Chapter 7: Privacy Safeguard 7 — Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

24 February 2020


Version 1.0

Key points

  • Privacy Safeguard 7 prohibits accredited data recipients and designated gateways from using or disclosing CDR data for direct marketing, unless the consumer consents and such use or disclosure is required or authorised under the consumer data rules (CDR Rules).

  • Direct marketing in the CDR context involves the use or disclosure of consumer data right (CDR) data to promote goods and services directly to a consumer.

  • The CDR Rules permit accredited data recipients to engage in certain direct marketing activities in relation to the good or service requested by the consumer, if consent has been received to do so.

What does Privacy Safeguard 7 say?

7.1 Privacy Safeguard 7 prohibits the use or disclosure of CDR data for direct marketing by accredited data recipients and designated gateways, unless the use or disclosure is required or authorised under the CDR Rules in accordance with the valid consent of the consumer.

7.2 CDR Rules 7.8 and 7.5(3) authorise certain direct marketing related uses or disclosures by accredited data recipients (in accordance with the consumer’s consent). These include uses or disclosures relating to:

  • information about upgraded or alternative goods or services
  • an offer to renew the existing goods or services being provided to the consumer, and
  • information about the benefits of the existing goods or services.

Why is it important?

7.3 To provide a positive consumer experience and ensure consumer control over their data, consumers should not be subjected to unwanted direct marketing.

7.4 Direct marketing is addressed separately to other uses and disclosures (see under Privacy Safeguard 6) because of significant community sentiments in relation to direct marketing.

Who does Privacy Safeguard 7 apply to?

7.5 Privacy Safeguard 7 applies to accredited data recipients and designated gateways. It does not apply to data holders.

7.6 Data holders must ensure that they are adhering to their obligations under the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs), including APP 7 in respect of direct marketing.

Note: Currently, there are no designated gateways in the CDR regime responsible for facilitating the transfer of information between data holders and accredited persons (see Chapter B: Key concepts for the meaning of designated gateway).

How Privacy Safeguard 7 interacts with the Privacy Act

7.7 It is important to understand how Privacy Safeguard 7 interacts with the Privacy Act and the APPs.[1]

7.8 APP 7 sets out when an APP entity is prohibited from using or disclosing personal information for the purpose of direct marketing.

Privacy protections that apply in the CDR context, by CDR entity:

CDR entity: Accredited person / accredited data recipient
Privacy protection that applies in the CDR context: Privacy Safeguard 7

Privacy Safeguard 7 applies instead of APP 7 to the use or disclosure of CDR data for direct marketing where the CDR data has been collected by an accredited data recipient under the CDR regime.

APP 7 will continue to apply to direct marketing activities involving personal information by an accredited person or accredited data recipient where the data is not CDR data.[2]

CDR entity: Designated gateway
Privacy protection that applies in the CDR context: Privacy Safeguard 7

Privacy Safeguard 7 applies instead of APP 7 in relation to the use and disclosure of CDR data for direct marketing.[3]

APP 7 will continue to apply to direct marketing activities involving personal information that is not CDR data.

CDR entity: Data holder
Privacy protection that applies in the CDR context: APP 7

Privacy Safeguard 7 does not apply to a data holder.

What is direct marketing?

7.9 ‘Direct marketing’ is not defined in the Competition and Consumer Act. The term is also used in APP 7 but is not defined in the Privacy Act.[4]

7.10 For the purpose of Privacy Safeguard 7, ‘direct marketing’ takes its ordinary meaning, and involves an entity’s use or disclosure of CDR data to communicate directly with a consumer to promote goods and services.

7.11 An example of direct marketing by an entity includes sending an email to a consumer promoting financial products using the consumer’s CDR data.[5]

7.12 ‘Direct marketing’ is distinct from the situation where:

  • a consumer has requested a good or service
  • the accredited data recipient has obtained the consumer’s consent to collect and use the consumer’s CDR data to provide this good or service, and
  • the requested good or service is to provide the consumer with offers about suitable products (for example, a service offered by a comparison site).[6]

This is illustrated in the following examples.

Example one — comparison site

Kwok wishes to obtain suitable offers from multiple providers for term deposit products and provides Tang and Co Pty Ltd, an accredited person, with a valid request to collect his CDR data from the data holders of his CDR data for this purpose.

Tang and Co provides Kwok with offers for term deposit products as requested, using Kwok’s CDR data that it has collected in accordance with the CDR Rules.

Example two — switching banking providers

Guy is considering switching banking providers for his credit card and provides McCarthy Bank, an accredited person, with a valid request to collect his CDR data from his existing bank for the purpose of providing suitable offers in relation to credit cards.

McCarthy Bank provides Guy with the offers for credit card products as requested, using Guy’s CDR data it has collected in accordance with the CDR Rules.

In both examples, the uses of the consumer’s CDR data by the accredited person (Tang and Co/McCarthy Bank) would not be ‘direct marketing’ and Privacy Safeguard 7 would not apply. The accredited person’s use of the consumer’s CDR data would be a permitted use under Privacy Safeguard 6 as the CDR data would be used for the purpose of providing the service requested by the consumer (Kwok/Guy).

However, if Tang and Co or McCarthy Bank were to use Kwok or Guy’s CDR data to provide offers about other products not requested by the consumer, this would likely be ‘direct marketing’ and if so would be permitted only if this was authorised under the CDR Rules.[7]

When is direct marketing allowed?

7.13 Generally, an entity is not permitted to engage in direct marketing under the CDR regime.

7.14 However, the CDR Rules permit an accredited data recipient to engage in certain specific direct marketing activities in relation to the ‘existing goods or services’ being provided to the consumer, in accordance with a ‘direct marketing consent’.[8]

7.15 The ‘existing goods or services’ refer to the goods or services requested by the consumer.[9]

7.16 A ‘direct marketing consent’ is a consent requested in accordance with CDR Rule 4.11(1)(c)(iii), which requires an accredited person to ask for the consumer’s express consent to any direct marketing they intend to undertake when asking the consumer to consent to the collection and use of their CDR data.[10]

7.17 CDR Rule 7.5(3) allows an accredited data recipient to use or disclose CDR data for the following permitted direct marketing activities:

  • in accordance with a consumer’s ‘direct marketing consent’, sending the consumer:
    • information about upgraded or alternative goods or services to ‘existing goods or services’
    • an offer to renew existing goods or services when they expire, or
    • information about the benefits of existing goods or services
  • using CDR data in a way and to the extent that is reasonably needed in order to send the consumer something permitted by the paragraph above (including by analysing the CDR data to identify the appropriate information to send), and
  • disclosing the consumer’s CDR data to an outsourced service provider:
    • for the purpose of doing the things referred to in the above two paragraphs, and
    • to the extent reasonably needed to do those things.

7.18 A direct marketing consent expires at the time that a consent to collect and use expires.

Information about upgraded or alternative goods or services

7.19 Sending the consumer information about upgraded[11] or alternative[12] goods or services is direct marketing.[13] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under CDR Rule 4.11(1)(c)(iii).

Example

Loan Tracker Pty Ltd is an accredited person that offers products and services to assist consumers to monitor and repay their loans.

Loan Tracker asks its customers for their consent to receive direct marketing information about upgraded or alternative goods or services when seeking their consent to collect and use their CDR data to provide the requested service.

Through the ‘Show Me My Money’ service offered by Loan Tracker, monthly emails are sent to consumers setting out their current aggregate loan balances, the amount required to be repaid over the month, and estimating the consumer’s disposable income for that month after repayments and living expenses are taken into account.

Loan Tracker also wishes to include in its monthly emails links to information about other products and services offered by Loan Tracker which it considers might be useful to the consumer.

If Loan Tracker includes these links to information about other products and services, this may constitute using consumers’ CDR data to directly market its other products and services.

Loan Tracker may only use the CDR data to engage in the direct marketing activities if it:

  • has obtained a direct marketing consent (which is still current) for the purpose of sending information about upgraded or alternative goods or services, and
  • is able to show that the other products and services marketed are truly ‘upgraded’ or ‘alternative’ services to the ‘Show Me My Money’ service.

Offer to renew existing goods or services

7.20 Sending the consumer an offer to renew the existing goods or services is direct marketing.[14] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current)[15] from the consumer under CDR Rule 4.11(1)(c)(iii).

7.21 If the consumer wishes to ‘renew’ the existing goods or services, the accredited data recipient must once again seek the consumer’s consent to the collection and use of their CDR data for the relevant good or service. This is because an accredited person may collect CDR data only in response to a valid request from the consumer.[16]

Information about the benefits of existing goods or services

7.22 Sending the consumer information about the benefits of the existing goods or services being used by the consumer is direct marketing.[17] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current)[18] from the consumer under CDR Rule 4.11(1)(c)(iii).

Using the CDR data as reasonably needed

7.23 Using CDR data for the purpose of sending the information or renewal offer outlined above in paragraphs 7.19, 7.20 and 7.22,[19] including by analysing the data to decide what, if any, information will be sent, is direct marketing.

7.24 In order to use the CDR data for this purpose, the underlying direct marketing consent for the sending of information or renewal offers must be current.

7.25 The CDR data must only be used as reasonably needed for that purpose.

Privacy tip: As a matter of best practice, all direct marketing communications should easily allow the consumer to opt out of receiving direct marketing communications. For instance, an email communication should allow the consumer to click an embedded link through which they may notify the accredited data recipient of their intention to opt out.

Disclosure to an outsourced service provider

7.26 ‘Outsourced service provider’ is discussed in Chapter B (Key concepts).

7.27 An accredited data recipient is permitted to disclose[20] CDR data to an outsourced service provider for the purpose of sending the information or renewal offer (outlined above in paragraphs 7.19, 7.20 and 7.22),[21] or to use the CDR data (as outlined above in paragraph 7.23).[22]

7.28 An accredited data recipient may only disclose CDR data to the extent reasonably needed for these purposes.[23]

7.29 Under this permitted disclosure, accredited persons may engage third parties (who fall within the meaning of ‘outsourced service provider’)[24] to undertake direct marketing activities on their behalf, where such activities are permitted under CDR Rule 7.5(3).

7.30 In order to disclose the CDR data for this purpose, the underlying direct marketing consent to send information or renewal offers must be current. In addition, the accredited person must:

  • provide the information required by CDR Rule 4.11(3)(f) to the consumer at the time of seeking the consumer’s consent to collect and use the consumer’s CDR data, and
  • include certain information about outsourced service providers in its CDR policy.[25]

7.31 If the disclosure is proposed to be made to an overseas outsourced service provider, Privacy Safeguard 8 will apply in addition to Privacy Safeguard 7 (see Chapter 8 (Privacy Safeguard 8)).

Risk point: As soon as the customer’s direct marketing consent is no longer current (i.e. because it expires or is withdrawn), the accredited data recipient can no longer engage in the permitted uses or disclosure relating to direct marketing under the CDR Rules.

Privacy tip: Accredited persons should have processes and systems in place to promptly inform any outsourced service providers engaging in direct marketing activities of the expiry of a consumer’s direct marketing consent.[26]

Interaction with other privacy safeguards

7.32 The prohibition against direct marketing in Privacy Safeguard 7 is complemented by Privacy Safeguard 6 (see Chapter 6 (Privacy Safeguard 6)) and Privacy Safeguard 8 (see Chapter 8 (Privacy Safeguard 8)).

7.33 Privacy Safeguard 6 prohibits an accredited data recipient from using or disclosing data unless required or authorised under the CDR Rules or another Australian law or court or tribunal order.

7.34 Privacy Safeguard 8 restricts disclosures of CDR data made to recipients located overseas.

Interaction with other legislation

7.35 Under the Privacy Act, APP 7 does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations applies (APP 7.8). There is no corresponding exemption under Privacy Safeguard 7.

7.36 This means that if an accredited data recipient or designated gateway engages in a form of direct marketing that may be permitted under another Act,[27] and the entity uses or discloses CDR data for that purpose, the entity will be in breach of Privacy Safeguard 7 unless that use or disclosure is required or authorised under the CDR Rules.

7.37 Similarly, this means that if an accredited data recipient or designated gateway engages in a form of direct marketing permitted under Privacy Safeguard 7 and the CDR Rules, the entity may nevertheless be in breach of another Act if the requirements relating to marketing communications under that Act are not also satisfied.

Footnotes

[1] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies (APP entities).

[2] All accredited persons are subject to the Privacy Act and the APPs in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.

[3] Section 56EC(4)(d) of the Competition and Consumer Act.

[4] For the purposes of APP 7, the phrase has been interpreted to take its ordinary meaning of marketing addressed directly to individuals (Shahin Enterprises Pty Ltd v BP Australia Pty Ltd [2019] SASC 12 [113] (Blue J)). It involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services (Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 81).

[5] For information regarding ‘valid requests’, see Chapter 3 (Privacy Safeguard 3).

[6] Explanatory Statement to the CDR Rules.

[7] This would be ‘direct marketing’ even where the offers were about other products related to the requested product.

[8] CDR Rules 7.8 and 7.5(3). Examples of existing goods or services include the services provided by Tang and Co to Kwok, and McCarthy Bank to Guy, in the examples under paragraph 7.12.

[9] CDR Rule 7.5(1)(a).

[10] CDR Rules 7.5(4) and 4.11(1)(c)(iii). For guidance regarding requirements for asking for consent, see Chapter C (Consent).

[11] A good or service will be an ‘upgraded’ good or service if the good or service is an improved version of the existing good or service.

[12] A good or service will be an ‘alternative’ good or service if a consumer could choose between that good or service and the existing good or service in order to achieve a similar outcome.

[13] CDR Rule 7.5(3)(a)(i).

[14] CDR Rule 7.5(3)(a)(ii).

[15] The direct marketing consent will expire when the consumer’s consent to collect and use particular CDR data expires, if the consumer does not withdraw it beforehand. Consent is discussed in Chapter C (Consent).

[16] The consumer’s consent to the collection and use of their CDR data is a fundamental component of the ‘valid request’. For information regarding valid requests and the requirements for seeking consent, see Chapter C (Consent).

[17] CDR Rule 7.5(3)(a)(iii).

[18] The direct marketing consent will expire when the consumer’s consent to collect and use particular CDR data expires, if the consumer does not withdraw it beforehand. Consent is discussed in Chapter C (Consent).

[19] CDR Rule 7.5(3)(b).

[20] Any provision of CDR data by an accredited data recipient to an outsourced service provider will be a disclosure. Whether an accredited data recipient retains effective control over the data does not affect whether data is ‘disclosed’. This is different to the situation under the Privacy Act, where in some limited circumstances the provision of information from an entity to a contractor to provide services on behalf of the entity may be a use, rather than a disclosure. See paragraph B.144 in Chapter B: Key concepts of the APP Guidelines.

[21] CDR Rule 7.5(3)(b).

[22] CDR Rule 7.5(3)(c)(i).

[23] CDR Rule 7.5(3)(c)(ii).

[24] See CDR Rule 1.10. ‘Outsourced service provider’ is discussed in Chapter B (Key concepts).

[25] CDR Rule 7.2(4). See Chapter 1 (Privacy Safeguard 1).

[26] This will assist the accredited person in directing an outsourced service provider under CDR Rule 1.10(2)(b)(iii).

[27] For instance, a person may make telemarketing calls to a number registered on the Do Not Call Register if the relevant account holder has consented to the making of the call (Do Not Call Register Act 2006, s 11(2)).
