Data Privacy in Retail Media Networks: Key Standards

Retail media networks in Australia are booming, with the market expected to reach A$3 billion by 2027. These platforms allow retailers to use first-party data from loyalty programs, sales, and browsing activity to deliver targeted ads across websites, apps, and stores. While this creates new advertising opportunities, it also raises serious data privacy concerns. Regulations like GDPR, CCPA, and Australia's Privacy Principles require strict compliance to protect consumer data and avoid penalties of up to A$50 million.

Key takeaways:

• Retail media networks rely on first-party data for personalised ads.
• Privacy laws, including Australia's Privacy Act, enforce strict rules on data collection, use, and security.
• Technologies like data clean rooms, anonymisation, and programmatic integration help ensure compliance.
• Retailers must adopt strong governance, audit practices, and tools like Adflux CMS to manage data responsibly.

The future of retail advertising depends on balancing targeted marketing with robust privacy protections.

Why Permissioned Consumer Data ＞ Retail Media -- Brian Mandelbaum // Attain

sbb-itb-c231c83

Privacy Regulations for Retail Media Networks

Retail media networks operate in a regulatory maze where compliance is non-negotiable. These frameworks are designed to protect consumer data while balancing business operations. The stakes are high, with penalties reaching up to AU$50 million in Australia and cumulative GDPR fines of €5.88 billion expected by early 2025. Understanding and adhering to these laws is critical to building a compliant and sustainable retail media business.

Global Privacy Standards

Two major regulations set the tone globally: GDPR in the European Union and CCPA/CPRA in California. GDPR mandates explicit opt-in consent for tracking technologies like cookies and pixels. This means no tracking can occur until users actively agree. The penalties for non-compliance are severe. For instance, TikTok was fined €530 million in early 2025 for unauthorised data transfers to China, and Google faced a €200 million fine for displaying ads without valid consent.

In contrast, California's CCPA operates on an opt-out basis, requiring businesses to respect Global Privacy Control (GPC) signals from browsers. A notable case involved Sephora, which settled for $1.2 million in 2022 after failing to disclose data "sales" via third-party tracking pixels and ignoring GPC signals. By 2025, fines have increased to $2,664 for unintentional violations and $7,988 for intentional breaches.

Australia adds another layer of complexity with its own privacy rules.

Australian Privacy Principles (APPs)

Australia's Privacy Act 1988 outlines 13 principles that retail media networks must follow. Some of the most relevant include:

• APP 3: Data collection must be "reasonably necessary", meaning businesses can't collect everything available through tracking pixels.
• APP 6: Limits data use to its original purpose unless additional consent is obtained or the use aligns with reasonable expectations - using loyalty program data for ads often requires separate consent.
• APP 7: Direct marketing requires a simple opt-out mechanism, such as an unsubscribe link or "STOP" SMS. Requests must be processed promptly, typically within 30 days.
• APP 11: Security measures like encryption and access controls are mandatory. Data must also be de-identified when no longer needed.

The Australian Privacy Commissioner, Carly Kind, has criticised tracking tools as "harmful, invasive and corrosive of online privacy", signalling stricter enforcement. Penalties for serious breaches now include fines of up to AU$50 million, 30% of adjusted turnover, or three times the benefit gained from the breach. While the Act primarily applies to businesses with annual turnovers exceeding $3 million, proposed reforms could remove exemptions for smaller businesses.

And that's not all - new privacy laws are on the horizon.

New and Upcoming Privacy Laws

The privacy landscape is evolving rapidly. By 2025, 20 US states will have comprehensive privacy laws, covering 43% of the US population. Maryland's law, effective 1 October 2025, bans targeted advertising to anyone under 18 and prohibits selling sensitive personal data. Meanwhile, California's Privacy Protection Agency conducted a 2025 "investigative sweep" to ensure compliance with CPRA, focusing on geolocation data collection by ad networks.

In Australia, Tranche 2 reforms are expected by December 2026. These changes will introduce a "fair and reasonable test" for all data handling. According to ADMA:

"all collections, uses and disclosures of personal information will also need to be 'fair and reasonable'... regardless of whether you have a consumer's consent".

The reforms will also expand the definition of "personal information" to include online identifiers like IP addresses and device IDs. For retail media networks with global operations, preparing for these changes is essential, as compliance demands will only grow.

Feature	GDPR (EU)	CCPA/CPRA (California)	APPs (Australia)
Consent Model	Opt-in	Opt-out	Mixed (opt-out for direct marketing)
Browser Signals	Not explicitly required	Must honour GPC	Not currently required
Sensitive Data	High protection/consent required	Right to limit use	Express consent generally required
Minors	16+ (varies by country)	13+ (16+ for selling)	Strict safeguards for minors

Technologies for Data Privacy in Retail Media Networks

Protecting sensitive data is a critical priority for retail media networks, especially when balancing the need for actionable insights with stringent privacy requirements. These technologies not only help businesses comply with regulations but also safeguard their reputation. Interestingly, 64% of companies using privacy-enhancing tools rely on data clean rooms. Modern frameworks now allow retailers and brands to collaborate securely without sharing raw personal data.

Data Clean Rooms for Secure Collaboration

Data clean rooms (DCRs) create a secure space for retailers and brands to work together on combined datasets without exposing personal data. These platforms are designed with strict protocols that manage data input, matching processes, query execution, and aggregated outputs. Advanced technologies like commutative cryptography and Private Set Intersection (PSI) ensure identifiers remain encrypted during data matching. To further protect individuals, aggregation thresholds suppress outputs for groups smaller than a set number - typically 50 or 100 users.

For instance, in April 2023, Carrefour teamed up with LiveRamp to analyse customer buying trends - like how parents switch nappy brands as their babies grow - using a data clean room. This approach allowed them to gain insights without risking data breaches.

Lauren Wetzel, CEO of InfoSum, highlights the importance of this approach:

"Data clean rooms enable brands to collaborate without compromising data control".

Lori Johnshoy, Head of Global Retail, Media Network & CPG Industry Strategy at LiveRamp, adds:

"Collaboration can unlock stronger partnership between brands and retailers but the process needs to be grounded in privacy and security with controls and permissioning built into the model".

In addition to clean rooms, anonymisation techniques play a key role in protecting consumer data.

Anonymisation and Privacy-Preserving Analytics

Anonymisation removes or obscures direct identifiers like names and email addresses, enabling meaningful data analysis without compromising individual privacy. Techniques such as hashing (e.g., SHA-256) convert identifiers into irreversible strings, while differential privacy adds mathematical noise to prevent individual data points from influencing results. Other methods, like k-anonymity and Secure Multi-Party Computation (MPC), allow parties to generate insights collaboratively without exposing sensitive information.

Lauren Wetzel emphasises the importance of these tools:

"Privacy-enhancing technologies are critical for brands to stay compliant with regulations and maintain consumer trust. It's a way to understand your customers without sacrificing their privacy".

However, there’s a fine line to walk - over-anonymisation can reduce the usefulness of data, while under-anonymisation increases the risk of re-identification.

These measures also support secure, real-time data activation in programmatic advertising.

Programmatic Integration

Programmatic integration enables secure, real-time data activation. Using secure APIs and partnerships with Demand-Side Platforms (DSPs) like The Trade Desk, retailers can monetise their first-party data by sending it through data clean rooms to media buying platforms. This allows brands to target specific audiences using retailer data segments while maintaining privacy.

Despite these advancements, challenges persist. According to Pixalate, 35% of global open programmatic mobile app ad impressions are sold by unauthorised sellers, and in Q1 2025, 9% of mobile in-app traffic marked as "complete" SupplyChain Objects was reportedly sold by unauthorised direct sellers. To address these issues, the IAB Tech Lab has introduced new protocols:

• PAIR (Publisher Advertiser Identity Reconciliation): Finalised in July 2025, this protocol uses commutative cryptography to match first-party data securely.
• ADMaP (Attribution Data Matching Protocol): Finalised in February 2025, this tool enables secure sharing of conversion data using PSI.

These emerging standards aim to scale programmatic advertising securely while maintaining consumer privacy.

Data Privacy Compliance and Governance Practices

Navigating privacy standards isn't just about understanding the rules - retail media networks need actionable systems to stay compliant across all operations. The stakes are high: under the CCPA, even unintentional violations can cost up to $2,500 per incident, with intentional breaches climbing to $7,500.

Obtaining Consent and Minimising Data Collection

Upcoming reforms to the Australian Privacy Act introduce a "fair and reasonable" test, which means retailers can't rely solely on user consent to justify data collection. The collection itself must have a valid reason. As the ADMA explains:

"Businesses won't be able to 'consent their way to compliance'".

Consent must meet strict criteria: it has to be voluntary, specific, and unbundled - no more pre-ticked boxes.

Another key practice is data minimisation. Tracking tools should be configured to collect only the data necessary for clearly defined purposes. Regularly deleting unnecessary data not only cuts down on the risk of breaches but also simplifies the audit process. Jonathan Gilbert, Marketing Strategist at Lemonade Digital, highlights this point:

"Poor data governance now poses legal as well as operational risks".

For in-store media using facial recognition or video analytics, generic "CCTV" signage isn't enough. In November 2025, the Australian Privacy Commissioner ruled that Kmart's notices about facial recognition technology fell short - retailers must provide clear explanations about why biometric data is collected and outline how users can exercise their rights.

These consent and minimisation strategies lay the groundwork for stronger oversight, which is further supported by regular audits and brand safety measures.

Regular Audits and Brand Safety Measures

Strong governance extends beyond consent and minimisation, covering the entire data ecosystem, including third-party vendors. Importantly, retailers are still accountable for the privacy practices of their vendors - outsourcing campaign delivery doesn't exempt them from legal responsibility.

To stay compliant, track all pixels, tags, and SDKs used across your platforms. This helps identify what data is being collected, how it's being used, and whether any of it is transferred offshore. Regularly review these tools to ensure they align with evolving privacy standards. The OAIC has adopted a strict enforcement-first stance, focusing particularly on tracking pixels and profiling practices.

Internally, appoint a Data Protection Officer or Privacy Officer to oversee compliance and act as a central point of contact. Maintain detailed audit trails of consent records, including the date, time, method (e.g., online or verbal), and the specific version of the privacy policy accepted. Vendor contracts should also be updated to clearly define privacy obligations, audit rights, and breach notification requirements.

These measures not only help meet regulatory demands but also build consumer trust - an essential element for thriving retail media networks.

Regulatory Requirements Comparison

A side-by-side look at key regulations highlights why rigorous compliance practices are so important.

Regulation	Consent Requirements	Data Retention	Breach Notification	Max Penalties
GDPR	Explicit (Opt-in)	Limited to purpose	Within 72 hours	€20M or 4% of turnover
CCPA/CPRA	Opt-out (Right to Know)	Not specified	Reasonable timeframe	$7,500 per intentional violation
Australian APPs	Explicit for sensitive data	Destroy when redundant	As soon as practicable	AU$50M or 30% of turnover
CASL (Canada)	Express (Opt-in)	3 years for records	N/A	$10M per violation

Data Privacy Standards with Adflux CMS

Retail media networks must deliver campaigns that are both targeted and compliant with privacy regulations. Adflux CMS has been designed with a privacy-first approach, ensuring data protection throughout every stage - from collection to campaign delivery.

Privacy-First Features of Adflux CMS

Adflux CMS incorporates a multi-user permission system, ensuring that sensitive campaign data and administrative functions are only accessible to authorised personnel. This feature aligns with APP 11's data security guidelines. Administrators can assign tailored permission levels - for instance, granting "view-only" access to external partners while retaining full administrative control internally. This setup reduces the risk of unauthorised data exposure.

Another standout feature is Adflux's AI-powered vision analytics, which deliver demographic insights without storing personal identifiers. This method adheres to data minimisation principles under both the APPs and GDPR, allowing retailers to refine their campaign targeting without relying on persistent personal data.

Transparency is further enhanced through automated playback reports and remote screen monitoring, which provide a clear audit trail of content displays. These tools support APP 1's transparency requirements and help retailers demonstrate compliance during regulatory reviews. As Peter Leonard, Chair of ADMA's Regulatory and Advocacy Working Group, emphasises:

"Under Australian privacy law, not monitoring or 'turning a blind eye' to what other parties in a marketing data ecosystem are doing is not a defence".

These features collectively simplify compliance while ensuring robust privacy protections.

Simplifying Compliance and Campaign Management

Adflux CMS extends its privacy-first foundation with tools that streamline compliance and campaign management. Its centralised governance dashboard gives retailers a comprehensive view of their data ecosystem. This includes tracking all pixels, tags, and data destinations within the network - critical for meeting regulatory expectations around tracking technologies.

The platform also supports programmatic SSP integration, enabling secure and automated data exchanges configured to comply with global standards like the Data Deletion Request Framework (DDRF). This feature is especially relevant as Australia's Tranche 2 reforms introduce a potential "right to be forgotten", akin to GDPR Article 17.

For operational efficiency, Adflux offers remote health monitoring, allowing real-time status checks and logs of recent displays. This ensures system integrity without the need for on-site visits, reducing risks associated with manual data handling. These capabilities not only address regulatory challenges but also enhance the reliability of retail networks.

Data-Driven Innovation with Privacy Protection

Adflux CMS empowers retailers to leverage first-party and integrated third-party data for precise audience segmentation - without resorting to covert tracking methods. This shift is timely, as the industry moves away from third-party cookies. By 2025, 58% of U.S. ad buyers are expected to prioritise first-party data partnerships.

Through API integrations, the platform enables dynamic content updates, such as inventory-based ads. These updates occur via secure, standardised data exchanges, ensuring compliance with privacy standards while automatically refreshing campaign details like pricing and availability based on real-time inventory data. Jonas Jaanimagi, Technical Lead at IAB Australia, underscores the importance of proactive data management:

"Businesses must act proactively to delete data they no longer need, rather than waiting for consumer requests".

Adflux CMS combines cutting-edge tools with robust privacy measures, setting a new benchmark for retail data management.

Feature	Privacy/Compliance Benefit	Relevant Regulation
Multi-user Permissions	Restricts data access; ensures security	APP 11 (Data Security)
Playback Reporting	Provides transparency and accountability	APP 1 (Open Management)
AI Vision Analytics	Enables anonymised audience insights	Data Minimisation (GDPR/APP)
Remote Monitoring	Ensures data integrity and system health	APP 11 (Data Security)
API Integration	Supports secure, documented data flows	DDRF / Global Standards

Conclusion

Data privacy isn't just a legal necessity in retail media networks - it's a competitive advantage. With Australia's retail media market expected to hit $3 billion by 2027, retailers that prioritise transparent, privacy-compliant practices can set themselves apart. On the flip side, those who disregard these regulations risk facing penalties as steep as $50 million for serious breaches.

This guide has highlighted how strong privacy measures not only reduce risks but also open doors to new opportunities. As the industry moves towards reliance on first-party data, retailers must rethink their data strategies. This means mapping out their entire data ecosystem, cutting down on unnecessary data collection, and conducting regular audits. The days of "set and forget" data configurations are over. Meeting these demands calls for smart, automated compliance solutions.

Peter Leonard, Chair of ADMA's Regulatory and Advocacy Working Group, puts it succinctly:

"legal responsibility follows the data, not the contract".

This reality of shared responsibility across the data ecosystem makes it crucial to adopt tools that streamline compliance without disrupting operations.

Adflux CMS offers a great example of how a privacy-first approach can work in practice. Features like multi-user permissions, AI-powered anonymised analytics, and automated proof-of-play reporting allow for precise, targeted campaigns while safeguarding customer trust. Its centralised governance and programmatic integration make compliance feel effortless rather than overwhelming.

Forward-thinking retailers see privacy as more than just a box to tick - it’s a chance to build enduring trust with their customers. As regulations tighten and consumer expectations shift, those who treat privacy as a foundational strategy, not a limitation, will lead the way in Australia's retail media space.

FAQs

Do I need separate consent to use loyalty data for ads?

Under Australian privacy principles, including the Privacy Act and APPs, businesses generally need to obtain clear and informed consent before using loyalty program data for advertising. This ensures that companies comply with regulations while safeguarding customers' privacy.

How do data clean rooms protect customer privacy?

Data clean rooms offer a secure way to analyse data while protecting customer privacy. They achieve this by using methods such as encryption and de-identification, which mask direct identifiers and keep raw data confidential. The results generated are either aggregated or anonymised, ensuring compliance with privacy regulations like GDPR and CCPA. This setup enables businesses to extract insights and refine audience targeting without compromising strict privacy standards.

What should I audit to stay compliant with the APPs?

To stay aligned with the Australian Privacy Principles (APPs), take a closer look at how your organisation collects, uses, stores, and shares personal information. Pay particular attention to ensuring that proper consent is obtained before using personal data. It's also important to give individuals the choice to opt out of direct marketing communications - this builds trust and respects user preferences.

Regular reviews of these practices are not just about compliance; they also play a key role in safeguarding user privacy. By consistently evaluating and improving how data is handled, you can ensure your organisation remains trustworthy and legally compliant.