Australia is no different than European countries or the USA, and the time has come for the government to review our National Privacy Law. The current law hasn’t been reviewed for 6 years, the elections are just around the corner, so it is time for a refresh; the new law will apply to any business collecting information as well as the government itself.
At this point the amendments are only a proposal, but it seems most likely that the majority of them will pass. The proposal aims at defining the privacy principles under which information can be used for direct marketing and advertising (online and offline).
Just like in other countries, the review has some serious implications for marketers. Advertising and DR industry bodies are in discussions with the government to influence the making of the law and ensure that the amendments protect users without being unreasonable or impossible for business to implement.
There is not a lot to worry about in the short term, as the review is planned for November 2012, followed by 6 to 12 months for business to become compliant.
However, there is a lot to worry about if the current proposal were to become law…
So what exactly is there to worry about for marketers?
First of all, as Jodie Sangster (adma CEO) pointed out during the adma privacy briefing (webinar coming soon), the initial purpose of the National Privacy Law was to protect individuals against identity theft and fraud. The proposal for the Australian Privacy Law is losing its main purpose and aims at covering convenience.
Secondly, the definition of personal information is very vague: “Information and opinion about an individual that can be reasonably identifiable”. The government is willing to keep it that way, which makes things risky. European countries have just adopted very strict standards, and parts of the Australian Privacy Law that are kept unclear could easily default to European-type standards. For instance, the proposal doesn’t clearly say whether internet browsing information can “reasonably” identify a person, so shall we or shall we not apply what Europe has implemented regarding cookie collection?
About the text itself:
Anonymity and pseudonymity: In Europe individuals must have the option to delete all their information at any time.
In Australia, the proposal says that individuals must have the option to NOT identify themselves or to use a pseudonym, unless the company can’t deal with them without knowing the individual (e.g. e-commerce delivery).
Prohibition on Direct Marketing: “if a company holds personal information the company can not use or disclose for direct marketing.” This comes with a set of clauses to explain the details. Seems fair, right? The only problem with this one is that it is a negative statement, so it is not going to be easy to develop and work around. Adma is pushing to get it rephrased into a positive
Also, there is no definition of direct marketing, and at this point in time it doesn’t include behavioural targeting.
Using third party data: The proposal informs businesses that they may use or disclose information collected via a third party if:
– The individual has consented to the use & disclosure
– The organisation provides means to opt out
– The organisation draws the individual’s attention to the fact that they can opt out: prominent opt-out
– The individual has made such a request
In principle it all seems fair to the individual and the companies, but as you apply examples it appears tricky. For instance, if a company collects information via social media sites, they must provide a prominent opportunity to opt out. Think about Facebook apps (very often used for advertising purposes): providing a way to opt out from data collection would add one step to the permission process and, if the user opts out, very simply they wouldn’t be able to use the app at all…
In practice some of these clauses seem impossible to implement from a digital marketing standpoint. The risk is that we would go to the highest level of protection: default opt-out… Now, try to browse the internet clearing your cookies every single time to access a site. What will you see? Not much… a horrible experience for the user, and immense potential revenue loss for business.
Cross-border disclosure: This one is very simple: before disclosing data overseas, the organisation must ensure that the recipients comply with the Australian Privacy Law (i.e. agree to Australian law or a more secure one). If there is a breach overseas, the Australian company is responsible.
Fines & enforcement: So far, fines have been applied based on complaints; the proposal allows the privacy commission to actively investigate any business.
The $1 million fine frame applies (like any other law); however, under the Australian Privacy Law, the $1 million fine will apply per contravention… The definition of contravention is unclear: is it per breach? Per record?
So, as the review of the Privacy Law is reaching a critical phase with serious and wide-reaching implications for direct and digital marketing and the digital economy in general, I encourage you to measure its potential impact on your business, stay informed about what is going on overseas and stay tuned to the discussions adma is having with the government.