By Chamara Somaratne | Anthosa

The digital marketing world is undergoing a tectonic shift, one that is redefining how trust, relevance, and engagement will be earned in the years ahead. Once reliant on cookies, behavioural tracking, and third-party data, the industry now finds itself at a crossroads: evolve or risk irrelevance.

What’s driving this shift? A potent convergence of forces:

• Consumer consciousness around privacy has reached critical mass, with users demanding more control over their data and how it’s used.

• Landmark legislative reforms, like the GDPR, CPRA, and Australia’s own privacy law reviews, are rewriting the rulebook for compliance and consent.

• Big tech is recalibrating the infrastructure of the web, with Apple’s App Tracking Transparency, Google’s Privacy Sandbox, and Microsoft’s AI-enhanced security layers changing the foundations upon which digital marketers have long depended.

This isn’t just a technological upgrade. It’s a philosophical realignment where data ethics, transparency, and value exchange sit at the core of brand-consumer relationships.

In this article, we explore:

• The forces disrupting digital marketing as we know it

• How the power dynamics between platforms, brands, and consumers are shifting

• The strategic innovations emerging in a privacy-first era

• And what leaders must do now to stay competitive, compliant, and customer-centric

The privacy revolution isn’t just reshaping tactics. It’s redefining the future of digital trust, and with it, the very DNA of marketing itself.

A Holistic Analysis of the Current Digital Marketing Industry and Its Privacy Challenges

Digital marketing in Australia, much like globally, has been characterised by its reliance on vast amounts of consumer data to deliver personalised experiences and targeted advertisements.1 This industry fuels significant economic activity, enabling businesses to reach customers efficiently and effectively. However, this data-driven model operates within complex legislative frameworks, primarily the Privacy Act 1988 (Cth) and its associated Australian Privacy Principles (APPs), and the Telecommunications (Interception and Access) Act 1979 (TIA Act), particularly its data retention amendments from 2015.2

Legislative Frameworks and Their Challenges:

• Privacy Act 1988 (APPs):

This is the cornerstone of privacy protection in Australia, dictating how personal information is collected, used, stored, and disclosed by businesses (with an annual turnover of $3 million or more) and government agencies.3

• Challenge: While the APPs set broad principles, the sheer volume and complexity of data collection, especially by third parties and data brokers (often operating without direct consumer relationships), make it difficult for consumers to understand or control how their data is truly used. Lengthy, complex privacy policies often serve as “take-it-or-leave-it” propositions, limiting genuine consent. The ACCC has highlighted that consumers generally lack visibility and choice over data collection practices.4

• Telecommunications (Interception and Access) Act 1979 (Data Retention):

This Act mandates Australian Telcos (including Internet Service Providers or ISPs) to capture and store specific types of customer “metadata” for a minimum of two years.5 This includes subscriber identity, source and destination of communication (e.g., phone numbers, IP addresses), and the date, time, and duration of communication.

• Challenge: While the Act explicitly excludes the content of communications and general web browsing history, the retention of “destination of communication” (e.g., connecting to specific IP addresses, or through plaintext DNS, the domain names visited) provides a rich source of data. This “metadata” can, in aggregate, paint a very detailed picture of an individual’s online activities.6 The primary “loophole” here is the potential for Telcos and ISPs to infer or even monetise this comprehensive metadata, directly or indirectly, for commercial purposes, even if not explicitly mandated by the TIA Act, subject to the constraints of the Privacy Act.

What these challenges look like from an individual’s perspective (jargon-free examples):

Imagine you’re browsing online. You might think your activity is private, but:

• The “Creepy Factor”: You browse a specific product on one website, then suddenly see ads for that exact product on completely unrelated websites or apps. This happens because “third-party cookies” or other trackers collect your browsing habits and share them across the advertising ecosystem.7
• “Knowing Too Much”: Your phone shows you ads for local businesses you’ve driven past, even if you never searched for them. This is often due to location data sharing by apps.
• “Invisible Profiling”: You might be categorised as a “frequent gambler” or someone with a particular health interest, not because you explicitly said so, but because various data points (your app usage, websites visited through your ISP’s record, online purchases) are secretly collected and combined by data brokers, without you even knowing these firms exist. This data could then be used to target you with specific, potentially harmful advertising.
• ISP’s “Browser History” – Not Exactly, But Close: When you visit a website, your computer asks a “phonebook” (DNS server) for the website’s address.8 Traditionally, this “phonebook query” is unencrypted, meaning your ISP can see every website name you type or click on. Even if they don’t store your “browsing history” as a neat list, they have a very good record of your online movements.

Current Advancements in Privacy Tech and Their Impact

A new wave of privacy-enhancing technologies is emerging, largely driven by major tech platforms like Apple, Google, and Microsoft, aiming to give consumers more control and make pervasive tracking technically challenging.9

Key Privacy Tech Evolutions (in simple terms):

• Encrypted Internet Traffic (DoT, ECH):

• DNS over TLS (DoT): Think of this as putting your “phonebook query” (DNS request) into an encrypted envelope.10 Your Internet Service Provider (ISP) can still see that you’re asking a phonebook, but they can’t see what website name you’re asking for. This significantly reduces their ability to build a profile of your Browse habits.
• Encrypted Client Hello (ECH): When your device first connects to a secure website (HTTPS), it sends a “hello” message that traditionally included the website’s name. ECH encrypts this “hello,” so your ISP can see you’re connecting to a website, but not which specific one, further masking your online activity.11
• How it affects challenges: These directly impact the “destination of communication” metadata that Telcos/ISPs are required to retain. While the ISP still logs that you connected to something, they lose the ability to easily know what specific website or service that “something” was. This significantly diminishes the commercial value of that retained metadata for profiling and advertising.

• IP Address Obfuscation (Apple Private Relay, Microsoft Edge Secure Network, Chrome IP Protection):

• How it works: Instead of your internet traffic going directly from your device to a website (allowing your ISP and the website to see your real online address), it’s routed through two separate, encrypted steps.12 In the first step, your real address is seen but not the website you’re going to. In the second step, the website you’re going to is seen, but only a generic, temporary online address is presented, not your real one.
• How it affects challenges: This makes it much harder for websites and advertising networks to track you across different sites using your unique online address. It also further limits what your ISP can infer from your connection data.

• On-Device Processing and Privacy-Preserving AI (Apple Intelligence, Google’s Protected Computing, Microsoft’s On-Device AI):

• How it works: Instead of sending all your personal data (photos, messages, voice commands, smart home data) to vast cloud servers for analysis by AI, these technologies increasingly perform the analysis directly on your phone, computer, or smart home device. For tasks that require cloud power, they use “secure enclaves” or “private cloud compute” where data is processed in a way that even the tech company itself cannot see the raw personal information.13
• How it affects challenges: This is a fundamental shift that directly prevents sensitive personal data from being exposed on the network at all. If the data never leaves your device in an identifiable form, neither your ISP nor third-party data brokers can intercept, collect, or build profiles from it. This is particularly relevant for the new frontier of smart home data with Apple’s proposed homeOS, limiting new avenues for extensive metadata collection by ISPs.

• The Demise of Third-Party Cookies & New Advertising APIs (Google Privacy Sandbox, Apple ATT):

• The Problem: Third-party cookies are tiny files placed on your browser by advertisers, allowing them to track your movements across unrelated websites.14
• The Solution: Browsers (Safari already, Chrome in the near future) are blocking these cookies. In their place, Google’s “Privacy Sandbox” is proposing new ways for advertisers to still show relevant ads and measure effectiveness, but without individual tracking.15 For example, ads might be based on groups of people with similar interests (cohorts) rather than individuals, or ad selection could happen on your device without revealing your identity.16 Apple’s App Tracking Transparency (ATT) forces apps to ask for your explicit permission to track you across other apps and websites, and most users decline.
• How it affects challenges: This directly tackles the “creepy factor” and the “invisible profiling” by limiting the core mechanisms used for cross-site and cross-app tracking. It will significantly reduce the amount of personal data flowing into third-party advertising marketplaces.

How the Industry Will Evolve in the Future

These technological shifts, combined with growing consumer awareness and evolving regulations, will fundamentally reshape the digital marketing and advertising industries.

Next 12-18 Months (Year 1): The Immediate Shift

• Urgent Adaptation: Australian marketers will be in a frenetic race to adapt to the reality of a cookie-less web, particularly as Chrome phases out third-party cookies. Expect significant experimentation with new Privacy Sandbox APIs.
• First-Party Data Gold Rush: Brands will heavily invest in building their own direct customer relationships and collecting data directly from their customers (e.g., through loyalty programs, email sign-ups, customer service interactions). This “first-party data” will become their most valuable asset.
• Contextual Advertising Comeback: Advertising will increasingly rely on the content of the webpage or app itself, rather than the user’s past behaviour.17 An ad for car insurance will appear on an article about new cars, regardless of who is reading it.
• ISP Visibility Declines: As more users adopt browsers and operating systems with DoT/DoH and ECH enabled, the specific web domains an ISP can “see” in your traffic will diminish. This means their ability to infer detailed browsing habits for commercial purposes from legally retained metadata will lessen.

Next 1-3 Years (Years 2-3): Re-architecting and Specialisation

• Privacy-Preserving Ad Tech Takes Centre Stage: New companies and technologies will emerge that specialise in facilitating advertising without reliance on individual tracking. Solutions like Data Clean Rooms will become common – these are secure, anonymised environments where different companies can combine their data in a way that allows for aggregated insights without revealing individual identities.18
• Consolidation of Power: Large tech companies like Apple and Google, which control the operating systems and browsers, and have vast amounts of “first-party data” from their own services, will gain more influence in the advertising landscape.19 Brands will increasingly work directly with these platforms.
• On-Device Personalisation Flourishes: Expect highly personalised experiences within your devices and apps, driven by AI that processes your data locally. Your phone might suggest relevant products based on your messages or photos, but this data won’t leave your device to be used for ads elsewhere.20
• Sophisticated Contextual AI: AI will allow for extremely nuanced contextual advertising – understanding the full meaning and sentiment of content to place highly relevant ads, moving beyond simple keyword matching.21
• Reduced “Monetisation Loophole”: With encryption and on-device processing becoming standard, the practical ability of Telcos/ISPs to extract commercially valuable insights from mandated metadata will be significantly reduced. This makes it less attractive for them to try to monetise this data.

Next 3-5 Years (Years 4-5): The New Normal and Ethical Data Leadership

• Privacy-by-Default: Privacy will be a fundamental expectation, not a premium feature. Browsers and operating systems will be designed from the ground up to protect user data, with tracking and extensive data sharing becoming the exception, not the norm.
• Zero-Party Data: Brands will actively seek “zero-party data,” where consumers willingly and explicitly provide their preferences (e.g., “I’m interested in travel to Japan,” “I prefer eco-friendly products”).22 This builds direct trust and provides valuable, consented insights.
• Trust as a Competitive Advantage: Companies that demonstrate a genuine commitment to consumer privacy and ethical data practices will earn greater trust and loyalty, differentiating themselves in the market.23
• Shift in Digital Marketing Roles: Digital marketers will evolve from “data hoarders” to “creative strategists” and “customer relationship builders.” Success will depend on deep understanding of customer needs, compelling content, and building direct, consensual relationships.
• Less “Creepy,” More Relevant: For consumers, advertising will ideally become less intrusive and more genuinely useful, as it’s either based on expressed interests, contextual relevance, or on-device intelligence rather than surreptitious tracking.24

Making a Compelling Case for Legislative Environment Changes

While technological advancements are providing powerful practical protections, the legislative environment in Australia still needs to evolve to create a truly robust and future-proof privacy framework.

Required Changes for Policymakers:

1. Strengthened and Modernised Privacy Act: Australia’s Privacy Act has undergone recent reforms, including increased penalties and a statutory tort for serious invasions of privacy.25 However, further alignment with global best practices (like GDPR’s data minimisation principles and expanded individual rights) is crucial.

• Focus Areas: Clearer definitions of consent, stronger rights for individuals to access, correct, and erase their data, and more robust mechanisms for accountability for data misuse, especially by data brokers.
• Addressing AI: The rise of AI necessitates specific provisions around algorithmic transparency, explainability, and accountability when AI makes decisions that significantly affect individuals.26 The proposed disclosure of automated decision-making in privacy policies is a good start, but deeper protections are needed.

1. Explicit Prohibition on Metadata Monetisation: While the Privacy Act generally covers personal information, policymakers should consider explicitly legislating against the commercial sale or monetisation of metadata collected under the TIA Act (data retention scheme) by Telcos and ISPs. This would remove any ambiguity and close the “potential loophole” entirely, regardless of the level of encryption.
2. Cross-Sectoral Data Governance: A comprehensive framework is needed to manage data sharing across various sectors, including the emerging Internet of Things (IoT) and smart home ecosystems. This is where the homeOS and similar platforms will generate new types of metadata. Legislation should clarify ownership, access, and usage rights for IoT data, moving beyond traditional telecommunications.
3. Regulatory Enforcement and Resources: The Office of the Australian Information Commissioner (OAIC) needs adequate funding and powers to proactively audit, investigate, and enforce privacy laws against all entities, especially large tech companies and data brokers.

Collaboration Needed from Industry Players:

• Telcos and ISPs:

• Embrace Privacy Tech: Actively support and adopt DoT, ECH, and other network-level privacy enhancements. Instead of resisting these changes, see them as an opportunity to build trust with their customers.
• Transparency: Be transparent with customers about what metadata is collected for legal compliance and clearly state that it is not used for commercial profiling or monetisation.
• Secure Data Handling: Continue to invest heavily in the security and encryption of all retained data, exceeding minimum requirements.

• Big Tech (Apple, Google, Microsoft):

• Standardisation: Continue to collaborate on industry standards for privacy-preserving technologies (like Privacy Sandbox APIs, ECH) to ensure interoperability and a consistent privacy experience across the internet.
• User Control and Education: Prioritise user-friendly privacy controls and clear explanations of how data is used, empowering users to make informed choices.
• Accountability: Be transparent about how their internal first-party data is used for advertising and ensure robust internal governance.

• Digital Marketing and Advertising Industry:

• Innovate with Privacy: Shift away from tracking-based models to develop new, creative, and effective advertising strategies that respect user privacy (e.g., advanced contextual targeting, ethical AI use, engaging zero-party data collection).27
• Invest in First-Party Data: Prioritise building direct relationships and collecting consented first-party data.
• Embrace Data Clean Rooms: Invest in and utilise secure data clean rooms for collaborative insights and measurement.28
• Education: Educate their teams and clients on the evolving privacy landscape and the necessary shifts in strategy.

Contribution to Innovation, Digital Transformation, and the Future Digital Economy of Australia and Beyond

This privacy-first paradigm, driven by both technological innovation and a maturing regulatory environment, will have profound positive impacts:

• Enhanced Consumer Trust: A digital economy built on trust, where consumers feel their privacy is respected, will encourage greater participation and engagement online. This fuels sustained growth for digital businesses.
• Innovation in Ad Tech: The challenges posed by privacy restrictions will spur immense innovation in the digital advertising industry, leading to new, more creative, and ethically sound ways to connect with consumers. This pushes the industry to be smarter, not just more pervasive.
• Stronger First-Party Relationships: For brands, investing in first-party data fosters deeper, more meaningful direct relationships with customers, leading to better customer service, loyalty, and long-term value.29
• Fairer Competition: By leveling the playing field and reducing the dominance of companies that rely solely on vast third-party data collection, smaller businesses and ethical innovators will have more opportunities to compete.
• Resilience of the Digital Economy: A privacy-compliant and secure digital environment is crucial for the long-term health and resilience of Australia’s digital economy. It attracts investment, supports digital transformation across all sectors (health, education, finance), and ensures Australia remains a trusted participant in the global digital landscape.
• Exportable Expertise: Australia can become a leader in developing and implementing privacy-by-design solutions, exporting this expertise to other nations grappling with similar challenges. This contributes to Australia’s position as a digital innovator on the global stage.

The privacy revolution is not the end of digital marketing. It is its rebirth.

Yes, the road ahead will require adaptation. Legacy models built on passive data harvesting and opaque profiling are being phased out. But what replaces them is a more intelligent, ethical, and enduring form of engagement, one built on consent, value, and mutual respect.

In this new era:

• Brands won’t just capture attention, they’ll earn it.
• Data won’t be taken, it will be exchanged for clear, meaningful value.
• Campaigns won’t chase clicks, they’ll build long-term trust and loyalty.

Australia, with its strong regulatory direction and growing digital ecosystem, stands uniquely positioned to lead this next wave. By embracing privacy as a design principle, not a constraint, we can pioneer a digital economy where innovation and integrity coexist.

In the end, this isn’t just a marketing transformation, it’s a societal one. And the organisations that recognise this early will be the ones who don’t just survive the change but shape what comes next.

References:

1. In Marketing We Trust, Data Privacy in Australia: Guide for Digital Marketers, Kirsten Tanner, Jun 17, 2024
2. getLaw, Australian Privacy Principles
3. Australian Government, Digital platform services inquiry 2020-25
4. Attorney-General’s Department, Industry obligations
5. Freename,How are digital assets and digital footprints related?
6. TrustArc, Guide to Third-Party Cookie Trackers
7. Elementor, What is DNS? The Internet’s Phonebook Explained for Web Creators, Itamar Haim, May 07, 2025
8. Virtu, Respecting Data: How Apple is Making Privacy Cool – Virtru, Matt Howard, June 12, 2025
9. Indusface, DNS Over TLS (DoT): Definition, Key Benefits, and Potential Limitations
10. Mozila, Understand Encrypted Client Hello (ECH) | Firefox Help, Firefox, July 16, 2025
11. Avast, What Is a VPN and How Does It Work? – Avast, Nica Latto, January 17, 2025
12. Tin Foil, Got Privacy? – Tinfoil, Tinfoil Team, May 15, 2025
13. Secure Privacy, Tracking and Advertising Cookies | A Comprehensive Guide – Secure Privacy, Legal News
14. Privacy Sandbox, Protect user privacy online, July 07, 2025
15. Privacy Sandbox, Federated Learning of Cohorts (FLoC) – Privacy Sandbox
16. DoubleVerify, What You Need to Know About Contextual Advertising, Marketing Team, Nov 12, 2025
17. PwC, How data clean rooms reinvent media TMT business models – PwC, June 24, 2024
18. Brookings, Big Tech won. Now what? – Brookings Institution, Tom Wheeler, Oct 16, 2023
19. Hollyland, Why Your iPhone Suggested Contacts when Sending Pictures? Here’s What You Should Know – Hollyland, Jun 26, 2025
20. ILLUMIN, Contextual targeting in digital advertising: the ultimate guide | illumin, Niyathi Rao, Oct 20, 2023
21. iMark Infotech, Using Zero-Party Data to Elevate Social Media Strategy – iMark Infotech Pvt. Ltd., Ishan Gupta, May 09, 2025
22. Future B2B, Ethical marketing: Building trust and consumer engagement in the digital age, Victoria Martinez, May 23, 2024