New Australian Laws Proposed for Direct Marketing, Targeting, & Data Analytics: Privacy Act Review Report Deep Dive Part 3

We’ll continue our deep dive into Australia’s Privacy Act Review report in this article. We plan to cover the proposed changes to Australian law relating to personal information used in marketing.  

New Definitions for Direct Marketing, Targeting, and Trading 

The Australian Privacy Act Review Report proposes introducing definitions for direct marketing, targeting, and trading, as follows:  

Direct Marketing: “the collection, use or disclosure of personal information to communicate directly with an individual to promote advertising or marketing material.” 

Targeting: “the collection, use or disclosure of information which relates to an individual including personal information, deidentified information, and unidentified information (internet history/tracking etc.) for tailoring services, content information, advertisements or offers provided to or withheld from an individual (either on their own, or as a member of some group or class).” 

Trading: “the disclosure of personal information for a benefit, service or advantage.” 

Reforms Propose to Give Individuals More Choice and Control in Australia 

Beyond providing clarity in the form of new definitions, the proposed changes would provide individuals with more choice, more control, and increased rights relating to direct and targeted marketing.  

Proposed Opt-Out for Direct Marketing 

The Privacy Act Review Report proposes to introduce a right for individuals to opt-out of their personal information being used or disclosed for direct marketing purposes.  

The proposed changes would allow entities to collect personal information (excluding sensitive information) for direct marketing without consent. However, covered entities would need to provide individuals with the ability to opt-out.  

This approach is less privacy-centric than what we’re seeing being introduced in other jurisdictions. Europe’s GDPR, as well as the privacy laws in New Zealand, Canada, India, Brasil, Japan and South Korea all introduced opt-in consent requirements. And we would argue that opt-in consents are fairer to consumers who wish to exercise their right to privacy.   

Proposed Opt-Out for Targeted Marketing 

The Privacy Act Review Report also proposes to introduce a right for individuals to opt out of targeted advertising.  

The report notes that it should be relatively easy for individuals to make this choice and several ‘dark patterns’ are cited as being design features organisations should avoid when implementing opt-outs, specifically entities should not:  

  • Repeatedly request individuals to make a certain choice.  
  • Introduce barriers to service for individuals who elect to not receive targeted marketing.  
  • Make electing to opt-out more difficult or time-consuming to access.   

Again, we found the report’s proposal to introduce an opt-out (not opt-in) framework a little perplexing. The report cites pages of potential drawbacks of targeted advertising, including a significant majority of consumers being uncomfortable with it, alongside the potential for social harm, the negative impact on individual rights, harm to vulnerable people, and the risk to the democratic process. In contrast, the report cited economic benefit in support of targeted marketing. In our opinion, those significant drawbacks present a strong case for consumers to opt-in to targeted advertising.   

Proposed Consent Requirements for Trading in Personal Information 

The Privacy Act Review Report also proposed changes relating to trading in personal information. It suggests introducing a requirement that individuals provide consent before entities can trade their personal information.  

 The consent must be voluntary, informed, current, specific and unambiguous. This would require organisations to transparently and clearly disclose details about where information is traded, as well as what information is being traded.  

Proposal to Prevent Harmful Marketing to Children 

The report also proposed to prohibit direct marketing to a child other than if the personal information collected:  

  • Was collected from the child directly; and 
  • Is used to deliver direct marketing that is in the child’s best interests.  

Similar prohibitions were proposed to prohibit targeted advertising to children and trading in the personal information of children.  

Data Analytics & Privacy: Proposed Changes 

The final piece of the puzzle we’ll cover in this article is the proposed changes to the definitions and use of data analytics in Australia’s privacy law reform proposal.  

The report suggests updating the definition of ‘collect’ to make it clear that inferred information can be (and is) collected. This includes information collected (or inferred) through data analytics or a machine-learning process.  

Then, the report raised the value of limiting the use of data analytics in the context of voting. Specifically, it reflected on the use of a ‘fair and reasonable’ test to determine whether data analytics should be used to engage with voters. 

How to Prepare for These Proposed Changes to Australia’s Privacy Law

While these are proposals now, it may be a good idea to start planning to comply with these changes since some of the changes can take time to implement.  

Here are some things you can do:  

  1. Update your privacy policy to clearly detail any trading in personal information.  
  2. If you haven’t already, plan to implement a privacy centre or user dashboard that allows individuals to quickly and easily manage their privacy settings (including opt-ins and opt-outs).  
  3. Learn about dark patterns and implement policies in your privacy programs to avoid using them.  

How can we help?  

If your organisation needs assistance developing a ‘plan of attack’ to respond to Australia’s changing privacy laws, reach out. Our privacy team would love to assist.   

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.