Direct Marketing Requirements under Australian Law

By Sayem Mustafa
Published March 1, 2023 / Updated November 22, 2023

Three primary laws govern direct marketing in Australia: the Privacy Act 1988, the Spam Act 2003, and the Do Not Call Register Act 2006 ('DNCR Act').

Applicability of the Acts

  • If an entity conducts direct marketing by sending an electronic message, including through email, instant message, SMS, or MMS, they are subject to the Spam Act.
  • If an entity that is not exempt under the DNCR Act conducts direct marketing by phoning or faxing a number on the Do Not Call Register, it is subject to the DNCR Act.
  • If an entity does not rely on the foregoing means, but uses or discloses personal information to conduct direct marketing, they may be subject to the Privacy Act, provided they meet the Privacy Act's applicability criteria as specified below.

Privacy Act Requirements

The Privacy Act includes 13 Australian Privacy Principles ('APPs'), one of which is 'direct marketing' (APP 7). All APP entities should remain compliant with the APPs. However, as explained above, if an act or practice of an APP entity is completely or partially subject to the Spam Act, the DNCR Act or any other legislation, APP 7 does not apply to the extent that the other legislation applies.

APP entities comprise:

  • certain agencies as specified in the Privacy Act, including federal government entities and office holders,
  • all private sector organizations with an annual turnover of more than AUD 3 million, and
  • certain private sector organizations with an annual turnover of AUD 3 million or less, including health service providers, businesses that sell or purchase personal information ('PI'), employee associations, and any business related to a business that is covered by the Privacy Act.

Moreover, the acts of certain public agencies prescribed by regulations, and those acts of the agencies listed in Part 2 of Schedule 2 to the Freedom of Information Act 1982 that relate to their own commercial activities or those of another entity, are deemed to be acts of an 'organization' and are thus subject to the APPs' requirements.

The territorial application of the Privacy Act extends to entities within Australia, and to entities outside Australia that engage in business-related acts in Australia, including where they have an agent in Australia, collect PI from Australian residents, have purchase orders auctioned in Australia, or promote goods or services to Australian residents.

The following is an overview of the requirements applicable under the Privacy Act in relation to direct marketing. Direct marketing constitutes the use or disclosure of PI to communicate directly with an individual to promote goods and services offered by an organization.

1. Use or Disclosure of Personal Information for Direct Marketing

An APP entity may use or disclose an individual's PI for direct marketing purposes through the following two means.

a. Direct Collection of Personal Information and Data Subject's Reasonable Expectation

An individual's PI may be used for direct marketing purposes if the information is collected directly from the concerned individual, and such an individual reasonably expects that their information would be used or disclosed for direct marketing purposes.

An APP entity should be able to prove that the concerned individual reasonably expected that their PI would be used or disclosed for direct marketing purposes. Whether an individual reasonably expected their PI to be used for direct marketing purposes depends on a case-by-case basis. Factors that may be important in determining that an individual had such reasonable expectations include:

  1. Data subject's consent: the individual consented to the use or disclosure of their PI for direct marketing,
  2. Notification to the data subject: the APP entity notified the individual that their PI is, among other purposes, also being collected for direct marketing purposes, or
  3. Opt-out notice to the data subject: the APP entity made the individual aware that they can opt out of receiving direct marketing communications; if the individual did not make an opt-out request, they are deemed to have a reasonable expectation of receiving direct marketing.

An individual's occupation, place of residence, or similar attributes do not, on their own, indicate whether they would reasonably expect their PI to be used or disclosed for direct marketing purposes.

If an APP entity informs an individual that their PI will be used for a purpose unrelated to direct marketing, such an individual is not presumed to have a reasonable expectation of receiving direct marketing.

Where an individual's PI is collected from a third party, or directly from the individual but without any reasonable expectation that their information would be used or disclosed for direct marketing, such PI may be used for direct marketing only with the individual's express or implied consent.

Consent of an individual should be informed, voluntary, current, and specific. An individual should have the capacity to understand and communicate their consent.

Consent is express when given explicitly, through written, oral or electronic means.

Consent is implied when it can reasonably be inferred from the conduct of the APP entity and the individual. However, an APP entity cannot infer consent merely because it provided an individual with a notice regarding the proposed collection, use or disclosure of their PI and the individual did not raise an objection. Moreover, consent may not be implied if there is reasonable doubt or ambiguity about the individual's intention.

An APP entity may infer an individual's implied consent from their failure to opt out only in limited circumstances, provided most of the following factors are met:

  • the opt-out option provided to the data subject was conspicuous, freely available, and clearly and separately presented,
  • it is likely that the individual received and read the notice/information about the proposed collection, use or disclosure, and the opt-out facility,
  • the individual was informed of the consequences of not opting out,
  • it was easy for the individual to exercise the opt-out option, e.g., the option could be exercised without any extra effort or financial cost,
  • the consequences of not opting out are not serious, and
  • an individual will be placed, as far as practicable, in a similar position regardless of whether they opted out earlier or at a later time.

Where obtaining the concerned individual's consent is impracticable, the APP entity may use or disclose the collected information for direct marketing without obtaining consent.

However, an APP entity cannot be excused from obtaining consent solely because it would be inconvenient, time-consuming, or costly. Whether it is impracticable to obtain consent depends on whether the burden on the APP entity is excessive in all circumstances.

1.1 Opting Out of Direct Marketing

Regardless of how an individual's PI is collected, when using or disclosing it for direct marketing purposes the APP entity should provide a simple means by which the individual can easily opt out, i.e., request not to receive direct marketing communications.

A simple means of opting out should include a conspicuous, clear and easy explanation of how to opt out, and a simple, quick and free (or nominal-cost) opt-out process that uses straightforward and accessible communication channels. The means of opting out should also be accessible to persons with disabilities.

The APP entity should fulfill a request not to receive direct marketing communications free of charge and within 30 days, or within a shorter period where digital communication channels are involved.

Furthermore, where an individual's PI is collected from a third party, or directly from the individual but without any reasonable expectation regarding its use for direct marketing, the APP entity should, in each subsequent direct marketing communication with the individual, draw their attention to the fact that they may request to completely or partially opt out of direct marketing communications, for example through a prominent statement.

The APP entity may allow individuals to unsubscribe by clicking a link, replying to a text message, verbally, or by any other means.

Any statement issued by the APP entity should be written in plain English (without legal or industry jargon), positioned conspicuously, and published in a legible font size and type.

2. Use or Disclosure of Sensitive Personal Information for Direct Marketing

Sensitive information may only be used or disclosed for direct marketing purposes with the consent of the individual concerned. In this respect, APP entities should generally seek express consent because of the greater privacy implications involved in handling sensitive information.

Sensitive information means an individual's health, genetic or biometric information, biometric templates, or an individual's personal information regarding their racial or ethnic origin, political opinions, membership of a political, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, or criminal record.

An APP entity cannot use or disclose an individual's sensitive information for direct marketing purposes without their consent, even where it is impracticable or impossible to obtain that consent.

3. Facilitating Another Organization in Conducting Direct Marketing

If an APP entity uses or discloses an individual's PI for facilitating direct marketing by another organization, the concerned individual may request:

  • the primary entity not to use or disclose their PI to facilitate the other organization's direct marketing; or
  • the recipient organization, if it is an APP entity, not to send them direct marketing communications.

The relevant APP entity should fulfill the individual's request free of charge and within 30 days, or within a shorter period where digital communication channels are involved.

4. Request for Source of Information

Unless it is impracticable or unreasonable to do so, an APP entity should, upon an individual's request, provide its source for any PI it uses or discloses for conducting direct marketing by itself, or facilitating another organization in conducting direct marketing.

The APP entity should fulfill the request free of charge and within 30 days, or within a shorter period where digital communication channels are involved. However, the response period may be extended if special circumstances apply.

An organization should justify that it is impracticable or unreasonable to provide its source of information. In this respect, the organization should take into consideration the following:

  • the possible adverse consequences for the individual if the request is denied,
  • the time that has elapsed since the PI was collected,
  • the time and cost involved in fulfilling the request (an organization may be excused from fulfilling a request that would be excessively time-consuming and expensive), and
  • whether the source of any PI collected before the foregoing direct marketing requirements came into force was recorded.

5. Use or Disclosure of Credit Reporting Information for Direct Marketing

A credit reporting body may only use an individual's credit information to ascertain whether that individual is eligible to receive direct marketing communications from the relevant credit provider (pre-screening). If an individual requests the credit reporting body not to use their credit information for pre-screening purposes, the credit reporting body should comply with the request.

Spam Act Requirements

A commercial electronic message is any electronic message which has the purpose of:

  • offering to supply goods or services or provide a business or investment opportunity,
  • advertising or promoting goods or services, or a business or investment opportunity, or
  • advertising or promoting any supplier of goods or services, or a provider or prospective provider of a business or investment opportunity.

The Spam Act also specifies other purposes which may qualify an electronic message as a commercial electronic message.

A commercial electronic message has an Australian link in any of the following instances:

  • The commercial electronic message originated in Australia.
  • The entity who sent or authorized the commercial electronic message is physically present, or has its central management and control, in Australia when the message is sent.
  • The commercial electronic message is accessed on a computer, device or server in Australia.
  • The recipient is an individual who is physically present, or an organization that carries on operations, in Australia when the commercial electronic message is accessed.

1. Sending Commercial Electronic Messages

Commercial electronic messages with an Australian link, sent by a person (including a partnership), are only permitted in the following instances:

  1. The recipient has provided express consent, or their consent is inferred by the organization.

    An organization may infer consent if an individual knowingly and directly provides their address and it is reasonable to believe that they would expect marketing, in particular because of their ongoing relationship with the organization and a direct link between the marketing and that relationship. For example, consent may be inferred where an individual has subscribed to a service and the marketing is relevant to that relationship. By contrast, an organization may not infer an individual's consent to receive marketing merely because they bought something from the business.

    An organization cannot send an electronic message to ask for consent. Moreover, organizations should maintain consent records, as it is their responsibility to prove that they obtained an individual's consent before sending them a commercial electronic message.

  2. The person did not know, and could not, with reasonable diligence, have ascertained that the commercial electronic message had an Australian link.
  3. The person mistakenly sent the commercial electronic message.

2. Content of Commercial Electronic Messages

Commercial electronic messages should contain information identifying the individual or organization who authorized the sending of the message, together with their contact details, including the legal name of the business, or the individual's name, and the Australian Business Number (ABN). This information should remain accurate and valid for at least 30 days after the commercial electronic message is sent.

3. Unsubscribe Facilities

Commercial electronic messages should provide the recipient with the capability to unsubscribe from future communications. The unsubscribe facility should:

  • be clear, visible and easy to use,
  • remain functional for at least 30 days after a commercial electronic message has been sent,
  • not charge any fee to unsubscribe,
  • honor a request to unsubscribe within 5 business days,
  • allow the user to unsubscribe using the same kind of technology as was used to receive the commercial electronic message, and
  • not require the recipient to provide additional information, or to create or log into an account, in order to unsubscribe.

4. Sending Commercial Electronic Messages to Non-Existent Electronic Addresses

Commercial electronic messages to non-existent electronic addresses are not permitted. A sender may avoid liability if they did not know, and could not, with reasonable diligence, have ascertained that the commercial electronic message had an Australian link.

5. Use of Address-Harvesting Software

It is illegal to use, supply, or acquire address-harvesting software, or to use an electronic address list produced with such software.

6. Sending Designated Commercial Electronic Messages

The Spam Act allows designated commercial electronic messages. Designated commercial electronic messages should include information about the entity that authorized the message, and are not required to have an unsubscribe facility.

A designated commercial electronic message is one that either contains no more than factual information, or is authorized by a government body, a registered political party, a registered charity, or an educational institution in respect of a present or former member or student of that institution.

DNCR Act Requirements

1. Making Telemarketing Calls and Sending Marketing Faxes

Telemarketing calls or marketing faxes made or sent to a number registered on the Do Not Call Register ('DNCR'), by a person (including a partnership), are only permitted in the following instances:

  • A relevant account holder or their nominee has consented to the making of the call or the sending of the fax (as the case may be).
  • The person making the telemarketing call or sending the marketing fax sought information (from the ACMA, or from a contracted service provider acting on behalf of the ACMA) as to whether the number is on the DNCR, received inaccurate information that the number is not on the DNCR, and made the call or sent the fax on that basis.
  • The person mistakenly made the telemarketing call or sent the marketing fax.
  • The person took reasonable precautions, and exercised due diligence, to avoid the violation of the DNCR Act.

2. Making Designated Telemarketing Calls and Sending Designated Marketing Faxes

The DNCR Act allows making designated telemarketing calls or sending designated marketing faxes to a number registered on the DNCR.

A designated telemarketing call or designated marketing fax is one authorized by a government body, a registered political party, a registered charity, a member of a legislative body or a local governing body, a candidate in an election, or an educational institution in respect of a present or former member or student of that institution.

3. Contractual Arrangements for Telemarketing Calls and Marketing Faxes

Any contractual arrangements for telemarketing calls or for marketing faxes should be compliant with the requirements of the DNCR Act.

How Securiti Can Help

An essential component of any marketing campaign is obtaining the consent of the relevant individual. In this regard, Securiti's Universal Consent Management can help organizations remain compliant with the Australian legal framework by:

  • effectively capturing users' consent,
  • ensuring the provision of a consent preference center that allows granular consent opt-ins and opt-outs, and
  • enabling the maintenance of adequate and updated consent records, including individual consent records, the content the data subject has consented to, consent status, and timestamps of consent status.

The Universal Consent Management Solution streamlines the consent management process and helps organizations efficiently and adequately honor consent preferences across multiple systems. This helps organizations advertise their products and services efficiently and compliantly, thereby respecting an individual's privacy and avoiding any potential legal consequences.

Authored by Sayem Mustafa

Syed Sayem Mustafa is an accomplished Digital Marketing Director renowned for his exceptional contributions to the cybersecurity landscape.
With a strong background in the SaaS and IaaS industry, Syed Sayem Mustafa has extensive experience in marketing. Over the years, Sayem has served some of the top data intelligence and cybersecurity brands, including He loves nothing more than breaking down and simplifying highly complex product details into easy-to-understand benefits for end users.
