Chapter 10

Australian Privacy Principle 7–direct marketing

Introduction

10.1      Australian Privacy Principle (APP) 7 addresses significant community concern about the use and disclosure of personal information for direct marketing. It provides limitations on organisations which use or disclose personal information for such purposes.[1]

10.2      The Companion Guide noted that the language in the draft principle differs to the approach outlined in the Government's first stage response to the Australian Law Reform Commission (ALRC) report. Where the Government response referred to 'existing customers' and 'non-existing customers', the exposure draft refers to individuals who have directly provided information to the entity undertaking direct marketing and individuals who have not directly provided their personal information to the entity. The Companion Guide explains that while the language differs, the same policy is achieved.[2]

Background

What is direct marketing?

10.3      Direct marketing is not currently defined under the Privacy Act 1988 (Privacy Act). Differing descriptions have been provided by the Office of the Privacy Commissioner (OPC) and the Australian Direct Marketing Association (ADMA). The ALRC described direct marketing as follows:

'Direct marketing' involves the promotion and sale of goods and services directly to consumers. Direct marketing can include both unsolicited direct marketing and direct marketing to existing customers. For unsolicited direct marketing, direct marketers usually compile lists of individuals’ names and contact details from many sources, including publicly available sources. An individual may not always know that his or her personal information has been collected for the primary purpose of direct marketing. Direct marketing to existing customers may involve communications designed to let customers know about new products or services.[3]

10.4      This appears to be the same basic meaning adopted in the Companion Guide, which describes the practice as the promotion or sale of goods or services directly to individuals.[4]

10.5      The ALRC noted that while some stakeholders had called for a definition of direct marketing to be provided in the Privacy Act, the term seems to be generally understood, and 'there is no consensus about how the term should be defined'. The ALRC formed the view that the term should not be defined for the purposes of the Privacy Act, as providing a definition of direct marketing may limit the application of the principle:

For example, if direct marketing is defined by reference to current practice, but practice later evolves, new methods of direct marketing may not be caught by the definition and so would not be subject to the 'Direct Marketing' principle.[5]

Current provisions regarding direct marketing

10.6      While there is no explicit provision relating to direct marketing by agencies under the Information Privacy Principles (IPPs), National Privacy Principle (NPP) 2.1(c) allows the use of personal information by organisations for the secondary purpose of direct marketing, subject to a list of conditions.[6]

10.7      Further, in its report, the ALRC noted that there are other exceptions under the NPPs which permit the use or disclosure of information for direct marketing, for example if the individual has consented to the use or disclosure, or if the information was collected for the primary purpose of direct marketing, etc. If use or disclosure of personal information is permitted under an exception due to collection of information for the primary purpose of direct marketing, that use or disclosure is not subject to the list of conditions under NPP 2.1(c).[7]

Reviews of direct marketing provisions

10.8      The practice of direct marketing, unsolicited direct marketing communications in particular, is the subject of considerable community concern. A series of issues have been identified regarding the operation and application of the principles regarding direct marketing. Some of these issues were considered in the Office of the Privacy Commissioner's (OPC) report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (OPC review).[8] Concerns regarding the direct marketing provisions were also examined as part of the 2005 Senate Legal and Constitutional Affairs References Committee inquiry into the Privacy Act 1988.[9]

10.9      The ALRC review considered the following matters:

Direct marketing as a primary or secondary purpose, and a discrete principle

10.10         A chief concern appears to be the different requirements for the use or disclosure of information for the purposes of direct marketing depending on whether the direct marketing is the primary purpose of collection, or a secondary purpose. The ALRC explained that 'there is currently considerable ambiguity about whether organisations have collected personal information for the primary or secondary purpose of direct marketing'.[11]

10.11         The OPC review noted this is of particular concern, because an individual is unlikely to comprehend the implications of the differences between collection for a primary purpose and a secondary purpose. This is aptly illustrated by the following example:

...an organisation may run a competition for the primary purpose of collecting information; awarding prizes to successful entrants being a secondary purpose. The individual, on the other hand, may assume that the purpose of the competition is to provide an opportunity to consumers to win prizes. Even if he or she reads the fine print, an individual is unlikely to draw a distinction between a primary and a secondary purpose and to understand the consequences of the distinction.[12]

10.12         The ALRC noted that while some forms of direct marketing can be harmful to the privacy of individuals, if conducted appropriately, direct marketing can also offer benefits. After considering the concerns addressed in previous reviews, and those raised by stakeholders, the ALRC recommended that regulation of direct marketing should be provided for through a single discrete privacy principle. Importantly, the principle 'should apply regardless of whether the organisation has collected the individual’s personal information for the primary purpose or a secondary purpose of direct marketing' and 'should distinguish between direct marketing to individuals who are existing customers and direct marketing to individuals who are not existing customers'.[13]

Application to agencies

10.13         Agencies are currently not subject to express regulation of direct marketing under the IPPs. In considering whether the direct marketing principle should apply to agencies, the ALRC looked at what is encompassed by the term 'agency' in some detail, and came to the understanding 'that "agency" will not generally include Commonwealth, state or territory commercial enterprises which are in competition with private sector organisations'.[14] The ALRC further noted that while agencies are generally exempt from direct marketing requirements under the Privacy Act, according to the policy position expressed by the Government:

...even if legislation technically does not apply to government bodies who are in competition with the private sector, it will be best practice for such government bodies to meet legislative requirements in relation to those commercial activities.[15]

10.14         The ALRC formed the view that the direct marketing principle should not apply to agencies as it may impact on the ability of agencies to communicate legitimate and important information to individuals. However, the ALRC supported Government policy in relation to government bodies engaged in commercial activities.[16]

Interaction with other legislation

10.15         The ALRC noted the existence of sectoral legislation which relates to specific types or aspects of direct marketing, such as the Do Not Call Register Act 2006 (DNCR Act) which regulates some aspects of telemarketing and the Spam Act 2003 (Spam Act) which regulates some aspects of email marketing. The ALRC noted that:

...there is a strong community view that some forms of direct marketing are, or have the capacity to be, more intrusive than others. Clearly, those forms of direct marketing should be subject to regulation that differs from the rules applicable to less intrusive forms of direct marketing.[17]

10.16         In light of this, the ALRC formed the view that the privacy principles should provide for 'the generally applicable requirements for organisations engaged in the practice of direct marketing.' However, the requirements under the direct marketing privacy principle 'should be able to be displaced by more specific legislation that deals with a particular type of direct marketing, or direct marketing by a particular technology'.[18]

Existing and non-existing customers concept

10.17         The ALRC recommended that the direct marketing principle should distinguish between direct marketing to individuals who are existing customers and those who are non-existing customers. This reflects the concept of existing relationships which is used to define consent in the Spam and DNCR Acts. It also addresses stakeholder comments that 'direct marketing to existing customers is a legitimate business activity and is acceptable where it is within the reasonable expectations of such customers'.[19]

10.18         However, the ALRC specified that the use or disclosure of personal information for the purposes of direct marketing to existing customers should only take place where the customer would reasonably expect the use or disclosure of their information for that purpose. This concept of reasonable expectation already exists under the current Privacy Act.[20]

10.19         The ALRC considered that the requirements applying to the use or disclosure of personal information for direct marketing to non-existing customers should be more onerous than those applying to the use or disclosure of personal information for direct marketing to existing customers. The ALRC suggested that personal information of non-existing customers should only be used or disclosed for the purposes of direct marketing if 'the individual has consented; or the information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure'.[21]

10.20         The ALRC considered that guidance on the following matters would be required from the OPC:

Opt-in requirement vs opt-out requirement

10.21         The Senate Legal and Constitutional Affairs References Committee inquiry into the Privacy Act 1988 recommended the consideration of providing an 'opt-in' requirement for direct marketing, in line with the Spam Act. The OPC review took a different approach, recommending that consideration be given to amending the Privacy Act to grant consumers the option to 'opt-out' of direct marketing at any time, and that organisations should be required to comply with such a request within a particular timeframe.[23]

10.22         The ALRC noted that the majority of stakeholders supported the adoption of an 'opt-out' regime in relation to direct marketing; however, it recommended that a distinction be drawn between direct marketing to non-existing customers and direct marketing to existing customers. Non-existing customers should be provided with an opportunity to opt out of direct marketing in every direct marketing communication. In relation to existing customers, however, the ALRC considered it sufficient to make the customer aware, through the organisation's privacy policy, that they are able to opt out of direct marketing at any time.[24]

Direct marketing to minors

10.23         The ALRC considered it appropriate that parental consent should be required before the use or disclosure of the personal information of a child or young person under the age of 15 for the purposes of direct marketing is permitted. Further, the ALRC considered that a child or young person under the age of 15 should always be treated as a non-existing customer, ensuring that stricter obligations relating to the use or disclosure of their personal information for the purposes of direct marketing apply. The ALRC suggested that:

...direct marketing to individuals under the age of 15 years can only occur where either: the individual has consented; or the information is not sensitive information, and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure.[25]

Providing the source of information

10.24         The OPC review recommended that the Privacy Act be amended to 'require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual’s personal information.'[26] This recommendation was supported by the Senate Legal and Constitutional Affairs References Committee.[27]

10.25         The ALRC noted support from stakeholders for such a requirement as this would enable individuals to assert their privacy rights regarding direct marketing. However, the ALRC was conscious that this requirement might increase the compliance burden on organisations, and suggested the requirement be limited to individuals who are non-existing customers, and that a 'reasonable and practicable' test be introduced, to ensure that the requirement would not be overly onerous for organisations to comply with. It was suggested that the OPC could provide guidance on the factors to be considered in determining whether it is 'reasonable or practicable' to advise an individual of the source of information. The ALRC also considered that the 'source' in this requirement should refer to 'the direct source from which the organisation acquired the information' as opposed to the original source of information. The ALRC stated that:

It would be unduly onerous to require organisations to track personal information back to the original source. In some cases, organisation C may not be aware that organisation B obtained the personal information from some other source.[28]

Government response

10.26         The Government agreed that provisions regulating the use and disclosure of personal information for the purposes of direct marketing should form a separate and discrete principle. The Government further agreed that different standards should be applied to those who have an existing relationship with an organisation and those who do not. However, the appropriateness of the term 'customer' was questioned, and the Government stated it would seek advice from the OPC to ensure that the draft legislation reflects the correct intent.[29]

10.27         In relation to extending the application of the principle to agencies, the Government stated that this 'would generally not be appropriate' and noted that section 7A of the existing Privacy Act provides for the treatment of acts of certain agencies as acts of organisations. A note should be added to the principle to draw attention to section 7A.[30]

10.28         The Government agreed that specific sectoral legislation such as the Spam and DNCR Acts should displace the more general requirements under the direct marketing principle.[31]

10.29         In relation to sensitive information, the Government took a different position to the ALRC and stated that an individual's consent should always be sought for the use and disclosure of sensitive information for the purposes of direct marketing, regardless of whether the individual is an existing or non-existing customer.[32]

10.30         The response noted the Government's agreement with the recommendation that personal information of existing customers should only be used or disclosed for the purpose of direct marketing if the individual would reasonably expect the organisation to use or disclose their information for that purpose, and if the organisation provides the individual with a simple and functional way of opting-out of direct marketing communications. The Government also concurred with the ALRC's suggestion that in every direct marketing communication, non-existing customers should be informed of their ability to opt-out of direct marketing communications, and that a simple and functional means of opting-out should be offered.[33]

10.31         The Government also recognised concerns regarding the potential effect of direct marketing on children, in particular direct marketing via email and SMS which are regulated under the Spam Act. It was noted that, in effect, the provisions under the Privacy Act principally relate to postal direct marketing and there is 'insufficient evidence that postal direct marketing to young people has resulted in substantial adverse consequences'. Given this, and given that determining the age of an individual is likely to result in organisations collecting more information about individuals than would otherwise be necessary, the Government did not agree that different standards for the use and disclosure of personal information for the purpose of direct marketing should be applied on the basis of an individual's age. In the Government's view this would only 'impose an unnecessary regulatory burden and added complexity, without substantial benefit'.[34]

10.32         Finally, the Government agreed that, where practicable, an organisation should be obliged to advise an individual of the source from which they obtained the individual's information, if this information is requested by the individual.[35]

Issues

10.33         The committee received many comments in relation to structure and terminology used and submitters commented that APP 7 is a particularly difficult and complex principle. Submitters also noted that the requirements under APP 7 would be administratively burdensome and costly to comply with, particularly as it will require investment in IT infrastructure and other systems.[36]

Structure and terminology

10.34         A number of submissions raised concerns about the complexity and structure of APP 7. While the National Australia Bank (NAB) and the Australian Bankers' Association (ABA) supported a separate principle for direct marketing, a larger number of submitters did not. They suggested that APP 7 be incorporated into APP 6 to ensure clarity and avoid confusion.[37] Privacy NSW further suggested that if this was to occur, APP 7(1)-(6) should be contained in Australian Privacy Rules.[38]

10.35         Another view was put by Dr Colin Bennett who commented that direct marketing is a practice, rather than a principle and 'to elevate the practice (and industry) to the status of a principle is really inconsistent with other "principle" based laws and regimes and will be viewed as such by overseas privacy regulators and experts'.[39]

10.36         Submitters also commented about the complexity of the principle and called for guidance and clarity around the operation or meaning of certain parts of the provision.[40] The OPC commented that 'if direct marketing is to be addressed in a separate principle, it is important that the principle be clearly drafted, easily understood, and proportionate with community expectations'.[41]

10.37         Privacy Law Consulting Australia also noted that complexity of structure is a particular concern, as the principle is difficult to understand and apply. Consequently, organisations will experience difficulty in developing compliance programs and systems which meet the legislative requirements. Privacy Law Consulting Australia stated:

This could result in, for example, organisations simply adopting "the lowest common denominator" (e.g. providing opt‐out facilities and/or obtaining consent) in relation to all direct marketing activities, which may be unintended consequences of the principle.[42]

10.38         The Department of the Prime Minister and Cabinet (the department) commented on the matters raised by Privacy Law Consulting Australia and stated that the requirements in APP 7 are intended to allow organisations to undertake legitimate direct marketing activities subject to strict rules aimed at protecting individuals from having their personal information used and disclosed inappropriately. Organisations will be required to consider their existing procedures to ensure that they comply with the new regime.[43]

10.39         The department also commented that the Government had agreed to a separate principle for direct marketing to provide 'greater clarity' and went on to note the ALRC's comments that 'stakeholder concerns regarding the direct marketing activities of some organisations were unlikely to be addressed adequately if the relevant privacy principle only covered secondary purpose direct marketing (as existing NPP 2.1 does)'.[44]

10.40         Submitters commented on the drafting of this principle, noting the inconsistent use of terminology and the mixture of positively and negatively expressed requirements. Submitters also noted that the headings in APP 7(2) and APP 7(3) do not adequately reflect the intent and content of the provisions, and should be redrafted.[45] The Australian Institute of Credit Management suggested that APP 7(2)(d) is not clear and could be redrafted to set out a 'logical process of receipt and opting-out'.[46]

10.41         Professor Greenleaf and Mr Waters commented on the 'poor' drafting in that it does not use the same distinctions as are explained in the Companion Guide.[47] These issues combined with the use of cross-referencing have made the relationship between provisions very unclear. They commented, for example, that APP 7(1)(b) is expressed as an exemption to APP 7(1), is subject to two pre-conditions, and requires readers to refer to other provisions before understanding where it applies. Further, APP 7(2) and (3) are in fact exceptions to APP 7(1), however, this is not clear from the structure or the drafting of the principle, and consequently 'APP 7 fails the fundamental test that legal obligations should be at least reasonably comprehensible'. It was submitted that the principle would be better constructed as a set of 'conditions' on direct marketing activity and could be modelled on UPP 6.[48]

10.42         The OPC concluded:

The principle's structure could be simplified and reorganised to reflect the general rules that regulate how information can be used or disclosed for direct marketing, followed by exceptions (such as for contracted service providers) and any additional requirements.[49]

Conclusion

10.43         In relation to the comments that direct marketing should not be a separate privacy principle, the committee notes the comments of the ALRC which reported that stakeholders had submitted both in favour of, and against the creation of a discrete principle on direct marketing. The ALRC report provided the following rationale for its recommendation for a separate principle, and this was supported by the Government response:

Making clear that the 'Direct Marketing' principle in the Privacy Act sets out the general requirements in this area, and that these may be displaced by other requirements in certain contexts, where Parliament deems it appropriate, allows for a regime that is more responsive to the specific needs of consumers and business.[50]

10.44         However, as the ALRC concluded that any provisions relating to use or disclosure of information for direct marketing should apply regardless of whether the information was collected for the primary or secondary purpose of direct marketing, it should be constituted as a separate principle to the general 'use and disclosure' principle. In its response to the ALRC report, the Government supported the creation of a discrete principle regulating the use and disclosure of personal information for the purposes of direct marketing.[51] The committee also notes the department's comments regarding a separate principle and supports this approach.

10.45         The committee considers that, as currently drafted, APP 7 is particularly difficult and complex. The committee has concerns that this will adversely affect the implementation of this principle and for this reason believes that further consideration should be given to the structure and language used in the principle.

Recommendation 10

10.46         The committee recommends that the drafting of APP 7 be reconsidered with the aim of improving structure and clarity to ensure that the intent of the principle is not undermined.

Defining 'direct marketing'

10.47         Some submitters noted that a definition of 'direct marketing' has not been provided in the exposure draft.[52] The ABA noted that, due to the reference in APP 7(6) to the Spam and DNCR Acts, the absence of a specific definition allows the interpretation that direct marketing as used in the principle, 'is confined to direct marketing by means other than the means covered under those Acts'.[53]

10.48         Privacy Law Consulting Australia noted that as two differing definitions of the term 'direct marketing' are provided in the Australian Direct Marketing Association's Direct Marketing Code of Practice (2001) and the OPC's Draft NPP Guidelines (7 May 2001), it would be useful to have the term defined in the new Privacy Act, particularly as the definition of this term will determine the activities to which APP 7 applies.[54]

10.49         The ALRC report noted calls from stakeholders for a definition of direct marketing to be provided in the Privacy Act, however, the submissions received did not provide consensus on how the term should be defined. Further, the ALRC expressed concern that providing a definition of direct marketing 'may unnecessarily confine the application of the 'Direct Marketing' principle'. Therefore the ALRC considered that direct marketing should not be defined in the Privacy Act.[55]

10.50         The committee notes the department's response that there is no intention to include a definition of 'direct marketing' in the Act and that the current Act does not define direct marketing. Further, the Government accepted the ALRC's view as outlined above.

Application to agencies

10.51         APP 7 applies to organisations and those agencies which engage in commercial activities, as provided by existing section 7A of the Privacy Act. This was supported by some submitters, including Privacy Victoria.[56] However, other submitters argued that, as a number of agencies, both at the Commonwealth and State and Territory level, engage in direct marketing, APP 7 should apply to all entities.[57] Professor Graham Greenleaf and Mr Nigel Waters stated:

We believe the principle should apply to both agencies and organisations on the grounds that the boundaries between private and public sectors are increasingly blurred, and government agencies are now commonly undertaking direct marketing activities.[58]

10.52         Professor Greenleaf and Mr Waters noted that while under section 7A of the current Privacy Act, APP 7 would apply to the commercial activities of some prescribed agencies, this is not sufficient, particularly as the exemption for the majority of agencies has been extended under APP 7(1)(c).[59]

10.53         In addition, concern was expressed by the ADMA that as currently drafted, APP 7 may have the effect of requiring agencies to discontinue their direct marketing activities, or be forced to justify their direct marketing activities under APP 6, which does not afford the same level of privacy protection regarding direct marketing as APP 7.[60]

10.54         In light of these issues, some submitters recommended that references to 'organisation' in APP 7 should be changed to 'entity'. Professor Greenleaf and Mr Waters submitted that if this change were made, an additional provision providing an exception regarding information for the purpose of direct marketing communications which are required or authorised by law would need to be inserted.[61]

10.55         The OPC commented that it is not clear whether the note to APP 7(1) is intended to give force to the position in the Government's response, which suggested that agencies which engage in commercial activities should be 'required to comply' with the APPs. It was noted that this position differed from the ALRC recommendation, which suggested that the direct marketing principle should only apply to organisations, and agencies should comply with the direct marketing principle as a matter of 'best practice'.[62]

10.56         The ALRC provided commentary on the basis of its recommendation concerning direct marketing in relation to agencies. Mr Bruce Alston, Senior Legal Officer at the ALRC, stated that:

When looking at whether it should include agencies—that is, Commonwealth government agencies—we obviously rejected that idea and instead went for organisations with an extension to contracted service providers, in the same way a lot of other Commonwealth laws reach out and cover people providing services to the Commonwealth as well as to agencies.[63]

10.57         Professor Rosalind Croucher, President of the ALRC further elucidated:

There is a distinction made between organisations and entities but I think the overall approach is that similar principles should apply. There is a distinction between public and private sector. It necessarily is that way, and that is partly because of the constitutional backdrop. The idea is that there should be similar obligations with respect to all.[64]

Conclusion

10.58         The committee notes that the ALRC considered arguments for the extension of the application of direct marketing requirements to agencies. However, the ALRC formed the view that if direct marketing requirements were extended to apply to agencies, the way that government agencies communicate with individuals would be significantly affected. The Government agreed that the application of direct marketing requirements to agencies would not be appropriate.[65] Further, in its submission to the ALRC review, and in its submission to this inquiry, the OPC noted that the use and disclosure of personal information by agencies would still be regulated, as agencies will be required to abide by the use and disclosure principle in their management of personal information.[66]

10.59         The committee concurs with the Government's view that the direct marketing principle should only apply to agencies in specific circumstances. However, mindful of the OPC's comments, the committee considers that the draft note to APP 7(1) should be redrafted to better reflect the Government's position.

Recommendation 11

10.60         The committee recommends that the note to APP 7(1) be redrafted to better reflect the position outlined in the Government response.

Direct marketing to minors

10.61         Some submitters expressed concern that the exposure draft does not expressly prohibit direct marketing to minors. The Public Interest Advocacy Centre (PIAC) noted that where UPP 6 contained a reference to children under the age of 15 years, APP 7 makes no mention of minors. PIAC argued that direct marketing to children under 15 years of age should be prohibited, with the possible exception of existing customers and targeted public health and safety campaigns. Although PIAC acknowledged that ascertaining the age of an individual can be difficult, it noted that if an organisation has sufficient personal information to undertake direct marketing, it should be able to ascertain the individual's age, and obtain their consent before undertaking direct marketing.[67]

10.62         The Obesity Policy Coalition expressed similar concerns, and recommended that APP 7 be amended to prevent an organisation from using or disclosing personal information of an individual who is known to be, or is reasonably likely to be, younger than 15 years old, for the purposes of direct marketing, unless express and verifiable consent has been provided by a parent, or the organisation can confirm that the individual is older than 15 years of age. The Obesity Policy Coalition suggested this is particularly important as most young children under 15 years of age do not have the capacity to make informed decisions about the use of their personal information, and are more susceptible to commercial influence.[68]

10.63         The Government response acknowledged concerns raised in the ALRC's review about the potential impact of direct marketing on individuals under 15 years of age, in particular direct marketing via email and SMS. However, the Government was 'not convinced that there is sufficient justification for distinguishing direct marketing obligations on the basis of an individual’s age'. The Government formed this view on the basis that:

10.64         Consequently, the Government concluded that applying different standards for the use and disclosure of personal information for the purpose of direct marketing on the basis of an individual's age would only increase the burden on organisations, and the complexity of the principles, without providing commensurate benefit. However, the Government did encourage the OPC to issue guidance on the obligations of organisations regarding direct marketing to vulnerable people, should the Privacy Commissioner decide it is appropriate to do so.[70]

Conclusion

10.65         While acknowledging the concerns of commentators about the impact of direct marketing to minors, the committee is mindful that the Privacy Act will primarily regulate direct marketing via post and that there is insufficient evidence that postal direct marketing to young people has resulted in substantial adverse consequences. Therefore, the committee does not consider that a specific prohibition of direct marketing to minors is required in the Privacy Act, but is of the view that guidance from the Australian Information Commissioner on direct marketing to vulnerable people, as suggested by the Government, would be beneficial.

Recommendation 12

10.66         The committee recommends that the Australian Information Commissioner develop guidance in relation to direct marketing to vulnerable people.

'Existing' and 'non-existing' customers concept

10.67         The Companion Guide explains that the terminology used in APP 7 is different to that in the Government response: rather than 'existing' and 'non-existing' customers, APP 7 focuses on individuals who have provided personal information to the entity which is undertaking the direct marketing (APP 7(2)) and people who have not provided information (APP 7(3)).[71] The Companion Guide states that the same policy is achieved and that the policy intent is to apply more stringent obligations when using personal information of non-existing customers, as such individuals are less likely to expect use or disclosure for direct marketing purposes.

10.68         The department noted that:

In the case of personal information that is not sensitive information the requirements that are stated in the Government response to apply to 'existing customers' will apply where the information was collected from the individual. Further, they apply where the individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing.

The requirements that apply to 'non-existing customers' in the Government response will apply where the information was not collected from the individual (or, for logical consistency, where the 'existing customer' would not have reasonably expected that the organisation would use or disclose the information for the purpose of direct marketing).[72]

10.69         Submitters raised a range of concerns, including the difficulties of implementing the principle. ADMA, for example, submitted that this approach is 'unworkable' as industry processes cannot be neatly divided into two streams on the basis of whether the information was obtained from the individual or not. Further, ADMA argued that it would be very difficult, even for external agencies such as regulators, to independently assess whether APP 7(2) or APP 7(3) applies in any given situation. ADMA stated that it rejected the approach taken by the Government and submitted that the principles should revert to the structure recommended by the ALRC.[73] ADMA also argued that there would be significant additional complexity for organisations, as they would be required to examine on a case-by-case basis each campaign, and potentially each individual record, to determine whether any elements of the information being used or disclosed were not obtained from the individual.[74]

10.70         ADMA concluded:

The move to information source represents a significant departure both from the stated policy that different regimes would apply depending on whether an organisation has an existing relationship with the individual, but more importantly does not satisfactorily meet the criteria set by the Government of introducing a simpler regime.[75]

10.71         The OPC noted that APP 7 appears to be more complex than outlined in the Companion Guide as there are exceptions which depend on individuals' reasonable expectations for use and disclosure. The OPC suggested that 'the language in the principle could more clearly distinguish between individuals who have an established relationship with an organisation and those who do not'.[76]

10.72         The OPC commented further that the Spam Act, the DNCR Act and the ADMA Direct Marketing Code of Practice use the concept of 'on-going' or 'pre-existing' relationships for direct marketing. The OPC suggested that there would be advantage in adopting terms from those Acts or codes as this would ensure that:

10.73         ADMA and The Communications Council also supported the alignment of the Privacy Act with the Spam and DNCR Acts.[77] ADMA noted that 'existing relationship' is widely understood by industry and that it would provide a consistent approach with other privacy related laws.[78]

10.74         The Communications Council was concerned that the provisions of APP 7(3) may apply where an entity uses information gained from existing customers to make inferences about customer interest in purchasing products or services. This would result in more 'onerous requirements to provide opt-out facilities and opt-out statements'. Further, 'this would have an adverse effect on direct marketing and jeopardises marketing agencies' existing relationships with individuals'.[79]

10.75         The ABA noted that the 'existing' and 'non-existing' distinction is helpful for compliance. However, the ABA argued that the provisions of APP 7(3) meant that this distinction between customers is lost:

The distinction between existing and non-existing customers becomes confused by the provisions of APP 7 (3)(a)(i) that suggest that the personal information, although collected from an existing customer by the organisation, must be handled differently because that individual would not reasonably expect the information to be used by the organisation for direct marketing. The advantage of the distinction between existing and non-existing customers is therefore significantly lost.[80]

10.76         The OPC also suggested that the Government's concerns about the use of the term 'customer' could be overcome by the inclusion of a definition or by the concept of ongoing or existing relationships.[81]

10.77         The department provided the committee with comments on the issues raised in submissions and stated that:

The drafting approach taken does not divert from the Government's response. The focus in APP 7 is on the key elements of an existing customer relationship, and this is different to the more ambiguous and potentially broader 'existing relationship' concept in the Spam Act 2003 and the Do Not Call Register Act 2006. The approach of distinguishing a customer from a non-existing customer by whether information is provided is the best drafting approach to defining an 'existing customer'. The consequence may be that the requirements in the Privacy Act may differ from sectoral specific legislation but that is necessary to ensure that concepts in the Privacy Act (particularly relating to consent) are consistent and unambiguous.[82]

10.78         The department went on to state that the 'existing relationship' concept in the Spam Act and the Do Not Call Register Act is appropriate for the sectoral specific direct marketing practices relating to electronic messages and phone calls. That concept is included within a broader notion of 'inferred consent', which is based on consent that 'can be reasonably inferred from the conduct, and the business and other relationships, of the individual or organisation concerned'.[83]

Conclusion

10.79         The committee notes that many submitters raised significant concerns with the concepts in APP 7. However, the Companion Guide and the department's answer make clear that the policy outlined in the Government response is achieved. Further, the 'existing relationship' concept in the Spam Act and the Do Not Call Register Act is more ambiguous and potentially broader. The committee therefore does not consider that any amendment to this concept is required.

10.80         In relation to the simplification of the principle, the committee considers that further consideration should be given to the inclusion in APP 7(3) of the provision relating to the use and disclosure of information collected from an individual where the individual would not have reasonably expected the information to be used or disclosed for that purpose (APP 7(3)(a)(i)). This provision adds to the difficulties of interpreting the principle.

Recommendation 13

10.81         The committee recommends that the structure of APP 7(2) and APP 7(3) in relation to APP 7(3)(a)(i) be reconsidered.

Personal information collected from the individual–APP 7(2)

10.82         APP 7(2) provides that information collected from the individual can be used or disclosed for direct marketing purposes if the individual would 'reasonably expect' the organisation to undertake that activity, the organisation provides a simple means for the individual to request not to receive direct marketing communications, and the individual has not made such a request.

10.83         Issues raised in relation to this provision included the need for clarification of terms and guidance.

10.84         The ABA commented on the wording of APP 7(2)(a) in relation to aggregation products, noting that these products typically involve an agreement with the customer to source and aggregate financial information about the customer from the customer's other financial institutions using the customer's credentials. Information acquired this way is compiled into financial statements and can be made available to the customer in a useful format in secure internet banking sessions. Informed consent for the collection underpins the arrangement. As part of the terms of these products the bank may use this information for marketing purposes. The ABA commented that the wording of APP 7(2) would require excessive disclosure of the customer's right to opt out in these circumstances.[84]

10.85         Submitters requested guidance as to what would constitute a 'simple means' for an individual to request not to receive direct marketing information. Epworth HealthCare suggested that it may be useful if examples are provided.[85] The Law Institute of Victoria (LIV) also identified this issue, and suggested that an amendment be made to indicate that, in relation to electronic communications, 'simple means' is subject to additional obligations under the Spam Act.[86] Submitters also suggested that guidance would be useful as to the types of direct marketing communications for which an individual might 'reasonably expect' an organisation to use or disclose their personal information, and the circumstances in which it might be impracticable for an organisation to seek an individual's consent to use or disclose their information for the purposes of direct marketing.[87]

10.86         Professor Greenleaf and Mr Waters raised concern that use of the phrase 'collected the information from the individual' in APP 7(2)(a), instead of the expression 'provided by', might lead to an interpretation that 'reasonable expectation' under APP 7(2)(b) would also apply to non-consensual collection of information. It was argued that:

For the principle to achieve its objective, it is essential that the lesser protection afforded to 'existing customers' should only apply where the individual has knowingly and voluntarily provided the information. It would not be acceptable for individuals to be denied an 'opt-out' either because their information had been collected without their knowledge (as is often the case in internet use) or because they had been required (e.g. by law) to provide it (as is the case with many financial, telecommunications and government transactions under statutory 'customer identification' requirements).[88]

10.87         The National Australia Bank (NAB) noted concern that APP 7 does not adequately cover circumstances in which an organisation collects personal information from an individual for the primary purpose of direct marketing, as it requires a test under APP 7(2)(b) as to whether 'the individual would reasonably expect the organisation to use or disclose the information for that purpose'. The NAB suggested that this is inconsistent with APP 6, which states that if an entity has collected information for a particular purpose (the primary purpose), it may use and disclose the information for that purpose without further assessment.[89]

10.88         The Australian Finance Conference (AFC) noted that no specific consent provision regarding the use or disclosure of information collected without the individual's consent has been provided in APP 7(2). The AFC suggested that even though APP 7(2)(b) provides a general permission, a specific provision regarding consent to the use or disclosure of information collected without the individual's consent would assist compliance certainty.[90]

Conclusion

10.89         The committee considers that guidance on the provisions of APP 7(2) and APP 7(3) would be useful.

Personal information collected from another person–APP 7(3)

10.90         As noted above, APP 7 provides for more stringent obligations in relation to the use or disclosure of information collected from another person. The AFC noted that the drafting of this provision required some clarification, and suggested it be redrafted, as it is unclear 'how an individual would not reasonably expect the organisation to use/disclose personal information for direct marketing [APP 7(3)(a)(i)] if the individual had consented to the use/disclosure [APP 7(3)(b)(i)].'[91]

Consent

10.91         Telstra Corporation Limited (Telstra) noted that the requirement in APP 7(3) for an organisation to obtain an individual's consent before using or disclosing personal information about them received from a third party appears quite broad. Concern was raised that this requirement may oblige an organisation to obtain consent to use publicly available information or updated information provided by an authorised representative on a customer's account. Telstra suggested that, to address these issues, the phrase 'would not reasonably expect' be included at the end of APP 7(3)(a)(ii), and that information obtained from authorised representatives and third parties working for or affiliated with the organisation be excluded from requirements under the provision.[92]

Opt-out provisions–APP 7(1)(a),(2)(c),(3)(c)(d) and (4)

10.92         A number of comments were made about the 'opt-out' provisions under APP 7. The OPC suggested that the opt-out requirements in the principle could be simplified by consolidating APP 7(4) and APP 7(5) and modelling it more closely on UPP 6.3.[93]

10.93         Professor Greenleaf and Mr Waters commented on the difference in the provisions of APP 7(2) and (3). They stated that APP 7(2) does not require the opt-out to draw an individual's attention to the provision although this is included in APP 7(3). They commented:

Under (2), if the individual would reasonably expect to receive marketing communications, they are not even required to be notified – this seems perverse and is a very weak provision. All the evidence suggests that most individuals are only too aware that they are likely to receive direct marketing from organisations with which they have dealt, but that it is precisely these communications they wish to be able to stop![94]

10.94         Concerns were also raised that the opt-out provision is weak and can be circumvented. Privacy Law Consulting Australia noted that APP 7(4)(b) refers to 'direct marketing by other organisations' therefore, if an organisation markets on behalf of persons or bodies which are not organisations as defined by the Act, they will not be required to comply with the provision.[95]

10.95         Submitters also commented about the lack of a provision to require organisations to provide individuals with the option to opt-out of the provision of sensitive information for direct marketing purposes.[96] Privacy Law Consulting Australia stated that this is most likely because consent is required in all circumstances for the use of this information for direct marketing, and that such consent can be revoked at any time. However, it was submitted that the requirement that sensitive information only be disclosed or used with consent is undermined by the definition of 'consent' in the Act, which includes 'implied consent'. It was suggested that express consent should be required regarding the disclosure and use of sensitive information, and that consideration be given to whether an opt-out facility should be required in relation to the use of sensitive information for direct marketing purposes, to facilitate individuals exercising their right to withdraw consent.[97]

10.96         The department responded that under APP 7(1)(a), sensitive information about an individual can only be used for direct marketing by an organisation with the consent of that individual unless the organisation is a contracted service provider for a Commonwealth contract and the organisation collected the information for the purpose of meeting an obligation under the contract. The concerns expressed are that, at some point in the future, the individual may want to revoke consent or opt-out (i.e. no longer wants to receive direct marketing communications from the organisation). Further:

There would be options available to individuals in this instance. First, as noted by the PLCA, consent could be revoked at any time, in which case the organisation could not use sensitive information for direct marketing purposes.

While it is a matter for the [Australian Information Commissioner], guidelines to be prepared on the meaning of 'consent' are likely to address key issues such as revocation.

In addition, as a result of APP 7(2) and (3), organisations will be required in practice to provide a simple means by which an individual may easily request not to receive direct marketing communications from an organisation. Further, APP 7(4)(a) provides that an individual may request not to receive direct marketing communications from the organisation.[98]

10.97         The department also stated that:

Obtaining consent and including opt-out facilities should be encouraged as part of a direct marketing organisation's internal procedures. As with other new APPs, there is scope for the AIC to provide guidance on the operation of these provisions. If guidance on the practical workings of APP 7 became necessary, the Department will liaise with the AIC to consider whether to develop guidelines.[99]

10.98         Some submitters argued that the APP imposes an excessive requirement to disclose customers' right to opt-out, and the ABA recommended particular changes to APP 7(2) and (3) in its submission to address these concerns.[100] The ABA and other submitters also suggested that APP 7(4) should allow for an option not to receive any direct marketing at all or that organisations should only have to provide opt-out information to non-existing customers.[101]

10.99         APP 7(3)(d) provides that each direct marketing communication with the individual must include a prominent statement that the individual can make a request to opt out, or must otherwise draw the individual's attention to this option by another means. Telstra argued that this provision would not be required for customers who had already received the entity's privacy statement setting out this information, and should only apply where the individual has not already received the entity's privacy statement.[102]

10.100    ADMA raised similar concerns about the obligations on organisations and facilitating organisations under APP 4, noting that in its understanding:

...the organisations whose products and services are being advertised (the marketing organisation) will carry the responsibility for receiving and actioning a request by the individual not to have their data used in the future for direct marketing purposes. In such circumstances the marketing organisation may put in place processes for its suppliers (facilitating organisations) to accept and forward on those opt out requests however the facilitating organisations would not in this circumstance be required to not contact the individual again on behalf of other marketing organisations.[103]

10.101    Given this apparent uncertainty, ADMA suggested that the exposure draft should specify that facilitating organisations, which do not provide direct marketing communications in their own right, will be exempt from APP 7(3)(c), and:

...will not be bound by the Act to not contact the individual again where a subsequent direct marketing communication is originated by the facilitating organisation on behalf of another marketing organisation that is wholly unrelated to the original marketing organisation that the individual’s opt out request was directed.[104]

Conclusion

10.102    The committee notes that the ALRC review suggested that the opt-out notification obligations should differ for existing and non-existing customers.[105] While the exposure draft has taken a different approach, it has still provided a distinction in the required level of notification regarding the ability of an individual to opt-out. In circumstances in which the information has been collected from the individual, an organisation merely has to provide a simple means by which an individual can opt-out of receiving future direct marketing communications. Where the information about an individual has been collected from a third party, in each direct marketing communication, the organisation must notify the individual of their ability to opt-out of receiving future direct marketing communications from the organisation.

10.103    Further to its comments in chapter 3, the committee considers that further guidance on the definition of consent will assist in the interpretation of the principle.

Source of information–APP 7(4)(c) and (5)

10.104    APP 7(4)(c) provides for an individual to request that the organisation identify the source from which it obtained personal information about the individual. APP 7(5)(c) provides that an organisation must notify the individual of the source within a reasonable period 'unless it is impracticable or unreasonable to do so'. Professor Greenleaf and Mr Waters expressed concern that the exception in APP 7(5)(c), 'unless it is impracticable or unreasonable to do so', is too broad, and consequently is likely to be misused, thereby undermining the purpose of the principle.[106]

10.105    However, a number of submitters argued that the provisions of APP 7(4)(c) are onerous and impractical.[107] For example, Coles commented on the wide range of sources used to collect personal information including emails, in-store transactions and competitions. Once information is collected via some sources, it is no longer possible to determine the source of the information, and changing IT systems for this purpose is likely to be impractical and prohibitively expensive. Coles noted the exception provided for in APP 7(5), however, remained concerned that:

...this exemption is as yet unclear as to whether not keeping track of such information will be sufficient for reliance on an ongoing basis or whether an organisation will be required in future to change its systems or selection of its systems to ensure compliance with APP(4) going forward. This is likely to impose a significant administrative and cost burden on organisations.[108]

10.106    Coles went on to comment that the exemption in APP 7(5) could be amended to provide a further exemption that identification of the source of the personal information will not be required if the specific source of the information is not traceable, provided that the organisation can identify the possible or likely sources of collection.[109]

10.107    Coles' concerns were echoed by the Westpac Group, which noted that this requirement could not be retrospectively applied. Consequently, the Westpac Group indicated its support for the Australian Bankers' Association suggestion that the requirement to record the source of information received from third parties for the purposes of direct marketing, and the requirement to inform those third parties of any change to the information held by an organisation, should be limited to non-existing customers.[110]

10.108    Further guidance and clarification on these provisions was sought by the Financial Services Council (FSC), which suggested that the principle should explicitly state that organisations are not required to disclose the ultimate source of information, only the source from which the organisation obtained the information. The FSC also suggested further guidance regarding the factors an organisation should consider in determining whether it is reasonable and practical to advise an individual of the source from which it obtained the individual's information.[111]

10.109    Privacy Law Consulting Australia noted uncertainty regarding the construction of APP 7(5)(c), as it appears unclear whether 'impracticable or unreasonable' applies to the 'reasonable period' or the notification of the individual. It was suggested that this be clarified in the legislation.[112]

10.110    The department responded to these concerns and stated that this language is consistent with the ALRC recommendation that source disclosure be mandated upon request 'where reasonable and practicable'. The ALRC review noted that an obligation to advise individuals, in response to a request, of the source from which their personal information was obtained might increase the compliance burden on organisations. In light of this the ALRC suggested that the obligation should only apply where 'reasonable and practicable', and should be limited to individuals who are non-existing customers.[113] The department gave the example of information recorded at a time when an organisation was not required to record, and did not record, the source of that information; in that case it would be unreasonable to expect the organisation to provide the source.

10.111    The department went on to state that:

While some organisations may attempt to misuse this test, it is a necessary element of the legislation to enable the policy goal of source disclosure to existing customers who have not provided information to organisations. It is also possible to clarify this issue in the Explanatory Memorandum when the Privacy Act is considered by the Parliament.[114]

10.112    The ALRC also formed the view that the organisation should only be required to name the direct source from which the organisation obtained the individual's information, rather than the original source of information.[115]

Interaction with other legislation–APP 7(6)

10.113    APP 7(6) provides that the principle does not apply to the extent that any of the DNCR Act, the Spam Act or any other Act prescribed by the regulations apply. Comments in relation to APP 7(6) went to the effect of this provision and the need for clarity.[116] Some submitters suggested that the inclusion of this section means that in effect, the Privacy Act will only apply to marketing activities via direct mail and this could result in confusion about handling personal information. Coles commented:

APP 7(6) suggests that an organisation will not be required to deal with personal information in accordance with APP 7 for direct marketing activities like emails, faxes and telephone contact provided that the activities are done with the individuals consent as these activities are otherwise dealt with under the Spam Act 2003 or the Do Not Call Register Act 2006. As each regime requires a different approach to the handling and use of personal information, this is likely to increase the likelihood of confusion arising and the incorrect regime being applied to the handling and use of the information.[117]

10.114    Privacy Law Consulting Australia expressed uncertainty as to the meaning of the phrase 'apply to the extent that' as the Spam or DNCR Acts regulate activities, not the handling of personal information per se. Consequently:

It appears that the intention is that, if one of the Acts permits an activity that necessarily involves the use or disclosure of personal information in a particular manner, APP 7 does not apply to such use or disclosure. For example, the Spam Act permits commercial emails to be sent with consent. This suggests that an organisation will be permitted to use or disclose personal information to send such emails in accordance with the Spam Act, regardless of requirements that might otherwise apply under APP 7.[118]

10.115    Coles suggested that this confusion could be addressed by incorporating the obligations under the Spam and DNCR Acts into the new exposure draft, thereby reducing the complexity of the legislation and ensuring that the obligations of organisations and the protections for individuals are unambiguous and clearly set out in one document. Coles argued that incorporating those obligations in the Privacy Act 'would reduce the complexity of the law in this area and reduce the likelihood of unintentional inappropriate use of personal information in the area of direct marketing activities'.[119]

10.116    Although APP 7(6)(c) refers to 'any other Act', the AFC suggested that the interaction between APP 7 and the anti-hawking provisions in the Corporations Act 2001 requires clarification, and that it may increase compliance certainty if those anti-hawking provisions were specifically included in the list under APP 7(6).[120]

10.117    The department provided a response to this comment and stated that the Government agreed with the ALRC's recommendation that the 'direct marketing' principle should be displaced to the extent that more specific sectoral legislation regulated a particular type of direct marketing or direct marketing by a particular technology. Further, the ALRC believed this approach was preferable because imposing a blanket rule for all forms of direct marketing was too rigid. It stated that other, more intrusive forms of direct marketing should be subject to regulation that differs from the rules applicable to less intrusive forms of direct marketing. It noted that relying on such sectoral legislation to the exclusion of the Privacy Act is problematic, because it leaves loopholes that could encourage other types of direct marketing that may also be intrusive.

10.118    The department concluded that 'this is reflected in APP 7(6) which provides that APP 7 does not apply to the extent that the Spam Act, the Do Not Call Register Act, or any other Act of the Commonwealth prescribed by the regulations applies'. Further 'this means that APP 7 will apply to organisations involved in direct marketing relating to electronic messages and phone calls, where acts and practices are not covered by those Acts'.[121]
