Direct Marketing Laws 101 – Part 3 – Privacy Act 1988

This is the third in a series of 3 articles that summarise three of the key pieces of legislation that impact on your direct marketing activities.

Do you use direct marketing to advertise your business directly to customers? If yes, there are three key pieces of legislation that you need to comply with when you direct market:

• Spam Act 2003
• Do Not Call Register Act 2006
• Privacy Act 1988

This article covers the Privacy Act.  Click to see my other articles on the Spam Act and Do Not Call Register Act (a new window will open).

Here’s a quick guide to what you need to know about how the Privacy Act applies to direct marketing.

Privacy Act                   

The Privacy Act creates the Australian Privacy Principles, which are 13 setting out how certain Australian organisations need to handle personal information.

The Privacy Principles contain rules about how you can collect, use, store, disclose personal information, and the circumstances in which you are required to grant a person with access to that information.

“Personal information” is essentially any information or an opinion about a person that allows that person to be reasonably identified, including a name, home address, email address and telephone number.

Here is a summary of how the privacy principles affect direct marketing:

• Your Privacy Policy needs to clearly state that you are collecting your customers’ personal information for direct marketing purposes (remembering that there may be a number of purposes why you’re collecting personal information).
• Your Privacy Policy must also clearly set out the circumstances in which you will disclose your customers’ personal information with third parties for direct marketing purposes.
  • Always keep records of the personal information you share with third parties.
  • Always get a third party to give an undertaking that they will not share the personal information which you provide to any other parties, and that they will use that information in accordance with the privacy legislation.
  • Privacy Principle 7 specifically covers using personal information for direct marketing purposes.  It says you must not use personal information for direct marketing purposes, unless:
    • you collected the personal information from the customer (or someone else in certain circumstances); and
    • the customer would reasonably expect you to use his/her personal information for direct marketing; and
    • you provide a simple means for your customer to opt-out of receiving direct marketing from you, and that means is clearly communicated in each direct marketing communication; and
    • your customer hasn’t opted-out of direct marketing.
    • A customer can ask you not to share his/her personal information with another organisation for direct marketing purposes.
    • It is your responsibility to show that a customer has consented to you using or disclosing his/her personal information for direct marketing purposes.
    • Privacy Principle 7 doesn’t apply if the Do Not Call Register Act or Spam Act apply to a particular direct marketing activity.  It does apply to mail-out direct marketing communications, door-to-door marketing and to calls made to customers whose numbers are not listed on the Do Not Call Register.

Some of these provisions in the Privacy Act relating to direct marketing were only introduced in March 2014.  There haven’t been any examples to date of the Privacy Commissioner taking any action under Privacy Principle 7.

If you need help understanding your obligations under the Privacy Act or any other law that applies to your marketing activities, you can contact us by clicking here.