Privacy and regulatory update: Banks, retailers, brands, loyalty operators, publishers face ‘substantial’ tightening on CX data, martech, adtech use as consumer groups wedge business lobby in Canberra on privacy review’s 'personal information'
Forget cookies, regulatory risk is live and legal for marketers, publishers and the media, martech and adtech supply chain. Peak industry groups are responding to economic analysis commissioned by the Attorney General's department on the cost to implement what some say are hardening privacy reforms, including tightening rules on geo-location and what constitutes personal information. Data brokers like Woolworths-owned Quantium, however it may protest to the contrary, will also find out within weeks if not days whether their arguments hold regulatory water – and it will likewise be an anxious wait for loyalty operators and their retail media progeny as privacy and consumer advocates successfully displace industry within Canberra's sphere of influence. Across the pond, the US Justice Department and Federal Trade Commission have seemingly decided to try to break up Google in a series of lawsuits. So if you're planning major martech, CX, adtech and data investments, privacy experts suggest holding fire – and getting to grips with what is about to hit. There's massive change in play, with day-to-day movement. Here's the latest from experts Peter Leonard, Ricky Sutton, Laurel Henning and Chris Brinkworth – with least-regrets actions for brands, publishers and pretty much any business turning over north of $3 million.
What you need to know:
- Despite intensive lobbying from loyalty scheme operators and beyond, Australia’s sweeping privacy law overhaul remains on course to land this year – with massive implications for just about every business.
- “It's now clear that we will see a substantial broadening of what is regulated as personal information,” according to Data Synergies Principal, Peter Leonard. “That will include use of online tracking codes and techniques such as fingerprinting, which enable the targeting of individual consumers – and I think we will see that regulation encompassing not only online targeted advertising, but also targeting of content.”
- Which gives publishers something to ponder – especially those making major martech investments, says Civic Data’s Chris Brinkworth. Across all sectors, Brinkworth warns companies are leaking data on a wholesale basis “in a way that contravenes current Australian Privacy Principles let alone future Australian Privacy Principles”.
- The broadening of personal information definitions will also govern use of CX data within martech stacks, effectively limiting what banks and retailers, for example, can do with customer data unless they can explain it to “someone of below average intelligence,” per Leonard – and provided it passes a test of ‘fair and reasonable’ use. If not, prepare to fall foul of the Privacy Act, face class action lawsuits and massive fines.
- The Feds, warns Leonard, are getting firmer on their position, and industry is not being heard “at the same level that privacy advocates and a number of the consumer organisations are being heard in Canberra”.
- Meanwhile, the ACCC’s probe of data brokers is expected back from Treasury as early as this week, with fallout likely for Australia’s marketing supply chain. “We’re all talking about Meta and Google hoovering up data, but I think the biggest operator in terms of data brokerage in Australia is Woolworths’ Quantium,” per Laurel Henning, Legal and Regulatory Affairs Correspondent at Capital Brief.
- But across the pond, Google now faces genuinely existential challenges, says Future Media’s Ricky Sutton, as the US Justice Department and Federal Trade Commission “have both said that what they're seeking is a breakup of Google. So there are big changes ahead.”
- Governments, says Sutton, have decided enough is enough, big tech is about to cop it – and the impacts will be market-wide.
- There's always more in the podcast. Get the full download here.
So much for subtlety
The Federal Attorney General kicked off 2023 by outlining the biggest overhaul of Australia’s privacy regime in two decades. At that point, the marketing supply chain realised just what was at stake – cue major lobbying.
Then last September the Federal Government set out its policy response, dumping some provisions – but broadening what constitutes personally identifiable information, with significant implications for brands, publishers, adtech and martech firms and just about anybody doing any form of targeting.
Since then, suggests Peter Leonard, Professor of Practice, UNSW Business School and Principal, Data Synergies, there’s been some horse trading going on. But he thinks business is still being bested in Canberra by consumer advocates – and time is running out to influence big ticket items. That may change if industry can convince government that its proposals will have too deep a financial impact – hence peak advertising and marketing industry groups are engaging in a joint cost analysis exercise.
Irregular apocalypse
“The current process is quite unusual in that we had the government setting out its policy response and since then we've had the Attorney General’s department in industry roundtables really developing – and in some respects changing – what the government said last September. And we're about to go into a further phase of a bunch of economists doing a cost benefit analysis of what the government is proposing.”
Leonard said those economists are likewise going through industry round tables asking industry, for example, what the cost – i.e. economic losses – would be of law changes to online targeting as proposed versus any benefits.
“So we're going through this rather odd process.”
Leonard thinks that may partially be political, given small businesses with less than $3m in turnover will no longer be exempt from Privacy Act obligations. SMBs, he says, represent “a lot of voters … and we’ve got an election coming up next year.” But he suggests there has been heavy lobbying at the top end of town as well.
“I think there's also been some sectors of the economy, financial services sector, perhaps customer loyalty schemes, where there have been comments made that what the government is proposing is going to fundamentally change their business models and what they can do, and that it would have significant costs to the Australian economy,” says Leonard. “So the government, I think, is wanting an economist to look at those claims and see whether the suggested costs make sense or not.”
But while those developments may yet see some softening of Privacy Act specifics, Leonard suggests the core principles are firming up – with implications for publishers as well as marketers.
“It's now clear that we will see a substantial broadening of what is regulated as personal information – and that will include use of online tracking codes and techniques such as fingerprinting which enable the targeting of individual consumers,” says Leonard.
“I think that we will see that regulation encompassing not only online targeted advertising, but also targeting of content. So we will see new regulation that requires a much higher level of transparency around how and why targeting is being used online – both of content and in relation to advertising – and then a higher level of regulation of online targeted advertising, including likely an opt out requirement being offered to consumers so that they can opt out from receiving online targeted advertising. So quite significant changes affecting adtech, martech and indeed other forms of targeting of content online.”
For publishers, the proposals “as currently stated” would effectively require them to disclose “how and when they are targeting content, including any use of AI or algorithms, to work out how and when they target content to particular audience segments”, per Leonard.
“And there is no definition proposed so far of how small the segment needs to be before you're considered to be targeting. So any form of differentiation of audiences – for example, I want to serve content only to women, not to men – that would be a form of targeting of content that would be regulated under these new rules.”
Limiting factor
Changes to the definition of personal information are also a concern for businesses personalising customer experiences – especially those now mulling major investments in martech before the government finalises its position.
That’s because the proposed definition of personal information is no longer purely about whether individuals can be identified – a loophole that has effectively let many businesses argue that they do not need to comply with the existing Privacy Act because they know pretty much everything but the individual’s name. But that is about to change.
“The government is now saying that within the new definition of personal information would be information that does not identify an individual but enables an entity to act on individuals with differentiation,” says Leonard.
“So in other words, if you have the capability to single out a group of people or particular individuals for different treatment, through the use of, for example, online tracking code, or fingerprinting, or device identifiers, then it doesn't matter whether you can identify the person or not, you're within the scope of regulation.”
Which means businesses using that kind of data to personalise, target or otherwise treat one group of people differently to another must explain very simply what they are doing and why they are doing it, i.e. in language that someone ‘of below average literacy’ can understand. Opaque terms and conditions can therefore no longer act as a blanket get-out clause – and businesses can effectively only do what they can very simply explain.
And even then, there’s another caveat: businesses must also demonstrate that such practices are ‘fair and reasonable’. “So you might fail that test, and then you become in breach of the Privacy Act and potentially subject to all of the penalties that are associated with that,” per Leonard. And one person’s – or lawyer’s – definition of fair may differ from another’s, introducing legal risk for businesses operating close to the margins.
So what does that mean in practice for banks, retailers and anyone else using such data to tailor offers or target individual groups and segments?
“The short answer is you may be able to do everything that you were doing today, but only if you can explain it in a way that you're not currently required to. And you potentially have to also justify that what you are doing is fair and reasonable – and that justification has to not only convince the Privacy Commissioner, but potentially, it can be litigated in the courts by, amongst other things, class action lawyers,” says Leonard. Plus there is the spectre of heavy fines. “So it is a very significant change.”
Bad for business
While government is now awaiting independent cost benefit analysis, Leonard – who as a UNSW Business School Professor and consultant tends to lean closer to business interests – has consistently warned that industry is losing the battle to a co-ordinated and increasingly savvy pro-privacy lobby. He thinks Federal government is hardening its position rather than easing up.
“I think they are firming and I think that industry is not being heard at the same level that privacy advocates and a number of the consumer organisations are being heard in Canberra. So I think industry needs to sharpen its act on explaining to Canberra what good regulation should look like, and be ready to adapt views in the knowledge that we are going to see new privacy legislation,” says Leonard. Though he warns industry to pick its battles.
“Too much resistance will likely just lead to industry's views being overwritten or ignored – because government is listening to consumer organisations, privacy advocates and the ACCC, and they are loud voices in Canberra.”
Data brokers next
Major data breaches from Optus, Medibank and others have hardened government’s position and strengthened privacy advocates’ hand, per Laurel Henning, Legal and Regulatory Affairs Correspondent at Capital Brief. Moreover, she thinks the ACCC is using consumer law to circumvent its weaker hand in competition law.
But the problem for businesses, she says, is that there is now so much overlapping regulation coming at the same time – and in the case of the Privacy Act, even small businesses are now having to “almost come up to the level of a Meta or Google in terms of the consent that they are giving consumers and in terms of how they are managing and securing their data,” says Henning. “And that is a huge ask for the economy.”
But on the flip side, she says, regulators must now also walk the walk in terms of reining-in practices that have to date been left largely unchecked.
“If none of this stuff is being enforced, it's not really worth anything.”
Henning, who covered competition law, data privacy, white collar crime and criminal cartels for a decade at MLex before joining Capital Brief, thinks Treasury’s response to the ACCC’s data broking report, due any day now, will give a strong indication of how government plans to regulate a sector now integral to digital marketing.
While much of the current regulatory focus locally and internationally is on how to curb big tech’s data oligopoly, Henning thinks the data broking report will land much closer to home.
“We all talk about Google and Meta hoovering up data, but I think the biggest operator in Australia in terms of data brokerage is Woolworths’ Quantium.”
Quantium, however, insists it “does not operate as a data broker” and “does not share or sell personal information or any other information on persons to third parties”. The ACCC has concluded otherwise, naming it among CoreLogic, Equifax, Experian, Illion, LiveRamp, Nielsen, PropTrack and Oracle as the companies whose business activities it is probing. Meanwhile, the increasingly co-ordinated consumer-privacy advocacy flotilla is pushing just as hard for data brokering regulation as it is in every other battleground.
Martech rug pull?
Until the Privacy Act legislation appears in its final form, companies investing in new martech have a problem to ponder, says Chris Brinkworth, Managing Partner at consultancy Civic Data and a co-chair of the IAB Data Council.
“[They] don't know if [they are] allowed to still use this software when the new legislation goes into play. Will the tech I'm investing in now for this big digital transformation project still work based on the legislation that goes through?” says Brinkworth.
“Anyone who's going through the pain of putting in a customer data platform, or any kind of marketing transformation, already knows how hard it is [to get over the line], let alone suddenly the rug being pulled out from underneath you and being told [by government] ‘actually, we’ve changed our minds…’”
That said, Brinkworth warned that businesses across the economy are already in breach of existing regulations – they just don’t know it.
“We see so many examples of where data is currently leaving a website – and it's doing it in a way that contravenes current Australian Privacy Principles, let alone future Australian Privacy Principles, because people don't have a handle on what tags and pixels and cookies do.”
He says even basic form filling can leak data when individuals forget to tick a box. While the brand or publisher site will flag that the box hasn’t been ticked and direct users to tick it to ensure consent, “someone's email address, someone's phone number, someone's first name, whether it's hashed or not, has in that moment left and gone out to a big tech company somewhere”, per Brinkworth. “It’s disappearing into Google Analytics – even though Google Analytics says don't send this to us, we don't want it, it's still going. It's going to places because that box was never ticked [when the form was submitted and fired off into the internet before the prompt to consumers was then flagged]. But there's no hope in hell of allowing someone to update their consent preferences in the future if they don't know where that data is going right now.”
Brinkworth urges industry to get a grip on the basics, “to just start to understand the differences in the technologies you have at the moment”. Crucially, he says, “get to know your privacy leader” within the organisation.
“Most people wouldn’t know who that is. But that is a good place to start, because you need to let them know your really high profile projects – you don’t want them cut off at the knees in six months’ time.”
US gunning for Google
While Australia is taking a consumer route to regulation, the US is gearing up for a major competition battle. Google is firmly in the crosshairs, says Future Media’s Ricky Sutton, with three big antitrust cases landing in rapid order. However they land – likely after every appeal and delay tactic in the book – he thinks “what we have today (i.e. the way the ad industry operates) is going to change.”
Ultimately, says Sutton, the US government has decided enough is enough.
“After twenty five years of pushing the [data] envelope, eventually you come up against a barrier and that barrier is going to be government – because there is no other way to stop a juggernaut like that,” says Sutton.
“So we're now seeing antitrust actions and it's notable that these are in the US.”
Until now, he says, “the US has avoided taking action against these big companies, because it's been good for America to be the best in the business at this. But now it's too much – too much money, too much power, too much data, too much fear – and AI becomes an accelerant to what they've already done. And so what we're seeing is that we've got three antitrust cases currently underway against Google.”
The first, Google versus US states over the Play app store, was settled last year for $700m, though Fortnite maker Epic Games is hoping to take it further. The second, a Justice Department case on search dominance – in front of a judge – kicked off last September. “We’re expecting a first announcement from the judge on his view on that within three weeks,” says Sutton. “But it won’t end there, no matter what decision is taken – Google has $1.7 trillion [worth of] reasons to fight this as long and as hard as possible.”
Later this year comes “the biggest one of all”, per Sutton, when the Justice Department takes on Google in an adtech antitrust case in front of a jury. (The case makes many of the same claims as covered by Mi3 here around allegations of market manipulation, bid rigging and killing header bidding, though is less forthright on allegations of collusion with Facebook).
“No matter what happens in these cases, whether Google wins or loses, there's going to be years of appeals. But what we have today is going to change. And what the US Federal Trade Commission, and the Department of Justice have both said is that what they're seeking is a breakup of Google. So there are big changes ahead,” says Sutton.
“I think the government has frankly had enough … and when companies get this big and powerful, there is only one thing that stops them – and that is governments.”
Don’t blink
In the meantime, Sutton says other countries are watching Australia’s own attempts to bring a semblance of law and order to the free market data-privacy economy – and urges the government not to fold to lobbying from both local and international oligopolies.
“I'm in the UK at the moment speaking at a conference and people look at Australia as the canary in the coal mine. They're thrilled about the stuff that we're doing. They actually think that we're a global leader, so we shouldn't doubt ourselves,” says Sutton.
“The era of unregulated data has to end, privacy has to come to the fore – and we're taking action.”