Australian Privacy Commissioner Carly Kind’s latest statements are a clear warning to Australian businesses: the time to prepare for regulatory change is not after tranche 2 lands – it’s now.

As reported by Mi3, Kind recently signalled that while the timeline for changes in legislation is still uncertain, her office will move ahead with proactive enforcement using the powers already granted under tranche 1 of the Privacy and Other Legislation Amendment Act 2022. Or as she put it: “We’re certainly not sitting around waiting for tranche 2.”

What’s emerging is a clear intention to use these powers to correct non-compliance and potentially seek judicial interpretations that clarify long-standing ambiguities in the Privacy Act.

The implications for marketers are significant and timely.

The message is clear: the Privacy Commissioner has stated her office now has everything they need to begin issuing penalties. Australian businesses should be treating privacy as a strategic, board-level concern. Marketers can no longer assume de-identified data, clean rooms or assumptions around pixel tracking offer blanket protection.

As Kind highlighted, de-identification must be robust and if individuals are still ‘reasonably identifiable’, privacy laws may still apply.

These practices are now in sharper regulatory focus.

Act now

Many businesses may have been tempted to interpret the recent delay of tranche 2 as a reprieve from the pressures to optimise for privacy, leading to a softening of internal momentum and resourcing around privacy initiatives.

But the slowing of legislative movement shouldn't be mistaken for a reason to pause. The foundations for stronger enforcement are already in place, and now is a good time to start building internal momentum.

We now know that The Office of the Australian Information Commissioner (OAIC) does not need new legislation to take action – tranche 1 has given the OAIC the ability to test and enforce the law as it currently stands.

In doing so, the OAIC may use enforcement cases to bring about judicial interpretations of terms like “personal information” and “consent”, which are sometimes hard to interpret across industry. This is a strategic move that could shift the privacy compliance landscape substantially and swiftly.

For marketers and customer-focused teams, this is something to take keen note of. Those businesses which have adopted a “watch and wait” approach should begin to shift gears and begin proactively implementing privacy-safe measures.

It will not necessarily be enough to say, “we’re not collecting personal information” or “the data is de-identified”. As Anna Johnston, Partner at privacy advisors Helios Salinger told Mi3: “It is a lot harder to de-identify data to the point where the privacy laws no longer apply.”

Tracking pixels

Among the first areas flagged for active enforcement are website tracking technologies – specifically, the use of tracking pixels, with the OAIC probing how companies are using pixels and whether they are in breach of existing privacy laws for the last year. These tools, which underpin vast portions of the digital marketing ecosystem, are under increasing scrutiny for how they collect, transmit and share data – particularly where health, financial or other sensitive information may be involved.

Importantly, the OAIC is focused not on the tech platforms supplying these tracking tools but on the organisations implementing them. In other words, if you own the website, you are responsible for how data is collected and disclosed.

This includes cases where that data may be shared – intentionally or not – with platforms like Google, Meta, TikTok, X and Snapchat via embedded code.

For marketers, this raises pertinent questions. How many third-party tags are running on your website? Who installed them? What information are they collecting and where is it being sent? If your teams or agencies can’t answer these questions, you may already be exposed to compliance risk.

Ending ambiguity

It’s important to recognise that the OAIC’s enforcement strategy is not intending to “catch out” businesses, but rather to promote greater compliance and remove the grey areas that have allowed questionable practices to persist.

The goal is a more transparent, consistent data governance environment – one where privacy is integrated from the start and embedded in every marketing and data decision.

This means marketers must collaborate more closely with legal, compliance and data governance teams. They must understand the full lifecycle of the data they use–- from collection and consent to storage, sharing and deletion.

Just as importantly, they must ensure their teams are educated on privacy risks and equipped to apply privacy-by-design principles in campaign planning and execution.

What next

As the Commissioner made clear, brands can’t count on a grace period, which means there is no more time to wait. The risk of non-compliance is rising – not just in terms of potential financial penalties but in reputational risk and customer trust.

Marketers must take the lead in reviewing current practices, auditing data flows, tightening consent processes and questioning assumptions – including around de-identified data, data sharing, and AI training practices.

This isn’t just about staying on the right side of the law. It’s about demonstrating to customers, boards and regulators that your business takes privacy seriously and is prepared to act.

When the OAIC does come knocking, those who’ve taken this approach will have nothing to fear and everything to gain.