Data privacy in digital marketing: why compliance = performance in Australia


With tranche 2 of the Privacy Act reforms on the way, now is the time to get your data, privacy and consent strategy in place.  

Data privacy no longer stops at the front door of the marketing team. That responsibility now runs across your entire data ecosystem, not just your website.


Privacy Act reforms and Tranche 2: why marketers can't afford to wait

The federal government has already passed the first tranche of Privacy Act reforms, including tougher penalties, a new statutory tort for serious invasions of privacy and stronger OAIC powers.

Tranche 2 is where many of the "thorny" marketing and adtech issues will land, such as:

  • A new "fair and reasonable" test for data handling
  • Tighter consent rules and direct marketing provisions
  • New individual rights, including a potential right to be forgotten
  • Expanded definition of "personal information" to capture online identifiers and targeting data
  • Removal or modification of small business and employee exemptions

Timing for Tranche 2 remains up in the air. Commentators now expect it sometime in 2026 at the earliest, and that will depend on the political cycle.

So yes, there is uncertainty about the final shape and timing of the reforms.

However, what is certain is that there will be more accountability, more enforcement and higher expectations on how marketers collect, share and use personal data.

Technical data, personal information and the limits of "anonymous" tracking

While Tranche 2 is still being drafted, the OAIC (Office of the Australian Information Commissioner) has quietly done something that matters a lot more for day-to-day marketing: it has published detailed guidance on tracking pixels and privacy obligations, and it has started building that guidance into its enforcement posture.

The November 2024 guidance on tracking pixels makes a few key points that every marketer should treat as baseline:

  • Pixels are not banned. The Privacy Act does not prohibit pixels, but it does regulate how they are configured and used.
  • Technical data can still be "personal information". IP addresses, URL paths, device IDs and hashed emails can all be personal information if they can reasonably identify an individual once combined with other data.
  • Data minimisation is mandatory. You should configure pixels to collect the minimum data necessary for a clearly defined purpose.
  • Sensitive information is a red line. You must not disclose health, political, religious or other sensitive information to third party platforms via pixels without explicit consent.
  • Covert tracking is unfair. Collecting data without clear notice is likely to breach the requirement that information is collected in a fair and transparent way.
  • Overseas disclosure rules still apply. If your pixel sends personal information offshore, you are responsible for taking reasonable steps to ensure the recipient does not breach the APPs.
  • Direct marketing obligations still apply. If you are using pixels for targeted advertising, individuals must have a simple way to opt out.
  • "Set and forget" is no longer acceptable. You are expected to regularly review what tags and pixels are deployed, what data they collect and whether those practices remain compliant.

Australian Privacy Commissioner Carly Kind has been blunt about why this matters, describing many tracking tools as "harmful, invasive and corrosive of online privacy" and signalling a more enforcement-based approach while reforms are finalised.

In other words: you do not need Tranche 2 for your pixels to be a problem.

The TikTok pixel inquiry: a warning shot for marketers


The OAIC's preliminary inquiries into TikTok’s use of marketing pixels were a good case study in how the current law struggles with modern tracking.

The OAIC found that:

  • TikTok's pixels were capable of harvesting detailed behavioural and technical data across the web
  • There was no "obvious and clear contravention" under the existing Privacy Act that would justify a full investigation
  • Yet the Commissioner described tracking tools as harmful and called for faster reform, including a clearer definition of personal information and a fair and reasonable test for data handling

The message is subtle but important:

At the same time, the Commissioner has been explicit that entities deploying pixels on their own sites are responsible for how those pixels collect and share data, even when a large platform provides the code.

So if you are a brand or publisher letting third party pixels fire across your properties, "we did not know exactly what it collected" will not be a safe line to run.

Liability follows the data across your whole ecosystem

Many marketers still think liability stops at the point where they hand work to an agency, a publisher or a vendor.

The Privacy Act already cuts across that assumption:

  • Third party vendors often act as your agent in handling personal information
  • You remain responsible for taking reasonable steps to ensure their practices are compliant
  • Under the new tiered penalty regime and statutory tort, more types of privacy interference can attract serious penalties
  • Individuals now have more direct avenues to bring claims, not just OAIC-led actions

For marketers, that means:

  • Outsourcing campaign delivery does not outsource liability
  • Poorly governed martech stacks and opaque data-sharing chains are now legal risks, not just operational risks
  • Contract clauses that say "vendor will comply with privacy law" are not enough if your actual governance is weak

Your responsibility now spans your entire data ecosystem, from media publishers and ad networks through to analytics, CDPs, data brokers and AI tools.

From performance marketing to privacy first marketing


There is a tendency to frame all of this as a box-ticking exercise. It's not.

Three shifts matter for performance:

  1. Stronger penalties and enforcement powers
    The combination of Tranche 1 reforms and OAIC guidance means a higher chance of:
    1. Investigations into your tracking stack
    2. Statutory tort claims where individuals feel they have been unfairly tracked
    3. Significant civil penalties for "serious" and even "non-serious" interferences with privacy
  2. Rising public expectations
    Consumers are more aware of tracking, consent and data sharing. Dark patterns, vague privacy policies and opaque profiling erode trust, brand equity and conversion rates.
  3. Signal quality and platform performance
    Clean, consented, well-governed first party data is becoming the main competitive advantage in paid media. Privacy-by-design setups tend to:
    1. Improve match rates for conversions API setups
    2. Reduce platform "noise" from illegal or low-value events
    3. Make experimentation easier because your data is reliable

Fixing this is not an overnight exercise. Re-working data flows, renegotiating contracts, reconfiguring tracking and rolling out governance can take many months in a mid-sized organisation. That is exactly why waiting for Tranche 2 is such a risky strategy.

What marketers should do now

There is still time to move, but the window is not unlimited. A practical playbook looks something like this.

1. Map your tracking and data ecosystem

Create a live inventory of:

  • All pixels, tags and SDKs deployed across your sites and apps
  • All key events, parameters and audiences being captured
  • All destinations the data flows to, including ad platforms, analytics, CDPs, email tools, clean rooms and data partners
  • All third parties who can access that data, directly or indirectly

Use this to identify unknown tags, legacy pixels and undocumented data-sharing arrangements. The OAIC's pixel guidance and related checklists are a useful benchmark for what "good" looks like.

2. Reclassify what counts as personal and sensitive data

Work with legal and privacy teams to review what counts as personal and sensitive information.

  • Personal information
    Includes not just names and emails, but also IP addresses, device IDs, URLs, cookies, hashed identifiers and any data that can be linked back to a person.

    Just the other week we identified personally identifiable information (PII) in UTM parameters being fed into Google Analytics by a third party vendor that one of our clients has been using. We caught it early, but it could have turned into a much bigger problem down the line.
  • Sensitive information
    Health data, political or religious views, union membership, sexual orientation and other categories with higher protection.

Then identify any flows where sensitive information could be inferred from URLs, page content or events and is being passed upstream to platforms.

3. Minimise and reconfigure tracking

Once you know what you have, start reducing and tightening:

  • Remove pixels that are no longer needed or that provide marginal value
  • Limit event parameters to what is genuinely required for measurement or optimisation
  • Avoid passing direct identifiers unless you have a strong legal basis and explicit consent
  • Tune server-side tagging and conversions API setups to support data minimisation, not just work around browsers

This is where marketing performance and compliance often align. Cleaner event sets tend to improve optimisation and reduce platform confusion.
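The UTM leak described in step 2 and the parameter minimisation in step 3 can both be checked mechanically. The function below is an added example, not code from the original post or from Lemonade: it audits a page URL's query string for values that look like direct identifiers (emails, Australian phone numbers, parameters named like customer IDs) and returns a redacted URL a tag manager could hand to pixels instead of the raw page URL. The parameter names, patterns and sample URL are assumptions constructed for the example.

```javascript
// Added example: detect and redact PII-looking values in URL query
// parameters (including utm_*) before a tag or pixel reads the page URL.
// Patterns and the list of identifier-style parameter names are assumptions.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Australian landline/mobile after spaces and dashes are stripped:
// +61 or leading 0, one area/mobile digit, then 8 digits.
const AU_PHONE_RE = /^(\+61|0)[2-478]\d{8}$/;
// Parameter names that should never carry a direct identifier at all.
const DIRECT_ID_PARAMS = new Set(["email", "phone", "mobile", "customer_id", "cid"]);

// Returns the kind of PII a (name, value) pair looks like, or null if clean.
function classifyValue(name, value) {
  const v = value.trim();
  if (EMAIL_RE.test(v)) return "email";
  if (AU_PHONE_RE.test(v.replace(/[\s-]/g, ""))) return "phone";
  if (DIRECT_ID_PARAMS.has(name.toLowerCase())) return "direct-identifier";
  return null;
}

// Audits every query parameter of a URL. Returns the findings (parameter
// name and PII kind) and a copy of the URL with offending values replaced,
// so analytics and pixel tags can be fed the redacted form instead.
function auditUrl(url) {
  const u = new URL(url);
  const findings = [];
  // Snapshot entries first: URLSearchParams decodes values for us.
  for (const [name, value] of [...u.searchParams.entries()]) {
    const kind = classifyValue(name, value);
    if (kind) {
      findings.push({ param: name, kind });
      u.searchParams.set(name, "redacted");
    }
  }
  return { findings, redacted: u.toString() };
}

// Constructed sample: a newsletter link where a vendor placed the
// recipient's email in utm_term and a customer id in cid.
const SAMPLE_URL =
  "https://www.example.com/landing?utm_source=newsletter&utm_medium=email" +
  "&utm_term=jane.doe%40example.com&cid=12345&utm_campaign=spring";

const report = auditUrl(SAMPLE_URL);
console.log(JSON.stringify(report, null, 2));
```

Wire `auditUrl` into the tag manager's page-URL variable so that pixels receive `report.redacted`, and log `report.findings` to catch the vendor that introduced the leak.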

4. Refresh transparency and consent

Your privacy notices and consent flows should now explicitly address:

  • Which third party pixels and platforms you use
  • What categories of data they collect
  • What you use that data for, including profiling, targeting and data matching
  • Whether data is sent offshore, and to which types of recipients
  • How people can opt out of targeting or withdraw consent

Avoid vague language like "we may share your information with selected partners". The regulator and your customers both want clear, plain English.

5. Tidy up contracts and vendor governance

Review your arrangements with:

  • Media agencies and publishers
  • Analytics, CDP and marketing automation vendors
  • Clean room providers and data enrichment partners

Contracts should now include, at minimum:

  • Clear allocation of privacy responsibilities
  • Data processing and sub-processor obligations
  • Restrictions on re-use of your customer data
  • Audit rights or assurance mechanisms
  • Breach notification requirements that line up with your own obligations

Then back this up with actual governance, not just paper. For example, periodic tag audits and vendor questionnaires rather than blind trust.

At Lemonade we review all tags for clients regularly, and perform in-depth audits of tags at the start of each new year.

6. Treat clean rooms as governance tools, not loopholes

Data clean rooms, hashed emails and lookalike audiences are all now in the regulator’s sights. The OAIC’s pixel guidance and industry commentary are clear that simply hashing emails or using an “anonymous” environment does not take you outside the Privacy Act if individuals remain reasonably identifiable.

If you use a clean room, treat it as:

  • A structured environment with strong access controls and documented use cases
  • A tool to support privacy-by-design experiments, not a way to stretch the definition of personal information

7. Clarify internal accountability

Finally, make privacy and data governance part of how you run marketing:

  • Assign a clear owner for marketing data governance
  • Train marketing, media and analytics teams on the basics of the Privacy Act and OAIC guidance
  • Build privacy checks into your campaign briefing and sign-off process
  • Report privacy risks alongside performance metrics to senior leadership and the board

Privacy is no longer just for the legal team or IT. It is now a core responsibility for marketing teams as well.

Do not wait for Tranche 2

Australia's privacy laws are changing fast, but the expectations of regulators and consumers have already shifted.

The brands that invest in responsible data governance now will:

  • Reduce their legal and enforcement risk today
  • Be better positioned when Tranche 2 lands
  • Build stronger, more durable, trust-led relationships with their audiences
  • Improve the quality of the data signals that actually drive performance across channels like Google and Meta Ads

Useful resources:

https://www.oaic.gov.au/news/media-centre/oaic-publishes-guidance-on-tracking-pixels-and-privacy-obligations

https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tracking-pixels-and-privacy-obligations
