Navigating the Privacy Act overhaul in Australia: What marketers need to know?

As the industry grapples with the deprecation of third-party cookies, another significant change is on the horizon: the overhaul of Australia’s Privacy Act 1988. Unlike the cookie deprecation deadlines that keep getting pushed back, the changes to the Privacy Act are moving full steam ahead, with legislation expected to be tabled in August.

Whilst we’ve been anticipating these changes as the three-year review process concluded recently (detailed below), the recent surge in large-scale data breaches have accelerated the urgency.   

What led to the changes? 

The process began with the Australian Competition and Consumer Commission’s  (ACCC) Digital Platforms Inquiry in 2017, examining the impact of digital platforms on competition in media and advertising markets. The inquiry's 2019 final report highlighted the need for stronger privacy protections.

Following this, the Privacy Act Review started in 2020. The Attorney General’s Privacy Act Review Report, published in 2022, revealed vulnerabilities in personal information management. The government responded by agreeing to 38 proposals, agreeing in-principle to 68, and noting 10 of the 116 recommendations, paving the way for 2024's substantial legislative changes.

What can we expect? 

While the specific details will become clearer in August, the Australian Government’s response to the 116 proposals offers some hints on the forthcoming changes. Proposals that were fully agreed upon are likely to be included, while those agreed in principle may also be present, likely with some variations.
The proposals encompass a wide range of themes, some of which directly impact the advertising landscape more than others.  A few relevant themes include:

• Amending the definition of ‘personal information’ to broaden scope of the Privacy Act
• More stringent and specific requirements for the content of Privacy Policies, Privacy Notification Statements and requests for individual consent
• Mandating minimum and maximum data retention periods
• Expanding the range of entities required to conduct Privacy Impact Assessments
• Introduction of the concept of Controllers and Processors, similar to GDPR 
• New guidelines and frameworks for overseas data transfer
• Broader range of powers and penalties available to the Privacy Commissioner
  

Navigating the changes

Regardless of the speed and scope of the upcoming changes, successfully adapting to them requires a holistic approach that deeply integrates privacy-by-design principles at an organizational level.  
At Jellyfish Australia, we’ve advocated and worked with clients over the last two years to run workshops to inform and educate stakeholders on the upcoming changes, assisting in auditing and assessing impact and identifying technology solutions that facilitate transition. 

We believe that, while these changes may present challenges, embracing them will foster trust in customer relationships and drive innovation in a new privacy-centric era of marketing.