If it wasn’t enough for organisations to have to contend with the death of the 3rd party cookie, brands are now having to turn their attention to sweeping changes to the Australian Privacy Act. Should the many proposed changes be enacted, it is said that Australian privacy regulation could be even stronger and more stringent than GDPR.
The changes come in response to a number of factors including;
The rising influence and negative impacts of social media on the youth of Australia
A significant shift in consumer sentiment around brands collection and use of their personal data
Outdated regulation which is no longer fit for purpose in a rapidly evolving digital economy
The many proposed changes have far reaching implications for every business - and that’s why we’ve created an extensive and practical Q&A guide to help you to break down what’s happening (in simple terms) and understand the potential issues, risks and challenges your brand may face.
Catch me up, why is this such a hot topic?
In the last month, the government made a significant leap in its endeavours to overhaul privacy regulation in this country. In October, we saw the release of an exposure draft for a new Online Privacy Bill. This new bill would enable the creation of a new binding online privacy code for social media and other online platforms, as well as significantly increased penalties and enforcement measures for all organisations found in breach of the Privacy Act 1988. In addition, an extensive Discussion Paper has also been released by the Attorney-General’s Department as part of its ongoing review into the Privacy Act, which follows a high-level Issues Paper published in October 2020.
Has anything been legislated yet?
No, the Online Privacy Bill is open for feedback and submissions until the 3rd of December. These submissions will be considered as part of finalising the Online Privacy Bill which will be introduced to Parliament. Submissions are also being sought for the Privacy Act Discussion Paper and these are due by the 10th of January. This means we are likely to see the Online Privacy Bill introduced before we see changes enacted to the Privacy Act.
What is the Online Privacy Bill and how does it differ to the Privacy Act?
The Online Privacy Bill would enable the creation of an online privacy code which will apply to social media services, data brokers, and certain large online platforms operating in Australia. Service and platform providers subject to the code will need to comply with an additional set of privacy requirements, including stronger protections for children.
Whilst not an exhaustive list, some of key elements of the proposed code include;
Requirement for social media services to take steps to verify their users' age, obtain parental consent for collection of personal information of users under the age of 16, and others.
Prescriptive details around how privacy policies, notices and consents are to be drafted and delivered in order to make them more consumer friendly.
A requirement for organisations to provide visibility of when consent will be valid and, for sensitive information, when it needs to be renewed.
How it expects organisations to deal with user requests to cease handling of personal information. This will bring requirements more in line with GDPR where consumers have the right to erase information.
We are not a data broker or a social media platform so we will be exempt from the Online Privacy Bill, right?
Not so fast, the broad inclusion of “large online platforms” means that the bill has far reaching implications for organisations with a sizeable eCommerce presence or user base. This category will capture any organisation that has at least 2,500,000 end-users in Australia and collects information about those end-users in connection with providing access to goods or services by the use of an electronic service. This means banks, major retailers with digital offerings and online publications are likely to be slapped with the code.
What changes are being proposed to the Privacy Act?
There are a multitude of areas that are being scrutinised, which is why the reform is expected to significantly increase the compliance burden on organisations. Some of the proposed changes include broadening of the definition of what is classified as personal information and permitted situations and settings around the collection, the use and disclosure of personal information, ensuring the Act adequately protects and captures consumers’ rights, consent and more.
So the definition of personal information might change. How?
According to a recent privacy report by Deloitte Digital, 89% of consumers think that information used to track them online should be protected by the Privacy Act. At present however the Privacy Act only applies when information about someone is identifiable. Under the proposed changes we are likely to see this definition expanded in line with consumer sentiment so the Act covers a user’s metadata or online identifier, location data and pretty much everything in between.
Will we need to change the way we engage with consumers when it comes to collecting data?
In 2020, the Office of the Australian Privacy Commissioner (OAIC) released a study on Australian attitudes and sentiment towards privacy. The study found that only 1 in 5 Australians (20%) read and are confident they understand privacy policies on internet sites. The main reasons why Australians do not read privacy policies include the length and difficulty of the policies.
As a result, proposed changes would see the need for brands to move away from complex long-winded legal jargon filled statements within privacy policies to policies which are slimmed down to include simple, meaningful language so that consumers of average literacy can understand what they are agreeing to. The use of icons might also be allowed in the future to help provide clear explainers for consumers. These potential changes reflect consumer sentiment in the OAIC study which found consumers would like to see simple language (87% support) and the use of icons (73%) as indicators that certain activities are undertaken, for example, if data is stored overseas.
Can we expect to see a crackdown in areas of personalisation and online targeting?
Direct marketing is being looked at with more scrutiny within the Privacy Act Discussion Paper. When it comes to direct marketing, targeted personalised advertising in particular was highlighted as a key area of concern. Submissions to the Discussion Paper highlighted concerns around how data that is collected and used for the purpose of profiling, as well as how that data is shared with third parties in order to enable targeted advertising. Submissions to the Discussion Paper also highlighted potential harms including targeting of inappropriate content at children, profiling of political views to enable misinformation to be directed at vulnerable individuals, and predictions about product eligibility based on socioeconomic status.
As a result of concerns raised, we are likely to see substantial changes in;
How consent for direct marketing is captured
What brands need to disclose to consumers with respect to how a brand intends to influence an individual’s behaviour or decisions with the data collection
The need for brands to be transparent around whether the entity uses third parties in the provision of online marketing materials.
Is AI under the microscope in the Privacy Act review?
The 2021 Privacy Index by Deloitte has shone a light on how consumers feel in relation to the use of AI by brands. The study found just 6% of consumers trust a decision made by a computer more than a decision made by a human and 58% are concerned about the use of AI in society. The Discussion Paper reviewed transparency and regulation around AI and has recommended that privacy policies more overtly stipulate whether personal information will be used in automated decision making (ADM) which has a legal, or similarly significant effect on people’s rights.
What if we are a foreign entity? Will changes to the Privacy Act impact how we operate and does the Privacy Act apply to us?
Like is the case with GDPR, there are proposed changes that may see businesses handling personal information offshore subject to the Privacy Act which are changes proposed as part of the Online Privacy Bill. This would mean that foreign organisations who carry on a business in Australia will generally be subject to the Privacy Act, even if they do not collect or hold personal information directly from a source in Australia.
What else should I be aware of?
The ramifications for non-compliance is also changing. Despite the Online Privacy Bill’s name, and its primary focus on online platforms, it has significant ramifications for any organisation bound by the Privacy Act 1988. The Bill amends the maximum penalty for corporations that engage in a serious or repeated interference with privacy to:
AU$10 million;
three times the benefit of the misconduct; and
10% of the organisation’s turnover in the 12 month period up to the conduct.
There are many other impending additional and proposed changes outlined in the Exposure draft and Discussion Paper. Whilst it is unclear where we will land, brands don’t only have a legal obligation, but a moral one to contend with. While many brands will adopt a wait and see mindset, those who are in tune with changing consumer sentiment will look to start evolving now with the aim to take proactive steps to evolve in order to better meet consumer expectations and needs. It is those that do so that will be best placed to meet new obligations under the Act when changes are legislated, because it is not a matter of IF, but simply a matter of when.
If you need a hand building a strategy to address these changes in privacy, get in touch with us. We would be more than happy to help!