The Future of Digital Advertising in the Post Digital Platforms Inquiry World

(this is the content of a presentation given by Stephen von Muenster on 20 November 2020 at the Mumbrella 360: Reconnected conference)

Who could imagine weathering this COVID-19 pandemic without the innovations and connectivity brought by digital platforms. The benefits of digital platforms to society have been immense and have also enabled efficient and effective advertising, and facilitated connections with consumers.

However, with this innovation came the ‘dark side’ of this technology where consumer interests have become obfuscated. Following high profile data breaches, the Australian Competition and Consumer Commission (ACCC) launched its Digital Platforms Inquiry in July 2019. The consequences of this inquiry and the changes to the regulatory landscape will, in our view, be almost be like a COVID-19 for digital.

This article will provide an overview of the Digital Platforms Inquiry (DPI) and follow-ons, highlight the focus on the protection of consumers and their privacy/personal data, touch on current Regulator Court actions relating to consumer privacy and data, and what the future may hold. This article is part of a series that we will be releasing where we navigate these issues in more depth and provide updates and insights as the law and regulation evolve.

Overview of the DPI & follow-on Responses, Reports & Investigations


The ACCC is the independent Commonwealth statutory authority whose role is to enforce the Competition and Consumer Act 2010 (Australian Consumer Law) a piece of federal legislation which focusses on the protection of consumers.

In December 2017 the ACCC, directed by the Federal Government, was asked to consider the impact of search, social and content on all stakeholders and consequently conducted their DPI.

Digital Platforms Inquiry Final Report

Released on 26 July 2019, the DPI Report spans 600+ pages and confirms law and regulation have not kept pace with technology and commercial practice. The DPI Report places a particular focus on the protection of consumers’ privacy and data, standards of consent, and transparency of data handling.

In this report, a Digital Platforms Branch was recommended and is now established to conduct investigation and prosecution.

The DPI Report has deliberately targeted the ad tech supply chain and interaction of digital platforms, online advertising and ad tech services. The recommendations have ramifications for businesses in programmatic advertising including advertisers, media agencies, ad tech platforms and publishers.

Government Response

On 12 December 2019, the Federal Government responded to the DPI Report with a detailed roadmap for policy and law reform. This is now the beginning of intense investigations, court cases, and law reform that will likely occur over the next decade.

Ad Tech Inquiry

In March 2020, the ACCC released an issues paper  for inquiry into the tech stack. Many agencies and advertisers responded, including the MFA. The ACCC seems to be zeroing in on the complexity and opacity of ad tech and ad agency services –stating that “… online display advertising practices certainly warrant some digging.

The ACCC must provide its final report to the for Federal Government by 31 August 2021, and then there will be new law enacted most likely with a transparency focus.

Interim Report

On 23 October 2020, the first interim report was released by ACCC. This report focused on consumer protection issues of messenger services including Facebook Messenger, WhatsApp, iMessage & FaceTime.

Consumer Protection – Privacy & Personal Data – Choice, Consent, Control

The ACCC’s view

The ACCC places significant importance on consumer’s being able to make ‘informed choices’ about the handling of their data. They are of the view that the current practice of platforms means that consumers are unable to assess the current and future consequences of providing their data.

In the ACCC’s view the practice of using clickwrap agreements, take it or leave it consents, and bundling numerous consents is very problematic and results in legally questionable consumer consent.

They also consider that Privacy Policies that are too long, complex, vague and difficult to navigate are problematic and furthermore it is an issue that consumers may not be made aware about targeted advertising and third-party data sharing within these Privacy Policies.

Businesses with Privacy Policies that ostensibly protect consumers, but where the policies are not followed in practice, are in the ACCC’s view also problematic.

Generally, it is the ACCC’s position that Australian privacy regulation should be more closely aligned with the GDPR’s higher standards of protection.

The OAIC’s view

The Office of the Australian Information Commissioner (OAIC) is the national privacy regulator and has supported many of the ACCC’s recommendations in the DPI, and has suggested additional protections for consumers.

The OAIC believes that the threshold for consumers providing their consent should be aligned with the GDPR’s standards and enable graduated consent (consent to different uses over time) and tiered consent (consent to giving more PI in exchange for different products or levels of services).

The OAIC is of the view that there should be a right to object by individuals for specific data collection purposes, and that there should be compensation under the Privacy Act 1988 (Cth) (Privacy Act) for interference with privacy.

They also challenged anonymous and de-identified data as a PI protection method due to AI and data analytics technologies and think that the law should treat all data as PI (see below our Big Bets).

Current regulator Court actions relating to consumer privacy & data

Court actions – privacy & data

Below are some examples of current regulator court actions. There is a pervading theme throughout these cases where the issue is one of the consumer being given the opportunity to make an informed choice, provide informed express consent, and retain control. In such cases we see that the ACCC and the OAIC are increasingly willing to bring actions against companies.

The ACCC’s offensive actions

Stealing a march on the OAIC and not waiting for new law to fall out of the DPI process, the ACCC is using misleading and deceptive conduct provisions under the ACL to bring businesses with data as their center of gravity to heel.

On 20 August 2020, Health Engine was found liable for collecting and disclosing users’ personal data and patient information to insurance brokers without consent and for publishing misleading patient reviews and ratings and was issued a $2.9 million fine.

On 29 October 2019 in proceedings against Google the ACCC claimed that Google breached Australian Consumer Law through misleading conduct and false representations made via phone screens about the sensitive and valuable personal location data it collects, keeps and uses (for numerous purposes). This was largely (in part) due to the fact that the consumers were unable to make an informed choice on sharing this data with Google.

On 27 July 2020, further proceedings were brought against Google  with the ACCC alleging misleading conduct by Google in obtaining consumer consent to expand the scope of PI that Google could collect and combine about internet activity for various purposes including targeted advertising. The ACCC alleges Google misled consumers when it failed to properly inform consumers and due to the fact that there was a failure to obtain explicit informed consent.

If Google is found liable, the fine is likely to be many millions and the precedent will have a profound impact on data and PI collection, use and disclosure by businesses.

The OAIC’s offensive actions

Sensing a move into its territory and not to be outdone, the OAIC has now launched its own action against a tech giant.

On 9 March 2020 the OAIC issued proceedings against Facebook alleging it committed serious and repeated interferences with privacy in breach of the Privacy Act.

The allegation is that PI of Australian Facebook users was disclosed to the “This is Your Digital Life” app (and possibly Cambridge Analytica) for a purpose other than its disclosed purpose of collection. It alleged that there was an inability of users to exercise reasonable choice and control about how their PI was disclosed.

In this case, the OAIC is seeking a penalty for each act of disclosure of PI and consequently, the penalty could theoretically be as high as $500 billion. The precedent that this may set will also have a profound impact on data and PI collection, use and disclosure by businesses.

The Future?

The DPI Final Report, ACCC’s recommendations, Federal Government response, establishment of the Digital Platforms Branch, current inquiries and prosecutorial vectors of the ACCC and OAIC point to a significant future impact on any business with data and PI as their center of gravity.

Significant court cases are already underway against the big platform players even before DPI Report spawned laws have hit the statutes.

All businesses involved in programmatic services will be impacted – advertisers, media agencies, publishers and suppliers in the middle layers of the ad tech stack (SSP’s, DSP’s, DMP’s, Ad X) as will businesses that rely on consumer data driven business models eg sale of segment data for targeted advertising or customer loyalty schemes.

Here are some of our Big Bets on what is coming in the future:

  • Consumer Data Rights are now in play, and regulation has already started in the banking sector;
  • The Media Bargaining Code for tech giants to pay for news content comes in December 2020, stay tuned for updates on this;
  • Significantly increased regulation of Ad-tech industry, advertising and media agency services;
  • The Privacy Act will be amended to align with the GDPR and there will be the introduction of increased penalties;
  • OAIC Privacy Code for Digital Platforms will become enforceable;
  • Privacy Act definition of ‘personal information’ will be broadened to include technical and location data, IP addresses and cookie tracking and businesses that previously relied on using so called “anonymized” data will have to be reduced;
  • Stricter notice and consent requirements for use of data, and thereafter businesses will need to upgrade their methodologies for acquiring consent in their Privacy Policies; and
  • There will be a new individual right of action for interference with privacy/cyber harm.

Businesses that engage with and embrace the change will have the commercial advantage, in particular businesses that:

  • Engage with and have a consumer rights and respect focus;
  • Have technological ability and agility;
  • Are transparent with compliance as part of their business model;
  • Have auditability;
  • Have strong contracts with suppliers;
  • Have very fair and transparent contracts with consumers;
  • Ensure data hygiene in terms of full disclosure and express unbundled consent via active opt-ins; and
  • Have modern collection disclosures and Privacy Policies which are simple to understand with no bundling of consents and are actually followed by the business.

Concluding remarks

Businesses need to start immunising themselves now and prepare for the changes to come. Aligning practices, disclosures, and consents with the GDPR would be a good place to start in the absence of specific new law at present.

von Muenster Legal will continue to provide updates and guidance to the industry as the nature and extent of changes to the law become known.

Article by Stephen von Muenster, Partner and Founder of von Muenster Legal.