The ‘carrot and a stick’ central to these reforms is the introduction of a “privacy tort”, which presents an opportunity (carrot) for companies to strengthen consumer trust by using a very big ‘stick’ in the shape of class action and litigation.

It’s crucial to understand that these changes represent just the beginning of a broader reform agenda. This is the first tranche of agreed recommendations from the Privacy Act Review, with consultation on a second tranche of reforms likely to come in 2025. Forward-thinking businesses have a unique opportunity to get ahead of the curve by embracing these initial changes.

With a 25-year career in targeting and tracking hundreds of millions of people using billions of pieces of behavioural data, identifiers, pixels, cookies, and more, I must emphasise the profound impact these partial reforms will have on basic current business practices. Many entities and their marketing partners are unknowingly using tools and data in ways that could expose them to legal action within six months. The early warnings are already evident in published comments from the OAIC, ACCC, and legal academics.

Attorney-General Mark Dreyfus articulates the context succinctly: “The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.”

This statement underscores the delicate balance between the marketing industry’s desire for better targeting, measurement, and identity resolution and the need to protect personal privacy. The introduction of a new privacy tort, set to take effect in six months, represents a strategic approach to reforming data practices in the digital economy, potentially reshaping how businesses approach these marketing objectives.

The reach of this new tort is extensive and should not be underestimated. While many may be quick to point out the failure to implement the vast majority of the proposed privacy reforms, we must give credit where it’s due. The Attorney-General’s department has clearly thought strategically about how to significantly reform unethical and risky privacy practices in the digital economy through the use of the tort, a tool that has been in discussion for many years. This targeted approach, rather than rushing through wholesale reform just before an election, shows a measured response to a complex issue.

Do not be fooled into thinking partial reform means ‘no teeth that can bite’. The growing dependence on data and changes in global regulatory frameworks have led to a significant increase in privacy-related legal actions, providing plenty of examples of where to focus attention.

Privacy Commissioner Carly Kind has previously highlighted the extent of data collection: “Social media platforms and other websites receive personal information about internet users as they browse the web. This data can range from basic site visits to more detailed personal information like email addresses and mobile numbers.” She has also noted that “most people wouldn’t reasonably expect household brands, medical providers, or news sites to disclose details about site visits, duration, and content consumption to social media platforms,” describing such practices as “harmful, invasive, and corrosive of online privacy.”

The new tort could potentially apply to various business practices, including excessive tracking and profiling, unauthorised mixing of personal data across business units, misleading privacy disclosures, risky data sharing practices, use of deceptive identifiers, lack of genuine user choice in data collection, and attempts to circumvent user privacy preferences.

Business leaders need immediately to ask themselves what our teams and technology partners are doing with customer data and are we aligned with reasonable consumer expectations? Are we inadvertently crossing lines that could expose us to legal action under the new privacy tort? Remember, the Privacy Commissioner has recently also noted that “most people wouldn’t reasonably expect household brands, medical providers, or news sites to disclose details about site visits, duration, and content consumption”

Kind has previously warned that “Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms,” underscoring the sophisticated nature of current tracking technologies and the need for robust regulation.

Dreyfus emphasises public sentiment driving these changes: “We know Australians are concerned about the protection of their personal information, and of the risks associated with the misuse or mismanagement of their information.” He adds, “Australians... expect that when they do [share their personal information], their information will be protected and that they will maintain control over it.”

For businesses, these reforms necessitate a thorough review of data practices. The introduction of the privacy tort means that companies must discuss with their Legal and Privacy teams the need to conduct Privacy Impact Assessments on every technology touching their customer data lifecycle, overhaul processes, and ensure comprehensive staff training.

As Commissioner Kind has previously asserted, website providers “have an obligation to ensure that sharing web browsing data with social media platforms is in line with what internet users might reasonably expect.” This sets a new standard for transparency and user consent in data collection and sharing practices.

While these reforms pose challenges, they also present an opportunity for businesses to lead in consumer trust. Marketing leaders should pay close attention, as these changes demand a reevaluation of data-driven practices and swift discussions with Legal and Privacy teams about conducting Privacy Impact Assessments on current tools and processes.

While these reforms may not represent a complete overhaul of Australia’s data protection landscape, the Tort signals a significant shift towards greater accountability and transparency in data practices that will impact many businesses’ practices.

However, the complexity of modern data ecosystems and interwoven stacks, products and data partnerships means that internal reviews will not be sufficient. Without getting ahead of this through specialised audits and reviews that scrutinise data flows, tools and consents, businesses risk having these issues uncovered not by themselves or their BAU agency partners - but instead by litigators in the courtroom. The choice is clear: invest in expert-led Privacy Impact Assessments of your activity now, or potentially face costly legal battles and reputational damage later.

Chris Brinkworth is managing partner at Civic Data.

More related stories

The Growth Agenda

Booktopia digs into Aussie heritage for its new chapter

Online bookseller Booktopia is back with a new owner and an aggressive growth strategy to take on Amazon by doubling down on its Aussie heritage.

Read more

The Growth Agenda

People before profits key to supermarkets regaining trust

Coles and Woolworths have hit record lows for brand distrust, but can these supermarket giants regain consumer trust and reinvigorate their once-loved brands?

Read more