4438948
top of page

Privacy reforms reshape retail media: what you need to know now

REmade Team

In this new piece for REmade, privacy expert Chris Brinkworth, managing partner, Civic Data, outlines the impact of the new privacy legislation on the retail media sector.

Civic Data's Chris Brinkworth

The landscape for retail media networks is shifting dramatically with Australia's “Christmas Surprise" privacy reforms. 

The changes rapidly bring forward expected scrutiny to how retailers collect, use and share customer data for advertising purposes - and the implications and new powers and penalties are significant.

The era of real accountability, new financial penalties, and explicit guidance around targeting and advertising arrived suddenly last month when the Privacy and Other Legislation Amendment Bill 2024 became law. This first tranche of reforms is already reshaping data practices, while much-anticipated, more comprehensive amendments—the second tranche—are expected by mid next year.

Although some of the biggest changes have been deferred, enough is enforceable now to demand your immediate attention. If you were counting on more time or less rigorous oversight, think again. The Office of the Australian Information Commissioner (OAIC) has gained unprecedented powers, including the capacity to issue compliance notices and then costly infringement notices rapidly, similar to the rapidity of ADMA Spam notices.

Imagine a stern legal directive arriving just as your team is away for this holiday season, or worse, when your board or client start asking tough questions about readiness just as you land in Bali or off camping with the kids.

These changes are not hypothetical. Under the first tranche’s reforms, new tiered penalties and infringement notices are now in place. Misusing personal data in marketing can now trigger swift, tangible consequences. The old “we’ll deal with it later” approach will not cut it.


Even routine secondary data uses—like repurposing transaction data or loyalty information for targeting—must now align closely with original purposes or proper consent. The law has not only changed in writing; the OAIC’s recent guidance also underscores a more stringent interpretation.

Although many thought full-scale consent frameworks were not strictly required yet, adopting them now can build user trust and streamline compliance before stricter mandates, possibly including “fair and reasonable” tests and broadened definitions of personal information, arrive in tranche two.

Consider targeted advertising. Although the underlying direct marketing obligations might look similar, the combination of this new law that passed last week and recent OAIC guidance on pixels, hashed identifiers, and data matching has shifted the playing field.

The regulator is now more inclined to treat this activity as direct marketing regulated by privacy laws. Technical workarounds like hashing or using data clean rooms offer no guaranteed escape hatch. If data can be linked back to an identifiable individual, you are in scope, and if your vendor or agency partner provides breezy reassurances without taking real accountability or integrating genuinely skilled legal input, it might be time to question the advice you are receiving, as well as the tools they have deployed on your behalf as a matter of urgency.

Remember, this is just the beginning. The second tranche of reforms will probably turn more currently “anonymous” online identifiers into personal information, raise the bar further on what constitutes acceptable consent, and possibly extend regulatory scrutiny to machine learning and AI-driven profiling. By then, anyone still struggling to comply with the first tranche’s requirements and guidelines will be dangerously behind.

Remember, this is not merely a legal technicality. It is a board-level issue affecting operations, reputations, and ultimately the bottom line. The next few weeks may be your last calm window before enforcement escalates and attention from senior leadership intensifies. Resources might be scarce and deadlines tight, but doing nothing is far riskier. The bottom line is that these changes are already enforceable, and more stringent rules will follow soon. If you do not adapt now, the costs—in time, money, and trust—could be severe.


As the holiday season approaches and inboxes start to pile up, ensure your organisation understands this new privacy reality and acts decisively. Waiting for the second tranche is not an option; the law has already changed, and the OAIC is watching, and you must truly understand what is in the 'Privacy and Other Legislation Amendment Bill 2024.


Comments


Unmade-III--Square-24_edited.jpg

Curator: Cat McGinn

Unmade: Tim Burrowes 

Partnerships: Clive Prosser 

Event & Tickets: Belinda Cusack 

© 2024 by UNMADE                                                                                                                                                                             Unmade Privacy Policy

bottom of page