In today’s rapidly changing landscape, the urgency for Australian retailers to prioritise privacy and data protection cannot be overstated. Failure to act not only exposes them to regulatory penalties and cyber risks but also puts their entire existence at stake.

Research supports this grim tale, revealing that losing consumer trust costs brands upwards of AU$3.78 trillion per year. And when it comes to security breaches, the Australian government is coming down hard with maximum penalties set at AU$50 million or 30 per cent of the company’s Australian turnover in the breach turnover period.

The cost of lost consumer trust, both financially and reputationally, serves as a stark reminder that in today’s landscape, safeguarding privacy is not only a legal obligation but also a critical aspect of long-term success. Considering a worrisome 11 per cent of brands say they have a clear path to preparing for this sweeping change, according to recent Arktic Fox research, that means nearly 90 per cent are left woefully unprepared.

The urgency for retailers to act now on privacy

The privacy problem is nothing new. In fact, Australia’s Privacy Act was put into action back in 1988. So why the urgency now? Well, there are at least three main forces at play here, namely:

  • Global pressures: From the EU General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), more than 120 countries around the globe have established privacy and security regulations that protect residents’ data privacy and security. This sparked the review for Australia’s Privacy Act review, which aims to better align Australia’s laws with global standards of information privacy protection and properly protect Australians’ privacy.
  • Major cyber breaches: High-profile data breaches, such as those experienced by Optus and Medibank, have significantly heightened people’s awareness of cyber security. And the continuous media coverage of these incidents serves to further reinforce their concerns and perceptions.
  • Apple’s privacy push: Privacy changes make “renting” audiences an unsustainable practice. Apple’s changes to Identifier for Advertisers and Google’s plans to remove third-party cookies by the end of 2024 mean retailers will soon face a virtually cookieless future.

Understanding the changing landscape

Chris Brinkworth, a media and marketing technology executive with a history of delivering innovative strategic projects across global markets, was recently a guest on my podcast. If you’re not familiar with his story, Brinkworth was at the forefront of the third-party cookie revolution in the ‘90s. “Dropping cookies” to collect more data and target people in new ways was a main KPI throughout the first half of his professional career.

As they say, “When you know better, you do better” and looking back, he takes issue with the way things were done to target consumers. “I’m kind of like the tobacco industry guy that suddenly realised all the harm he’s done,” Brinkworth shares. “I’m looking at everything I’ve learnt over the years, thinking how can I undo what’s been done and get involved in this privacy movement in advertising and marketing.”

He likens what’s happening in the marketing and advertising landscape of late to bookends. “On one end, global laws have changed in regard to how we conduct measurement. There’s cookie deprecation. And just the other day Apple announced removing any kind of link decoration within mail, messages and so on. This bookend is frustrating to marketers. It’s something they’re trying to come to grips with,” Brinkworth explains.

“On the other side of the coin, which is the not-too-distant future, there are changes to the Australian Privacy principles. If we were to look at that in isolation, as an industry, there’s obviously this frustration. However, if we step outside of that, we’re also humans. We have families and should be having an active conversation, becoming involved in this when it comes to the government’s requests. We must put forward what we feel is right as both citizens and industry folks.”

The compliance blame game: It’s not you, it’s your legacy systems

The frustration is there no matter how you spin it. But arguably, what’s worse is the majority of APAC retailers are simply not ready for these changes. However, for a lot of them, it’s not their fault. Change happens so rapidly that it can be challenging to keep up. At the same time, agencies aren’t providing ongoing education to keep employees up to speed.

If they’re looking to place the blame somewhere, it should fall on their legacy systems. “The hygiene of old legacy zombie tags are on their site, potentially leaking data,” Brinkworth points out. “Yet, the people in that business or brand often feel like it is their fault. They have their heads in the sand because they don’t even want to start this conversation.

“So when we go into a meeting with the head of digital media buying, CTO, head of experience, SEO expert, etc and go over the data that’s being collected on their website line by line, it’s almost a cathartic release.

“They begin to realise that it’s not their fault. It’s fascinating to see how everyone gets this renewed kind of excitement on what they’re going to stop, so they can finally go back to their risk folks and internal legal counsel to say, ‘This is what we’re collecting, and here’s why we’re doing it.’”

A customer data disaster: How you could be setting yourself up for a privacy breach, unknowingly

It’s common for retailers to have customer data that’s out-of-date, incomplete, incorrect or duplicated. However, with privacy laws tightening across the globe, this ‘messy data’ is setting them up for a customer data disaster.

Recently, New Zealand’s largest retail group found this out the hard way. It has been building out its loyalty program, already boasting one-million members strong. The retail group also has 4 million unique customer identities in its Salesforce stack.

The retail group’s confidence in the strategic advantage of “growing first-party data across all our brands” was put to the test when a journalist decided to investigate further. Under a Privacy Act request, she sought her own data but received more than just her information. Surprisingly, the data provided also included details of several other individuals who shared the same name – a privacy breach, according to the Privacy Commissioner.

The journalist knew she had shopped at the retail group 52 times in the last three years (from her credit card transactions) and it had data on:

  • 47 of these transactions, including items purchased, store, price paid, date and time
  • 38 of the purchases had been online and five had been in-store and identified through her loyalty program membership

The retail group used her customer data to send her:

  • 50 emails over three months (none of which she’d clicked, opened or purchased from)
  • 50 app push notifications (but no data on her actions on those notifications)

This was the first time this large retail group has ever had to supply data like this. And, it probably won’t be the last.

The moral of the story? Understand what data you have. Until you can confidently do that, you will be exposed to privacy breaches. A CDP (customer data platform) like Amperity can help you make sense of your messy customer data. In particular, a CDP can help you ensure compliance with Australia’s current privacy act by providing capabilities that fulfill data privacy use cases. It can help you manage access to customer data and, importantly, efficient retrieval when requested, in accordance with privacy principles.

The future of retail data compliance is ‘first-party’

Looking toward the future, the evolving privacy landscape presents several challenges but also numerous opportunities for retailers. As consumer expectations and data regulations continue to evolve, retailers have the chance to differentiate themselves by prioritising privacy and data protection.

By taking proactive steps to build trust and transparency, retailers can forge deeper connections with their customers and create personalised experiences that genuinely resonate. Embracing privacy as a strategic priority not only mitigates risks but also unlocks the potential of data-driven insights, enabling retailers to make more informed decisions and drive meaningful growth. 

Billy Loizou is APAC area vice president at Amperity.