Australian Privacy Principle 7 (APP 7) applies to organisations that use or disclose personal information for direct marketing. It does not apply to direct marketing communications that are covered by the Do Not Call Register Act 2006 (DNCR Act) or the Spam Act 2003 (Spam Act).
This resource provides general information about how the requirements in each of these laws apply when an organisation direct markets to an individual. It is not a substitute for legal advice.
What is direct marketing?
Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods or services. It can encompass any communication made by or on behalf of an organisation to an individual, including fundraising communications. The communication may occur through a variety of channels, including telephone, SMS, mail, email, social media, and online advertising.
Examples of using or disclosing personal information to direct market to an individual include:
- sending a catalogue in the mail addressed to an individual by name
- targeting online advertising at an individual using their personal information
More examples of when an entity uses or discloses personal information for direct marketing are in the APP guidelines.
When is direct marketing allowed?
This depends on the type of direct marketing communication used, and the type of organisation involved. The flowchart below will help you determine which requirements apply to a direct marketing communication.
- Telemarketers and fax marketers must not call or fax numbers listed on the Do Not Call Register (DNCR), as required by the DNCR Act (some exemptions apply). The DNCR Act does not apply where:
- calls or faxes are made by exempt entities, such as registered charities or political parties
- calls or faxes are made by market researchers conducting opinion polling and social research, or
- an individual has consented to the call or fax.
- Organisations that send messages of a commercial nature by email, SMS, instant message, or MMS must comply with the Spam Act.
- Where the DNCR Act and Spam Act do not apply, an organisation may need to comply with APP 7 to direct market to an individual.
When does APP 7 apply?
APP 7 only applies to:
- private sector organisations covered by the Australian Privacy Principles. This means all businesses and not-for-profit organisations with an annual turnover of more than $3 million and some small businesses, including private sector health service providers and businesses that buy or sell personal information. These businesses are known as ‘organisations’ under the Privacy Act and may also be referred to as ‘APP entities’
- marketing communications that use or disclose an individual’s personal information to direct market to them. Personal information is information that identifies an individual, or could reasonably identify them
- direct marketing communications that are not covered by the DNCR Act or Spam Act
This means APP 7 generally will apply to:
- direct marketing calls or faxes where the number is not listed on the DNCR, or the call is made by a registered charity
- direct marketing by mail (whether sent by post or hand delivered) and door-to-door direct marketing
- targeted marketing online, but only where using or disclosing an individual’s personal information (i.e. where direct marketing occurs)
- marketing via a mobile application, if personal information is used to target that marketing.
APP 7 generally will not apply to:
- direct marketing calls or faxes using numbers listed on the DNCR, except where the entity is exempt from the DNCR Act (such as registered charities), or where the individual has consented
- direct marketing to an individual using a commercial electronic message, such as an email, instant message, SMS or MMS
Individuals who receive direct marketing communications may not be aware that different requirements apply to different direct marketing communications. You can meet customer expectations and demonstrate privacy best practice if you adopt the standards of APP 7 for all direct marketing communications.
Where APP 7 does not apply to a direct marketing communication, APP entities will still need to comply with other APPs, for example APP 6 (use and disclosure of personal information).
How do you comply with APP 7?
When APP 7 applies, you can only use or disclose an individual’s personal information for direct marketing in certain circumstances.
You can only use or disclose an individual’s ‘sensitive information’ (which includes personal information about their health, political opinions, their racial or ethnic origin or their sexual orientation) for direct marketing if the individual has given their consent.
You can only use or disclose other types of personal information for direct marketing if:
- you collected the personal information directly from the individual and the individual would reasonably expect their personal information to be used or disclosed for direct marketing
- the individual has consented to their personal information being used or disclosed for direct marketing, or
- it is impractical to get the individual’s consent to their personal information being used or disclosed for direct marketing
More information about when an individual would ‘reasonably expect’ their personal information to be used or disclosed for direct marketing, what constitutes ‘consent’, and when it would be ‘impractical’ to get an individual’s consent can be found in the APP guidelines.
When you use or disclose an individual’s personal information for direct marketing, you must do all of the following:
- provide the individual with a simple means of opting out of future direct marketing communications
- give the individual information about how to opt out in each direct marketing communication (such as by including an obvious statement in the marketing material) – this only applies where you collected an individual’s personal information from someone else, or where the individual would not reasonably expect their personal information to be used or disclosed for direct marketing purposes
- if requested, stop using or disclosing an individual’s personal information for direct marketing within a reasonable period of the individual making the request, and
- if requested, tell the individual where you got their personal information from (unless this is not reasonable or practical). You must provide the individual with a response within a reasonable period of time – generally within 30 days of the request
More information about these obligations, including providing a simple means for opting out, is contained in the APP guidelines.
What are the requirements when you facilitate direct marketing?
APP 7 also includes requirements for organisations that use or disclose individuals’ personal information to facilitate direct marketing by other organisations. An entity facilitates direct marketing where it collects personal information for the purpose of providing that personal information to other entities, so those entities can undertake direct marketing of their own products or services.
One of the APP 7 requirements is that organisations must stop using or disclosing an individual’s personal information to facilitate direct marketing if requested by the individual.
Examples of when an entity facilitates direct marketing, and more information about the obligations when doing so, are contained in the APP guidelines.
Two key rules set out in the DNCR Act are:
- you cannot make direct telemarketing calls to a number listed on the DNCR unless the individual has consented or you are an exempt entity (such as a registered charity), and
- you must ensure that all agreements for the purpose of making telemarketing calls include an express provision that requires compliance with the DNCR Act
The Telecommunications (Telemarketing and Research Calls) Industry Standard 2017 sets out rules that apply to any person or business intending to make telemarketing or research calls, regardless of whether they are exempt from the DNCR Act. These rules cover:
- when telemarketing and research calls cannot be made
- information that must be provided during a telemarketing or research call
- when calls must be terminated
- the use of calling line identification
If you direct market using a commercial electronic message such as an email, instant message, SMS or MMS, it must comply with the Spam Act. This requires:
- commercial electronic messages to be sent with the consent of the recipient
- accurate sender identification including the sender’s contact information
- a functional unsubscribe mechanism
A partial exemption from these requirements applies with respect to certain messages (such as messages of a factual nature only, without a commercial element).
Can a business use customer information for marketing purposes?
Generally, organisations covered by the Australian Privacy Principles must not use the personal information they hold for the purpose of direct marketing. However, there are some exceptions.
For example, a business may use the personal information it collects for marketing if it has collected the information directly from its customers, and the customers would reasonably expect the business to use it for marketing or if its customers have consented. It must also provide a way to easily opt out of receiving marketing messages, and must stop sending marketing offers if asked.
Can a business create personal profiles of business associates or clients to help build a relationship?
Yes, a business can do this, even if it is subject to the Australian Privacy Principles. But there are some restrictions:
- a business cannot use unfair means to collect the information, so it cannot trick someone into giving the information or spy on them
- a business can use the information for building a relationship but if it wants to use the information for some other purpose it can only do so if the client would reasonably expect that to happen or has consented
If a business is collecting sensitive information (racial origin, political opinions, religion, philosophical beliefs, sexual preferences, criminal record, or health information) it will need the consent of the individual.
Can a business use public sources of personal information, like the internet or public registers, to approach potential customers?
Yes, the Australian Privacy Principles do not prevent a business from using publicly available personal information for marketing purposes.
The business will still be required to comply with the APPs, in particular APP 7 which requires the business to have the individual’s consent (or it must be impracticable to obtain the individual’s consent) and it must provide a simple means by which the individual may easily request not to receive further direct marketing communications. It will also need to consider any obligations it may have under the DNCR Act and Spam Act.
Some public registers have specific laws that limit the use of the information on the register. The business should check any restrictions with the relevant body, for example, the Australian Electoral Commission or the state land title office.
Can a business use random number dialling to market products?
The Australian Privacy Principles do not prevent a business from using random number dialling to market products.
If a business is collecting personal information during the call it will need to comply with the Australian Privacy Principles, and consider any obligations it may have under the DNCR Act and Spam Act.