// Financial Services · 27 May 2025
Navigating Privacy & Consent in Australian Customer Communication
As customer expectations rise and regulatory scrutiny sharpens, privacy and consent have become front-and-centre issues for Australian enterprises. Whether you're sending a simple policy update or delivering dynamic digital experiences, the way your organisation handles personal information in communications can either build trust - or break it.
At Cadence, we see growing urgency among Australian businesses to modernise their communications in line with evolving privacy requirements. But translating legal obligations into consistent, compliant customer interactions is easier said than done.
The Privacy Landscape Is Changing
Australia's Privacy Act 1988 has long been the cornerstone of data protection, but recent legislative reforms are reshaping the landscape.
The Privacy and Other Legislation Amendment Act 2024, enacted in December 2024, introduced significant changes including:
- A new statutory tort for serious invasions of privacy, enabling individuals to take civil action without needing to prove damage.
- Enhanced enforcement powers for the Office of the Australian Information Commissioner (OAIC).
- A criminal offence targeting doxxing (the malicious publication of personal information), with penalties up to seven years' imprisonment.
- New initiatives like a Children's Online Privacy Code.
Looking ahead, the government is preparing a second tranche of reforms aimed at strengthening protections further - introducing obligations for fair and reasonable data handling, expanded individual rights (such as access and erasure), and possible removal of long-standing exemptions.
These changes signal a move toward a more proactive, principles-based privacy regime (closer to global standards like the GDPR) and they raise the bar for how organisations manage personal information in customer communications.
Communications Compliance in the Spotlight
While high-profile cybersecurity breaches have dominated headlines in recent years, regulators are increasingly turning their attention to compliance failures in customer communications - particularly where businesses neglect opt-out obligations or send messages without valid consent.
In the past 12–24 months, multiple high-profile Australian organisations - including major banks, telcos, and large consumer brands - have been formally penalised for breaching consent rules under the Spam Act 2003. Common issues include:
- Sending promotional messages without a functional unsubscribe option
- Continuing to contact customers after they had withdrawn consent
- Making it unnecessarily difficult to opt out of communications
- Failing to properly synchronise customer preferences across channels
These breaches didn't stem from cyberattacks, but from everyday communication processes gone wrong - resulting in significant financial penalties and reputational damage. They reflect systemic failures to manage consent properly at scale, underscoring the need for robust governance and integrated communication platforms.
Where Communications Often Fall Short
In many Australian organisations, the systems that manage customer communications are fragmented, outdated, or too rigid to adapt quickly. This creates risk in several ways:
- Messages go out without verifying consent status.
- Customers can't easily manage their preferences across channels.
- Privacy notices are buried in legalese, not built into the experience.
- Sensitive data is exposed through poor document controls or manual processes.
These issues are especially pronounced in industries like insurance, banking, utilities, and government, where communication is both high-volume and high-stakes.
What Good Looks Like
Modern, privacy-conscious communications are:
- Customer-centric – giving users clear choices and visibility into their preferences.
- Embedded by design – where consent checkpoints and data minimisation are built into communication flows.
- Auditable – with a clear record of what was sent, to whom, and under what legal basis.
- Flexible – allowing for rapid updates to templates and rules as laws or customer needs change.
How to Get There
If you're unsure where to start, we recommend assessing your current state against four key pillars:
- Consent and Preference Management — Can your systems track and enforce consent at a granular level (e.g. channel, topic)? Are preferences easy to update?
- Content Governance — How do you manage the wording of privacy statements, disclosures, and opt-out messaging across templates and channels?
- Data Handling in Communications — Are you minimising personal data use, securing file generation and delivery, and monitoring sensitive communications?
- Auditability and Reporting — Can you demonstrate compliance if challenged by a regulator or customer?
At Cadence, we help organisations align customer communications with both compliance and customer experience goals - using proven frameworks and industry-leading technology.
Can I send mandatory or compliance-driven communications without offering an opt-out?
Yes, you can.
In Australia, communications that are purely factual or legally required (such as account notices, policy updates, regulatory disclosures, or safety recalls) are not considered marketing messages under the Spam Act 2003. Because they're not promotional in nature, they do not require consent and don't need to include an unsubscribe option.
How to identify a "compliance-driven" communication
To qualify as a non-commercial (non-marketing) message, a communication must:
- Be directly related to an existing transaction, service, or legal obligation
- Not include promotional content, upselling, or advertising
- Be necessary to fulfil a contractual, legal, or safety duty
Examples that don't require an opt-out:
- Privacy policy updates
- Changes to product terms and conditions
- Payment reminders or overdue notices
- Important safety or security alerts
- Service disruption notifications
Examples that do require opt-out:
- Cross-selling or upselling in any form
- "You might also like" recommendations
- Invitations to events or surveys not contractually required
- Loyalty program offers or newsletter-style content
Even if bundled with a compliance message, any inclusion of promotional material turns the whole message into a "commercial electronic message" - which means the unsubscribe rules apply.
Final Thoughts
The privacy and consent challenge isn't just a compliance issue - it's a communication opportunity. Done well, it can strengthen customer trust, reduce legal risk, and improve operational efficiency.
Need help navigating the complexity of privacy-conscious customer communications? Let's talk.
Disclaimer: This article is provided for general information purposes only and does not constitute legal advice. Organisations should seek independent legal advice to understand their specific obligations under Australian privacy and communications laws.
