How to comply with AU Privacy Act Tranche 2

Emily Thompson · 2026-01-22 · 8 min read

The Australian Privacy Act Tranche 2 regulations take effect in December 2026, bringing significant changes for agencies handling personal information in marketing campaigns.

What Changed?

Key changes include:

  • IP addresses and device IDs are now personal information
  • Automated decision-making must be explainable
  • Data subject access requests (DSARs) must be handled within 30 days
  • Consent must be granular (separate for marketing, analytics, etc.)

What Agencies Must Do

1. Audit Your Data

Document all personal information you collect, where it's stored, and how it's used. Include IP addresses, device IDs, and inferred demographics.

2. Implement Granular Consent

Stop using blanket consent forms. Offer separate opt-ins for:

  • Marketing communications
  • Analytics and tracking
  • Personalization
  • Third-party data sharing

3. Make Automated Decisions Explainable

If you use automation (bid adjustments, audience targeting, budget allocation), you must be able to explain why decisions were made. Log every automated action with full context.

4. Prepare for DSARs

You must be able to:

  • Find all personal information about an individual
  • Export it in a readable format
  • Delete it on request
  • Complete the process within 30 days

How Avergo Helps

Avergo is built for Australian Privacy Act compliance:

  • Automated audit trail: Every action logged with full context
  • Explainable automation: See why every automated decision was made
  • DSAR workflow: Search, export, and delete personal data in one click
  • Consent management: Track granular consent preferences per user

Don't wait until December. Get compliant today with Avergo.
