Privacy Act Review – key issues of focus for IAB Australia

On March 16, 2023 Policy and Regulation

In our last post about the Privacy Act Review Report, we set out the key recommendations made by the Attorney-General’s Department.

Since that post a few weeks ago, IAB has been busy analysing the recommendations more closely and assessing the impacts on advertising and online media companies, platforms and technology companies.

We have a number of concerns with the recommendations that relate to online advertising. The concerns we propose to focus on in our submission are outlined below for IAB Australia members.

In particular, our concerns relate to:

  1. Scope of PI covered by the Act and definition of Targeting: There are 2 main issues with the proposal in relation to “targeting”:
  • Firstly, the definition is excessively broad and goes well beyond the commonly understood meaning of the term or the scope of activities that should be regulated under privacy laws, and
  • Secondly, the right to opt out is unqualified.

While the proposed definition of PI in Chapter 4 emphasises the nexus between data and a ‘reasonably identifiable’ individual, the definition of targeting in Chapter 20 is inconsistent with the proposal in Ch4.

Despite that section of the report being named ‘targeting’ – the definition covers any segmentation, no matter how broad the category or the number of people included in the segment, and regardless of whether any individual is reasonably identifiable.

Incorporating any/all segmentation into the definition of ‘targeting’, even where essential for operational, technical or legal purposes, and even when based on anonymous signals – does not seem workable.  Unintended consequences could include:

  • Operational/technical – for example, if you can’t identify someone as a NSW resident as opposed to a Victorian resident, they could potentially receive ads for offers which are not open to residents in their State and which may not comply with the laws of their state – contrary to those laws & the ACL.
  • Policy/regulatory – for example, exclusion targeting is a key way organisations implement policies to exclude children from receiving inappropriate content. If you can opt out of this, those policies (and in some cases legal requirements) will be completely undermined.
  • Commercial – if companies whose business models are based on personalisation are required to provide a service to those who opt out of any form of personalisation, that company’s business model is undermined (the service will not be able to be effectively monetised) and the business may consequently become unviable. The impact on smaller companies will be greater.  Ultimately, this will damage consumers due to less freely available content & services. 

By including anonymised signals in the definition, it may also disincentivise privacy-safe practices such as PETs and clean rooms.

This proposal also appears to go much further than equivalent jurisdictions overseas.

  2. Fair & Reasonable requirement

While IAB is generally supportive of a consent-centric approach, we have concerns about each and every collection, use & disclosure having to meet ambiguous requirements of being both fair & reasonable.

Businesses need certainty that everyday operational & processing activities fall within the scope of the law and/or at what point those activities risk falling foul of the legislation. 

A Bill was introduced into the UK Parliament last week which clarifies a recognised list of activities considered to be legitimate interests, including direct marketing, intra-group transmission of personal data and ensuring the security of network and information systems.

We will be examining the Bill more closely in this process.  In our view, if the fair & reasonable test goes ahead, a similar list of activities should automatically be identified as ‘fair & reasonable’, including things like data processing, research, analytics, security, direct marketing, intra-group transmission of PI etc.

We also question the rationale for including additional consent requirements, for example for ‘trading’ of information, in circumstances where we are trying to move away from a consent-centric approach by introducing the new ‘fair and reasonable’ requirement.

  3. Trading:

The definition of Trading is also extremely broad, not limited to what is commonly understood as trading of data but also appears to include any form of sharing of data or potentially even verification of data points with partner organisations or group members (this is unclear – clarification would be needed).

The proposal is that consent would be required for all activities which fall under this broad definition, which we understand goes further than equivalent provisions under GDPR. IAB will be working through the issues in more detail in coming up with our industry position. Sharing of data would of course also be captured by a range of new requirements proposed in the report, including the proposed new fair & reasonable requirement and the new requirement on collection of data from third parties (the proposed new obligation to ensure the original collection was lawful).

  4. Other issues we will be considering:
  • Requirement that it must be ‘as convenient to opt out as to provide consent’.
  • The definition of De-identification.
  • Covert tracking across websites.
  • Substantially automated decisions.
  • Right to be forgotten.
  • Children (under 18) – no targeting at all, unless “in best interests of child”.

MEMBER FEEDBACK: Please get in touch if you have any issues or examples that would help illustrate the above, or if you would like us to include any additional issues as part of the industry submission, on sarah@iabaustralia.com.au
