It’s high time marketers squared up to the “dead data sets and processes” they’re still using in campaigns and figure out if the ROI from potentially iffy practices and consent is still worth the risk of regulatory scrutiny, says Qantas head of legal, cyber and data privacy, Kate Friedrich. Because tougher enforcement is exactly what she sees coming sooner rather than later.

The aviation compliance chief was speaking on an ADMA panel at this week’s SxSW following the release of the Federal Government’s first tranche of Australian privacy reform last month. Other panellists included Choice consumer data advocate, Dr Kate Bower, along with ADMA director of regulatory and advocacy Sarla Fernando.

“Halloween is coming up: Bring out the dead data sets, bring out your dead processes, look at them and go, what’s the return on investment,” Friedrich advised marketers. “Work with agencies to understand if you are getting the same cut through you got in the previous world order, and think about what new opportunities the new [privacy] acts will give you if you embrace fair and reasonable tests, and simplify and provide transparency in notices and privacy statements. Frame it as an as an opportunity, and it’ll be a lot easier to get in front of what we expect to see coming through in tranche two.”

As reported by Mi3, the first tranche of long-awaited privacy reform hit the Australian market last month. It was nowhere near as all-encompassing as first expected by the industry – even Privacy Commissioner Carly Kind was underwhelmed. But that doesn’t mean it doesn’t have bite. From new transparency requirements across automated decisioning to greater penalties, there are step changes in the mix that should keep marketers pumping the gas on compliance, data and privacy notices. They’re also street signs to the bigger, heftier changes coming in tranche two.

ADMA panellists agreed Australia’s privacy Act 2, while not expected until after the Federal election mid-2025, will still carry all the weight the marketing industry has been warned is on its way. Most notably are wider definitions around the concept of ‘sensitive information’; more stringent requirements around data collection in and of itself; a new fair and reasonable test that will be world-first in its scope; larger penalties for serious data misuse; and the removal of small business exemptions.

“Before it was about collecting as much data as we can for that single customer view. Now we have to think upfront about what it is we think we’re going to do with data, so legal teams can put it into the privacy notices,” Fernando told attendees. “Sensitive information will become more fluid. Things like de-identified information aren’t necessary going to remain that way.

“What data we have and how we collect it is number one; number two is the context for which it’s used – all things we have to think about as marketers. We can’t just leave it to the compliance teams.”

The industry can’t leave it until later either. Both Friedrich and Dr Bower, warned the risk of regulators cracking down on the smaller, non-compliant breaches is a growing threat now.

“With more penalties coming in, the focus for the regulator will no longer be just cyber breaches or data breaches like Medibank's, it’s going to be a lot more about more contraventions, privacy statements that are non-compliant,” Friedrich warned. “If we look to ACMA and the infringement notices issued recently, it’s no surprise the Privacy Commissioner is saying they want to become an enforcement regulator and we then start to see more activity in that space.”

Since the start of 2024, infringement notices issued by ACMA include a $2.5m fine for Pizza Hut Australia for sending marketing emails without consent, contact details and a sufficient unsubscribe facility; a $1.5m fine for Telstra for failing to send a notification to customers making it clear how identity authentication processes were used either immediately prior to or immediately after undertaking a high-risk customer transaction; and a $1.5m fine for Luxottica Retail Australia for sending emails without consent and without a functional unsubscribe facility.

“Even with the reforms on the table now, we are seeing a shift in regulators towards a stronger enforcement position,” Dr Bower agreed. “Don’t think it’s something you can necessarily wait on. We might see some change from strengthened regulator shorter term.”  

A question raised was how much knowledge is enough for marketers versus what’s in the realm of the compliance and legal teams.  

“It’s important to have an awareness, understanding and be educated in a way that’s proportionate to the data you handle,” Friedrich responded. “If you’re coming up with campaigns that you know use include sensitive information, you probably need to familiarise yourself to a greater extent than someone who is using basic contact details to email.

Rethinking database growth

The other very real situation panellists recognised marketers are in is balancing the needs of compliance and more transparent and informed consent against years of conditioning that have teams KPI’d on bigger contactable database and leads to the sales teams. The big shift in reform provides an opportunity to think differently about consent, said Dr Bower.

“If you’re worried about the size of your databases, it says more about the governance, board and leadership level and support for privacy. It’s up to marketers to say if we do this, we are going to have a more honest relationship with our customers, but we probably are going to have fewer people signing up to marketing – have fewer people sharing information with us,” she said. “That is just going to have to be the cost of having a genuine and honest relationship.

“I understand marketers do have list KPIs… and it’s challenging to have those. We want to lead them to the light. It’s an opportunity to build genuine trust and not expect consumers to spend hours and hours reading things or ticking things they don’t understand.”

Friedrich went further, labelling the fair and reasonable test as “a very exciting development” to Australia’s privacy architecture and one that should open up more innovative ways of brands engaging with consumers.

“If we look at it as a pressure valve being released, it’s using that test to not only meet technical compliance, but as an innovation mechanism. What sorts of things can you do, looking at your customer group, that perhaps will make you a market leader?” she asked.

“Put yourself in the place of the consumer, and think about collection statement, privacy policy, secondary purposes, which have to be clear under new legislation. Would you expect that to be the outcome of a brand using data in that sense? There’s real value in putting yourself in the place of the consumer and working out what that looks like.”

On a technical level, Friedrich then urged brands to data map. “You don’t know what the risks are if you don’t know what data you have. What consent are you relying on, what are you using it for? Are you still getting the same return on investment as when you collected the data? Are there any processes, marketing approaches where you can replace or complement your data-driven marketing with contextual advertising?”

And remember data is ultimately about people, said Fernando. “When we collect that data as businesses, we sometimes forget there’s a human being at the end of that data.

“Some of the least trusted brands over the last year are the brands that had data breaches or problems with data. Consumer trust, which we do everything for as marketers, is directly related to our digital marketing practices. If we realise that, we’ll probably sacrifice those few people who won’t opt in, because we’ll be keeping the people that want to talk to you.”