Tips on the intersection of the Privacy Act and the Spam Act with Direct Marketing - JHK Legal Commercial Lawyers

9 December 2019


1. The Privacy Act and Direct Marketing

Pursuant to the Privacy Act 1988 (Cth) (“the Privacy Act”), an entity to which the Australian Privacy Principles apply is known as an APP entity. An entity that discloses or collects personal information about another individual for a benefit, service or advantage will be considered an APP entity.

What is direct marketing?

The term ‘direct marketing’ refers to the promotion of goods and/or services by way of communication sent directly to an individual, using personal information that has been collected or disclosed.

Personal information is described as any information which identifies or could reasonably identify a person.

Some common examples of where an organisation and/or its agents may use personal information for the purposes of direct marketing include: sending special offers addressed personally to the individual at their residential address, or targeted advertising on online platforms, such as Facebook or Google, using the individual’s information.

When is direct marketing allowed?

Whether or not you are permitted to use direct marketing depends on the type of communication you intend to use and your organisation type.

For example, telemarketing companies must ensure they comply with the Do Not Call Register Act 2006 (Cth) (DNCRA) by not contacting (by phone or fax) any numbers on the Do Not Call Register, noting that some exemptions do apply.

Organisations which transmit communications or messages of a commercial nature by way of email or SMS must ensure they are complying with the Spam Act; compliance with the Spam Act is explored later in this article.

When is APP 7 triggered?

In the event that neither the Spam Act nor the DNCRA applies, organisations must ensure that they comply with APP 7.

APP 7 will apply to:

  • all businesses and not-for-profit organisations with an annual turnover of more than $3 million;
  • small businesses which buy or sell personal information; and
  • any direct marketing communication not covered by the Spam Act or the DNCRA.

Accordingly, APP 7 will commonly be triggered in the following circumstances:

  • any direct marketing calls or faxes when transmitted to numbers not on the DNCR or where the call or fax is transmitted by a registered charity
  • any direct marketing sent by post
  • any door-to-door direct marketing
  • targeted marketing online where personal information is used or disclosed

Compliance with APP 7

APP 7 places restrictions on the circumstances in which you may use or disclose personal information of an individual for the purposes of direct marketing.

Where an organisation intends to use “sensitive” personal information of an individual, i.e. information about their health, political opinions, ethnic origin or sexual orientation, for the purposes of direct marketing, the individual must have provided the organisation with consent to do so.

In using or disclosing personal information of an individual, an organisation will comply with APP 7 in the context of direct marketing if:

  • The organisation collected the information directly from the individual and the individual would reasonably expect the use or disclosure of their personal information for the purposes of direct marketing;
  • The organisation received consent of the individual to use or disclose their personal information for the purposes of direct marketing; or
  • It was impractical for the organisation to obtain consent of the individual to use or disclose their personal information for the purposes of direct marketing.

In participating in direct marketing, an organisation must do all of the following in order to be compliant with APP 7:

  • Provide a simple opting out method
  • Upon the request of the individual, cease the use and disclosure of the individual’s personal information
  • Upon the request of the individual and within a reasonable time, inform them of where you obtained their personal information

NB: where there is a reference to reasonable time, this will generally mean no more than 30 days.

Requirements for facilitating direct marketing

APP 7 will also apply to any organisation or entity that collects personal information to facilitate direct marketing by other organisations. That is, any organisation or entity that collects personal information of an individual and provides that personal information to other organisations or entities, must comply with APP 7.

Importantly, these types of organisations or entities facilitating direct marketing must cease to do so upon the request of the individual.

2. Legal ramifications for using customer details from competitors’ websites, with respect to the Privacy Act

You need to ensure the entity that owns the website is operating in compliance with the Privacy Act and their own privacy policy.

This can safely be assumed where you are taking information from a website which has a specific privacy policy published on the website.

If there isn’t a published privacy policy you are at risk of breaching the Privacy Act by using any data from that website.

The APPs do not prohibit entities from using publicly available information; however, the entity is required to comply with APP 7 and, specifically, the requirement for the individual’s consent to use or disclose the personal information.

3. Corporate and individual penalties for a breach of the Privacy Act

Following recent amendments to the Privacy Act, penalties for all entities covered by the Privacy Act will increase to the highest of:

  • $10 million; or
  • three times the value of the benefit obtained by the entity directly linked to the misuse of information; or
  • 10% of a company’s annual domestic turnover.

In relation to any failure to resolve minor breaches, infringement notices may be issued of up to $12,600 for individuals and up to $63,000 for bodies corporate.

Where a dispute is settled between the parties, no fines are imposed against the breaching entity.

4. Legal ramifications of a breach under the Spam Act 2003 (Cth) (“the Spam Act”)

The operation of the Spam Act is triggered where an entity sends, or engages a third party to send on its behalf, one or more of the following electronic messages to an electronic address for the purposes of conveying an offer to supply, provide, advertise or solicit goods and/or services:

  • An email; or
  • An SMS; or
  • An MMS; or
  • An instant message.

To ensure that you are not in breach of the Spam Act, we recommend contacting the marketing company which sold the customer list for the purposes of ensuring that the list has been legally obtained and that the entities on the list have provided consent with respect to receiving electronically transmitted messages.

Pursuant to the Spam Act, prior to sending the electronic message, you must ensure that:

  • You have permission or consent (which can be express or implied) from the recipient to transmit the message;
  • The message contains the name and contact details of the entity that authorised the transmission of the message; and
  • There is a clearly visible avenue for the recipient to withdraw its permission or consent by way of an “unsubscribe” or “opt out” function.

Contact details

You must ensure that your contact details are provided in each electronically transmitted message. Contact details may include an address, email address and contact number.

These contact details must be current for at least thirty (30) days following the transmission of the electronic message.

Avenue to “unsubscribe” or “opt-out”

With respect to the “unsubscribe” or “opt-out” avenue, in accordance with the Spam Act, you must have:

  • instructions on the face of the electronic message which are visible and clear to the recipient of the message;
  • a process which is either free or low cost to the recipient;
  • a process which is functional for at least thirty (30) days; and
  • a process under which any request to “unsubscribe” or “opt out” is actioned within five business days.

6. Review of current Privacy Policy

We suggest that you contact us to review your current privacy policy to ensure it is up to date and that it adequately takes into account the requirements of the Spam Act.


Written by Rod Lindquist,