Privacy & Data Compliance
Data & Tracking
Also: Data privacy · GDPR · Privacy Act · Consumer data rights
Quick definition
Privacy and data compliance in marketing covers the legal obligations and ethical standards for collecting, storing and using consumer data. In Australia, the key framework is the Privacy Act 1988 and the Australian Privacy Principles (APPs), with the Consumer Data Right (CDR) expanding individual control over financial and energy data.
Where it shows up in the data
13 principles that govern how organisations with annual turnover above $3M (and some others) handle personal information. Cover collection, use, disclosure, storage and access.
The basis on which you collect and use personal data. Consent must be informed, specific and freely given. Pre-ticked boxes and buried privacy notices do not constitute valid consent.
Australian businesses covered by the Privacy Act must notify the OAIC and affected individuals when a data breach is likely to result in serious harm. There are strict timelines and content requirements.
Software that collects, records and manages user consent for cookies and data processing. Required for businesses with international users under GDPR and increasingly expected in Australia.
What it actually means
Every time you collect an email address, install a tracking pixel or build a retargeting audience, you are processing personal data. Privacy law determines what you can and cannot do with that data. For marketers, the practical implications are: you need consent before sending marketing emails, you need to disclose how you use tracking cookies, and you need a process for responding when someone asks you to delete their data.
Privacy is not an IT problem or a legal problem. It is a trust problem. And trust is the foundation of every marketing relationship.
How it shows up
Privacy compliance shows up in consent rates on your cookie banner, email unsubscribe rates, email list growth (opt-in vs imported), cookie consent rate in GA4, and whether your ad platform audiences are built from consented first-party data or inferred data.
The Australian context
Australia's Privacy Act currently exempts businesses with under $3M annual turnover from most provisions, but this is under review. The proposed reforms would remove the small business exemption entirely. Additionally, Australia's Spam Act 2003 applies to all businesses regardless of size and requires express consent for commercial electronic messages.
Common questions
Does the Australian Privacy Act apply to my small business?
The Privacy Act currently exempts businesses with annual turnover under $3M, with some exceptions (health service providers, businesses that sell or buy personal information). However, the Spam Act applies to all businesses. And the proposed Privacy Act reforms may remove the small business exemption entirely.
What is the difference between GDPR and Australian privacy law?
GDPR is a European regulation that applies to any business processing EU residents' data, regardless of where the business is based. Australian Privacy Principles (APPs) apply to eligible Australian businesses. If you have European customers, you likely need to comply with both. GDPR is generally stricter than current Australian law.
About New Rebellion
New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.