Direct marketing in Australia offers immense potential but comes with a responsibility to adhere to the legal framework. By understanding and complying with the Privacy Act, particularly Australian Privacy Principle 7 (APP7), and other relevant legislation, organisations can conduct their marketing activities ethically and effectively, building trust with their customers and clients, and avoiding legal pitfalls.
APP7: The Cornerstones of Direct Marketing Compliance
Under APP7 an organisation must not use or disclose the personal information it holds about an individual for the purposes of direct marketing unless:
1. The organisation has collected the personal information from the individual; and
2. The individual would reasonably expect the organisation to use or disclose the information for that purpose (noting the onus of proof is on the organisation); and
3. The organisation provides a simple means in the direct marketing communication for the individual to opt out from receiving further marketing communications (and this must be made in each communication); and
4. The individual has not previously made a request to not receive marketing communications.
All the above criteria must be satisfied if an organisation wishes to use or disclose personal information in its possession for direct marketing purposes (for example, sending a marketing flyer in the post to customers who have not directly signed up to receive postal offers).
If an organisation wants to send direct marketing communications to:
an individual who would not reasonably expect the organisation to use or disclose their personal information for direct marketing purposes; or
an individual whose personal information the organisation has collected from a third party (such as by purchasing a marketing list)
then the organisation must obtain consent[1] from the individual to use or disclose their personal information for direct marketing purposes unless obtaining consent is impracticable (noting the onus of proof is on the organisation). In these circumstances the organisation must also ensure that the direct marketing communications meet the criteria of points 3 and 4 above.
Sensitive Information
It is important to note that an organisation MUST obtain consent from an individual if it wishes to use or disclose the individual’s sensitive information for direct marketing purposes. For example, a medical clinic cannot share the personal information of its patients with a third party who wishes to market medical devices, even if the clinic thinks the devices would benefit its patients, unless it has the consent of its patients to do so. In these circumstances the organisation must also ensure that the direct marketing communications meet the criteria of points 3 and 4 above.
Contracted Service Providers
If an organisation is a contracted service provider for a Commonwealth contract[2], the organisation may use or disclose personal information for direct marketing purposes if:
the organisation has collected the personal information for the purposes of directly or indirectly meeting an obligation under the Commonwealth contract; and
the use or disclosure for direct marketing purposes is necessary to meet such an obligation directly or indirectly.
In these circumstances the organisation must ensure that the direct marketing communications meet the criteria of points 3 and 4 above.
Facilitating Direct Marketing for Other Organisations
If an organisation uses or discloses personal information for the purposes of facilitating direct marketing by other organisations, then it must honour any request by the individual to:
not use or disclose the individual’s personal information for the purposes of facilitating direct marketing by other organisations; and/or
provide details about where it sourced the individual’s personal information.
Similarly, if an organisation obtained personal information from a third party for the purposes of direct marketing (such as buying a contact list), then any individual to whom the personal information relates can request that they not receive any marketing communications AND has the right to request where the organisation sourced their personal information.
Points 3 and 4 above will still apply to the direct marketing communications in these circumstances.
If an individual makes a request under these circumstances then the organisation must:
not charge the individual for actioning the request; and
action the request within a reasonable time (usually 30 days).
An organisation may deny a request to notify an individual of where it got the individual’s personal information if it is impracticable or unreasonable to do so (noting the onus of proving this is on the organisation).
Other Direct Marketing Laws
It is important to note that APP7 will not apply to an organisation to the extent that the following laws apply:
Spam Act 2003 (this Act regulates commercial electronic communications, including emails and SMS. It requires organisations to have consent (either express or inferred), appropriately identify themselves in messages, provide a functional unsubscribe option and ensure recipients are opted out within 5 working days upon request).
Do Not Call Register Act 2006 (this Act governs telemarketing calls and prohibits organisations from making unsolicited calls to numbers listed on the Do Not Call Register. Compliance is essential to avoid hefty penalties).
Interactive Gambling Act 2001 (applies to organisations involved in gambling services. This Act restricts the advertising of such services, necessitating careful compliance in marketing strategies).
This means that APP7 will regulate the direct print marketing practices of most organisations. It will only regulate electronic marketing and telemarketing practices of organisations that are exempt under the above legislation or where it does not apply (for example, where an individual’s number is not registered on the Do Not Call Register).
There may also be other laws and standards that apply to an organisation’s marketing practices, in addition to APP7.
Ways to Improve Direct Marketing Practices
To stay on the right side of the law, organisations should consider:
trying to always obtain consent from individuals (where possible) to receive marketing communications and keeping a record of consent.
ensuring marketing communications contain unsubscribe or opt-out requests (and honouring those requests).
having a dedicated person within the organisation to manage and respond to privacy concerns.
ensuring marketing teams are well-versed in the legal requirements of direct marketing.
undertaking regular internal audits of the organisation’s marketing strategies and activities.
seeking further legal advice.
Non-compliance with any direct marketing laws may lead to significant penalties, legal challenges, and damage to an organisation’s reputation.
This help article does not purport to be legal advice and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the various direct marketing laws.
[1] Consent can be express (such as written consent) or implied (meaning it is implied by action or relationship). It is always best to obtain express consent where possible.
[2] Commonwealth contract means a contract, to which the Commonwealth of Australia or an agency of the Commonwealth is or was a party, under which services are provided to an agency.