Australian Privacy Act Reform and Its Impact on Loyalty Programs





Early last year the Australian Government released the Privacy Act Review Report [1]. Its aim is to strengthen the protection of personal information and the control individuals have over their information, effectively bringing the Privacy Act into the digital age. It will replace the current Act, which was signed into law in 1988, so it is timely if not rushed.

In our white paper ‘The Future of Loyalty Programs’ we predicted the proposed changes will dramatically restrict how customer data can be harvested for digital marketing and directly impact the loyalty program industry. How much will depend on two factors: the volume of customer data you already have, and how well you know how to use it.

Below we share some of the expected changes in the Privacy Act that may affect your loyalty program.


Information handling

Currently, management of personal information is the responsibility of the consumer, and this assumes they understand each brand’s privacy policy and the different methods of data collection across the many brands we do business with. The Australian Government believes that many consumers do not understand the risks, and they have very limited control over their personal information. The updated Privacy Act aims to help protect individuals now that the collection of data has become more sophisticated through technological advancement, such as screen scraping and AI.


Security of personal information

With the increasing volume of data captured and the rapid pace of technological advancement, data breaches have become more frequent. The changes to the Privacy Act will address the need for more security and proper destruction of personal information. It’s believed that businesses holding personal information for longer than is necessary are increasing the risk of data breaches and allowing systems to be compromised. Under the Notifiable Data Breaches scheme, businesses have 72 hours to notify the Information Commissioner and to take steps to respond to the data breach, including to customers.


Targeted direct marketing

The proposed new Privacy Act recommends clearer distinctions between traditional forms of direct marketing such as email and SMS communications and the targeting of personalised content and advertising online.

Consumers will have the right to opt-out of their personal information being used or disclosed for direct marketing purposes. Businesses will also be asked to outline the use of algorithms and profiling to recommend content to individuals. These measures will give consumers more choice and control over their personal data.


Improve transparency

Currently, individuals are provided limited transparency and control over their personal information. It’s now expected that individuals can access meaningful information about how their personal information is handled. It’s believed that current concerns consumers have are often poorly handled. Standardised icons, layouts, and phrases could be introduced to support consumers better.


Individual rights

Consumers will have the right to access personal information that any business holds about them. If the information is inaccurate, outdated, incomplete, irrelevant or misleading, the business must take reasonable steps to correct the information. Individuals may also…

  • Request an explanation of what personal information is held and what is being done with it through an enhanced right to access.

  • Challenge the information-handling practices of an entity and require the entity to justify how its information handling practices comply with the Act.

  • Require an entity to delete (or de-identify) personal information through a right to erasure.

  • Request correction of online publications over which an entity has control.

  • Require search engines to de-index certain online search results.


The Government also believes that individuals should be able to seek compensation via ‘a direct right of action’ for data breaches as a step to help improve individuals’ control over their personal information. Currently, businesses with an annual turnover of $3 million or less are exempt from certain privacy regulations. The proposed changes will ensure that all businesses, regardless of turnover, are responsible for protecting consumer data.


While many new restrictions are outlined for businesses, at Ellipsis, we believe these changes create new opportunities. Loyalty programs allow businesses to start collecting first-party data and use it more efficiently by identifying when customers are ready to buy again. This data helps better understand customer needs, moving away from mass discount offers.



We are Ellipsis, the Loyalty Experts. We help you measure, manage and grow customer loyalty. We’re here to help; please get in touch.




1. Government response to the Privacy Act Review Report
