Consent or Pause: New Privacy Rules for Small‑Business Marketing
Australian privacy expectations are tightening fast. With Privacy Act 1988 (Cth) reforms progressing, stronger OAIC guidance, and the likely removal of the small business exemption, every small business that markets to customers faces new compliance obligations and a rising data‑privacy risk. Here’s how to translate the shift into practical, 30‑day actions.
1) The Situation: New compliance obligations meet data‑privacy risk
This is a convergence of new compliance obligations, a cyber/data‑privacy and operational risk, and a broader industry trend away from third‑party data toward first‑party consent. The trigger? Many teams still rely on legacy lists and pixel audiences where consent is unclear.
- Scenario: A client hands you a 2019 contact list plus pixel audiences. You can’t evidence consent or a working opt‑out.
- Why it matters: You risk unlawful direct marketing, OAIC notices to produce, campaign pauses, and contract exposure.
- What changes: APPs 3, 5, 6, 7 and 11 now demand purpose limitation, transparent notices, lawful direct marketing, and robust security.
2) The 2019 List Problem: Legacy consents won’t cut it
Consent must be informed, specific, current, and able to be withdrawn. Vague list sources, stale sign‑ups, or broad pixel captures don’t meet the mark—especially if you can’t show the notice presented at the time, the channel, and a clear opt‑out path.
Callout: If you can’t evidence consent and a working opt‑out, pause the record until you can.
- Stale or bundled consent increases unlawful marketing risk.
- No audit trail = no defensible position under scrutiny.
- Pixel audiences built without explicit notice risk APP 3, 5 and 7 breaches.
3) Know Your APPs Before You Hit Send
APPs 3, 5, 6, 7 and 11 in plain English
- APP 3 – Collect only what you need: Tie every data point to a clear, documented purpose.
- APP 5 – Tell people what you’re doing: Use transparent, accessible collection notices at the point of capture.
- APP 6 – Use/disclose for the stated purpose only: No repurposing without fresh, valid consent.
- APP 7 – Direct marketing rules: Only market when you have a lawful basis and provide easy, effective opt‑outs.
- APP 11 – Keep it secure and don’t keep it forever: Take reasonable steps to protect data, then destroy or de‑identify it when it’s no longer needed.
Quick pre‑campaign checklist
- Can you show consent, the exact notice, and how to opt out?
- Is the purpose unchanged since collection?
- Have you validated suppression lists and opt‑outs across all channels?
4) The 30‑Day Consent Reconciliation Sprint
Your action plan, week by week
- Freeze high‑risk sends: Pause any record without a verified consent basis.
- Define your lawful bases: Map purpose, channel, and lawful path for each data source.
- Stand up a central, auditable consent register: Track purpose, channel, timestamp, source, notice version, opt‑out method, and withdrawal date.
- Classify records: Verified, Needs Refresh, or Blocked (no marketing allowed).
- Refresh notices: Update website forms, footers, and in‑app prompts with clear APP‑aligned language.
- Enable one‑click opt‑out: Make it immediate across email, SMS, and push; auto‑sync to suppression lists.
- Tighten pixel governance: Fire only on consent; document tags, purposes, and data flows.
- Run a controlled re‑permission campaign: Invite lapsed contacts to opt back in with transparent choices.
- Prove it: Save evidence of notices, consent events, and opt‑outs alongside your campaign briefs.
- Report outcomes: Weekly metrics on % verified, % paused, opt‑out rate, and time‑to‑suppress.
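The classification and reporting steps above can be mechanised. The script below is an added example, not code from the article: it holds the register fields listed in the sprint plan, applies a go/no-go gate that returns Verified, Needs Refresh or Blocked, and computes the weekly metrics. The two-year staleness threshold, the rule that a changed purpose blocks a send, and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class ConsentRecord:
    """One row of the consent register (fields as listed in the sprint plan)."""
    email: str
    purpose: str                 # purpose stated at collection
    channel: str                 # email / sms / push / ads
    collected_on: date           # consent timestamp
    source: str                  # e.g. web form, "2019 list"
    notice_version: str          # "" when the notice shown cannot be evidenced
    opt_out_method: str          # "" when there is no working opt-out path
    withdrawn_on: Optional[date] = None

# Assumed threshold (not from the article): consent older than this needs a refresh.
MAX_CONSENT_AGE = timedelta(days=2 * 365)

def classify(rec: ConsentRecord, campaign_purpose: str, today: date) -> str:
    """Go/no-go gate: 'Blocked', 'Needs Refresh' or 'Verified'."""
    if rec.withdrawn_on is not None:
        return "Blocked"            # APP 7: a withdrawal must be honoured
    if rec.purpose != campaign_purpose:
        return "Blocked"            # APP 6: no repurposing without fresh consent
    if not rec.notice_version or not rec.opt_out_method:
        return "Needs Refresh"      # cannot evidence notice or opt-out: pause
    if today - rec.collected_on > MAX_CONSENT_AGE:
        return "Needs Refresh"      # stale sign-up: invite to re-permission
    return "Verified"

def reconcile(records, campaign_purpose: str, today: date):
    """Bucket every record and compute the weekly sprint metrics."""
    buckets = {"Verified": [], "Needs Refresh": [], "Blocked": []}
    for r in records:
        buckets[classify(r, campaign_purpose, today)].append(r.email)
    total = max(len(records), 1)    # avoid division by zero on an empty list
    withdrawn = sum(1 for r in records if r.withdrawn_on is not None)
    metrics = {
        "pct_verified": round(100 * len(buckets["Verified"]) / total, 1),
        "pct_paused": round(100 * (len(records) - len(buckets["Verified"])) / total, 1),
        "opt_out_rate": round(100 * withdrawn / total, 1),
    }
    return buckets, metrics

TODAY = date(2025, 1, 1)            # constructed "as-of" date for the sample
SAMPLE = [                          # constructed sample register, not real data
    ConsentRecord("a@example.com", "newsletter", "email", date(2024, 3, 1), "web form", "v3", "one-click link"),
    ConsentRecord("b@example.com", "newsletter", "email", date(2019, 5, 20), "2019 list", "", ""),
    ConsentRecord("c@example.com", "event", "sms", date(2024, 6, 1), "event signup", "v3", "reply STOP"),
    ConsentRecord("d@example.com", "newsletter", "email", date(2024, 1, 10), "web form", "v2", "one-click link", date(2024, 9, 2)),
]
```

Running `reconcile(SAMPLE, "newsletter", TODAY)` sends only to the one verified record, pauses the 2019-list contact for re-permission, and blocks both the withdrawn contact and the record collected for a different purpose.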
5) Notices, Preferences, and Frictionless Opt‑Outs
Design for trust and traceability
- Layer your notices: Show short, plain‑English summaries with links to full privacy details.
- Channel‑specific promises: Let people choose email, SMS, and ads separately; avoid bundled consent.
- One‑click unsubscribe: Honour within minutes; show confirmation; no login walls.
- Preference centre: Offer frequency controls and topic choices to reduce blanket opt‑outs.
- Remote‑ready templates: Ensure distributed teams follow the same approved copy and settings.
6) Security Uplift to Meet APP 11
Reasonable steps you can implement now
- Access control: Enforce least privilege; quarterly access reviews; MFA on all marketing and data platforms.
- Data minimisation and retention: Stop collecting what you won’t use; apply destruction or de‑identification schedules.
- Encryption and transport security: Encrypt at rest and in transit; use SFTP/HTTPS for transfers.
- Vendor governance: Document where data goes (email, CDP, ads); review DPAs and security attestations.
- Patch and backup hygiene: Keep systems current; test restores; protect backups.
- Incident readiness: Maintain a privacy incident playbook and notify affected individuals where required by law.
7) Make Documentation Your Advantage
“Document your business—or get out.”
Good documentation turns privacy from a bottleneck into a competitive edge and a single source of truth your remote teams can actually follow.
- Consent register as system of record: One place for purpose, channel, timestamps, source, and withdrawals.
- SOPs for list ingestion and campaign approvals: Built‑in go/no‑go gates based on consent status.
- Change management and version control: Track updates to notices, forms, and tag configurations.
- OAIC‑ready evidence packs: Notices to produce require fast, accurate documentation—prepare now.
- Training and audits: Short, repeatable checklists for remote workers; quarterly self‑audits.
8) From Risky to Resilient—Your Next Best Step
Set a 30‑day timer. Appoint an owner. Freeze unverifiable records, stand up your consent register, refresh notices, and enable one‑click opt‑out. Align security controls to APP 11 and document everything. The payoff is campaign continuity, lower legal exposure, and stronger customer trust as third‑party cookies fade and first‑party consent becomes your growth engine.
Related Links:
- OAIC: Consent to the handling of personal information
- ADMA: Understanding consent
- business.gov.au: Protect your customers’ information