Under the proposed changes to Australia's privacy laws, direct marketers will be required to comply with a new privacy principle specifically regulating the use of personal information for direct marketing.
One of the key changes contained in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 is the introduction of a new privacy principle, Australian Privacy Principle 7, which will impose strict rules on how businesses use and disclose personal information for the purpose of direct marketing.
What is the current position?
Direct marketing involves the promotion of goods or services directly to consumers, for example advertising via post, email, SMS and telemarketing. It may involve unsolicited communications or communications to existing customers.
Currently, under the National Privacy Principles (NPPs) in the Privacy Act, if an organisation collects an individual's personal information for the primary purpose of direct marketing, it can use and disclose the individual's personal information for that purpose (although other laws – such as the laws on spam and the Do Not Call Register – may also apply depending on the circumstances).
It is not relevant that the individual may not know that his or her personal information has been collected by the organisation for the primary purpose of direct marketing. An example is unsolicited direct marketing where contact details are often compiled by direct marketers from telephone directories and other publicly available sources.
The existing privacy protections for direct marketing apply only where the personal information was not collected for the primary purpose of direct marketing and the individual's consent to direct marketing has not been obtained. In these circumstances, NPP 2.1(c) allows organisations to use (but not disclose) personal information for the secondary purpose of direct marketing, but only if the following conditions are met:
- the information is not sensitive information;
- it is impracticable to seek the individual's consent before the particular use;
- in each direct marketing communication with the individual, the organisation draws to the individual's attention, or prominently displays a notice, that he or she may opt out of receiving further direct marketing communications;
- the organisation does not charge for the individual to opt out;
- the individual has not opted out of receiving direct marketing material from that organisation in the past; and
- in each written direct marketing communication with the individual, the organisation sets out its business address and telephone number and, if the communication was by electronic means, a number or address at which the organisation can be directly contacted electronically.
The proposed APP 7 is the Government's response to community concerns that the current privacy laws permit personal information collected for the primary purpose of direct marketing to be used "almost without restraint" by direct marketers.
What will change?
The proposed APP 7 sets out new generally applicable requirements for organisations that engage in direct marketing. Importantly, these requirements will not apply to the extent that the Spam Act or the Do Not Call Register Act apply to the particular marketing activity (being more specific legislation that regulates direct marketing by electronic messaging and telephone respectively).
Under the proposed APP 7, the use and disclosure of personal information for direct marketing by private sector organisations will be prohibited unless one of the exceptions in APP 7 applies. Unlike the current position under the NPPs, the prohibition will apply regardless of the purpose for which the organisation collected the individual's personal information, that is, whether direct marketing is the primary purpose or a secondary purpose.
APP 7 will not apply to Federal public sector agencies generally, but in some circumstances the acts of an agency which engages in commercial activities may be treated as the acts of an organisation, requiring compliance with APP 7.
What are the permitted exceptions?
The proposed APP 7 provides an "opt-in" regime in relation to the use of sensitive information for direct marketing and an opt-out regime in relation to the use of personal information which is not sensitive. The opt-out regime distinguishes between the use of personal information collected directly from individuals and information collected indirectly through third parties.
Exceptions for the use of personal information other than sensitive information
Under the proposed APP 7, where an organisation collects personal information directly from an individual, it may use or disclose that information (other than sensitive information) for the purpose of direct marketing if:
- the individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and
- the organisation provides a simple way of opting out of direct marketing; and
- the individual has not already requested to opt out of direct marketing from the organisation (APP 7.2).
Where an organisation collects personal information from an individual who would not reasonably expect the organisation to use or disclose the information for the purpose of direct marketing or from someone other than the individual, it may use or disclose that information (other than sensitive information) for the purpose of direct marketing if:
- either the individual has consented to the use or disclosure of the information for direct marketing or it is impracticable to obtain that consent; and
- the organisation provides a simple way of opting out of direct marketing; and
- in each direct marketing communication, the organisation includes a prominent statement that the individual may make a request to opt out of direct marketing or otherwise draws the individual's attention to the fact that he or she may make such a request; and
- the individual has not already requested to opt out of direct marketing from the organisation (APP 7.3).
Exception for the use of sensitive information
In relation to sensitive information (such as information about a person's racial or ethnic origins, political or religious beliefs and health information), an organisation may only use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose (APP 7.4).
Exception for contracted service providers
The proposed APP 7 also contains an exception for organisations that conduct direct marketing as a contracted service provider under a Commonwealth contract (APP 7.5).
Providing the source of information
The proposed APP 7 also gives individuals greater power to opt out of direct marketing. Individuals will have the right to request to opt out of direct marketing and an organisation must give effect to the request within a reasonable period of time.
Individuals may also request an organisation to provide its source of their information. If such a request is made, the organisation must notify the individual of its source without any charge within a reasonable period of time, unless it is impracticable or unreasonable to do so (APP 7.6 and 7.7).
New penalties for breaches
Another key change contained in the Bill is the introduction of a civil penalties regime into the Privacy Act, with serious or repeated interferences with privacy potentially attracting fines of up to $220,000 for an individual and $1.1 million for a company. Businesses will need to increase compliance activities in the direct marketing area to avoid this new exposure.
While the proposed APP 7 offers greater protection for consumers, it brings additional complexities and hurdles for direct marketers.
Direct marketers have voiced significant concern about the changes, in particular over the proposed express "prohibition" on direct marketing, which businesses say is unnecessary and confusing, and over uncertainty about how the opt-out notice requirements will be met when direct marketing through new media technologies such as Facebook and Twitter.
While the laws are not expected to take effect immediately when passed by Parliament (expected later this year), there are no proposed transitional arrangements for these reforms. Businesses should therefore start reviewing their direct marketing practices now to ensure compliance with the new regime when it comes into effect.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.