Australian Privacy Principle 7 (APP 7) applies to organisations that use or disclose personal information for direct marketing. It does not apply to direct marketing communications that are covered by the Do Not Call Register Act 2006 (DNCR Act) or the Spam Act 2003 (Spam Act).
This resource provides general information about how the requirements in each of these laws apply when an organisation direct markets to an individual. It is not a substitute for legal advice.

What is direct marketing?

Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods or services. It can encompass any communication made by or on behalf of an organisation to an individual, including fundraising communications. The communication may occur through a variety of channels, including telephone, SMS, mail, email, social media, and online advertising. Examples of using or disclosing personal information to direct market to an individual include:
More examples of when an entity uses or discloses personal information for direct marketing are in the APP guidelines.

When is direct marketing allowed?

This depends on the type of direct marketing communication used, and the type of organisation involved. The flowchart below will help you determine which requirements apply to a direct marketing communication.
When does APP 7 apply?

APP 7 only applies to:
This means APP 7 generally will apply to:
APP 7 generally will not apply to:
Individuals who receive direct marketing communications may not be aware that different requirements apply to different direct marketing communications. You can meet customer expectations and demonstrate privacy best practice if you adopt the standards of APP 7 for all direct marketing communications.

How do you comply with APP 7?

When APP 7 applies, you can only use or disclose an individual’s personal information for direct marketing in certain circumstances. You can only use or disclose an individual’s ‘sensitive information’ (which includes personal information about their health, political opinions, their racial or ethnic origin or their sexual orientation) for direct marketing if the individual has given their consent. You can only use or disclose other types of personal information for direct marketing if:
More information about when an individual would ‘reasonably expect’ their personal information to be used or disclosed for direct marketing, what constitutes ‘consent’, and when it would be ‘impractical’ to get an individual’s consent can be found in the APP guidelines.
More information about these obligations, including providing a simple means for opting out, is contained in the APP guidelines.

What are the requirements when you facilitate direct marketing?

APP 7 also includes requirements for organisations that use or disclose individuals’ personal information to facilitate direct marketing by other organisations. An entity facilitates direct marketing where it collects personal information for the purpose of providing that personal information to other entities, so those entities can undertake direct marketing of their own products or services. One of the APP 7 requirements is that organisations must stop using or disclosing an individual’s personal information to facilitate direct marketing if requested by the individual. Examples of when an entity facilitates direct marketing, and more information about the obligations when doing so, are contained in the APP guidelines.

What are the requirements of the DNCR Act and the Spam Act?

Two key rules set out in the DNCR Act are:
The Telecommunications (Telemarketing and Research Calls) Industry Standard 2017 sets out rules that apply to any person or business intending to make telemarketing or research calls, regardless of whether they are exempt from the DNCR Act. These rules cover:
If you direct market using a commercial electronic message such as an email, instant message, SMS or MMS, it must comply with the Spam Act. This requires:
A partial exemption from these requirements applies with respect to certain messages (such as messages of a factual nature only, without a commercial element).

Can a business use customer information for marketing purposes?

Generally, organisations covered by the Australian Privacy Principles must not use the personal information they hold for the purpose of direct marketing. However, there are some exceptions. For example, a business may use the personal information it collects for marketing if it has collected the information directly from its customers, and the customers would reasonably expect the business to use it for marketing or if its customers have consented. It must also provide a way to easily opt out of receiving marketing messages, and must stop sending marketing offers if asked.

Can a business create personal profiles of business associates or clients to help build a relationship?

Yes, a business can do this, even if it is subject to the Australian Privacy Principles. But there are some restrictions:
If a business is collecting sensitive information (racial origin, political opinions, religion, philosophical beliefs, sexual preferences, criminal record, or health information) it will need the consent of the individual.

Can a business use public sources of personal information, like the internet or public registers, to approach potential customers?

Yes, the Australian Privacy Principles do not prevent a business from using publicly available personal information for marketing purposes. The business will still be required to comply with the APPs, in particular APP 7 which requires the business to have the individual’s consent (or it must be impracticable to obtain the individual’s consent) and it must provide a simple means by which the individual may easily request not to receive further direct marketing communications. It will also need to consider any obligations it may have under the DNCR Act and Spam Act. Some public registers have specific laws that limit the use of the information on the register. The business should check any restrictions with the relevant body, for example, the Australian Electoral Commission or the state land title office.

Can a business use random number dialling to market products?

The Australian Privacy Principles do not prevent a business from using random number dialling to market products. If a business is collecting personal information during the call it will need to comply with the Australian Privacy Principles, and consider any obligations it may have under the DNCR Act and Spam Act.

What requirements apply to direct marketing communications?