Publication date: 22 July 2019

Version 1.1

Key points

  • APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. APP 7 may also apply to an agency in the circumstances set out in s 7A.
  • Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
  • Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
    • allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
    • comply with that request.
  • An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

What does APP 7 say?

7.1 An organisation must not use or disclose the personal information that it holds about an individual for the purpose of direct marketing (APP 7.1). The term ‘holds’ is discussed in Chapter B (Key concepts).

7.2 There are a number of exceptions to this requirement. The exceptions in APP 7.2 and 7.3 apply to personal information other than sensitive information. They draw a distinction between the use or disclosure of personal information by an organisation where:

  • the personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing (APP 7.2), and
  • the personal information has been collected from a third party, or from the individual directly but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing (APP 7.3). Sources of third party data include data list providers, third party mobile applications, third party lead generation and enhancement data.

7.3 Both of these exceptions require an organisation to provide a simple means by which an individual can request not to receive direct marketing communications (also known as ‘opting out’). However, in the circumstances where the organisation has not obtained personal information from the individual, or the individual would not reasonably expect their personal information to be used in this way, there are additional requirements to ensure that the individual is made aware of their right to opt out of receiving direct marketing communications from the organisation.

7.4 Exceptions to this principle also apply in relation to:

  • sensitive information (APP 7.4), and
  • an organisation that is a contracted service provider for a Commonwealth contract (APP 7.5).

7.5 APP 7 may apply to an agency in the circumstances set out in s 7A (see paragraph 7.13 below).

7.6 An individual may request an organisation not to use or disclose their personal information for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations (APP 7.6). The organisation must give effect to any such request by an individual within a reasonable period of time and for free (APP 7.7).

7.7 An organisation must, on request, notify an individual of its source of the individual’s personal information that it has used or disclosed for the purpose of direct marketing, unless it is unreasonable or impracticable to do so (APP 7.6).

7.8 APP 7 does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations apply (APP 7.8). APP 7 will still apply to the acts or practices of an organisation that are exempt from these Acts.

‘Direct marketing’

7.9 Direct marketing involves the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services.[1] A direct marketer may communicate with an individual through a variety of channels, including telephone, SMS, mail, email and online advertising.

7.10 Organisations involved in direct marketing often collect personal information about an individual from a variety of sources, including:

  • public records, such as telephone directories and land title registers
  • membership lists of business, professional and trade organisations
  • online, paper-based or phone surveys and competitions
  • online accounts, for example, purchase history or the browsing habits of identified, or logged in, users[2]
  • mail order or online purchases.

7.11 Examples of direct marketing by an organisation include:

  • sending an individual a catalogue in the mail addressed to them by name
  • displaying an advertisement on a social media site that an individual is logged into, using personal information, including data collected by cookies relating to websites the individual has viewed[3]
  • sending an email to an individual about a store sale, or other advertising material relating to the store, using personal information provided by the customer in the course of signing up for a store loyalty card.

7.12 Marketing is not direct, and therefore APP 7.1 does not apply, if personal information is not used or disclosed to identify or target particular recipients, for example, where:

  • an organisation sends catalogues by mail to all mailing addresses in a particular location, addressed ‘To the householder’ (that is, where recipients are not selected on the basis of personal information)
  • an organisation hand delivers promotional flyers to the mailboxes of local residents
  • an organisation displays advertisements on a website, but does not use personal information to select which advertisements are displayed.

When are agencies covered by APP 7?

7.13 An agency must comply with the direct marketing requirements of APP 7 in the circumstances set out in s 7A. These circumstances include where:

  • the agency is listed in Part 1 of Schedule 2 to the Freedom of Information Act 1982 (the FOI Act) and is prescribed in regulations,[4] or
  • the act or practice relates to the commercial activity of an agency specified in Part 2 of Schedule 2 to the FOI Act.[5]

Using and disclosing personal information for the purpose of direct marketing where reasonably expected by the individual

7.14 APP 7.2 provides that an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

  • the organisation collected the personal information from the individual
  • the individual would reasonably expect the organisation to use or disclose the personal information for that purpose
  • the organisation provides a simple way for the individual to request not to receive direct marketing communications from the organisation (also known as ‘opting out’), and
  • the individual has not made such a request to the organisation.

Reasonably expect

7.15 The ‘reasonably expect’ test is an objective test that has regard to what a reasonable person, who is properly informed, would expect in the circumstances. This is a question of fact in each individual case. It is the responsibility of the organisation to be able to justify its conduct.

7.16 Factors that may be important in deciding whether an individual has a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing include where:

  • the individual has consented to the use or disclosure of their personal information for that purpose (see discussion in paragraph 7.23 below and Chapter B (Key concepts) for further information about the elements of consent)
  • the organisation has notified the individual that one of the purposes for which it collects the personal information is for the purpose of direct marketing under APP 5.1 (see Chapter 5 (APP 5))
  • the organisation made the individual aware that they could request not to receive direct marketing communications from the organisation, and the individual does not make such a request (see paragraph 7.21).

7.17 An organisation should not assume that an individual would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing just because the organisation believes that the individual would welcome the direct marketing, for example, because of the individual’s profession, interest or hobby.

7.18 An individual is not likely to have a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing where the organisation has notified the individual that their personal information will only be used for a particular purpose unrelated to direct marketing. For example, where an individual provides personal information to their bank when setting up internet banking, and the bank tells the individual that it will only use that personal information for enabling security for internet banking, the individual is not likely to have a reasonable expectation that their personal information will then be used or disclosed for the purpose of direct marketing.[6]

Providing a simple means for ‘opting out’

7.19 A simple means for opting out should include:

  • a visible, clear and easily understood explanation of how to opt out, for example, instructions written in plain English and in a font size that is easy to read
  • a process for opting out, which requires minimal time and effort
  • an opt out process that uses a straightforward and accessible communication channel, or channels, for example, the same channel that the organisation used to deliver the direct marketing communication. In some circumstances, a straightforward and accessible channel may differ from the one used to deliver the communication, for example, telephone or email where the original channel was post, and
  • an opt out process that is free, or that does not involve more than a nominal cost for the individual, for example, the cost of a local phone call, text message or postage stamp.

7.20 The individual should be able to easily find out how to opt out. For example, an organisation could provide information about how to opt out in each direct marketing communication. An organisation should also consider whether the means for opting out is accessible to a person with a disability.

7.21 If the individual has ‘opted out’, the organisation must not use or disclose their personal information for the purpose of direct marketing, in accordance with the individual’s request (APP 7.2(d)). Further examples of a simple means to opt out are given in paragraphs 7.27–7.30 below.

Using and disclosing personal information for the purpose of direct marketing where no reasonable expectation of the individual, or information collected from a third party

7.22 APP 7.3 provides that an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

  • the organisation collected the information from:
    • the individual, but the individual would not reasonably expect their information to be used or disclosed for that purpose, or
    • a third party, and
  • the individual has consented to use or disclosure for that purpose, or it is impracticable to obtain that consent, and
  • the organisation provides a simple way for the individual to opt out of receiving direct marketing communications from the organisation, and
  • in each direct marketing communication with the individual, the organisation includes a prominent statement, or otherwise draws the individual’s attention to the fact that the individual may make such a request (referred to as an ‘opt out statement’), and
  • the individual has not made such a request to the organisation.

7.23 Consent is defined in s 6(1) as ‘express consent or implied consent’ and is discussed generally in Chapter B (Key concepts). The four key elements of consent are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

7.24 Whether it is ‘impracticable’ for an organisation to obtain consent will depend on a number of factors, including the time and cost involved in seeking consent. However, an organisation is not excused from obtaining consent by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it impracticable to obtain consent will depend on whether the burden is excessive in all the circumstances.

7.25 An organisation may obtain the consent from the individual in relation to a subsequent use or disclosure of the individual’s personal information for the purpose of direct marketing at the time it collects the personal information. In order to rely on this consent, the organisation must be satisfied that it is still current at the time of the use or disclosure. ‘Current’ consent is discussed in Chapter B (Key concepts).

7.26 Where an organisation did not obtain the individual’s consent at the time of collection, it must obtain the consent of the individual for the proposed use or disclosure, unless it is impracticable to do so. In that case, the organisation should assess whether it is impracticable to obtain consent at the time of the proposed use or disclosure.

Providing a prominent statement about simple means for ‘opting out’

7.27 APP 7.3 requires that an organisation provides a simple means for an individual to opt out of receiving direct marketing communications (see discussion at paragraphs 7.19–7.21 above).

7.28 In addition, APP 7.3 requires an organisation to provide a prominent statement that the individual may request to opt out in each direct marketing communication. This statement should meet the following criteria:

  • it should be written in plain English, and not use legal or industry jargon
  • it should be positioned prominently, and not hidden amongst other text. Headings may be necessary to draw attention to the statement, and
  • it should be published in a font size and type which is easy to read, for example, in at least the same font size as the main body of text in the communication.

7.29 The following are given as examples of ways that an organisation may comply with the ‘opt out’ requirements of APP 7.3:

  • clearly indicating in each direct marketing email that the individual can opt out of receiving future emails by replying with a single word instruction in the subject line (for example, ‘unsubscribe’). Alternatively, ensuring that a link is prominently located in the email, which takes the individual to a subscription control centre
  • clearly indicating that the individual can opt out of future direct marketing by replying to a direct marketing text message with a single word instruction (for example, ‘STOP’)
  • telling the recipient of a direct marketing phone call that they can verbally opt out from any future calls
  • including instructions about how to opt out from future direct marketing in each mailed communication.

7.30 In each case, an organisation may use an opt out mechanism that provides the individual with the opportunity to indicate their direct marketing communication preferences, including the extent to which they wish to opt out. However, the organisation should always provide the individual with an option to opt out of all future direct marketing communications as one of these preferences.

Using and disclosing sensitive information for the purpose of direct marketing

7.31 APP 7.4 provides that an organisation may use or disclose sensitive information for the purpose of direct marketing if the individual has consented to the use or disclosure for that purpose.

7.32 The requirement to obtain consent applies even if the individual and the organisation have a pre-existing relationship.[7] If consent is not obtained, the organisation cannot rely on this exception, even if obtaining consent is impracticable or impossible in the circumstances.

7.33 Consent is discussed in paragraph 7.23 above, and generally in Chapter B (Key concepts). ‘Sensitive information’ is defined in s 6(1) and discussed in Chapter B (Key concepts).

Using and disclosing personal information for the purpose of direct marketing by contracted service providers

7.34 APP 7.5 provides that an organisation that is a contracted service provider for a Commonwealth contract may use or disclose personal information for the purpose of direct marketing if:

  • it collects the information for the purpose of meeting (directly or indirectly) an obligation under the contract, and
  • the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

7.35 The terms ‘contracted service provider’ and ‘Commonwealth contract’ are defined in s 6(1) and discussed in Chapter A (Introductory matters).

Requests by an individual to stop direct marketing communications

7.36 If an organisation uses or discloses personal information about an individual for the purpose of direct marketing, the individual may request not to receive direct marketing communications from that organisation (APP 7.6(c)).

7.37 The organisation must not charge the individual for making or giving effect to the request (APP 7.7). It must also stop sending the direct marketing communications within a reasonable period after the request is made (APP 7.7(a)). A ‘reasonable period’ would generally be no more than 30 days. However, an organisation could give effect to an opt-out request in a shorter timeframe, particularly where digital communication channels are being utilised.

7.38 When an organisation (the first organisation) engages a second organisation to carry out, or assist in carrying out, direct marketing on its behalf, it should ensure that the contractual arrangements with the second organisation reflect the first organisation’s obligations under APP 7. Where the second organisation is an APP entity, it must also comply with the APPs when handling personal information (see also paragraph 7.44 below).

7.39 In particular, where an individual makes a request to the second organisation to stop the direct marketing under APP 7.6, the contractual arrangements between the two organisations could require the second organisation to give effect to or pass on the opt out request to the first organisation.

Requests by an individual to stop facilitating direct marketing

7.40 An individual may request an organisation not to use or disclose personal information about the individual for the purpose of facilitating direct marketing by a second organisation (APP 7.6(d)).

7.41 The organisation must not charge the individual for making or giving effect to the request (APP 7.7). It must also stop using or disclosing the personal information for the purpose of facilitating direct marketing by a second organisation within a reasonable period after the request is made (APP 7.7(a)). A ‘reasonable period’ would be no more than 30 days. However, an organisation could give effect to an opt-out request in a shorter timeframe, particularly when digital communication channels are being utilised.

7.42 Where the second organisation is an APP entity, an individual can also make a separate request to not receive direct marketing communications from that organisation (APP 7.6(c)).

When does an organisation ‘facilitate’ direct marketing?

7.43 An organisation (the first organisation) facilitates direct marketing where it collects personal information for the purpose of providing that personal information to another organisation (the second organisation), so that the second organisation can undertake direct marketing of its own products or services.[8] For example, an organisation facilitates direct marketing where it collects personal information and sells that personal information to the second organisation which uses or discloses the personal information to send out marketing material.

7.44 An organisation does not facilitate direct marketing where it engages a second organisation to carry out, or assist in carrying out, direct marketing on its own behalf. In these circumstances, the second organisation will usually be a contractor, or an agent of the first organisation (see paragraphs 7.38–7.39 above). The following are given as examples of where an organisation ‘carries out’ direct marketing through a contractor, rather than facilitates direct marketing by a second organisation:

  • an organisation engages a mailing house to mail out its direct marketing communications
  • an organisation engages a second organisation to conduct door-to-door marketing or telemarketing on its behalf.

Requests by an individual to identify the source of the personal information

7.45 An individual may ask an organisation to identify the source of the personal information that it uses or discloses for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations (APP 7.6(e)).

7.46 The organisation must then notify the individual of its source, unless this is impracticable or unreasonable (APP 7.7(b)). It is the responsibility of the organisation to be able to justify that it is impracticable or unreasonable to provide this notification. Relevant considerations may include:

  • the possible adverse consequences for the individual if they are not notified of the source
  • the length of time that has elapsed since the personal information was collected by the organisation
  • for personal information collected before commencement of APP 7, whether the source of the personal information was recorded
  • the time and cost involved. However, an organisation is not excused from notifying an individual by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to do so will depend on whether the burden is excessive in all the circumstances.

7.47 Notification of the source of the personal information must be given within a reasonable period after the request is made (APP 7.7(b)). A ‘reasonable period’ would generally be 30 days unless special circumstances apply.

Interaction with other legislation

7.48 The Spam Act 2003 (Spam Act) and the Do Not Call Register Act 2006 (DNCR Act) contain specific provisions regarding direct marketing. Where the act or practice of an APP entity is subject to the Spam Act, DNCR Act, or other legislation prescribed under the regulations, APP 7 does not apply to the extent that this legislation applies (APP 7.8).

7.49 If an organisation that is an APP entity is exempt or partially exempt from the Spam Act or DNCR Act, APP 7 will still apply to the acts and practices of that organisation to the extent of that exemption.

Footnotes

[1] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 81.

[2] For more information about online behavioural advertising and personal information, see OAIC, Targeted Advertising, OAIC website <https://www.oaic.gov.au>.

[3] For more information about cookies, see OAIC, Targeted Advertising, OAIC website <https://www.oaic.gov.au>.

[4] See the Federal Register of Legislation <https://www.legislation.gov.au> for up-to-date versions of the regulations made under the Freedom of Information Act 1982.

[5] See s 7A and OAIC, FOI Guidelines, Part 2, OAIC website <https://www.oaic.gov.au>.

[6] A and Financial Institution [2012] AICmrCN 1 (1 May 2012).

[7] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 82.

[8] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 82.