What you need to know:

• According to new consumer research from Honeycomb Strategy, 77% of Australians value their privacy over a personalised experience.
• They’re also more mistrusting of brands regarding their personal data than ever before off the back of the whopper data breaches across organisations such as Optus and Medibank that affected millions of Australian consumers.
• It’s a similar narrative from the latest ACCC Digital Platform Inquiry Report on Data Products and Services, which found 74% of Australian consumers aren’t comfortable with their personal data being shared or sold and feel little to no control over the situation.
• Yet the playing field is not even – depending on industry, inherent levels of bias and trust exist that can help or hinder brands to build consumer trust in the modern world of privacy and data breaches.
• With the accelerated tabling of Australia’s newly overhauled privacy legislation set for August, poor consumer sentiment about the way personal data is being used should be sounding alarm bells for brands looking to pass the "fair and reasonable" test they’re inevitably expected to face under the new laws.
• But where they can take action, consumers will. More than one in three respondents to Honeycomb’s survey would switch companies if they had a data breach while they were customers – even if their data wasn’t compromised.
• There is demographic nuances however, in views on personalisation. As per Bevitt: “Young people are relatively less concerned with data privacy, and value personalisation more”.
• In preparation for a new world of data scarcity, Bevitt also sees some brands starting to think laterally about sourcing proxies for pieces of personal identifiable data. An example in the retail space is replacing birthdays with celebrating your anniversary for signing up. “It’s still an event and a brand-related connection, but you’re not having to source something personal or private in order to give that reward,” says Bevitt. “It’s about getting more creative and rethink what we’re doing without necessarily getting that personal information.”

More than three in four Australians value their privacy over a personalised experience, says a new survey from Honeycomb Strategy. They’re also more mistrusting of brands regarding their personal data, full stop. That’s even as they exhibit apathy in the face of the growing number of data breaches they’re being exposed such as the Optus breach affecting 9.8 million consumers, and Medibank’s subsequent breach impacting 9.7 million Australians.

Take the fact 84 per cent agree their personal data is at risk no matter the size of the company. Or that 59 per cent have accepted they have little control over what companies learn about them online. Or that nine in 10 want more transparency around how brands intend to use their personal data.

Yet the playing field isn’t an even one for brands. Inherent levels of trust and belief in the rigour of data and privacy practices in some verticals versus others means the baseline for your brand could well be vastly different to that of another’s.

Those are just some of the top-line figures from a fresh survey of 1000 Australian consumers conducted by agency, Honeycomb Strategy. The findings come as the ACCC’s newly released Digital Platform Services Inquiry (DPI) Report on Data Products and Services also lays bare concerns both consumers and the Government are voicing around the murky way personal data is being collected, used and shared by companies today. As the Privacy Commissioner put it at a recent event, brands should be worried.

Regulatory risk is live and legal for marketers, publishers and the media, martech and adtech supply chain.

Trust crunch

According to Honeycomb’s Brands Beyond Breaches 2024 report, produced with the help of PureProfile, social media is the least trusted industry by Australian consumers for protecting their personal data – both the brands on social (72 per cent) plus the platforms themselves (70 per cent).

However, distrust pervades every single industry out there, with media companies (65 per cent), search engines (58 per cent) and market research firms (50 per cent) rounding out the top five list. Not far behind are ecommerce companies (49 per cent), industry trade publications (48 per cent), online services (48 per cent), health and fitness companies (48 per cent) and technology brands (45 per cent).

It’s obvious those high-profile data breaches of the last few years have taken their toll on consumer sentiment. Top reasons consumers say give them a heightened distrust of businesses include if they’re known to sell customer data to third parties (46 per cent), if they collect more personal data than seems necessary (45 per cent), and if they’ve heard about data leaks or security incidents in general, even if small (44 per cent). A company having a well-known or significant data breach came in fourth (43 per cent), while the fifth-highest trigger for distrust is sending too much spam (42 per cent).

In a similar vein, a 2023 survey by the Consumer Policy Research Centre (CPRC) cited by the ACCC’s new DPI report number 8 found 74 per cent are uncomfortable with the idea of their personal information being shared or sold (Source: Not a fair trade: Consumer views on how businesses use their data, March 2023). As was also quoted in the ACCC report, another 2023 CPRC study, Data Privacy Perspectives, found more than 70 per cent of consumers believe they have little or no control over what personal information online businesses share with other businesses.

Notably, 13 per cent of respondents to Honeycomb’s survey said they simply don’t trust any brand with data security, regardless of who they are. What should further alarm marketers is that one in three see ‘too aggressive marketing communications’ as a sure sign of a business they should distrust with their personal data.

It’s a paradoxical situation, says Honeycomb Strategy managing director, John Bevitt. What struck the agency leader first was the lack of control consumers are feeling around data breaches.

“It’s become so normal now consumers are almost disempowered to feel anything but apathy – if they were to be emotional about every data breach they’d have a breakdown every day,” he comments. “Obviously some are more impactful than others depending on what data is on hand.”

But it’s equally clear consumers will take action where they can. While several experts will tell you the jury is out on whether brands really do suffer long-term losses from data breaches, Honeycomb’s survey does indicate being impacted by such an incident leads to consumers walking away.

More than one in three (36 per cent) respondents said they switched providers after the Optus breach, and the same percentage said they switched brands after the Medibank breach. A further 30 per cent and 23 per cent, respectively, said they planned to switch. Across all categories, 34 per cent of respondents said they’d switch companies if they had a data breach while they were customers – even if their data wasn’t compromised.

Extrapolated out, the Optus and Medibank data breaches over the last two-and-a-half years indicates 7 million consumers will never trust Optus again, and 5 million won’t trust Medibank.

The uneven ground industries stand on when it comes to trust

Asked what brands should do if they do have a data breach, Honeycomb’s research found the majority of consumers want them to increase security over personal data (79 per cent), provide services to those affected to re-secure their data (67 per cent) and financially compensate those affected (66 per cent).

But it’s complicated. Another factor in the mix influencing how consumers view brands and their ability to protect personal data and privacy is inherent trust or mistrust in the rigour of data protection across certain sectors. Several industries have a higher starting baseline for consumer trust, with the common thread those holding the most sensitive consumer data in the first place. Consumers simply expect them to be protecting their information due to stricter data protocols.

Healthcare institutions are the number one most trusted industry with personal data in 2024 (61 per cent), followed by banks and financial institutions (56 per cent), then government departments and organisations (52 per cent). After a huge gap come utility and service companies (35 per cent) then insurance companies (31 per cent). By contrast, three in four consumers don’t trust airlines, one in four don’t trust the telcos or ISPs, and one in five don’t trust either loyalty / rewards cards or supermarkets.

“Something I hadn’t considered was the level of distrust that exists for an industry across the board, creating a baseline for brands. That means not everyone is working at the same level,” comments Bevitt. “If you’re a government, healthcare or financial services provider, that baseline is higher than a social media company. That therefore impacts how you handle comms, your level of flexibility with what data you have on hand, and how you manage conversations on breaches.”

Enter another paradox – and there are a few, continues Bevitt. “Consumers say yes, I know, my behaviour is not the best in terms of how I behave online with my data. But I still put that accountability on organisations,” he says.

For example, one in two don’t know how to secure their personal data, while two in three don’t know what to do if their data is compromised.

“A lot of what we’re advising brands now do is spend time educating and helping consumers develop those right behaviours,” Bevitt says. “T&Cs is a good example. We’re so focused on being part of the journey and outcome, that the default is to shortcut it, even though you know that what you’re doing could potentially cause trouble in the long term.”

As pointed out in the ACCC’s DPI report, it would take consumers 46 hours on average to read every privacy policy they encounter in full, with each carrying more than 6800 words.

“Understandably, many consumers do not engage with privacy policies, and in any event, usually have no choice but to accept the terms and conditions of use in order to access a product or service. This raises the question of whether this can be considered informed consent,” the ACCC report authors state.

Honeycomb labels this acceptance of T&Cs without full comprehension as a mix of present bias, default bias and cognitive strain.

“It’s about trying to demystify and design things like T&Cs in a way that empowers rather than disempowers consumers,” Bevitt says. “Consumers aren’t seeing the benefit. The default is to either just accept a minimal standard or run through it without expectation of return. When you ask them directly what is their choice, the preference is privacy over personalisation.”

Personalisation under fire

Should Australia’s upcoming Privacy Law overhaul come into effect with all the ‘fair and reasonable’ and targeting curbs promised, there’s a huge question mark hovering over personalisation as marketers know it. In the battle of personalisation over privacy, Honeycomb’s research found 77 per cent of Australians agreeing they value data privacy over a personalised experience, up 5 per cent year-on-year.

It’s worth noting what people consider is sensitive personal data. Honeycomb found the most sensitive data in 2024 includes bank / credit card details (91 per cent), identification documents (87 per cent) and biometric data (82 per cent). Similarly, CPRC’s research last year a driver’s licence number (91 per cent), mobile number (86 per cent), full name (83 per cent), email address (79 per cent) and IP address (81 per cent) to be the top pieces of information consumers find most unacceptable when it comes to building profiles of them.

Location data isn’t kosher either. The CPRC found 87 per cent of Australians believe tracking an individual’s location when not required for a location-based service was not fair and reasonable. Along with consent, it’s these very markers brands will have to meet in order to apply targeting to engagement. More than half of respondents to a 2023 OAIC survey also said websites, apps and devices that tracked their location was one of the biggest privacy risks they face today.

But there are demographic nuances in views on personalisation, Bevitt tells Mi3. “Young people are relatively less concerned with data privacy, and value personalisation more,” he says.

For instance, those under 35 years of age are significantly less likely to say, ‘I value data privacy over a more personalised experience’ although two-thirds of them still lean to privacy (67 per cent versus 78 per cent of Gen Xers and 86 per cent of boomers).

Gen Z and the majority of millennials are significantly less likely to see a company monitoring behaviour online across websites or recording it without their knowledge as a misuse of data. They’re also less inclined to frown upon companies using their personal data for a newsletter, or to send personalised offers. In addition, they’re significantly less likely to be concerned about having their identity stolen (62 per cent of under 35s versus 75 per cent or more of older consumers).

“As a result, younger people don’t secure their data as much as their older counterparts,” Bevitt says.

Like passwords: While six in 10 consumers over 55 keep track of passwords, only 42 per cent of under 35s do the same. Younger consumers are more likely to use basic passwords or the same password across platforms, and to connect to public WiFi networks.

“Interestingly, despite all this, they are most confident when asked: ‘’I’m confident my personal data won’t be stolen’,” says Bevitt. “Younger people are less likely to claim to have had their data breached, though their response if they have is different to older people.”

The caveat is older people are more likely to be unsure of whether they’ve been breached or not. Cut by generation, millennials are most likely to have been breached (44 per cent), then Gen X (42 per cent), Boomers (34 per cent) and Gen Z (30 per cent).

Even so, young people are most likely to switch or plan to switch when it comes to those who have been breached – even if it wasn’t their own data affected but they were still a customer.

“But in the same breath, they are more forgiving of brands subject to breaches. Young people are significantly more likely to say about Optus and Medibank ‘I trust them less than I used to, but they might win it back’,” Bevitt says.

Managing the conversation and proxies in an era of data scarcity

So with all this in mind, what can brands and marketers do given nefarious cyber actors and privacy changes are inevitable?

“It’s about managing the conversation, both during and after a breach, but also exhibiting consumer-centric, data-driven behaviour,” Bevitt says. “There is a lot of apathy and scepticism around brands not making the most of the data they have on hand, so why should they have it if they’re not making the most of it and providing benefit to the giver?

“Outside of breaches and going back to Cambridge Analytica, the selling of people’s data, credential stuffing –all these other things aren’t a cyberbreach, but they are a breach in privacy. And brands are expected to have some accountability for that.”

For Bevitt, a new era of data scarcity has arrived. “We have been in the situation where brands have such an abundance of data… Think about the gold rush: During the period where there was an abundance of gold, it was easy to find it. Getting to the back end, it was a lot more scarce, stressful, not everyone was able to get it and not everyone was winning. I think we’re dipping into that scarcity phase,” he says.  

“I am hearing brands are already starting to think about low-hanging fruit methods where they can source a proxy for a piece of personal identifiable data. An example in the retail space is asking your birthday – the rationale being to give you a discount or gift. We don’t necessarily need that, we could celebrate your anniversary for signing up. It’s still an event and a brand-related connection, but you’re not having to source something personal or private in order to give that reward.

“It’s about getting more creative and rethink what we’re doing without necessarily getting that personal information.”

There is the broader question of data ownership Bevitt posits too, pointing to Open Banking as a kick-off point.

“There are conversations around that in the health space, where you as the consumer own your data and you choose who you provide it to, as opposed to it being hoarded and owned by a brand. That immediately shifts the weight of power and forces brands to step up their game to say here’s why we deserve the data you’re giving us, as opposed to taking all the data and doing whatever we want with it,” he adds.