Australia’s Privacy Commissioner Carly Kind has delivered a stark warning to businesses and not-for-profits (NFPs) alike, as reported in a recent article on Mi3: the current approach to data privacy is about to change dramatically. In the interview, Kind outlined her concerns around widespread misuse of data, including tracking pixels, loyalty programs, and data brokering—signalling that the regulator is gearing up for enforcement. This isn’t just a future problem tied to incoming legislation; it’s happening now under the current Privacy Act.

The takeaway? NFPs need to act immediately to tighten their data practices or face potential regulatory action.

“Don’t Take Your Foot Off the Gas” – The Regulator Is Watching

In her interview, Carly Kind was unequivocal: “If I can get one message out, it’s don’t take your foot off the gas, because we’re going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms.”

The warning is clear. While many businesses may feel they have more time due to the delayed full-scale rollout of Privacy Act reforms, Kind has stated that her office will focus on enforcing current laws. This includes scrutiny of businesses misusing data beyond its initial collection purpose, failing to manage third-party data exchanges, and neglecting retention and destruction policies. For NFPs that handle sensitive donor data, this means compliance with existing regulations is critical. Non-compliance could result in significant penalties, reputational damage, and the loss of valuable donor trust.

Key Areas of Focus: Pixels, Loyalty, and Data Brokering

Kind highlighted several areas where she sees current and widespread non-compliance:

  • Tracking Pixels: Many websites, including those in the NFP sector, use tracking pixels to collect browsing data that is then passed to third parties, such as social media platforms. This practice is under heavy scrutiny, as many users are unaware that their activity is being tracked and shared.
  • Loyalty Programmes: Kind expressed concerns over the practices of loyalty programmes that collect excessive amounts of personal data and use it for purposes beyond what the individual originally consented to.
  • Data Brokering and Enrichment: The data brokering industry, which includes companies enriching and selling personal data, is another key area of focus. NFPs should be especially cautious when sharing data with third-party service providers, ensuring that their processes are transparent and lawful.
  • Geolocation Data: Location data collection practices are being closely examined. Kind warned that organisations using geotargeting must ensure that data collection is robust and compliant with Australian Privacy Principles.

How NFPs Can Stay Ahead of Enforcement

For NFPs, maintaining donor trust is essential, and compliance with data privacy regulations plays a crucial role in safeguarding that trust. With regulators now turning their attention to enforcement, it’s critical that organisations assess their data management practices now.

Here are four steps NFPs can take to ensure compliance:

  • Audit Your Data: Understand what data you hold and who has access to it. This includes not only your internal teams but also any third-party vendors or service providers. Know exactly how donor data is being collected, processed, and shared.
  • Review Consent Practices: Ensure that you have clear, unambiguous consent from donors for how their data will be used. Donors need to be informed of any data-sharing practices with third parties, especially when it comes to tracking, pixels, or enriching their data for marketing purposes.
  • Implement a Retention and Destruction Policy: Data that is no longer needed should be securely deleted. Retaining unnecessary data increases the risk of non-compliance and data breaches. A robust retention and destruction policy ensures that your NFP only holds onto data that is essential.
  • Prepare for Data Breaches: Have a data breach response plan in place. As Carly Kind mentioned, many companies fail to secure the personal data they hold, leaving them vulnerable to breaches. Ensure that your NFP is ready to act swiftly if a breach occurs.

The Road Ahead: Fair and Reasonable Use of Data

Kind also hinted at what’s coming next: the concept of “fair and reasonable” data use. While this provision didn’t make it into the first tranche of reforms, it’s likely to be introduced in the next wave. This change will significantly impact how organisations handle consent, meaning even if consent is obtained, using data for unreasonable purposes may still violate privacy regulations.

For NFPs, this means that any future data practices must not only be consent-based but also fair and reasonable in the eyes of regulators—and ultimately, donors.

Don’t Wait Until It’s Too Late

With 40+ organisations already completing our free 30-Minute Privacy Landscape Sessions, it’s clear that the privacy landscape is a top concern for many NFPs.

At Marketsoft, we are committed to helping NFPs like yours prepare for these evolving regulations, providing practical, actionable steps to protect donor data and ensure compliance with the current Privacy Act.

Book your free 30-minute session now to get expert guidance on how to safeguard your organisation before the regulator comes knocking.

The Time to Act Is Now

Carly Kind has made it clear: enforcement is coming, and NFPs are not exempt. The actions you take now will determine how prepared you are to meet the challenges posed by new regulations and enforcement priorities.

Don’t wait for the next wave of reforms to hit—start preparing today.

Book your free 30-minute Privacy Landscape Session today and ensure your NFP is ready for the changes. Early action can make all the difference in protecting your organisation from penalties and ensuring that your donor relationships remain strong.

Read the full article by Paul McIntyre & Brendan Coyne here.

You may also be interested in my earlier blog: Privacy Act Changes: Findings from the F&P Forum and How Your NFP Can Stay Ahead