Direct marketing involves using or disclosing personal information to communicate with an individual for the purpose of promoting your goods or services. By way of example, some common direct marketing practices include:

  • Telemarketing (aka, cold calling);
  • Mail order catalogues;
  • Interactive marketing (for example, pay TV and radio); and
  • SMS marketing.

While direct marketing can be a useful tool to increase sales, businesses should have a clear understanding of their legal obligations. In this article, we explore the rules governing direct marketing and how to avoid breaching the Australian Privacy Principles (APP).

When Can I Engage in Direct Marketing?

APP 7 provides that unless an exception applies, a business must not use or disclose personal information for the purpose of engaging in direct marketing, subject to the following exceptions.

The First Exception

  • Your business has collected personal information (other than sensitive information) from an individual;
  • The individual would reasonably expect your business to use their personal information for direct marketing;
  • Your business provides a simple option for the individual to opt out if they no longer wish to receive communications through direct marketing; and
  • The individual has not made that request to your business.

The Second Exception

  • Your business has collected the personal information (other than sensitive information) from the individual or the third party;
  • The individual would not reasonably expect your business to use their personal information for direct marketing;
  • Your business provides a simple option for the individual to opt out if they no longer want you to communicate with them via direct marketing;
  • In your direct marketing, you include a prominent statement that the individual may request to opt-out or you draw the individual’s attention to this option.
  • The individual has not requested to opt out; and either
    • The individual has consented to the use of their personal information for the purpose of direct marketing; or
    • It is impracticable to gain consent.

The Third Exception

  • Your business is a contracted service provider under a Commonwealth contract;
  • Your business collected personal information (other than sensitive information) to meet its obligations under a Commonwealth contract (either directly or indirectly); and
  • It is necessary for you to use and disclose the information to meet your obligations under the Commonwealth contract.

How do I Provide a Simple Means to Opt Out?

As mentioned already, one of the requirements for direct marketing is that you provide an individual with an easy way to opt out of future communications. In your opt out option, it is best practice to ensure that you have:

  • Clear instructions written in plain English on how to opt out;
  • A process for opting out which requires minimal time and effort; and
  • A free opt out process.

Once an individual has successfully opted out, your business must not then disclose their personal information for the purpose of direct marketing.

How do I Provide a Prominent Statement for Opting Out?

When writing a statement for opting out, ensure you comply with best practice:

  • Write in plain English and avoid industry or legal jargon;
  • State your position clearly and use headings to draw attention to it; and
  • Publish your statement in a reasonable font and size, so it’s easy to read. It should not be smaller than the rest of your text.

Collection of Personal Information

A business that engages in direct marketing will likely collect and retain customer data. At the very minimum, they will keep customer names and contact details. The Privacy Act 1988 (Cth) (the Act) covers the rules surrounding the collection of personal information.

When you collect personal information that is used for marketing purposes or to share with third parties, you are required to have a privacy policy under Australian law. Always disclose to a consumer in your privacy policy the following:

  • You are keeping consumer data;
  • How you intend to use the data;
  • Customers can request access to their information and an amendment if there is an error; and
  • Consumers can opt out of having you store their data.

Ensure that you also impose obligations of third parties, for example, subcontractors who have access to personal information which you collect. Importantly, train your employees to understand the importance of privacy protection so as to promote this in your organisational culture.

Key Takeaways

Direct marketing is prohibited in Australia unless your business falls within one of the exceptions of APP 7. If you engage in direct marketing, you must provide the individual with an option to opt out and comply with that request within a reasonable period after the user has made the request. Failure to comply with the Act can result in substantial fines of up to $1.7 million for companies and $340,000 for other entities for serious and repeated privacy breaches.

If you have any questions about your legal obligations when direct marketing, get in touch with our specialist commercial lawyers on 1300 544 755.

Next Steps

If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.