Retailers to face $50m penalties for data mismanagement, BDO warns

15 May 2025

Under new privacy laws, retailers that offer loyalty programs could face steep penalties for holding onto obsolete customer data, BDO has warned.

The Australian government has imposed stricter laws for managing customer data, drawing severe penalties for retailers who don’t take proactive steps to identify, store or remove customer data appropriately, BDO said in a press release on Tuesday.

“Loyalty programs collect vast amounts of personal data—addresses, phone numbers, transaction histories, and preferences—often without revisiting this information for years,” BDO forensic services partner Conor McGarrity said.

“The regulators are now taking a much harder stance, questioning whether all of this data is still necessary to retain. For retailers, that could mean facing scrutiny over data that no longer serves a valid business purpose.”

The government updated the Privacy Act in late 2024 to better protect customer data in the context of evolving cybersecurity threats. The changes significantly expand penalties, enforcement and investigative powers targeting companies that mismanage personal information.

Many retailers were sitting on large troves of old data that could expose them - and their customers - to significant privacy risks, McGarrity warned.

Businesses that failed to comply with the new privacy requirements could face penalties of up to $50 million, or three times the value of the benefit obtained by mishandling personal data, McGarrity said.

BDO urged retailers to take immediate action to ensure their own loyalty programs complied with the updated privacy laws. Businesses needed to be aware of where their data was stored, how it was accessed, and whether it was needed anymore.

McGarrity added that retailers should conduct privacy impact assessments and adopt a privacy-by-design approach when implementing new technologies or updating loyalty program systems.

Companies should also review their cybersecurity policies and assess whether they could be doing more to protect customer data, he said.

“Retailers should also be mindful of cyber risks related to loyalty program accounts, such as credential stuffing attacks and compromised staff access. Multi-factor authentication is a simple yet effective way to protect customer accounts and reduce the risk of a breach.”

The new laws would give customers the right to take legal action if their privacy was compromised, McGarrity warned.

“The key to compliance will be accountability and transparency—especially since individuals will now have the right to take legal action if their privacy is breached,” he said.

“For retailers, this means a sharp focus on ensuring that customer data, particularly in loyalty programs, is handled properly.”