Privacy expert Peter Leonard (pictured) has said that the advertising industry “has only itself to blame” for the perception that targeted digital advertising is creepy and the sweeping changes proposed in the Privacy Act Review Report.
“[The] industry in one sense, has only itself to blame for the government hearing that targeted advertising is a creepy and excessive use of personal information,” Leonard told B&T.
Speaking after his panel discussion about privacy, data and cybersecurity at the Australian Data and Insights Association (ADIA), Leonard said that adland had not properly explained how online advertising works to legislators and consumers.
“Industry hasn’t explained how much audience segmentation-based advertising is actually done and can be done or should be done using privacy-enhancing technologies, data clean rooms and without identification of the relevant consumers targeted.
“Industry has not engaged with the regulators or the policymakers as to what good targeted marketing practices might look like.”
Leonard, who is a principal at Data Synergies Pty and a professor of practice, UNSW Business School added that the industry needs to re-engage with regulators to avoid the existential threat of the Privacy Act reforms.
“The industry needs to engage with Canberra and explain why Canberra should not be regulating the use of de-identified information and, indeed, how that regulation use of de-identified information might actually be counterproductive. [Regulation] may lessen the incentive for organisations to use proper de-identification techniques in order to target particular audience segments,” he explained.
Fellow panellist and global and Asia Pacific cybersecurity consulting leader at EY, Richard Watson added that to consumers “perception is reality.
“The challenge in this space is that we’re dealing with such complex technical terms and the average consumer doesn’t appreciate it or take the time to appreciate and so perception has overtaken reality,” he explained.
“There needs to be another look at the way in which companies communicate with their customers in terms of what they are doing… dumbing down the messaging and making it a mainstream value proposition of an organisation or product of communicating in layperson’s terms.”
The proposed changes to the Privacy Act include sweeping redefinitions of targeting and data trading and would effectively outlaw any online user segmentation — even exclusion targeting to prevent wagering ads being shown to problem gamblers or ads for alcohol being shown to children. Numerous industry bodies have been up in arms about the proposed changes that go further than any similar regulations from overseas.
“The broad thrust of the reforms is, as I would have expected, more restrictive and demanding as to organisations handing data and, in particular, the data used for marketing proposes,” said Leonard.
“The most unusual aspect is the proposal to extend regulation of targeted marketing to include the use of de-identified audience segments for segmented offers. That is very unusual in global terms,” Leonard explained.
“The only place that regulates targeting in that way is the European Union in its new regulation of the global data platforms and then only in respect of those give declared global digital platforms… It is unusually restrictive and not in line with international good regulatory or legislative models and is, arguably, excessive.”
The Privacy Act reforms also look into cybersecurity which, following the Optus, Medibank and Latitude data breaches, has become a hot-button issue in Canberra. The affected brands’ reputations suffered greatly in the weeks following the breaches but, according to Watson, this damage could easily have been mitigated.
“People forgive data breaches until they hear that it was a result of a basic error. There is a certain minimum standard that we expect these big organisations to have and when they don’t show that they have taken due care, that’s when we get upset,” he said.
Watson said that communication with customers was key in the first week or two after an incident and that much of the communication strategy could be planned in advance.
“To handle that period well, you need to have prepared well in advance. You need to have been through the simulations, you need to have an executive board agreement on the approach that will be taken. You need to have all these statements prepared so they are not written in the heat of battle and you need to be as transparent as possible as quickly as possible,” he added.
In fact, of the high-profile data breaches Leonard said that only the New South Wales Department of Customer Service handled the post-breach period well.
“Its communication with affected individuals probably reflected the fact that Victor Dominello, the then-minister had set himself up as somebody very concerned with responsible data practices and transparency to citizens. It seems an odd thing to say that maybe a New South Wales government department did it better than any of the very large and sophisticated corporate actors.”
Watson added that as the breaches happened in turn, the “furore” around each declined.
“The first bore the brunt of it but there was a collective learning on how to put a unified front together and a pragmatic approach to solving issues. Frankly, the Optus one wasn’t the worst in terms of its consequences but they got the most heat which some might say was unfair.”
However, the one thing no brand should ever according to Leonard is to say “We take data privacy and data security seriously” as it prompts a “sceptical” reaction.
“Organisations need to think more creatively about how they engage with their customers as to their data practice,” he explained.
Google and Facebook’s “use of videos, cards, animations and the use simplified explanations of what they do” are, in his mind, the gold standard that brands should be looking to achieve.
Lead image credit: UNSW
