Episode 18

When preparing for privacy reform, privacy by design is key | Chris Brinkworth, Civic Data

Civic Data managing partner Chris Brinkworth joins Anthony and Kris to dive deep into the issues of privacy regulation, following the announcement that the reform of Australia’s Privacy Act will be brought forward to August. They cover the challenges of third-party data, the “fair and reasonable” test, and why companies responding to privacy law must focus on “privacy by design.”

Topics discussed:

  • Can companies invest in technology with the confidence that the technology won’t be banned due to a privacy law?
  • Many companies have a blind spot when it comes to third-party data
  • The upcoming reform of Australian privacy law
  • What is the “fair and reasonable” test?
  • Why privacy by design is essential in a world of increasing privacy regulation
  • How he acts as a “marriage counsellor” for marketing, privacy, and procurement teams.
  • The importance of privacy impact assessments in ensuring compliance
  • The unique challenge facing small and medium businesses looking to prepare for privacy regulation.



Anthony Woodward

Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulations, records, and governance. I'm Anthony Woodward, CEO of RecordPoint, and with me today is my co-host, Kris Brown, RecordPoint's VP of Product Management. How are you, Kris, today?  

Kris Brown  

I'm excellent, Anthony.

We are both in the same continent for the first time, sitting here in Seattle.  

Anthony Woodward

Yes, indeed. And it is a sunny, lovely day here in Seattle, actually getting above 25 degrees Celsius. For those in Fahrenheit, that's a little over 70, if my math is correct. This is a guest on FILED that I've been waiting some time to have on and had a conversation with, but at a very opportune moment, we have Chris Brinkworth, who is the Civic Data director and also an IAPP member.

How are you, Chris?  

Chris Brinkworth  

I am good. I'm cold. The weather here dropped. Everyone thinks Sydney's warm, but no, my gosh, very cold. And you're English, shouldn't you like, just be able to deal with the cold? Do you know, I did find that when I moved to Australia and I got here in, oh, the original, the first time I came was a backpacker, I think in the late 90s.

Well, whenever the Beastie Boys Intergalactic album came out, that was when I was here and when Ivan Milat was around. That's when I came, and I was hitchhiking around Australia when he was around. But what I did realize, everyone would say that the Poms are whinging, but my gosh, the Australians whinge a hell of a lot more.

Especially about the weather. Like you started with the 70 degrees heat conversation. I'd get in an elevator and someone's saying, God, geez, it's hot. Geez, it's cold.

Anthony Woodward

And for our American listeners, those outside of Australia, Ivan Milat is a local serial killer that Chris is referring to. Fairly well known.

Look him up at your peril.  

Kris Brown  

Like, liked a backpacker.  

Anthony Woodward

Indeed. Look, it's fantastic, Chris, to have you on FILED and I’ve really been looking forward to this discussion. So many places with your background in privacy and martech and adtech. It'd be great, I think, to give the listeners out there a little taste of that and the million things you've done.

Chris Brinkworth  

Well, other than not getting picked up by, well, actually I nearly did. That's another story for another podcast. I'm pretty certain I met him, but we'll do that at our next joint cocktail event.  

Anthony Woodward

Well, there's a seven degrees of separation. We've both met Ivan Milat and in fact, I've met his brother, and we can take that for a conversation another day.

Chris Brinkworth  

So, I mentioned I was in Australia back when I was a backpacker in a very kind of, I think it was mid to late 90s, I can't remember to be honest, but I was lucky enough to be invited back to Australia to open up, well, help open up one of the foundational teams for the first ASX listed digital media buying agency.

So that was when Yahoo! was new and everyone else was new and they were making money from selling ads on the internet. And this was an agency that was formed just to buy advertising space on the Internet on behalf of big clients. And at one point we had about 30 cents in every dollar going throughout our business of the entire digital media buying industry.

Then I went across to the U.S. after seven years and despite my accent, I was actually born in Dallas and a lot of people don't realize that, but I was raised in England to British parents, but that meant that I could go there, and I could work there quite easily without the need from a visa perspective.

So, when I was over there, I opened up the US office for the first ever solution that managed these things called pixels and tags. And that became synonymous with the term tag manager or tag management. And that was called TagMan. And where that was really useful for my career as it stands today was, I got to meet some super, super smart people.

You know what it's like over there, Kris and Anthony, you're there a lot now in the US, it's just the collection and the pool of niche specialists is so much larger than Australia, where you can go to networking events where it's full of people with your passion and your interests. And I got to meet the burgeoning programmatic industry and the burgeoning martech industry, all who have these tags and pixels that they wanted to put within our platform, that was live across very large brands. Now, they were companies that failed, did well, were bought by Adobe, bought by Salesforce, bought by Google. And I stayed in touch with all of those people over the years who went on to do bigger and better things or looked at the next project.

And it was very clear to me when I called them all up about three and a half years ago, when I was looking at what do I want to do next, and they were all telling me the core issue that they saw on the horizon in their specific sector was the impact of privacy on marketing, media and measurement initiatives, which is obviously where I focus the business, Civic Data.

And if I break that down a little bit more, because I find this really interesting is in Australia and obviously on a state-by-state basis over there in the US until you get the federal law, it was very clear to me that. And no one can see this, but the people on the screen can see this, and I'll describe it for the audio listeners.

If anyone ever watched Star Wars, where you had the garbage compactor where Princess Leia tried to escape with Han Solo, and they pulled the side off of the siding off the wall, and they ended up in a garbage compactor to escape the Stormtroopers. There were these garbage compactor walls coming in.

So, on one side, I'll liken a garbage compactor wall to the changing laws globally that have impacted everyone's technology already. So, cookie deprecation, app tracking transparency, the right to erasure and a whole bunch of other elements that have really impacted what are two of the largest areas of investment for any business, which are marketing and ICT.

So that is one wall that will not stop moving for marketers specifically. And then the other wall that's moving in on the right-hand side is the changing regulations. So, marketers and marketing leaders, marketing technology leaders and data leaders, they're all trapped in this very confined, limited space, which is ever, ever, ever kind of getting smaller of, I really need to find new ways to target people, to track people, to measure things, to understand the effectiveness of my ad dollars.

And I'm investing in technology and transformation, but at the same time, if I do that, will I still be allowed to do it based on the new state-based laws across the U.S.? What's happening from an Australian perspective here in regard to privacy reform? And will I get in trouble? Will I get heavy fines for that?

And will it still work based on the changing technology and ecosystem as well? So, it's a really complex area, but such a fascinating space to kind of sit within. So, that's kind of like where we focus, is literally where does any type of privacy impact marketing, media and measurement investments?

The Australian Privacy Act reform announcements

Anthony Woodward

A super interesting space for the listeners out there.

We actually intended to record this podcast a week ago, but we got news that during Australia's Privacy Week, which is just past a week ago, there'd be some pretty major announcements that were going to be brought forward. So, I think Chris, we probably all had a little bit of a moment to digest some of the information.

I don't know that I'd even call it detail based on what was probably announced, but some of the high-level pieces, I'd really like to kind of see, understand where you think we're at in that journey, particularly knowing you touched on there, you know, the new Australian government landscape and the regulations that are coming up, but then how does that intersect with what we've seen here in California, we're actually sitting today in Washington state, Washington state has just completed some of its legislation through the legislature here.

And we've seen obviously things like GDPR, which has been around for a while and setting some standards. Where do you see that landscape, you know, based on those announcements?

Chris Brinkworth  

It's been a fascinating three years for anyone who's been involved in privacy here since the review of the Privacy Act started, and it's not been updated in a very, very, very, very long time.

But we were all wondering, is it actually going to happen? A lot of people did feel, and you may not agree, Anthony, that a lot of people thought this privacy reform would be kicked down the line again to the next term of the, whether it's the current or future prime minister. But what's happened since Thursday last week, there was the Privacy by Design Awards here in Australia, where there was a speech by the Attorney General of Australia, Mark Dreyfus, and also the new incoming Privacy Commissioner, Carly Kind, here in Australia.

And it was very clear when they were saying the prime minister has asked me to introduce legislation into the House of Representatives in August, that things were starting to get very, very clear and they are committing beyond just a, hey, we're going to start looking at it. So, that's the first thing is there was a taster last week, and then the thought was and that that actually happened that as of Monday, which is why we pushed this, then all of the embargoed interviews started to come through in the mainstream press.

And what I found really distinctly interesting was each article focused on a different topic. So, they deliberately started to talk about certain areas with certain publications. So, if you look at the AFR, they were talking about, and this might be uniquely interesting for some of your listeners, Anthony, the AFR dived really deeply into electric vehicles and the amount of data that they collect, which really was interesting to me because if you look at our first submission, Civic Data put a couple of submissions into the Attorney General's review of the Privacy Act, and we were referencing the report on the review of the Privacy Act, but our first submission went really deep into there are concerns around the fact that electric vehicles could be owned by or have someone has an interest in a satellite-based business as well. So, you've got data being collected on nine or ten different sensors of a car that could include cameras outside which would be collecting biometric data that's also got a business interest in satellites and social media and so on.

So, we went very deep into that sort of stuff. Became clear then that as of the end of Monday, and I attended a session with the IAPP and the Privacy Commissioner, Carly Kind, that they were really doubling down on some core tenets around, well, I think the one that was the clearest in answer to your original question was around, there needs to be something very unique in Australia to handle this concept of, if you're not getting explicit consent, because that's still not going to be a requirement, is the need for explicit consent in Australia.

You're not going to see the overlays that you see such as in GDPR and CPRA etc. for the tick box. But this concept of fair and reasonable has been mentioned so many times, and I don't know if you're seeing the same thing Anthony and Kris but this fair and reasonable. And I was talking about this where I was trying to find my notes earlier on.

I was trying to condense it down because there's not been a lot of discussion about truly what fair and reasonable means. And there needs to be a bigger discussion. And I'm almost finished creating a GPT, which is a fair and reasonable GPT that people could use to kind of dive into this kind of core tenet.

But if you look at what I've condensed here, the core focus of this fair and reasonable test is to ensure that the handling of personal information by organizations is not only legally compliant, but it also aligns with the ethical expectations and values of the Australian community, even in situations where individuals have provided consent.

So, if you break that down, okay, I've provided consent for something here, but are you doing the right thing by me? Is it fair that even though I gave consent, you're using that data in a certain way that wasn't very clear to me? And I didn't understand it. Was it clear to me that you're going to start to use that data for automated decision making in a way that wasn't very clear to me and isn't very fair, even though you've got my consent to have that data used for automated decision making, machine learning, AI projects, and so on.

Is it really fair? And are you being reasonable to me? I think everyone understands this concept. So, that's not very fair what you're doing there. And that was also... So, that has been core and all the kinds of conversations about this. There's a very unique aspect to what Australia is talking about in regard to law reform with that fair and reasonable test.

And it fits very much with the concept of privacy by design. So, if you are building something, whether it's an app, whether you're working for new marketing technology, whether you are using a pixel or a tag, or in your instance, from a RecordPoint perspective, if you are keeping hold of certain types of data for a certain period of time, is it reasonable that you need to keep that for so long?

Is it fair that you're keeping hold of it where every single additional minute of the day exposes that data to risk of some kind of breach, just from a pure timing perspective? I think that was one of the core outtakes that I took across everything is because we've had the time to learn from GDPR.

We've had to learn from all the separate state-based laws. That underpinning kind of theme of fair and reasonable can be applied to so many areas of privacy law on any project you're doing, and almost forms part of this privacy impact assessment style conversation of, okay, let's just think about it before we do a privacy impact assessment.

Understanding the fair and reasonable test

Anthony Woodward

Let's just see if it's fair and reasonable in the first place. The lawyer in me comes out a little bit right in that you're probably aware a lot of the case law in tort and the notion of fair, just and reasonable where those tests have occurred. So, there is a lot of case law that does start to define that duty of care that's required in tort, but the kind of ways that companies have thought about data and privacy, and then the intersection of data and privacy hasn't been using those kinds of tests before.

So, it's a really interesting, I think, observation out of the last few days and what we've seen the privacy commissioner and the Honorable Mark Dreyfus actually talk about, which comes down to some specific applications of those things.

Chris Brinkworth  

But look, I have thought about those applications. So, it's clearly an absolute core part of what the messaging coming out of the OAIC here, the Office of the Australian Information Commissioner is talking about as part of the core messaging. But if you were to go out right now and try and discover content about, how do I apply this test?

What is this test? There is nothing out there truly that assists the entire industry business community in Australia about what that actually is and what that means if, and I mentioned there's been a whole bunch of kind of drip feed from what I'm seeing.  

There was an ABC interview, I think it was yesterday, with Carly Kind as well, where that's the first time I've also heard anyone from the OAIC, or the Attorney General's office suddenly start talking about the small business exemption, which hasn't been discussed for an entire week. And everyone was wondering, well, where is the conversation around small businesses? Are they going to be exempt from this? And now Carly is starting to talk about it as well.

So, I think over the next couple of weeks, we'll start to see more and more impact from what seemed like a soft conversation to this is going to be quite a hard stance. The right to erasure is very, very prominent every single conversation as well, which you probably noticed from a RecordPoint perspective, the application of all these laws from my perspective.

Remember, I'm talking about the impact of privacy on marketing, media and measurement initiatives. Just the, I guess, the big divide between, let's take a RecordPoint and a consent management platform. So, Civic Data doesn't have any technology. We're purely an advisory and a technical consulting firm that are experts in the technology aspect from a multimedia measurement perspective and privacy.

We don't have an owned technology. Let's talk about consent management. Until now, I wasn't really out there talking much about what consent management means, what a cookie banner is, versus a preference center. And I was hosting a panel for the IAPP specifically titled Pixels, Privacy and Precautions. And pixels, as you know, are these hidden pieces of code across the customer experience layer that collect data in real time but can also activate that data and personalize content and so on.

And it was fascinating for me to see the absolute divide because the entire audience in that particular session were privacy professionals and legal experts. But the knowledge gap between what they know about back-end magnetic tapes, data discovery in structured and unstructured data, in repositories of data.

And let's think of those as post consent elements. Cause generally you're only holding that data post consent. But a lot of these technologies that work across mobile apps and websites are pre consent. So, you're starting to have data that's real and live in real time being used to create experiences for you.

Did you give consent for that? Have you given consent for that to happen based on your browser size, your battery level, all that type of stuff. So, if we talk about that kind of divide of consent management versus the backend piece from a RecordPoint perspective, I'm then starting to discover that there's a lot of businesses who are focused on these areas of preference centers.

But they don't realize again, if you look at pre versus post consent, preference centers are very much about, you should have got consent already. Now you're just updating it or updating what you can do around that. That's what preference centers are. Then you look at cookie banners, and it was very clear for these presentations and the more I speak to privacy professionals, people don't understand these tags.  

The more and more complex they get, it's not just cookies that you need to manage there. Generally, you'll see that 90 percent of the data leaving your website or your app is actually going to something called a pixel or a tag, and that is where you are sending information to a different third party and it leaves your control and goes across to a third party you've chosen to partner with, regardless of whether a cookie is set or not. So, the difference between a cookie banner versus a consent manager is also very important to understand because the cookie banner cannot stop those pieces of data leaving the control of your website as well.

So, it's a really fascinating aspect because if you start to talk about fair and reasonable and what that means, is it fair that you've not been very clear about these pixels and tags of where data is going. Have you told them that when they come here, actually the price you're giving or the product you're creating in real time, personalized, based on their geolocation, based on their battery level, based on their browser size, based on every single signal that you're getting.

Is it fair and reasonable that you're creating that experience, that price? Have you been upfront? And when you start to talk about what is consent for the purpose of doing business, which is generally the Australian law, is you don't have to have the explicit consent. So long as you're kind of, it's about doing what you want to do from a business perspective, it can be proven it's in the best efforts of making your business work.

Are you going beyond that? And candidly, you'll find a bunch of listeners to this call who don't realize that there's probably a data broker pixel on their website, and that data is actually being sold. A lot of businesses in Australia rely on this new methodology of stitching identities together because cookies are disappearing.

So, they don't realize the technology they're putting in place to replace cookies because of that garbage compactor I mentioned earlier on. In that itself they're finding technologies to fix those holes, but they don't realize it's being done with hashed copies of personal information that is being sent to third parties and not covered in their disclosure agreements, their privacy policy and more.

So, look, it's a fascinating, fascinating area.  

Anthony Woodward

And it's fascinating on two sides though, right? Because the notion of fair and reasonable and the, and if we go back again, you know, Donoghue versus Stevenson, the things that informed those things around general duty of care, if I go back to where that language originates, the social contract which is implicit, which is really what the current legislation is formed off in Australia, but also in other jurisdictions, is around what are the responsibilities held by both the individuals and the entities towards the construct? And I think it gets really interesting in the application of that law around the data that's held and what is the responsibility then when you're getting effectively free information or free services versus paid for services and different points of that consent.

And so, there's a whole raft of different interpretations that I think eventually, unfortunately, are going to have to be thrashed out within the legal system itself, because we're not going to see a lot more definition there.  

Chris Brinkworth  

That's a really interesting, interesting point because to go back to the original question of what's happening, and you mentioned it's not being very clear, it's been very clear that reform is definitely going to happen.

There's a date when legislation will be introduced into the House of Representatives, but it doesn't yet clarify exactly what will be introduced. So, we do not yet have 116 proposals that were put forward. Of those that were agreed, there were still a bunch of agreed in principle. And will those go into legislation when it's pushed into the House of Representatives as an example, but one of the core things, and no one knows, everyone keeps asking, I'm like, go see it for yourself.

No one knows yet. I suspect it's not finished yet. Don't you? No, it's not. And look, there's been a bunch of this. I mean, this could go for two hours. So, I don't want to go too much into it. But there are a bunch of roundtable discussions ongoing at the moment where the government has asked industry bodies, certain sectors and more to look at their estimates of what it will cost to adapt to these new legislations so, try to understand the cost of the economy to businesses and so on. But from what I'm hearing from my contacts, they are grossly, grossly underestimated, grossly underestimated as well. There is a really interesting part of this where they are proposing that there will be a direct right to action.

And for people who don't understand that terminology, like myself, because I'm not any way an academic nor a law, a student of law, but it is just think of class action lawsuits. It is the ability and prospect of instead of regulators arguing and finding, it's about the judicial system. It's about this now going into the court of law.

It's about if you are using a piece of technology that is on your website and 50 other websites and you reach 70 percent of the Australian population with that technology and it's in breach, then that opens you up to a very large cost as well. So, that's another really interesting part, even though we don't know yet what's going in, that is a fascinating area, is moving stuff into the actual courts of law from a judicial system perspective versus the kind of quagmire and timely aspect of the regulatory side.

How should businesses prepare for this reform?

Anthony Woodward

And I want to broaden up and probably be this conversation to where our interests align, Chris, and where I spend a lot of my time in data. And you spend a lot of time in, as you say in the marketing space and where these things intersect.

We talk about things like right to erasure, right to be forgotten, depending on what, how you want to call these things. We spend a lot of time talking about the minimum and maximum retention periods. This all links back to the fair and reasonable test. Data collection's occurring, right? No matter what, for businesses to function that's happening.

So. Excellent. I think we all agree there's value in that, but where do you predict then as we look forward in these actual applications and processes of these, these technologies and the data itself is going to go? So, beyond the legislation, what do you think the business practices are that we need to start thinking about?

And I think in our space where we see this intersection of data governance and data privacy is that it all actually starts with the data and not the behaviors. So, what are the things that organizations should be thinking about there? Because a lot of what I've seen out there and probably more from that martech world that instance when you talk about preference box, that's a lot about behaviors.

You can do this, but not that you can do this, not that it's not really about the data that's collected in the utility of that data, right? It's not actually truly contemplated within those pieces. So, how do you see that evolving?  

Privacy by design is key

Chris Brinkworth  

So, I think it comes back to what's clearly been articulated by Mr. Dreyfus, the Attorney-General here in his speech, Carly in her speech, the privacy commissioner and all of the articles and speeches and everything else that I've digested, it comes down to privacy by design related to the fair and reasonable, because if you were to look at what can come under that as a subset, it would be the minimization of data when it comes to the RecordPoint world as an example.

So just the fact that if you don't need to collect data, collecting data for the sake of collecting data is just silly. Cause it opens you up to risk. If you're sitting on a bunch of data that you no longer need, minimize it. It's about designing your strategy, designing your product, designing your projects in a privacy-focused way, which falls under that kind of overarching theme of fair and reasonable, and under which I think privacy by design, technically, it does fall.

So, from, and look, I'll let you, I don't want to dive into your product. I think the reason that when Civic Data wanted to host a cocktail party after the IAPP event here in Australia last year with RecordPoint and Ketch were kind enough as well (Ketch, one of the consent management platforms), they were kind enough to co-host.

The reason that I wanted to do that was because a really interesting area where a consent management platform starts and finishes, as I mentioned earlier on. So, if you look at that real time, pre-consent, activation of data governance of what's happening and how that data is being used at the application layer, when a customer is interacting with a mobile app or a website.

And that's very much where a consent management platform should play. But then there's also your area where you focus, which is that aspect of every single element of data a business has ever collected, how they're using it. I'm going to do a terrible job of explaining your product, but what I'm saying here is, there is a very distinct need for subject matter experts in both of them. I don't believe one company can do both. And I've learned this because, remember I've worked at, well, I've been a US office for a business that tried to do both service and product and where we lost out in the race. So, we did lose out in the race.

We didn't become the ultimate winner in tag management, but I distinctly know that we tried to focus on too many things and please too many people. And if you try and do too many things in this world, that's always shifting and changing, you're never going to provide the optimal product for the serve, for the client that requires it.

So, I think having that ability where you've got a business like RecordPoint who can manage these changes to law from a US-specific to state-based laws and everything else, and how to kind of adapt to that post collection. But then a consent manager pre-collection is where people need to start thinking about.

But also then the element that I find really intriguing is that a lot of people don't realize and I've done this, this white paper recently distinctly lays out the difference between a pixel, a tag, a cookie, but also I've got a very basic chart in there that shows what a consent management tool is versus preference versus cookie banner.

But I discuss in there that there's this aspect called the data layer. And some people on the call may not be aware of this data layer, but as part of the original W3C, I guess, standardization of data layers back in the mid 2000s, actually it's 2011, I think, but the point of the data layer is create a uniform view of what data is being collected from this device, this user, but also what else can we pull in from external sources?

And by that, I mean, there's a lot of businesses out there that don't realize that from the early 2000, 2011, 2012 onwards, some of them may be sending API data into third-party tags and pixels, and they don't know it's still happening. They're calling from an API. They're calling from a spreadsheet.

They're calling from a Google sheet. They're using webhooks. And that is where it interacts with the work that RecordPoint do is you start to see that we need to do a really solid audit of every single piece of technology in our customer experience layer to understand, are we creating a bridge between post-consent and pre-consent as well? And how do we govern that? How do we block that? How do we enforce rules on that as well? So, I think they're the areas people need to grapple with, which is why I'm stressing that I'm really happy. There are separate businesses where you've got a RecordPoint like yourselves, but then you've got the consent management aspect where they focus on that really hard to deal with aspect of pre-consent.

But then you all need to understand how that works in the middle. At that kind of real-time activation, but I think one of the final pieces where I'm getting traction the most with my businesses and my business, my clients are very much household Australian brand names. So, we're actually starting to get more US and European interest now as well.

But I start every single conversation with a 90 minute session where I go in and I invite the CMO, the head of marketing technology, the head of data. And I also invite procurement. It's a really interesting reason for procurement, which I'll discuss in a second, but then the privacy lead has to come and the legal team, if they don't have a privacy team have to come because we act almost like marriage counselors.

And I mentioned before that ICT and marketing are two of the biggest costs of any business. So, when you look at these multi-million dollar transformation projects around marketing technology and so on, it's really important that the privacy team and the marketing team get on the same page, and everyone understands what's important to each other.

And they're kind of how they're rewarded within the business. Because what the marketing team don't want to happen is a privacy leader comes down after listening to this particular podcast. And I'm promising you it's going to happen. Sorry, marketing teams, a privacy leader is going to go approach the marketing team and say, hey, have we got anything in our data layer that's going into a third party tag?

Are we sending personal information? Stop it. And the marketing team are just going to be horrified because that's one of their core pillars of strategy this year, what they're doing. And because they've not highlighted it or discussed it with the privacy team. That's why it's a surprise. So, it's all about getting people aligned in that session.

Where everyone understands you have to all work together now based on these changing laws, what it means. I mean, even from a federal over in the US, what it means from a federal perspective, let's start thinking about that now as well, how did the marketing team and the privacy team all talk about that piece and the procurement piece is fascinating because they start to realize we should be putting language within our procurement documents, our request for proposals that are related to if this particular law in this particular state goes ahead. What are three core points that you believe your product will be impacted by? And will we still be able to deliver the product as promised? Will it still work as promised? And at a technical level, if Apple changed the way that technology works, or if Privacy Sandbox from Chrome ever goes ahead, will your business still work the same as promised in this particular proposal, and what will we do to make good?

So, it's a fascinating, but that's what I'd suggest is everyone needs to just work together. Yeah. You're blaming Google. Isn't that the CMA's fault? Like, come on, it's not Google's fault. I'm not blaming them. I will rewind that back and you'll see that I'm very good at not blaming anyone at all. I'm co-chair of the Data Council of the Interactive Advertising Bureau here in Australia.

That's the industry body that represents the interests of publishers and data driven businesses. And the reason I do that can be is I do believe I can help create change from within. I'm in a very powerful position on Tuesday. I think it's Wednesday or Tuesday, the 15th of May, whatever that is, next week here in Sydney.

And I've got LiveRamp on the stage. I've got Google on the stage. I've got InfoSum on the stage. Three global businesses that work very, very much with data collaboration, activation and identity. All of them heavily impacted by privacy, but I'm not going to throw a hand grenade in there with some of my questions that I would talk about over a coffee.

Not at all. So, it's, yeah, I would never say that Anthony on a public podcast about Google.  

What challenges does the martech and adtech industry face?

Kris Brown  

Very good. I'm going to jump in because we did miss an opportunity that there was a massive Star Wars reference in our podcast, and I can't just let that go. Fantastic work, Chris. Very, very good. I actually think that's probably the first one, which means that I've done really well to get nearly halfway through a second season and have not dropped one, which is even better.

I think it'd be interesting listening to the pair of you rap and there's a reason why I'm sort of jumping in now as well is I find it really, really interesting, especially that that fair and reasonable test, especially when we think about how little most of these martech departments know about the minimum and maximum retention schedules and understanding how long they should be keeping data.

They're just sort of doing it because it helps their part of the business and listen to you say those things as well. But I want to bring this back a little bit more to yourself and Civic Data, if I can, and I know we spoke a little bit about it just now, but what are the other challenges that are in that martech and tech space as it relates to privacy?

Like, I sort of think about if we do have to implement these things like right to forget, right to erasure, where are they at in terms of discovery? What's the sprawl look like in these organizations? Is that something you're seeing from your advisory or is it more that's the “see no evil, hear no evil” in this sense at the moment?

Chris Brinkworth  

There's a reason that majority of my clients to start with either made a lot of money from advertising data. So, as in, they have a lot of consumer data on file, and they use that to show ads to them. And they were very aware that if they don't get ahead of it, there's going to be a problem down the line when they started reading these reports.

But also, my other clients are heavily regulated sectors. As well as from an anti-competitive stance from a sensitive data stance from a financial stance. So, you've got from an ASIC perspective, an APRA perspective, an ACCC perspective, as much as privacy. They are the ones who already have the capability internally to understand what's happening from a privacy perspective because they have privacy experts.

They can afford to have privacy experts. The others who've not had that advice internally, and I've actually seen this on calls where someone who's in charge of millions and millions of dollars of media budget and marketing budget, I was saying, look, it's really interesting. I'm excited because on Monday, I'm off to an announcement and IAPP event around what's happening with the Privacy Act review.

And here's what I'm expecting. And this person on the call and they wouldn't even listen to this. I'm quite happy to say it. And I'm not going to mention the company name. We're like, oh, that sounds really fun. And that to me is a really good example of what you were just saying there, Kris, really big disconnect between people who understand the seriousness of this, where someone is not a champion internally.

And I was asked this question maybe a year ago as well. I was in a room full of people who activate marketing data and they're very big brands as well. And the question has been asked on me. So, Chris, how do you think people should go? What's the first thing they should do in regard to getting prepared for privacy or they should focus on?

And I said, let me turn this into a question. And I said, put your hands up in this room. If you use any type of first-party data, whether it's an email address or phone number or something, that's an identifier. To create products or target people and everyone put their hat, put your hand over, put their hand up, right?

Okay. Now keep your hand up. If you can tell me the name of the privacy leader within your business, there were 60 people there and there were no hands, and that's a really good example of the disconnect that I'm experiencing. And I think there's this almost. Going back to the Google conversation around something called privacy sandbox and cookie deprecation and everything else, I think there's this challenge that a lot of the people that I would normally speak to, they get their news from trade press.

And if they see that cookie deprecation has been pushed back a year, they think that's the main problem they need to worry about. And they don't think about it in other ways because no one internally is coming down yet and saying, hey, what are we doing? Which is what I mentioned about. I have this concern that marketers are going to have a rude knock on the door now and especially given So, in Capital Brief, which is a fantastic new publication here and the journalist was Laurel Henning.

She did a great article after an interview with Carly Kind that was released on Monday. Where she specifically raised the Senate estimate hearing details where Carly and the then-Information Commissioner, Angelene Falk, were being asked about TikTok and what's happening in regard to the OAIC preliminary inquiry into TikTok and the TikTok tag and data.

And she brought that back to Carly on the interview and said, will pixels become part of this? And it was very clear in that response that the Privacy Commissioner confidently said, Outside of TikTok, we are looking at pixels as a core part of where data collection and so on fits within Australian privacy outside of TikTok.

So that is an example of where if you're thinking about cookies and cookie banners and everything else, but you're not thinking about these kind of hidden tags and where that data is going. That's one example of that kind of where the privacy team are going to come knocking. My white paper, I've seen who's been downloading it and given the conversation that I might be talking about.

Who's downloading it, but you can rest assured it's regulatory people who had downloaded my white paper as well about how this works. I just think people are not ready for what's coming. And especially if there's an election year coming up there, I see that this, and Anthony, tell me if you think this is the same for you or not.

I look at the messaging where they've started slow, but they've started talking about domestic violence, doxing, cyber-crime, and to make this privacy reform sexy, to get it pushed through ASAP, they're starting to wrap around it this other overarching conversation of, well, "Hey, Liberal Party, you know, you know, you like domestic violence?

Why aren't you passing this privacy reform?" I think there's a really interesting way that this will be really pushed through faster and it's going to be a lot harder and harsher than everyone thinks. I really do think that, and I'm hearing that the... everyone's had their chance. To put forward a proposal, a response.

We were the only firm focused on martech and adtech that put any submission in the first time, any submission in the second time. And that's a really interesting tell to me, none other focused on what this actually means to their entire industry.  

Anthony Woodward

Yes, it's really interesting. That's probably more bullish than you.

I certainly expected the legislation to happen in this session of government. Not in subsequent governments, but you're absolutely right. The temperature has come up and the dialogue has changed considerably. And I think the thing that's very much in the favor in people's minds is we're continuing to see breaches.

We saw recently the RSL breach and people's, you know, again, basic information leaking out in a way, and I know that's quite separate to the pixel conversation. Other things we leaked from, but it's, it's the root of what people are seeing and experiencing out in the real world. Where I think this pressure is really coming from.

I think you're quite right in your prediction there and certainly what we're seeing is a real change in the dialogue around the shift that's required and the probably the jump I think that we're seeing in the Australian government to moving to the forefront of the conversation and being far more punitive and far more wide ranging than GDPR and some of the other pieces of legislation out there and not just copying it.

Because, you know, certainly what we've seen other jurisdictions, Brazil and other places, you know, I think Brazil was classic because there was even almost the typos left in GDPR out of the European parliament in the Brazilian legislation, right? Everyone was taking that template and just copying. Japan was no different.

That is very different with this legislation. It is far more wide ranging.  

Chris Brinkworth  

I've actually been deliberately doing that in some of my articles and content because I know people replicate it.  

How will smaller organizations deal with the Privacy Act reforms?

Anthony Woodward

Mental note: don't copy any of Chris's stuff. It's really interesting as these worlds come together, like you talked about earlier, around the notion of pixel tracking and these mechanical elements.

Yourself in your world and, and myself and Kris in ours, and we come from these different, almost universes that connect the elements there though, for a business, a medium-sized business, you know, a small business, being able to think about that and the processes that occur behind it is mind-boggling, complex.

It's all fine for these bigger brands, to be frank, right? There's going to be technologies and ways that you can invest in meeting and exceeding the legislative requirements. But what will these, these smaller and medium sized businesses do in, in what we're both forecasting the regime to be?

Chris Brinkworth  

I don't know. I'm going to be very honest. I'd be lying if I knew. I was hoping you had an answer because I didn't have one either, which is why I was asking the question. No one does, but I would say this, the reason that I get such great sessions at very large businesses these days for my 90 minute kind of no cost session around this is because it's very clearly a problem, but I start my email when I send out an email to introduction saying.

Legal and privacy teams respect our mentions in the report on the review of the Privacy Act. And a lot of people in my space go, wow, that's great that you were mentioned four times in that report. But I have to point out at all times, that's a drop in the bucket compared to privacy professors, people who've got a tenure.

Over at an academic institute who are mentioned 120, 160, 200 times. And really these are the people it's like, it's like, you know, Kris and Anthony from your space, who's who within the financial industry and other such sensitive data businesses from a data management perspective, discovery perspective, you've all grown up in the same career and you've all worked at the same kind of companies work the same people.

And the same is true of privacy. The people who are in senior positions with regulatory, or are being seconded in as part of regulatory change, are the people that grew up in the same career and understand a certain area. So, from what I'm seeing, no matter what I say, and what I think should be relevant with my four pieces that I was referenced in, it's going to be dwarfed by people who make money from complex privacy law.

And it's going to be very much a fascinating area where even those people who are referenced 120, 130 times on Monday, we were both discussing that they've given us nothing. They've not even mentioned small business exemption. But then yesterday, Thursday, there was a radio interview on the ABC talking about small business exemption.

So, they're starting to drip feed. And I think that's happening more and more as they get ready and each of those approved in principle are ready to go as well. So, the answer is, I don't know the answer because we don't know everything and it's until we know everything will I be able to give you that answer?

What are the top 2-3 things companies should do to prepare for Privacy Act reforms?

Anthony Woodward

What do you think are the key things that people should be thinking about to get themselves ready for these implications? What are the top two, three things you're out there suggesting?  

Chris Brinkworth  

It's always going to be, everyone in this room may understand it as a privacy impact assessment. But just the understanding of what is currently across what I mentioned as a customer experience layer.

And this is from my aspect. So, what is there across your customer experience layer, which you touch so many times, you touch your mobile phone, how many times a day, websites, how many times a day. So, as a business or an entity, where are you creating the opportunity for data of any type? Of any type. I'm not just talking about in Australia, we don't have PII.

We have personal information, as you know, but if you were to think about personal information, whether it's hashed or not hash, whether it's identifiable or anonymized, is that leaving your first party control? And where is that going? Which third party vendor is it going to? What are your agreements with that third party? But also, what have you done from a disclosure agreement perspective? Privacy policy perspective. So, understanding just the flow of any type of data, whether it's battery level, Bluetooth, because all of these pieces of data can be pieced together like a fingerprint or a jigsaw piece to say, this is actually Chris Brinkworth from Civic Data on this device.

Once you pull together, that my battery level is always low at this certain time, I'm in this location this certain time. So, any type of data whatsoever that is leaving your control and going to third parties in your customer experience layer, you need to understand ASAP what that is based on, and let's talk about Australia for now.

Current Australian privacy principles, because all too often I go into my 90 minute session with an example of just a, I did a quick look under the rug and here's where you're sending a personal email address to Google Analytics in the clear straight away. Always the way we're like the gnarly old Marlin fisherman who knows what tide level temperature of the water to look.

We're not Flight Centre that say go to this big fishing company in Cancun. So, we know exactly what to look for. So, I think there's just understanding at the moment, what technology you're using, why you're using it, why you're sending data there, and are you being very clear about disclosing it? And also, if you're keeping a copy of that yourself, as you rightly know, why?

Why are you collecting this? Why are you storing it? How are you going to use it? Is there a real benefit to it? And don't get me wrong. One thing I do always say to my clients and prospects is, if you're going to send all of this data to Meta, and all of this data to TikTok, and all of this data to Google, and all of this data to a company you've never heard of from 15 years ago, but some bad actors actually bought that domain name.

And now they're reverse engineering and collecting that data. If you're sending all of that information, why not keep a copy yourself? Because if you keep a copy of that yourself and you have consent to use it, you've been disclosing exactly how you're going to use it. You can do so much with that from a machine learning perspective, modeling perspective, product design perspective.

So, if you start to understand what you're giving away that creates a risk, you can also start to understand how you could build value. If you think privacy first, privacy by design, protecting that data, what it's used for. So, that's what I'd say is understand what you've got.

Where the risks are, how that applies to your existing privacy principles based on future, but also what is the opportunity? I mean, really the opportunity is exciting. Our clients now, I've just been invited on stage with one of our clients for August to talk about what they've built over the past year and a half.

That puts them way ahead of any competitors who've been just kind of sitting there waiting to see what happens with this Google Chrome deprecation. Because at an advertising spend perspective, Company's going to run out of places to spend it compliantly. Can I run an ad to this person? No, you don't have permission.

Sorry, I don't have consent. You can't. Well, how do I reach them? Well, go with that company over there because they've really thought about this. And they've been very clearly doing this privacy by design from the start.  

What does the future hold for privacy in Australia?

Kris Brown  

I'd probably add one thing on the end there, just being who we are and make sure you know how long you can keep that information for so you can get rid of it, minimize it in time.

So, I think that rolls up to really, really great advice there for the listeners. And I do appreciate that. So, we always like to throw the crystal ball question in here. And so, I'm going to hold that crystal ball out in front of you now and go, what do you think is going to happen in this space? Not just privacy in your world, that martech adtech space.

You just sort of discuss, yeah, someone's doing some really cool things that is going to give them a bit of a jump, but I want to jump ahead three to five years. What's the crystal ball. What's the future look like? What's up on the horizon in this space around how the organizations are going to deal with this data?

What should they be doing with it? What's the possibilities that you see? Let's stay with the good. We don't necessarily have to think of all the bad things that could possibly happen always. But what are the good things that are going to happen in the next three to five years? Do you think just thinking about, yeah, we've got all of this new technology, all of these new ways to collect data  

Anthony Woodward

And can I throw one extra bit to that thinking because a lot of this comes down to education over the next three or five years, right?

A lot of the privacy issues stem from complacency around how people both give their data. And the use of that data. So, I'd be really interested to hear, you know, from the other vector of what do you think people's responsibilities are going to be as well as what the future looks like.  

Chris Brinkworth  

And let's go right back to where we started today with the OAIC.

And if the understanding of what is fair and reasonable. When I really dived into their original submission to the Privacy Act Review, their own thoughts and posts that they've written about from an OAIC perspective around fair and reasonable, and why they want that. There's a societal and ethical part to it that I think professors of law, and I want to be very clear, I think when you started talking about all sorts of legal thoughts, I am in no way a lawyer at all.

I did the equivalent of a TAFE. I learned to develop black and white photos in chemicals at college. That's, that's my background. But I think there will be a lot of discussion around the societal and ethical implications of what fair and reasonable means. And I think businesses and consumers are going to start to, and this is unique to Australia, I think, and this is why I find it really interesting, fair and reasonable.

I think businesses and consumers are going to have to look at everything in a different way. They're going to have to look at everything through this lens of: is it fair that if I'm a supermarket and my customer has signed up to my loyalty program because of the fact they wanted to get more points on their frequent flyer program that the loyalty program has a partnership with, is it reasonable that an actuary somewhere else at a travel center uses that same data, licenses that data, because they know if I buy cauliflower at 30 percent off, I'll pay 200 more for a flight.

Is that fair and reasonable that that's happening? And I think the more that businesses look at this and they start to understand this won't pass the fair and reasonable test. This will not happen, and if they start to realize that from a judicial system direct right to action and all that sort of stuff, as much as regulatory oversight, that's going to be very costly.

And as one of the other parts that we didn't discuss at the very top was the privacy policy data disclosure and everything else has to be understood by someone with less than average intelligence. So, you've got to be at a point where you can't start and that's wording that's common. You can't stuff these things into your consent and data disclosure document use privacy policy.

They're also focusing on dark patterns. Is it fair and reasonable that you're using this dark pattern? We should probably explain a dark pattern to the users. That's a deeper concept, but you explained it well. Absolutely, but I think there's an entire new podcast we could do when we've got more time on that.

If you go search, there's, there's a great document that was actually put forward. Can't remember which. It was a specific sector in, government sector within the UK that did an entire paper on dark patterns, dark nudges, dark sludge. But the easiest way I will explain it is recently Meta started asking me if I'd like to keep a copy of my link history and people listening may recognize that as well, because it's across Facebook, across Instagram and others.

It says, hey, do you want to keep a copy of your link history for any time you want to use it? Now, when you look at the reasons they give, it's all about always visit back what was interesting to you, blah, blah, blah. And then you've got icons next to each one of those bullets and they're all love hearts.

But one of those aspects is better personalized advertising for you with a love heart next to it. The question is, should that be a great big yellow toxic hazard sign versus a love heart? Have they been very clear in saying, did you know that we can infer a lot about you from the structure of your URL and the question mark in that URL, referrer data to say they arrived at this website based on oncology, based on kosher meals, and the amount of sensitive data that's involved and inference data that's involved in a link, that dark pattern of trying to make everything look really cool and not clear isn't fair and reasonable.

So that's a good example that I did a LinkedIn post about that one.  

Dark patterns and cookies

Anthony Woodward

I'll probably just redefine it if you don't mind. It is those deceptive patterns that use trick wording, sneaking, obstruction to get you to do something. That's my definition. It's not just a dark pattern, it's just pure deception.  

Chris Brinkworth  

Yes, correct.

So dark patterns are you're trying to make someone do something that they think is the other thing. That is a dark pattern. A dark nudge would be something where you're trying to nudge them along in a certain direction that they weren't expecting to go, there's even a business out there that focuses and there's a great, they, they host a great podcast about this.

And maybe that should be your next guest on your next podcast. They do specifically focus only on advising on dark patterns, their entire business model is advising just on dark patterns, and they've had some incredibly smart privacy guests as one with someone who I highly respect to get on really well with Raashee Gupta, who over in the US, you may know her.

She was seconded at the FTC. She's now started her own business, Uplevel Digital because she comes from the same background as me. And she did a great session around this, around dark patterns as well.  

Anthony Woodward

I took you off there doing some forecasting around, around those pieces.

Chris Brinkworth  

I think the only other thing I could think about would be, and this is really unique to Australia, rather than your other listeners.

As cookies disappear, and people don't really understand, when you hear cookie deprecation, the entire billion, billion, billion, billion dollar industry is underpinned by cookies. And that's how we would identify people across websites. It's like a marker.  

Anthony Woodward

I gotta jump on something. When we say cookie deprecation, it's third-party cookie deprecation though, right?

That's correct. It's worth drilling into because we're not actually deprecating cookies. We're deprecating third-party cookies. And again, there's a whole other podcast in, in going and talking about that. It's not actually a protection people think it is.  

Chris Brinkworth  

No, you're right. And you know what? I think that's exactly why this is a super, super good spot to finish.

And the reason I say that is there is an entire hour where we can go into that and have that directly relates back because there is a very, very common practice where the cookie identifier with a first party or third party can be stitched back to the structured and unstructured backend data, which you manage, and you need a RecordPoint level, and your clients need to understand, are we keeping hold of that?

Because that is an identifier as well. And there's an entirely new list of technical terms that are being, well, the terminology within the proposed act is an always updatable, non-exhaustive list of technical terms that will be considered personal information. And that will also change everything that's stored on magnetic tapes, structured, unstructured, and so on as well.

So, I think that's a really good opportunity for the next podcast. If you want to, or just get another guest to kind of dive into that aspect.  

Anthony Woodward

We're going to have to have you back, Chris. I think that I've personally just enjoyed this conversation.  

Chris Brinkworth  

So, oh, me too. It's exploring and that's where I really want it to be clear, having the two distinct.

And that's why back at the IAPP event, what I'm seeing in my sessions is there are two distinct requirements by businesses. They need to understand ASAP across their entire business. What is there that we've already collected post-consent? Or do we have consent? How do we understand where it is, where it sits?

And how also can we prove that if we do delete it, how can we prove it's been deleted? And that's something that RecordPoint does really well. But then, that's where you should always specialize, but then that's why I wanted to tie you up with the Ketch guys, who are just one of the consent management systems out there.

They have focused specifically on the governance of consent and understanding where all these pixel data flow. And one of the other final points about what's going through that's been proposed is while we don't have to have the explicit consent box, you will always have to provide the ability for consumers to change their consent preferences at any time and be very clear on how they can do that.

Now, if you've sent a bunch, like I mentioned, of data, such as a personal email address to Google Analytics. But you don't know it because they do not tick the box or you as a business, haven't collected it yourself to store it. How can you do that? If you don't manage that consent at the experience layer as well, there's a whole hour more, I'd love to dive further.

Anthony Woodward

Yeah. And look, we really even didn't get to “right to be forgotten”, about 10 other issues that I think also probably need an hour. So, look, I really thank you. It was an amazing conversation. There is so much of this space that we are going to keep talking about it here and in other places. Thanks to all of the audience for listening and for staying this long.

I'm Anthony Woodward.  

Kris Brown  

And I'm Kris Brown. And we'll see you next time on FILED. Thanks, Chris. Thank you so much, man.  

Chris Brinkworth  

Thanks guys. Brilliant.
