This guide explains what has changed, why digital and marketing agencies are under regulatory scrutiny, and what your agency must do now to avoid enforcement action.
Privacy reform is now a real business risk
Penalties up to $50M
Serious or repeated privacy breaches can attract penalties up to AU$50 million, 30% of adjusted turnover, or three times the benefit gained.
Dual exposure
Agencies face their own privacy obligations and liability risk when a client breach traces back to your systems, campaigns or third-party integrations.
Consent under the microscope
The OAIC is scrutinising how consent is collected online. Bundled, buried or pre-ticked consent is no longer valid. Cookie banners and forms must meet a higher standard.
Data you hold for clients is still your problem
Processing personal data on behalf of a client does not shift your obligations. If you store it, access it or transfer it, you have responsibilities under the Privacy Act.
Individuals can sue
Since 10 June 2025, individuals can bring legal action for serious invasions of privacy. Damages cover both economic loss and emotional distress.
New direct marketing rules
OAIC can now issue infringement notices for direct marketing breaches. Unlawful email lists, lookalike audiences and retargeting without valid consent are immediate risks.
Does the Privacy Act apply to your agency?
The Privacy Act 1988 (Cth) applies to organisations with annual turnover above $3 million, but the small business exemption is narrower than many assume - and the regulatory environment has shifted regardless of size.
The exemption does not apply if your agency is related to a body corporate that is not a small business; if you share or trade in personal information, including selling leads or licensed data; or if your contracts with enterprise clients include privacy representations that bring you within scope.
More importantly, digital agencies routinely act as processors for clients who are bound by the Privacy Act. If your client has obligations, the data flows through your infrastructure, your ad platforms and your analytics tools - and you are accountable for what happens there.
What has changed under the Privacy Act?
Much stronger enforcement powers
The Privacy and Other Legislation Amendment Act 2024 significantly expanded the powers of the OAIC, including the ability to issue infringement notices, stronger investigation powers, and the ability to conduct public inquiries into systemic privacy practices across industries, including digital marketing.
Significantly higher penalties
Maximum penalties for serious or repeated interferences with privacy have been raised to the greater of AU$50 million, three times the benefit obtained, or 30% of adjusted turnover. These figures put privacy penalties on par with serious competition and consumer law breaches.
Individuals can now sue
Since 10 June 2025, individuals can take legal action where a privacy invasion was intentional or reckless, serious in nature, and where they had a reasonable expectation of privacy. Damages cover both economic loss and emotional distress, with non-economic damages capped at AU$500,000.
Consent standards have tightened
Consent must now be freely given, informed, specific and unambiguous. Pre-ticked boxes, bundled consent in terms and conditions, and "implied" consent from continued browsing no longer meet the standard. This directly affects how agencies build forms, cookie banners and opt-in flows for clients.
WHY IT MATTERS
Real examples of regulatory action
Under the APPs, both a digital agency and its client can bear responsibility for how personal information is used in marketing campaigns. If an agency uses a client-supplied email list without verifying that consent was obtained for the specific purpose of marketing, both parties may be found to have interfered with privacy - the client for unlawful disclosure, and the agency for unlawful use. The OAIC's APP 7 guidance makes clear that engaging a third party to conduct marketing does not transfer or reduce the originating entity's obligations.
Key obligations under the Australian Privacy Principles
APP 1 - Open and Transparent Management
Agencies must have a current, accessible privacy policy covering what data is collected, why, how it is used and disclosed, and how individuals can access or correct it. Many agency policies are outdated or fail to account for client data processing activities.
APP 3 & 5 - Collection and Notification
Only collect information that is reasonably necessary for a specific purpose. Notify individuals at or before collection. Forms, landing pages and lead magnets built for clients must include compliant collection notices - not just a buried privacy policy link.
APP 6 - Use and Disclosure
Information collected for one purpose cannot be used for another without consent. Using a client's customer list to build lookalike audiences or seed new campaigns without explicit consent is a common breach point.
APP 7 - Direct Marketing
Personal information cannot be used for direct marketing without consent, or without providing a clear and functional opt-out. The OAIC can issue infringement notices for direct marketing breaches - this is an immediate and enforceable risk for agencies managing campaigns.
APP 8 - Cross-Border Disclosure
When personal data is transferred to overseas services - including US-based ad platforms, analytics tools and CRMs - agencies must take reasonable steps to ensure those providers uphold comparable protections. Standard reliance on platform terms is increasingly insufficient.
APP 11 - Security
Agencies must take reasonable steps to protect personal information from misuse, loss, and unauthorised access. This includes access controls on shared tools, secure offboarding of client data, and managing the security of integrated third-party platforms.
What digital agencies should do now
Privacy compliance requires action across three timeframes. Immediate steps address critical exposure now. Medium-term work builds governance capability. Strategic initiatives position your agency as a trusted, privacy-forward partner.
- Immediate (0-3 months): fix critical privacy gaps now.
- Medium term (3-12 months): build governance and processes.
- Strategic (12-18 months): embed long-term privacy strategy.
Immediate: 0 to 3 months
- Audit your consent mechanisms - forms, cookie banners, landing pages - and fix anything that doesn't meet the current standard.
- Update your privacy policy to reflect how you handle client data, third-party integrations and cross-border transfers.
- Stop any direct marketing activity running on lists without documented, valid consent.
- Review pixel and tag implementations to ensure tracking does not fire before valid consent is obtained.
- Implement basic data security hygiene - access controls on shared tools, removal of dormant accounts, stronger authentication.
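The pixel and tag review above (and the tightened consent standard earlier in this guide: no pre-ticked boxes, no consent inferred from continued browsing) comes down to one build pattern: tag loaders are held until a specific purpose has been explicitly granted, and the grant itself is recorded. The following is an added example, not code from the original guide or from Savira; it is written for Node so it can be exercised without a browser, and the purpose names, the `source`/`noticeVersion` fields and all function names are hypothetical. In a real site build the loader callbacks would inject the vendor scripts.

```javascript
// Added example, not from the original guide: a purpose-scoped consent gate
// that holds marketing/analytics tag loaders until explicit consent for that
// purpose is recorded. Purpose names, meta fields and function names are
// hypothetical.

const PURPOSES = ["analytics", "advertising"];

function createConsentGate(purposes = PURPOSES) {
  // Default state: nothing granted. No pre-ticked defaults and no "continued
  // browsing" inference; a purpose is live only after grant() names it.
  const granted = new Set();
  const pending = new Map(purposes.map((p) => [p, []]));
  const log = []; // append-only record of consent events for audit

  function assertKnown(purpose) {
    if (!pending.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  }

  // Register a tag loader under one purpose. It runs immediately only if that
  // purpose is already granted; otherwise it waits in the queue.
  function register(purpose, loader) {
    assertKnown(purpose);
    if (granted.has(purpose)) loader();
    else pending.get(purpose).push(loader);
  }

  // Record consent. Purposes must be listed explicitly (specific, unambiguous)
  // and the event carries where and under which notice it was obtained, so the
  // agency can later show the consent was informed.
  function grant(list, meta = {}) {
    if (!Array.isArray(list) || list.length === 0) {
      throw new Error("consent must name at least one specific purpose");
    }
    list.forEach(assertKnown);
    if (!meta.source || !meta.noticeVersion) {
      throw new Error("consent record needs a source and a notice version");
    }
    const event = {
      action: "grant",
      purposes: [...list],
      source: meta.source,
      noticeVersion: meta.noticeVersion,
      at: new Date().toISOString(),
    };
    log.push(event);
    for (const p of list) {
      granted.add(p);
      const queue = pending.get(p);
      while (queue.length) queue.shift()(); // release held loaders, in order
    }
    return event;
  }

  // Withdrawal is recorded and stops future loaders; tags that already loaded
  // must be told separately by the caller (vendor-specific).
  function withdraw(purpose) {
    assertKnown(purpose);
    granted.delete(purpose);
    log.push({ action: "withdraw", purposes: [purpose], at: new Date().toISOString() });
  }

  return {
    register,
    grant,
    withdraw,
    isGranted: (p) => granted.has(p),
    pendingCount: (p) => pending.get(p).length,
    auditLog: () => log.map((e) => ({ ...e })),
  };
}

// Walk-through on constructed input: two tags registered before any choice,
// then a banner grant for analytics only. Advertising stays held.
function demo() {
  const gate = createConsentGate();
  const fired = [];
  gate.register("analytics", () => fired.push("analytics-tag"));
  gate.register("advertising", () => fired.push("retargeting-pixel"));
  const beforeChoice = [...fired]; // nothing fires before a choice
  gate.grant(["analytics"], { source: "cookie-banner", noticeVersion: "2026-03" });
  const afterAnalytics = [...fired]; // only the analytics tag has loaded
  return {
    beforeChoice,
    afterAnalytics,
    advertisingPending: gate.pendingCount("advertising"),
  };
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The useful property for an audit is that the queue, not the page author, decides when a tag runs: a developer who drops a pixel into a template can only ever register it under a purpose, and the gate refuses bundled or empty grants, so "consent for everything" cannot be recorded by accident.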
Medium term: 3 to 12 months
- Conduct a data mapping exercise across all client accounts, platforms and integrations.
- Establish data processing agreements with key clients, particularly those sharing personal data with your agency.
- Document retention schedules and implement deletion processes for campaign data and lead lists.
- Review all third-party vendor contracts for APP 8 compliance and adequate data processing terms.
- Deliver privacy training tailored to agency roles - account managers, developers, data analysts and campaign managers each face different risk points.
- Build a breach response plan and register. Test it.
Strategic: 12 to 18 months
- Monitor upcoming Privacy Act reforms, particularly around automated decision-making, children's privacy and the regulation of data brokers.
- Conduct privacy impact assessments for AI-assisted targeting, personalisation and content generation tools before deploying them for clients.
- Develop a client-facing privacy offering - position your agency's compliance capability as a genuine differentiator in new business conversations.
- Integrate privacy risk into agency governance, reporting and insurance review cycles.
- Build consent management into your standard website build and campaign delivery templates so compliance is default, not retrofitted.
Practical checklist
Use this as an accountability tool. Assign an owner in your team to each item and track progress against it.
How Savira can help
Savira works with Australian accounting practices to conduct privacy risk reviews aligned to the Privacy Act and APPs, update privacy policies and collection notices for the new regulatory environment, redesign client onboarding and engagement processes to meet collection and notification requirements, deliver practical scenario-based staff training tailored to accounting, implement privacy management frameworks suitable for partner-level reporting, and support incident response and regulator engagement.
Whether you are a sole practitioner, a mid-tier firm, a national network, or building tools for the sector, Savira can help you move from reactive compliance to structured, defensible governance, and align your agency's customer due diligence processes with Australian Privacy Principle requirements, so you collect what you need without over-collecting.
Staying current with privacy reform
This guide was last updated 17 March 2026 to reflect current OAIC enforcement priorities and updated consent standards. Australian privacy law continues to evolve.
