‘A little alarming’: ACCC widens net on data firms creating audiences and segments from ‘non-identifying’ information, set to expand to first-party data with tougher enforcement and prosecution
Another salvo in the fast approaching privacy regime set for tabling in parliament in August was fired last week by the ACCC around how personal information is collected, used and sold by data firms – Experian, Nielsen, Publicis-owned Epsilon and Woolworths-owned Quantium were among those flagged by the competition regulator last week in its eighth interim report as part of the multi-year Digital Platforms Inquiry. But the regulator has gone much further than putting these companies in the spotlight - it originally called them ‘data brokers’ but industry players in their submissions to the ACCC protested at the descriptor because they asserted they did not trade in personal information. Rather, they enabled companies who bought their services to segment and target audiences with shared attributes through the use of information that wasn’t personally identifying. So the ACCC changed the term to “data firms” in last week’s Data Products and Services interim report and, for good measure, broadened the scope of what a data firm is to what UNSW’s Business School’s Professor of Practice and Principal at Data Synergies, Peter Leonard, says now makes “every firm in this economy a data firm.” And in the short-term, that’s not good news for most companies because their data readiness and maturity is not matched by the “fundamental change” which will force everyone to “rethink their understanding of what even defines personal information” according to ADMA’s Director of Legal and Advocacy, Sarla Fernando. Leonard and Fernando are joined by Capital Brief’s Legal and Regulatory Affairs Correspondent, Laurel Henning and Civic Data’s founder, Chris Brinkworth. And for a tantalising teaser, Future Media’s Ricky Sutton lays out the changes Google is making to its search engine which is already seeing organic referral traffic to publishers abroad drop 40 per cent – brands, he says, are facing similar declines. Here's the topline takeouts from this week’s podcast panel of experts on the ACCC’s new intent for tougher definitions, enforcement and prosecution. Listen to the podcast here, it's rich pickings.
This is no longer just about the creation of cleanrooms and ensuring that we're not disclosing personal information, identifying information to anybody else. We need to think about whether our practices are going to pass this new likely requirement of being fair and reasonable
Rude shock
To be blunt, any professional working in ecom, marketing, customer experience, digital advertising and data and analytics is going to have a rude shock for what they can do now versus what is likely in a year or perhaps a bit longer.
The problem, says ADMA’s Director of Legal and Advocacy, Sarla Fernando, is that most companies and execs affected by the intensifying position from the ACCC and the Federal Attorney General’s Privacy reform to clamp down on the side of consumer protection is that many are deferring their readiness under the argument that’s it’s still coming.
“This is fundamental change so everybody's going to have to rethink their understanding of the definition of personal information,” says Fernando. “It's a rethinking of what that will all now entail because that that lack of clarity that we've had up until now has kind of been a loophole from a marketing perspective. This shift has been coming to the marketing industry. If we go back to the beginning of the ACCC’s work, marketers were very much thinking all the data that they collected, they were just continuing to collect that data, and then think about what they would do with it. This report just absolutely clamps down on it. That’s definitely not the way that we can move forward.”
Consumer protection at all cost
For Peter Leonard the latest ACCC report enshrines the new assertiveness from the regulator to redefine and enforce consumer “harm” protections under consumer law and outlaw many of the practices common today around creating, segmenting and targeting audiences, even when they are de-identified.
“This report really zeroes in on the broader topic of how data is used by third party intermediaries in the Australian economy for a range of activities, including segmentation of audiences, for determining differential treatment of those audiences, regardless of whether or not they are identifying. And that's a really important distinction because that then leads the ACCC to say, hey, amongst other things, we need a new power to address so called unfair business practices in the Australian economy, which include as they see it, a range of consumer harms that might flow from uses of data to segment people by attributes or characteristics, even if those individuals are not identifiable.”
So in lay terms what does it all mean for companies and practioners?
“The really important point is that we are at a pivot from notice and consent to rules around what are fair and unfair practices in relation to targeting of individuals. And I mean, targeting in the broadest sense, not just behavioral advertising, but any form of segmentation of audiences to determine how or on what terms product, or indeed whether at all products or services are offered to consumers. So that's a really important change, because it means that organisations have to take a step back and say this is no longer just about the creation of clean rooms and ensuring that we're not disclosing personal information, identifying information to anybody else. We need to think about whether our practices are going to pass this new likely requirement of being fair and reasonable, as they're described on the privacy side, or not unfair business practices, as they're described in the way consumer protection legislation is likely to go.”
ACCC shift a little alarming
For Capital Brief’s Legal and Regulatory Affairs correspondent, Laurel Henning, the intent of the regulator has clearly shifted since the start of the Digital Platforms Inquiry in 2019 to protecting consumers, regardless of where industry has landed on how it deems privacy compliant practice. Consumer law and the appetite by the regulator to enforce it is a novel idea most in industry are not familiar with.
“There's quite a key takeaway in the ACCC report which is interesting and perhaps also a little alarming,” she says. “Considering how long these reform discussions have been going on for, the ACCC is saying that actually, some of these issues will only be addressed through existing consumer law…even with a strengthened Privacy Act. That goes to the location data piece perhaps and misleading consumers and where they've had [prosecution] success there previously [under consumer laws]. But it also goes to their calls and continued calls for unfair trading practices, prohibitions against things like click-wrap, take-it-or-leave-it terms or bundled consent. And so I think the fact that the regulator's live to the fact that we need to go beyond where even these [Privacy] changes that we're waiting for, are going to get us to. I think that's the real key takeaway here.”
Henning also warns there are clear signals from the ACCC to apply more scrutiny to mergers and acquisitions in the data sector. Woolworth’s deal to buy Quantium is one example that may not slide through as easily under this new consumer-first regime. “The ACCC is really concerned by the extensive merger activity in this industry…and it's going to be empowered to take much heavier or harder lines and have increased scrutiny on deals from January 2026, when it probably will have a new merger clause or a new merger regime at its disposal. That's going to change the landscape as well.”
Cleanrooms and ID hashing
For Civic Data’s Chris Brinkworth, like Leonard and Fernando, the ACCC’s latest interim report only entrenches the urgency in which companies must start preparing for an entirely different data use and management strategy which eschews assumptions of consent compliance to whether the use of data is fair and reasonable – and is explained in language that a person of below average intelligence can understand. That means material shifts in data cleanrooms, ID hashing and many techniques industry today assumes are a given.
“For anything that is used to try and remember who someone is across different separate publisher websites, you quite often need to have a mishmash of an identity jigsaw puzzle, such as a hashed phone number, or a hashed email address to understand who that user is when they come to a website. Quite often that is acquired through using data brokers. So, if you've invested in a customer data platform to create cohorts and segments, and if you've not been clear in your notice, it is not clear and transparent in regards to when you collected that information that you'll be creating different cohorts and segments to personalise content, to personalise products to that particular consumer based on that information, then that becomes a challenge here as well.”
Below average intelligence
Brinkworth says there will be material challenges to how data clean rooms operate.
“Using a data cleanroom is absolutely fine if you can prove that you have the consent and you've disclosed how you're going to be using that data. If you're using a data cleanroom as a workaround to bypass laws, then it probably won't be a great idea in the future. They’re still a great solution if you're doing everything by the book and you're being transparent and disclosing how they’ll be used. But the challenge is a lot of companies do use any and all technologies without knowledge. It's not through their own fault but it’s without knowledge of what they're really doing. It's all going to come down to clear contracts, clear notices, and clear consent. If you cannot be clear about those aspects of what you're doing, then I think that's where you're going to very challenged.”
Peter Leonard concurs on data cleanrooms – there’s a “real gap” he says in the “data maturity” of the digital ad sector, particularly.
“The basic problem with data clean rooms today is that many of them aren't clean enough,” he says. “They haven't really cleaned them up, ensured that the data is truly de-identified and there's no leakage. But the second point is that very few organisations have actually tackled the next hard point, which is how do we explain to the public how we are using de-identified information, and exactly how they are being targeted,” he says. And again, explained in a way that a person of below average intelligence can understand.
And the killer point for the entire industry lies at the tail end of the ACCC's report last week around what's coming for first party data: "The ACCC acknowledges that this report considers only a portion of the data ecosystem, that is, the data products and services offered by data firms that generally do not have a direct relationship with the consumer. Data collection by firms directly from their customers is even larger in scope. Accordingly, the ACCC considers that further work should be undertaken by government to understand the flow of data more broadly across and around the Australian economy."
So the core takeouts from this panel of experts? Those that prepare now for what is clearly fundamental regime change around personal information and it’s use will be the new winners. And listen to this entire podcast. It’s rich pickings for those not kicking the can down the road to nowhere.