News 25 Oct 2021 - 4 min read

Privacy Act overhaul: Customer data, social media, dating apps, data brokers, rewards and loyalty programs face heat as Attorney General proposes changes to privacy laws

By Sam Buckingham-Jones - Senior Writer

“We know that Australians are wary about what personal information they give over to large tech companies,” Attorney General Michaelia Cash said.

The Federal government yesterday released two long-awaited privacy papers that mean how marketers, publishers and agencies collect and use customer data - and profile consumers online - will likely soon face far-reaching and more restrictive laws. Australia is moving a step closer to Europe's GDPR legislation - with lessons on what hasn't worked like "consent fatigue" - that govern social media companies and any enterprise that collects, uses or trades personal information. Blue chip marketers and data houses like Quantium, Nielsen, Experian and Acxiom have been named in the Federal Attorney General's new privacy proposals.  

What you need to know:

  • The government has released a long-awaited discussion paper canvassing changes to the Privacy Act that could have a profound impact on marketers, agencies and data brokers.
  • It also released draft legislation that will create an Online Privacy Code, managed by the Australian Privacy Commissioner, that will impose harsh penalties on data breaches.
  • The Online Privacy Code will mean social platforms, dating apps, messaging services and even data brokerage companies like Nielsen, Quantium, Experian and Acxiom, named yesterday in the Attorney General's Discussion Paper, will need to adhere to strict new data sharing rules.
  • The Privacy Act discussion paper flags widespread changes to current laws, including changing the definition of personal information and creating broader statutory privacy infringements.

Key data players in the digital marketing industry will be subject to a strict new privacy code imposing major penalties on the misuse of personal information.

The Federal government released two documents on Monday: a discussion paper exploring changes that would bring Australia’s privacy laws more in line with Europe’s General Data Protection Regulation (GDPR), and draft legislation that would create a binding Online Privacy Code for social media companies and other platforms.

They both could have serious implications for how marketers, agencies and publishers use data.

Online Privacy Code

The Online Privacy Code legislation was flagged back in 2019 in response to the Facebook/Cambridge Analytica data harvesting scandal in March 2018. The legislation allows the Australian Information Commissioner to create a binding code, with input from the industry, that covers “particular privacy challenges posed by social media and other online platforms that collect a high volume of personal information”.

Social media services companies like Facebook, Instagram, TikTok and Snapchat, dating apps like Bumble and Tinder, online content sites like OnlyFans, online blogging sites like Reddit, and online videoconferencing platforms like Zoom and WhatsApp will be covered by the new code.

But the new Online Privacy Code will also impact “data brokerage services”, like Quantium, Acxiom, Experian and Nielsen. This includes any company whose business model relies on data from rewards and loyalty programs. The Attorney General's definition of a data brokerage service is "intended to capture organisations whose business model is based on trading in personal information collected online, or information derived from such personal information, such as data derived from rewards or loyalty programs."

Any organisation that collects personal information and has 2.5 million end users in Australia will also be covered by the code.

The code will mean an individual can request that an organisation not use or share their personal information. While this doesn’t go as far as some privacy laws, which give users a “right to erasure”, it does mean a company must stop sharing the user’s personal information for marketing purposes.

The code will also strengthen protections for children using social platforms. Social media services must have consent from parents before using any data from a child under 16, and try to verify the age of people using the service.

The laws would give the Australian Information Commissioner a powerful enforcement role, meaning the Commissioner could:

  • Impose penalties of $10 million – or more – on organisations,
  • Issue hefty fines for failing to answer questions,
  • Impose criminal penalties for noncompliance,
  • Share data with law enforcement authorities.

Australian Information and Privacy Commissioner Angelene Falk welcomed the changes, which bring privacy law close to competition and consumer penalties. 

“This legislation is an important step towards the OAIC having more of the regulatory tools we need to take a risk-based approach to preventing harm,” Falk said.

Changes to the Privacy Act

Since late 2019, the Attorney General has been reviewing the Privacy Act 1988, the law that governs and protects the privacy of Australians.

Since releasing Terms of Reference and an Issues Paper a year ago, the government has received 200 submissions from big tech companies, government agencies, academics, industry bodies and privacy advocates. On Monday, the government released a 217-page paper exploring those submissions.  

It includes pages of proposed changes to the Privacy Act, some innocuous, some profound. For example, the discussion paper proposes changing the definition of personal information, which could include a user’s metadata.

It also proposes adding a clear requirement that privacy notices must be “clear, current and understandable”, possibly with standardised layout, wording and icons.

The Privacy Act proposals also include:

  • A right to object to any collection or use of personal information for targeted advertising, profiling and direct marketing.
  • Changing "de-identified" to "anonymised" in the Act, meaning for information to fall outside privacy laws, even the holder of the data could not re-identify it. 
  • Requiring privacy policies to include whether personal information is used in “automated decision-making”.
  • A statutory tort of privacy that would allow individuals to take legal action after a serious breach of privacy.

This protects the kids, government says

Attorney General Michaelia Cash released the documents, along with a media release with Assistant Minister to the Prime Minister for Mental Health and Suicide Prevention David Coleman.

“We know that Australians are wary about what personal information they give over to large tech companies. We are ensuring their data and privacy will be protected and handled with care. Our draft legislation means that these companies will be punished heavily if they don’t meet that standard,” Cash said.

Coleman directly linked the legislation to the Facebook whistleblower Frances Haugen’s revelations that the company’s internal research showed Instagram’s harmful effects on teenagers.

“In Australia, even before the COVID-19 pandemic, there was a consistent increase in signs of distress and mental ill-health among young people. While the reasons for this are varied and complex, we know that social media is part of the problem,” Coleman said.

“The recent leak of Facebook’s own internal research demonstrates the impact social media platforms can have on body image and the mental health of young people.”

Mi3 will publish a podcast and Deep Dive feature next week with industry and privacy experts on the key implications for the marketing supply chain.  

 
