What you need to know:

• IAB Australia has highlighted significant concerns with many of the changes proposed by the Federal Government in its discussion paper exploring the Privacy Act.
• Some of the changes go too far – further than GDPR, in some cases – and would have material impacts on the digital advertising ecosystem, IAB Australia says.
• Representing some of the country’s biggest publishers, agencies, platforms and ad tech firms, the IAB said while consent fatigue is an issue, some of the changes risk destroying the services delivered by the digital advertising ecosystem that consumers have come to expect.

The IAB has warned ambiguous consent changes, limiting location information, and default pro-privacy settings flagged by a review of Australia’s Privacy Act could torpedo the digital advertising and analytics industry entirely.

In its new submission on behalf of the digital advertising industry to the Government’s Privacy Act Review Discussion Paper, IAB Australia says it has serious concerns and the current proposals would “detrimentally impact on the industry’s ability to function effectively”.

The changes raised in the discussion paper, which include changing the definition of ‘personal information’ and restricting access to online identifiers and geolocation, cast the regulatory net “too wide”, the IAB said.

“The proposals go further in terms of restricting legitimate digital advertising practices than any other jurisdiction, including the EU under the GDPR,” the organisation said.

The IAB’s submission is a crucial voice in the Privacy debate. It is the peak body for digital advertising and represents 150 media owners, platforms, agencies and ad tech firms, including News Corp Australia, Google, Nine, Seven West Media and Guardian News & Media.

“If we want to be a leading digital economy and society, the law should not be restricting legitimate uses of data that are not harmful, are within consumers’ expectations and are necessary to support online business,” Gai Le Roy, CEO of IAB Australia, said in a statement. “The regulatory framework should address harmful practices without slowing down the digital economy or the advertising that funds it.”

Some of the changes the IAB flagged as concerning were mentioned in a panel discussion Mi3 hosted in November.  

The IAB said “consent fatigue” is a real issue and the burden of consent should be minimised, left for “high risk” privacy situations instead of routine personal information.

A change that would make collecting, using or disclosing personal information “fair and reasonable” is “broad and ambiguous”, the IAB submitted. “It could at a minimum disrupt – or at worst be interpreted by courts to outright disallow – beneficial business uses of data, even if they are within consumers’ expectations,” it wrote. The broad definition could deem audience segments, data processing, measurement and analytics – currently key pillars of the digital advertising system – “unreasonable” or “unfair”.

Amending the Act to include location information as personal information would add a consent burden on consumers, and while location may be intrusive, most is used for “ordinary business purposes” like relevant search results. It could impact the Out of Home industry as well.

The Discussion Paper also raised the possibility of default pro-privacy settings or a single button that turns the device to its most restrictive settings. The IAB said the former would be overly restrictive and be “inconsistent with consumer expectations in many cases”.

The organisation made several recommendations aiming to minimise the impact and burden on digital advertising companies, summarised below.

The changes the IAB would like to see:

Scope of information regulated

• The Privacy Act should not name specific identifiers or technologies so it is “technology neutral” and adapts to an evolving ecosystem.
• The Act needs a “more targeted approach” to the definition of personal information, rather than explicitly including information that can be inferred about a person.
• There is no need to change “deidentification” to “anonymisation”.
• The IAB does not support reclassifying a user’s location data as personal information.

Approach to consent

• The fair and reasonable requirement is “broad and ambiguous”. It could disrupt or outright disallow what the industry currently does, including audience measurement and analytics and audience segmentation.
• Rather, the Act should include a “legitimate interests” ground for processing data.

Other proposals

• Proprivacy settings should not be turned on by default as this would be “inconsistent with consumer expectations”. While the IAB supports easily accessible privacy settings, it does not support prescriptive requirements to set it automatically.
• The IAB does not support a “right to object” as it is framed, but rather a more limited scope like that used by Europe’s GDPR.