Published on the 25/11/2020 | Written by Heather Wright
Data minimisation key…
Data minimisation becomes the name of the game as New Zealand’s new Privacy Act comes into force on December 1, with programmatic advertising facing a potential shakeup as part of the changes – and there are ramifications for Australian companies too.
The new Act, which applies to any company ‘carrying on business’ in New Zealand, places greater emphasis on being open and transparent with consumers about where information has come from and how it is being used. It’s an acknowledgement of the dramatic changes seen in technology over the past 25 years since the original Act became law, and the fact we now live large parts of our lives online, enabling companies to collect screeds of data about us.
“Your goal should be to collect and use the least amount of information possible to meet your objective.”
While still lacking teeth compared to international laws such as the GDPR, it also serves up fines of up to $10,000 for breaches. (GDPR fines can reach 20 million Euros. Privacy Commissioner John Edwards had previously called for $1 million penalties for New Zealand, but that was watered down as the Act made its long journey to law.)
Data minimisation is key for the updated Act: “If you don’t really need identifying information, such as a person’s name or their contact details, you shouldn’t collect it,” the Office of the Privacy Commissioner site notes.
“Your goal should be to collect and use the least amount of information possible to meet your objective.”
And being upfront about why data is collected will also be key, with a new offence of misleading people in order to get personal information created, complete with a penalty of up to $10,000 for those found guilty.
Zane Furtado, general manager of technology an innovation at marketing company Acquire, says when it comes to programmatic media buying, brands and agencies are having to re-think how they collect, store and use personally identifiable information (PII) across their media buys, with legacy data collection systems needing to be updated to meet the new privacy requirements.
“Having a water tight privacy cookie policy on your website should be a good starting point,” says Furtado.
“The user should have the ability to opt out of advertising at any time and should also have the ability to correct any incorrect information gathered by the brand/platform,” he says.
Website owners will be required to ensure they let users know if a cookie is being dropped on the users browser, and the purpose of the cookie.
Furtado points to online GDPR and ePrivacy compliancy tool, Cookiebot, which provides transparency and control over cookies and similar tracking on a website. It’s free if you have a single domain. Additional domains are charged for.
“As media buyers, we have got a few more months until the cookies fade away, but until then we are still very reliant on using pixels to collect information and measure attribution.”
The introduction of GDPR in Europe in 2018 helped raise awareness of privacy needs around, Furtado notes, helping local organisations create systems to make data collection policy compliant as well as protocols to address a breach if it does happen.
When it comes to brands and agencies passing information to media buying platforms, information will need to be secure and hashed, he says. And, should a breach occur, there needs to be protocols in place to inform individuals – and in the case of third parties such as agencies, the brands themselves.
In line with Australia, the updated Act sees mandatory breach reporting introduced, with any serious privacy breaches needing to be reported to the privacy commissioner and, in most cases, the impacted individuals.
Information also can’t be held longer than required or expected.
“For example, if you were collecting names and email addresses for an online competition, once that competition ends, it’s a responsibility of the advertiser/agency to delete that data,” Furtado says.
“Similarly, if you are collecting pixel loads via floodlight tags for an advertiser, make sure you are not pulling any PII and if you do lose that advertiser for any reason, you need to make sure you tell the advertiser to remove the floodlight tags from their site.”
The Act also comes with increased obligations for storing information outside of New Zealand, setting out rules requiring that personal data can only be transferred to countries with ‘comparable’ privacy laws and safeguards to those in New Zealand.
International digital platforms operating in New Zealand will be obliged to comply with the updated law, regardless of where they, or their servers, are based. Edwards has previously accused Facebook of failing to comply with New Zealand laws, when the social media giant refused to provide a complainant with access to personal information held on the accounts of several Facebook users.
When it comes to targeted ads, however, a spokesperson for the Office of the Privacy Commissioner notes that they’re usually a condition of a consumer’s use of an online service or platform.
“We, of course, want organisations to make sure they seek meaningful consent from users to disclose or share their information,” he says.