We outline the key proposed changes to the Privacy Act that may impact the Ad Tech industry and what steps you can take to best prepare.

What is Ad Tech?

The term Ad Tech is short for ‘advertising technology’. While relatively broad, the term as it is used today refers to the technology, software and tools that help marketers and brands target, deliver, manage and analyse the performance of their digital advertising efforts.

One of the most impactful developments for this industry has been the ability to use data about an individual to better target advertising to that individual based on their preferences and past behaviours (which can be done using, for example, various online behavioural advertising technologies such as cookies, pixels, ad tags and web beacons).

Ad Tech also helps brands to make the most of their digital advertising budget and maximise their return on investment by delivering content to an engaged audience that is likely to be interested in their products and services.

What’s been happening in this space in Australia?

Between 2017 and 2019, the Australian Competition and Consumer Commission (ACCC) conducted the Digital Platforms Inquiry, which looked into the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in the media and advertising services markets.

The Digital Platforms Inquiry made a number of recommendations in relation to a range of competition, consumer and privacy issues, which led to:

  • the development of the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill), which was released in October 2021; and
  • proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act) as part of the Australian Government’s ongoing review of the Australian privacy law framework (Privacy Act Review), which began in 2019.

In summary, if enacted, the Online Privacy Bill would:

  • enable the introduction of a binding online privacy code (Code) for social media and certain other online platforms and data brokerage services; and
  • increase penalties and enforcement measures for privacy interferences and other breaches of the Privacy Act more generally (such that the increased penalties and enforcement measures would apply to all organisations subject to the Privacy Act and not only those subject to the Code); and
  • the Privacy Act Review, which was initiated by the government in 2019 and is still ongoing, seeks to review, and significantly enhance protections under, the Privacy Act.

Some of the key proposed changes to the Privacy Act that may impact the Ad Tech industry include the following proposals.

1. Changes to the definition of personal information

One proposal in the Privacy Act Review is to broaden the definition of personal information, including to incorporate identifiers, location data, online identifiers and other technical information (such as IP addresses, device IDs, account names and social media handles), which are commonly used in digital advertising programs.

2. Increases to obligations on collecting, using and disclosing personal information for the purposes of direct marketing, targeted advertising and profiling

There are various proposals in the Privacy Act Review that deal with direct marketing and targeted advertising, including:

  • a proposed requirement for an organisation to take steps to identify and mitigate any privacy risks if an entity wishes to engage in “high risk” restricted activities (such as direct marketing or online targeted advertising on a large scale);
  • a proposed obligation for organisations to notify individuals if they wish to use or disclose personal information to conduct direct marketing activities; and
  • a proposed right for individuals to object to the collection, use or disclosure of their personal information for the purposes of direct marketing.

3. Increases to fines and enforcement powers

The proposals would significantly increase the Office of the Australian Information Commissioner’s (OAIC) enforcement and regulatory powers, which would include, for example, an increase to the maximum civil penalty available for a serious or repeated interference with an individual’s privacy. Noting the current is limit is $2.22 million for serious or repeated interference with the privacy of an individual, the maximum penalty would increase to the greater of:

  • $10 million;
  • 3 times the value of the benefit obtained directly or indirectly by the organisation from the serious or repeated interference with privacy; or
  • if the value of the benefit under the above point cannot be discerned, 10% of the relevant turnover of the organisation during the 12 month period prior to the interference (where the relevant turnover would include all supplies with a connection to Australia that the organisation, or any related body corporate, have made or are likely to make during a 12 month period).

What can you do now?

While it is not clear if (or when) the Online Privacy Bill may be passed or which (if any) of the proposals in the Privacy Act Review will be enacted, there are a number of steps we recommend you begin considering (and if appropriate, taking) in order to prepare for any changes that may be implemented as a result of the proposed changes to the Privacy Act mentioned above.