Recent changes to Australia’s Privacy Act have put retailers with loyalty programs at heightened risk of being hit with severe penalties.
Accounting firm BDO has joined a chorus of other consultancy firms warning retailers to take proactive steps to identify, store or remove customer data appropriately.
Forensic services partner Conor McGarrity highlighted that while the changes to the Privacy Act were necessary for stronger privacy protections, retailers must conduct thorough reviews of the personal data they hold, especially in relation to their loyalty programs.
“Loyalty programs collect vast amounts of personal data – addresses, phone numbers, transaction histories, and preferences – often without revisiting this information for years,” McGarrity said.
“The regulators are now taking a much harder stance, questioning whether all of this data is still necessary to retain. For retailers, that could mean facing scrutiny over data that no longer serves a valid business purpose.”
According to the consultant, businesses must take immediate action by conducting a comprehensive stocktake of all the personal data they have, particularly within loyalty programs, to assess what’s being stored, why it was collected, and whether it’s still relevant or necessary.
“It’s crucial for businesses to understand the full extent of the data they’re holding – especially as loyalty programs grow and evolve. Many retailers are sitting on large troves of old data that could expose them to significant privacy risks,” he said.
“Retailers need to know where their data is stored, how it’s accessed, and whether it’s truly needed anymore. Companies subject to the Australian Privacy Principles must take continuing and proactive steps, including training relevant personnel.”
If businesses are caught not doing the right thing, they face penalties of up to $50 million or three times the value of the benefit obtained from mishandling personal data.
“The regulator can now also issue infringement notices to companies for up to $66,000, without having to take claims through the courts,” McGarrity added.
“The key to compliance will be accountability and transparency – especially since individuals will now have the right to take legal action if their privacy is breached. For retailers, this means a sharp focus on ensuring that customer data, particularly in loyalty programs, is handled properly.”
The amendments were passed in December 2024, with penalties set to come into effect this month. Other key changes include a requirement for organisations to update their privacy policies to disclose when decisions are made using automated processes, coming into effect in 2026.
To safeguard against privacy breaches, McGarrity recommends conducting privacy impact assessments and adopting a privacy-by-design approach when implementing new technologies or updating loyalty program systems.
“Retailers should also be mindful of cyber risks related to loyalty program accounts, such as credential stuffing attacks and compromised staff access. Multi-factor authentication is a simple yet effective way to protect customer accounts and reduce the risk of a breach,” he said.