News 31 Jul 2025 - 7 min read

‘Naughty boys and girls’: Privacy regulator ‘has had a gutful of warnings always being ignored’ by industry – adtech, geo-location, data sharing, brand website tracking pixels and CX under enforcement notice

By Paul McIntyre - Executive Editor

If you’re in the business of advertising, customer-facing tech, media or data sharing, including the ‘anonymised’ first party type – or collect customer and consumer information down to a name, address, email, e-com transaction or web page visit – you’re on official notice by the privacy regulator. And that’s before we get to deploying AI to analyse your customer data for “insights” without explicit individual consent. Privacy advisors, including former Australian Privacy Commissioner Malcolm Crompton, were unanimous in their assessment of an official communique yesterday from the Office of the Australian Information Commissioner [OAIC] and a Privacy Commissioner with new powers: privacy-bending practices will be prosecuted in the next 12 months.


Apathy bites

After a year of industry engagement, the Privacy Commissioner and the Office of the Australian Information Commissioner [OAIC] yesterday officially identified the sectors and practices they will actively police and prosecute in the next 12 months: brands and their supply chain of providers – from agencies to data houses, media companies, CX vendors and critically, data sharing practices – are at the top of the hunting list. 

Former Australian Privacy Commissioner, Malcolm Crompton, told Mi3 that yesterday’s announcement made clear that both the OAIC and the Privacy Commissioner have “had a gutful of warnings that are always ignored” by industry. 

Other privacy advisors Mi3 canvassed yesterday were equally forthright – the blowtorch is about to burn on brands and business from an aggressive privacy regulator armed with new, proactive enforcement powers to protect consumers and their personal information and right to privacy.

Industry apathy about aligning conservatively with the 13 Australian Privacy Principles enshrined in current privacy legislation, and a hitherto uncontested entitlement to collect, share and analyse even customer first party data, now face unprecedented scrutiny from Privacy Commissioner Carly Kind, who will be anything but apathetic.

Naughty people

“This is not a change to the law, it’s a change to the regulator’s focus and they’re saying ‘we’re focusing on the naughty boys and girls in these specific areas',” said Malcolm Crompton, a former Australian Privacy Commissioner and partner at privacy and security advisory firm IIS. “What this [announcement] is saying [to industry] is you’re collecting too much information surreptitiously and more information than you need. The Australian Privacy Principles say collect only the data you need, use it only for what you said you’ll use it for, and delete it when you’re done. It’s sending a warning shot to all the naughty boys and girls … who might be sailing close to the edge of the compliance ice: ‘You’ve been warned’. The smarter among those boys and girls will review what they are doing in the identified areas of focus and smarten up.”

The warning Crompton and others tracking consumer privacy reform speak of is a statement of “regulatory action priorities for 2025-26”, quietly released yesterday on the OAIC’s website. It explicitly identifies the sectors and practices squarely in focus for consumer privacy breaches by a Privacy Commissioner who is done with industry engagement and swiftly moving to enforcement.


No 'gotcha' until now

Carly Kind flagged precisely this in a Mi3 podcast and feature in May, saying she would set clarity for industry on definitions of personal information, consent and the collection of personal data that were aligned more closely to the “fair and reasonable” principle diverted into the delayed Tranche 2 privacy reforms by the Albanese government. Those measures put the entire onus on organisations to ensure consumer privacy compliance, in a marked shift away from the individual consent that is central to Europe’s GDPR laws.

Kind told Mi3 three months ago she did not want “gotcha” moments on company breaches – sectors under her microscope will get advance notice of “compliance scans”. She said at the time part of her agenda was to ensure that reforms were taken “seriously in the c-suite and at the board table” by pushing benchmark cases that would serve as default precedents for what constitutes a privacy breach.

Yesterday’s regulatory action priorities have done exactly that. “The OAIC will focus on sectors that compromise rights and create power and information imbalances,” it said yesterday. The explicit intent is to move dramatically in favour of consumer privacy protection over industry interests and entrenched practices, which many have told Mi3 over the past five years already breach privacy law. The consumer privacy enforcement era has begun. 

Power to the people

“Data has become currency in a digital economy that incentivises the collection of more and more personal data, and that concentrates power in the hands of those who know the most about us,” Privacy Commissioner Carly Kind told a UNSW Privacy & Security Regulation for Connected Cars forum in May. In yesterday’s OAIC outline, “new surveillance technologies such as location data tracking in apps, cars and other devices” was one of a series of practices that puts marketing, media and customer tech on red alert as the regulator channels its resources into what it deems the “prevention of privacy harm”.


Advertising technology, data brokers and data sharing, pixel tracking, excessive collection and retention of personal information and the use of AI for customer analysis are top investigative and enforcement priorities – and the regulator said that is effective as of now. 

Pixels, or pieces of code that collect user information and enable tracking and sharing of that information between different parties, mostly without their awareness or consent, are in for a dramatic shakeout, particularly for brand websites and other forms of owned media, along with publishers. Kind said “this is a real concern” in a guidance paper on the use of pixels. She cited the regulator’s own consumer research, which showed 69 per cent of Australians “did not think it fair and reasonable that their personal information was used for online tracking, profiling and targeted advertising…”

Pixels are legal evidence

“Just assume that your pixels are collecting evidence against you as much as they are collecting insights,” Civic Data partner Chris Brinkworth said. “The internet is made up of log files that the OAIC can request under their new powers, creating a mountain of evidence of ‘illegally collected data’. Existing law makes websites and apps liable for sending data to vendors like Google, Adobe, Meta etc overseas, but it's deeper than that. As a brand or a publisher, you are also responsible for their security practices; a vendor breach raises questions about your compliance – did you take 'reasonable steps' to protect that data?”

The hit list

The OAIC’s guidance on the types of personal information that fall under privacy compliance, applicable to pixels and beyond, is onerous:

  • Form inputs such as name, address, date of birth, email address and phone number
  • Transaction data such as items viewed and cart additions
  • Network information (such as IP address) and geolocation data
  • URL information
  • Other activity data such as pages visited, content viewed, session duration.

“Pixel tracking has been called out as unfair by successive commissioners starting with me as commissioner over 20 years ago,” said IIS’s Crompton. “The OAIC is implying it’s had a gutful of warnings that are always ignored. Each pixel is a unique URL that’s never been used and never will be again, so it’s absolutely unique and allows tracking of where you are, where you are going, what you are doing, but is deliberately deceptive. The warning is the OAIC is on the prowl in these areas in particular and will start enforcing the law more actively. Carly Kind has been foreshadowing more enforcement action from the moment she started over a year ago. Now OAIC is identifying where it’s focusing.”

Data hoarders get hurt

Beyond pixels, broader excessive collection and retention of personal information by companies, data houses and those that share ‘anonymised’ data are other hot spots where the marketing industry should now expect the regulator to land high profile breach actions in the coming 12 months.


“Many data service intermediaries and associated data sources have not lifted their data maturity or transparency measures to be ready to address the Privacy Commissioner’s new interpretations and expectations,” said Peter Leonard, Adjunct Professor of UNSW Law and Justice and principal of Data Synergies. “They are now on notice that they are top on the list of the OAIC’s regulatory priorities. 

“The Privacy Commissioner’s enforcement action to date, and recent guidance, illustrates the Commissioner’s view that many organisations are not lifting their game to meet the more exacting regulatory requirements as to clarity and comprehensiveness of the description of what is going on, why and for what purpose [to consumers].”

Equally, the industry stampede to first party data was not the “silver bullet” that most across industry assume, according to Civic’s Brinkworth. 

“It just moves the regulatory microscope from the open market onto your own website. The central issue is now the vast gap between why you say you're collecting data and how you actually use it. Vague 'for marketing purposes' clauses in privacy policies are a red flag for regulators, because if you collect an email for a newsletter, you cannot then legally use it as an identifier for data enrichment or complex analytics without making that explicitly clear at the point of collection.”

Now everyone's a data broker...

Brinkworth said it was “dangerous and misleading” to conflate the OAIC's focus on data brokers with a small number of companies considered data brokers. “Our interpretation is that their focus is on the pervasive activity of collection and brokerage of data that is deeply embedded in the entire adtech and martech ecosystem, often in plain sight,” he said. “When a marketer or agency uses 'targeting tick boxes' in a major advertising platform based on 'intent data' or uses 'campaign enrichment' to append data to their customer lists, they are participating in data brokerage. Our interpretation is that the OAIC's priority targets this entire supply chain, not just a few named companies.”


Leonard said overcollection and over-retention of personal data was an “unjustifiable business risk” that leads to “reputational disaster, even before the Privacy Commissioner comes knocking and asking embarrassing questions.”

Marketing-related practices were among the biggest offenders, he said. 

AI, CX tech stack a target

Even the use of AI on customer data for internal business use cases is now on the regulator’s agenda in the coming year. The seemingly harmless “AI sprinkle” in the marketing and CX tech stack was the “real focus” of the OAIC, according to Brinkworth. 

“We're talking about AI-driven [prospect] lead scoring, predictive churn models and AI-powered segmentation tools that marketers use every day without a second thought. The OAIC's announcement signals they are now looking past the obvious and are targeting the pervasive, everyday use of AI that operates under the radar but has massive privacy implications.”

Brinkworth said the core problem is twofold.

“First, it almost always represents an illegal secondary use of data; customer information collected for a primary purpose like a transaction is now being repurposed to train a model without specific consent. Second, this AI is often trained on what companies believe is 'anonymous' first-party data per above, [but is actually also] vast data warehouses full of hashed emails and device IDs. The OAIC is now posturing to argue that these identifiers are, in fact, personal information, meaning your entire analytics infrastructure is likely a regulated data swamp that is subject to the full force of the Privacy Act.”

Ultimately Brinkworth said it exposed a “massive operational failure” in most organisations – data hoarding. “AI's thirst for historical data makes the common practice of indefinite data storage a direct violation of the data destruction rules that already exist,” he said. “The OAIC's focus on AI means their questions will now cut deeper. We expect they won't just ask what your AI does, but what data it's trained on, where you got it, and most importantly, why you still have it.”

Seismic shift

WPP Media’s chief media and solutions officer, Ryan Menezes, said it was clear the OAIC is now “actively seeking out systemic privacy challenges, moving beyond a compliance-driven approach” and that the clampdown on the collection and sharing of data “represents a seismic shift from data volume to data integrity and accountability. Practices such as sharing insights about driving behaviour, passively gathering audio from smart speakers, or creating detailed profiles from combined device data without clear, specific consent raise significant concerns. The OAIC's focus on transparency and data minimisation means companies must drastically dial back this excessive collection and sharing, or face significant regulatory pushback.”

Ultimately, IAB CEO Gai Le Roy said what the OAIC has signalled this week should come as no surprise. “The priorities released by the OAIC are consistent with comments from the Australian Privacy Commissioner Carly Kind to the industry over the last year,” Le Roy said. “At the IAB Australia Leadership Summit last year she outlined priorities in relation to the advertising industry that match those released today.”

But not many then were listening. They might be now.