The Australian Privacy Principles (APPs) contained within the Privacy Act 1988 (Cth) (Privacy Act) sets out how businesses in Australia are to collect, use, disclose and store personal information, and under what circumstances it can be used for direct marketing.
Under the requirements of the APPs, if your business collects personal information from customers, you are required to tell your customers that you are collecting it and what you will be doing with it. You must only use personal information for the purpose for which it was obtained.
According to APP 7, businesses that collect personal information from individuals must not use or disclosure information for the purpose of direct marketing.
There are, however, several exceptions to this rule.
Your business is able to use and disclose personal information (other than information that is classified as sensitive information) for the purpose of direct marketing if:
- you collected the information directly from your customer;
- your customer would expect you to use or disclose the information for marketing purposes;
- you provide a means for your customer to request not to receive direct marketing from your business; and
- your customer has not made a request to not receive direct marketing from you.
Your business is also able to use and disclose personal information (other than information that is classified as sensitive information) for the purpose of direct marketing if:
- your business is a contracted service provider under a Commonwealth contract;
- your business collected personal information for the purpose of being able to meet (either directly or indirectly) an obligation under the Commonwealth contract; and
- the use or disclosure of the information is necessary to meet such an obligation.
Requests to not receive direct marketing
If you have used or disclosed the personal information of a customer for the purposes of direct marketing, and the customer returns with a request not to receive any further direct marketing communications from your business, you must give effect to the customer’s request within a reasonable period of time after the request is made.
It is important that you comply with the requirements of the Privacy Act. Failure to comply with the Privacy Act may result in a fine of up to $1.7 million for companies and $340,000 for entities that are not companies (including individuals) for any serious or repeated breaches of the Privacy Act.
If you are unsure whether your business is collecting, using, disclosing and/or storing personal information in a manner which is compliant with the APPs, contact one of our lawyers today.