Australian Government - Office of the Australian Information Commissioner

Privacy business resource 19: Direct Marketing

Australian Privacy Principle 7 (APP 7) applies to organisations that use or disclose personal information for direct marketing. It does not apply to direct marketing communications that are covered by the Do Not Call Register Act 2006 (DNCR Act) or the Spam Act 2003 (Spam Act). This resource provides general information about how the requirements in each of these laws apply when an organisation direct markets to an individual.

What is direct marketing?

Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods or services. It can encompass any communication made by or on behalf of an organisation to an individual, including fundraising communications. The communication may occur through a variety of channels, including telephone, SMS, mail, email, social media, and online advertising.

Examples of using or disclosing personal information to direct market to an individual include:

  • sending a catalogue in the mail addressed to an individual by name
  • targeting online advertising at an individual using their personal information.

More examples of when an entity uses or discloses personal information for direct marketing are in Chapter 7 of the APP guidelines.

When is direct marketing allowed?

This depends on the type of direct marketing communication used, and the type of organisation involved. The flowchart at Appendix A will help you determine which requirements apply to a direct marketing communication.

In summary:

  • Telemarketers and fax marketers must not call or fax numbers listed on the Do Not Call Register (DNCR) as required in the DNCR Act (some exemptions apply). The DNCR Act does not apply where:
    • calls or faxes are made by exempt entities, such as registered charities or political parties
    • calls or faxes are made by market researchers conducting opinion polling and social research, or
    • an individual has consented to the call or fax
  • Organisations that send messages of a commercial nature by email, SMS, instant message, or MMS must comply with the Spam Act.
  • Where the DNCR Act and Spam Act do not apply, an organisation may need to comply with APP 7 to direct market to an individual.

When does APP 7 apply?

APP 7 only applies to:

  • private sector organisations covered by the APPs. This means all businesses and not-for-profit organisations with an annual turnover of more than $3 million and some small businesses, including private sector health service providers and businesses that buy or sell personal information. These businesses are known as ‘organisations’ under the Privacy Act and may also be referred to as ‘APP entities’. The OAIC’s small business checklist assists entities to determine if they are organisations covered by the APPs
  • marketing communications that use or disclose an individual’s personal information to direct market to them. Personal information is information that identifies an individual, or could reasonably identify them
  • direct marketing communications that are not covered by the DNCR Act or Spam Act.

This means APP 7 generally will apply to:

  • direct marketing calls or faxes where the number is not listed on the DNCR, or the call is made by a registered charity
  • direct marketing by mail (whether sent by post or hand delivered) and door-to-door direct marketing
  • targeted marketing online, but only where using or disclosing an individual’s personal information (i.e. where direct marketing occurs)
  • marketing via a mobile application, if personal information is used to target that marketing.

APP 7 generally will not apply to:

  • direct marketing calls or faxes using numbers listed on the DNCR, except where the entity is exempt from the DNCR Act (such as registered charities), or where the individual has consented
  • direct marketing to an individual using a commercial electronic message, such as an email, instant message, SMS or MMS.

Individuals who receive direct marketing communications may not be aware that different requirements apply to different direct marketing communications. You can meet customer expectations and demonstrate privacy best practice if you adopt the standards of APP 7 for all direct marketing communications.

Where APP 7 does not apply to a direct marketing communication, APP entities will still need to comply with other APPs, for example APP 6 (use and disclosure of personal information).

How do you comply with APP 7?

When APP 7 applies, you can only use or disclose an individual’s personal information for direct marketing in certain circumstances.

You can only use or disclose an individual’s ‘sensitive information’ (which includes personal information about their health, political opinions, their racial or ethnic origin or their sexual orientation) for direct marketing if the individual has given their consent. Further information about ‘sensitive information’ and ‘consent’ is in Chapter B: Key concepts in the APP Guidelines.

You can only use or disclose other types of personal information for direct marketing if:

  • you collected the personal information directly from the individual and the individual would reasonably expect their personal information to be used or disclosed for direct marketing
  • the individual has consented to their personal information being used or disclosed for direct marketing, or
  • it is impractical to get the individual’s consent to their personal information being used or disclosed for direct marketing.

Further information about when an individual would ‘reasonably expect’ their personal information to be used or disclosed for direct marketing, what constitutes ‘consent’, and when it would be ‘impractical’ to get an individual’s consent can be found in Chapter 7 of the APP guidelines.

When you use or disclose an individual’s personal information for direct marketing, you must do all of the following:

  • provide the individual with a simple means of opting out of future direct marketing communications
  • give the individual information about how to opt out in each direct marketing communication (such as by including an obvious statement in the marketing material) – this only applies where you collected an individual’s personal information from someone else, or where the individual would not reasonably expect their personal information to be used or disclosed for direct marketing purposes
  • if requested, stop using or disclosing an individual’s personal information for direct marketing within a reasonable period of the individual making the request, and
  • if requested, tell the individual where you got their personal information from (unless this is not reasonable or practical). You must provide the individual with a response within a reasonable period of time – generally within 30 days of the request.

Further information about these obligations, including providing a simple means for opting out, is contained in Chapter 7 of the APP guidelines.

What are the APP 7 requirements when you facilitate direct marketing?

APP 7 also includes requirements for organisations that use or disclose individuals’ personal information to facilitate direct marketing by other organisations. An entity facilitates direct marketing where it collects personal information for the purpose of providing that personal information to other entities, so those entities can undertake direct marketing of their own products or services.

One of the APP 7 requirements is that organisations must stop using or disclosing an individual’s personal information to facilitate direct marketing if requested by the individual.

Examples of when an entity facilitates direct marketing, and more information about the obligations when doing so, are contained in Chapter 7 of the APP guidelines.

What are the requirements of the DNCR Act and the Spam Act?

Two key rules set out in the DNCR Act are:

  • you cannot make direct telemarketing calls to a number listed on the DNCR unless the individual has consented or you are an exempt entity (such as a registered charity), and
  • you must ensure that all agreements for the purpose of making telemarketing calls include an express provision that requires compliance with the DNCR Act.

The Telemarketing and Research Industry Standard 2007 (Industry Standard) also sets out rules that apply to any person or business intending to make telemarketing or research calls, regardless of whether they are exempt from the DNCR Act. These rules cover:

  • when telemarketing and research calls cannot be made
  • information that must be provided during a telemarketing or research call
  • when calls must be terminated
  • the use of calling line identification.

If you direct market using a commercial electronic message such as an email, instant message, SMS or MMS, it must comply with the Spam Act. This requires:

  • commercial electronic messages to be sent with the consent of the recipient
  • accurate sender identification including the sender’s contact information, and
  • a functional unsubscribe mechanism.

A partial exemption from these requirements applies with respect to certain messages (such as messages of a factual nature only, without a commercial element).

See the Australian Communications and Media Authority’s (ACMA) website for information about the DNCR Act and the Spam Act.

More information

The following resources may also assist organisations to understand and comply with the requirements of the Privacy Act:

The ACMA website contains a number of resources in relation to the Do Not Call Register and spam.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

Appendix A: Flowchart — what requirements apply to direct marketing communications?

Are you direct marketing by sending an email, instant message, SMS or MMS?

  • Yes: The Spam Act covers this communication. See the ACMA website for more information about the Spam Act’s requirements.
  • No: Go to the next question.

Are you direct marketing by phoning or faxing a number listed on the Do Not Call Register (DNCR), and the entity is not an exempt entity (such as a registered charity) and has not obtained the individual’s consent?

  • Yes: The DNCR Act covers the entity’s communication. It prohibits the making or sending of direct telemarketing calls or faxes to numbers listed on the DNCR. See the ACMA website for more information about the DNCR Act.
  • No: Go to the next question.

Are you using or disclosing personal information to direct market to the individual?

Note: This could include addressing the communication to an individual by name, or targeting online advertising at an individual using their personal information.

  • No: The entity’s communication is not covered by the Spam Act, DNCR Act or APP 7. However, the entity may wish to consider customer expectations when direct marketing to them.
  • Yes: Go to the next question.

Are you a private sector organisation covered by the APPs?

Note: APP 7 applies to private sector organisations with an annual turnover of more than $3 million per year, and some specific types of smaller businesses, including private sector health service providers and businesses that sell or purchase personal information. See the OAIC’s small business checklist for more information.

  • No: The entity’s direct marketing communication is not covered by the Spam Act, DNCR Act or APP 7. However, the entity may better meet customer expectations and demonstrate privacy best practice if they adopt the standards of APP 7.
  • Yes: See the APP 7 requirements below.

Your direct marketing communication is covered by APP 7, and your organisation must:

  • provide individuals with a simple way to opt out
  • only use or disclose personal information to direct market in particular situations, such as where an individual would reasonably expect it or has consented
  • if an individual asks, stop using or disclosing their personal information for direct marketing, and
  • if an individual asks, tell them where it got their personal information (unless it is not practical to do so).