Chapter 10
Australian Privacy Principle 7–direct marketing
Introduction
10.1
Australian Privacy Principle (APP) 7 addresses significant
community concern about the use and disclosure of personal information for
direct marketing. It provides limitations on organisations which use or
disclose personal information for such purposes.[1]
10.2
The Companion Guide noted that the language in the draft principle
differs from the approach outlined in the Government's first stage response to
the Australian Law Reform Commission (ALRC) report. Where the Government
response referred to 'existing customers' and 'non-existing customers', the
exposure draft refers to individuals who have directly provided information to
the entity undertaking direct marketing and individuals who have not directly
provided their personal information to the entity. The Companion Guide explains
that while the language differs, the same policy is achieved.[2]
Background
What is direct marketing?
10.3
Direct marketing is not currently defined under the Privacy Act 1988 (Privacy
Act). Differing descriptions have been provided by the Office of the Privacy
Commissioner (OPC) and the Australian Direct Marketing Association (ADMA). The
ALRC described direct marketing as follows:
'Direct marketing' involves the promotion and sale of goods
and services directly to consumers. Direct marketing can include both
unsolicited direct marketing and direct marketing to existing customers. For
unsolicited direct marketing, direct marketers usually compile lists of
individuals’ names and contact details from many sources, including publicly
available sources. An individual may not always know that his or her personal
information has been collected for the primary purpose of direct marketing.
Direct marketing to existing customers may involve communications designed to
let customers know about new products or services.[3]
10.4
This appears to be the same basic meaning adopted in the Companion
Guide, which describes the practice as the promotion or sale of goods or
services directly to individuals.[4]
10.5
The ALRC noted that while some stakeholders had called for a definition
of direct marketing to be provided in the Privacy Act, the term seems to be
generally understood, and 'there is no consensus about how the term should be
defined'. The ALRC formed the view that the term should not be defined for the
purposes of the Privacy Act, as providing a definition of direct marketing may
limit the application of the principle:
For example, if direct marketing is defined by reference to
current practice, but practice later evolves, new methods of direct marketing
may not be caught by the definition and so would not be subject to the 'Direct
Marketing' principle.[5]
Current provisions regarding direct marketing
10.6
While there is no explicit provision relating to direct marketing by
agencies under the Information Privacy Principles (IPPs), National Privacy
Principle (NPP) 2.1(c) allows the use of personal information by
organisations for the secondary purpose of direct marketing, subject to
a list of conditions.[6]
10.7
Further, in its report, the ALRC noted that there are other exceptions
under the NPPs which permit the use or disclosure of information for direct
marketing, for example if the individual has consented to the use or
disclosure, or if the information was collected for the primary purpose
of direct marketing, etc. If use or disclosure of personal information is
permitted under an exception due to collection of information for the primary
purpose of direct marketing, that use or disclosure is not subject to the list
of conditions under NPP 2.1(c).[7]
Reviews of direct marketing provisions
10.8
The practice of direct marketing, unsolicited direct marketing
communications in particular, is the subject of considerable community concern.
A series of issues have been identified regarding the operation and application
of the principles regarding direct marketing. Some of these issues were
considered in the Office of the Privacy Commissioner's (OPC) report Getting
in on the Act: The Review of the Private Sector Provisions of the Privacy Act
1988 (OPC review).[8]
Concerns regarding the direct marketing provisions were also examined as part
of the 2005 Senate Legal and Constitutional Affairs References Committee
inquiry into the Privacy Act 1988.[9]
10.9
The ALRC review considered the following matters:
- whether the privacy principles should regulate direct marketing
regardless of whether the personal information in question was collected for a
primary or secondary purpose of direct marketing;
- whether direct marketing should be regulated by a separate
privacy principle;
- whether the Privacy Act should regulate direct marketing by
agencies;
- how the 'Direct Marketing' principle in the Privacy Act should
relate to other legislation that deals with particular forms of direct
marketing; and
- the content of the 'Direct Marketing' principle and the need for
guidance from the OPC in relation to the 'Direct Marketing' principle.[10]
Direct marketing as a primary or secondary purpose, and a discrete principle
10.10
A chief concern appears to be the different requirements for the use or
disclosure of information for the purposes of direct marketing depending on
whether the direct marketing is the primary purpose of collection, or a
secondary purpose. The ALRC explained that 'there is currently considerable
ambiguity about whether organisations have collected personal information for
the primary or secondary purpose of direct marketing'.[11]
10.11
The OPC review noted this is of particular concern, because an
individual is unlikely to comprehend the implications of the differences
between collection for a primary purpose and a secondary purpose. This is aptly
illustrated by the following example:
...an organisation may run a competition for the primary
purpose of collecting information; awarding prizes to successful entrants being
a secondary purpose. The individual, on the other hand, may assume that the
purpose of the competition is to provide an opportunity to consumers to win
prizes. Even if he or she reads the fine print, an individual is unlikely to
draw a distinction between a primary and a secondary purpose and to understand
the consequences of the distinction.[12]
10.12
The ALRC noted that while some forms of direct marketing can be harmful
to the privacy of individuals, if conducted appropriately, direct marketing can
also offer benefits. After considering the concerns addressed in previous
reviews, and those raised by stakeholders, the ALRC recommended that regulation
of direct marketing should be provided for through a single discrete privacy
principle. Importantly, the principle 'should apply regardless of whether the
organisation has collected the individual’s personal information for the
primary purpose or a secondary purpose of direct marketing' and 'should
distinguish between direct marketing to individuals who are existing customers
and direct marketing to individuals who are not existing customers'.[13]
Application to agencies
10.13
Agencies are currently not subject to express regulation of direct
marketing under the IPPs. In considering whether the direct marketing principle
should apply to agencies, the ALRC looked at what is encompassed by the term
'agency' in some detail, and came to the understanding 'that "agency"
will not generally include Commonwealth, state or territory commercial
enterprises which are in competition with private sector organisations'.[14]
The ALRC further noted that while agencies are generally exempt from direct
marketing requirements under the Privacy Act, according to the policy position
expressed by the Government:
...even if legislation technically does not apply to
government bodies who are in competition with the private sector, it will be
best practice for such government bodies to meet legislative requirements in
relation to those commercial activities.[15]
10.14
The ALRC formed the view that the direct marketing principle should not
apply to agencies as it may impact on the ability of agencies to communicate
legitimate and important information to individuals. However, the ALRC supported
Government policy in relation to government bodies engaged in commercial
activities.[16]
Interaction with other legislation
10.15
The ALRC noted the existence of sectoral legislation which relates to
specific types or aspects of direct marketing, such as the Do Not Call
Register Act 2006 (DNCR Act) which regulates some aspects of telemarketing
and the Spam Act 2003 (Spam Act) which regulates some aspects of email
marketing. The ALRC noted that:
...there is a strong community view that some forms of direct
marketing are, or have the capacity to be, more intrusive than others. Clearly,
those forms of direct marketing should be subject to regulation that differs
from the rules applicable to less intrusive forms of direct marketing.[17]
10.16
In light of this, the ALRC formed the view that the privacy principles
should provide for 'the generally applicable requirements for organisations
engaged in the practice of direct marketing.' However, the requirements under
the direct marketing privacy principle 'should be able to be displaced by more
specific legislation that deals with a particular type of direct marketing, or
direct marketing by a particular technology'.[18]
Existing and non-existing customers concept
10.17
The ALRC recommended that the direct marketing principle should
distinguish between direct marketing to individuals who are existing customers and
those who are non-existing customers. This reflects the concept of existing
relationships which is used to define consent in the Spam and DNCR Acts. It
also addresses stakeholder comments that 'direct marketing to existing
customers is a legitimate business activity and is acceptable where it is
within the reasonable expectations of such customers'.[19]
10.18
However, the ALRC specified that the use or disclosure of personal
information for the purposes of direct marketing to existing customers should
only take place where the customer would reasonably expect the use or
disclosure of their information for that purpose. This concept of reasonable
expectation already exists under the current Privacy Act.[20]
10.19
The ALRC considered that the requirements applying to the use or
disclosure of personal information for direct marketing to non-existing
customers should be more onerous than those applying to the use or disclosure
of personal information for direct marketing to existing customers. The ALRC
suggested that personal information of non-existing customers should only be
used or disclosed for the purposes of direct marketing if 'the individual has
consented; or the information is not sensitive information and it is
impracticable for the organisation to seek the individual’s consent before that
particular use or disclosure'.[21]
10.20
The ALRC considered that guidance on the following matters would be
required from the OPC:
- what constitutes an existing customer;
- the types of direct marketing communications which are likely to
be within the reasonable expectations of existing customers and the extent to
which the use and disclosure of sensitive information for the purposes of
direct marketing will be within an existing customer's reasonable expectations;
and
- the kinds of circumstances in which it will be impracticable for
an organisation to seek consent in relation to direct marketing.[22]
Opt-in requirement vs opt-out requirement
10.21
The Senate Legal and Constitutional Affairs References Committee inquiry
into the Privacy Act 1988 recommended the consideration of providing an
'opt-in' requirement for direct marketing, in line with the Spam Act. The OPC
review took a different approach, recommending that consideration be given to
amending the Privacy Act to grant consumers the option to 'opt-out' of direct
marketing at any time, and that organisations should be required to comply with
such a request within a particular timeframe.[23]
10.22
The ALRC noted that the majority of stakeholders supported the adoption
of an 'opt-out' regime in relation to direct marketing; however, it recommended
that a distinction be drawn between direct marketing to non-existing customers
and direct marketing to existing customers. Non-existing customers should be
provided with an opportunity to opt out of direct marketing in every direct
marketing communication. In relation to existing customers, however, the ALRC
considered it sufficient to make the customer aware, through the organisation's
privacy policy, that they are able to opt out of direct marketing at any time.[24]
Direct marketing to minors
10.23
The ALRC considered it appropriate that parental consent should be
required before the use or disclosure of the personal information of a child or
young person under the age of 15 for the purposes of direct marketing is
permitted. Further, the ALRC considered that a child or young person under the
age of 15 should always be treated as a non-existing customer, ensuring that
stricter obligations relating to the use or disclosure of their personal
information for the purposes of direct marketing apply. The ALRC suggested
that:
...direct marketing to individuals under the age of 15 years
can only occur where either: the individual has consented; or the information
is not sensitive information, and it is impracticable for the organisation to
seek the individual’s consent before that particular use or disclosure.[25]
Providing the source of information
10.24
The OPC review recommended that the Privacy Act be amended to 'require
organisations to take reasonable steps, on request, to advise an individual
where it acquired the individual’s personal information.'[26]
This recommendation was supported by the Senate Legal and Constitutional
Affairs References Committee.[27]
10.25
The ALRC noted support from stakeholders for such a requirement as this
would enable individuals to assert their privacy rights regarding direct
marketing. However, the ALRC was conscious that this requirement might increase
the compliance burden on organisations, and suggested the requirement be
limited to individuals who are non-existing customers, and that a 'reasonable
and practicable' test be introduced, to ensure that the requirement would not
be overly onerous for organisations to comply with. It was suggested that the
OPC could provide guidance on the factors to be considered in determining
whether it is 'reasonable or practicable' to advise an individual of the source
of information. The ALRC also considered that the 'source' in this requirement
should refer to 'the direct source from which the organisation acquired the
information' as opposed to the original source of information. The ALRC stated
that:
It would be unduly onerous to require organisations to track
personal information back to the original source. In some cases, organisation C
may not be aware that organisation B obtained the personal information from
some other source.[28]
Government response
10.26
The Government agreed that provisions regulating the use and disclosure
of personal information for the purposes of direct marketing should form a
separate and discrete principle. The Government further agreed that different
standards should be applied to those who have an existing relationship with an
organisation and those who do not. However, the appropriateness of the term
'customer' was questioned, and the Government stated it would seek advice from
the OPC to ensure that the draft legislation reflects the correct intent.[29]
10.27
In relation to extending the application of the principle to agencies,
the Government stated that this 'would generally not be appropriate' and noted
that section 7A of the existing Privacy Act provides for the treatment of acts
of certain agencies as acts of organisations. A note should be added to the principle
to draw attention to section 7A.[30]
10.28
The Government agreed that specific sectoral legislation such as the
Spam and DNCR Acts should displace the more general requirements under the
direct marketing principle.[31]
10.29
In relation to sensitive information, the Government took a different
position to the ALRC and stated that an individual's consent should always be
sought for the use and disclosure of sensitive information for the purposes of
direct marketing, regardless of whether the individual is an existing or
non-existing customer.[32]
10.30
The response noted the Government's agreement with the recommendation
that personal information of existing customers should only be used or
disclosed for the purpose of direct marketing if the individual would
reasonably expect the organisation to use or disclose their information for
that purpose, and if the organisation provides the individual with a simple and
functional way of opting-out of direct marketing communications. The Government
also concurred with the ALRC's suggestion that in every direct marketing
communication, non-existing customers should be informed of their ability to
opt-out of direct marketing communications, and that a simple and functional
means of opting-out should be offered.[33]
10.31
The Government also recognised concerns regarding the potential effect
of direct marketing on children, in particular direct marketing via email and
SMS which are regulated under the Spam Act. It was noted that, in effect, the
provisions under the Privacy Act principally relate to postal direct marketing
and there is 'insufficient evidence that postal direct marketing to young
people has resulted in substantial adverse consequences'. Given this, and given
that determining the age of an individual is likely to result in organisations
collecting more information about individuals than would otherwise be
necessary, the Government did not agree that different standards for the use
and disclosure of personal information for the purpose of direct marketing
should be applied on the basis of an individual's age. In the Government's view
this would only 'impose an unnecessary regulatory burden and added complexity,
without substantial benefit'.[34]
10.32
Finally, the Government agreed that, where practicable, an organisation
should be obliged to advise an individual of the source from which they
obtained the individual's information, if this information is requested by the
individual.[35]
Issues
10.33
The committee received many comments in relation to the structure and
terminology used, and submitters commented that APP 7 is a particularly
difficult and complex principle. Submitters also noted that the requirements
under APP 7 would be administratively burdensome and costly to comply
with, particularly as compliance will require investment in IT infrastructure
and other systems.[36]
Structure and terminology
10.34
A number of submissions raised concerns about the complexity and
structure of APP 7. While the National Australia Bank (NAB) and the
Australian Bankers' Association (ABA) supported a separate principle for direct
marketing, a larger number of submitters did not. They suggested that
APP 7 be incorporated into APP 6 to ensure clarity and avoid
confusion.[37]
Privacy NSW further suggested that if this was to occur, APP 7(1)-(6)
should be contained in an Australian Privacy Rules.[38]
10.35
Another view was put by Dr Colin Bennett who commented that direct
marketing is a practice, rather than a principle and 'to elevate the practice
(and industry) to the status of a principle is really inconsistent with other
"principle" based laws and regimes and will be viewed as such by
overseas privacy regulators and experts'.[39]
10.36
Submitters also commented about the complexity of the principle and
called for guidance and clarity around the operation or meaning of certain
parts of the provision.[40]
The OPC commented that 'if direct marketing is to be addressed in a separate
principle, it is important that the principle be clearly drafted, easily
understood, and proportionate with community expectations'.[41]
10.37
Privacy Law Consulting Australia also noted that complexity of structure
is a particular concern, as the principle is difficult to understand and apply.
Consequently, organisations will experience difficulty in developing compliance
programs and systems which meet the legislative requirements. Privacy Law
Consulting Australia stated:
This could result in, for example, organisations simply
adopting "the lowest common denominator" (e.g. providing opt-out facilities and/or obtaining
consent) in relation to all direct marketing activities, which may be
unintended consequences of the principle.[42]
10.38
The Department of the Prime Minister and Cabinet (the department) commented
on the matters raised by Privacy Law Consulting Australia and stated that the
requirements in APP 7 are intended to allow organisations to undertake
legitimate direct marketing activities subject to strict rules aimed at
protecting individuals from having their personal information used and
disclosed inappropriately. Organisations will be required to consider their
existing procedures to ensure that they comply with the new regime.[43]
10.39
The department also commented that the Government had agreed to a separate
principle for direct marketing to provide 'greater clarity' and went on to note
the ALRC's comments that 'stakeholder concerns regarding the direct marketing
activities of some organisations were unlikely to be addressed adequately if
the relevant privacy principle only covered secondary purpose direct marketing
(as existing NPP 2.1 does)'.[44]
10.40
Submitters commented on the drafting of this principle, noting the inconsistent
use of terminology and the mix of positively and negatively expressed requirements.
Submitters also noted that the headings in APP 7(2) and APP 7(3) do not
adequately reflect the intent and content of the provisions, and should be
redrafted.[45]
The Australian Institute of Credit Management suggested that APP 7(2)(d)
is not clear and could be redrafted to set out a 'logical process of receipt
and opting-out'.[46]
10.41
Professor Greenleaf and Mr Waters commented on the 'poor' drafting in
that it does not use the same distinctions as are explained in the Companion
Guide.[47]
These issues, combined with the use of cross-referencing, have made the
relationship between provisions very unclear. They commented, for example, that
APP 7(1)(b) is expressed as an exemption to APP 7(1), is subject to
two pre-conditions, and requires readers to refer to other provisions before
understanding where it applies. Further, APP 7(2) and (3) are in fact
exceptions to APP 7(1), however, this is not clear from the structure or
the drafting of the principle, and consequently 'APP 7 fails the
fundamental test that legal obligations should be at least reasonably
comprehensible'. It was submitted that the principle would be better
constructed as a set of 'conditions' on direct marketing activity and could be
modelled on UPP 6.[48]
10.42
The OPC concluded:
The principle's structure could be simplified and reorganised
to reflect the general rules that regulate how information can be used or
disclosed for direct marketing, followed by exceptions (such as for contracted
service providers) and any additional requirements.[49]
Conclusion
10.43
In relation to the comments that direct marketing should not be a
separate privacy principle, the committee notes the comments of the ALRC which
reported that stakeholders had submitted both in favour of, and against the
creation of a discrete principle on direct marketing. The ALRC report provided
the following rationale for its recommendation for a separate principle, and
this was supported by the Government response:
Making clear that the 'Direct Marketing' principle in the
Privacy Act sets out the general requirements in this area, and that these may
be displaced by other requirements in certain contexts, where Parliament deems
it appropriate, allows for a regime that is more responsive to the specific
needs of consumers and business.[50]
10.44
However, as the ALRC concluded that any provisions relating to use or
disclosure of information for direct marketing should apply regardless of
whether the information was collected for the primary or secondary purpose of
direct marketing, it should be constituted as a separate principle to the
general 'use and disclosure' principle. In its response to the ALRC report, the
Government supported the creation of a discrete principle regulating the use
and disclosure of personal information for the purposes of direct marketing.[51]
The committee also notes the department's comments regarding a separate
principle and supports this approach.
10.45
The committee considers that, as currently drafted, APP 7 is
particularly difficult and complex. The committee has concerns that this will
adversely affect the implementation of this principle and for this reason
believes that further consideration should be given to the structure and
language used in the principle.
Recommendation 10
10.46
The committee recommends that the drafting of APP 7 be reconsidered
with the aim of improving structure and clarity to ensure that the intent of
the principle is not undermined.
Defining 'direct marketing'
10.47
Some submitters noted that a definition of 'direct marketing' has not
been provided in the exposure draft.[52]
The ABA noted that, due to the reference in APP 7(6) to the SPAM and DNCR
Acts, the absence of a specific definition allows the interpretation that
direct marketing as used in the principle, 'is confined to direct marketing by
means other than the means covered under those Acts'.[53]
10.48
Privacy Law Consulting Australia noted that as two differing definitions
of the term 'direct marketing' are provided in the Australian Direct Marketing
Association's Direct Marketing Code of Practice (2001) and the OPC's Draft
NPP Guidelines (7 May 2001), it would be useful to have the term defined in
the new Privacy Act, particularly as the definition of this term will determine
the activities to which APP 7 applies.[54]
10.49
The ALRC report noted calls from stakeholders for a definition of direct
marketing to be provided in the Privacy Act, however, the submissions received
did not provide consensus on how the term should be defined. Further, the ALRC
expressed concern that providing a definition of direct marketing 'may
unnecessarily confine the application of the "Direct Marketing" principle'. Therefore
the ALRC considered that direct marketing should not be defined in the Privacy
Act.[55]
10.50
The committee notes the department's response that there is no intention
to include a definition of 'direct marketing' in the Act and that the current
Act does not define direct marketing. Further, the Government accepted the
ALRC's view as outlined above.
Application to agencies
10.51
APP 7 applies to organisations and those agencies which engage in
commercial activities, as provided by existing section 7A of the Privacy Act.
This was supported by some submitters, including Privacy Victoria.[56]
However, other submitters argued that, as a number of agencies, both at the Commonwealth
and State and Territory level, engage in direct marketing, APP 7 should
apply to all entities.[57]
Professor Graham Greenleaf and Mr Nigel Waters stated:
We believe the principle should apply to both agencies and
organisations on the grounds that the boundaries between private and public
sectors are increasingly blurred, and government agencies are now commonly undertaking
direct marketing activities.[58]
10.52
Professor Greenleaf and Mr Waters noted that while under section 7A of
the current Privacy Act, APP 7 would apply to the commercial activities of
some prescribed agencies, this is not sufficient, particularly as the exemption
for the majority of agencies has been extended under APP 7(1)(c).[59]
10.53
In addition, concern was expressed by the ADMA that as currently
drafted, APP 7 may have the effect of requiring agencies to discontinue
their direct marketing activities, or be forced to justify their direct
marketing activities under APP 6, which does not afford the same level of
privacy protection regarding direct marketing as APP 7.[60]
10.54
In light of these issues, some submitters recommended that references to
'organisation' in APP 7 should be changed to 'entity'. Professor Greenleaf
and Mr Waters submitted that if this change were made, an additional
provision providing an exception regarding information for the purpose of
direct marketing communications which are required or authorised by law would
need to be inserted.[61]
10.55
The OPC commented that it is not clear whether the note to APP 7(1)
is intended to give force to the position in the Government's response, which
suggested that agencies which engage in commercial activities should be
'required to comply' with the APPs. It was noted that this position differed
from the ALRC recommendation, which suggested that the direct marketing
principle should only apply to organisations, and agencies should comply with
the direct marketing principle as a matter of 'best practice'.[62]
10.56
The ALRC provided commentary on the basis of its recommendation
concerning direct marketing in relation to agencies. Mr Bruce Alston, Senior
Legal Officer at the ALRC, stated that:
When looking at whether it should include agencies—that is,
Commonwealth government agencies—we obviously rejected that idea and instead
went for organisations with an extension to contracted service providers, in
the same way a lot of other Commonwealth laws reach out and cover people
providing services to the Commonwealth as well as to agencies.[63]
10.57
Professor Rosalind Croucher, President of the ALRC further elucidated:
There is a distinction made between organisations and
entities but I think the overall approach is that similar principles should
apply. There is a distinction between public and private sector. It necessarily
is that way, and that is partly because of the constitutional backdrop. The
idea is that there should be similar obligations with respect to all.[64]
Conclusion
10.58
The committee notes that the ALRC considered arguments for the extension
of the application of direct marketing requirements to agencies. However, the
ALRC formed the view that if direct marketing requirements were extended to
apply to agencies, the way that government agencies communicate with individuals
would be significantly affected. The Government agreed that the application of
direct marketing requirements to agencies would not be appropriate.[65]
Further, in its submission to the ALRC review, and in its submission to this
inquiry, the OPC noted that the use and disclosure of personal information by
agencies would still be regulated, as agencies will be required to abide by the
use and disclosure principle in their management of personal information.[66]
10.59
The committee concurs with the Government's view that the direct
marketing principle should only apply to agencies in specific circumstances.
However, mindful of the OPC's comments, the committee considers that the draft
note to APP 7(1) should be redrafted to better reflect the Government's
position.
Recommendation 11
10.60
The committee recommends that the note to APP 7(1) be redrafted to
better reflect the position outlined in the Government response.
Direct marketing to minors
10.61
Some submitters expressed concern that the exposure draft does not
expressly prohibit direct marketing to minors. The Public Interest Advocacy
Centre (PIAC) noted that where UPP 6 contained a reference to children
under the age of 15 years, APP 7 makes no mention of minors. PIAC argued
that direct marketing to children under 15 years of age should be prohibited,
with the possible exception of existing customers and targeted public health
and safety campaigns. Although PIAC acknowledged that ascertaining the age of
an individual can be difficult, it noted that if an organisation has sufficient
personal information to undertake direct marketing, it should be able to
ascertain the individual's age, and obtain their consent before undertaking
direct marketing.[67]
10.62
The Obesity Policy Coalition expressed similar concerns, and recommended
that APP 7 be amended to prevent an organisation from using or disclosing
personal information of an individual who is known to be, or is reasonably
likely to be, younger than 15 years old, for the purposes of direct marketing,
unless express and verifiable consent has been provided by a parent, or the
organisation can confirm that the individual is older than 15 years of age. The
Obesity Policy Coalition suggested this is particularly important as most
young children under 15 years of age do not have the capacity to make informed
decisions about the use of their personal information, and are more susceptible
to commercial influence.[68]
10.63
The Government response acknowledged concerns raised in the ALRC's
review about the potential impact of direct marketing on individuals under 15
years of age, in particular direct marketing via email and SMS. However, the
Government was 'not convinced that there is sufficient justification for
distinguishing direct marketing obligations on the basis of an individual’s age'.
The Government formed this view on the basis that:
- in effect, the Privacy Act chiefly relates to postal direct
marketing and there is insufficient evidence that this form of marketing has
adversely affected young people; and
- if organisations are required to establish an individual's age,
they may collect more information about the individual than would otherwise be
necessary.[69]
10.64
Consequently, the Government concluded that applying different standards
for the use and disclosure of personal information for the purpose of direct
marketing on the basis of an individual's age would only increase the burden on
organisations, and the complexity of the principles, without providing
commensurate benefit. However, the Government did encourage the OPC to issue
guidance on the obligations of organisations regarding direct marketing to
vulnerable people, should the Privacy Commissioner decide it is appropriate to
do so.[70]
Conclusion
10.65
While acknowledging the concerns of commentators about the impact of
direct marketing to minors, the committee is mindful that the Privacy Act will
primarily regulate direct marketing via post and that there is insufficient
evidence that postal direct marketing to young people has resulted in
substantial adverse consequences. Therefore, the committee does not consider
that a specific prohibition of direct marketing to minors is required in the
Privacy Act, but is of the view that guidance from the Australian Information
Commissioner on direct marketing to vulnerable people, as suggested by the
Government, would be beneficial.
Recommendation 12
10.66
The committee recommends that the Australian Information Commissioner
develop guidance in relation to direct marketing to vulnerable people.
'Existing' and 'non-existing' customers concept
10.67
The Companion Guide explains that the terminology used in
APP 7 is different to that in the Government response: rather than
'existing' and 'non-existing' customers, APP 7 focuses on individuals who have
provided personal information to the entity which is undertaking the direct
marketing (APP 7(2)) and people who have not provided information
(APP 7(3)).[71]
The Companion Guide states that the same policy is achieved and that the policy
intent is to apply more stringent obligations when using personal information
of non-existing customers as the individual is less likely to expect use or
disclosure for direct marketing purposes.
10.68
The department noted that:
In the case of personal information that is not sensitive
information the requirements that are stated in the Government response to
apply to 'existing customers' will apply where the information was collected
from the individual. Further, they apply where the individual would reasonably
expect the organisation to use or disclose the information for the purpose of
direct marketing.
The requirements that apply to 'non-existing customers' in
the Government response will apply where the information was not collected from
the individual (or, for logical consistency, where the 'existing customer'
would not have reasonably expected that the organisation would use or disclose
the information for the purpose of direct marketing).[72]
10.69
Submitters raised a range of concerns, including the difficulties of
implementing the principle. The Australian Direct Marketing Association
(ADMA), for example, submitted that this approach is 'unworkable' as industry
processes cannot be neatly divided into two streams on the basis of whether the
information was obtained from the individual or not. Further, ADMA argued that
it would be very difficult, even for external agencies such as regulators, to
independently assess whether APP 7(2) or APP 7(3) applies in any
given situation. ADMA stated that it rejected the approach taken by the
Government and submitted that the principles should revert to the structure as
recommended by the ALRC.[73]
ADMA also argued that there would be significant additional complexity for
organisations as they would be required to examine on a case-by-case basis,
each campaign and potentially each individual record to determine whether any
elements of the information that is being used or disclosed was not obtained
from the individual.[74]
10.70
ADMA concluded:
The move to information source represents a significant
departure both from the stated policy that different regimes would apply
depending on whether an organisation has an existing relationship with the
individual, but more importantly does not satisfactorily meet the criteria set
by the Government of introducing a simpler regime.[75]
10.71
The OPC noted that APP 7 appears to be more complex than outlined
in the Companion Guide as there are exceptions which depend on individuals' reasonable
expectations for use and disclosure. The OPC suggested that 'the language in
the principle could more clearly distinguish between individuals who have an established
relationship with an organisation and those who do not'.[76]
10.72
The OPC commented further that the Spam Act, the DNCR Act and the ADMA
Direct Marketing Code of Practice use the concept of 'on-going' or 'pre-existing'
relationships for direct marketing. The OPC suggested that there would be
advantage in adopting terms from those Acts or codes as this would ensure that:
- APP obligations are well understood across the industry and
smoothly incorporated within existing compliance frameworks; and
- individuals can readily understand their rights, and marketers' obligations.
10.73
ADMA and The Communications Council also supported the alignment of the
Privacy Act with the Spam and DNCR Acts.[77]
ADMA noted that 'existing relationship' is widely understood by industry and
that it would provide a consistent approach with other privacy related laws.[78]
10.74
The Communications Council was concerned that the provisions of
APP 7(3) may apply in the case where an entity may use information gained
from existing customers to make inferences on customer interest in purchasing
products or services. This would result in more 'onerous requirements to
provide opt-out facilities and opt-out statements'. Further, 'this would have
an adverse effect on direct marketing and jeopardises marketing agencies'
existing relationships with individuals'.[79]
10.75
The ABA noted that the 'existing' and 'non-existing' distinction is helpful
for compliance. However, the ABA argued that the provisions of APP 7(3)
meant that this distinction between customers is lost:
The distinction between existing and non-existing customers
becomes confused by the provisions of APP 7(3)(a)(i) that suggest that the
personal information, although collected from an existing customer by the
organisation, must be handled differently because that individual would not
reasonably expect the information to be used by the organisation for direct
marketing. The advantage of the distinction between existing and non-existing
customers is therefore significantly lost.[80]
10.76
The OPC also suggested that the Government's concerns about the use of
the term 'customer' could be overcome by the inclusion of a definition or by
the concept of ongoing or existing relationships.[81]
10.77
The department provided the committee with comments on the issues raised
in submissions and stated that:
The drafting approach taken does not divert from the Government's
response. The focus in APP 7 is on the key elements of an existing
customer relationship, and this is different to the more ambiguous and
potentially broader 'existing relationship' concept in the Spam Act 2003 and
the Do Not Call Register Act 2006. The approach of distinguishing a customer
from a non-existing customer by whether information is provided is the best drafting
approach to defining an 'existing customer'. The consequence may be that the
requirements in the Privacy Act may differ from sectoral specific legislation
but that is necessary to ensure that concepts in the Privacy Act (particularly
relating to consent) are consistent and unambiguous.[82]
10.78
The department went on to state that the 'existing relationship' concept
in the Spam Act and the Do Not Call Register Act is appropriate for the
sectoral specific direct marketing practices relating to electronic messages
and phone calls. That concept is included within a broader notion of 'inferred
consent', which is based on consent that 'can be reasonably inferred from the
conduct, and the business and other relationships, of the individual or
organisation concerned'.[83]
Conclusion
10.79
The committee notes that many submitters raised significant concerns
with the concepts in APP 7. However, the Companion Guide and the
department's answer make clear that the policy outlined in the Government
response is achieved. Further, the 'existing relationship' concept in the Spam
Act and the Do Not Call Register Act is more ambiguous and potentially broader.
The committee therefore does not consider that any amendment to this concept is
required.
10.80
In relation to the simplification of the principle, the committee
considers that further consideration should be given to the inclusion in APP 7(3)
of the provision relating to the use and disclosure of information collected
from an individual where the individual would not have reasonably expected the
information to be used or disclosed for that purpose (APP 7(3)(a)(i)). This
provision adds to the difficulties of interpreting the principle.
Recommendation 13
10.81
The committee recommends that the structure of APP 7(2) and APP 7(3)
in relation to APP 7(3)(a)(i) be reconsidered.
Personal information collected from the individual–APP 7(2)
10.82
APP 7(2) provides that information collected from the individual can
be used or disclosed for direct marketing purposes if the individual would
'reasonably expect' the organisation to undertake that activity, the
organisation provides a simple means by which the individual can request not to
receive the direct marketing communications, and the individual has not
made such a request.
10.83
Issues raised in relation to this provision included the need for
clarification of terms and guidance.
10.84
The ABA commented on the wording of APP 7(2)(a) in relation to
aggregation products, and noted that these products typically involve an
agreement with the customer to source and aggregate financial information about
the customer from the customer's other financial institutions using the customer's
credentials. Information acquired this way is compiled into financial
statements and can be made available to the customer in a useful format in
secure internet banking sessions. Informed consent for the collection underpins
the arrangement. As part of the terms of these products the bank may use this
information for marketing purposes. The ABA commented that the wording of
APP 7(2) would require excessive disclosure of the customer's right to opt
out in these circumstances.[84]
10.85
Submitters requested guidance as to what would constitute a 'simple
means' for an individual to request not to receive direct marketing
information. Epworth HealthCare suggested that it may be useful if examples are
provided.[85]
The Law Institute of Victoria (LIV) also identified this issue, and suggested
that an amendment be made to indicate that, in relation to electronic
communications, 'simple means' is subject to additional obligations under the
Spam Act.[86]
Submitters also suggested that guidance would be useful as to the types of direct
marketing communications for which an individual might 'reasonably expect' an
organisation to use or disclose their personal information, and the
circumstances in which it might be impracticable for an organisation to seek an
individual's consent to use or disclose their information for the purposes of
direct marketing.[87]
10.86
Professor Greenleaf and Mr Waters raised concern that use of the phrase
'collected the information from the individual' in APP 7(2)(a), instead of
the expression 'provided by', might lead to an interpretation that 'reasonable
expectation' under APP 7(2)(b) would also apply to non-consensual
collection of information. It was argued that:
For the principle to achieve its objective, it is essential
that the lesser protection afforded to 'existing customers' should only apply where
the individual has knowingly and voluntarily provided the information. It would
not be acceptable for individuals to be denied an 'opt-out' either because their information had
been collected without their knowledge (as is often the case in internet use)
or because they had been required (e.g. by law) to provide it (as is the case
with many financial, telecommunications and government transactions under
statutory 'customer identification' requirements).[88]
10.87
The National Australia Bank (NAB) noted concern that APP 7 does not
adequately cover circumstances in which an organisation collects personal
information from an individual for the primary purpose of direct marketing, as
it requires a test under APP 7(2)(b) as to whether 'the individual would
reasonably expect the organisation to use or disclose the information for that
purpose'. The NAB suggested that this is inconsistent with APP 6, which
states that if an entity has collected information for a particular purpose
(the primary purpose), it may use and disclose the information for that purpose
without further assessment.[89]
10.88
The Australian Finance Conference (AFC) noted that no specific consent
provision regarding the use or disclosure of information collected without the
individual's consent has been provided in APP 7(2). The AFC suggested that
even though APP 7(2)(b) provides a general permission, a specific
provision regarding consent to the use or disclosure of information collected
without the individual's consent would assist compliance certainty.[90]
Conclusion
10.89
The committee considers that guidance on the provisions of APP 7(2)
and APP 7(3) would be useful.
Personal information collected from another person–APP 7(3)
10.90
As noted above, APP 7 provides for more stringent obligations in
relation to the use or disclosure of information collected from another person.
The AFC noted that the drafting of this provision required some clarification,
and suggested it be redrafted, as it is unclear 'how an individual would not
reasonably expect the organisation to use/disclose personal information for
direct marketing [APP 7(3)(a)(i)] if the individual had consented to the
use/disclosure [APP 7(3)(b)(i)].'[91]
Consent
10.91
Telstra Corporation Limited (Telstra) noted that the requirement in
APP 7(3) for an organisation to obtain an individual's consent before
using or disclosing personal information about them received from a third
party appears quite broad. Concern was raised that this requirement may oblige
an organisation to obtain consent to use publicly available information or
updated information provided by an authorised representative on a customer's
account. Telstra suggested that to address these issues, the phrase 'would not
reasonably expect' be included at the end of APP 7(3)(a)(ii), and that
information obtained from authorised representatives and third parties working
for or affiliated with the organisation be excluded from the requirements under the
provision.[92]
Opt-out provisions–APP 7(1)(a), (2)(c), (3)(c)(d) and (4)
10.92
A number of comments were made about the 'opt-out' provisions under
APP 7. The OPC suggested that the opt-out requirements in the principle
could be simplified by consolidating APP 7(4) and APP 7(5) and
modelling it more closely on UPP 6.3.[93]
10.93
Professor Greenleaf and Mr Waters commented on the difference in the
provisions of APP 7(2) and (3). They stated that APP 7(2) does not
require the opt-out to draw an individual's attention to the provision although
this is included in APP 7(3). They commented:
Under (2), if the individual would reasonably expect to
receive marketing communications, they are not even required to be notified –
this seems perverse and is a very weak provision. All the evidence suggests
that most individuals are only too aware that they are likely to receive direct
marketing from organisations with which they have dealt, but that it is precisely
these communications they wish to be able to stop![94]
10.94
Concerns were also raised that the opt-out provision is weak and can be
circumvented. Privacy Law Consulting Australia noted that APP 7(4)(b)
refers to 'direct marketing by other organisations' therefore, if an
organisation markets on behalf of persons or bodies which are not organisations
as defined by the Act, they will not be required to comply with the provision.[95]
10.95
Submitters also commented on the lack of a provision requiring
organisations to provide individuals with the option to opt out of the use
of sensitive information for direct marketing purposes.[96]
Privacy Law Consulting Australia stated that this is most likely because
consent is required in all circumstances for the use of this information for
direct marketing, and that such consent can be revoked at any time. However, it
was submitted that the requirement that sensitive information only be disclosed
or used with consent is undermined by the definition of 'consent' in the Act,
which includes 'implied consent'. It was suggested that express consent should
be required regarding the disclosure and use of sensitive information, and that
consideration be given to whether an opt-out facility should be required in
relation to the use of sensitive information for direct marketing purposes, to
facilitate individuals exercising their right to withdraw consent.[97]
10.96
The department responded that under APP 7(1)(a), sensitive information
about an individual can only be used for direct marketing by an organisation
with the consent of that individual unless the organisation is a contracted
service provider for a Commonwealth contract and the organisation collected the
information for the purpose of meeting an obligation under the contract. The
concerns expressed are that, at some point in the future, the individual may
want to revoke consent or opt-out (i.e. no longer wants to receive direct
marketing communications from the organisation). Further:
There would be options available to individuals in this
instance. First, as noted by the PLCA, consent could be revoked at any time, in
which case the organisation could not use sensitive information for direct
marketing purposes.
While it is a matter for the [Australian Information Commissioner],
guidelines to be prepared on the meaning of 'consent' are likely to address key
issues such as revocation.
In addition, as a result of APP 7(2) and (3), organisations
will be required in practice to provide a simple means by which an individual
may easily request not to receive direct marketing communications from an
organisation. Further, APP 7(4)(a) provides that an individual may request not
to receive direct marketing communications from the organisation.[98]
10.97
The department also stated that:
Obtaining consent and including opt-out facilities should be
encouraged as part of a direct marketing organisation's internal procedures. As
with other new APPs, there is scope for the AIC to provide guidance on the
operation of these provisions. If guidance on the practical workings of
APP 7 became necessary, the Department will liaise with the AIC to
consider whether to develop guidelines.[99]
10.98
Some submitters argued that the APP imposes an excessive requirement to
disclose customers' right to opt-out, and the ABA recommended particular
changes to APP 7(2) and (3) in its submission to address these concerns.[100]
The ABA and other submitters also suggested that APP 7(4) should allow for
an option not to receive any direct marketing at all or that organisations should
only have to provide opt-out information to non-existing customers.[101]
10.99
APP 7(3)(d) provides that each direct marketing communication
with the individual must include a prominent statement that the individual may
request to opt out, or must draw the individual's attention to this option by
another means. Telstra argued that this provision would not be required for
customers who had already received the entity's privacy statement setting
out this information, and should only apply where the individual has not already
received the entity's privacy statement.[102]
10.100
ADMA raised similar concerns about the obligations on organisations and facilitating
organisations under APP 4, noting that in its understanding:
...the organisations whose products and services are being
advertised (the marketing organisation) will carry the responsibility for
receiving and actioning a request by the individual not to have their data used
in the future for direct marketing purposes. In such circumstances the
marketing organisation may put in place processes for its suppliers
(facilitating organisations) to accept and forward on those opt out requests
however the facilitating organisations would not in this circumstance be
required to not contact the individual again on behalf of other marketing
organisations.[103]
10.101
Given this apparent uncertainty, ADMA suggested that the exposure draft should specify
that facilitating organisations, which do not provide direct marketing
communications in their own right, will be exempt from APP 7(3)(c), and:
...will not be bound by the Act to not contact the individual
again where a subsequent direct marketing communication is originated by the
facilitating organisation on behalf of another marketing organisation that is
wholly unrelated to the original marketing organisation to which the individual's
opt out request was directed.[104]
Conclusion
10.102
The committee notes that the ALRC review suggested that the opt-out notification obligations
should differ for existing and non-existing customers.[105]
While the exposure draft has taken a different approach, it has still provided
a distinction in the required level of notification regarding the ability of an
individual to opt-out. In circumstances in which the information has been
collected from the individual, an organisation merely has to provide a simple
means by which an individual can opt-out of receiving future direct marketing
communications. Where the information about an individual has been collected
from a third party, in each direct marketing communication, the organisation
must notify the individual of their ability to opt-out of receiving future
direct marketing communications from the organisation.
10.103
Further to its comments in chapter 3, the committee considers that further guidance on the definition
of consent will assist in the interpretation of the principle.
Source of information–APP 7(4)(c) and (5)
10.104
APP 7(4)(c) provides for an individual to request the organisation to provide the source
from which it obtained personal information about the individual. APP 7(5)(c)
provides that an organisation must notify the individual of the source within
a reasonable period 'unless it is impracticable or unreasonable to do so'. Professor
Greenleaf and Mr Waters expressed concern that the exception in APP 7(5)(c),
'unless it is impracticable or unreasonable to do so', is too broad, and
consequently is likely to be misused, thereby undermining the purpose of the
principle.[106]
10.105
However, a number of submitters argued that the provisions of APP 7(4)(c) are onerous and
impractical.[107]
For example, Coles commented on the wide range of sources used to collect
personal information including emails, in-store transactions and competitions.
Once information is collected via some sources, it is no longer possible to
determine the source of the information, and changing IT systems for this
purpose is likely to be impractical and prohibitively expensive. Coles noted
the exception provided for in APP 7(5), however, remained concerned that:
...this exemption is as yet unclear as to whether not keeping
track of such information will be sufficient for reliance on an ongoing basis
or whether an organisation will be required in future to change its systems or
selection of its systems to ensure compliance with APP(4) going forward. This
is likely to impose a significant administrative and costs burden on organisations.[108]
10.106
Coles went on to comment that the exemption in APP 7(5) could be amended to provide a
further exemption that identification of the source of the personal information
will not be required if the specific source of the information is not traceable,
provided that the organisation can identify the possible or likely sources of
collection.[109]
10.107
Coles' concerns were echoed by the Westpac Group, which noted that this requirement could not
be retrospectively applied. Consequently, the Westpac Group indicated its
support for the Australian Bankers' Association suggestion that the requirement
to record the source of information received from third parties for the
purposes of direct marketing, and the requirement to inform those third parties
of any change to the information held by an organisation, should be limited to
non-existing customers.[110]
10.108
Further guidance and clarification on these provisions was sought by the Financial Services
Council (FSC), which suggested that the principle should explicitly state that
organisations are not required to disclose the ultimate source of information,
only the source from which the organisation obtained the information. The FSC
also suggested further guidance regarding the factors an organisation should
consider in determining whether it is reasonable and practical to advise an
individual of the source from which it obtained the individual's information.[111]
10.109
Privacy Law Consulting Australia noted uncertainty regarding the construction of
APP 7(5)(c), as it appears unclear whether 'impracticable or unreasonable'
applies to the 'reasonable period' or to the notification of the individual. It
was suggested that this be clarified in the legislation.[112]
10.110
The department responded to these concerns and stated that this language is consistent with
the ALRC recommendation that source disclosure be mandated upon request 'where
reasonable and practicable'. The ALRC review noted that an obligation to advise
individuals, in response to a request, of the source from which their personal
information was obtained might increase the compliance burden on organisations.
In light of this the ALRC suggested that the obligation should only apply where
'reasonable and practicable', and should be limited to individuals who are
non-existing customers.[113]
The department gave the example of information recorded at a time when an
organisation was not required to record, and did not record, the source of that
information; in that case it would be unreasonable to expect the organisation
to provide this information.
10.111
The department went on to state that:
While some organisations may attempt to misuse this test, it
is a necessary element of the legislation to enable the policy goal of source
disclosure to existing customers who have not provided information to
organisations. It is also possible to clarify this issue in the Explanatory
Memorandum when the Privacy Act is considered by the Parliament.[114]
10.112
The ALRC also formed the view that the organisation should only be required to name the direct
source from which the organisation obtained the individual's information,
rather than the original source of the information.[115]
Interaction with other legislation–APP 7(6)
10.113
APP 7(6) provides that the principle does not apply to the extent that any of the DNCR
Act, the Spam Act or any other Act prescribed by the regulations apply.
Comments in relation to APP 7(6) went to the effect of this provision and
the need for clarity.[116]
Some submitters suggested that the inclusion of this section means that in
effect, the Privacy Act will only apply to marketing activities via direct mail
and this could result in confusion about handling personal information. Coles
commented:
APP 7(6) suggests that an organisation will not be
required to deal with personal information in accordance with APP 7 for
direct marketing activities like emails, faxes and telephone contact provided
that the activities are done with the individual's consent as these activities
are otherwise dealt with under the Spam Act 2003 or the Do Not Call Register
Act 2006. As each regime requires a different approach to the handling and use
of personal information, this is likely to increase the likelihood of confusion
arising and the incorrect regime being applied to the handling and use of the information.[117]
10.114
Privacy Law Consulting Australia expressed uncertainty as to the meaning of the phrase
'apply to the extent that', as the Spam or DNCR Acts regulate activities, not
the handling of personal information per se. Consequently:
It appears that the intention is that, if one of the Acts
permits an activity that necessarily involves the use or disclosure of personal
information in a particular manner, APP 7 does not apply to such use or disclosure.
For example, the Spam Act permits commercial emails to be sent with consent.
This suggests that an organisation will be permitted to use or disclose
personal information to send such emails in accordance with the Spam Act,
regardless of requirements that might otherwise apply under APP 7.[118]
10.115
Coles suggested that this confusion could be addressed by incorporating the obligations under
the Spam and DNCR Acts into the new exposure draft, thereby reducing the
complexity of the legislation, and ensuring that the obligations of
organisations and the protections for individuals are unambiguous and clearly
set out in one document. Coles went on to suggest that the obligations of the
Spam and DNCR Acts should be incorporated in the Privacy Act as 'this would
reduce the complexity of the law in this area and reduce the likelihood of
unintentional inappropriate use of personal information in the area of direct
marketing activities'.[119]
10.116
Although APP 7(6)(c) refers to 'any other Act', the AFC suggested that the
interaction between APP 7 and the anti-hawking provisions in the Corporations
Act 2001 requires clarification, and that it may increase compliance certainty if
those anti-hawking provisions were specifically included in the list under
APP 7(6).[120]
10.117
The department provided a response to this comment and stated that the Government agreed with
the ALRC's recommendation that the 'direct marketing' principle should be
displaced to the extent that more specific sectoral legislation regulated a
particular type of direct marketing or direct marketing by a particular
technology. Further, the ALRC believed this approach was preferable
because imposing a blanket rule for all forms of direct marketing was too
rigid. It stated that other forms of more intrusive direct marketing should be
subject to regulation that differs from the rules applicable to less intrusive
forms of direct marketing. It noted, however, that relying on such sectoral legislation
to the exclusion of the Privacy Act is problematic, because it leaves loopholes
that could encourage other types of direct marketing that also may be
intrusive.
10.118
The department concluded that 'this is reflected in APP 7(6) which provides that APP 7 does
not apply to the extent that the Spam Act, the Do Not Call Register Act, or any
other Act of the Commonwealth prescribed by the regulations applies'. Further,
'this means that APP 7 will apply to organisations involved in direct marketing
relating to electronic messages and phone calls, where acts and practices are
not covered by those Acts'.[121]