Businesses can't indiscriminately use every item of personal information they have about customers for marketing.
The Office of the Australian Information Commissioner (OAIC) has sent a clear warning to businesses that they cannot indiscriminately use every item of personal information held about customers for marketing purposes.
The case also highlights the fact that burying an opt-out privacy consent in fine print at the end of a customer communication will not prevent a finding that you have interfered with privacy.
The mobile phone number and direct marketing calls
The OAIC received a complaint from the customer of a financial institution. The customer had been required to provide their mobile number to the financial institution to set up internet banking, and was told at the time that the financial institution would only use the mobile phone number to provide security identification for internet banking.
Five years later, the customer received several calls from a direct marketing company, which tried to sell the customer insurance products on behalf of the financial institution.
The Commissioner investigated the complaint. The financial institution did not deny that the customer had provided their mobile phone number for security identification purposes, but it told the Commissioner that it had sent the customer a letter about its insurance products a week before the telephone calls.
The letter contained a notice in fine print on the back page, which stated that the financial institution would provide the customer's mobile phone number to a telemarketing company unless the customer called a number to opt out.
On this basis, the financial institution sought to rely on National Privacy Principle (NPP) 2.1(a), which provides that an organisation can use personal information for a purpose related to the primary purpose of collection, if the individual would reasonably expect their information to be used for that purpose. Because the customer had not called to opt out, the financial institution argued that the disclosure of the customer's mobile phone number to the telemarketing company was within the customer's reasonable expectations.
The Commissioner did not agree. He considered that:
- The primary purpose of collection of the mobile number was to provide extra security protection for banking transactions. Disclosing that mobile number for the secondary purpose of enabling the direct marketing company to contact the customer was not related to the primary purpose.
- Even if the disclosure was related to the primary purpose of collection, the customer would not have reasonably expected their mobile phone number to be disclosed to the telemarketer. The Commissioner considered that the customer was unlikely to have closely read the correspondence at all, given that it was about a service that the customer was not interested in. Further, the notification that the customer's mobile number would be disclosed to the telemarketing company unless the customer opted out was placed on the back of the correspondence in extremely small font (despite its being titled "Important Information").
The Commissioner then considered whether the customer's failure to opt out amounted to an implied consent to the disclosure of their mobile phone number to the telemarketer (although the financial institution had not sought to rely on consent). He formed the view that implied consent had not been obtained, taking into account the OAIC's NPP Guidelines, which state that an organisation will have difficulty in establishing consent by failure to opt out where the opt-out provision is not clearly and prominently presented or easy to take up.
Finally, the Commissioner considered whether the disclosure was permitted by NPP 2.1(c), which allows organisations to use personal information for the secondary purpose of direct marketing in certain circumstances. He found that this provision did not apply, as it permits an organisation only to use personal information for direct marketing itself, not to disclose that information to a third party for direct marketing purposes.
The Commissioner found that the financial institution had interfered with the customer's privacy. The financial institution provided the customer with a letter of apology and an assurance that the customer would not be included in any future marketing campaigns. It also undertook to conduct a review of its marketing campaign procedures.
Businesses should not simply assume that every item of personal information held about customers can be used for marketing purposes. The purpose for which each item of personal information was collected, and what the customer was told at the time of collection, must be considered. Businesses using opt-out mechanisms to obtain consent should also carefully consider the NPP Guidelines when formulating how those opt-out mechanisms are presented. If this is not done, the consents may not be considered to have been validly obtained and conduct relying on them may breach the Privacy Act.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.