The Australian Privacy Act Review, Considerations for Digital Advertising by Oracle Advertising

On May 26, 2022

Written by June Cheung, Regional Director APAC, Oracle Advertising

Oracle Advertising recently held a Privacy and the New Era of Context event in Sydney, Australia. For those who couldn’t make it, we wanted to share a recap with you on some of the changes proposed in the Australian Privacy Act Review and the potential impact it will have on our industry.

In the past, the industry has taken consumers a little for granted.

To set the scene, I wanted to pause and reflect on the past to understand how we got to where we are today. If I was to be honest to myself and the people in the digital advertising industry, I would have to admit that as an industry we have probably taken the consumer a little for granted.

We have by default:

  • Tracked consumers past browsing behaviour to retarget them relentlessly, that pair of sneakers you’ve looked at, let us just follow you everywhere you go with it
  • By default, tracked their purchasing behaviour to punch out a report to say YAY, that impression we delivered was clicked on and the consumer made a purchase
  • By default, stored, traded, and sold consumer data probably without the explicit disclosure a consumer would come to expect

So, looking at the past we probably took things a little for granted and consumers and governments are now responding to better protect the consumer by clearer guidelines for privacy policies  for the the digital era. 

The new era of privacy centricity


Hence, it brings us here today, the now where consumers are much more aware that their data is being used in some way. The fact that there have been way too many coincidences where a conversation about “organic toothpaste” and of all are sudden “organic toothpaste” ads start appearing everywhere on their mobile devices.

The new era we are in today, is privacy centricity

  • Consumers are aware and want more control on their privacy, but it isn’t all doom and gloom, when Apple introduce the ability for consumers to opt-out of app tracking we thought no one would say yes, but a lot of us will do given the right value exchange Globally 46%, AU 37%*
  • Governments are stepping in and updating the rules of play, to bring them in line with the digital era, strengthening privacy protections for individuals and streamline compliance for businesses working across international borders
  • Large corporations have also sensed the wind changed, and they themselves have taken steps, Apple started to block safari cookies in 2017, Google announce privacy sandbox 2019 and deprecation of cookies although most recent announcement is delayed till late 2023

So, as an industry we need to come together and take a much more respectful and privacy first approach to digital advertising ecosystem and hence we are gathered today, to learn what are some of the proposed changes.

The Australia Privacy Act Review


What is the Privacy Act? It is a piece of legislation, protecting the handing of personal information about individuals. This includes collection, use, storage, and disclosure of personal information. Have you ever filled in an online form, and there’s a checkbox that say’s “I agree to Privacy Policy” of blah blah company? That’s a real-life example of the privacy act playing a role in a day-to-day life.

This Privacy Act was written in 1988 and has since remained unchanged, till a recent proposal by the government. The Privacy Act Review has been published and responses to the discussion closed January 2022. If you want an in-depth dive into how our industry responded via IAB, you can review in detail in the IAB website.

There may also be an Online Privacy Code for certain online businesses to adhere to, and just to keep things interesting the ACCC will be well armed to apply strong penalties to non-complying businesses. 

For this blog, I’m going to dive into two main topics in the Privacy Act Review that are of most concern to our industry Consent and Personal Identifiable Data. 


Consent determines if a company has a consumer’s permission to use their data. The definition of consent needs the consumer to volunteer, be informed, specific and unambiguous through clear action. Something we are most familiar with today, is ticking the box to subscribe to a newsletter, that is seeking consent.

Some elements of the Privacy Act Review around consent which we’ve raised questions are:

  • Reduce the burden of consent – with any change in legislation we need to consider balancing the need for consent versus consent fatigue, where the frequency and requirements for disclosures makes them irrelevant. We’ve already seen in real life the requirements to adhere to EU regulations such as GDPR as the copious amount of information consumers are expected to accept or decline before arriving at their desired web location. We need to ensure the Privacy Act Review does not add to this burden
  • Fair and Reasonable - The ‘fair and reasonable’ description of how we use consented data is too broad and ambiguous. We want better description and clarification because the penalties for businesses are high from a monetary perspective but also there is talk of it being a criminal charge as well. Hence our recommendation is to clarify what is defined as ‘fair and reasonable’ use of consumer data. Specific examples for our industry that we would like to seek clarification and confirmation are segmentation of audience for targeting, audience measurement, analytics, market research and product improvement to name a few. The ask in our recommendation is that we explicitly recognised what is acceptable, and the privacy regulatory framework should not require businesses to provide additional notifications to consumers
  • Legitimate Interests the current Privacy Act Review weighs heavily on consent, but our learnings from GDPR is that the strict consent requirements limit the usefulness of consent, hence many businesses in the EU lean on legitimate interest. We should consider the same for our privacy review. It is that balance between gaining informed consent and flexibility in the way our industry works for certain low risk unintrusive uses within consumer expectations

So that’s one topic of the Privacy Act Review, consent, making sure we reduce burden of consent on consumers rather than adding to it. Make sure we define and give some guards rails to ‘fair and reasonable’ use of consumer data and a way to reduce the burden of consent is using the concept of legitimate interests like GDPR.

Personal Identifiable Data 

Currently the definition of personal identifiable data is ‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable’.

Propose revision recommends broadening the word “about” to “relates to”. By broadening the term to relates, the review is considering the definition of personal information to include technical data such as IP addresses, location data, device identifiers and any other online identifiers.

On one hand, the Government is aware that these online identifiers and device identifiers are increasingly being used to track individuals. This is rivalling names and addresses as key information used to identify people, of particular concern are people discriminated based on certain health statuses, religion or unfairly target or segmented.

But the Government also recognises that technical data is often used for essential purposes to the running of the internet such as authentication, session management, security management and network routing.

Hence, we as an industry are seeking clarification and putting forward recommendations:

  • Such as by broadening the definition of personal information, may have substantial knock-on effects in other areas, such as increasing the complexity of technical information that needs to be disclosed, placing further stress upon consumer understanding of privacy policies and notices.
  • We seek better definition, clarity, purpose and use case, of what is defined as ‘personal information’

Watch this space ‘personal identifiable data’ is a key component of the Privacy Act Review that will have an impact on our digital ecosystem.

Now that you’ve arrived at the end of the blog, you would have gained some knowledge on the Australian Privacy Act and the Privacy Act Review taking place, you might wonder why should we care? Well, the outcomes of this Privacy Act Review may have profound impact on how our digital advertising industry operates.

  • How we as an industry target and serve relevant advertising
  • How we as an industry measure reach and frequency, will fundamentally change
  • How we attribute success of our digital campaigns

Hence, every one of us involved in the digital advertising ecosystem should care and be knowledgeable of the upcoming changes. We expect to hear more on the Privacy Review Act outcomes late 2022, so stayed tune for further updates.

*Appsflyer May 2022