A spotlight on Australia’s privacy reform: The future of online advertising regulation in Australia

Written By

james hoy Module
James Hoy

Special Counsel
Australia

I am a Special Counsel in our Sydney office and I specialise in media and technology disputes and advice with a particular focus on privacy and data protection matters.

On 28 September 2023, the Government published its response to the Privacy Act Review Report (Report), including the proposed reforms affecting online advertising. 

There are a number of important considerations for businesses that use online advertising tools and some associated practical steps to keep in mind as your business prepares for these privacy reforms. 

Changes to the definition of personal information

Perhaps the most significant proposed reforms for online advertising are those relating to the definition of ‘personal information’.

There are proposals to change the word ‘about’ in the definition of personal information to the words ‘relates to’, and to include a non-exhaustive list of information that may be personal information.  If enacted, this will likely mean that there will no longer be any argument as to whether online identifiers and behavioural data relating to identifiable individuals constitute personal information.  Nor is there likely to be any argument as to whether information relating to identifiable individuals which is inferred or generated as part of user profiling constitutes personal information if the proposal to amend the definition of ‘collection’ to expressly include inferred or generated information is implemented.  The removal of such uncertainty would, on its own, be likely to have significant ramifications for the adtech ecosystem in Australia, requiring businesses to carefully examine their use of cookies and other tracking technologies.

It is unclear whether user data which is only linked together by pseudonymous online identifiers will be treated as reasonably identifiable, assuming that the proposed changes to the definition of personal information are implemented.  However, the Government response to the Report states that ‘the Government considers that an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known’, indicating that such user data may indeed be caught.

Consent and online privacy settings

Any change that would have the effect of requiring online service providers to enable pro-privacy settings by default, or preventing online service providers from making access to content conditional on the receipt of online advertising, would also have major impact on the use of online advertising tools.

In relation to the former, while online service providers will no doubt have been relieved to see that the proposals do not include any express requirement that pro-privacy settings be enabled by default, the Report indicates that the proposal to introduce a requirement that personal information handling be fair and reasonable in the circumstances, may have a similar effect when added to existing requirements.  When combined with the proposals that the Office of the Australian Information Commissioner develops guidance on how online services should design consent requests, and that online privacy settings should reflect the ‘privacy by default’ framework of the Act, such reforms may have the practical effect of requiring opt-in consent to online advertising in many cases.

Further, the proposal to amend the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous, if enacted, will likely have the practical effect of preventing the ‘bundling’ together of multiple consent requests, a practice which is common despite guidance from the regulator indicating that it has the potential to undermine the voluntary nature of consent.  This proposal may also call into question the ongoing viability of business models which make access to content conditional upon the receipt of online advertising.

The Government response to the Report also indicates that the proposed fair and reasonable requirement is expected to help protect individuals from the use of practices, called ‘dark patterns’, which nudge users towards consenting to more intrusive privacy practices or which encourage them to choose more privacy intrusive settings.

Direct marketing, targeting and trading

The proposal to require entities to provide individuals with an unqualified right to opt-out of targeted advertising is unlikely to proceed at this stage, which will no doubt have come as a relief to businesses that use online advertising tools.  However, the Government response to the Report suggests that it will be considering alternatives to give individuals more choice and control in relation to the use of their information for targeted advertising, including layered opt-outs and industry codes.  

While the separate proposal to require entities to provide individuals with an unqualified right to opt-out of their personal information being used or disclosed for ‘direct marketing’ purposes will generally apply to more traditional forms of direct marketing, if enacted, the Report indicates that there are some circumstances where the use of personal information for ‘targeting’ would also fall within the definition of direct marketing.  For example, the Report indicates that the use of customer emails to target advertisements on social media to known individuals, a practice commonly referred to as ‘customer matching’, would fall within the definition of direct marketing with the result that there would need to be an unqualified right to opt-out.  The same may also apply to other forms of targeted online advertising to the extent that they involve the use or disclosure of personal information. 

There is also a risk that the proposal to require entities to obtain individual consent to ‘trade’ their personal information may have the effect of requiring opt-in consent in a range of online advertising contexts.  For example, the use of cookies and other tracking technologies, as well as customer matching technologies, may be considered to involve the trading of personal information if personal information is disclosed in exchange for receipt of those services.  However, the Government has foreshadowed further refinement in terms of what constitutes ‘trading’, which will hopefully mean that such outcomes can be avoided.

While subject to exceptions, the proposed prohibitions on direct marketing to a child, targeting to a child, trading in the personal information of children and targeting individuals based on sensitive information each have the potential to significantly impact online advertising.  For example, the proposed prohibitions in relation to children have the potential to be problematic in contexts where the identity and age of users are not known.  Equally, the proposed prohibition in relation to targeting based on sensitive information has the potential to be problematic in the context of goods and services which are typically purchased by users with a sensitive characteristic, though the proposal does include an exception for ‘socially beneficial content’.   
There is also the proposed requirement that targeting be fair and reasonable in the circumstances and, while it remains to be seen how this will be applied, if enacted, the Report suggests that it is intended to provide a flexible mechanism by which to address targeting which ‘seeks to manipulate or exploit or undermine autonomy’.

Five steps your business may wish to take now

Of course, the devil will always be in the detail, and much will ultimately depend on how the various proposals discussed in this article are implemented. 

In the meantime, you may wish to consider taking the following five steps now:

  1. getting clear on what data your business handles and the extent to which this data might fall under the expanded definition of personal information;
  2. undertaking a review of your business’ consent practices and online privacy settings and considering whether any changes might be needed; 
  3. considering whether your business’ online advertising activities are fair and reasonable and, if not, what changes might be needed; 
  4. getting clear on what types of online advertising tools your business currently uses and whether such use is likely to comply with the proposed new requirements; and
  5. socialising the key proposals impacting your business with key stakeholders and, if practicable, starting to plan potential solutions.

The Australian Privacy and Data Protection team at Bird & Bird has advocated on behalf of clients throughout the Privacy Act Review with a particular focus on the proposed reforms in relation to online advertising.  If you have any questions or want to get in touch to discuss these reforms, please reach out to one of the contributors. 

Overviews of the Report and Government response, respectively, are available here and here.

Latest insights

More Insights
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line green background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More
Curiosity line yellow background

The New Cybersecurity Dawn – Hong Kong readies for new critical infrastructure legislation

7 minutes Dec 10 2024

Read More