How to gain a marketplace advantage by anticipating privacy law changes

4 March 2020
David Smith, Consultant, Melbourne

1. Changes to privacy law are coming

It seems almost certain that significant changes to privacy and spam law will happen in Australia within the next 1-2 years.

There has been a tide of significant changes to privacy law in other jurisdictions.  Most notably:

  • The European Union’s General Data Protection Regulation (GDPR) took effect in May 2018. The GDPR quite deliberately “raises the bar” for privacy compliance in the EU (and for organisations dealing with individuals in the EU).
  • The California Consumer Privacy Act took effect on 1 January 2020. As California is one of the world’s largest economies and home to many tech companies, the influence of this law is expected to extend well beyond California’s borders.  This law, amongst other things, gives individuals the right to “opt out” of having their personal information sold by a business and the right to sue for damages if their data is the subject of a data breach where reasonable security procedures were not implemented.

In Australia, much of the impetus for reform has come from the Australian Competition and Consumer Commission (ACCC).  The ACCC issued its final report on its Digital Platforms Inquiry in July 2019.[1]

The Commonwealth Government has stated its support for many of the ACCC’s recommendations relating to privacy law, and announced a program for developing and implementing specific responses.[2]  Most notably, the Government will undertake a review of the Privacy Act, to be commenced in 2020 and completed in 2021, “to ensure it empowers consumers, protects their data and best serves the Australian economy”[3].  For more details on the Government’s position, see our earlier article.

This article argues that it makes commercial sense for some organisations bound by the Privacy Act to take certain actions now, in anticipation of the coming changes, rather than waiting until they are finalised and implemented.  A company can actually gain a marketplace advantage over competitors by acting ahead of them.

2. Benefits of changing your commercial practices now

2.1 Building your marketing database – opt-in versus opt-out

It is common for companies to run promotions and competitions in connection with their products.  Apart from providing a boost to sales, these activities aim to build the companies’ direct marketing databases.

In recent years, many companies have taken an “opt-out” approach to building their databases.  This might, for example, involve:

  • stating in the terms of the promotion that by entering, individuals consent to join the marketing database;
  • including a similar statement in the “legal copy” on any advertising for the promotion; and
  • including a similar statement on the entry form where entrants complete their personal information.

The above is arguably a “robust” approach to obtaining the necessary consent for the purposes of the Spam Act 2003 (Cth), since it is an “opt-out” rather than an “opt-in” approach.  However, this approach would seem (at least in our firm’s experience) to have raised very few practical issues for companies adopting it.

When a company subsequently sends direct marketing communications to a person who entered the promotion, it includes an unsubscribe message.  The company then honours any “opt-out” request by that person.

One of the ACCC’s recommendations is that the Privacy Act 1988 (Cth) be amended to strengthen consent requirements.[4]  Under the ACCC’s proposal, privacy settings enabling the collection of user data would be required to be pre-selected to “off” and unbundled from consents for any data collection for the purposes of supplying the core consumer-facing service (such as offering the opportunity to enter a promotion).

Consent would require “ticking a website, actively selecting a setting that enables the collection of personal information, or another statement or conduct that clearly indicates the consumer’s acceptance of the collection, use or disclosure of their personal information”.[5]  Silence or a pre-ticked box would not suffice.

The ACCC states that “real and informed consents should always be required where the consumer’s personal information is used or disclosed for a purpose that is not in accordance with the consumer’s own interests, such as where it is used or disclosed for targeted advertising purposes.”[6]  While the ACCC speaks specifically about the Privacy Act, we assume that it intends the same consent requirements would apply under the Spam Act.

The Government supports the above recommendation in principle, and will consult with stakeholders about “strengthening existing notice and consent requirements to ensure entities meet best practice standards”[7] ahead of the review of the Privacy Act mentioned above.

Other law reform proposals are echoing the ACCC’s recommendation.  The New South Wales government recently released a consultation draft of the Community Gaming Regulation 2020, which will implement significant changes to the way trade promotions and certain other gambling-type activities are regulated in that state.  Draft regulation 14 provides that a trade promotion activity will be permitted if (amongst other requirements) “the right to participate is obtained by purchasing goods or services, with no additional cost or other actions relating to participation in marketing or other activities required to obtain the right to participate in the gaming activity” (emphasis added).[8]  Although the meaning of this wording is not entirely clear, it appears to require that the right of an entrant to participate in a trade promotion must not be associated with any obligation to participate in marketing.

The GDPR also changed the requirements for a valid “consent”.  The relevant definition in the GDPR states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.[9]

Shortly before the GDPR took effect, many companies sent emails to their marketing databases, asking individuals to respond affirmatively if they wished to remain on the database.  This had to occur because the GDPR did not grant any exemption from the new consent requirement for existing databases where consent may not have been obtained to that standard.  Many individuals (including in Australia) received a large number of these requests at around the same time, shortly before the GDPR commenced.

It seems almost inevitable that the ACCC’s recommendation for strengthening consent requirements, or something similar, will be given legislative effect in Australia within the next few years, and quite possibly in 2021.

It also seems unlikely that any “grandfathering” exemption for existing databases would apply when the change takes effect in Australia.  Otherwise, companies that have taken a “riskier” (i.e. opt-out) approach to obtaining consents up to that time would receive what some might regard as an unfair benefit, which they might be able to exploit for some years into the future.

Therefore, it would appear likely that before the change takes effect, we will see a flurry of emails from companies to their databases requesting consumers to “reply yes” to remain on the database.  A consumer receiving numerous emails of this type may well decide to ignore some or all of them.

Instead, we suggest that a company could consider changing its approach now.  If a company switches to an opt-in approach now (and clearly records which members of its database provide this opt-in consent), it will probably be able to build its database on that basis for a year or two before any change is implemented at the Commonwealth level.  It will not have to get caught up amongst the flurry of emails referred to above, when the law does change.  One might reasonably expect that the company will receive more “opt-ins” by “organically” requesting them over the next couple of years at the point of collecting a person’s data (e.g. when they enter a promotion) than in response to an email of the type referred to above, sent shortly before the change to the law takes effect.

In this way a company might obtain a material commercial advantage by switching its approach now rather than later.

Of course, switching now is not a risk-free option from a business perspective.  An argument could be made that it is better to persist with a “robust” (i.e. an opt-out) approach to obtaining consents for as long as practically possible (bearing in mind that while a change to the law within the next 2 years or so seems very likely, it is not a certainty).  This is a judgement every business will have to make for itself.

2.2 Implementing a “best practice” privacy compliance program

In a number of ways, the consequences of breaching privacy law are likely to become more serious.

(a) Higher civil penalties for serious breach or repeated breaches

In March 2019 the Commonwealth Government announced significant planned changes to the privacy law enforcement regime.[10]

It announced that the maximum civil penalties that the Office of the Australian Information Commissioner (OAIC) can recover for a serious privacy breach, or repeated privacy breaches, will be increased from $2.1 million (for a company) to the greatest of:

  • $10 million;
  • three times the value of the benefit obtained from the breach(es); or
  • 10% of the company’s annual domestic turnover in the last 12 months.

The Government recently stated that draft legislation to implement the above will be introduced to Parliament in 2020.[11]

(b) Infringement notices

In March 2019 the Government also announced that the OAIC will receive further enforcement powers including the ability to issue infringement notices.[12]

It is likely that the OAIC would issue infringement notices in situations where there is a privacy breach that is serious enough to warrant enforcement action, but not serious enough for the OAIC to commence court proceedings immediately.

If a company receives an infringement notice it will be required to pay the penalty stated in the notice within a fairly short period (probably a few weeks) or face the prospect of the OAIC taking the company to court and seeking a more substantial penalty.  It appears that the penalty associated with such an infringement notice will be $63,000 per privacy breach for a company.

(c) Direct right of action for privacy breach

One of the ACCC’s recommendations is to give individuals a direct right under the Privacy Act to bring actions and class actions against organisations in court to seek compensation for an interference with their privacy.[13]  Individuals would have a right to approach the Federal Court or the Federal Circuit Court to seek compensatory damages as well as aggravated and exemplary damages (in exceptional circumstances) for financial and non-financial harm arising from a breach of the Privacy Act.

The Government supports in principle the introduction of this direct right of action,[14] which is similar to the rights individuals have under the GDPR and the California Consumer Privacy Act.  The Government has stated that it will consult further on this recommendation before implementing it.

(d) Getting ahead of competitors with your privacy compliance program

The intention of the above proposed changes is to significantly “raise the bar” for privacy law compliance in Australia.

Since it seems very likely that these changes will be enacted within the next year or two, probably without any extended “grace period” in which organisations can adjust to the new requirements, it would appear rational for an organisation regulated by the Privacy Act to take steps now to review its privacy compliance program and ensure that it is robust.

For example, the changes would raise the risk that if your organisation suffers a data breach, a class action may be brought against you claiming compensation on behalf of numerous affected individuals.  Steps you could take now to mitigate this risk include:

  • conducting a technical review of your IT security measures to ensure you are meeting the legal requirement under APP 11 to take reasonable steps to protect personal information from unauthorised access or loss, bearing in mind that what constitutes “reasonable steps” for a large volume of highly sensitive information may be a higher requirement than for a small volume of information that is already largely in the public domain;
  • preparing a Data Breach Response Plan (if not already in place) to guide your staff through the steps for responding to a data breach when it arises, that is aligned with your other crisis management plans; and
  • educating all of your staff on an ongoing basis about how data breaches can arise and their responsibilities to minimise risks and respond to incidents. Since many data breaches arise from human error, and many more arise through a malicious actor exploiting human weakness, it is vital that all staff become “data security aware” and understand how “phishing” and “social engineering” attacks work.

Further requirements for a best-practice privacy compliance program include:

  • knowing what types of personal information you collect, where the information is stored and with whom you share it;
  • pro-actively considering whether you actually need to collect that personal information;
  • a program for destroying or de-identifying personal information you no longer need (many organisations fall short on this point);
  • regular reporting to, and buy-in from, your organisation’s Board and senior management;
  • clear designations of responsibility for privacy and security issues amongst your executives;
  • compliance audits to ensure the program is practical for staff to follow and is being followed; and
  • regular review since the law, technology, business activities and the behaviour of “hackers” change rapidly.

No doubt the OAIC and plaintiff lawyers will wish to test the new privacy enforcement regime shortly after the legislative changes take effect.  The author suggests that organisations need to adopt a “small target” approach, i.e. you need to ensure your organisation is not amongst the most inviting targets in the marketplace for legal action (with associated adverse publicity).  This may actually give a privacy-compliant organisation a competitive advantage over other players in the marketplace who are not so well prepared.

That is, if you implement a good-practice privacy compliance regime and your competitor does not, your competitor should be more likely than you to run afoul of the new privacy law requirements.  Since compliance programs are all about implementing a particular culture within an organisation, they generally work best when designed, implemented and refined over a period of years rather than being rushed – hence our suggestion not to await the enactment of specific legislative changes.

3. Conclusion

In many organisations there are likely to be some stakeholders who do not wish to change until change is mandatory.  There may indeed be some commercial benefits in continuing current practices for as long as possible.

However our thesis is that we have now reached a commercial “tipping point”.  The way forward for law reform in relation to the matters outlined above is now so clear that it should make sense for many organisations to act on the anticipated changes now.  Any short term benefits of the status quo are likely to be outweighed, for many organisations, by the benefits of being fully prepared for, and aligned with, the new privacy regulatory regime that will very likely take effect in Australia in the next 1-2 years.

[1] See https://www.accc.gov.au/system/files/Digital%20platforms%20inquiry%20-%20final%20report.pdf.

[2] “Regulating in the digital age – Government Response and Implementation Roadmap for the Digital Platforms Inquiry”, 12 December 2019 – see https://treasury.gov.au/sites/default/files/2019-12/Government-Response-p2019-41708.pdf.

[3] “Regulating in the digital age – Government Response and Implementation Roadmap for the Digital Platforms Inquiry”, op. cit., page 6.

[4] ACCC “Digital Platforms Inquiry – Final Report”, op. cit., page 464.

[5] ACCC “Digital Platforms Inquiry – Final Report”, op. cit., page 466.

[6] ACCC “Digital Platforms Inquiry – Final Report”, op. cit., page 465.

[7] “Regulating in the digital age – Government Response and Implementation Roadmap for the Digital Platforms Inquiry”, op. cit., page 6.

[8] The draft Community Gaming Regulation 2020 (NSW) is available at https://www.fairtrading.nsw.gov.au/consultation-tool/community-gaming-regulations.  See our summary of the proposed changes at https://www.gadens.com/legal-insights/major-trade-promotions-changes-proposed-in-nsw/.

[9] See article 4 of the GDPR.

[10] See the Government’s media release at https://www.minister.communications.gov.au/minister/mitch-fifield/news/tougher-penalties-keep-australians-safe-online.

[11] “Regulating in the digital age – Government Response and Implementation Roadmap for the Digital Platforms Inquiry”, op. cit., page 18.

[12] See the Government’s media release, op. cit.

[13] ACCC “Digital Platforms Inquiry – Final Report”, op. cit., page 473.

[14] “Regulating in the digital age – Government Response and Implementation Roadmap for the Digital Platforms Inquiry”, op. cit., page 18.

Authored by:

David Smith, Partner

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.