By Chris Brinkworth, managing partner, Civic Data
Australia’s media and marketing sector remains largely unaware of major privacy changes that took effect in December 2024, even as global evidence shows regulators can enforce new laws within days.
A previous IAB Australia “State of the Nation 2024” report revealed 87% of advertising decision-makers were only “somewhat confident” in their privacy readiness going into the holidays.
With those decision makers coming back after 4 weeks of holidays, the shortfall becomes alarming given the Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December, introducing immediate obligations for data handling and compliance.
Seven weeks into these ‘live changes,’ alarm bells should be ringing if you look at other regions. California issued enforcement letters on day one of the CCPA, Brazil pursued legal action within three days of the LGPD, Portugal’s CNPD fined a health business two months after GDPR took effect and Thailand imposed penalties two weeks after its privacy law commenced.
Expecting the Office of the Australian Information Commissioner (OAIC) to behave differently is risky, given its firm guidance and recent actions.
Chris Brinkworth
How did many miss this?
The reforms arrived amid a frenetic legislative session passing 32 bills on 29 November in one evening.
Industry reporting of that sitting focused on Australia’s social media ban for under-16s, with AU$49.5 million penalties, overshadowing the equally significant privacy amendments that passed and granted the OAIC enhanced powers.
The marketing and media industry now faces a stark reality. Compounding the low awareness of privacy changes, a 2024 Yahoo study revealed that only 12% of advertising professionals in Australia and Southeast Asia prioritised privacy solutions. This alarmingly low figure is mirrored by a 9% rise in Australian data breaches reported by the OAIC for the first half of 2024. Clearly, stronger privacy measures are urgently needed and the OAIC are aware of that.
In contrast, they (the OAIC) have demonstrated ‘upskilling in marketing and tech’ and a commitment to enforcing measures through several recent actions. These include issuing landmark guidance on tracking pixels, a significant determination regarding Bunnings’ use of facial recognition technology, and pursuing legal action against Medibank and Australian Clinical Labs. These actions showcase the OAIC’s in-depth technical knowledge and its determination to hold companies accountable for privacy breaches. This sends a clear message to the industry: the OAIC has the tools and the will to enforce privacy laws, and companies must take compliance seriously.
Looking ahead, the OAIC’s expanded powers include penalties for serious or repeated breaches, plus administrative fines for poor “privacy policy hygiene.” If global trends hold, businesses betting on a slow rollout may face a rude awakening. Early enforcement could target tracking pixels, children’s data misuse, or lax third-party data-sharing. Modern privacy laws rarely grant grace periods, and with the OAIC’s next enforcement report due in late 2025, waiting is perilous.