Marketers warned to expect privacy breach crackdown as new laws enter second year
Marketers have been warned to expect a more aggressive approach from Australia’s privacy commissioner as authorities begin to crack down on breaches following the introduction of new regulations.
The Association of Data Driven Marketing and Advertising (ADMA) predicted authorities will take a harder line after spending the first 12 months bedding down, and helping companies comply with the new rules.
Changes to the Privacy Act came into force last March with the creation of 13 Australian Privacy Principles (APPs) outlining how personal information can be collected, handled, processed and used for marketing purposes.
The shake-up also gave power to Privacy Commissioner Timothy Pilgrim to investigate companies regardless of whether a complaint has been made, with each privacy breach subject to fines of up to $1.7m.
Until now, Pilgrim has adopted a softly softly approach as firms grappled with reform. But according to ADMA regulatory affairs director Jeannette Scott, that is likely to change as she warned the commissioner is likely to use those powers as reform enter their second year.
“For the first year there was an emphasis on developing guidance, answering questions and bedding down reform, not only for businesses but for the regulator. But there comes a point when the laws will be bedded down and that will free up some of the commissioner’s resources,” Scott said.
Timothy Pilgrim
“In the last 12 months we have not seen many fines or regulatory activity and while there hasn’t been a honeymoon period per se the regulatory approach has been to try and work with people to address compliance.
“But over the next 12 months you can expect to see a few more fines and investigations come to the fore. The Privacy Commissioner has got the teeth and my understanding is that while he was working initially to help businesses comply, that will change.
“I think we’ll see a tightening of the glove and I think we can expect more [investigations].”
Proactive
The Office of the Australian Information Officer (OAIC) declined to comment on the approach over the next 12 months and beyond. But in a speech earlier this year to the International Association of Privacy Professionals (IAPP), Pilgrim revealed it was soon to “conduct an assessment” on 21 companies to determine whether their privacy policies were “clearly expressed and up-to-date”.
“This demonstrates that the OAIC is proactively looking at entities’ responses to the new requirements,” he said. “We have had almost a year to settle into the changes to privacy law [and] we’d like to start talking about more than just basic compliance and shift the conversation to ongoing governance.”
Among the major changes included greater transparency, with brands required to explicitly tell people they have their data and what purposes they intend to use it for. Clearer opt-out statements are also required while marketers must be wary of identifying some through “context”.
“Something that started its journey as not being personal information might become so through context, so marketers must look at the life cycle of data, not at one particular touch point,” Scott said. “You are having to be conscious of the data the whole way through.”
Scott said ADMA members have demonstrated a “commitment” to adhere to the new policies, but suggested smaller companies – many of whom are not members of ADMA – are struggling to understand and implement the changes.
“If you own a small family business and don’t have an in-house privacy team or legal counsel or regulatory compliance how do you take the time to go through 260 pages of guidance and understand it yourself?” Scott said.
“We have gone a small way to doing our bit in that space [by providing information for non-members] but from questions I’m being asked there is still a great deal of understanding to be built at the small business end of town.
“Smaller businesses don’t tend to be part of our membership base but we have built tools that we have made available to the public, which inherently means small businesses, to try and give them a helping hand. They are the ones who are struggling.”
There is a “greater sense of frustration among smaller business”, Scott added, with the word ‘change’ giving rise to fear over the complexities, time and cost of compliance.
Confusion as to what falls under the act
She said the issue can be confusing with many concerns raised by small and medium size entities not even relating to the Privacy Act.
“The question they have about the new privacy laws actually don’t relate to the new provisions at all and in many cases don’t even relate to the Privacy Act,” Scott explained. “I’ll often hear someone say ‘I have been at an event as an exhibitor, I’ve got a copy of the attendee list can I email them?’.
“But emails don’t fall under the Privacy Act, it comes under the Spam Act. For small business it is basic principles, rather than the new changes, they are struggling with.”
Despite the challenges, Scott stressed it was imperative for firms, however onerous they find the issue, to get to grips with the laws.
“Privacy is such a topical issue because it’s emotive, and if companies hit the media as having a privacy breach it is hard to recover from that,” she said. “Even if you survive the investigation process, if there is a social media campaign against you saying don’t give your details to X, don’t deal with them because your details are insecure’, then it’s hard to come back from.”
Beyond the Privacy Policy
She said some firms are misunderstanding they can no longer rely on a privacy policy on their website but must “let people know you are collecting their personal information”.
But smart marketers can use the stricter regulations surrounding opt-outs to their advantage and create a point of difference from competitors,” Scott said.
Rather than simply creating an unsubscribe link – which will ensure compliance – firms should build preferences into their opt-outs, a practice which could mean the difference between retaining and losing a customer.
“If, as a consumer, I can unsubscribe then the company will have complied but then I won’t hear from them at all. It may well have been that I was happy to hear from them, but maybe once a week rather than every day, or monthly rather than weekly. ”
“It’s not a mandate, but if you provide preferences then you are allowing the consumer to make a choice and you are ending up with target data that is far more responsive to your communications
“It is an opportunity to create a point of distinction, and we are starting to see more and more companies do this.”
Scott said some firms “over-complicate” privacy, and ignore simple business practices that could prevent a whopping $1.7m fine.
“Sometimes sales people will come back from a business meeting and want to add a person to the newsletter distribution. But they then ask ‘ how do I get consent to do that?’ Companies need to make it a practice to ask at the time of the meeting whether you can add their name.”
Steve Jones
