Why retailers must rethink data practices under Australia’s privacy act reforms

As Australia moves to strengthen its privacy laws, retailers are being urged to take a hard look at how they manage customer data, particularly within loyalty programs. The proposed changes to the Privacy Act are designed to enhance consumer protections, reflecting growing concerns that loyalty programs, once a hallmark of customer engagement, may now pose significant privacy risks. While these reforms are a positive step toward greater transparency and accountability, they also introduce new compliance challenges and the potential for substantial financial penalties.

The hidden risk in loyalty programs

The concept of loyalty programs or ‘tokens’ is thought to date back to Ancient Egypt. Since then, loyalty programs have evolved to become a highly valuable cornerstone of modern retail strategy, offering customers rewards in exchange for personal information. Over time, these programs have accumulated extensive datasets, including names, addresses, phone numbers, purchase histories, and behavioural preferences. However, many retailers have adopted a ‘set and forget’ approach, rarely revisiting or reassessing the data they collect.

This passive data retention is now under scrutiny. Under the proposed Privacy Act reforms, regulators are challenging businesses to justify the data they hold. Is it still necessary? Is it still required for the purpose for which it was collected? Does it serve a clear and current business purpose? If not, why is it still being stored, and at what risk?

Retailers must now shift from passive data accumulation to active data protection, ensuring that every piece of personal information collected through loyalty programs is relevant, justified, and securely managed. This shift is not just about compliance: it is about protecting customer trust and the retailer's own reputation in an increasingly privacy-conscious marketplace.

What’s changing and why it matters

The proposed reforms to Australia’s Privacy Act mark a significant shift in how personal data must be managed—and how non-compliance will be penalised. Regulators will be granted expanded powers to enforce privacy obligations, and businesses that fall short may face serious consequences. Key changes include:

  • Substantial financial penalties: Fines of up to $50 million, or three times the value of any benefit obtained from the misuse of personal data
  • Infringement notices: Regulators can issue penalties of up to $66,000 without needing to go through the courts
  • Individual rights to legal action: People whose privacy has been breached will have the right to seek compensation directly.

These reforms reflect a broader push toward greater accountability and transparency in data handling. For retailers, this means demonstrating active, ongoing management of customer information, particularly within loyalty programs. It’s no longer enough to collect data for future use; businesses must now justify why they hold it, how it’s protected, and whether it’s still necessary.

Immediate actions retailers should take

To navigate the proposed reforms, retailers should act decisively by undertaking a comprehensive stocktake of all personal details associated with loyalty programs. This means identifying what data is held, why it was collected, where it’s stored, and whether it’s still relevant. Key steps include:

  • Data minimisation: Retain only what is necessary and delete outdated or redundant information
  • Privacy-by-design: Embed privacy considerations into every stage of loyalty program development and system updates
  • Staff training: Ensure employees understand their responsibilities under the Australian Privacy Principles
  • Cybersecurity measures: Implement protections like multi-factor authentication to guard against threats such as credential stuffing and unauthorised access.

Ultimately, compliance will hinge on accountability and transparency. Retailers that take proactive steps now will not only reduce their legal exposure but also build stronger, more trustworthy relationships with their customers.

A new era of customer trust

The proposed changes to the Privacy Act are more than a compliance obligation; they represent a strategic opportunity. For retailers, this is a chance to reset how they manage customer data, demonstrate a genuine commitment to privacy and, by extension, enhance their own reputation.

In this new era, loyalty and privacy must go hand-in-hand. As trust is increasingly tied to how personal information is handled, responsible data stewardship becomes a competitive advantage.

Retailers that strike the right balance, rewarding customers while respecting their data, will be best positioned to thrive in a privacy-conscious marketplace.

How BDO can help

As privacy regulations tighten, BDO’s forensic services professionals are here to help retailers navigate the evolving compliance landscape with confidence. Additionally, our privacy and risk advisory specialists work closely with businesses to assess, strengthen, and future-proof their data governance practices, particularly in high-risk areas like loyalty programs.

Contact us today to learn how we can support your compliance journey and help you turn privacy into a competitive advantage.
