The fair and reasonable test, and why consent alone won't be enough
The second tranche of Privacy Act reforms introduces a test that is separate from consent. Having consent will not be sufficient if the use fails the test. This is the single largest structural risk to performance marketing in Australia.
The second tranche of Privacy Act reforms, expected in 2026, introduces a new overarching requirement that collection, use, and disclosure of personal information be “fair and reasonable in the circumstances.” This is separate from consent. Having consent will not be sufficient if the use fails the test.
This positions Australia differently from both GDPR’s lawful basis framework and the US approach. It is a structural shift in how data use is assessed, and IMO it is the largest single structural risk to performance marketing in this country.
How the test works
Factors to be considered include whether an individual would reasonably expect the data practice; the kind, sensitivity and volume of personal information involved; and whether the practice is proportionate to the purpose.
The critical word is “reasonable.” The OAIC’s 2023 Australian Community Attitudes to Privacy Survey found that 69% of adults did not consider it fair and reasonable for their personal information to be used for online tracking, profiling, and targeted advertising. That number rises to 89% when the targeting involves children.
If those numbers hold (and there is no current trend suggesting they will soften), the practical effect is that a large share of standard marketing data practices fail the test on community-attitudes evidence alone.
Why this is the largest structural risk
Behavioural targeting, cross-site tracking, lookalike audiences, retargeting: these are standard practices in digital marketing. The community sentiment data suggests that many of them would fail the fair and reasonable test. Consent alone would not save them.
This is a potential constraint on the operating model of performance marketing, not a compliance detail. Organisations that rely heavily on third-party data, behavioural profiling, or programmatic targeting need to assess which of their current practices would survive the test, and which would not.
What to do now
The test has been consulted on but not yet legislated. The timing is subject to the political cycle, which creates a window without giving you a reason to wait.
The diagnostic question is straightforward. For each data practice in your marketing operations, can you demonstrate that a reasonable person would expect it, that the data collected is proportionate to the purpose, and that the practice is not disproportionately intrusive? If the answer is uncertain, the practice is at risk.
Organisations that move early have the advantage of designing compliant systems on their own timeline. Those that wait will be retrofitting under regulatory pressure (and IMO under public scrutiny too, because the community sentiment numbers will be quoted in every defence).