
Privacy Awareness Week 2025: What organisations need to know about consent and compliance


Privacy Awareness Week 2025 comes at a moment of real change in Australia’s regulatory landscape. Tranche 1 of reforms to the Privacy Act 1988 is now largely in effect, with more far-reaching changes expected in Tranche 2. Already, organisations must grapple with strengthened requirements and regulatory expectations around transparency, data management and security, and, for the first time in Australia, the introduction of a new statutory tort for serious invasions of privacy.

At the same time, the Spam Act 2003 continues to operate as a parallel and complementary regime regulating how organisations can engage with individuals via electronic marketing. The two frameworks are increasingly converging where they focus on consent, transparency, and individual control, and both are now being more actively enforced. The ACMA actively pursues organisations that breach consent and unsubscribe requirements, while the OAIC is stepping into its expanded role with new enforcement powers and clearer expectations.

From compliance to value preservation

Privacy and marketing compliance is no longer just about staying off a regulator’s radar; it’s about preserving and growing brand value, customer trust, and long-term business resilience.

Leading organisations are treating privacy, data governance and consent management as strategic disciplines – ways to differentiate themselves in the market, reduce friction in customer journeys, and demonstrate respect for individuals’ autonomy.

The opportunity here lies in getting privacy right. Done well, strong data management and consent practices can build engagement, reduce complaints, compliance costs and risk, and deliver better quality data and stronger commercial outcomes. Organisations that are getting this right are increasingly treating privacy and consent as a core business asset and brand differentiator, not a friction point.

What meaningful consent looks like in 2025

Under the Privacy Act 1988, consent is only required in limited situations — for example, when handling sensitive information, or where information is used or disclosed for a secondary purpose outside of reasonable expectations. Under the Spam Act 2003, consent (either express or implied) is always required for electronic marketing.

Both regulators — the OAIC and ACMA — have signalled that express consent is the standard they expect organisations to obtain. That is consent that is informed, voluntary, current and specific, given by someone with capacity, and able to be withdrawn at any time.

Why does this matter in practice?

  • Express consent gives organisations more flexibility in marketing than inferred consent (which is limited to goods and services directly related to an existing relationship).
  • Express consent is easier to demonstrate if challenged.
  • It may also support more robust targeted advertising practices in light of anticipated reforms.

Looking ahead, Tranche 2 of Privacy Act 1988 reforms is expected to bring major changes to the rules on targeting, profiling and direct marketing. These may include:

  • a legal right to opt out of personalised marketing;
  • a prohibition on targeting children under 18 (except in limited circumstances);
  • a broader definition of “targeting” that captures behavioural and inferred traits;
  • a new “fair and reasonable” test to apply to targeting activities; and
  • a ban on targeting using sensitive information (unless for a clear benefit).

These changes will require a fundamental rethink of how organisations use customer data in advertising and engagement.

Technology can help — but policy still matters

Many organisations are investing in consent management platforms, suppression tools and preference centres to meet these evolving standards. These tools can be highly effective — but they must be supported by:

  • clear internal policies and governance;
  • employee training across key business units; and
  • accurate and centralised records of consent and customer preferences.

These tools are not a substitute for sound governance. Without clear policies, cross-functional accountability, and a culture of privacy, even the best technology can fall short of regulatory and customer expectations.

Looking ahead: AI, automation and the new consent paradigm

Finally, as AI becomes more integrated into customer experiences, from recommendation engines to digital agents, the concept of consent is evolving again. Transparency in this context requires a deep understanding of how AI systems use and infer personal information, and how decisions are made or influenced.

To meet the transparency obligations around automated decision-making from the Tranche 1 updates to the Privacy Act 1988 and align with emerging AI regulatory guidance, organisations must be able to explain:

  • how a system processes personal information;
  • what inferences are being drawn; and
  • how this information is being used to target, personalise or automate decisions.

As AI becomes more embedded in customer engagement, organisations will need to lift their technical and legal literacy — not only to meet emerging compliance standards, but to maintain stakeholder trust.

Where to from here?

For customer-facing businesses, like banks, insurers, retailers, and digital platforms, this is a critical time to revisit how consent, personalisation, and marketing practices intersect with compliance obligations. The organisations that succeed will be those that embed respect for privacy into their engagement strategy — not just their terms and conditions.

Now is the time to assess whether your consent and marketing practices:

  • reflect the current legal requirements;
  • are consistent across platforms and teams;
  • are technically and operationally supported; and
  • are ready for the next wave of reform.

How we can help

At HWL Ebsworth, we help clients navigate complex privacy and marketing laws with clarity and confidence. Our advice is practical, strategic and tailored to your risk profile and customer engagement model.

We can support your organisation with:

  • Privacy Act 1988 and Spam Act 2003 compliance audits, including customer journeys, marketing practices and data handling processes;
  • consent and preference management reviews, with practical guidance on when consent is required, and how to obtain and document it effectively;
  • design and implementation of privacy governance frameworks, including internal policies, suppression rules and cross-business training;
  • advising on targeting, profiling and personalisation strategies, including in the context of marketing and digital product design;
  • regulator engagement, including responding to OAIC and ACMA inquiries and investigations; and
  • preparation for Privacy Act 1988 reforms, including tailored advice on the Tranche 1 changes now in effect and proactive planning for Tranche 2.

Whether you’re seeking to elevate your privacy posture, reduce regulatory risk, or design marketing strategies that respect and retain your customers’ trust, our team is here to support you.

Please get in touch if you would like to explore how we can assist your organisation.

This article was written by Amber Cerny, Partner and Lucy Hannah, Special Counsel.

Important Disclaimer: The material contained in this publication is of general nature only and is based on the law as of the date of publication. It is not, nor is intended to be legal advice. If you wish to take any action based on the content of this publication we recommend that you seek professional advice.
