The future of digital advertising in the post-digital platforms inquiry world (Part 2)
What will be the consequences of the Digital Platforms Inquiry? Stephen von Muenster of von Muenster Legal continues his explanation.
Who could imagine weathering this COVID-19 pandemic without the innovations and connectivity brought by digital platforms. The benefits of digital platforms to society have been immense and have also enabled efficient and effective advertising, and facilitated connections with consumers.
However, with this innovation came the ‘dark side’ of this technology where consumer interests have become obfuscated. Following high profile data breaches, the Australian Competition and Consumer Commission (ACCC) launched its Digital Platforms Inquiry in July 2019. The consequences of this inquiry and the changes to the regulatory landscape will, in our view, be almost be like a COVID-19 for digital.
In Part 1 we provided an overview of the Digital Platforms Inquiry (DPI) and follow-ons, and highlighted the focus on the protection of consumers and their privacy/personal data. Part 2 touches on current Regulator Court actions relating to consumer privacy and data, and what the future may hold.
This article is part of a series that we will be releasing where we navigate these issues in more depth and provide updates and insights as the law and regulation evolve.
Current Regulator Court Actions Relating to Consumer Privacy and Data
Court actions – privacy and data
Below are some examples of current regulator court actions. There is a pervading theme throughout these cases where the issue is one of the consumer being given the opportunity to make an informed choice, provide informed express consent, and retain control. In such cases we see that the ACCC and the OAIC are increasingly willing to bring actions against companies.
The ACCC’s offensive actions
Stealing a march on the OAIC and not waiting for new law to fall out of the DPI process, the ACCC is using misleading and deceptive conduct provisions under the ACL to bring businesses with data as their center of gravity to heel.
On 20 August 2020, Health Engine was found liable for collecting and disclosing users’ personal data and patient information to insurance brokers without consent and for publishing misleading patient reviews and ratings and was issued a $2.9 million fine.
On 29 October 2019 in proceedings against Google the ACCC claimed that Google breached Australian Consumer Law through misleading conduct and false representations made via phone screens about the sensitive and valuable personal location data it collects, keeps and uses (for numerous purposes). This was largely (in part) due to the fact that the consumers were unable to make an informed choice on sharing this data with Google.
On 27 July 2020, further proceedings were brought against Google with the ACCC alleging misleading conduct by Google in obtaining consumer consent to expand the scope of PI that Google could collect and combine about internet activity for various purposes including targeted advertising. The ACCC alleges Google misled consumers when it failed to properly inform consumers and due to the fact that there was a failure to obtain explicit informed consent.
If Google is found liable, the fine is likely to be many millions and the precedent will have a profound impact on data and PI collection, use and disclosure by businesses.
The OAIC’s offensive actions
Sensing a move into its territory and not to be outdone, the OAIC has now launched its own action against a tech giant.
On 9 March 2020 the OAIC issued proceedings against Facebook alleging it committed serious and repeated interferences with privacy in breach of the Privacy Act.
The allegation is that PI of Australian Facebook users was disclosed to the “This is Your Digital Life” app (and possibly Cambridge Analytica) for a purpose other than its disclosed purpose of collection. It alleged that there was an inability of users to exercise reasonable choice and control about how their PI was disclosed.
In this case, the OAIC is seeking a penalty for each act of disclosure of PI and consequently, the penalty could theoretically be as high as $500 billion. The precedent that this may set will also have a profound impact on data and PI collection, use and disclosure by businesses.
The Future?
The DPI Final Report, ACCC’s recommendations, Federal Government response, establishment of the Digital Platforms Branch, current inquiries and prosecutorial vectors of the ACCC and OAIC point to a significant future impact on any business with data and PI as their center of gravity.
Significant court cases are already underway against the big platform players even before DPI Report spawned laws have hit the statutes.
All businesses involved in programmatic services will be impacted – advertisers, media agencies, publishers and suppliers in the middle layers of the ad tech stack (SSP’s, DSP’s, DMP’s, Ad X) as will businesses that rely on consumer data driven business models eg sale of segment data for targeted advertising or customer loyalty schemes.
Here are some of our big bets on what is coming in the future:
- Consumer Data Rights are now in play, and regulation has already started in the banking sector;
- The Media Bargaining Code for tech giants to pay for news content comes in December 2020, stay tuned for updates on this;
- Significantly increased regulation of Ad-tech industry, advertising and media agency services;
- The Privacy Act will be amended to align with the GDPR and there will be the introduction of increased penalties;
- OAIC Privacy Code for Digital Platforms will become enforceable;
- Privacy Act definition of ‘personal information’ will be broadened to include technical and location data, IP addresses and cookie tracking and businesses that previously relied on using so called “anonymized” data will have to be reduced;
- Stricter notice and consent requirements for use of data, and thereafter businesses will need to upgrade their methodologies for acquiring consent in their Privacy Policies; and
- There will be a new individual right of action for interference with privacy/cyber harm.
Businesses that engage with and embrace the change will have the commercial advantage, in particular businesses that:
- Engage with and have a consumer rights and respect focus;
- Have technological ability and agility;
- Are transparent with compliance as part of their business model;
- Have auditability;
- Have strong contracts with suppliers;
- Have very fair and transparent contracts with consumers;
- Ensure data hygiene in terms of full disclosure and express unbundled consent via active opt-ins; and
- Have modern collection disclosures and Privacy Policies which are simple to understand with no bundling of consents and are actually followed by the business.
Concluding Remarks
Businesses need to start immunising themselves now and prepare for the changes to come. Aligning practices, disclosures, and consents with the GDPR would be a good place to start in the absence of specific new law at present.
von Muenster Legal will continue to provide updates and guidance to the industry as the nature and extent of changes to the law become known.
This piece reflects the content of a presentation given by Stephen von Muenster on 20 November 2020 at Mumbrella 360: Reconnected. For more from Mumbrella360: Reconnected, visit mumbrella.com.au/pro
Stephen von Muenster is partner and founder of von Muenster Legal.
