Deep Dive 21 Feb 2023 - 15 min read

‘Data is the new asbestos’: Privacy reforms pit ‘underwhelmed’ consumer advocates against industry preparing for ‘radical change’, heavy data compliance burden; geo-location, ad targeting, data trading face new consent rules

By Paul McIntyre, Brendan Coyne & Andrew Birmingham

People power: "This is a sweeping set of changes that need to be taken seriously. Every company that has a relationship with customers...that collects and manages people’s data will soon experience a new set of rules," says REA's Josh Slighting.

Seismic change? Here's Mi3’s first sweep of responses to the Federal Attorney General’s drop last Friday of a 300-page document outlining the biggest overhaul to Australia’s privacy regime in two decades. The marketing, tech and media sectors are broadly bracing for fundamental change to how they do digital marketing, advertising, targeting and personal data collection – among the most aggressive proposals are explicit consent requirements for geo-location tracking and for the trading of personal data, which have been expanded widely versus current privacy law. Targeting for advertising purposes, for the first time, falls under the proposed Privacy Act overhaul and will set off huge compliance burdens and require new skills and capabilities for firms which will need to explain in the language of a person with “below average intelligence” how their data is being used. If not, they can't use it. Industry will also have to deal with an “unqualified right” for individuals to opt out.  

What you need to know:

  • Individual consent has to be voluntary, informed, unambiguous and specific – and it needs to be current and explainable to a person with "below average intelligence". Withdrawing that consent for an individual will have to be as easy as granting it.
  • The definition of personal information is expanding to include IP addresses, device IDs and geo-targeting. 
  • New identity platforms, clean rooms and complex hashing processes will no longer keep you beyond the reach of the privacy regulators and de-identifying data no longer gives a free pass. It raises new challenges in some cases, as the practice of matching hashed emails - a common approach when data moves out of a brand's marketing technology and into parts of the adtech ecosystem - will likely be treated as a ‘high risk’ activity.
  • The right to be forgotten is a qualified right but the right to withdraw targeting consent is unqualified.
  • Conversely, consent is also less important in one important regard: if the requirement for collecting data does not meet the "fair and reasonable" collection and use test, then consent is irrelevant. 
  • Crucially, companies will not be permitted to deny service to those that decline consent to use their data for tracking and targeting. That may bust some business models.
  • Industry bodies such as ADMA and IAB are generally supportive of the changes although there are likely to be fights over targeting. No wonder - companies can keep collecting and using individual data for targeting purposes – provided they are not showing targeted ads to consumers that have opted out of seeing them, per UNSW's Dr Katherine Kemp. She thinks that is a cop-out.
  • However, there is a lot more accountability and compliance on business, and tougher sanctions for bad behaviour – including criminal penalties for repeated breaches.
  • Loyalty companies that are using their customers’ data to effectively build media and marketing channels will need to change how they seek permission. They also face potentially huge costs if the Right to be Forgotten actually means customer data needs to be entirely deleted. More commonly today, companies just make it impossible to search on a customer’s data after they have opted out.
  • Back to the future: The additional risks and costs of targeted advertising could rekindle interest in contextual advertising. Analytic Partners MD Paul Sinkinson said that is actually a big win for brands.

 

Sizzle or fizzle?

At first glance it appears there are seismic shifts coming fast for the marketing, media, advertising and tech sectors from last week’s proposed reforms of the Privacy Act from the Federal Attorney General. If the proposed reforms proceed, targeted advertising now falls officially under the Privacy Act, requiring an unqualified right for an individual to opt out and simple explainers on how an individual is tracked and how their data can be used. More concerning for some operatives are the proposals for geo-location data and the trading of personal data between companies to require “explicit consent”. 

IAG’s head of Data & AI, Willem Paling, cites a colleague who says data is no longer the new oil but the “new asbestos”. 

The impact of these reforms has split privacy law experts. Pro-consumer advocates say the fine print delivers possible exemptions that could let many companies maintain the status quo on their personal information tracking and trading practices while others say these reforms crimp digital marketing, data collection and the surveillance economy as we know it – and to expect class action law firms to be the early movers on privacy breaches.   

UNSW Business School Professor of Practice, Peter Leonard, says if the proposed reforms are implemented “they would fundamentally change digital marketing and advertising in Australia.” But his colleague at UNSW’s Law & Justice faculty, Dr Katherine Kemp, described the overhaul as “underwhelming” and buried in the detail are possible exemptions which could see some of the “main offenders” in targeted ad tracking and those trading personal information escape. 

Any existential threat “might be putting it too strongly for anyone at this point,” Kemp says.

Still, some in industry see it as a new threshold. “It's going to force us to stop doing some things that we probably shouldn’t have been doing anyway,” says Maurice Riley, Chief Data Officer at Publicis Groupe-owned Digitas. “We as an industry have not always been the best practitioners…”

IAG’s Paling is comfortable with the proposals but says it will put pressure on parts of the digital marketing and media supply chain. 

Hashing, mashing and class action lawsuits

“If anyone was still thinking they could use new identity platforms, clean rooms and complex hashing processes to avoid being subject to the privacy act, they’ll need a new approach very soon,” per Paling.

The Australian reforms avoid Europe’s messy GDPR regime which has caused widespread angst by putting the onus of consent on individuals who are now served with dozens of pop-up consent boxes for firms which are now being ruled as illegal. Instead, the Australian Federal government has opted for compliance to rest with business – the upside is opt-in individual consent remains the default, except for existing sensitive information definitions and the new additions of geo-location tracking and trading in personal information. 

“The sort of radical thing in this proposal really is the extent to which it steps back from an EU GDPR cranking up of consent requirements and instead says 'let's go to transparency and through transparency, give consumers the opportunity to opt out if they wish'," says Leonard. "So imagine a world which says you have to be transparent; that is, how you are targeting people and that transparency has to be in terms that are intelligible to a person of below average intelligence.”

Leonard also expects class action law firms to be the early drivers of compliance before any punishment and penalties are handed out by the Privacy Commissioner.

"There to be a much broader debate about things like do we give individuals a direct right of action...when individuals consider that a particular practice is not reasonable," said Leonard. "And that's where the direct right of action becomes much more worrying, or should become much more worrying for industry, because the gatekeeper doesn't become the privacy commissioner anymore. The gatekeeper potentially becomes whether a plaintiff class action law firm thinks it's worth taking on a case and suing on behalf of 300,000 people who deal with the Commonwealth Bank."   

Here's the early views from a selection of key players:  

Key takeouts

Dan Stinton, Managing Director, The Guardian:

We're supportive of the modernisation of the definition of Personal Information. This is the most important change to bring Australia up to adequacy with GDPR and acknowledges that the collection of data about individuals that the internet has enabled should be protected, while also recognising that data that is inferred about individuals can also be highly personal and sensitive. 

We're very supportive of the proposed fair and reasonable test. This has two potential benefits. Firstly, data collection that is fair and reasonable does not require consent except when collecting sensitive data, so this should go some way to reducing the burden on consumers to consent to complex privacy policies that very few bother to read. Secondly, data collection processes can simply be outlawed even with consent when they are not fair and reasonable, which should at last put some guardrails on the more invasive data collection practices that can take place in our industry.

We are concerned about the proposed statutory tort for serious invasions of privacy. We have seen the impact of this overseas, and a tort is almost always used by the rich against media outlets to impede reporting that is in the public interest. This obviously makes it much harder for journalists to do their jobs, and goes a lot further than a more measured direct right of action for breaches of the privacy act.

Josh Slighting, Head of Product, Media, REA Group

If the proposals are passed undiluted, “we’re in for a rude shock and a bumpy ride. Businesses are going to be held accountable, there is a lot more risk – they are proposing criminal penalties for repeated breaches,” says Slighting.

“This is a sweeping set of changes that need to be taken seriously. Every company that has a relationship with customers, every company that plays in the digital ecosystem, every company that collects and manages people’s data will soon experience a new set of rules – and that will come with a large, irrecoverable compliance cost that you cannot pass on to consumers,” he says.

That gives brands an opportunity to walk all of the talk on customer centricity.

“Now everything has to pass the sniff test: Does it benefit the person whose data we are collecting? Because we will be held accountable by law.”

Maurice Riley, Chief Data Officer, Digitas Australia (Publicis Groupe):

"I didn't think it would be as broad as ambitions as it is; I thought it would mostly be a level set versus a pace set. In some areas it is pace setting. It's hard to know where it's going to go since it is so broad – what is actually going to get to draft legislation. So it's really hard to have a point of view because it is ambition and it's great. Being a bit cynical with how things work in Australia.  It's going to force us to stop doing some things that we probably shouldn’t have been doing anyway. We as an industry have not always been the best practitioners…where our clients and consumers trust us. So I'm hopeful. I'm trying to reframe all of my thinking here to not what it's preventing me from doing, but how it's going to enable me to do things differently and better."

Willem Paling, GM, Customer Experience (Acting); Head of Analytics & AI, IAG

If anyone was still thinking they could use new identity platforms, clean rooms and complex hashing processes to avoid being subject to the privacy act, they’ll need a new approach very soon.

It's a relief to see that the regulators are looking to avoid the barrage of consent pop-ups that we saw with GDPR, retaining the principles based approach in the existing law – which means a lot of dependency on what is “fair and reasonable”. But rather than leaving us to wade through the ambiguity and wait for test cases, they are proposing to provide examples to improve clarity. These will illustrate what adequate consent looks like, including templated designs and examples of what is and isn’t personal information or sensitive information.

As with GDPR this isn’t focused on the ad industry. It’s about protection of personal data. Especially sensitive information such as medical records, and personal information that could place people at risk of identity theft. If you don’t need to be holding onto it, it’s a liability. A very smart colleague of mine recently quipped that “data is the new asbestos”.

For the ad industry there are a few big changes.

  1. An expanded definition of personal information that will capture online identifiers that have often been treated as anonymous and therefore not subject to privacy regulation.
  2. A deliberate effort to avoid a post-GDPR style proliferation of consent pop-ups, with the onus placed on businesses to “act fairly and reasonably” – a standard that we’ll get more clarity on as we start to see the first test cases come through the courts.
  3. Improved definitions, building on the dated definition of direct marketing with a more specific definition of direct marketing, and new definitions of targeting and trading.

Consent is explicitly required to trade in someone’s personal information – that is now clearly opt-in. The improved definitions of direct marketing and targeting remove any ambiguity on whether targeted digital advertising was subject to the Privacy Act. Similarly, the expansion of the definition of personal information from information that is “about” an individual, to information that “relates to” an individual, deliberately captures anonymous identifiers used in third party cookies, and in any alternative identity solutions. It appears that most alternative identity solutions would come under the definition of direct marketing. The report states that to be the case when an email address is the source of a match, even when that match is hashed (they point to the example of Facebook).

Peter Leonard, Professor of Practice, UNSW Business School, Principal, Data Synergies

"They’re walking an interesting tightrope and the tightrope is avoiding over reliance on [consumer] consent…and giving consumer advocates greater transparency and control in relation to both direct marketing in its broader forms. That is, not only targeted advertising, but other forms of direct marketing," said Leonard.

"In that regard, the proposals are not radical but I think, if they were implemented in the form that they currently are, they would fundamentally change digital marketing and advertising in Australia … they would have radical effects on the business of digital advertising. And the real question, I think, for industry is, could they live with what is now proposed, and in particular, the breadth of the opt out rights that are proposed in this regulation?" he added.

"Just to be clear how broad those rights are, in essence, what the report says is even if you use fully de-identified information to create an audience segment – so you have no means of knowing who the person that you're segmenting on the basis of inference about their attributes, even if you can't identify them – you have to be transparent that you are differentiating between audiences based on inferences about characteristics or preferences." Plus, "you have to give people the opportunity to opt out from you dealing with them in that way".

Sarla Fernando, Head of Regulatory & Advocacy Advisory, ADMA

Based on an initial reading of the paper ADMA’s Sarla Fernando, Head of Regulatory & Advocacy Advisory, said, “I actually think this is a very positive approach that has been taken. I'm very comforted by the way the actual report has been structured.” 

While there appears to be little radical change to the principles and the intent of the Privacy Act, she said the approach is likely to provide more clarity for organisations. 

“There are some nuances, there are certain recommendations that are completely new things that need to be addressed. I'm not going to talk about any of those [at the moment].

“But if you take the actual scope of the Act, and the little nuances that have been provided, a lot of that is just providing clarity, and clarity actually allows for better compliance.” 

Sarah Waladan, Director of Policy and Regulatory Affairs, IAB

IAB Australia’s Sarah Waladan said her initial impression is that the regulators are implementing most of what they said in the discussion paper. “It's going to be a strict regime as we expected. There's going to be more specific requirements. Some of these things are already in place under the existing law but they are not as necessarily as specific. So, I think things will be a bit more detailed.”

She said responsibility is shifting onto organisations rather than leaving things to consumers, with ultimately, less ambiguity.

“One of the positives, the OAIC talks about assisting with template forms and privacy policies, that will be fantastic for organisations. It's always really hard to do a template that actually meets everyone's legal obligations, but that will be super helpful for everyone.”

Consent

Peter Leonard, Professor of Practice, UNSW Business School, Principal, Data Synergies

"The starting point is you don't need opt-in consent, you just need to be transparent to consumers about what you're doing, and that transparency needs to be also fair and reasonable. So you can't play dark patterns, games with choice architecture, all of that kind of stuff," said Leonard.

"If you are transparent, then it's for the customer to decide whether they might want to opt out from you targeting them. But you don't need them to consent upfront, you don't need them to opt in. So the sort of radical thing in this proposal really is the extent to which it steps back from an EU GDPR cranking up of consent requirements and instead says, no, let's go to transparency, and through transparency, give consumers the opportunity to opt out if they wish."

Leonard said bringing together transparency in what companies plan to do with data upfront – and putting into terms that "are intelligible to a person of below average intelligence" removes current consent loopholes and heads off concerns that consent without understanding is invalid, which currently puts companies at risk of falling foul of misleading and deceptive conduct laws.

"So you can't [now] take some hypothetical pretty smart person who can sort their way through stuff," said Leonard. "You have to cater for an audience of average intelligence and explain to them how you're washing the Do Not Call register list against a Facebook audience to determine whether and how you're going to target on Facebook. You try and explain that in words that any normal human being can understand. It's really, really difficult.

"I think that is kind of the main challenge of this new regime as it's currently proposed: Transparency. People think it's a lot easier than it really is. The nature of ad tech targeting synthetic audiences is really technically complex. By defining a requirement of full transparency through your policies and notices about this stuff, you don't actually need to impose an additional requirement of obtaining people's full and informed consent."

In other words, if it cannot be simply explained, companies won't be able to do it.

Katherine Kemp, UNSW Law & Justice faculty academic

Dr Katharine Kemp, a specialist in competition law, consumer protection and data privacy regulation, described the proposals as “underwhelming”. She said they would do little to rein in “surveillance” advertising businesses while leaving the door open for data brokers to trade personal information without consent.

She pointed to proposal 20.4, which states an intention to ‘Introduce a requirement that an individual’s consent must be obtained to trade their personal information’. 

“But then the report adds that consent might not be required if dealing in that information is reasonably necessary for the functions or activities of the company,” per Kemp. “So they have raised a possible exception. You can imagine data brokers will say it is reasonably necessary for their function or activities to deal in personal information so they don’t need consent. That is potentially a broad carve out.”

That exemption could be used “not just by data brokers but loyalty [providers] and everybody else,” said Kemp. “All the ‘main offenders’. The more you trade in personal information, the more likely you are to be able to say ‘this is reasonably necessary for my business’.”

Which means suggestions of an existential threat to those trading in personal data “might be putting it too strongly for anyone at this point.”

Sarla Fernando, Head of Regulatory & Advocacy Advisory, ADMA

ADMA’s Sarla Fernando praised what she described as a shift away from an upfront consent model towards more of a benchmarking model of what constitutes fair and reasonable use – which will be ultimately determined by the courts. But she agreed with Katherine Kemp that wriggle room could be exploited.

“They are moving towards a benchmark model, which is fair and reasonable. But they need to tweak it so it's less subjective. ADMA’s view is we need that to be a bit clearer – because to anybody who's doing something [believes] that is reasonable," said Fernando. "Even the worst act, to somebody who's doing something, is justified.”

As regulators are moving to more of a benchmark-based approach, organisations will automatically be pushed towards being more responsible in the way they operate because there is a benchmark, she said. In other words, none will want to be the first legal test case.

Anna Koleth, head of product and content marketing, APAC, Tealium

Tealium's Anna Koleth agreed that the fair and reasonable requirement will ultimately weed out bad actors. “This test will prevail over consent requirements. So, if a consumer provides consent, but the requirement for collecting data does not meet the fair and reasonable test, then consent is irrelevant. Consent can't cure the fact that the fair and reasonable test has not been met.”

Josh Slighting, Head of Product, Media, REA Group

“If the ACCC’s Digital Platforms Inquiry was geared towards social media and big tech,” said Slighting, “these changes affect everyone in Australia. Anyone that collects data from a person and uses it, you’re now on the hook”.

The upshot of the proposals is “consent is king, queen and everything in between". While others suggest businesses will try and skirt the rules and justify that they do not need consent under fair and reasonable carve outs, Slighting thinks most businesses will not want to take that risk.

“Consent has to be voluntary, informed, unambiguous and specific – and it needs to be current. If you obtained it six months ago, that consent may no longer be valid – and withdrawing that consent will have to be as easy as granting it.”

Slighting said the widening of personal information definitions is the first standout: “IP, device, geo targeting is in there and it’s far more focused on opting in than opting out. That is wider than what is being covered in GDPR and they are removing ambiguity around consent – which is at the heart of all of this.” 

Rather than Apple trying to stop people working around its ATT changes with little or no punishment, “now it’s set to become the law … fingerprinting is getting a real look in.” Inferred data will also be classified personal information, “which is a big shift.” 

The focus on simplicity is another key pillar.

“The proposals remove ambiguity. It will need to be just as easy to opt-out as to opt-in and the report indicates that will be heavily prescriptive and policed,” says Slighting. “They are talking about issuing consent templates for the market to use, even icons and imagery. That is a huge undertaking.”

Third standout is the AG’s focus on transparency.

“The proposals specifically call out that if you are sharing data with a third party, you have to be very clear – at point of collection – who you will be sharing that data with and how and why it is being used for both primary and secondary uses,” says Slighting. If third parties come into that chain, policing consent becomes “extremely hard.”

Anna Koleth, head of product and content marketing, APAC, Tealium

Tealium's Anna Koleth noted the proposal for a fair and reasonable test to be introduced. “This test will prevail over consent requirements. So, if a consumer provides consent, but the requirement for collecting data does not meet the fair and reasonable test, then consent is irrelevant. Consent can't cure the fact that the fair and reasonable test has not been met.”

She describes this as an additional threshold test that brands will need to meet, but said that there are questions about whether sharing de-identified data under the existing Privacy Act is actually legal, given it is linked to a unique identifier – which is personal information because it is then linked to an individual that is reasonably identifiable ... The proposals, therefore, could provide greater clarity and codification regarding the types of data that can be regulated under the Privacy Act.

While the proposals outlined plans to beef up regulatory enforcement powers, Koleth said the key issue is giving regulators such as the OAIC the funding to do their job properly in the first place.

Willem Paling, GM, Customer Experience (Acting); Head of Analytics & AI, IAG

Willem Paling thinks the document shows strong intent to remove ambiguity around what is fair and reasonable.

He says that sidesteps the challenges that have bogged down GDPR, where companies sat back to wait for case law to unfold.

"It looks to me like we've got examples of templates of what good consent looks like and good privacy notifications look like – they're going to provide examples that make it easier for businesses to work with and understand," said Paling. 

"A lot of big customer-facing companies were preparing for opt-in consent and for that to happen everywhere. Instead there's a whole new category of disclosure for which they previously didn't necessarily have to provide an opt out. So they'll have to do audits of pixel-firing to enable behavioural advertising and ensure that they know what's going on – and any data that's being collected to enable targeting on their own sites or targeting on third party sites through advertising includes that opt out."

Chris Brinkworth, Managing Partner, Civic Data

“Businesses that can locate details at a line-item level for each customer on file with the notice and consent attached to each data point, will be in a stronger starting place than those brands that cannot,” per Civic Data's Chris Brinkworth.

He thinks very few Australian businesses are in that position, even those with a CDP. “That will become problematic with rights to erasure, as much as it will be for targeting and measurement.”

Brinkworth also said he sees similar issues for businesses like large loyalty programs engaged in data trading and for those involved in data aggregation and brokering services, with data governance and the ability to discover, orchestrate and enforce consent across all data sets becoming critical.

“When that task is completed, it's clear that the ability to use and understand data collaboration tools (such as data clean rooms) and planning/targeting methodologies (such as algorithmic buying) in a compliant way will become commonplace.”

Targeted ads regulation

 

Sarla Fernando, Head of Regulatory & Advocacy Advisory, ADMA

“With targeting I’d say there’s two things: They’re saying people can choose to opt out and withdraw their consent. [But] to withdraw consent, people have to be properly informed as to what they're withdrawing," said ADMA's Sarla Fernando.

“There's a problem with that when it comes to targeting because there's a huge education piece that needs to be done before people are properly informed as to what that targeting means. Targeting has such a sliding scale, everything from ‘tell me a little bit more about my interests and stuff that I want to hear about’ right down to the level of harm, for want of a better word, that starts to encroach on other laws. For instance if you’re using my behaviours and my patterns to discriminate against me or to do something that's more sinister.”

Rather than an approach that buckets all aspects of targeting she said it would be better to allow people to withdraw consent from specific uses of data for specific targeting purposes.

Katherine Kemp, UNSW Law & Justice faculty academic

Katherine Kemp said the overall proposals were “weak”, and singled out regulation of targeted ads as a missed opportunity. “The proposals around personalisation are quite underwhelming,” said Kemp. She pointed to recommendation 20.3: ‘Provide individuals with an unqualified right to opt-out of receiving targeted advertising.’

That proposal effectively allows companies to keep collecting and using individual data for targeting purposes – provided they are not showing targeted ads to consumers that have opted out of seeing them. “So they can keep collecting information about that consumer to create lookalike audiences, for the purposes of tracking down others like them,” said Kemp.

“It seems like the government does not want to rock the boat… and is only willing to play around the edges. If a consumer has an objection to their behaviour continuing to be used to build a profile and be tracked for the purposes of building a targeted advertising business, this is not a solution,” said Kemp.

“For a lot of people, the objection is not just ‘do I see the targeted ad or not, but is my personal information being used to fuel that targeted advertising business… when I want to be free of that surveillance.’

“The report is making it clear that the government doesn’t propose a consent requirement to be used for targeted ad purposes other than not showing that particular individual a targeted ad.”

Chris Brinkworth, Managing Partner, Civic Data

According to Brinkworth, "At both an enterprise and a small business level, a lot of the 'custom audiences' and '3rd party cookies' being used to retarget and remarket may not be allowed based on the current report, as it stands."

"Many of these [techniques] are already dwindling," he said. "Everyone needs to remember that advertising will always find a way to survive. If another agency or marketer finds a safe way to honor the customer's privacy and abide by the law (however it lands), it won't be long until that knowledge is circulating within the industry via talent or products being sold." 

Brinkworth also noted contention in the market after the report was released about what gets classed as "de-identified", as well as criticisms in some quarters that the report doesn't understand the difference between anonymous versus de-identified data. His view is that this demonstrates the need for an Australian regulatory sandbox, an idea Civic Data included in its last submission.

Loyalty

Tim Tyler, Managing Partner at specialist loyalty consultancy Ellipsis

“The proposals allow customers to participate in loyalty programs but opt out of being targeted, which means the loyalty programs that are marketing channels in disguise will have to be much tighter in seeking permissions,” says Ellipsis’ Tim Tyler. 

Plus, loyalty operators will have to allow members to delete data. “I’m not sure they will be happy with members that opt out of targeted ads and ask them to delete data,” says Tyler. “All of a sudden, that value proposition is no longer there.”

There are two “loyalty worlds”, per Tyler – the contractual and non-contractual. One has the privacy proposals largely covered, the other probably doesn’t.

The former applies to the big players, such as banks, which operate “where customer identity is already known and the value exchange is paying for tenure of wallet and paying for share of data. Because the bank already knows who you are and where you spend – and the reputational damage if privacy is violated in the banking environment is already real,” per Tyler.

“In the non-contractual environment, where customers are anonymous and loyalty is established to get identity and enable tracking, the proposals are more impactful – because if a customer asks to delete their data, you no longer have the means of recouping your outlay.”

Supermarket sweep

Tyler thinks the biggest compliance costs will fall on those “making the most money out of loyalty data … those with the biggest databases that they are trying to convert into media channels, because their business proposition is based on getting data and permission. They didn’t need permission before, now they do.” 

Will that make retailer media more expensive? “Yes, potentially. But overall, what we don’t yet know is how interested the Australian public actually will be. The Europeans haven’t seemed that interested. Not many are opting out [via GDPR].” 

Do Australia’s proposals put the brakes on the post-cookie rush to build out loyalty programs? No, says Tyler, because people realise that alternatives via the big platforms are drying up. “But [loyalty operators] will have to get much sharper in proving the value of targeting … And compliance cost is the biggie – because there are enough activists in the community to make sure that the legal recourse is real.”

The bright side?

Tyler says it could be worse. Under the Californian privacy regime (CCPA), regulators are actively targeting loyalty programs.

“Their position is that if loyalty programs offer rewards, they are paying for data either through discounts or rewards, and must make that explicit to the consumer.  So they are sending ‘please explain’ compliance letters to operators asking them to document how they are telling members what their data is worth. California is classifying loyalty as a financial proposition that therefore comes under the compliance rules that apply to financial products,” says Tyler.

“I think every loyalty operator in Australia would be quivering about that kind of requirement – how would they calculate that value, let alone report it to the customer?”

Phil Hawkins, former COO, Flybuys

Loyalty programs have been subject to their own review and the OAIC report makes frequent references to loyalty.

Yet despite the potentially huge impact on loyalty programs, especially national programs that actively trade data, neither Qantas’ Frequent Flyers nor Coles’ Flybuys made submissions to the enquiry and Flybuys declined to comment when contacted by Mi3. The third of the big three – Woolworths Every Day Rewards – does have a voice in the report, with its submission referenced frequently.

Phil Hawkins, COO of Flybuys until he retired 18 months ago, told Mi3 that one of the big issues for loyalty programs could be the costs incurred when customers ask to be removed from the program and effectively forgotten. The report makes it clear this will be a qualified right. But Hawkins said there are legitimate reasons for holding some information and suggested it may be much simpler for a loyalty program to remove any way to contact a former member – and effectively classify their membership as not having an owner – than to delete them entirely.

“If a loyalty program was forced to find every trace of where that person has shown their card over the past few years, and every bit of transactional data and delete it, the costs would be huge.”

Hashed emails: Fallout ahead

Josh Slighting, Head of Product, Media, REA Group 

The wording around identification and re-identification of data suggests standard industry practices for targeting and matching audiences – i.e. using hashed emails or other identifiers – will need far more serious consideration, per Slighting.

“It’s saying quite clearly that you can’t just hash and salt data and say ‘that’s it, it’s de-identified’. That will fall foul of the proposals,” he says, pointing to the table on p33 of the document that suggests matching hashed emails will be treated as a ‘high risk’ activity.

“They are going to focus on where the accountability and responsibility lies. ID partners, DSPs, SSPs, clean rooms, data processors, publishers, agencies – anyone who touches [that data] will be accountable,” says Slighting. “It won’t be enough to say ‘it’s hashed and salted’. If you have not resolved consent, if you have not been clear with the consumer on permissions, it will be looked at very closely – and most people don’t understand that. They think they can just partner with an ID provider, encrypt the data and it’s done. But that data can always be re-identified, because someone always has a key.”

ID providers’ tech – the likes of Liveramp, UID and the rest – “remains valid,” per Slighting. “But the onus will now be on the individual business, the brands and the media companies using that ID partner. The process and compliance cost is the hard part and I think that will make businesses a little more hesitant [about using alt IDs].”

Vivian Zhou, co-founder, Karlsgate

Vivian Zhou, co-founder of ‘clean stream’ ID exchange platform Karlsgate, agreed that classifying hashed emails as personal information, and therefore requiring consent for trading them, leaves adtech and publishers facing major disruption. But she’s not surprised at the regulator’s stance.

“It's very easy to link those two data sets together and then re-identify the personal information. So that proposal is going to have a big impact on existing industry practices.”

Zhou said companies using hashed emails could still use them – with the proviso they can make it harder to re-identify the data – and ensure consent is gained for secondary purposes, i.e. targeted advertising and marketing. “That’s the biggest challenge for the whole of adtech,” says Zhou. “There are thousands of adtech companies and publishers using hashed emails. Getting consent across all of those consumers may be mission impossible.”

As a result data supply chains may shorten. Either way, Zhou thinks clean room providers will increasingly integrate consent management to their platforms.

Meanwhile, should proposals that mirror GDPR on data controllers and data processors become law, the entire digital supply chain is in the firing line should things go wrong, warned Zhou.

“Based on the new definition, agencies will be considered a data processor – they process data on behalf of a brand who is a data controller. If there is a breach, who is going to take the consequences? The data processor. So they might need to add terms to their contracts to at least try to mitigate that risk.”
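The hashed-email point made by Slighting and Zhou above can be shown in a few lines. This is an added example, not code from the article or from any vendor it names: the records, addresses, keys and the per-partner HMAC design are all constructed assumptions. It shows two data sets joining on a plain SHA-256 email hash, the joined profile being tied back to a known address, and per-partner keyed tokens breaking that cross-party join.

```python
import hashlib
import hmac


def normalise(email: str) -> str:
    return email.strip().lower()


def hashed_email(email: str) -> str:
    # Unkeyed SHA-256: every party that hashes this address gets the same token.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def keyed_token(email: str, partner_key: bytes) -> str:
    # HMAC-SHA-256 under a per-partner secret (an assumed mitigation, not the article's).
    return hmac.new(partner_key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


def link(a: dict, b: dict) -> dict:
    # Join two token-keyed data sets; each shared token merges two profiles.
    return {t: {**a[t], **b[t]} for t in a.keys() & b.keys()}


def reidentify(tokens, known_emails, tokenise) -> dict:
    # A holder of plaintext addresses recomputes tokens and maps them back to people.
    lookup = {tokenise(e): normalise(e) for e in known_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


# Constructed sample records (example.com addresses, invented attributes).
BRAND = {"Alice@Example.com": {"loyalty_tier": "gold"},
         "bob@example.com": {"loyalty_tier": "silver"}}
PUBLISHER = {"alice@example.com ": {"suburb_searched": "Richmond"},
             "carol@example.com": {"suburb_searched": "Newtown"}}


def tokenised(records: dict, tokenise) -> dict:
    return {tokenise(e): attrs for e, attrs in records.items()}


def demo():
    # 1. Plain hashes: the two data sets join on the token alone.
    linked = link(tokenised(BRAND, hashed_email), tokenised(PUBLISHER, hashed_email))
    # 2. The joined profile is tied back to a person by anyone who knows the address.
    named = reidentify(linked, ["alice@example.com"], hashed_email)
    # 3. Per-partner keys: tokens for the same person no longer match across parties.
    keyed = link(tokenised(BRAND, lambda e: keyed_token(e, b"constructed-brand-key")),
                 tokenised(PUBLISHER, lambda e: keyed_token(e, b"constructed-publisher-key")))
    return linked, named, keyed


if __name__ == "__main__":
    linked, named, keyed = demo()
    print(len(linked), sorted(named.values()), len(keyed))
```

A keyed token is still a pseudonym: whoever holds the key can recompute it, so it narrows who can link records but does not replace consent.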

Contextual advertising returns?

Willem Paling, GM, Customer Experience (Acting); Head of Analytics & AI, IAG

Contextual targeting "is definitely on the comeback," per Willem Paling. He says even Elon Musk has cottoned on to that fact as he bids to drive ad revenues at Twitter.

"So in a platform that can do quite good targeted advertising, Musk is saying he’s got to bring in contextual. For the digital natives, contextual is foreign – it's seen as a bit old world and old man," Paling suggests. Any wholesale contextual shift will require media planners and buyers to fully understand media versus technology, he adds.

"To be able to buy and plan contextual well you need to understand where an ad is running; you need to understand the sites, who's going there and the psychology. It's going to require a level of rigour in marketing that's been lost over the last two decades."  

Maurice Riley, Chief Data Officer, Digitas Australia (Publicis Groupe)

Digitas' Maurice Riley said contextual has been rising up the client radar since the threat of cookie deprecation first raised its head.

"Even with all the data-driven products that we have as an agency group that we provide our clients, contextual has been part of our plan."

Paul Sinkinson, managing director, Analytic Partners

Analytic Partners MD Paul Sinkinson agrees stricter privacy laws make it more likely that brands will swing back to contextual targeting. He's pleased – and thinks advertisers will ultimately win.

“This idea of chasing people around the internet has never really been the best way to do it. What we've always seen is that contextual advertising works better than any other sort of targeting," per Sinkinson.

“Literally versus any other type of targeting, contextual is 1.2 to 2.5 times more effective than anything else.”

That holds true "versus prospecting, versus retargeting, versus affinity, versus audience likes versus absolutely anything," he said. "If you could choose only one form of advertising, contextual would be the way to go."

"So one of the 'downsides' of all this might be that it forces marketers to do better things.”

Skill sets: Missing

Willem Paling, GM, Customer Experience (Acting); Head of Analytics & AI, IAG

"We’ll need a deeper understanding of data in marketing and how to navigate the internal functions like engaging with data privacy and with legal and so on," per Willem Paling. "That's going to become a much more rigorous exercise everywhere. That's been hard for marketers in the past. They've got an understanding of how to do digital but they don't necessarily have the depth of understanding to really understand the flows of data and whether it's personal information or not. So I think that will need a pretty significant uplift."

Cheryl Hayman, a non-executive director

Cheryl Hayman, a non-executive director on a number of ASX boards including Ai-media and Becton Global Food Company, said directors are well versed on the cyber security aspects of data.

But when it comes to the use of that data in systems rather than its protection she said it's a different story. 

“Unless you are running in a highly regulated environment in the context of APRA for instance, and therefore you are across every single changing regulation, there will be a lot of companies that are not at this level.”

Tim Tyler, Managing Partner, Ellipsis

"Gartner has said that one in three businesses that do not currently have a loyalty program will have one within five years. But I’m not sure they have thought through the implications of that in terms of finding the people and analysts with the necessary skill sets. Now you can add the privacy requirement on top, which makes the job even harder.”

Maurice Riley, Chief Data Officer, Digitas Australia (Publicis Groupe):

Digitas' Maurice Riley said the agency undertakes data privacy training every six months, but the new proposals will likely require a significant broadening in scope – "and not just for the data team staff, but for our entire organisation".

More broadly, he thinks agencies are already shifting toward the new regime. 

"We don't need all the data anymore. We need the data that matters and we need the data that people feel comfortable giving us permission to use – and we have to give them that value exchange in order to receive that permission. That's already part of our campaign data strategy. But understanding new consent laws and requirements around that value exchange – that's training that needs to happen now." 
