Online identifiers under threat as Australia bids to trump GDPR on privacy – brands, publishers, media supply chain face consent, data tracking and sharing overhaul as fines, class actions loom
The definition of what counts as personal information is set to change in Australia, with online identifiers even down to geolocation under review, alongside use of loyalty and credit card data. The upshot is that the ad industry has to change everything it has done to date. The rules about how consent is gained are also under the microscope – and it looks like Australia is going to go harder than GDPR. The risks are large; those that flout incoming law changes may find themselves open to class actions as well as regulatory punishment. Lauren Solomon, CEO of the Consumer Policy Research Centre, former deputy New South Wales Privacy Commissioner Anna Johnston, Peter Leonard, professor of practice at UNSW's Business School, and Guardian MD Dan Stinton unpack what’s coming down the track for brands, publishers, tech platforms and the media supply chain.
What you need to know:
- Brands, publishers, media owners, agencies and platforms are facing an upending of current data and consent practices with Australian lawmakers and regulators aiming for a set of data protection laws that are tougher than GDPR.
- As well as a major overhaul of consent to use consumer data – which will require consumers of average literacy to understand in very simple terms how their data is being collected and used – companies operating in Australia will have to apply a ‘fair and reasonable’ test to everything they collect, use or disclose.
- Meanwhile, the very definition of what constitutes personal identifiers is under review – and pretty much everything the digital marketing supply chain uses now is within scope, from standard online identifiers and customer numbers through to geo-location data.
- Firms will no longer be able to assume that if they cannot identify someone through their IP address, for example, the Privacy Act does not apply to them. Under lawmakers’ proposals, it will.
- As well as the threat of stiffer penalties, the proposals open up the prospect of class actions – which could prove expensive for those found to be flouting new laws.
Last week, the Federal Attorney-General finally dropped two long-awaited privacy papers that have far-reaching ramifications for brands and the digital ad industry.
In short, what most companies are doing in terms of data collection, consent and use now may not be allowed in the future – or will face significant tests and compliance hurdles. Experts think the Australian government is going harder than GDPR – and their early read suggests the frameworks open up brands, publishers and big tech to potential class actions as well as regulatory penalties.
The papers put data brokers in the frame, and pose serious questions over the use of loyalty and credit card data for advertising purposes – with even identifiers like location data under scrutiny.
In other words, the huge market in trading customer and audience data is under microscopic review, which means everyone in the marketing supply chain needs to take note – and prepare to take action.
What's brewing on the legislative front will shape much of what brands, tech platforms, data houses, media companies and agencies will be allowed to do in tracking, targeting and turning prospects and customers into bucks.
Consumer centric? Not right now
Consumer advocates say the reforms are long overdue. Lauren Solomon, CEO of the Consumer Policy Research Centre, has been deeply involved in the submissions to the Privacy Act Review, and her work is regularly cited by ACCC Chair Rod Sims and referenced in ACCC papers.
CPRC research consistently underlines that consumers are effectively being forced into sharing their data, and that the few who understand the labyrinthine privacy policies proffered by websites and apps via insistent, binary consent forms have little control over what they are sharing.
For brands that talk about putting the consumer at the heart of everything they do, these findings should be cause for concern.
“There are three key planks that have come through in our research over and over again. The first is centred on choice and control, the second is around the level of comfort with the current practice, and the third is really around fairness and safety – general expectations that people will be treated fairly and safely by companies and the data practices that they are implementing,” says Solomon.
Choice and control
Current privacy policies and terms of service are undermining meaningful choice, says Solomon.
“That's a problem for consumers, and it's also a problem for competition: Our research found 94 per cent of Australians say they haven't read privacy policies that apply to them, and we all know they're far too long,” she says.
“There's a lack of meaningful information in the policies themselves. So even if you try to read them, the lack of clear and transparent disclosure about what's going on is an issue. The length and the complexity is an issue, and there's no real way for consumers to actually even express their preferences if they wanted to.”
In most cases, she says, consumers have to “take it or leave it”, which CPRC research finds is leading 70 per cent of consumers to say they are accepting terms even if they are not comfortable with them.
“When we ask them why, three quarters are saying it's because it's the only way to access the product. There isn't actually any way for consumers to express the preferences that they have and to acquire products that meet those preferences – because it's a take it or leave it proposition.”
Comfort with the current practice, fairness and safety
Consumer Policy Research Centre research consistently shows “more than 90 per cent of Australian consumers are uncomfortable with how their data is collected and shared, and they're pretty disempowered to do anything about it,” says Solomon.
“The other aspect is that they want government to do something about it: over 90 per cent of Australians actually want government to intervene and protect them,” she adds.
“They want more meaningful ways to receive information about what's being collected. But they also want protection against misuse.”
Those three issues, she says, are “at the heart of a lot of the reforms that we look at – from the privacy perspective, consumer protection perspective and competition perspective.”
Solomon dismisses long-held views by sections of the ad industry that consumers say they want one thing but do another – and from big tech and publishers that claim people are happy to hand over their data in return for free services. She says they have no other choice.
“That behaviour is there because there is no other option. If there were other options, maybe consumers would be choosing different products and services. And that's a real problem for competition, too. So if there aren't meaningful choices, consumers actually aren't able to get in there [to access services in any other way]. And the market actually isn't able to deliver the sorts of products and services that consumers want and need,” says Solomon.
“So it's about how to ensure data is used in a way which is actually pro-consumer, pro-community and is used in the public interest, and also make sure that we have the appropriate guard rails to protect against misuse.”
What might change – identifiers under the microscope
Alongside moves to ban manipulative choice architecture – where people are nudged to hand over consent through ‘dark patterns’ – Solomon is pleased to see the core definition of what constitutes personal information under the microscope. The Privacy Act discussion paper signals a tightening of terms to encompass everything from a user’s metadata or online identifier to location data and pretty much everything in between.
“We see over 80 per cent of consumers saying they don't want things like their unique IDs shared with other parties, they don't want their phone contacts and other health information, or inferred information being shared with other parties as well,” says Solomon. “So that tightening of the definition is really important from our perspective.”
Former deputy New South Wales Privacy Commissioner, Anna Johnston, now principal of advisory firm Salinger Privacy, agrees redefining personal information will have major implications for brands and media – because legal definitions mean firms will not be able to skirt the rules.
Under the current Privacy Act, “all of the privacy obligations on organisations hang off when [companies are] handling personal information. So we see a lot of argument about whether a particular piece of data meets the [current] threshold legal definition of personal information or not – because if it doesn't, an organisation can say ‘we don't need to comply with the privacy principles in the [current] Act’. So actually clarifying what's within scope in that definition is really important,” says Johnston.
“They have said inferred data is in online identifier information that can individuate people – so be able to distinguish one person from another – such as your online behaviour, pattern data, location data. All of that is within scope.”
Consent – when yes means no, because there is no choice
The Attorney-General’s paper suggests the definition of consent will be beefed-up and enshrined in law, so that “when an organisation is relying on someone's consent, what you need to achieve that consent needs to be voluntary, informed, specific, current, and it needs to be an unambiguous affirmation,” says Johnston.
It means that consent policies will need to be slimmed down to simple, meaningful language so that consumers of average literacy can understand what they are agreeing to.
“We're getting to standardisation and comprehension testing. So basically, instead of having a 20-page document, you're coming down to something that's much shorter, simpler. You can use icons potentially, but it's tested in terms of readability.
“I don't underestimate the challenge associated with doing that,” says Johnston. “But that's certainly a lot better than where we're at the moment, where we've got very vague terms, very broad brushstroke ability for business to really enact a whole range of different data sharing without consumers actually really understanding what on earth that means or whether it's being used in their best interests.”
While the paper also states that some routine business activities will not need consent, there is also a “flip side” proposal to add “a new overarching fair and reasonable test over practices that collect, use or disclose personal information,” Johnston points out.
“So as an organisation, you have to meet that fair and reasonable test before you can do anything else. And my understanding is you can't ask your consumers, your customers, your citizens, whoever, to consent away the requirement of being fair and reasonable in the first place,” says Johnston.
She thinks that approach will give consumers the ability to lodge complaints if they feel brands or platforms have acted unfairly or collected data in a “covert” manner – and means all businesses operating in Australia will have to apply a “fair and reasonable test to whether or not you can collect or use someone's information”.
Johnston believes that will have significant implications for Australia’s digital media companies and advertisers.
“They'll need to apply that decision-making to online behavioural tracking, for example, or pulling together things into your customer profiling, making decisions about how we profile our customers, how we market to them, how we spend our advertising dollars.
“All of that will need to go through this fair and reasonable filter. So in the past, companies might have said, ‘if we don't know who the customer is – Facebook knows, but we don't know who they are, we don't need to worry about privacy’. There was this assumption that just because an organisation didn't know who someone was, they couldn't possibly do them privacy harm. That assumption no longer holds true. So the law is kind of catching up with the online world,” warns Johnston.
“We know that individuals can be tracked online, targeted for advertising, targeted for misinformation campaigns. Too many of those kind of behaviours have escaped regulatory action because today they've been able to say, ‘Well, we didn't know who the person was at the other end of that IP address that we were targeting. Therefore, our privacy obligations don't exist’. That's the big change.”
Online Privacy Code: Impacts for loyalty programmes, data brokers, everyone else
The Online Privacy Code paper name-checked the likes of Quantium, Acxiom, Experian and Nielsen when flagging incoming changes to how data can be used. It also signalled a tightening of how loyalty data can be used within the media supply chain – and expanded its remit to include, not just Big Tech, but all online platforms with more than 2.5m users.
Peter Leonard, professor of practice at UNSW's Business School, advisor to Gilbert and Tobin and principal at Data Strategies, warns the Online Privacy Code could spell trouble for data brokers – and pretty much everybody else. He smells another stoush brewing.
“Somewhere between the [initial] discussion in Senate estimates [in April] and today, the Bill has been expanded to cover so-called data brokerage services – defined in such broad terms that I'm not sure how to interpret who is not a data brokerage,” says Leonard.
“In essence, what the bill says is as well as complying with your obligations under the Privacy Act, you've got to develop a code which goes into detail about the disclosures that you will make and the transparency of your disclosures in respect of your acts and practices. And if you don't come up with it fast enough, then the Commissioner is empowered to develop a code and impose it on you,” says Leonard.
“So in that sense, it reflects the approach that the government elected to take with the news bargaining code.”
'Tougher than GDPR'
Leonard thinks what is ultimately being proposed for Australia is “beefed-up GDPR”, that is, Australia’s data privacy rules will be stronger than Europe’s, which means greater risk for businesses to manage.
“It removes some of the silly elements of GDPR and the Privacy Directive around cookie consent… But then it ‘super adds’ elements including ‘no go zones’, high levels of requirements as to transparency of privacy affecting acts and practices, including in respect of online behavioural advertising and other forms of profiling,” says Leonard.
“[It also includes] new provisions relating to so-called higher risk profiling, which reflects some of the current proposals in the European Parliament but haven't yet found their way fully into GDPR,” he adds.
“All of that in the Australian context does create some real potential exposures for businesses, particularly in respect of digital advertising practices. Because each time there is a requirement for higher levels of transparency as to disclosures, particularly in relation to highly technical processes such as use of online identifiers – online tracking codes that may not be associated with individuals – it's very hard to make those disclosures without leaving something out and explaining them in a way that they are capable of comprehension, applying the standard that they have to be comprehensible to a person of below average literacy.”
Risk averse will walk away
In short, says Leonard, every time transparency requirements are cranked up, “even if consent is not required, there is significant jeopardy created through the potential for an organisation to get it wrong, to make it incomplete – and that of itself creates exposures under Australian consumer law as well as under Privacy Act.”
He thinks the upshot is that companies fearful of getting consent wrong will walk away from some practices taken for granted today.
“When you have fairness and reasonableness [requirements] coupled with a high level of transparency required as to disclosures, there's real jeopardy created for organisations in their Privacy affecting acts and practices. And we might expect, therefore, to see significant winding back of privacy affecting acts and practices by organisations, even though they're not subject to expanded consent requirements.”
The ‘fairness and reasonable test’ being mooted by lawmakers will apply to both primary and secondary use of individuals’ data – hence the supply chain implications. Leonard thinks there is much for businesses and their compliance teams to worry about.
“If you add together the elements of the fairness and reasonableness test, ‘no go zones’ – i.e. advertising directed at children – the level of transparency that is required, not only of data brokers, social media organisations, large digital platforms, and potentially, when these proposals are enacted, other organisations, that would create a higher level of obligation and restriction than is currently the case under GDPR.”
But Leonard doesn’t think the new rules will necessarily spell the end of things like online identifiers and geolocation tracking.
“No, that will not be prohibited. But a much higher level of transparency disclosures as to these practices will be required…There would be more clear disclosures up front as to what is happening and then an ability for individuals to opt out from direct marketing using those kinds of individuating practices.”
Prepare to change the way you operate
For publishers, brands and the media supply chain, The Guardian Managing Director Dan Stinton thinks there is a single standout – and it means the digital ad industry is going to have to change.
“The key thing that our industry needs to understand is that the definition of what is personal information is going to become much broader,” says Stinton.
“Our industry has largely operated on the premise that you can collect as much consumer data as you want as long as you can't re-identify an individual. The problem is that that's only one of the potential harms. Probably the more significant harm is that individuals can be ‘individuated’ – and that means putting them into advertising segments or cohorts where they can be unfairly discriminated against.”
He cites smokers as an example, where those who have an interest in smoking cessation could be “negatively targeted for nefarious purposes.”
“Our industry is largely operated [on the basis of] as long as you can't really identify someone, you're fine. I think what's quite clear from these proposed changes is that that's no longer the case. And so everyone's going to have to really rethink the way that they operate.”
The Guardian, he says, is already operating to GDPR principles given it is UK-headquartered. He thinks the privacy proposals will bring Australia up to speed.
“This broadening of the definition of personal information is long overdue and just that one change alone will bring Australia's Privacy Act up to adequacy with GDPR and others around the world.”
He says the publisher commends the fair and reasonable test for collection of data, and hopes it will remove the need for consent pop-ups “littering the internet”.
“It’s probably reasonable that a consumer who comes to The Guardian would expect that we are going to see what they're reading and put them into an auto intenders category, or a travel contenders category or whatever else, and therefore the need for us to ask for consent in that circumstance, given that there is no material risk of consumer harm, goes away. And that's a really good thing,” says Stinton.
He says the publisher also backs proposals to tighten the purpose limitations test – which he thinks will make it harder for credit card purchase data, for example, to be used for targeted advertising on publisher websites.
“We think that is for the good. Others might disagree, but we think most consumers would think that is a pretty unreasonable use of their consumer data.”
Meanwhile, Stinton thinks that purpose limitations in conjunction with the ACCC’s mooted data separation plans will also stop the likes of Google from using data collected across its various apps and services to give it an advantage in digital advertising.
“I think these two things in concert will have a really significant impact on curbing the data arms race and stopping everyone basically trying to track everything you do online for the purposes of building up a huge profile about you that can be used for a whole bunch of ends that the consumer wouldn't expect,” says Stinton.
Crime, punishment, class actions
The Guardian's Stinton says for any of the privacy plans to work the regulators must be given the financial resource to enforce.
“Without that, we're not going to see a huge amount of change… People will be able to get away with what they're doing now.”
Peter Leonard agrees that the Office of the Australian Information Commissioner will need proper funding if it is to succeed where GDPR has failed. But he points out that the discussion paper also opens the door to consumer class actions, arguing the potential for even higher penalties as a result “could be quite a powerful disincentive on organisations”.
Whether the Online Privacy Bill, let alone the broader Privacy Act, makes it to parliament before the next election is doubtful. But Australia’s ad industry has been served notice of what is coming – and would do well to start preparing now.