Over the past two years, Australia has witnessed a major overhaul of its privacy laws. The most significant reforms to the Privacy Act 1988 in decades are now underway, bringing the Australian Privacy Principles (APPs) into line with global standards such as the European Union’s GDPR (General Data Protection Regulation), which is a comprehensive data protection and privacy law that came into effect on 25 May 2018 across all European Union (EU) member states. The GDPR is widely regarded as the most significant privacy regulation in the world and has influenced similar laws globally.
The first tranche of changes in Australia came into effect in December 2024, and you can read about them here. What I want to discuss in this article relates to a facet of the proposed second tranche of changes, for which a legislation date is yet to be determined but could be soon or even imminent. The topic I want to get to the heart of is the proposed change to the way organisations gain consent for the use of personal data. For charities in Australia, the change could mean a fundamental rethink of how personal information — especially supporter and donor data — is collected, stored and used.
Note that the law applies differently to organisations with an annual turnover of less than AUD $3 million versus organisations with an annual turnover of more than AUD $3 million – I have dedicated a section to explain this at the end of this article.
Let’s talk about consent
There are a variety of proposed changes in ‘Tranche 2’ of the reform, including a new approach to consent. If the proposed changes are legislated, vague privacy notices and pre-ticked boxes will be a thing of the past and nonprofits (who meet the thresholds for applicability – see below) will be required to ensure that consent to fundraising and marketing is voluntary, informed, specific, current and unambiguous.
This shift is not just a compliance issue. In my opinion, it is also an opportunity to build stronger trust with supporters and demonstrate that your organisation truly respects their choices.
What’s changing in the law
A date for Tranche 2 legislation is to be determined, although in a July interview with Sky News, Attorney General Michelle Rowland expressed a desire for this next stage of reform to come into effect sooner rather than later. The most immediate and pressing expected changes for charities include:
- Stricter definition of consent: Consent would be opt-in, not assumed, and would be specific to each channel (email, SMS, phone, post)
- Withdrawal of consent: Supporters must be able to withdraw their consent easily, and charities must act on that withdrawal promptly
- Fairness and transparency: Data collection practices must be clear and not misleading. Long, complex privacy policies will no longer be sufficient
- Right to erasure: Individuals would be able to request that their personal data is deleted
For charities that rely heavily on supporter databases, these changes would be significant.
The current approach
Consider this donation form:

This form does not ask for informed consent to opt-in to any communications – either this charity plans to opt-in the donor without consent, or it does not plan to further communicate with the donor (a missed opportunity). There is no option to:
- Opt in (or out) of fundraising or marketing communications
- Choose which type of communications the supporter wants to receive
- Choose what channel to receive communications on
- Understand, in simple terms, how their data will be used
In this instance, the charity’s Privacy Policy is not within the field of vision – it is buried in the footer of the website. There is a clause in the policy that says: “We may need to disclose your personal information to others in order to carry out our activities… we may provide your contact details to other like-minded organisations to contact you with information that may be of interest to you.” This approach would fail the proposed Fair and Reasonable Test that aims to ensure data collection practices are clear and not misleading.
Under the proposed Tranche 2 reform, this kind of approach would no longer be acceptable. At best, it creates ambiguity. At worst, it exposes the charity to legal risk and reputational damage if supporters feel they are being contacted without permission.
How charities can capture consent going forward
If changes in the Tranche 2 reform go ahead, nonprofits can adhere to privacy law with the following practices:
1. Make consent channel-specific
When capturing supporter details, charities give people the option to say yes or no by channel, such as:
- Email newsletters
- SMS fundraising appeals
- Phone calls from volunteers or telefundraising partners
- Postal mail
This can be managed with a simple set of tick boxes on every sign-up form, each unchecked by default.
2. Differentiate between types of content
Consent is not bundled. A supporter may wish to receive a newsletter but not fundraising appeals, or may be happy to receive event invitations but not volunteer recruitment emails. Segmenting these options shows respect for preferences and reduces complaints. A preference centre gives supporters control over what communications they receive and when.
3. Use plain language
Privacy collection notices are written in ‘Plain English’. You can replace jargon with simple explanations, such as:
- “We will use your email address to send you news about our programs.”
- “Tick here if you would like to receive invitations to fundraising events.”
- “You can change your preferences or unsubscribe at any time.”
What you can do right now to prepare
Tranche 2 reform may still be under review, but the proposed changes provide an opportunity for your organisation to review its current consent practices.
Charities interact with supporters across many touchpoints, and each is an opportunity to capture and refresh consent.
Web forms
Redesign forms to include clear, unticked checkboxes for each channel and purpose. Under the proposed new stricter definition of consent, consent will be opt-in, NOT opt-out.
This example would NOT be compliant if Tranche 2 reform is legislated (the box should not be pre-ticked):

This example WOULD be compliant (the supporter chooses to tick the box and it is clear that the newsletter will be an email communication):

Donation pages
Separate the act of donating from consent to future appeals. Under Tranche 2 legislation donors cannot be forced to opt-in in order to complete a donation.
The example below has a Yes/No option for ‘Send me updates from Example Charity’; however, it does not specify the channel that those updates will be sent through. Under the proposed, stricter definition of consent, the information provided to the supporter at the point of consent must be specific to each channel (email, post, SMS, phone, etc.).

Events
Use QR codes or tablets at events to allow attendees to sign up with preferences captured on the spot.
Volunteers
Ensure volunteer application forms include clear consent for ongoing volunteer communications, separate from fundraising communications. In the example below, the picklist has the options ‘Yes’ and ‘No’ for agreeing to the Confidentiality Agreement, as well as a clear opt-in for more communications by email, phone and SMS.

Contact Us forms
Ensure that all your forms capture consent to market/fundraise, including your general enquiry form.

Service users
Think about the registration forms you may have for service users (beneficiaries). Consider consent where you have one party applying for support on behalf of another party. Do they have the right to give consent on behalf of someone else?
Let’s go back to the form at the top of the page
Returning to the example form we started with at the top of this article, here’s what would need to change on the form to meet the proposed APP standards in Tranche 2:
- Add unticked checkboxes for each channel (email, SMS, phone, post)
- Add options for content type (news, events, fundraising, volunteering)
- Provide a clear, one-sentence explanation of how each type of data will be used
- Include a link to a full privacy notice (written in simple terms), but keep the essential points on the form itself
- Ensure that consent preferences are stored in the CRM and can be updated at any time by the supporter
What the future might look like
This is an example of consent from Cancer Research UK. Here they give the user a choice of 4 communication options:

In Australia, Tranche 2 goes a step further – as well as providing the supporter with channel choice, organisations would need to provide options for how their email address/postal address/phone number will be used – newsletters/fundraising appeals/invitations to events etc. So let’s look at how you can set your organisation up to implement this.
Preparing your charity
The reforms may feel daunting, but the path forward is clear. If the Tranche 2 changes come into effect, charities would need to do some or all of the following:
- Audit current consent capture: Review every form, event registration and donation process
- Update CRM fields: Ensure your system can record channel-specific, purpose-specific consent. Examples include fields that record date and time consent was captured, where it was captured (what particular form), what channel the consent applies to (email, address, SMS or phone) and consent status – subscribed or unsubscribed. Date and time of opt-out and opt-out reason can also be tracked as insightful information
- Rewrite privacy policies: Replace jargon with simple, accessible language
- Train staff and volunteers: Everyone who handles supporter data should understand the new requirements
- Communicate proactively: Let your supporters know that you are making changes to respect their preferences
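
The consent fields listed under "Update CRM fields", as an added example that is not from the article or from any CRM product: an append-only consent ledger in Python in which every channel and purpose pair defaults to no consent until the supporter opts in. The class, field and source names and the supporter ID are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

CHANNELS = {"email", "sms", "phone", "post"}                  # channels named in the article
PURPOSES = {"news", "events", "fundraising", "volunteering"}  # content types named in the article
STATUSES = {"subscribed", "unsubscribed"}

@dataclass(frozen=True)
class ConsentEvent:
    supporter_id: str
    channel: str
    purpose: str
    status: str
    source: str                   # form or touchpoint where the choice was made
    recorded_at: datetime         # date and time of capture or opt-out (UTC)
    reason: Optional[str] = None  # opt-out reason, if the supporter gave one

class ConsentLedger:
    """Append-only history; the newest event per (supporter, channel, purpose) wins."""

    def __init__(self):
        self._events = []

    def record(self, supporter_id, channel, purpose, status, source, reason=None):
        if channel not in CHANNELS or purpose not in PURPOSES or status not in STATUSES:
            raise ValueError(f"unknown channel/purpose/status: {channel}/{purpose}/{status}")
        event = ConsentEvent(supporter_id, channel, purpose, status, source,
                             datetime.now(timezone.utc), reason)
        self._events.append(event)
        return event

    def capture_form(self, supporter_id, ticked, source):
        """Store only the (channel, purpose) boxes the supporter actively ticked."""
        return [self.record(supporter_id, ch, p, "subscribed", source) for ch, p in sorted(ticked)]

    def current(self, supporter_id, channel, purpose):
        key = (supporter_id, channel, purpose)
        matches = [e for e in self._events if (e.supporter_id, e.channel, e.purpose) == key]
        return matches[-1] if matches else None

    def may_contact(self, supporter_id, channel, purpose):
        """Opt-in only: no record, or a latest record of 'unsubscribed', means no contact."""
        event = self.current(supporter_id, channel, purpose)
        return event is not None and event.status == "subscribed"

    def history(self, supporter_id):
        return [e for e in self._events if e.supporter_id == supporter_id]
```

Because withdrawals are appended rather than overwriting the earlier opt-in, `history()` keeps the full record of when and where each choice was made.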
Let’s recap
While Australia’s next privacy tranche is still under review and we are yet to see if the proposed changes will become law, our Attorney General feels strongly that the changes should go ahead. Whatever your opinion, this sentiment from ADMA (Association for Data-Driven Marketing and Advertising) is a solid guide: “If you wouldn’t personally like or consent to the way a business is collecting or using personal information, it is probably safe to say that it should not be considered in the circumstances.”
My belief is that the proposed changes to the Australian Privacy Principles represent more than a compliance hurdle. They are a chance for charities to rebuild trust, improve data quality and strengthen relationships with supporters. By moving away from vague collection statements and toward genuine, informed consent, charities will avoid regulatory risk and demonstrate respect for the people whose generosity makes their work possible.
Consent is not a checkbox. It’s a commitment to transparency, respect and accountability. The charities that embrace this shift now will be the ones best placed to thrive in the new privacy era.
Helpful resources
There are a huge number of articles online explaining both the legislated and proposed changes to the Privacy Act, many of which are written by legal firms specialising in this space. Here are links to a selection used during my research for this article:
The full ADMA Privacy Series: https://www.adma.com.
Australia’s first tranche of privacy reforms – a deep dive and why they matter
Australia’s blueprint for privacy reform–what you need to do today
Australian Privacy Reforms: A generational change inches closer
Does the Privacy Act apply to your NFP? The answer might surprise you
Australian Privacy Law Reform Tranche 2: The Time for Conversation is Over
Privacy Act Reform Tranche 2: Is Your Business Ready?
The Privacy Series: The Fair and Reasonable Test Explained
The Privacy Series: Understanding Consent
Charities/nonprofits with an annual turnover of LESS than AUD $3 million versus charities/nonprofits with an annual turnover of MORE than AUD $3 million
Please refer to this Government resource for a breakdown of how Privacy Law differs according to the $3 million financial threshold.
In essence:
Thresholds for applicability
- An organisation must have annual turnover of more than AUD $3 million for the Privacy Act to automatically apply under standard rules. Charities/NFPs below that threshold may not be required by law to comply with ALL aspects of the APPs.
- Even if your turnover is less, there are special cases where you must comply:
• If doing “health service” work;
• If contracted with a Commonwealth government agency;
• If you trade in personal information;
• If you decide to “opt‑in” to the Privacy Law by choice.
Good practice is expected regardless of financial threshold
Even when the law doesn’t impose every requirement (such as informed consent, notice and retention), the updated guidance is clear that donors, volunteers and service users/beneficiaries expect good privacy practices. Trust, transparency and the risk of reputational damage are all concerns. Charities below the threshold are strongly encouraged to follow the APPs to “future‑proof” themselves.
About the author
Jessica Macpherson OAM is the founder of Blaze Your Trail, a Melbourne-based fundraising and technology consultancy with a social purpose. She offers training and expert advice for nonprofit leaders around the use of Salesforce, cybersecurity, fundraising, digital marketing and website design.
Jessica came to Australia from New Zealand to set up Oyster Bay Wine, before founding the charity St Kilda Mums (Our Village) in 2009.
She especially enjoys supporting leaders to use technology to do more good.