What Marketers need to know about new Privacy Act compliance: #ADMAGlobalForum

Changes to Australian privacy legislation are currently before parliament and will become law soon.

When the law changes, most businesses will have to change the way they are handling customer data. “Privacy reform directly impacts on your teams and your work,” ADMA’s Sarla Fernando told delegates at today’s ADMA Global Forum.

It’s not just the IT team that is responsible for privacy. Marketers, sales people, advertisers and company boards must also engage with the responsible use of customer data so their company is not at risk.

The 1988 Australian Privacy Act was enacted when the type and amount of data collected was different from today. What was collected then has led to breaches in today’s regulatory environment.

“The Australian government has gone through a lot of inquiries and processes, we are at the pointy end of legislative reform now, there are a lot of changes coming,” said Fernando.

The Draft Privacy Bill will be submitted to Parliament any time now, then there will be a transitional period of 12-24 months for marketers to become compliant.

Are you already ready? asked Fernando. “You may think so, but you probably aren’t,” she said, then went on to explain some of the key areas where marketers need to check what they are doing with customers’ personal information.

The scope of the Act is broadening and the definition of personal information is changing. Any information ABOUT a person, expands the scope of what the information applies to, so the word ‘about’ in the Act has changed its definition. Also redefined is the word COLLECTION, which used to be about the information collected, but now it has broadened to also include any additional information you generate about a person through AI or data aggragation, not just what you collected directly from them.

The SME business exemption will also change, to will apply to more businesses and also now to employee records.

New definitions will also be added, such as: children, sensitive information such as health data and de-identified information.

Currently ‘de-identified’ information is outside the scope of the Act, but now it may be included because information can be reconstructed in new ways that could re-identify someone.

There will also be new definitions for Direct marketing, Trading (such as customer loyalty programs) and Targeting (targeted advertising).

Advertising is not illegal, but if your customers opt out of targeted advertising or promotion you may be in breach with certain types of direct mail or social campaigns. Collecting location data is not illegal, but combining it to identify where and when your customer goes to the shopping centre and to send them targeted ads for that centre is not allowed. “Marketers will now need to make sure they have customer consent to target them.”

Fernando commented that customers are usually comfortable to give some of their data to brands they trust, as long as the way it is used is not “creepy” and doesn’t appear to be too invasive.

The Australian privacy reform act is different from Europe’s GDPR legislation, so even if your company is prepared for GDPR it may not be enough in Australia to meet “the pub test of fair and reasonable.”

Also changing is accountability. There will now be a ‘direct right of action’ where customers could take a company to court or could combine with others to take class actions. Customers will also have the right to know what data you have and to know what you plan to do with that data.

Notifications of data breaches will tighten, now needing to be made within 72 hours.

Fines have increased to percentages of any benefit obtained or a percentage of your company turnover.

Start your stakeholder assessment now, check what consent you already have and if you need changes to the data you already have, make them before the Act brings in the new legislation, urged Fernando.

ADMA has a range of resources to help marketers to be prepared for the changes.

Tags: | | |