Australian businesses ‘not ready’ for privacy law changes
Businesses need to prepare and equip themselves to face the impacts of the changing privacy laws, a customer experience and behavioural expert warns.
Businesses are concerningly unaware of how changes to the new privacy laws would drastically impact their operations, future and viability, according to a consulting and research firm.
Founder and chief executive of Fifth Dimension, Lyndall Spooner, said the power consumers will gain through the impending laws is a significant concept all businesses need to understand.
“The proposed changes to the Privacy Act are some of the biggest reforms we have ever seen in the area of consumer privacy,” she said.
“They aim to put the power back into the hands of consumers to decide where and how their personal data is used.”
According to Spooner, there are three legal points businesses must consider, as they could profoundly impact how businesses collect and use data for marketing purposes.
First, businesses will be required to conduct internal reviews of how they use consumer data for sales and marketing purposes.
Businesses will also need to prove that they have the required consumer permission to use this data.
Spooner said some business owners will be shocked at the amount of consumer data they tap into.
“Some leadership teams may not be completely aware of just how much data is being used across their business for a multitude of purposes, including the requirement of data for streamlining digital interactions and services,” she said.
Following this, businesses will need to understand that consumers will become “brutally aware” of how much companies are using their private data and how it is sold to third parties.
Spooner said consumers will also be surprised by how much their data is being used to influence their decisions, seamless digital interactions and perceptions of integrity they have with businesses.
Third, businesses will need to understand that if one in every five customers refuses to allow companies to use their data beyond what is necessary, a significant decline in the effectiveness of automated sales could be experienced.
This will result in businesses having to “go back to the fundamentals of marketing” to reach potential audiences.
Spooner said all businesses would need to quickly grasp the new changes.
“The reality is that many Australian businesses are not ready and nor do they understand what they need to be ready for, or naively think they have already captured consent from their customers,” she said. “This is a fundamental shift.”
Spooner provided a further breakdown of the changes to the new privacy laws to enlighten businesses on how they can interpret them and adjust their systems accordingly.
Expanded definition of personal information equals reduced capacity to synthesise and customise
The new privacy laws will expand the definition of what is considered “personal information.”
This means IP addresses, behavioural predictions and other data used in marketing will be classified as personal information, increasing the regulatory burden on businesses to ensure compliance.
Spooner said the responsibilities on businesses to obtain clear, informed and specific consent for collecting and using personal data will be significant.
“Marketing practices must be transparent, with clear disclosures about how personal data will be used.”
“Consent for data usage, especially for high privacy risk activities, must be clearly stated.”
Is the use of personal information warranted?
With the introduction of the new legislation, it is likely a “fair and reasonable test” will be enforced to ensure data collection and usage are necessary and proportionate to the marketing purpose.
Businesses will need to balance their data needs against the privacy expectations and potential impacts on individuals, Spooner said.
“Businesses' databases, whether they be in-house or via a third party, will need to be capable of promptly erasing personal information upon request, complicating long-term data retention strategies.”
Sophisticated record keeping, documentation and security
According to Spooner, businesses are not grasping the fundamental shift in paying more attention to whose information is being used and determining what benefit can be extracted from it.
“Businesses must keep detailed records of the purposes for which personal data is collected and used.”
“This includes documenting any secondary purposes, which is common in marketing where data might be repurposed for different campaigns.”
Serious consequences for businesses
Spooner said the changes to the privacy laws will prove a challenge for some businesses as they will be required to update their core systems to ensure consumer data can be updated and deleted as required.
Though “far-reaching impacts” will be felt by businesses, Spooner said the impending laws would benefit consumers.
“Importantly, these new changes will likely force businesses to delete consumer data they no longer need to hold which will reduce the chances of that data being hacked.”
“Consumers should not be concerned data they have given a company for a specific purpose more than a decade ago still exists on a database somewhere.”