IAB Australia has made available the recording of its Data & Privacy 101 webinar, delivered on March 31, 2026, by Sarah Kruger, Director of Policy and Regulatory Affairs at IAB Australia. The session - the second in IAB Australia's 101 series - runs for just under an hour and frames privacy not as a legal checkbox but as an operational discipline that now sits at the centre of advertising, product, and commercial decision-making.
The webinar does not start with legislation. Kruger's approach is deliberately different. Instead of walking through the 13 Australian Privacy Principles line by line, the session builds from three core concepts - personal information, deidentification, and consent - before mapping those concepts onto the practical life cycle of data collection, use, and disposal. For marketing professionals and ad tech practitioners who have long treated privacy as someone else's department, the session makes a pointed argument: it is now yours too.
"Gone are the days when privacy was a tickbox function tucked away in a legal department," according to Kruger in the webinar. "The use of data is now central to your businesses, creating growth, underpinning consumer products, maximizing advertising revenue, and measuring the effectiveness of campaigns."
What counts as personal information - and why the answer is broader than most assume
The definition of personal information (PI) under Australian law is not limited to obviously sensitive data. According to Kruger, PI covers any information or opinion about an individual who is identified or reasonably identifiable. There is no threshold requiring the information to be private, confidential, or harmful. Even entirely benign details qualify. Crucially, companies do not hold privacy rights under the framework - only individuals do.
The practical implication that draws the most attention is the phrase "reasonably identifiable." An individual is identifiable when data being used can be linked with other available information to identify that person. Deleting a name, email address, or phone number from a record does not automatically make it anonymous. A Harvard professor, according to the webinar, managed to reidentify 40% of allegedly anonymous participants in a DNA study by cross-referencing the dataset with other publicly available information.
Within the universe of PI, the session identifies a smaller category: sensitive information. This covers racial or ethnic origin, political opinion, religious belief, and health information - among other categories. Health information is itself a subset of sensitive information, covering disability status and use of health services. Kruger highlights an operational risk that many practitioners overlook. If a tracking pixel monitors users who visit a counselling website or a gambling addiction support service, the organisation deploying that pixel may be inadvertently accessing sensitive health information, even if that was never the intent.
The session also touches on a live policy question. Australian reform discussions are examining whether to expand the definition of PI to include online identifiers - codes or numbers assigned to individuals in place of their names. This would bring Australia closer to California and Europe, where the legal assumption is that harm can occur even when a named identity is not known. Behavioural signals - geolocation, click patterns, social media activity - already enable a form of tracking that operates independently of formal identification. As covered previously on PPC Land, Australia proposed a dual track privacy compliance framework at its Data and Privacy Summit in August 2025, with the Productivity Commission releasing its interim report on data and digital technology at 10:30 PM on August 5, 2025, fundamentally challenging existing reform proposals.
Deidentification: why removing a name is rarely enough
The deidentification section of the webinar is likely to be the most useful for data and technology teams. The Office of the Australian Information Commissioner (OAIC) - headed by Privacy Commissioner Carly Kind - has made clear it will look at all available information when assessing whether a dataset has been truly deidentified. The standard is not whether identifiers have been stripped; it is whether reidentification is possible by any means, including by matching the data with other accessible sources.
According to the session, the OAIC applies a very low risk threshold for reidentification. Meeting it requires organisations to ask specific questions: what deidentification techniques have been applied; who will have access to the data; and what other information those people also have access to, whether provided by the organisation or publicly available.
The webinar outlines several risk-reduction measures suggested by the OAIC. Limiting access to deidentified data is the first. Allowing analysis of data through a secure mechanism, such as a data lab, is the second - providing results rather than raw data reduces exposure without eliminating analytical value. On the commercial side, including a contractual provision that prohibits the recipient from attempting to reidentify the data transfers liability if the obligation is breached.
The session is explicit: when a colleague says a dataset has been deidentified so privacy obligations do not apply, that claim deserves scrutiny. The right questions to ask are technical, legal, and commercial simultaneously - and no single person in the organisation holds all the answers.
Consent: more limited in scope than most assume, more demanding when it applies
The treatment of consent in the webinar contains a finding that surprises many practitioners: consent is not required for most activities under Australian privacy law as it currently stands. It is only mandatory when collecting sensitive information, or when using or disclosing data outside its primary purpose and beyond what customers would reasonably expect.
According to Kruger, the customer expectation test is one of the most important concepts in the framework. If a use of data is within what a customer would reasonably anticipate, consent is often not required. Direct marketing using first-party customer data collected directly from the individual - where the information is not sensitive and direct marketing contact would be expected - does not need separate consent. A simple unsubscribe mechanism is still required.
When consent is required, the standard is demanding. Valid consent must be voluntary, informed, specific, current, and given by someone with the capacity to consent. According to the webinar, agreeing to a privacy policy does not constitute valid consent. Bundled consent covering multiple services or data uses carries legal risk. Consent must be specific enough that individuals know what they are agreeing to, and must be time-limited enough that the organisation tells individuals how long it will rely on it.
Children present a particular area of caution. The capacity requirement means consent from or about a minor demands additional care, a point that has growing regulatory significance given that Australia's Tranche 1 Privacy Act reforms include a Children's Online Privacy Code.
The IAB Australia data deletion framework explainer, published in November 2025, is directly relevant here. That document addressed consumer-initiated erasure requests across the digital advertising supply chain - a mechanism that becomes legally mandatory under some international frameworks and may follow under Australian law in a future tranche.
Tracking pixels: permissible but under scrutiny
The tracking pixel section of the webinar is the most operationally specific and carries the most immediate regulatory risk signals. A tracking pixel is a piece of code generated by a third party provider that, when placed on a website, loads when a user visits the page and sends data to the provider's server. Uses include web traffic analysis, demographic profiling, ad targeting on third-party platforms, and campaign measurement.
According to Kruger, collection of PI through tracking pixels is currently permissible in Australia where the collection is reasonably necessary for the organisation's activities. That said, permissibility does not mean enthusiasm from the regulator. The OAIC has stated it "strongly encourages organisations to err on the side of caution and comply with the Privacy Act when using third-party tracking pixels on their website."
The webinar references an opinion piece by the then-Privacy Commissioner published in The Australian newspaper, which stated that TikTok - like other social media platforms - receives personal information about users as they move across the web, ranging from the fact of a site visit to email addresses and mobile numbers. The Commissioner wrote in that piece that "these practices are unacceptable," describing the digital ecosystem as driven by a business model in which brands pay a premium to platforms that know enough about individuals to deliver the right advertisement at the right time. The Commissioner named not only social platforms but also shopping outlets, news media, health providers, and educational services as users of tracking technologies.
The session identifies specific categories of data that a pixel may collect: transaction data such as items viewed and cart additions; form inputs including name, address, date of birth, email, and phone number; network information such as IP address and geolocation data; and URL and activity data covering pages visited, content viewed, and session duration. Each of these categories carries different risk profiles, particularly when geolocation or browsing patterns could intersect with health or other sensitive information.
According to the webinar, the organisation deploying a pixel - not the third-party pixel provider - is typically liable for compliance. The session recommends reviewing terms of agreement with pixel providers to understand respective obligations, ensuring transparency about tracking practices in privacy notices, avoiding the collection of sensitive information through pixels, and conducting regular audits of tracking technologies present on a website.
The questions organisations should be asking before deploying any pixel include: what information will it collect; will sensitive information be captured; how will the third party use and share that data; whether the provider will use the data for its own commercial purposes; how the information will be secured; and how long it will be retained.
That last question matters more than it might appear. According to Kruger, data being held far longer than necessary is a common feature of privacy investigations and breach incidents. Actively managing retention periods - and contractually requiring third parties to do the same - is listed as a practical measure rather than optional compliance hygiene.
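The regular audit of tracking technologies recommended above can start from a page's own markup. The following is an added example, not code from IAB Australia or the OAIC: it lists every third-party resource a page loads, which of the data categories named in the session its query string appears to carry, and whether the page sits in a sensitive context. The hostnames, sample HTML, parameter-name hints and path keywords are constructed assumptions, not a standard.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed parameter-name hints for the data categories listed in the session.
CATEGORY_HINTS = {
    "form_input": ("email", "em", "phone", "ph", "name", "dob"),
    "transaction": ("item", "sku", "cart", "value"),
    "url_activity": ("url", "page", "ref", "dl"),
}
# Assumed path keywords suggesting that a visit itself reveals sensitive information.
SENSITIVE_PATH_HINTS = ("counselling", "gambling-help", "health")

class ResourceCollector(HTMLParser):
    """Collect src URLs of elements that trigger a network request on page load."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)

def classify_params(query):
    """Map query-parameter names to the data categories they appear to carry."""
    names = {p.lower() for p in parse_qs(query, keep_blank_values=True)}
    return sorted(c for c, hints in CATEGORY_HINTS.items() if names & set(hints))

def audit_page(page_url, html):
    """Return one finding per resource loaded from a host other than the page's own."""
    page = urlparse(page_url)
    collector = ResourceCollector()
    collector.feed(html)
    sensitive = any(h in page.path.lower() for h in SENSITIVE_PATH_HINTS)
    findings = []
    for src in collector.urls:
        target = urlparse(src)
        if not target.netloc or target.netloc == page.netloc:
            continue  # relative or same-host URL: treated as first party
        findings.append({
            "host": target.netloc,
            "categories": classify_params(target.query),
            "sensitive_context": sensitive,
        })
    return findings

# Constructed sample page; hostnames use the reserved .example TLD.
SAMPLE_URL = "https://clinic.example/counselling/book"
SAMPLE_HTML = """
<img src="/static/logo.png">
<script src="https://clinic.example/app.js"></script>
<img height="1" width="1" src="https://pixel.adnetwork.example/tr?id=123&amp;em=a1b2c3
&amp;dl=https%3A%2F%2Fclinic.example%2Fcounselling%2Fbook">
<script src="https://cdn.analytics.example/tag.js?item=session-pack"></script>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Static markup only shows resources declared in the HTML; pixels injected at runtime by a tag manager need a browser-based crawl to surface.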
The Australian Privacy Principles through an operational lens
Rather than reproducing all 13 Australian Privacy Principles, the webinar maps obligations across three stages: collection, holding and use, and disposal.
At the collection stage, information must be reasonably necessary for the organisation's functions. It must be collected through lawful and fair means - deception about the purpose of collection is specifically called out as impermissible. First-party data collection directly from the individual is the required default unless it is unreasonable to do so. A collection notice must be provided at the time of collection, explaining what information is being gathered, whether provision is mandatory, and what the consequences of non-provision are.
The collection notice is distinct from a privacy policy. It is also distinct from consent. All three can be required simultaneously and none substitutes for another. According to the session, inferred data - information generated about an individual through analysis rather than direct provision - also counts as collection and must comply with these requirements. The counselling website tracking example applies here: inferences about health or wellbeing drawn from browsing behaviour are still collected data, subject to the same rules.
At the holding and use stage, data must only be used for the primary purpose for which it was collected or a directly related secondary purpose. Use for other purposes without consent - or without a public interest exception, which the session notes tends to apply to law enforcement rather than marketing - is a breach. The Spam Act imposes additional requirements: consent is required to send email, SMS, or instant messages, with an opt-in or inferred mechanism, plus an unsubscribe option.
GDPR receives brief mention. Organisations in Australia offering goods or services to EU residents, or monitoring their behaviour, are subject to GDPR regardless of where the organisation is based. Penalties run to 20 million euros or 4% of global annual turnover, whichever is higher. The webinar notes growing debate within Europe about whether GDPR's compliance burden is constraining growth and productivity, an argument that Australian industry participants are watching closely as domestic reform discussions continue.
What the reforms might change
The webinar is explicitly anchored in the current state of Australian privacy law rather than speculative future states. The Tranche 1 reforms have already passed. Tranche 2 has not yet been finalised, and the webinar acknowledges the absence of a clear timeline.
However, the session identifies several areas under active policy consideration. A broader definition of PI to capture online identifiers is a stated possibility, which would extend obligations to the use of behavioural signals even where named identity is not known. Browser-level restrictions on third-party cookies may be introduced. There is increasing policy focus on general harms, fairness, and reasonableness - particularly around children's location data - rather than the current prescriptive notification and consent model that generates the "consent fatigue" most consumers experience with popup boxes.
Australian digital advertisers have already responded to the regulatory direction by shifting strategy. IAB Australia's Data: State of the Nation 2025 report, released August 6, 2025, found that 80% of advertising professionals rate first-party data as critical or very important for targeting and creative decisions, with 92% considering data usage critical or very important for commercial success overall.
A convergence between consumer protection and privacy regulators is also flagged in the session. Personalised pricing is cited as an example: it involves both privacy issues (use of individual data to set a price) and consumer rights issues (whether pricing based on behavioural profiling is fair). The ACCC's 2026-27 enforcement priorities, announced in February 2026, confirmed that manipulative online practices and dark patterns are a headline priority - a direction that intersects directly with the data collection and targeting practices discussed throughout the webinar.
According to Kruger, the appropriate response to regulatory uncertainty is not to wait for Tranche 2. The Privacy Commissioner is actively enforcing the current law. Reviewing systems for compliance with what exists now is not optional.
Privacy impact assessments as routine practice
The final section of the session covers privacy impact assessments (PIAs) as a practical tool. A PIA describes how data flows through a project, analyses the privacy impact on individuals, and identifies measures to minimise or eliminate that impact. According to the webinar, many organisations are already conducting the equivalent of a PIA informally - mapping data flows, confirming consent, holding cross-functional meetings - without recognising it as such.
The OAIC recommends conducting a PIA before new projects and has published templates and tools on its website. Publishing the PIA is suggested by the regulator as a signal of good faith to consumers. The session adds one caveat: internal discussions where privacy risks are being assessed, and where the question of whether a proposed practice constitutes a breach is under examination, should involve legal counsel so those communications remain legally privileged and cannot be disclosed in court proceedings.
For the marketing community, the practical list of recommended steps from the session runs as follows: conduct a PIA before new projects; collect only what is reasonably necessary; use first-party data as the primary input; notify individuals at the point of collection; request consent specifically for sensitive information, new secondary uses, and sharing with third parties; check privacy practices of external partners; retain PI securely; and actively dispose of PI that is no longer needed.
Timeline
- October 2022 - IAB Australia conducts first Data: State of the Nation survey establishing baseline measurements
- April 2024 - IAB Australia conducts second Data: State of the Nation survey
- June 2024 - IAB Tech Lab releases Data Deletion Request Framework version 1, addressing consumer-initiated erasure requests across digital advertising supply chains
- August 5, 2025, 10:30 PM AEST - Australia's Productivity Commission releases interim report "Harnessing data and digital technology," challenging existing privacy reform proposals
- August 6, 2025 - IAB Australia Data & Privacy Summit; Peter Leonard reveals dual track compliance implications for digital advertisers; IAB Australia releases Data: State of the Nation 2025 report, with 80% of advertisers rating first-party data as critical
- August 28, 2025 - IAB Australia releases Internet Advertising Revenue Report for FY25, showing Australian digital advertising reaching $17.2 billion, up 10.6% year-on-year
- September 15, 2025 - Deadline for industry feedback on Productivity Commission recommendations
- November 6, 2025 - IAB Australia publishes Data Deletion Request Framework explainer for the digital advertising supply chain, ahead of anticipated Australian right-to-deletion reforms
- November 27, 2025 - IAB Australia releases Affiliate Program Compliance Guide
- December 11, 2025 - IAB Australia releases Video Measurement Framework
- February 12, 2026 - IAB releases Direct Buy Addendum v1.0 and updated General Terms addressing privacy provisions in direct digital advertising contracts
- February 19, 2026 - ACCC announces 2026-27 enforcement priorities targeting dark patterns, manipulative online practices, and anti-competitive conduct
- March 31, 2026 - IAB Australia Data & Privacy 101 webinar delivered by Sarah Kruger, Director of Policy and Regulatory Affairs; recording published on YouTube
Summary
Who: Sarah Kruger, Director of Policy and Regulatory Affairs at IAB Australia, delivered the session. The intended audience is digital advertising professionals across commercial, product, legal, and policy functions.
What: The Data & Privacy 101 webinar covers the operational meaning of personal information under Australian law, the limits of deidentification, the narrow circumstances in which consent is legally required and what valid consent requires, the current legal status and regulatory risk profile of tracking pixels, and practical steps for privacy compliance across the data life cycle. It also outlines the likely directions of Australia's Tranche 2 privacy reforms.
When: The webinar was delivered on March 31, 2026, as the second session in IAB Australia's 101 series. It is now available for replay via the IAB Australia YouTube channel.
Where: The session was delivered online and is accessible to anyone who registered. IAB Australia has confirmed the recording and slide deck will be sent to all registered participants.
Why: Australian privacy law is in active reform. The Privacy Commissioner is enforcing existing obligations now. The regulatory and commercial stakes for the digital advertising industry are high - tracking pixel practices are an explicit enforcement priority for the OAIC, GDPR penalties of up to 4% of global turnover apply to any Australian organisation serving EU consumers, and the boundaries between consumer protection and privacy regulation are narrowing. The session provides a structured framework for understanding current obligations before Tranche 2 changes the parameters further.