed reforms, which are being tabled in Parliament in August of this year, aim to bring Australia closer to global standards like GDPR, signalling a significant step towards aligning with global best practices in privacy protection.
"Importantly for media agencies, there is risk is just waiting around for legislation to pass. There are immediate actions that businesses and agencies should be taking."
Implement a Privacy and Data audit, Hatch says, to understand how information is collected, stored, used and disclosed across your organisation and identify where compliance risk currently exists.
"Review and update the company’s data breach response plan, ensure it addresses how to respond to OAIC requests for information, considering their enhanced powers and greenlight to operate before legislation is tabled, agencies don’t want to get this wrong. If you don’t have a data breach response plan, create one immediately.
Review third-party risks and contracts, services or outsourcing arrangements that involve third parties storing and/or processing data on the organisation's behalf will need to be audited to ensure compliancy. The fines are too great not to ensure you are collaborating with partners on privacy."
Australia's proposed regulations should be designed to be in the best interests of the consumer, focusing on empowering consumers to make informed decisions rather than making decisions on their behalf, Honeycomb Strategy managing director John Bevitt says.
“Our recent findings on data privacy and brand integrity indicated that 77% of Australians prefer privacy over personalisation, reflecting a significant trust crisis.”
Bevitt says consumers are more mistrusting of brands regarding their personal data, especially after high-profile breaches like those at Optus and Medibank.
“This distrust is compounded by a perception that businesses are not providing adequate value in exchange for personal data.”
The need for transparent and ethical data practices is more critical than ever. Nearly 88% of Australians demand greater clarity on data usage intentions, and a substantial portion will switch brands if they feel their data is mishandled, he says.
“This sentiment is echoed by the ACCC’s concerns around data sharing and the impending Privacy Act reforms, which underscore the necessity for informed consent and robust data protection measures.”
Consumers expect organisations to prioritise transparency and provide clear, accessible information on how their data is used, Bevitt says.
They also demand robust security measures to protect their personal information. Trust is built through proactive communication, he says, and a demonstrated commitment to data protection.
Younger demographics, while slightly more tolerant of data use for personalisation, still overwhelmingly favour privacy and transparency.
“Ultimately, consumers will decide with their wallets. If they feel that brands misuse their data and fail to provide value, they will switch to competitors.
“Therefore, while regulations should protect consumer interests and promote transparency, they should also allow for a meaningful value exchange. The power to decide should remain firmly with the consumer, ensuring that informed choices can be made and that trust is maintained.”
Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at adnews@yaffa.com.au
Sign up to the AdNews newsletter, like us on Facebook or follow us on Twitter for breaking stories and campaigns throughout the day.