Your agency could be breaking privacy laws – spotting the signs and how to respond

Australia’s agencies are neglecting to protect the privacy and data of their clients and stakeholders, says Helaine Leggat. Despite their reliance on data, 47% of Australia’s agencies don’t even comply with Australia’s privacy laws.

Australia’s marketing agencies are struggling with contemporary privacy and data protection laws. Many still don’t appreciate (or are choosing to ignore) how Europe’s General Data Protection Regulation (which took effect on 25 May) may affect them. Meanwhile, four months after the introduction of mandatory breach disclosure law in Australia, a huge number of Australian agencies are not yet compliant with the Privacy Act or the Notifiable Data Breach Scheme.

Even at the most basic level, Australian agencies are neglecting to protect the privacy and personal information of their clients and stakeholders.

Here are two examples drawn from an analysis of 100 marketing and advertising agencies in Australia (listed below).

  • One-third (34%) of the agencies do not have secure websites, and
  • one-half (47%) of the agencies do not appear to comply with Australia’s privacy laws.

 

Why should agencies embrace HTTPS?

HTTPS, Hypertext Transfer Protocol Secure, is the secure protocol over which data is sent between a browser and a website. As a consumer, you’ll know when you’re on a secure website – you’ll most likely observe a padlock in the address bar.

Though HTTPS is not mandated by legislation or regulation, it performs four important functions:

  1. protects the integrity (trustworthiness) of your website
  2. provides authentication so that visitors know your site is legitimate
  3. safeguards the privacy and confidentiality of visitors to your website, and
  4. protects all data that is exchanged between your site and visitors to your website.

Without HTTPS, website communications are vulnerable to malicious attacks. The personal information of visitors transacting on the website could be exploited. The business’ unprotected resources could be compromised. And all data transmissions could be intercepted.

Importantly, ‘online transactions’ do not have to involve payment. A ‘transaction’ includes exchange of information. If your website collects data – such as through a contact form, chatbot, lead magnet or careers page – it is engaging in online transactions.

At least two-thirds (67%) of the agency websites examined engage in online transactions – unsecure online transactions.

 

Privacy is not negotiable

HTTPS is just one way an agency can demonstrate its commitment to data security, though the absence of HTTPS can signal other measures might also be absent or inadequate.

Businesses that collect personal information and that have an annual turnover of $3 million or more must comply with the Australian Privacy Principles and Notifiable Data Breach Scheme. Those that don’t face crippling fines.

Whatever their annual revenue, given the marketing industry now makes a living online and using data, every agency should comply.

Yet, half (47%) of the agencies examined are not complying with Australia’s privacy laws – they have not published a privacy policy and they do not include a privacy notification wherever they collect personal information – most obviously, on their contact forms.

Ignorance is neither a defence nor a safeguard against the potentially catastrophic reputational damage that would be caused by a privacy or data security breach.

 

Taking action

Nothing will motivate change more than market pressure. If you are a client or prospective client of one of the agencies listed, here are some tips about how you might like to respond:

Group one – risky business

No website security; not privacy compliant:

  • These agencies are failing on all counts.
  • Make the agency understand your ongoing relationship is contingent upon their compliance with Australia’s privacy and data security laws.
  • When your work next goes out for tender, make privacy compliance and data security part of the evaluation criteria.
  • Put pressure on them to secure their website.

Group two – misguided marketers

Secure website; not privacy compliant:

  • Make the agency understand your ongoing relationship is contingent upon their compliance with Australia’s privacy and data security laws.
  • When your work next goes out for tender, make privacy compliance and data security part of the evaluation criteria.

Group three – step up

No website security; privacy compliant:

  • Put pressure on them to secure their website.

Group four – best of the breed

Secure website; privacy compliant:

  • Where privacy and data security are concerned, these agencies appear to be best-of-breed.
  • Write a letter or place a phone call to the head of the agency. Thank them for taking privacy and data security seriously.
  • Tell others these agencies are industry leaders.

 

Agencies examined

10 Feet Tall, 24 Digital, Acidgreen, Advisible, Affinity, AFK, Akqa, AndMine, Artlivemedia, Atomic 212, August, Bliss, Bloke, Brand Chemistry, Brand Manager, Bravo, Bright Inbound, Bright Labs, Butterfly, BWM Dentsu, Castleford, Che Proximity, Clemenger BBDO, Cummins-Partners, Curated Content, DDB, Deep End, Defectors, Dejan, Digital Garden, Direct Clicks, Emote Digital, Essence, Evolution 7, Ewawe, Flint, Frank Digital, Get Started, GMG Web, Havoc Digital, Holler, Host/Havas, Icon, Inlight, Isobar, Jay Wing, JWT, Leo Burnett, Liquid, M&C Saatchi, Made Agency, Marcel, McCann, Mediacom, Metronome, Mindarc, Mindshare, Monkii, Move Ahead Media, Netstarter, Ogilvy, OMD, Online Marketing Gurus, Performics, PHD, Reborn, Red Pandas, Reff Digital Agency, Reprise, Rocket Agency, ROICOMAU, Search Insights, Shaba, Shout Web Strategy, Smart, Social Garden, Spark, Spicy Media, Spinfluence, Starcom, Switched On Media, TBWA, The M Agency, The Monkeys, The Special Group, The Tonic, The White Agency, The Works, Tickyes, TKT, Toast Creative, Tug Agency, Um, VCCP, VML, White Crow Digital, WME, Woven, Y&R and You & Co.

 

Helaine Leggat is a principal lawyer at Sladen Legal.

 

Image credit:  Paweł Czerwiński