Navigating New Frontiers in Australian Privacy Law: Implications for Advertisers
Recent legislative reforms in Australia mark a significant shift in how personal data is collected, stored, and shared—changes that advertisers and agencies must adapt to. In November 2024, the Privacy and Other Legislation Amendment Bill was passed by both Houses of Parliament. This bill is the first tranche of long-overdue reforms proposed by the Australian Law Reform Commission's (ALRC) report titled "Serious Invasions of Privacy: A New Tort", published in 2019. Modernising the Privacy Act 1988 for today’s digital economy is a focus point for the incumbent Government and will continue to be for the subsequent Government, after this year’s federal election. It follows global precedent established elsewhere globally of the European Union’s GDPR act, and CCPA (California, USA).
Key Legislative Reforms
The new amendment introduces several key measures. Notably, it establishes a statutory “tort” (a civil wrong) for serious invasions of privacy, giving individuals the right to sue for breaches without needing to prove tangible damage. This measure is designed to hold organisations accountable for unethical data practices, which include intrusive tracking and misuse of personal information. While certain provisions—like updating privacy policies for automated decision-making—will take effect 24 months post-assent of the amendment, many enforcement tools, including enhanced powers for the Office of the Australian Information Commissioner (OAIC), will be operational immediately - such as enhanced investigative powers and ability to issue infringement notices.
Ad Targeting and Data Collection
For advertisers, these reforms signal a tightening of the regulatory framework around data collection. The Privacy Act Amendment now mandates that all personal data collection must be not only necessary but also conducted with explicit consent. This means that methods long relied upon—such as passive cookie tracking and aggregated behavioral data used for ad targeting—should be health-checked to ensure they align with consumers’ reasonable expectations. Advertisers will need to ensure their privacy policies secure clear consent, transparently disclose data usage practices, and offer options for opting out of targeted ads.?
My perspective is that people, often coldly dehumanised by industry simply as “users” or “data subjects”, remain starkly unaware of how many data signals are captured by tech platforms and utilised by advertisers. While in Europe, it is increasingly common to hear of tech giants like Meta being slapped with over 2 billion dollars in fines (1.3 billion Euro), Australia is still finding its frontiers in data privacy rights. It’s increasingly common to hear jokes among friends “It’s like the algorithm is listening to me!” while served a 15-second dance or trend on social media. In actuality, advertisers & algorithms simply “listening” to people is an understatement.
How long you watch for; how many times you watch it; how fast you scroll; who you search for; who they’re connected with; what you comment on; where you’re heading; what Wifi you’re using; what language you speak; what phone and browser your using, are all grossly simple signals collected in real time, on almost everyone. Privacy law is in need of reform, so user privacy is respected.
Agencies and advertisers must work together on privacy centric solutions like data hashing, secure communication, limited data handling and less wide-ranging exposure of data to unnecessary parties. They must also hold one another accountable, agencies should push back on over-targeting users and exploiting information, advertisers should remain vigilant of opaque and invasive recommendations on exactly “how” targeting will be executed.
Data Storage and Re-marketing
The storage and subsequent use of consumer data for remarketing purposes will also come under closer regulatory observation. With the introduction of new civil penalty provisions—where non-serious breaches can incur fines of up to AU$3.3 million and serious interferences up to AU$50 million—businesses must prioritise data security and retention policies. Advertisers and agencies will need to collectively assess how long they store personal data and under what conditions it may be reused. Implementing stringent technical and organisational measures will be key to mitigating risks.
Advertiser-Agency Data Sharing
Enhanced enforcement powers for the OAIC, including the ability to issue compliance and infringement notices, mean that advertiser-agency data sharing arrangements must now be more robustly structured. Parties should clearly lineate responsibilities regarding data handling, ensuring that both parties adhere to the updated legal requirements and fair practices. Transparency in these partnerships will be crucial—not only to comply with the law but also to maintain consumer trust in an era when data breaches can lead to swift and costly legal consequences.
Looking Ahead
While this first tranche of reforms is a significant step forward, the government has indicated that additional measures will follow in a second tranche—likely after the federal election in 2025. These future reforms may address more controversial issues, such as the removal of small business exemptions and further refinements to the definition of personal information. For advertisers, staying ahead of these changes by conducting comprehensive Privacy Impact Assessments and updating data handling protocols will be essential. Embracing these reforms can serve as an opportunity to build stronger, trust-based relationships with consumers, positioning brands as responsible stewards of personal data.
In this rapidly evolving regulatory landscape, proactive adaptation is not just a compliance necessity—it’s a competitive advantage in an evolving market.
Sources: