The ACCC’s final report into digital platforms, released on 26 July 2019, was extremely critical of how digital platforms, and the broader business community, deal with consumer data and protect privacy. The ACCC believes that Australian privacy laws have not kept up with the growth of the information economy and let business exploit consumers, by collecting their information without appropriate consent.
The ACCC makes a number of key recommendations to give control back to consumers. The reach of these recommendations goes well beyond digital platforms. If implemented, the recommendations will impact all businesses that collect consumer information. Here’s what you need to know right now.
The ACCC has recommended:
- expanding the definition of ‘personal information’,
- requiring businesses to notify consumers each time they collect personal information, and
- requiring businesses to obtain consent to each collection, use and disclosure of personal information.
Overhaul of the definition of personal information
The ACCC believes that the Privacy Act’s definition of ‘personal information’ does not match consumer expectations. Consumers expect that your date of birth, your photo, your telephone number and location information about you, should be protected by privacy law. But under the current state of the law that is not always the case. To address this concern, the ACCC recommends we adopt the EU’s GDPR definition to include technical data and online identifiers.
Concern about relying on deidentification and aggregation tools
The ACCC also expressed concerned about the use of deidentification and aggregation tools to avoid the Privacy Act. They say that data analytics tools already make it possible to re-identify information and these tools will only get better as time goes on. The ACCC has not made any recommendations on this topic yet, but we can expect this will be considered as part of the broader reform of Australian privacy law recommended by the ACCC.
Move to a mandatory real-time notification and consent model
- Privacy policies that deal with hypothetical collection, use and disclosure cases are “long, complex, vague and difficult to navigate”;
- Consumers’ privacy preferences change over time; and
- Consumers cannot conceive of the future value of their information or all the ways a business may use it.
What does it mean for you?
If implemented, the ACCC’s recommendations will present a huge compliance challenge. Businesses will need to weigh up the benefit of information collection against the compliance cost. Immediate compliance steps will include:
- determining what information falls within an updated definition of personal information,
- developing notification and consent tools that are linked to information collection, and
- moving from an opt-out to an opt-in model.
Beyond this, the ACCC thinks the reforms will increase competition on the basis of the privacy and data security offered to consumers. Businesses that rise to the challenge can expect to reap the rewards of consumer trust.
Authors: Hannah Bragge and Michael Caplan