By Heidi Bruce, Principal Partner 

21 June 2023

Reforms to Australia’s privacy laws under current consideration by the Government will involve a huge transformation of our privacy laws, and they include major changes to targeted advertising. The latest Privacy Act Review Report (“Report”) was released in February 2023 which gave us a clear picture of what is being planned for our privacy laws. Many submissions to the Report have significant concerns with their practical implementation. No doubt these will have dramatic impacts on the Australian advertising and media industry and companies that engage in this market. Here we give a practical rundown of what the proposed changes have in store, with a focus on targeted advertising. We cover how these changes will impact advertisers, advertising and media agencies and others in the digital ecosystem… and whether they are workable.

What is targeted advertising?

Targeted advertising is where an advertiser uses data to direct advertisements to specific audiences, which is much more effective than advertising to the internet at large. It is well known that a lot of data is collected about us online including what we are buying and searching for. Companies can collect information about people who visit their website, and can also use cookies to track user’s behavior across various websites, to gain insights into a consumer’s interests, habits, age, gender, what they are buying and thinking about buying.  If consumers sign up to a website, or social media platform like Facebook or Twitter, that operator can collect a lot of ‘profile data’, which can be used for targeted advertising. Targeting can be quite sophisticated. Advertisers and their agencies can use companies like Facebook or third parties to build custom audiences. There are advanced tools and technologies that allow for data aggregation, combining data sets to create deeply customised audiences. Targeted advertising may include:

• Behavioral targeting, which is targeting advertising based on online behavior – e.g. if they have searched for ‘running shoes’ in the past they may be shown ads for similar shoes.
• Contextual targeting, which is based on assumptions about a person’s interests from their searches – so if a person searches for ‘running shoes’ they may be shown ads for nearby gyms.
• Geotargeting – this relies on location and demographics to segment audiences, eg only showing ads in an area the business wants to reach.

The vast majority of digital media campaigns are currently delivered using some form of targeting or segmentation. Segmentation involves finding big clusters of people, using broad and basic parameters such as geographical area, eg only NSW, or basic demographics or behavioral data. Behavioral data may be inferred from someone’s browsing, e.g. if they search for cartoons, you may infer this is a parent or young child. Advertisers can bid on audiences for ad placements using certain parameters for example, an alcohol brand will want to exclude children. A lot of this data is inferred, de-identified, or unidentifiable.

What do our privacy laws currently say about targeted advertising?

Currently our privacy laws only regulate ‘personal information’ which broadly speaking is information that can be used to identify an individual. If information is de-identified or anonymized, that information is not subject to privacy laws. The information used in targeting is often not enough to identify an individual, it may just be general information about interests or the sites they visited, or their area. An organization that uses this sort of information for targeted advertising may not currently need to comply with the Privacy Act rules.

Privacy rules need to be complied with if sharing and using personal information for targeted advertising. There are various practices already being used by players such as media agencies for safeguarding privacy rights in targeted advertising, such as increasing use of ‘data clean rooms’, and ‘lookalike’ data sets, or anonymized data sets.

What changes to targeted advertising are proposed?

The Report proposes:

• It will prohibit targeting to children.

Given the broad definition here, this involves not just the use of personal information, but also the use of de-identified information and unidentified information, (such as internet tracking history), to target children.

There is an exemption here, for targeting that is in the child’s best interest. Further guidance is required on this but one of the examples noted was music streaming services that give personalised music recommendations.

• It will prohibit the use of sensitive information for targeted advertising.

This is directed at preventing targeting based on certain vulnerabilities. Sensitive information includes information about their race or ethnic origin, religious beliefs, sexual orientation or criminal record.

There is an exemption here, for socially beneficial content. There will need to be close consideration of the practicalities of excluding any such information from targeting, and where a campaign would be ‘socially beneficial’, an example noted was people with mental health conditions receiving information on mental health resources.

• Any targeting must be ‘fair and reasonable’.

This means that targeting practices that are manipulative, or exploitative, may be at risk.

• Entities must give information about targeting to individuals, including clear information about the use of algorithms and profiling to recommend content. Further guidance is required as to how this information will be given.

• It will introduce a definition of targeting.

This covers the use of any information relating to an individual including personal information, de-identified information and unidentified information (internet history/tracking etc).

This has been broadly criticised as being excessively broad. It includes de-identified and unidentified information, so includes broad segmentation data. There are real practical problems with implementing the proposals for targeted advertising, given how broadly this is defined. If advertisers need to exclude children from targeted advertising, for instance, it is going to be difficult to practically do this if targeting includes de-identified information.

• It will give individuals an unqualified right to opt out of receiving targeted advertising.

Under these changes, you do not need up-front consent for targeted advertising. The report considered this but dismissed it (because it could require consent for the use of de-identified or unidentified information which would lead to consent fatigue, and it would be technically challenging for information about an unknown individual).

However individuals will have the right to opt out of receiving targeted advertising.  Given how broad the definition of targeting is, it is very unclear how this will work in practice. In our view this is one of the most, if not the most, problematic proposals in the report and one that will cause huge issues in practical implementation.

A wide number of participants including the Media Federation of Australia (MFA), the Australian Association of National Advertisers (AANA), the Interactive Advertising Bureau (IAB), the Centre for Information Policy Leadership (CIPA) and global tech company Meta, have voiced strong objections to this proposal (as well as the definition of targeted advertising and various others).

Anisimoff Legal was honoured to be able to help the MFA with their submission to the Report, which reflected the concerns voiced by a wide range of media agencies within its member base. There has been remarkable consistency across the industry with similar concerns raised in a number of submissions.

The MFA and its media agency member base, and other media industry participants who have raised similar concerns, understand the deep intricacies of how targeting works in practice, and the technologies and practicalities involved.  It seems the Report has become a bit lost in the competing concerns and the technicalities. They have taken from various other laws developing overseas in this area, but gone a few steps further than any other market. The GDPR has an unqualified opt out right for direct marketing, but not for targeting. Some new rules in Europe introduced last year under the Digital Services Act do include some specific rules on targeted advertising (including rules on targeting of minors and with the use of sensitive data). However Australia’s proposed blanket opt out of targeted advertising goes beyond any other law that has been passed in any other country.

An unqualified opt out right may be workable for direct marketing, when you have a clearly defined company, let’s say Nike, which controls the data, who can remove a person from any future mailings from Nike. However there are completely different considerations when it comes to coordinating an opt out right for targeted advertising. If a person is browsing online and searches for ‘running shoes’, and they receive an ad for ‘Nike’ shoes, how do they opt out? Do they opt out on that website only? Or do they have to find a central place to opt out? Then if they do opt out on the website, that will not stop them receiving ads directly from Nike, or from Myer, or from some other website.

You can see also, if the person has been targeted on the basis of de-identified or non-identifiable aggregated data, big practical issues with how that opt out might be practically implemented? How will this work if a person has various online ‘profiles’ e.g. with various household members using and searching online? There are many questions here and many consider this to be unworkable.

This broad opt out right has been criticized as it could mean advertisers will not be able to use this data to comply with legal requirements, e.g. not targeting children with alcohol ads, or targeting people only in States where an offer is available.  It can also limit socially beneficial targeting such as for health or charity initiatives. Also, it may significantly threaten the viability of businesses that provide free content and services online, many of which are personalised and ad supported.

Reforms to Australian privacy laws have been a long time coming and they are clearly due for an upgrade in line with advancements in data use and data privacy laws globally. However some of these current proposals, in cherry picking from different laws and overstepping in some areas, could end up placing undue burdens for operators in Australia, and limiting businesses who provide free, or personalised online experiences and services. From what we are hearing and seeing, many of the reforms are broadly supported, however some of the details on targeted advertising will need to be carefully fine tuned to avoid practical difficulties. In any case they will bring big changes to the way the digital ecosystem works in Australia. In the meantime those who engage in targeted advertising will continue to advance and adapt.

Contact us

If you would like further information on privacy laws or reforms and how they may impact you, please contact us.