Together, we uncovered ways brands and businesses can prepare for the reform’s sweeping impact, moving forward from a place of proactivity while keeping the consumer at the heart of everything.
The current state of privacy in Australia
The Privacy Act was first introduced to Australia in 1988 before the digital age was upon us. Its most recent review occurred in 2020, following recommendations by the ACCC (Australia's competition regulator and national consumer law champion) to address key issues, regarding a digital platforms inquiry in 2019.
Since, the digital landscape in Australia has faced game-changing challenges, forcing brands to adapt their tracking solutions to ensure they comply with new and evolving regulations. Earlier this year, the Australian Attorney-General's Department released its highly anticipated review of the Privacy Act, recommending 116 potential reforms.
The reforms cover an expansive range of issues, from implementing new limits on targeted advertising (particularly, ads aimed at children) to including a suite of individual privacy rights, like the “right of erasure”, and deindexing search results with sensitive or inaccurate information, among others.
The large-scale Optus and Medibank breaches in late 2022 have taught brands that data breaches are only made worse by holding onto personal information they don’t have a legitimate interest in and/or are well past its expiration date. To minimise the risk of harm, the collection and retention of personal information should be kept to a minimum.
The industry remains underprepared for looming privacy changes
Significant change is looming on the privacy regulatory front, but it appears Australian brands aren’t as prepared as they could be.
According to the Arktic Fox Digital and Marketing In Focus Report, developed in conjunction with Six Degrees and in partnership with Amperity, less than one in four respondents (23%) suggested that a focus on improving their compliance with data privacy was a priority.
Meanwhile, less than half (41%) of brands indicate they have their house in order when it comes to privacy and consent, suggesting many brands will be caught off-guard by the magnitude of change that will bear down on the industry. Concerningly, only 11% of businesses from the study say they have a ‘clear plan and path’ they are implementing when it comes to evolving and adapting to changes in privacy and consent.
This finding suggests that leaders may not fully grasp the extent of the changes that will occur and the urgency of preparing for them.
Even more, a capability gap in data and analytics skills is holding back businesses and remains a key barrier to effective technology adoption. Data and analytics is the biggest technical skills gap identified within teams, consistently topping the list for three consecutive years, with measuring performance and outcomes also featuring prominently in the list of skills gaps. In fact, almost half (47%) say that data and analytics are the biggest technical skills gaps in their team, and only 35% of leaders believe data literacy is strong within their teams.
However, more than half of leaders say customer data strategy and better utilisation of first-party data is a key priority. In fact, 59% say they are still trying to embed a more data-driven approach to marketing, and half of the respondents (55%) say building a customer data strategy and better utilising first-party data is a top priority. This demonstrates a significant gap between business priorities and capabilities to adapt to the rapidly shifting data-driven marketing landscape.
Where’s the data?
Helping companies build a business case to invest in technology used to sit around the ROI that would derive from an increase in conversions. Whereas now, it’s been positioned as an ‘insurance policy’ of sorts – a position I wholeheartedly agree with.
Organisations and brands need to know where their customer data resides. On top of that, they must know how to map that back to an individual. That’s every marketer’s dream — the unified view of customers, how to target them and communicate better to improve the experience. Without that, marketers fall behind.
A recent article in the Australian Financial Review (AFR) highlighted that it costs a company roughly $2,200 just to erase a single customer’s data. If you get 10 new customers a week, that’s going to cost the business more than $22,000 a week just in deleting customer data.
“That’s frightening, but it makes sense when you spend time looking at how organisations manage personal information,” Sperti says. “It’s fragmented, it’s siloed, and I think one of the biggest blind spots is going to be de-identified and unidentified data – where is that residing? How are they going to remove that if they need to for an individual?”
Simply, brands and organisations need to perform an audit. They must understand not just where the data resides but also, how they’re using that data. Being able to provide that data to the customer when requested will help to position them strongly in light of tightening privacy regulations.
Getting the C-suite on board
Data privacy is at a level where it should no longer sit only within the marketing or IT teams. It is the responsibility of the CEO. As Sperti points out, it can be challenging to get the C-suite and leadership teams on board when they don’t necessarily understand the detail or the impact these new regulations are set to have.
The easiest way I can think of is to communicate this by touching on the three metrics that a business operates on net profit, net revenue retention and cost to acquire a customer. If you look at how they’re calculated, they all have customer data at the heart of them.
Stephensen adds that it’s also a good opportunity to introduce a duty of care angle. “The board and leadership teams have obligations to not engage in acts or practices that would cause harm to individuals or cause the business to enter into a state of non-compliance,” she says.
Bring up major recent data breaches with the C-suite, too, she advises. “The failure to understand the impact of a data breach, not just to the business from a compliance perspective but the flow on impact to the community whose information was leaked in the first place, puts the business at risk,” Stephensen says.
“You’re likely not going to get the board members and executive team to care about all the line-level details, but you will get them to care about the risk.”
Sperti adds, “Find the levers that your executives and board care about most. It might be brand reputation, trust and the impact on brand health right through to the bottom line. Look to link the need for change to those levers.”
Privacy is changing, but consumers still want the same thing
The customer still wants the experience. They still want to be treated like you know them as opposed to a stranger. However, brands and businesses can’t personalise when they don’t know who their customers are.
This is why identity (ID) resolution is so important — it turns scattered data into concrete customer information. And without it, it’s virtually impossible to treat your customers as the unique individuals they are. Identity is the foundation for true personalisation.
Once that’s established, they must have a universal view of the customer in a safe, privacy-compliant environment with different views for different teams to make the most out of that data.
Practical steps to start now
This privacy reform is huge. It’s going to have a massive impact on brands and businesses and how they use and collect customer data, Sperti says. Being proactive today, however, will help to position them for a better tomorrow.
1. Review your privacy policies: Businesses must review their current terms and conditions as well as their privacy policies. And if they don’t have privacy policies, now is the time to create them.
Privacy is the new brand battleground. Apple started positioning itself to be ready in this new landscape about two years ago, with the removal of Apple tracking on email. So start thinking about what these new privacy measures mean to your brand.
2. Provide a compelling value exchange: Consumers want a very clear value exchange as to why they're going to share their information with you and what it means for them. If your business or brand is unclear on why customers would give you their customer data, then the customer will be confused too.
3. Audit your systems: The thing with these new privacy regulations is, nobody is saying that you can no longer use customer data — you just have to use it in the right way. So audit the systems you have that ingest customer data and figure out what that data is being used for. And, importantly, understand your reliance on digital advertising networks, which are no longer going to operate in the same way.
4. Build a new foundation on first-party data: There are a number of small and mid-sized businesses that looked at digital advertising networks as the ‘holy grail’ to find new customers. If that’s your business, you need to start looking internally, figuring out how to build your own foundation.
5. Safeguard customer data: With a foundation built upon first-party data, you can start understanding who your customer is. Treat customer data as if you were its custodian. Remember, you don’t own that data – you’re simply the safe keeper of it. And how you use it all goes back to the value exchange.
A new era of privacy regulation
As a new era of privacy regulation dawns in Australia, brands and businesses must rise to the challenge and take a leading role in shaping the future of the digital marketplace. The clock is ticking, and the time for action is now.
Despite the challenges, it's clear that the need for privacy reform is greater than ever. Consumers are becoming increasingly concerned about the safety and security of their personal data, and it's up to businesses and brands to demonstrate their commitment to protecting this data.
In the end, the proposed reforms represent a crucial opportunity for brands and businesses to get their houses in order and demonstrate their commitment to data privacy. Those that do so successfully will not only be better equipped to navigate the changing regulatory landscape but will also be more likely to win the trust and loyalty of consumers in an increasingly privacy-conscious world.
Discover more insights in the Arktic Fox Digital and Marketing In Focus Report
Breaking down Australia’s privacy reform: the highlights, the impact and how brands can prepare
- Personal information: The current Privacy Act considers personal information to be information about an individual, including name, phone number, date of birth, sensitive information, etc. However, the proposed amendments seek to evolve this definition. “Whilst this seems like a small change, the shift in the definition is significant,” Sperti explains. “It will mean that data not previously viewed as personal information like location data and behavioural data may now come under the act.”
The impact: Many brands have only a lacklustre level of understanding about what personal information they collect, Stephensen says. “Many also have only a low-level understanding of the various data flows that are associated with that information, whether it’s within the organisation or to external parties like vendors, suppliers and contractors,” she points out.
“Unless we have a really clear understanding and records of what personal information we ingest and what we do with it, brands and businesses are going to struggle to activate a number of these proposals.”
How to prepare: Stephensen says if this proposed reform goes through, brands and businesses are going to have to implement new dedicated and descriptive processes to comply. This is especially true for big brands because, as she says, “the bigger the brand, the more data it has.”
- Marketing requirements: The proposal recommends the introduction of clearly defined definitions for both direct marketing and targeting to remove ambiguity within the act. For direct marketing, it is proposed that the definition covers the handling of personal information to communicate directly with an individual to promote advertising or marketing material for targeting.
The reform seeks to clarify what data is covered under the act. When used for targeting purposes, it is proposed to cover not only personal information but also de-identified information as well as unidentified information like internet history tracking. “And that’s not all,” Sperti says. “For both direct marketing and targeted advertising, the proposed changes recommend individuals have the right to opt-out of receiving advertising and other one-to-one communications beyond email and SMS.”
The impact: For brands and businesses that trade in data for commercial gain, like data brokers and loyalty programs, it is proposed that those entities would be required to seek consent for trading personal information. This consent would need to be voluntary, informed, current, specific and unambiguous.
Additionally, these entities would also need to provide individuals with information about the third party’s information that will be disclosed. It’s evident these reforms are aimed at giving consumers more control over what they’re receiving as well as regulation around how data is being used for marketing purposes.
How to prepare: This is where the value exchange comes in. Make it compelling for customers to want to share their data with you.
- Direct right of action for individuals who have suffered hurt, loss or damage as a result of an interference with their privacy. This would allow individuals and representative groups to seek compensation in the federal court directly and is in addition to the current complaints process that runs through the office of the Australian Information Commissioner, Sperti explains.
The impact: This proposal could open up brands to extensive legal battles and class action suits. If this passes, brands must really rethink how they compensate for loss or damage from a privacy breach.
“The spate of cyber security breaches in 2022 really shone a light on the relaxed approach organisations have been taking to data retention,” Sperti points out. “Organisations have been storing data for upwards of a decade, if not longer.”
How to prepare: The proposed changes recommend that entities covered by the Privacy Act must define minimum and maximum periods for which data could be retained — something that must be outlined in a company’s privacy policy.
- New privacy rights for the individual: The report proposes a swag of expanded and new rights for individuals, which has been modelled after GDPR, Sperti shares. “It includes things like the ability for an individual to request access to information, relating to them as well as an explanation of how that information was collected and why it was useful.”
They also include the ability for individuals to request to have their data of any type be erased and the ability to request correction of information — and in the case of search engines, request for the de-indexing of information from online search results.
The impact: Recent research demonstrates that it costs a company roughly $2,200 just to erase a single customer’s data. This could end up costing a business a fortune. Consider if the company got 10 new customers a week – it could cost the business more than $22,000 a week just in deleting customer data.
How to prepare: Brands and organisations need to perform an audit. They must understand not just where the data resides but also, how they’re using that data. Being able to provide that data to the customer when requested will help to position them well in light of tightening privacy regulations.
- Privacy collection notices: These are also under review. The proposed change seeks to ensure that, moving forward, collection notices are clear, up-to-date, concise and understandable.
How to prepare: Brands and organisations must ensure their privacy collection notices are written in plain language, making it easy for individuals to comprehend. Appropriate accessibility measures would also need to be in place.
- Notifiable data breach scheme: In 2017, the Privacy Act was amended to add the notable notifiable data breach scheme. This stipulates when personal information is accessed or disclosed without authorisation or is lost. One must notify affected individuals of the breach and the office of the Australian Information Commissioner when it is likely to result in serious harm.
The impact: At present, organisations have 30 days to assess whether a data breach is likely to result in serious harm before notifying individuals affected and the Office of the Australian Information Commissioner (OAIC). The proposed changes recommend that tighter timeframes for notifiable data breaches are established. This would require an organisation to make the OAIC aware of the breach within 72 hours of it occurring, ensuring rapid action is taking place to minimise harm of affected individuals.
How to prepare: Large-scale breaches like Medibank and Optus have showcased the importance for brands to only hold onto personal information they have a legitimate interest in that is up to date. So, think data minimisation. Keep the data you need and get rid of the data you don’t.
- Introduction of a fair and reasonable test: Today, it is believed that entities have too much discretion over determining what information they collect, Sperti shares. “As such, a new fair and reasonable test has been proposed to determine whether the collection, use and disclosure of personal information is necessary for an organisation to function or undertake their activities,” she says.
The impact: The report also proposes a series of factors that will be potentially outlined in the act to guide organisations and assist them in determining whether collection use or disclosure is fair and or reasonable.
How to prepare: Consider factors like whether an individual would reasonably expect their personal information to be collected, used or disclosed in certain circumstances, the sensitivity and amount of information being collected, used or disclosed, and whether an individual is at foreseeable risk of unjustifiable adverse impacts or harm as a result of the collection and collect accordingly.
ABOUT THE AUTHOR
Billy Loizou has 15-plus years of experience in design, technology and marketing. He has worked with some of the world's most renowned and respected brands, helping them improve their customer experience and drive profitability.
About Amperity
Amperity delivers the data confidence brands need to unlock growth by truly knowing their customers. We help brands build a first-party data foundation to fuel customer acquisition and retention, personalise experiences that build loyalty, and manage privacy compliance. Using patented AI and ML methods, Amperity stitches together all customer interactions to build a unified view that seamlessly connects to marketing and technology tools. More than 400 brands worldwide rely on Amperity to turn data into business value, including Alaska Airlines, DICK’S Sporting Goods, Endeavour Drinks, Planet Fitness, Seattle Sounders FC, Under Armour and Wyndham Hotels & Resorts. For more information, visit amperity.com or follow us on Linkedin, Twitter, Facebook and Instagram.
About Arktic Fox
Arktic Fox is an Australian digital advisory firm that partners with brands to drive growth and tackle tomorrow's challenges. We are specialists in digital transformation, eCommerce and capability development, assisting organisations to re-invent and disrupt themselves.
Arktic Fox has partnered with leading brands such as Coles, Beyond Blue, Bega, Carpet Court, Leukemia Foundation and many more to accelerate growth, improve performance and shine.
We understand that in an era of change, the path isn’t linear. We like to think of ourselves as part advisors and part coaches to help you along your journey. As people are at the heart of most strategic initiatives, we empower leaders and teams with knowledge in order to drive their own future and create sustainable change.
Visit https://www.arkticfox.io/ for more information, or follow us on LinkedIn.
