Proposed amendments to Australia’s privacy laws will be introduced in draft form to the federal parliament next month.
Lyndall Spooner, CEO of strategic data consultancy Fifth Dimension Consulting, has warned that many businesses are unprepared for the significant operational impacts these changes will entail.
“The proposed changes to the Privacy Act are some of the biggest reforms we have ever seen in the area of consumer privacy. They aim to put the power back into the hands of consumers to decide where and how their personal data is used,” she said.
Spooner said a key aspect of the new legislation is its emphasis on informing consumers about their rights regarding the collection and use of their personal information by organisations, from small businesses to major corporations and government departments.
“The scope of the new realms of augmented privacy control extends into the area of anonymised information and consumer cohort trends, which effectively eliminates the ability for businesses to engage in the manipulation and interrogation of big data to create granular insights and predictive modelling without the receipt of specific consumer approval,” she said.
Spooner highlighted three critical aspects businesses need to consider regarding the impending privacy law changes.
First, businesses must conduct a thorough internal review of their data usage for sales and marketing to ensure they have the necessary permissions.
“Some leadership teams may not be completely aware of just how much data is being used across their business for a multitude of purposes, including the requirement of data for streamlining digital interactions and services,” Spooner said.
Second, as businesses seek informed consent from their customers, consumers will become more aware of the extent to which their data has been used, including sales to third parties.
“Consumers are not completely ignorant that their data is used to market to them, but they will be surprised just how much of their data is being used to influence their choices and to provide seamless digital interactions and that could impact their perceptions of the integrity of the businesses they deal with,” Spooner said.
Third, a significant portion of consumers may refuse to allow companies to use their data beyond necessary functions, potentially reducing the effectiveness of automated sales and marketing activities.
“The new legislation will address the clarity of collection notices and consent requests to improve consumer comprehension. There will also be an enhanced legislative definition of consent, which will require that consent be voluntary, informed, current, specific, and unambiguous,” Spooner said.
She highlighted that many Australian businesses are not prepared for these changes and may mistakenly believe they have already secured the necessary consents. The new laws will apply to all businesses, including small enterprises.
Spooner noted that the expanded definition of personal information under the new laws will encompass technical data such as IP addresses and inferred data like behavioural predictions, increasing the regulatory burden on businesses.
“It also restricts what brands can do with consumer information without their explicit approval. With the removal of cookies, businesses have turned to insights to interrogate and model how consumers might behave [to] deliver more meaningful and relevant offers,” she said. “Without consumer approval, collecting and using any type of consumer information even in an anonymised form into a dataset to create patterns, insights, and other forms of modelling including predictive outcomes will not be tolerated, and serious fines can be imposed.”
She also expects the new legislation to introduce a fair and reasonable use test to determine the necessity and proportionality of data collection and usage for marketing purposes.
“Consumers will have the right to object to their data being used for marketing purposes. Even if approval is given, businesses must provide a mechanism for people to easily opt out of marketing communications. They will even have a right to erasure. Consumers can request the deletion of their personal data. Businesses’ databases, whether they be in-house or via a third party, will need to be capable of promptly erasing personal information upon request, complicating long-term data retention strategies,” she said.
Spooner noted that the new privacy legislation will enforce stricter data deletion requirements, reducing the risk of data breaches. The MediSecure cyberattack in May, which compromised the data of over 12.9 million Australians, underscored the need for such measures.
She said many companies will need to review their data storage practices and update their systems to ensure consumer data can be promptly erased upon request, which will entail significant costs.
She also explained that the new privacy laws will require improved security measures, including advanced cybersecurity measures and regular security assessments.
“If marketing data is transferred overseas, businesses must ensure compliance with new regulations including using standard contractual clauses or transferring data only to whitelisted jurisdictions,” she said. “In case of a data breach affecting marketing data, businesses must report to the OAIC within 72 hours, necessitating quick response and mitigation plans. Increased penalties for non-compliance mean that breaches of privacy regulations, including improper use of data for marketing, can result in significant fines. Enhanced powers for the OAIC mean more rigorous enforcement and potential audits of marketing practices.”