What you need to know:

• NAB, Telstra and Woolworths are pushing back against proposals that threaten key planks of their marketing operations, amid hundreds of responses to the Attorney General’s Privacy Act proposals.
• Woolworths fears allowing people to be members of a loyalty program and get the benefits but opt-out of letting the retailer monetise their data through targeted advertising undermines its economics.
• Loyalty data from 14m Everyday Rewards members has become a mainstay in targeted advertising while Cartology, Woolworths' retail media operation, relies heavily on the data to attract hundreds of millions in annual ad spend from FMCGs.
• Banks say the privacy overhaul could restrict automated decisioning, increasingly used by the majors – including Commbank and NAB – to push relevant services and offers to customers and prospects.
• Telstra warns that setting privacy proposals to the “most restrictive by default” could undermine operation of its core network services let alone marketing and advertising.
• The digital ad industry suggests the Attorney General is overstepping its remit and risks harming consumers by putting free, targeted ad-funded services at risk. Only lawyers will benefit from letting individuals seek legal redress for privacy breaches under the new regime, per the IAB.
• Consumer advocates urge lawmakers not to be swayed. They say businesses need to shoulder responsibility and foot the bill for long overdue reforms.
• The department received 498 submissions in total, and many of these are yet to be posted online. Some won't be as people and organisations can choose to make their submissions confidentially.

The Federal Attorney General’s privacy proposals aim to curb non-consensual targeted advertising, widen the scope of what is classified as personal information and give people much more say in how their data is collected and used, while raising the threat of class actions against firms deemed not to have done so fairly.

Fearing a massive compliance and cost burden – and for parts of the digital ad industry, existential threat – brands, publishers the digital media supply chain are collectively pushing back.

But consumer advocates say businesses need to step up and take responsibility for how they use and make money from personal data – and not attempt to dilute an overhaul long overdue.

The Australian Institute’s Centre for Responsible Technology said the reforms are the first significant upgrade of privacy laws in four decades.

“In the intervening period the business models around the commercial exploitation of personal data have grown exponentially as have the human consequences of these models. These changes do not just compromise the privacy of individuals, they are undermining the structures of our civil society, with increases to polarisation and the undermining of the public realm,” per the NGO.

“Any attempt to water down reforms proposed by the Attorney General would fundamentally undermine the integrity of this broader package of reforms.”

The Centre for Responsible Technology called on media companies that argued for the public interest in mitigating the growing monopoly power of big tech to also endorse the privacy measures, but many will likely fear that their own increasingly sophisticated targeted advertising revenue lines could be crimped.

Consumer advocates Choice supported virtually every proposal put forward, adding that businesses should bear the burden of identifying and mitigating privacy risks in their practices – not individuals.

“Businesses should work in the best interests of those whose data they collect, use or disclose,” per the group. “Currently, only 12 per cent of consumers trust companies to use the data they collect about them responsibly and in their interests.”

But businesses fear compliance could be unworkable, resulting at best in people being bombarded with irrelevant ads and clunky services and at worst putting key infrastructure operations at risk.

Below is a summary by sector.

Finance: Harm warning

None of the Big Four banks currently has a published a response AG’s discussion paper leaving the Australian Banking Association to represent the views of the sector.

NAB’s response was originally visible but has subsequently been removed.

While it was still visible, it showed that NAB supports introducing a requirement for consent to trade information but that the law needs to be specific enough not to inadvertently capture “other legitimate information processing activities that are securely and ethically conducted by third parties on the controller’s behalf.”

The bank plays a straight bat on the issue of the treatment of unidentified or de-identified information, but argues the Privacy Act the wrong place to address the issue as it is fundamentally tied to protecting personal information. “Expansion of the Privacy Act to regulate the use of data that is not personal information is likely to lead to significant unintended consequences and runs the risk of increasing overlap between legislative regimes.”

NAB baulks at the prospect of fines running to 30 per cent of adjusted turnover saying this is “significantly higher than the strictest regimes in other jurisdictions.”

It warns that if the fines are too high, they may act as a deterrent to breach disclosures – but agrees with the Attorney General’s proposal that in circumstances where no benefit could be determined, a $50 million penalty would apply rather than 30 per cent of adjusted turnover.

In the absence of submissions from the other major banks, the response from the Australian Banking Association – which represents the big four and 20 banks in total – is one of dismay.

The ABA says the Privacy Act is not fit for purpose to regulate de-identified and targeting data and, if that is the Government's intention, far-reaching amendments will be required to make sure that it does so effectively.

Increasing the scope of the Privacy Act to cover de-identified data will also have significant unintended consequences without addressing the key harms, warned the ABA.

It warned lawmakers to proceed with caution – and not create new laws that overlap with existing ones.

“Historically, the Privacy Act has been fundamentally tied to protecting personal information. While we support the policy intent underlying the proposals relating to de-identified data, the regulation of this information would fit more appropriately within other legislation already in existence,” per the submission.

"The report proposals related to consumer protection, such as the direct marketing and targeted advertising proposals, should be harmonised with obligations under the Do Not Call Register Act and the Spam Act … At present, the laws appear to cover the same or similar ground but on non-technology (nor non-channel) neutral grounds.”

Automated decisioning

The bankers made the same point about automated decisioning – where the majors have invested heavily.

“As a general principle, the ABA considers that there are real risks in regulating discrete aspects of automated decision making (ADM) in a privacy context, without considering the broader implications and potential ADM regulatory framework which we expect to be developed and introduced in the near future. Imposing privacy specific ADM obligations may cut across future parliamentary intention and create a piecemeal and overly complex ADM framework, with unintended consequences.”

Big tech: missing

Public responses from big tech – which potentially have the most to lose – were notably absent.

Meta and Microsoft are missing, as is Google owner Alphabet whose local VP had some choice words about Australian regulators last week.

Likewise big martech. Adobe, Salesforce, Sitecore, Hubspot are all missing in action. Oracle, however, has not been shy, blasting rivals, particularly Google and urging the regulator to go hard. “Without urgent reform, the egregious behaviour of Google and other digital platforms which Australians cannot avoid in their daily lives and online interactions will continue,” per the enterprise software giant.

“The ways the platforms collect, use, and monetise personal information erodes Australians’ trust in the digital economy and is inconsistent with the objectives of the Privacy Act.”

Of the tech firms that made submissions, companies like Amazon Web Services and Infosum mostly seem concerned with ensuring the government treats data controllers (themselves) differently to the data processors (brands and platforms, though in fact some can be both).

There are also suggestions that the treatment of what constitutes personal information may be better tackled outside of the Privacy Act – and that Australia risks moving out of step with other jurisdictions such as the EU.

Cleanroom provider Infosum argues the proposed definition of targeting is overly broad saying the current proposal goes further than the definition of personal information to include segmentation even where no individual is reasonably identifiable. “This goes further than GDPR,” per the firm. InfoSum suggests that where personal information is aggregated so that it is not reasonably capable of re-identification, it should no longer be personal information and should not be subject to the Act.

Criminal proceedings

Adfixus founder via Marko Markovic is one of the few private company executives to agree with proposition that re-identifying de-identified information should be a criminal offence. Most organisations avoid the question altogether, although individual submissions from the general public are overwhelmingly in favour.

According to Markovic, “There should be a criminal offence for re-identifying information where: The party does not have a direct relationship with the customer (i.e. is not the first-party), or the party is the first-party, however, when gaining consent they committed to storing and using the information in a de-identified state.”

Privacy specialist Civic Data, which describes itself as the first regulatory-fluent Marketing ecosystem auditor tabled a regulatory sandbox as a means of protecting innovation from an overly prescriptive privacy regime. “[These] have been very successful in driving compliant innovation and investment in the fintech sector, which is in many ways analogous to the martech and adtech markets,” per the firm.

Forget it

The Australian Information Industry Association (AIIA) supports removing the exemptions for small business as a way of building nationwide data security and resilience. But it expresses concerns about the Right to be Forgotten, arguing that it will be hard for the “technology sector to be able to comply in a practical sense with the right of erasure. Data is collected and stored in modern systems, and full implementation poses difficulties.”

It's rival, the rapidly emerging Tech Council of Australia identifies a swathe of proposals where “further consideration is needed”, disagreeing with much of what has been tabled around automated decision-making, direct marketing, targeting and trading. It also wants further clarity on exemptions to individual rights as well as employee records exemptions.

Retail: Loyalty, media damage

Woolworths Group submitted a detailed response. It doesn’t have an issue with people opting-out of targeted advertising across its owned media platforms – though said that risks customers being served irrelevant ads, cows milk to vegans for example – but draws the line on loyalty schemes. 

It argues that a qualified opt out should apply for loyalty schemes because they are “voluntary, non-essential and have no barriers to exit”, plus the whole purpose of a loyalty scheme is to personalise customer experience (through advertising and direct marketing) and reward members with perks in return for using their data to deliver those ads and offers. Its Everyday Rewards program has more than 14 million members and its cards are scanned 20 million times each week. That data is the cornerstone of Woolworths retailer media business, Cartology, a unit with “a lot of upside” per CEO Brad Banducci. Estimated to have booked $300m in FY2021, Woolworths has since reported double digit top line gains for its media operation.

Allowing people to opt out of targeted advertising while still receiving loyalty perks is therefore a problem for Woolworths. People should be made to give consent it they want to get the rewards, per the firm’s submission:

“In this context, it is reasonable for an organisation to require an individual to consent to receive targeted advertising or have their personal information used for direct marketing in order to participate in (and ultimately, give effect to) the loyalty membership scheme.”

Without that carve out, loyalty scheme economics are challenged, experts warn, though it depends how many people actually opt out.

“Loyalty programs that are marketing channels in disguise will have to be much tighter in seeking permissions,” Tim Tyler, Managing Partner at specialist loyalty consultancy Ellipsis, told Mi3 when the proposals were published.

“I’m not sure they will be happy with members that opt out of targeted ads and ask them to delete data. All of a sudden, that value proposition is no longer there,” he added.

“[But] what we don’t yet know is how interested the Australian public actually will be. The Europeans haven’t seemed that interested. Not many are opting out [via GDPR].”

Geolocation, trading, brokerage

Woolworths has concerns that requiring consent notices for geolocation tracking, trading, plus opt-outs for direct marketing and targeted advertising could annoy customers and lead to ‘consent fatigue’. It could also hamper its ability to provide updates on shopping deliveries and click and collect, per the firm. There are similar concerns about notifications of privacy rights at the point of data collection. It would prefer a centralised approach to privacy notifications.

The retailer also wants proposals around data trading narrowed. Requiring consent for data brokerage makes sense, per the firm, but current wording risks cutting across sharing data with third parties such as delivery drivers for shopping, or with Qantas so that loyalty customers can redeem their rewards or convert points.

Leave small firms out of it

The National Retail Association, which represents more than 60,000 retailers, does not want the current small business exemptions to the Privacy Act removed in the new legislation. It also wants further clarity on what is ‘fair and reasonable’ use, and much clearer definitions to determine what ‘de-identified’ information is permissible for marketing. The industry body wants to avoid “unforeseen consequences” on existing online advertising activity. It added that a “proposed expansion to de-identified or aggregated information, such as ‘customers like you’ [i.e. lookalikes] within the Act definition is an overreach”. 

Telco: Dial it back

Telstra urges for proportionality in tightening of the privacy rights of individuals while ensuring they don’t place unnecessary red tape on businesses for little benefit, arguing that the Privacy Act proposals, in some cases, are more stringent that the EU’s GDPR.

The telco has warned that if privacy settings are set to the “most restrictive by default” it could lead to a proliferation of opt-in consent notices that could hamper service delivery – i.e. device and location data that helps it run its telecoms networks – as well as direct marketing, and lead to consent fatigue. 

It also wants clarity around the direct marketing proposals, including how personal information can be used for direct marketing, targeting and trading. As targeted advertising falls under the definition of direct marketing, Telstra argued “it is unclear how an entity would give effect to an individual’s request to opt out of direct marketing but not targeted advertising".

Digital media supply chain: Leave targeting alone

The Interactive Advertising Bureau (IAB), representing the digital ad supply chain, platforms like Google and Meta, plus publishers such as Nine, Seven and News Corp, issued a broadside.

It’s particularly aggrieved about how online targeting of ads goes “beyond addressing the privacy of individuals and regulates the use of data and advertising”.

It suggests consumers will end up paying a high price for questionable benefits.

Per the IAB: “In our view, what is proposed would severely restrict digital advertising and the availability of free content and services online, and would disincentive privacy by design processes, technologies and practices, which are important to Australia’s future as a leading digital economy.”

It argues the definition of ‘targeting’ is far too broad, goes beyond the scope of privacy concerns, and is not necessary when there are already provisions to opt out of direct marketing, which by its nature includes targeted ads. 

For example, a local pizza shop might use geographical targeting on social media to serve ads to people in its delivery catchment area, or an NGO might use demographic data to target a public health campaign; neither of which the IAB argues are privacy issues.

The IAB wants only segmentation that “reasonably identifies individuals” to be covered by privacy laws.

It also opposes amendments that require opt-in consent notices, citing “consent fatigue”. It does not believe the proposed definition of “trading” of data should require consent, and should be amended to instead specifically cover the “sale of personal information”. 

Enabling individuals and collectives to take firms to court over breaches will only benefit lawyers, per the IAB.

Either way, most of the big firms that responded to the proposals want a phased approach and a multiyear grace period to comply, given the scale of what they are currently facing.

See the full list of responses here.