Three primary laws govern direct marketing in Australia: the Privacy Act 1988, the Spam Act 2003, and the Do Not Call Register Act 2006 ('DNCR Act').
The Privacy Act contains 13 Australian Privacy Principles ('APPs'), one of which, APP 7, deals specifically with direct marketing. All APP entities must comply with the APPs. However, where an act or practice of an APP entity is wholly or partly governed by the Spam Act, the DNCR Act or another law prescribed by regulation, APP 7 does not apply to the extent that the other law applies.
APP entities consist of:
In addition, acts of certain public agencies prescribed by regulation, and acts of the agencies listed in Part 2 of Schedule 2 to the Freedom of Information Act 1982 that relate to their own commercial activities or those of another entity, are treated as acts of an 'organization' and are therefore subject to the APPs.
The Privacy Act applies to entities within Australia, and to entities outside Australia that carry on business in Australia, for example where they have an agent in Australia, collect personal information ('PI') from individuals in Australia, process purchase orders in Australia, or promote goods or services to Australian residents.
The following is an overview of the Privacy Act requirements that apply to direct marketing. Direct marketing is the use or disclosure of PI to communicate directly with an individual in order to promote goods or services offered by an organization.
An APP entity may use or disclose an individual's PI for direct marketing in either of the following two circumstances.
PI may be used or disclosed for direct marketing if it was collected directly from the individual concerned and that individual would reasonably expect it to be used or disclosed for that purpose.
The APP entity bears the burden of showing that the individual reasonably expected their PI to be used or disclosed for direct marketing. Whether that expectation existed is assessed case by case. Factors relevant to the assessment include:
An individual's occupation, place of residence or similar attributes do not, on their own, indicate whether they would reasonably expect their PI to be used or disclosed for direct marketing.
If an APP entity has told an individual that their PI will be used for a purpose unrelated to direct marketing, the individual is not taken to have a reasonable expectation of receiving direct marketing.
Where PI is collected from a third party, or directly from the individual but without the individual reasonably expecting it to be used for direct marketing, the PI may be used or disclosed for direct marketing only with the individual's express or implied consent.
Consent must be informed, voluntary, current and specific, and the individual must have the capacity to understand and communicate it.
Consent is express when it is given explicitly, whether in writing, orally or electronically.
Consent is implied when it can reasonably be inferred from the conduct of the individual and the APP entity. An APP entity cannot infer consent merely because it gave the individual notice of the proposed collection, use or disclosure of their PI and the individual did not object. Nor can consent be implied where there is reasonable doubt or ambiguity about the individual's intention.
An APP entity may infer consent from an individual's failure to opt out only in limited circumstances, and only where most of the following factors are present:
Where obtaining the individual's consent is impracticable, the APP entity may use or disclose the collected PI for direct marketing without consent.
Inconvenience, time or cost alone do not make obtaining consent impracticable; the question is whether the burden on the APP entity would be excessive in all the circumstances.
1.1 Opting-out of Direct Marketing
Regardless of how the PI was collected, an APP entity that uses or discloses it for direct marketing must provide a simple means by which the individual can opt out of, or request not to receive, direct marketing communications.
A simple means of opting out includes a conspicuous, clear and easy-to-understand explanation of how to opt out, and an opt-out process that is simple, quick and free (or of nominal cost) and uses straightforward, accessible communication channels. The opt-out means should also be accessible to people with disabilities.
The APP entity must give effect to an opt-out request free of charge and within 30 days, or within a shorter period where digital communication channels are involved.
Where the PI was collected from a third party, or directly from the individual but without a reasonable expectation that it would be used for direct marketing, the APP entity must also, in each subsequent direct marketing communication, draw the individual's attention to the fact that they may opt out of some or all direct marketing communications, for example by including a prominent statement to that effect.
The APP entity may allow individuals to unsubscribe by clicking a link, replying to a text message, verbally, or by any other means.
Any such statement should be written in plain English (without legal or industry jargon), positioned conspicuously, and published in a legible font size and type.
Sensitive information may be used or disclosed for direct marketing only with the individual's consent. Because of the greater privacy implications of handling sensitive information, APP entities should generally seek express consent.
Sensitive information means information about an individual's health, genetic or biometric information, biometric templates, or PI about their racial or ethnic origin, political opinions, membership of a political, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, or criminal record.
The 'impracticable to obtain consent' exception does not apply to sensitive information: an APP entity cannot use or disclose sensitive information for direct marketing without consent, even where obtaining consent is impracticable or impossible.
If an APP entity uses or discloses an individual's PI to facilitate direct marketing by another organization, the individual may request:
The APP entity must give effect to the request free of charge and within 30 days, or within a shorter period where digital communication channels are involved.
Unless it is impracticable or unreasonable to do so, an APP entity must, on request, tell the individual the source of any PI it uses or discloses for its own direct marketing or to facilitate direct marketing by another organization.
The APP entity must respond free of charge and within 30 days, or within a shorter period where digital communication channels are involved; the period may be extended where special circumstances apply.
An organization must be able to justify a conclusion that providing the source of its information is impracticable or unreasonable, taking into account the following:
In the direct marketing context, a credit reporting body may use an individual's credit information only for pre-screening, that is, to assess whether the individual is eligible to receive direct marketing communications from a credit provider. If an individual asks the credit reporting body not to use their credit information for pre-screening, the credit reporting body must comply.
A commercial electronic message is an electronic message whose purpose, or one of whose purposes, is:
The Spam Act also specifies other purposes that may make an electronic message a commercial electronic message.
A commercial electronic message has an Australian link in any of the following instances:
Commercial electronic messages with an Australian link may only be sent, by a person (including a partnership), in the following instances:
Consent may be inferred where an individual has knowingly and directly provided their electronic address and it is reasonable to believe they would expect marketing, in particular because of an ongoing relationship with the organization and a direct link between the marketing and that relationship. For example, consent may be inferred where an individual has subscribed to a service and the marketing relates to that service. By contrast, consent cannot be inferred merely because an individual has bought something from the business.
An organization cannot send an electronic message to ask for consent. Organizations should also keep records of consent, since it is the sender's responsibility to prove that consent was obtained before a commercial electronic message was sent.
Commercial electronic messages must identify the individual or organization that authorized the sending of the message and give their contact details, including the legal name of the business, or the individual's name, and the Australian Business Number (ABN). This information must be reasonably likely to remain accurate for at least 30 days after the message is sent.
Commercial electronic messages must give the recipient the ability to unsubscribe from future messages. The unsubscribe facility should:
Commercial electronic messages must not be sent to non-existent electronic addresses. A sender may avoid liability for a message with an Australian link if they did not know, and could not with reasonable diligence have ascertained, that the message had an Australian link.
It is illegal to use, supply or acquire address-harvesting software, or to use an electronic address list produced by such software.
The Spam Act exempts designated commercial electronic messages. Designated commercial electronic messages must still identify the entity that authorized them, but need not include an unsubscribe facility.
A designated commercial electronic message is one that contains no more than factual information, or that is authorized by a government body, a registered political party or a registered charity, or that is authorized by an educational institution and sent to a present or former student of that institution.
Telemarketing calls or marketing faxes may only be made or sent to a number registered on the Do Not Call Register ('DNCR'), by a person (including a partnership), in the following instances:
The DNCR Act permits designated telemarketing calls and designated marketing faxes to numbers registered on the DNCR.
A designated telemarketing call or designated marketing fax is one authorized by a government body, a registered political party, a registered charity, a member of a legislative body or local governing body, a candidate in an election, or an educational institution (where the call or fax is to a present or former student of that institution).
Any contractual arrangements for telemarketing calls or marketing faxes must also comply with the requirements of the DNCR Act.
An essential component of any marketing campaign is obtaining the consent of the individuals concerned. Securiti's Universal Consent Management can help organizations remain compliant with the Australian legal framework by:
The Universal Consent Management solution streamlines consent management and helps organizations honor consent preferences consistently across multiple systems, so that they can market their products and services efficiently and compliantly, respecting individuals' privacy and avoiding potential legal consequences.