Privacy is not dead; it’s more important than ever. In an era of AI, hyper-personalisation, data breaches and increasing customer skepticism, compliance with privacy regulations is not just a legal requirement. It’s the foundation for building trust and competitive advantage.
Tim D’Souza, a Managing Director of Technology at FTI Consulting, joined Kudosity's Simplicity Effect podcast to unpack what privacy means today and how businesses can prepare for a new regulatory landscape in Australia.
Key regulatory changes in Australia
Australian privacy laws are undergoing a significant overhaul. As Tim explains, the reform agenda, which began in 2019 after the Digital Platforms Inquiry, has now produced its first legislative wave, with 23 amendments to the Privacy Act already in place and more expected.
What's changed so far:
Clarified security obligations: Under APP 11.3, businesses must now take reasonable technical and organisational steps to secure personal data: not just IT controls like firewalls, but also documented policies and governance frameworks.
Penalty notices without court: The OAIC can now issue direct fines for infractions like poor privacy policies or non-compliant direct marketing practices. This mirrors how ACMA enforces spam rules, often issuing "speeding ticket"-style penalties.
Country ‘whitelisting’: Upcoming rules will allow easier cross-border data transfers to jurisdictions deemed ‘safe’. This is similar to GDPR's adequacy decisions.
“If your privacy policy is insufficient… they don’t need to go to court for that. They can just issue a penalty notice.”
Tim D’Souza, Managing Director, FTI Consulting
Debunking the Small Business Myth
A common misconception is that small businesses are exempt from privacy laws. While this is currently true for those under $3M turnover, a proposed second tranche of amendments aims to remove this exemption entirely.
“Even small businesses are collecting large amounts of personal information… We can't allow large numbers of businesses to be handling personal information without any rules whatsoever.”
Tim D’Souza, Managing Director, FTI Consulting
The role of ACMA and enforcement
The Australian Communications and Media Authority (ACMA) plays a key role in enforcing spam and direct marketing laws. Recent years have seen it become increasingly active, using penalty notices to crack down on breaches quickly and publicly.
Quick compliance tips:
Always include an opt-out for any message with commercial intent.
Ensure consent is provable, especially when relying on implied consent.
Avoid using fine print alone — regulators want effective communication, not just legal CYA.
“The fine print doesn’t meet regulator expectations anymore… We need better ways of communicating critical information at the right point in time.” Tim D’Souza.
Why privacy builds customer trust
Privacy is more than a compliance checkbox. It’s about demonstrating that you value your customers’ data — and their agency.
“Trust becomes the very bedrock of your customer relationship… Privacy is critical to building that trust.” Tim D’Souza.
Especially during incidents, Tim warns that companies too often prioritise protecting themselves rather than affected individuals, which erodes public trust.
Integrating privacy into the data lifecycle
Tim makes a compelling case that privacy should be built in and not bolted on.
The Data Lifecycle Framework:
Collection/Creation: Only collect what you need.
Storage: Apply access controls, encryption, and governance.
Use and disclosure: Stay within your stated purpose, or obtain new consent.
Supplier Management: Ensure partners follow your privacy standards.
End-of-Life: Set clear retention policies and securely delete data.
“You cannot lose what you don’t have. Data minimisation is the most underrated privacy practice.” Tim D’Souza
AI, hyper-personalisation and compliance
AI brings a new complexity. If your chatbot uses personal data to recommend products, it likely qualifies as direct marketing and must offer opt-outs.
“If it’s using personal information to target someone, that’s direct marketing. Even if it’s AI, even if it’s in a conversation.” Tim D’Souza
What's reasonable is evolving
Expectations around "reasonable steps" change as technology advances. Encryption, multi-factor authentication, and usage controls are now the baseline.
The Global Landscape and Sender ID
As businesses operate across borders, adopting a global gold-standard privacy framework can reduce legal complexity. Meanwhile, initiatives like Sender ID are becoming vital to combat SMS fraud.
“This seems like a relatively small step but it could break the business model of threat actors.” Tim D’Souza
Final takeaways for Australian Businesses
Invest in governance - policies, training, and frameworks are just as crucial as firewalls.
Prepare for universal applicability - SMBs won't stay exempt for long.
Reframe privacy as a trust-builder - it's not just a legal obligation.
Design with privacy from the start - especially when using AI or launching new messaging platforms.
Get expert help - if you don’t have a privacy advisor, it’s time to get one.
“Make privacy a feature, not a footnote.” Podcast host Tori Starkey, The Simplicity Effect.
If your business sends messages to customers, uses AI, or handles personal data, now is the time to ensure your privacy practices are up to scratch, not just to avoid fines, but to earn lasting customer trust.
FAQs
1. What is Privacy by Design and why does it matter for Australian businesses in 2025?
Privacy by Design means embedding privacy and data protection into your systems, policies, and customer interactions from the beginning. It’s not an afterthought. In 2025, it’s essential for Australian businesses to build trust, meet updated legal requirements, and maintain a competitive edge in a privacy-conscious market.
2. What are the latest changes to the Australian Privacy Act?
Recent reforms to the Privacy Act include:
23 amendments already in effect.
Clarified security obligations (e.g., APP 11.3 now mandates both technical and organisational safeguards).
New penalty notice powers for the OAIC, allowing fines without court proceedings.
Introduction of country “whitelisting” for safer cross-border data transfers.
3. Are small businesses still exempt from Australian privacy laws?
Currently, businesses with under $3 million annual turnover may be exempt, but that’s changing. New reforms propose removing this exemption, meaning all businesses collecting personal data may soon need to comply.
4. What are the penalties for non-compliance with privacy laws in Australia?
The OAIC and ACMA can now issue direct penalty notices for:
Poor privacy policies.
Inadequate data security measures.
Non-compliant direct marketing (e.g., no opt-out options).
These fines can be issued without going to court.
5. How can Australian businesses comply with new privacy obligations?
Quick compliance tips include:
Always provide a clear opt-out in marketing messages.
Prove customer consent (especially implied consent).
Communicate clearly and don’t rely on fine print.
Encrypt personal data and enforce access controls.
Document policies and train your staff on privacy practices.
6. What role does the ACMA play in privacy enforcement?
The Australian Communications and Media Authority (ACMA) enforces spam and direct marketing regulations. It actively issues fines and investigates breaches, especially around SMS marketing and implied consent issues.
Check out ACMA https://www.acma.gov.au/ for more info.
7. How does Privacy by Design help build customer trust?
Embedding privacy into your systems shows customers that their data is respected. Trust becomes a competitive advantage especially in the age of AI, data breaches, and scepticism.
8. What is the Data Lifecycle Framework, and why is it important?
The framework covers how businesses handle personal data across its entire life:
Collection: Only gather what’s necessary.
Storage: Encrypt and control access.
Use and Disclosure: Stay within stated purposes.
Suppliers: Ensure partners comply too.
Deletion: Securely remove data after its use.
9. Does AI affect privacy compliance in Australia?
Yes. If AI tools (like chatbots or recommendation engines) use personal data for targeting, that counts as direct marketing, requiring opt-outs and consent just like traditional methods.
10. What are “reasonable steps” for privacy in 2025?
“Reasonable” is a moving target. Today, it includes:
Encryption
Multi-factor authentication
Access and usage controls
Privacy training and documented policies
11. How does Australia’s privacy law compare to global standards like GDPR?
Australia is aligning more closely with GDPR. New rules on country whitelisting and cross-border transfers reflect global adequacy standards. Businesses operating internationally should consider adopting a global gold-standard privacy approach.
12. What is Sender ID and why is it important for privacy and security?
Sender ID is an initiative to combat SMS fraud by verifying message sources. It’s a small change that could significantly disrupt threat actors and protect consumers.
13. What should Australian businesses do now to prepare for future privacy law changes?
Invest in governance (policies, frameworks, training).
Reframe privacy as a feature, not a footnote.
Review AI and marketing tools for compliance risks.
Appoint a privacy advisor or consultant.
Design new systems and customer touchpoints with Privacy by Design.
14. Does sending messages to customers count as direct marketing under Australian law?
Yes. If you’re sending messages with commercial intent, even via AI, you must:
Provide an opt-out.
Ensure consent (express or implied).
Comply with both OAIC and ACMA guidelines.