IAB and ADMA submissions reveal the privacy gulf between industry and government; consumers are even more hardcore on personal data and surveillance; who wins?
Two industry associations at the heart of the debate over Australia's new privacy regime – IAB and ADMA – have a fundamental disagreement with the government over how de-identified and unidentified data should be treated. They are also diametrically opposed to government on its plans to limit targeting and segmentation. But consumers, at least from what we can tell from available surveys, take an even more hardcore view of personal information, and have less tolerance for commercial surveillance, than the government's proposed framework. The next few months should provide an indication of whether the government aligns with industry, or with an increasingly confident and articulate consumer rights alliance.
What you need to know:
- On the issue of opt-outs for targeting and segmentation, the data marketing and digital publishing industry bodies reject the proposed changes in the Privacy Act.
- Both argue that the focus should be on privacy harms not broader consumer or advertising regulatory issues.
- Both want personal information treated differently to de-identified or unidentified information.
- Consumers, whose privacy the proposed laws are intended to protect, have an even more robust view of what constitutes personal information and how it should be used than the government, and those views are deeply embedded and long held, according to surveys.
- The right to be forgotten – erasure – is also causing industry grief, not so much conceptually, but practically in terms of costs, process, and the potential for new regulatory risks.
During the first two decades of digital publishing, the advertising technology sector convinced itself that consumers were along for the ride. But then came Cambridge Analytica, and more recently a series of high-profile privacy breaches at companies such as Optus and Medibank, which gave the lie to that belief.
Are marketers about to discover that same signal in the noise?
The vast gulf between how the federal government says it wants to manage consumer privacy as it relates to digital behaviour and what advertisers and their platform providers believe they should be allowed to do with consumer data has been revealed as responses to the proposed privacy regime roll in.
While publicly both the IAB and ADMA present their concerns about the Government's proposed new privacy regime as a matter of degrees, rather than one of significant opposition, the submissions by both organisations tell a very different story.
Bottom line
The bottom line is that two leading industry associations on the front line of digital marketing believe the government should not regulate to allow consumers to opt out of targeting when that targeting occurs based on de-identified or unidentified data. Likewise they do not want consumers to be able to opt out of being segmented – now a fundamental in data-driven marketing. Both consider the proposed privacy model as regulatory overreach.
Philosophically, IAB comes from the position that the privacy regime should focus on reducing privacy harms and not extend into broader regulatory territory, such as consumer or advertising issues. Getting down into the specifics, IAB believes, for instance, that targeting opt-out provisions should be restricted to one-to-one targeting. It believes the proposed privacy regime will make it theoretically possible for consumers to opt out of any kind of segmentation.
ADMA's top level view is that the government should focus on regulating bad privacy behaviour rather than all behaviour, and says that while each recommendation in isolation makes sense, their collective effect will cause problems – and may be unworkable. (For instance, how can someone who is only visible to a brand as an unidentified data point opt out if they can't be identified?)
While the government defines what personal information means for the purposes of the Act, its view — and the view of both industry associations — is vastly more limited than how consumers themselves regard personal information, according to a recent study by the Consumer Policy Research Centre. That survey was designed with the proposed new privacy regime in mind. It found that consumers take a much broader view of personal information to include issues such as financial information (72 per cent), phone contacts (70 per cent), income (68 per cent), photos (64 per cent), messages (62 per cent) and location data (61 per cent).
It also revealed a significant mismatch between how the digital economy currently works and what consumers want. The report found that while whole industries currently exist to trade in consumer data, 79 per cent of those surveyed believed that a company should not sell people’s data under any circumstances. And even though companies commonly monitor what consumers do online, on their own websites as well as across the internet, 70 per cent of people said they were not comfortable with companies monitoring their online behaviour.
Nor is the CPRC study unique. A survey conducted by Which-50 in July 2019 into consumer views of digital advertising capabilities — likewise based on a survey of 1000 consumers — found huge levels of hostility to common, everyday ad tech behaviours such as retargeting.
Say-do gap?
Asked about the consumer sentiment against targeted digital advertising, Sarah Waladan, Director of Policy & Regulatory Affairs at IAB Australia, told Mi3 that there is often a disconnect between what consumers want and what they say they want.
"This has been referred to in a number of government reports as this privacy paradox where consumers say, 'we don't want that, we don't want anyone to have any data on us whatsoever.' But then they also say they want personalised services when they get online and free services when they get online. So that doesn't work. Somehow those things have to be married up."
According to Waladan, "What we're trying to say is ... you can actually have both. The question is, how do you achieve that? We think one of the ways is by focusing on these privacy by design techniques to try and get those two things of sitting together a bit better."
She noted a survey by the OAIC in 2020 which found half of consumers polled said that if they did have to receive advertising, they would prefer that it be personalised and relevant to them.
Opt out fears
The biggest gap between the government and both the IAB and ADMA relates to opt outs for targeting and segmentation. Both organisations consider those proposals far too broad in scope. They are warning of a raft of unintended consequences.
"I think the reasonable person in the street would think privacy relates to an individual and would think targeting means that the advertising industry or an advertiser is sending me an ad based on me as an individual person, they're targeting me individually. But that is not the definition that the AG [Attorney General] has framed. And that's not how the advertising industry generally works, either," per Waladan.
"A lot of the industry's work is done by segmenting large groups of individuals into buckets and that's what AG is trying to regulate. So for example if you're in a group of people who are aged between 20 and 30, who own a cat or something, and if that group is targeted ... [the consumer] might think I'm being targeted as an individual. But that's not actually what's happening. They're not being targeted as an individual at all, they're being targeted as a member of a group. Nobody would be able to identify them as an individual."
ADMA attacks
Like the IAB, which represents digital publishers and increasingly adtech vendors, ADMA, which represents brands, believes the opt out provisions for targeting and segmentation are too broad. It also disagrees with plans to treat de-identified and unidentified data the same way for the purposes of regulating targeting and segmentation.
And as with its peer association, ADMA finds plenty of things in the report it either agrees with or believes can be improved through consultation. Its submission actually supports the majority of almost 50 of the privacy proposals that it comments on. But like IAB, it opposes core aspects of the proposal around targeting, segmentation, and opt-outs.
According to Sarla Fernando, Head of Regulatory & Advocacy Advisory, ADMA, "When you read the report, and you read the recommendations in isolation and in silos, they all make sense including the ones that we are opposed to. Where we find the difficulty is when you start applying certain proposals, and then you understand that in order to fulfil what the government is requesting in the proposal, it now has a domino effect ... and it becomes almost impractical to be able to actually put into practice. What ends up happening is that the burden of compliance becomes great on the business, but without any real perceived improvement on privacy protection of the consumer."
Fernando said that before preparing its response, ADMA hosted a number of round tables, not only with its own members but also drawing on a wider set of expertise beyond marketing, to see if there was any consensus. That process seems to have confirmed ADMA's view that it does not make sense to treat de-identified and unidentified information in the Act the same way as personal information.
ADMA does however agree that it makes sense for it to be addressed in the Act. "And it does make sense that they tried to clarify it because currently in the Privacy Act de-identified information is considered to be a static thing. Under the current Act it looks like once it's de-identified that's how it remains. The government wants to change it to be something that is actually moving, so it's a process rather than a static concept, [that] is not incorrect."
Cleanroom cruncher
ADMA's problem is that it believes the definitions are far too broad.
"Even though they're saying 'in the current context' there's some questions that arise when you put it into practice," said Fernando.
There is also a lack of clarity around even common use cases, per Fernando, who cited cleanrooms as an example.
"In that cleanroom, I'm coming in with de-identified information and [another] brand is coming in with some information. The problem is that there is a possibility that the information can become re-identified. So where does the government sit on that? We're not saying no, what we're saying is that there's no clarity. If there is no clarity or no understanding of what they mean, then you're going to find that businesses are going to stop using de-identified information because they're going to [think there's] no point. They're going to stop worrying about using privacy-enhancing technologies, because it's not really doing the job anyway."
Fernando fears the government's approach goes far beyond the practice in other jurisdictions that are commonly compared to Australia, such as the UK, Europe, Canada, and Singapore.
"Every other regime basically governs and covers personal information. We're saying de-identified and identified absolutely should be addressed, but it shouldn't necessarily be part of personal information."
Not just marketing
"We all agree that the laws need to be evolved," said Fernando. "They absolutely need to be evolved. Data is at the core of business now. It's not a side arm of marketing. It's not only used within the marketing department. The systems that hold data influence all business planning around buying decisions, ecommerce web sites, web optimisation, and supply chain management. A lot of the time this data is actually improving services and improving or pricing – a lot of things beyond just marketing."
There is no room for ambiguity in these systems, said Fernando, because the systems need to be defined for compliance. "Any lack of clarity creates a potential cost to the economy. The failure to understand the role of data, not just in marketing, but from the whole business perspective could actually be more extreme than the government is targeting right now," she warned.
"We understand that the government wants to try and rule out bad things. And we're saying let's try and find out what those activities and those things are, and regulate that. It's the abuse of data, not the use of data [that should be in the regulatory frame]," she said.
Using data to provide a better service and provide targeted advertising and providing things that people want is not actually the problem, according to Fernando. "But because of the language that's used in the marketplace, the consumer immediately assumes that targeting is doing all of the negative things like discriminating against them," she said. "But it's actually not."
Industry bodies have now aired their grievances, with the two-week extension granted by the Attorney General for submissions now passed. Whether they have done enough to sway government, or whether consumer rights lobbyists have the AG's ear, will soon become apparent.