9 December 2019
1. The Privacy Act and Direct Marketing
Pursuant to the Privacy Act 1988 (Cth) (“the Privacy Act”), an entity to which the Australian Privacy Principles apply is known as an APP. If it discloses, or collects, personal information about another individual for a benefit, service or advantage then it will be considered an APP.
What is direct marketing?
The term ‘direct marketing’ refers to the promotion of goods and/or services, by way of communication sent directly to an individual through the use of disclosed, personal information.
Personal information is described as any information which identifies or could reasonably identify a person.
Some common examples of where an organisation and/or its agents may use personal information for the purposes of direct marketing include: sending special offers addressed personally to the individual at their residential address, or targeted advertising on online platforms, such as Facebook or Google, using information of the individual.
When is direct marketing allowed?
Whether or not you are permitted to use direct marketing will be dependent on the type of communication you intend to use and your organisation type.
For example, telemarketing companies must ensure they comply with the Do Not Call Register Act 2006 (Cth) (DNCRA), by not contacting (by phone or fax) any numbers on the Do Not Call Register, noting that some exemptions do apply.
Organisations which transmit communications or messages of a commercial nature by way of email or SMS must ensure they comply with the Spam Act, compliance with which is explored in this article.
When is APP 7 triggered?
In the event that neither the Spam Act nor the DNCRA applies, organisations must ensure that they comply with APP 7.
APP 7 will apply to:
Accordingly, APP 7 will commonly be triggered in the following circumstances:
Compliance with APP 7
APP 7 places restrictions on the circumstances in which you may use or disclose personal information of an individual for the purposes of direct marketing.
Where an organisation intends to use “sensitive” personal information of an individual, i.e. information about their health, political opinions, ethnic origin or sexual orientation, for the purposes of direct marketing, the individual must have provided the organisation with consent to do so.
In using or disclosing personal information of an individual, an organisation will comply with APP 7 in the context of direct marketing if:
In participating in direct marketing, an organisation must do all of the following in order to be compliant with APP 7:
NB: where there is a reference to reasonable time, this will generally mean no more than 30 days.
Requirements for facilitating direct marketing
APP 7 will also apply to any organisation or entity that collects personal information to facilitate direct marketing by other organisations. That is, any organisation or entity that collects personal information of an individual and provides that personal information to other organisations or entities, must comply with APP 7.
Importantly, these types of organisations or entities facilitating direct marketing must cease to do so upon the request of the individual.
2. Legal ramifications for using customer details from competitor’s websites, with respect to the Privacy Act
You need to ensure the entity that owns the website is operating in compliance with the Privacy Act and their own privacy policy.
This can safely be assumed where you are taking information from a website which has a specific privacy policy published on the website.
If there isn’t a published privacy policy you are at risk of breaching the Privacy Act by using any data from that website.
The APP does not prohibit entities from using publicly available information; however, the entity is required to comply with APP 7, and specifically, the requirement for the individual’s consent to use or disclose the personal information.
3. Corporate and individual penalties for a breach of the Privacy Act
Following recent amendments to the Privacy Act, penalties for all entities covered by the Privacy Act will increase to the higher of either:
In relation to any failure to resolve minor breaches, individuals may face infringements of up to $12,600, and up to $63,000 for bodies corporate.
Where a dispute is settled between the parties, no fines are imposed against the breaching entity.
4. Legal ramifications of a breach under the Spam Act 2003 (Cth) (“the Spam Act”)
The operation of the Spam Act is triggered where an entity sends an electronic message to an electronic address, or where an entity has engaged a third party to send on its behalf, one or more of the following, for the purposes of conveying an offer to supply, provide, advertise or solicit goods and/or services:
To ensure that you are not in breach of the Spam Act, we recommend contacting the marketing company which sold the customer list for the purposes of ensuring that the list has been legally obtained and that the entities on the list have provided consent with respect to receiving electronically transmitted messages.
Pursuant to the Spam Act, prior to sending the electronic message, you must ensure that:
Contact details
You must ensure that your contact details are provided in each electronically transmitted message. Contact details may include an address, email address and contact number.
These contact details must be current for at least thirty (30) days following the transmission of the electronic message.
Avenue to “unsubscribe” or “opt-out”
With respect to the “unsubscribe” or “opt-out” avenue, in accordance with the Spam Act, you must have:
6. Review of current Privacy Policy
We suggest that you contact us to review your current privacy policy to ensure it is up to date and that it adequately takes into account the requirements of the Spam Act.
Written by Rod Lindquist,
Consultant