Chapter 7: Privacy Safeguard 7 — Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

9 June 2021


Version 3.0

Key points

  • Privacy Safeguard 7 prohibits accredited data recipients of CDR data and designated gateways from using or disclosing the CDR data for direct marketing, unless the consumer consents and such use or disclosure is required or authorised under the consumer data rules (CDR Rules).
  • Direct marketing in the CDR context involves the use or disclosure of consumer data right (CDR) data to promote goods and services directly to a consumer.
  • The CDR Rules permit accredited data recipients of CDR data to engage in certain direct marketing activities in relation to the good or service requested by the consumer, if consent has been received to do so.
  • An accredited data recipient of CDR data must comply with the data minimisation principle when using the CDR data for direct marketing.

What does Privacy Safeguard 7 say?

7.1 Privacy Safeguard 7 prohibits accredited data recipients of CDR data and designated gateways from using or disclosing the CDR data for direct marketing, unless the consumer consents and such use or disclosure is required or authorised under the consumer data rules (CDR Rules). CDR Rules 7.8 and 7.5(3) authorise certain direct marketing related uses or disclosures by accredited data recipients (in accordance with the consumer’s consent).

Why is it important?

7.2 To provide a positive consumer experience and ensure consumer control over their data, consumers should not be subjected to unwanted direct marketing.

7.3 Direct marketing is addressed separately to other uses and disclosures (see under Privacy Safeguard 6) because of significant community sentiments in relation to direct marketing.

Who does Privacy Safeguard 7 apply to?

7.4 Privacy Safeguard 7 applies to accredited data recipients of CDR data and designated gateways for CDR data. It does not apply to data holders.

7.5 Data holders must ensure that they are adhering to their obligations under the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs), including APP 7 in respect of direct marketing.

Note: There are no designated gateways in the banking sector. See Chapter B (Key concepts) for the meaning of designated gateway.

How Privacy Safeguard 7 interacts with the Privacy Act

7.6 It is important to understand how Privacy Safeguard 7 interacts with the Privacy Act and the APPs.[1]

7.7 APP 7 sets out when an APP entity is prohibited from using or disclosing personal information for the purpose of direct marketing.

Privacy protections that apply in the CDR context, by CDR entity:

  • Accredited data recipient: Privacy Safeguard 7. For accredited data recipients of a consumer’s CDR data, Privacy Safeguard 7 applies to any uses or disclosures of that CDR data for direct marketing.[2] APP 7 does not apply in relation to that CDR data.[3]
  • Designated gateway: Privacy Safeguard 7. For designated gateways for CDR data, Privacy Safeguard 7 applies to the use and disclosure of the CDR data for direct marketing.[4] APP 7 does not apply in relation to that CDR data.[5]
  • Data holder: APP 7. Privacy Safeguard 7 does not apply to a data holder.

What is direct marketing?

7.8 ‘Direct marketing’ is not defined in the Competition and Consumer Act. The term is also used in APP 7 but is not defined in the Privacy Act.[6]

7.9 For the purpose of Privacy Safeguard 7, ‘direct marketing’ takes its ordinary meaning, and involves an entity’s use or disclosure of CDR data to communicate directly with a consumer to promote goods and services.

7.10 An example of direct marketing is an entity sending an email to a consumer that promotes financial products using the consumer’s CDR data.[7]

7.11 ‘Direct marketing’ is distinct from the situation where:

  • a consumer has requested a good or service
  • the accredited data recipient has obtained the consumer’s consent to collect and use the consumer’s CDR data to provide this good or service, and
  • the requested good or service is to provide the consumer with offers about suitable products (for example, a service offered by a comparison site).[8]

This is illustrated in the following examples.

Example one — comparison site

Kwok wishes to obtain suitable offers from multiple providers for term deposit products and provides Tang and Co Pty Ltd, an accredited person, with a valid request to collect his CDR data from the data holders of his CDR data for this purpose.

Tang and Co provides Kwok with offers for term deposit products as requested, using Kwok’s CDR data that it has collected in accordance with the CDR Rules.

Example two — switching banking providers

Guy is considering switching banking providers for his credit card and provides McCarthy Bank, an accredited person, with a valid request to collect his CDR data from his existing bank for the purpose of providing suitable offers in relation to credit cards.

McCarthy Bank provides Guy with the offers for credit card products as requested, using Guy’s CDR data it has collected in accordance with the CDR Rules.

In both examples, the uses of the consumer’s CDR data by the accredited person (Tang and Co/McCarthy Bank) would not be ‘direct marketing’ and Privacy Safeguard 7 would not apply. The accredited person’s use of the consumer’s CDR data would be a permitted use under Privacy Safeguard 6 as the CDR data would be used for the purpose of providing the service requested by the consumer (Kwok/Guy).

However, if Tang and Co or McCarthy Bank were to use Kwok or Guy’s CDR data to provide offers about other products not requested by the consumer, this would likely be ‘direct marketing’ and if so would be permitted only if this was authorised under the CDR Rules.[9]

When is direct marketing allowed?

7.12 Generally, an entity is not permitted to engage in direct marketing under the CDR regime.

7.13 However, the CDR Rules permit an accredited data recipient of CDR data to engage in certain specific direct marketing activities in relation to the ‘existing goods or services’ being provided to the consumer, in accordance with a ‘direct marketing consent’.[10]

7.14 The ‘existing goods or services’ refer to the goods or services requested by the consumer.[11]

7.15 A ‘direct marketing consent’ is a consent provided by a consumer under the CDR Rules for an accredited data recipient to use or disclose CDR data for the purposes of direct marketing.[12] An accredited person must ask for the consumer’s express consent in accordance with Division 4.3 of the CDR Rules for any direct marketing they intend to undertake.[13]

7.16 CDR Rule 7.5(3) allows an accredited data recipient to use or disclose CDR data for the following permitted direct marketing activities:

  • in accordance with a consumer’s direct marketing consent:
    • sending the consumer information about upgraded or alternative goods or services to the existing goods or services
    • sending the consumer an offer to renew existing goods or services when they expire
    • sending the consumer information about the benefits of existing goods or services
    • sending the consumer information about other goods and services provided by another accredited person if the accredited data recipient reasonably believes the consumer might benefit from these other goods or services, and only sends such information on a reasonable number of occasions
    • disclosing the consumer’s CDR data to an accredited person so that the accredited person may provide the goods or services referred to in the dot point above, but only where the consumer has provided a disclosure consent
  • using CDR data in a way and to the extent that is reasonably needed in order to send the consumer something permitted by the paragraph above (including by analysing the CDR data to identify the appropriate information to send), and
  • disclosing the consumer’s CDR data to an outsourced service provider:
    • for the purpose of doing the things referred to in the above two paragraphs, and
    • to the extent reasonably needed to do those things.

Information about upgraded or alternative goods or services

7.17 Sending the consumer information about upgraded[14] or alternative[15] goods or services is direct marketing.[16] An accredited data recipient of CDR data may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under Division 4.3 of the CDR Rules.[17]

Example

Loan Tracker Pty Ltd is an accredited person that offers products and services to assist consumers to monitor and repay their loans.

Loan Tracker asks its customers for their consent to receive direct marketing information about upgraded or alternative goods or services when seeking their consent to collect and use their CDR data to provide the requested service.

Through the ‘Show Me My Money’ service offered by Loan Tracker, monthly emails are sent to consumers setting out their current aggregate loan balances, the amount required to be repaid over the month, and estimating the consumer’s disposable income for that month after repayments and living expenses are taken into account.

Loan Tracker also wishes to include in its monthly emails links to information about other products and services offered by Loan Tracker which it considers might be useful to the consumer.

If Loan Tracker includes these links to information about other products and services, this may constitute using consumers’ CDR data to directly market its other products and services.

Loan Tracker may only use the CDR data to engage in the direct marketing activities if it:

  • has obtained a direct marketing consent (which is still current) for the purpose of sending information about upgraded or alternative goods or services, and
  • is able to show that the other products and services marketed are truly ‘upgraded’ or ‘alternative’ services to the ‘Show Me My Money’ service.

Offer to renew existing goods or services

7.18 Sending the consumer an offer to renew the existing goods or services is direct marketing.[18] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under Division 4.3 of the CDR Rules.[19]

7.19 If the consumer wishes to ‘renew’ the existing goods or services, the accredited data recipient must once again seek the consumer’s consent to the collection, use and (if applicable) disclosure of their CDR data for the relevant good or service. This is because an accredited person may seek to collect CDR data only in response to a valid request from the consumer.[20]

7.20 From 1 July 2021,[21] an accredited data recipient may, in certain cases, invite a consumer to amend the duration of their consent (for example, by extending its duration).[22] Where an accredited data recipient wishes to issue such an invitation, it should first consider whether the invitation would constitute an offer to renew the existing goods or services under CDR Rule 7.5(3)(a)(ii) (in which case a direct marketing consent would be required).

Information about the benefits of existing goods or services

7.21 Sending the consumer information about the benefits of the existing goods or services being used by the consumer is direct marketing.[23] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under Division 4.3 of the CDR Rules.[24]

Information about other goods or services provided by another accredited person

7.22 Sending the consumer information about other goods or services provided by another accredited person is direct marketing. An accredited data recipient may only engage in this form of direct marketing if it:

  • has obtained a direct marketing consent from the consumer under Division 4.3 of the CDR Rules[25]
  • reasonably believes that the consumer might benefit from the goods or services offered by the other accredited person, and
  • sends such information to the consumer on no more than a reasonable number of occasions.[26]

Disclosure to another accredited person to enable provision of promoted goods and services

7.23 An accredited data recipient of CDR data is permitted to disclose a consumer’s CDR data to another accredited person for the purposes of enabling that accredited person to provide the goods or services outlined in paragraph 7.22.[27]

7.24 An accredited data recipient may only disclose CDR data to another accredited person if the consumer has provided both a direct marketing consent and a disclosure consent to the accredited data recipient in accordance with Division 4.3 of the CDR Rules.[28]

Using the CDR data as reasonably needed, in accordance with the data minimisation principle

7.25 Using CDR data for the purpose of sending the information or renewal offer outlined above in paragraphs 7.17, 7.18, 7.21, 7.22 and 7.23, including by analysing the data to decide what, if any, information will be sent, is direct marketing.[29]

7.26 In order to use the CDR data for this purpose, the underlying direct marketing consent for the sending of information or renewal offers must be current.

7.27 An accredited data recipient must comply with the data minimisation principle when using the CDR data for these direct marketing purposes. This means that the CDR data, and any CDR data derived from it, must only be used as reasonably needed to fulfil the relevant direct marketing purpose.

7.28 For further information on the data minimisation principle, see Chapter B (Key concepts).

Privacy tip: An accredited data recipient must allow a consumer to withdraw their direct marketing consent by:[30]

  • using their dashboard, or
  • through a ‘simple alternative method of communication’ made available for that purpose, such as an embedded link in an email communication through which they may notify the accredited data recipient of their intention to ‘opt out’.

For further information regarding withdrawal of consent, see Chapter C (Consent).

Disclosure to an outsourced service provider

7.29 An accredited data recipient is permitted to disclose CDR data to an outsourced service provider for the purpose of sending the information or renewal offer (outlined above in paragraphs 7.17, 7.18, 7.21, 7.22 and 7.23), or to use the CDR data (as outlined above in paragraph 7.25).[31]

7.30 An accredited data recipient may only disclose CDR data to the extent reasonably needed for these purposes.[32]

7.31 Under this permitted disclosure, accredited persons may engage third parties (who fall within the meaning of ‘outsourced service provider’)[33] to undertake direct marketing activities on their behalf, where such activities are permitted under CDR Rule 7.5(3).

7.32 In order to disclose the CDR data for this purpose, the underlying direct marketing consent to send information or renewal offers must be current. In addition, the accredited person must:

  • provide the information required by CDR Rule 4.11(3)(f) to the consumer at the time of seeking the consumer’s consent to collect and use the consumer’s CDR data, and
  • include certain information about outsourced service providers in its CDR policy.[34]

7.33 An accredited data recipient who discloses CDR data to an outsourced service provider must ensure that the provider complies with its requirements under the arrangement.[35]

7.34 For the purposes of this permitted disclosure, an outsourced service provider is a person to whom an accredited data recipient discloses[36] CDR data under a CDR outsourcing arrangement.[37]

7.35 If the disclosure is proposed to be made to an overseas outsourced service provider, Privacy Safeguard 8 will apply in addition to Privacy Safeguard 7 (see Chapter 8 (Privacy Safeguard 8)).

7.36 For further information, see Chapter B (Key Concepts), ‘Outsourced service providers’. For further guidance regarding an accredited data recipient’s obligations in relation to outsourced service providers, see Chapter 6 (Privacy Safeguard 6).

Risk point: As soon as the consumer’s direct marketing consent is no longer current (i.e. because it expires or is withdrawn), the accredited data recipient can no longer engage in the permitted uses or disclosures relating to direct marketing under the CDR Rules.

Privacy tip: Accredited data recipients should have processes and systems in place to promptly inform any outsourced service providers engaging in direct marketing activities of the expiry of a consumer’s direct marketing consent.[38]

Interaction with other privacy safeguards

7.37 The prohibition against direct marketing in Privacy Safeguard 7 is complemented by Privacy Safeguards 6 (see Chapter 6 (Privacy Safeguard 6)), 8 (see Chapter 8 (Privacy Safeguard 8)) and 9 (see Chapter 9 (Privacy Safeguard 9)).

7.38 Privacy Safeguard 6 prohibits an accredited data recipient of CDR data from using or disclosing CDR data unless required or authorised under the CDR Rules or another Australian law or court or tribunal order.

7.39 Privacy Safeguard 8 restricts disclosures of CDR data made to recipients located overseas.

7.40 Privacy Safeguard 9 prohibits an accredited data recipient of CDR data that contains a government related identifier from adopting, using or disclosing that identifier, unless an exception applies.

Interaction with other legislation

7.41 Under the Privacy Act, APP 7 does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations applies (APP 7.8). There is no corresponding exemption under Privacy Safeguard 7.

7.42 This means that if an accredited data recipient or designated gateway engages in a form of direct marketing that may be permitted under another Act,[39] and the entity uses or discloses CDR data for that purpose, the entity will be in breach of Privacy Safeguard 7 unless that use or disclosure is required or authorised under the CDR Rules.

7.43 Similarly, this means that if an accredited data recipient or designated gateway engages in a form of direct marketing permitted under Privacy Safeguard 7 and the CDR Rules, the entity may nevertheless be in breach of another Act if the requirements relating to marketing communications under that Act are not also satisfied.

Footnotes

[1] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies (APP entities).

[2] Privacy Safeguard 7 applies from the point when the accredited person becomes an accredited data recipient of the CDR data. An accredited person becomes an accredited data recipient for CDR data when:

  • CDR data is held by (or on behalf of) the person
  • the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules, and
  • the person is neither a data holder, nor a designated gateway, for the first mentioned CDR data. See s 56EK of the Competition and Consumer Act.

[3] The APPs do not apply to an accredited data recipient of CDR data, in relation to that CDR data - s 56EC(4)(a) of the Competition and Consumer Act. However, s 56EC(4) does not affect how the APPs apply to accredited persons and accredited data recipients who are APP entities, in relation to the handling of personal information outside the CDR system. (Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.) Section 56EC(4) also does not affect how the APPs apply to an accredited person who does not become an accredited data recipient of the CDR data (other than for Privacy Safeguards 1 – 4). See s 56EC(5)(aa) of the Competition and Consumer Act.

[4] Section 56EJ(2) of the Competition and Consumer Act.

[5] The APPs do not apply to designated gateways for CDR data in relation to that CDR data - s 56EC(4)(d) of the Competition and Consumer Act. However, s 56EC(4) does not affect how the APPs apply to designated gateways who are APP entities, in relation to the handling of personal information outside the CDR system. See s 56EC(5)(b) of the Competition and Consumer Act.

[6] For the purposes of APP 7, the phrase has been interpreted to take its ordinary meaning of marketing addressed directly to individuals (Shahin Enterprises Pty Ltd v BP Australia Pty Ltd [2019] SASC 12 [113] (Blue J)). It involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services (Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 81).

[7] For information regarding ‘valid requests’, see Chapter 3 (Privacy Safeguard 3).

[8] Explanatory Statement to the CDR Rules.

[9] This would be ‘direct marketing’ even where the offers were about other products related to the requested product.

[10] CDR Rules 7.8 and 7.5(3). Examples of existing goods or services include the services provided by Tang and Co to Kwok, and McCarthy Bank to Guy, in the examples under paragraph 7.11.

[11] CDR Rule 7.5(1)(a).

[12] CDR Rule 1.10A(d). See Chapter B (Key concepts) for further information on direct marketing consents.

[13] See especially CDR Rules 4.11(1)(a)(ii), 4.11(1)(c) and 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[14] A good or service will be an ‘upgraded’ good or service if the good or service is an improved version of the existing good or service.

[15] A good or service will be an ‘alternative’ good or service if a consumer could choose between that good or service and the existing good or service in order to achieve a similar outcome.

[16] CDR Rule 7.5(3)(a)(i).

[17] See especially CDR Rules 4.11(1)(a)(ii), 4.11(1)(c) and 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[18] CDR Rule 7.5(3)(a)(ii).

[19] See especially CDR Rules 4.11(1)(a)(ii), 4.11(1)(c) and 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[20] The consumer’s consent to the collection and use of their CDR data for an accredited person to provide goods or services is required for a ‘valid request’: CDR Rule 4.3. For information regarding valid requests and the requirements for seeking consent, see Chapter C (Consent).

[21] CDR Rule 4.12B(5) provides that an accredited person must not invite a consumer to amend their consent before 1 July 2020.

[22] CDR Rule 4.12B. For further information about the requirements for asking a consumer to amend their consent, see CDR Rule 4.12C and Chapter C (Consent).

[23] CDR Rule 7.5(3)(a)(iii).

[24] See especially CDR Rules 4.11(1)(a)(ii), 4.11(1)(c) and 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[25] See especially CDR Rules 4.11(1)(a)(ii), 4.11(1)(c) and 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[26] CDR Rule 7.5(3)(a)(iv).

[27] CDR Rule 7.5(3)(aa).

[28] For information regarding direct marketing consents and disclosure consents, see Chapter C (Consent).

[29] CDR Rule 7.5(3)(b).

[30] CDR Rule 4.13(1).

[31] CDR Rule 7.5(3)(c)(i).

[32] CDR Rule 7.5(3)(c)(ii).

[33] See CDR Rule 1.10. ‘Outsourced service provider’ is discussed in Chapter B (Key concepts).

[35] CDR Rule 1.16.

[36] Data will be ‘disclosed’ under the CDR regime where it is made accessible or visible to others outside the entity. Whether an accredited data recipient retains effective control over the data does not affect whether data is ‘disclosed’.

[37] CDR Rule 1.10. A CDR outsourcing arrangement is a written contract between the accredited data recipient and outsourced service provider which meets the requirements set out in CDR Rule 1.10(2), and under which the provider will provide goods or services to the accredited data recipient. For further information, see Chapter B (Key Concepts).

[38] This will assist the accredited data recipient in directing an outsourced service provider under CDR Rule 1.10(2)(b)(iii).

[39] For instance, a person may make telemarketing calls to a number registered on the Do Not Call Register if the relevant account holder has consented to the making of the call (Do Not Call Register Act 2006, s 11(2)).