Content of the ‘Direct Marketing’ principle

26.66 This part of this chapter considers the content of the ‘Direct Marketing’ principle. First, the distinction between existing customers and prospective customers is considered. Secondly, the ‘opt-out’ model is discussed. The extent to which specific provision should be made for children and young people in the ‘Direct Marketing’ principle is then addressed, and the timeframes for compliance with requests to opt out of direct marketing are considered. Finally, the issue of whether there should be an obligation on organisations involved in direct marketing to disclose the source of personal information is discussed.

Existing customers

26.67 As discussed above, the ALRC recommends that the ‘Direct Marketing’ principle should distinguish between direct marketing to individuals who are ‘existing customers’ and direct marketing to individuals who are not ‘existing customers’.[93] This distinction addresses the concerns raised by stakeholders that direct marketing to existing customers is a legitimate business activity and is acceptable where it is within the reasonable expectations of such customers. The framework now recommended by the ALRC was developed in response to issues identified by stakeholders in DP 72.

26.68 It is necessary to consider the appropriate scope of the concept of an ‘existing customer’. A number of regimes rely on the notion of an ongoing commercial or business relationship. ADMA’s Direct Marketing Code of Practice, for example, defines ‘unsolicited’ to mean:

a communication sent to a recipient: (a) with whom the message originator does not have an ongoing commercial or contractual relationship; or (b) that has not consented to the receipt of such communications.[94]

26.69 The OPC’s submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000 discussed the extent to which an opportunity to ‘opt out’ should be provided. In doing so, the OPC commented:

The need to provide a chance to opt-out for each use for direct marketing might need to be qualified so that it applies except where the use is clearly within the reasonable expectations of the individual concerned, or is consistent with an ongoing business relationship between the individual concerned and the direct marketer.[95]

26.70 Further, both the Spam Act and the Do Not Call Register Act currently draw on the concept of existing ‘business and other relationships’ in defining consent. For the purposes of the Spam Act and the Do Not Call Register Act, consent is defined to include ‘consent that can reasonably be inferred from (i) the conduct; and (ii) the business and other relationships; of the individual and organisation concerned’.[96] In the context of the Do Not Call Register scheme, guidance published by ACMA states:

In the absence of express consent to receiving telemarketing calls, consent may still be able to be reasonably inferred from both an individual’s conduct and their business or other relationships. For example, it is possible that a person who holds a ‘XYZ Bank’ credit card may reasonably expect to receive calls about ‘XYZ Bank’ home loans or ‘XYZ Bank’ savings products.

However, it is less likely to be reasonable for a person with a ‘XYZ Bank’ credit card to be cold called by ‘Lucky’s Financial Services’, regardless of the subsidiary relationship these entities share.[97]

26.71 ACMA’s guidance on the Spam Act also considers the concept of a ‘pre-existing relationship’:

Consent will not always be inferred where there is a pre-existing relationship. Transactions such as the purchase of a publication or service, attendance at a function, conference or performance alone are unlikely to be a sound basis for inferring consent or assuming that there is a pre-existing relationship.[98]

26.72 Another ACMA publication, addressing consent in the context of the Do Not Call Register scheme, states that it is necessary to look at consent on a ‘case-by-case basis, and assess what sort of telemarketing calls a person would reasonably expect to receive under the inferred consent provisions’.[99]

26.73 The concept of ‘reasonable expectations’ already exists in the Privacy Act. As discussed above, one of the circumstances in which direct marketing is permitted under NPP 2 is where direct marketing is related to the primary purpose of collection (or in the case of sensitive information, is directly related to that primary purpose) and the individual concerned would reasonably expect the organisation to use or disclose the information for direct marketing.[100]

26.74 Factors to consider in order to determine whether a use or disclosure of personal information for a secondary purpose is within an individual’s reasonable expectations for the purposes of NPP 2.1(a)(ii) include, for example:

  • whether the individual knew, or it was clear from the circumstances surrounding the collection, that the information may be used for the secondary purpose;

  • whether a high level of confidentiality or sensitivity attaches to the information;

  • whether it is common business practice to use or disclose the information for the secondary purpose; and

  • whether the organisation is under a duty of care or bound by a professional code of conduct or professional standards of which the individual would reasonably be aware and which would require the organisation to make the secondary use or disclosure.[101]

26.75 Further, as discussed above, both the Spam Act and the Do Not Call Register Act utilise the concept of ‘reasonable expectations’.

26.76 The concept of ‘impracticability’ is already used in the context of secondary purpose direct marketing in NPP 2.1(c)(i). The Macquarie Dictionary defines ‘impracticable’ as ‘not practicable; that cannot be put into practice with the available means’.[102] The Comprehensive Guide to Privacy Law states that the requirement of impracticability in NPP 2.1(c) is ‘likely to apply only in a minority of cases as, in the majority of cases, it will be practicable to seek consent’.[103] In other contexts in which the concept of ‘impracticability’ is operative under the Privacy Act, such as the research context, factors such as the quantity, age or accessibility of the records are relevant to a determination of whether it is impracticable to obtain consent.[104]

Submissions and consultations

26.77 In ADMA’s view, disclosure and use of personal information for direct marketing purposes is within an existing customer’s ‘reasonable expectations’.[105] ADMA submitted that the ALRC should adopt a definition of ‘direct marketing’ that either discerns between current and prospective customers or otherwise preserves the ability of organisations to direct market to existing customers, subject to their ‘reasonable expectations’.[106] In a similar vein, Acxiom submitted:

Direct marketing involves both solicited and unsolicited marketing and, as the Privacy Act applies to both, the provisions contained within must not be so draconian as to inadvertently over regulate solicited communications as a by-product of attempting to control unsolicited communications.[107]

26.78 Similarly, Optus ‘strenuously’ objected to the ‘imposition of obligations under the current NPP 2.1(c) to both prospective and customer data’, because to do so would involve significant costs to business.[108]

26.79 The Law Council of Australia criticised the ‘Direct Marketing’ principle proposed in DP 72 on the basis that its impact would be always to require consent even where there was an existing business relationship, unless it could be argued that such a relationship gave rise to an implied consent. It also commented:

Organisations will need complete clarity on when this principle will apply and in particular whether it will apply:

(a) to marketing activities to existing customers; and

(b) if so, whether it is only intended to address marketing to those existing customers a product or service they do not currently have, or whether it could capture activity designed to promote the use of, or the purchase of supplementary goods and services (for example accessories) for use with, a product or service the customer already holds.[109]

26.80 One stakeholder raised concerns about a blanket prohibition against using sensitive information for the purposes of direct marketing, arguing that restricting the use of health information in this way may not be in the best interests of consumers. For example, the Broader Health Cover initiative under the Private Health Insurance Act 2007 (Cth) allows a private health insurer to offer chronic disease management and preventative health programs to members. It was argued, however, that such offers have to be targeted to the health needs of particular individuals and can be made safely only by direct marketing communications.[110]

ALRC’s view

26.81 As stated above, the ALRC recommends that the requirements that apply to direct marketing communications to individuals who are not existing customers should be more onerous than those applying in the context of direct marketing to existing customers.

26.82 In relation to existing customers, the ALRC recommends that an organisation may use or disclose personal information about an individual who is an existing customer for the purposes of direct marketing only where the individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing.

26.83 While sensitive information cannot be used for the secondary purpose of direct marketing under NPP 2.1(c), there are some circumstances in which sensitive information can be used for the primary purpose of direct marketing under the NPPs.[111] The model ‘Direct Marketing’ principle recommended by the ALRC allows sensitive information to be used or disclosed for the purpose of direct marketing to existing customers only where it is within the customer’s reasonable expectations. As noted above, one of the factors in determining whether a use or disclosure is within the reasonable expectations of an individual is whether a high level of sensitivity attaches to the information.[112] Submissions also illustrated that there may be circumstances in which such direct marketing would serve the interests of an existing customer. It is important to note that the ALRC’s recommended approach in respect of existing customers includes the ability to opt out at any time, discussed below.

26.84 The concept of an existing customer should require some kind of ongoing commercial, contractual or business relationship. The question of whether someone is an existing customer should be determined by reference to the particular factual circumstances. Generally, however, a one-off purchase would not be sufficient to make an individual an existing customer—such a conceptualisation of an existing customer would be too loose. This is consistent with the approach taken under both the Spam Act and the Do Not Call Register Act. In the ALRC’s view, however, the concept of existing customer would generally allow for the direct marketing of products and services other than those previously provided to the existing customer.

26.85 The question of whether someone is an existing customer also needs to be resolved by reference to the particular organisation in question—that is, an individual who is an existing customer of a particular organisation will probably not be an existing customer of a related body corporate of that organisation. In this regard, the ALRC adopts the reasoning of the Do Not Call Register Act. The effect of this is that direct marketing communications from related bodies corporate should be treated as unsolicited direct marketing communications.

26.86 The concept of ‘reasonable expectation’ is an appropriate way to anchor the requirements applying in the context of existing customers. The ALRC notes that the concept of reasonable expectations already exists under the Privacy Act. The factors relevant to determining whether a use or disclosure is within a person’s reasonable expectations[113] also would be relevant to determining whether the use of personal information for the purpose of direct marketing is within the reasonable expectations of an existing customer.

26.87 In relation to individuals who are not existing customers, an organisation should use or disclose personal information about them for the purpose of direct marketing only where: the individual has consented; or the information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure. The ALRC has modelled this aspect of the principle on the existing requirements attaching to secondary purpose direct marketing under NPP 2.1(c). Further protections are warranted in relation to the use or disclosure of sensitive information for the purpose of unsolicited direct marketing and direct marketing to persons under 15 years.[114]

26.88 The concept of ‘impracticability’ in respect of unsolicited direct marketing under the ‘Direct Marketing’ principle would need to be broader than that which exists currently in relation to secondary purpose direct marketing. The question of whether it is possible logistically to contact the relevant individuals is not a complete answer to the question of whether it is impracticable to obtain consent. The concept of ‘impracticability’ is broader, and flexible enough to take into account considerations relevant to the particular circumstances. Such factors may include the number of individuals on a direct marketing list, the cost of obtaining consent and the time involved. An organisation, however, needs to be in a position to demonstrate factors which render the obtaining of consent impracticable in the particular circumstances.

Opt-in or opt-out requirement?

Background

26.89 The Senate Legal and Constitutional References Committee inquiry into the Privacy Act (Senate Committee privacy inquiry) recommended that the ALRC consider the possibility of an ‘opt-in’ regime for direct marketing, in line with the Spam Act.[115] The OPC Review recommended that the Australian Government consider amending the Privacy Act to provide that consumers have a general right to opt out of direct marketing approaches at any time, and also to impose an obligation on organisations to comply with opt-out requests within a specified time after receipt.[116]

26.90 Some overseas privacy legislation, such as that in force in Hong Kong, provides for an ‘opt-out’ model.[117] A similar approach is taken in the European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995) (EU Directive).[118] A Working Party, set up under art 29 of the EU Directive, commented that ‘where data are transferred for the purposes of direct marketing, the data subject should be able to “opt-out” from having his/her data used for such purposes at any stage’.[119]

26.91 In DP 72, the ALRC considered whether the relevant privacy principle should adopt an opt-in regime, an opt-out regime, or neither. In other words, should organisations engaged in direct marketing be required to allow individuals to opt out of receiving direct marketing communications; should organisations only be permitted to engage in direct marketing if the individual in question has explicitly opted in to receiving such communications; or should neither of these requirements apply? The ALRC proposed that the ‘Direct Marketing’ principle should require organisations to present individuals with a simple means to opt out of receiving direct marketing communications.[120]

Submissions and consultations

26.92 This proposal was supported by the majority of stakeholders who commented on it.[121] ANZ submitted that the current opt-out provisions were working well. ANZ noted that it communicates regularly with its customers about services and products that may be beneficial to a customer’s circumstances and that ANZ customers can contact it at any time if they do not want to receive further direct marketing communications.[122] BPay submitted that no change should be made to the existing opt-out mechanism under the NPPs, which provide adequate protection of the privacy of individuals.[123]

26.93 Some stakeholders called for an opt-in model.[124] The Consumer Action Law Centre submitted that, while it believes there is a strong consumer argument for an opt-in model, ‘any opt-out model of regulating direct marketing must be clear and simple to use and should ensure that consumers who do not want to be contacted by direct marketers are not contacted’.[125]

26.94 The Victorian Council for Civil Liberties submitted:

The discussion in the Review appears to start from the principle or policy position that passing on non-sensitive information for the purposes of direct marketing is permissible provided that the individual is given an opportunity to request to be taken off direct marketing lists. Liberty Victoria believes that at the very least all direct marketing should provide an opt-out mechanism.[126]

26.95 Some of the support for the ALRC’s proposal was qualified. For example, the Law Council supported the concept of an opt-out model in principle, but argued that the concept of a simple means to opt out needed to be amplified.[127] The Australian Privacy Foundation and the Cyberspace Law and Policy Centre supported the opt-out model, but suggested that it be strengthened in particular ways.[128] They argued that there should be a specific requirement that the provided means to opt out be ‘functional’—that is, able to achieve the intended effect. This would be similar to the ‘functional unsubscribe facility’ requirement in the Spam Act. They also argued that there should be a specific reference to an individual’s ability to opt out indirectly.[129] The Cyberspace Law and Policy Centre submitted that this should occur through ‘any general preference scheme to which the organisation or agency is subject’ and it should ensure that organisations and agencies respect individuals’ preferences registered with such schemes as the Do Not Call Register or the voluntary ADMA Do Not Mail Service.[130] The Cyberspace Law and Policy Centre also argued that the principle should not use technology or media-specific language.[131]

26.96 Optus also expressed qualified support. It agreed that individuals should have a general right to opt out, but argued:

The ‘Direct Marketing’ principle should not require organisations to draw attention to the ability to opt-out in each direct marketing communication with the individual. This may have been appropriate at the introduction of the private sector provisions of the Privacy Act however many individuals are now aware of their rights with respect to the use and disclosure of their information and this is no longer necessary.

Australian individuals are able to and frequently do articulate that they do not want to be contacted by an organisation for direct marketing purposes. This occurs regardless of whether they are aware of their rights under the Privacy Act or not and regardless of whether they are a potential customer or an existing customer.[132]

26.97 Similarly, ADMA did not support the proposal that organisations be required to present individuals with the opportunity to opt out with each marketing approach, as this ignored the need for organisations to communicate with their existing customers to ‘fulfil their wants and needs’. In ADMA’s view, such a requirement would have an inconsistent impact on marketing channels—for example, it would unfairly impact on organisations that rely on telephone marketing by effectively introducing an opt-in approach for telemarketing calls. ADMA argued that this would place Australian businesses at a ‘distinct commercial disadvantage’ globally. ADMA’s view was that the introduction of ‘different provisions for current or prospective customers, and prescriptive definitions of the circumstances where an opt-out opportunity must be provided for each would be onerous’. Instead, it submitted that ‘individuals should have the right to opt-out on request and the organisation in question should comply with that request within a reasonable period of time’.[133]

ALRC’s view

26.98 The majority of stakeholders expressed support for an opt-out model to regulate direct marketing under the Privacy Act. This support was expressed by a broad range of stakeholders, including individuals, some entities directly or indirectly involved in direct marketing, the OPC and privacy advocates. Nevertheless, some concern was expressed that an opt-out model which required an organisation to provide an individual with an opportunity to opt out with each direct marketing communication would be too restrictive on businesses that use direct marketing, particularly with respect to communications with existing customers.

26.99 Organisations should be required to provide a simple and functional means by which an individual (whether or not an existing customer) may advise the organisation that he or she does not wish to receive any further direct marketing communications. An individual should be able to make use of such means to opt out of further direct marketing communications at any time. The ALRC’s recommended ‘Direct Marketing’ principle addresses the concerns raised by stakeholders by requiring organisations to provide a simple and functional means to opt out and by adopting media neutrality.[134]

26.100 There is a legitimate basis for drawing a distinction between unsolicited direct marketing and direct marketing to existing customers, in terms of the frequency with which express opportunities to opt out must be provided by organisations. An organisation should be required to provide an individual with an opportunity to opt out of receiving further direct marketing communications in every direct marketing communication which is unsolicited or directed to an individual under 15 years. This requirement is modelled on the existing requirement under NPP 2.1(c)(iv). An organisation should be required to draw to the individual’s attention, or prominently display a notice, advising the individual that he or she may express a wish not to receive any further direct marketing communications. This requirement is warranted by the high level of community concern about unsolicited direct marketing. This requirement, however, is not necessary for existing customers. It should be sufficient for existing customers to be made aware, through an organisation’s Privacy Policy, that they have the ability to opt out of direct marketing communications at any time.

Application of the principle to individuals under 15 years of age

26.101 In DP 72, the ALRC considered whether direct marketing may pose a particular risk to children and young people. It noted the submission of the Obesity Prevention Policy Coalition and Young Media Australia, that ‘children are more susceptible to commercial manipulation than adults’. These problems are exacerbated by a number of factors, including that children and young people often ‘lack the cognitive capacity and maturity’ to give informed consent, and also that new technologies (such as the internet, email and SMS) are increasingly being used in direct marketing to children. For this reason, the Obesity Prevention Policy Coalition and Young Media Australia submitted that organisations should be prohibited from engaging in direct marketing with a child under 14 years, unless a parent has provided ‘express and verifiable consent’.[135]

26.102 In DP 72, the ALRC stated that the proposed ‘Direct Marketing’ principle would provide sufficient protection by building in a consent mechanism, combined with the proposals regarding decision making on behalf of individuals under the age of 15. The ALRC proposed that OPC guidance should address direct marketing in respect of particularly vulnerable individuals.[136]

Submissions and consultations

26.103 A number of submissions addressed the application of the ‘Direct Marketing’ principle to children. These submissions are considered in detail in the general discussion of privacy issues impacting on children and young people in Chapter 69.

26.104 For example, the Obesity Policy Coalition continued to express concern about direct marketing to children and the way in which it should be regulated by the Privacy Act. It submitted that the proposed ‘Direct Marketing’ principle, and OPC guidance, would impose insufficient obligations on organisations; and too easily allow organisations to avoid the consent requirement where ‘it is difficult to identify, locate or communicate’ with the person with parental responsibility.[137]

26.105 The Obesity Policy Coalition also was concerned about the effective operation of the opt-out provisions of the proposed ‘Direct Marketing’ principle. While indicating general support for the inclusion of opt-out provisions, and the ability for a person with parental responsibility to activate the opt out on behalf of a child or young person, the Coalition expressed concern that ongoing communication directly between the organisation and the child or young person may impede the ability for the person with parental responsibility to exercise the option at an appropriate time. The Coalition suggested that those acting on behalf of the child or young person should receive the opt-out information directly each time information is communicated to that child or young person.[138]

ALRC’s view

26.106 The ALRC recognises that children and young people particularly can be at risk from direct marketing. In reformulating the ‘Direct Marketing’ principle, the ALRC has considered the level of protection that exists for children and young people. Part of the ALRC’s reasoning in DP 72 for not imposing additional protections for children and young people in relation to direct marketing was that the proposed principle operated so as to, in effect, require parental consent before using personal information about a child or young person for the purposes of direct marketing. The ALRC acknowledged that the proposed exception to consent—that is, where it is non-sensitive information and it is impracticable to obtain consent—would apply, but proposed guidance to indicate how the exception would operate so as to limit organisations claiming in inappropriate circumstances that it is impracticable to obtain parental consent.[139]

26.107 It is appropriate that, as a general approach, parental consent should be a prerequisite to using the personal information of a child or young person under the age of 15 for direct marketing purposes.[140] While, overall, the ALRC considers that the obligations in relation to direct marketing to existing customers can be reduced due to the ongoing relationship between the organisation and customer, this policy is not appropriate when dealing with children and young people under the age of 15. It is very likely that these customers do not have the ability to comprehend the nature of an ongoing relationship or have sufficient understanding to meet the criterion of a ‘reasonable expectation’ of receiving direct marketing as a result of that continuing relationship.

26.108 To address these concerns, the ALRC’s recommended ‘Direct Marketing’ principle provides further protection for individuals under the age of 15 years. The principle will require that direct marketing to individuals under the age of 15 years can only occur where either: the individual has consented; or the information is not sensitive information, and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure. An individual under the age of 15 should always be treated as an individual who is not an existing customer. This brings into play higher obligations on the organisation seeking to use personal information about the individual for the purposes of direct marketing in relation to each use of the information. For example, an opportunity to opt out of receiving further direct marketing communications must be provided each time information is communicated to that child or young person. Further, combined with the ALRC’s recommendations relating to decision making for children and young people under the age of 15, it will require that a person with parental responsibility provide the consent on behalf of the child or young person.[141] Particular privacy issues affecting children and young people, including direct marketing, are discussed in Chapter 69.

26.109 Some stakeholders had concerns about the operation of the ‘not practicable’ exception to obtaining consent in the ‘Direct Marketing’ principle, and the likely detrimental effect this would have on organisations implementing appropriate age verification and parental consent mechanisms. The ALRC notes these concerns and considers it will be necessary to ensure that guidance in relation to the ‘Direct Marketing’ principle addresses such concerns to ensure that the principle and provisions are implemented appropriately.[142] This is discussed below.

Recommendation 26–3 The ‘Direct Marketing’ principle should provide that an organisation may use or disclose personal information about an individual who is an existing customer aged 15 years or over for the purpose of direct marketing only where the:

(a) individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and

(b) organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any direct marketing communications.

Recommendation 26–4 The ‘Direct Marketing’ principle should provide that an organisation may use or disclose personal information about an individual who is not an existing customer or is under 15 years of age for the purpose of direct marketing only in the following circumstances:

(a) either:

(i) the individual has consented; or

(ii) the information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure;

(b) in each direct marketing communication, the organisation draws to the individual’s attention, or prominently displays, a notice advising the individual that he or she may express a wish not to receive any direct marketing communications; and

(c) the organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any direct marketing communications.

Timeframes for compliance with opt-out requests

26.110 In DP 72, the ALRC considered whether direct marketers should be required to comply with an opt-out request within a set timeframe. That is, when a person expresses their intention to opt out of receiving direct marketing communications, should the organisation be required to comply with this request within a period specified in the ‘Direct Marketing’ principle? There was no consensus among those who favoured a specified timeframe. One view was that any such timeframe should be consistent with the Spam Act, which provides for five business days within which to act upon the request.[143] On the other hand, in the OPC Review, the OPC approved of ADMA’s view that the period should be 45 days.[144]

26.111 The ALRC proposed, in DP 72, that an organisation should be required to comply within a ‘reasonable time’ with an individual’s request not to receive direct marketing communications.[145]

Submissions and consultations

26.112 The ALRC’s proposal was supported by the majority of stakeholders.[146] ADMA commented that:

It is current industry best practice that in all instances, including where an ongoing business relationship exists between the organisation and the individual, that an organisation respects and actions an individual’s request to opt-out of future direct marketing approaches.[147]

26.113 The Law Council submitted that the concept of a ‘reasonable time’ was a ‘sensible approach’, since different direct marketing channels (for example, email as opposed to post) have different timeframes.[148] Optus submitted that five days for implementation of an ‘opt-out’ request was too short.[149]

26.114 The DBCDE noted that the five day time limit in the Spam Act applies differently depending on the communication medium used. If a withdrawal of consent is sent electronically, the five day time limit starts on the day on which the message was sent, but if a request is sent by post, the time limit does not commence until service of the message is effected. In any other case, the time limit does not commence until the day on which the message is delivered. On this basis, it submitted that the Spam Act provided for a flexible response.[150]

26.115 The Australian Privacy Foundation and the Cyberspace Law and Policy Centre supported the proposal, but urged that it be ‘strengthened by prescription, in Regulations or a binding Code, of specific target response times for different media of communication’.[151]

26.116 While the OPC expressed general support, its view was that an organisation involved in direct marketing should comply with an individual’s request not to receive direct marketing communications within ‘a specific period of time’. It suggested that other sectoral legislation could provide guidance as to the time period.[152] PIAC shared this view, submitting that a ‘reasonable time’ requirement is ‘too vague and open to self-serving interpretations by direct marketing organisations’.[153]

ALRC’s view

26.117 In order to make the opt-out model effective, the ‘Direct Marketing’ principle should provide that organisations must act on a request by an individual not to receive any further direct marketing communications within a reasonable period of time. The term ‘reasonable’ should be interpreted with reference to all relevant factors, including how the direct marketing communications are transmitted and the length of time it takes to amend an organisation’s database. It is too difficult to specify a time period that addresses all of the ways in which direct marketing communications can occur. The wide variation in the timeframes suggested by stakeholders illustrates this point. The ‘Direct Marketing’ principle should not specify the number of days within which to act on any request not to receive direct marketing communications. Rather, the organisation should comply within a reasonable time.

26.118 The ‘Direct Marketing’ principle should clarify that an organisation must not charge an individual for giving effect to a request from the individual not to receive further direct marketing communications. This currently forms part of NPP 2.1(c)(ii) and it is important that this requirement be retained.

Recommendation 26–5 The ‘Direct Marketing’ principle should provide that an organisation involved in direct marketing must comply, within a reasonable period of time, with an individual’s request not to receive further direct marketing communications and must not charge the individual for giving effect to such a request.

Original source of personal information

26.119 The OPC Review recommended that the Australian Government consider amending the Privacy Act to require organisations engaged in direct marketing to take reasonable steps, on request, to advise an individual from where it acquired the individual’s personal information.[154] In its submission to the OPC Review, ADMA stated that the rationale behind such a provision is that ‘informing individuals of the source of the data being used gives them more control over their personal information and reduces the number of repeat complaints about unsolicited marketing’.[155] A recent survey commissioned by the OPC indicated that 53% of people who had received unsolicited direct marketing communications were concerned about how the organisations in question obtained their details.[156]

26.120 One individual who contacted the ALRC noted:

Some marketing organisation has gotten my details for on-selling, but I can’t get at the ‘source’. I can only tell marketers who contact me directly to remove my name from their individual lists. I want for the ‘source’ to be obliged to tell me on a regular basis … what details they have on me, and give me the chance to have my details removed from their master list.[157]

26.121 In DP 72, the ALRC proposed that the ‘Direct Marketing’ principle should provide that an organisation involved in direct marketing, when requested by an individual to whom it has sent direct marketing communications, must take reasonable steps to advise the individual from where it acquired the individual’s personal information.[158]

Submissions and consultations

26.122 A range of views were received on the ALRC’s proposal. A large number of stakeholders expressed support for the proposal,[159] including the OPC which stated:

This proposal would enhance transparency in how individuals’ personal information is handled and promote handling that accords with individuals’ reasonable expectations … Knowing the source of the information may also permit the individual to pursue other options with that entity, such as to complain to it or, if the entity is an agency or organisation, make a complaint about the disclosure to the Privacy Commissioner.[160]

26.123 PIAC also expressed strong support, arguing that it would ‘empower individuals to take back control’ of the use of their personal information. PIAC noted that it also may encourage organisations to ‘carefully consider whether they have a legitimate basis for collecting the personal information in the first place’.[161]

26.124 The Victorian Council for Civil Liberties identified as a central issue

where the ‘master source’ of the information discloses it to a number of direct marketing bodies resulting in an individual being inundated with information they neither sought nor are interested in. In such cases the individual needs to identify the source in order to be removed from the Master list.[162]

26.125 The Consumer Action Law Centre submitted that:

marketers should be obliged to inform individuals, on request, of the source of the individual’s personal information … Consumers are often frustrated by companies failing to tell them where they obtained their personal information.[163]

26.126 While the Cyberspace Law and Policy Centre and the Australian Privacy Foundation supported the proposal, they called for more specificity ‘by requiring information on the identity of the source’, arguing that, in its absence, ‘the principle could be satisfied by a broad generic description—for example, a of list brokers’. This would be of limited value to an individual seeking to ‘follow the chain’ of information.[164]

26.127 ACMA submitted that the proposal was generally consistent with the requirements placed on persons making telemarketing and research calls under the Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Industry Standard 2007 (Cth) (the Industry Standard).[165] ACMA noted that the Industry Standard requires telemarketers and researchers (the callers), if requested by the call recipient, to indicate where they obtained the telephone number and the name and contact details of any organisation that provided them with the information (where applicable). ACMA also noted that the requirements only apply to data disclosed to a caller after 1 July 2007.[166]

26.128 Optus expressed support for the proposal. It submitted, however, that the requirement should be limited to requiring an organisation to provide an individual with the contact details of the company from which the organisation sourced the data.

Should an individual want to trace the source of their data the responsibility to conduct this activity should fall to the individual and individuals should be given sufficient information to conduct this activity. A requirement for organisations to obtain and hold the primary source of data would be extremely expensive and cause a significant increase in the compliance costs of the Privacy Act.[167]

26.129 ADMA’s support for the proposal was qualified. It agreed that ‘retaining records regarding the source of contact details and disclosing the source to the consumer on request is best practice and should be encouraged’ but called for a ‘balanced and logical approach’. It submitted that many organisations currently lack the capacity to store information about the source of contact details. ADMA sought two modifications to the ALRC’s proposal: the requirement should apply to contact details only, rather than all personal information held by an organisation; and the obligation must not apply retrospectively, because most organisations do not currently hold these records and it would not be possible for them to comply.[168]

26.130 There also were a number of stakeholders that objected to the proposal.[169] The ABA raised a number of issues. First, it asked whether it would be necessary to name a ‘precise source’ or whether it was intended that reference to a ‘generic source’ would be sufficient, such as ‘from a credit bureau’. Secondly, it noted that there may be problems where information is collected from multiple sources, including unsolicited sources.[170]

26.131 BPay strongly disagreed with the proposal, on the basis that ‘many organisations would have great difficulty in complying’ and because of the ‘large expense associated with developing systems to comply with this proposal’.[171] The Law Council of Australia submitted that the proposal was ‘impracticable’ and ‘burdensome’ on organisations. Further, it submitted:

If such a requirement is introduced, it should only oblige an organisation to advise the individual of the direct source from which the organisation acquired the data (and not the original source of the data), and should not require the organisation to make any further enquiries beyond this source.

The requirement should not apply retrospectively; particularly given the source information may not have been recorded and therefore may not be ascertainable by some organisations.[172]

26.132 Microsoft Asia Pacific also argued that the implementation of the proposal has the potential to result in substantial costs. Such costs are likely to arise from: a change to ‘business practices and systems to ensure that source data is collected’; and the fact that businesses will be required to ‘record and maintain data about all of the multiple sources from which they collect personal information’. Microsoft indicated that, in its experience, personal information is collected and updated from numerous sources. For this reason, substantial resources would be required to ‘record source data on each occasion that personal information is collected or updated’. It called on the ALRC to weigh the costs associated with the proposal against the privacy benefits it was likely to generate, arguing that the proposal was an ‘unduly onerous step’ when the likely costs were taken into account.[173]

26.133 Telstra objected to the proposal on the basis that ‘it creates significant obligations on organisations but gives no significant benefit to individuals’ privacy’. In Telstra’s view, having to track information from the ‘point of entry into the organisation’ until it was used for direct marketing purposes would involve a significant compliance burden.

The complexity of undertaking this task increases further if the information is obtained through other organisations which themselves have collected information through various sources. It is very different to a simple scenario in which an organisation buys a customer list and uses the personal information acquired from that list for marketing purposes. This scenario is, we believe, relatively unusual.[174]

26.134 One stakeholder in the airline industry highlighted the practical constraints for organisations in complying with the ALRC’s proposal. It noted that often organisations collect many separate pieces of information about their customers and that compliance would be expensive, for example, as a result of the costs associated with the storage of information. The stakeholder also noted that sometimes compliance would be impossible. An example noted was Global Distribution Systems.[175] Global Distribution Systems are ‘international computer reservations systems that book and sell tickets for most airlines’—there are four major suppliers of such systems internationally. No travel business has control over the information that such a system records, except to the extent that they themselves enter it. It would be unlikely that any major Global Distribution System would be prepared to take on the ‘major development costs (both in terms of modification of software and data storage)’ in order to comply with such a requirement.[176]

ALRC’s view

26.135 Many stakeholders were in favour of requiring organisations involved in direct marketing to take reasonable steps, on request, to advise an individual from where they acquired the individual’s personal information.

26.136 Such a requirement would be useful particularly where an individual’s personal information has been disclosed by an organisation to another organisation and it has then been used to carry out unsolicited direct marketing. In such a situation, the individual could follow a ‘chain’ of disclosure to the source and, if he or she wished, could then take action to have his or her name removed from the list. This would facilitate individuals being able to assert substantive, as distinct from merely formal, privacy rights with respect to direct marketing.

26.137 Part of the Terms of Reference for this Inquiry called for the ALRC to consider the ‘desirability of minimising the regulatory burden on business in the privacy area’.[177] The ALRC does not want to add unnecessarily to the compliance burdens faced by organisations.

26.138 The recommended ‘Direct Marketing’ principle provides, therefore, that this requirement will only apply where the direct marketing communications are made to individuals who are not existing customers. In the ALRC’s view, concern about source will be most relevant where there is no existing business relationship between an organisation and an individual.

26.139 Further, the recommended ‘Direct Marketing’ principle introduces a ‘reasonable and practicable’ threshold. The ALRC acknowledges that there may be constraints on an organisation’s ability to provide source information and, in some cases, it may not be practicable to provide such information. In other circumstances, to provide source information may not be reasonable. In deciding whether it is reasonable to provide source information, relevant factors may include the potential consequences to the individual if the information is not provided—for example, that the individual may continue to receive unsolicited direct marketing communications—and the cost to the organisation of providing this information.

26.140 For these reasons, the ALRC recommends that an organisation that has made direct marketing communications to an individual who is not an existing customer must, where reasonable and practicable and where requested to do so by the individual, advise the individual of the source from which it acquired the individual’s personal information.

26.141 ‘Source’ in this context should mean the direct source from which the organisation acquired the information. For example, if organisation C obtains personal information from organisation B, who in turn obtained the personal information from organisation A, organisation C, in responding to a request for source information, will only need to disclose the details of organisation B. It would be unduly onerous to require organisations to track personal information back to the original source. In some cases, organisation C may not be aware that organisation B obtained the personal information from some other source.

Recommendation 26–6 The ‘Direct Marketing’ principle should provide that an organisation that has made direct marketing communications to an individual who is not an existing customer or is under 15 years of age must, where reasonable and practicable and where requested to do so by the individual, advise the individual of the source from which it acquired the individual’s personal information.

[93] Rec 26–1.

[94] Australian Direct Marketing Association, Direct Marketing Code of Practice (2006), 9.

[95] Office of the Federal Privacy Commissioner, Submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000, 1 September 2000, 10.

[96] Spam Act 2003 (Cth) sch 2, cl 2; Do Not Call Register Act 2006 (Cth) sch 2, cl 2.

[97] Australian Communications and Media Authority, Do Not Call Register—A Guide for Your Business (2007), 4.

[98] Australian Communications Authority, Spam Act 2003: A Practical Guide for Government, 1 April 2004, 6.

[99] Australian Communications and Media Authority, Do Not Call Register—Consent: Information for Industry (2007), 2.

[100] Privacy Act 1988 (Cth) sch 3, NPP 2.1(a).

[101] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2-995].

[102] Macquarie Dictionary (online ed, 2007).

[103] J Douglas-Stewart, Comprehensive Guide to Privacy Law—Private Sector (online ed, as at 14 March 2008), [25-330].

[104] National Health and Medical Research Council, Australian Research Council and Australian Vice Chancellors’ Committee, National Statement on Ethical Conduct in Human Research (2007), [2.3.6(c)]. This concept of impracticability in the research context is discussed in detail in Ch 65.

[105] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[106] Ibid.

[107] Acxiom Australia, Submission PR 551, 1 January 2008.

[108] Optus, Submission PR 532, 21 December 2007.

[109] Law Council of Australia, Submission PR 527, 21 December 2007.

[110] Confidential, Submission PR 519, 21 December 2007.

[111] Currently, under the NPPs, sensitive information can be used or disclosed for the primary purpose of direct marketing if the individual consents; if the sensitive information was collected for the primary purpose of direct marketing; or if the direct marketing is directly related to the primary purpose of collection of the sensitive information and the individual concerned would reasonably expect the organisation to use or disclose the sensitive information for the purposes of direct marketing: Privacy Act 1988 (Cth) sch 3, NPP 2.1(a), 2.1(b). See J Douglas-Stewart, Comprehensive Guide to Privacy Law—Private Sector (online ed, as at 14 March 2008), [25-70].

[112] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2-995].

[113] ‘Reasonable expectations’ in the context of use and disclosure of personal information are discussed in Ch 25.

[114] This is discussed in detail below.

[115] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), rec 15.

[116] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 23.

[117] See Personal Data (Privacy) Ordinance (Hong Kong) s 34.

[118] See European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 14(b).

[119] European Commission Working Party on the Protection of Individuals With Regard to the Processing of Personal Data, Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, 24 July 1998, ch 1.

[120] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 23–3, 23–4.

[121] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Pureprofile, Submission PR 526, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; ANZ, Submission PR 467, 13 December 2007; Australia Post, Submission PR 445, 10 December 2007; Australian Information Industry Association, Submission PR 410, 7 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; B Laing, Submission PR 339, 12 November 2007.

[122] ANZ, Submission PR 467, 13 December 2007.

[123] BPay, Submission PR 566, 31 January 2008.

[124] Confidential, Submission PR 535, 21 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[125] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[126] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007.

[127] Law Council of Australia, Submission PR 527, 21 December 2007.

[128] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[129] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[130] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[131] Ibid.

[132] Optus, Submission PR 532, 21 December 2007.

[133] Australian Direct Marketing Association, Submission PR 543, 21 December 2007. See also Acxiom Australia, Submission PR 551, 1 January 2008.

[134] Media neutrality means that the principle does not use technology or media-specific language.

[135] Obesity Prevention Policy Coalition and Young Media Australia, Submission PR 144, 25 January 2007.

[136] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 23–6.

[137] Obesity Policy Coalition, Submission PR 506, 20 December 2007.

[138] Ibid.

[139] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [60.136].

[140] See Ch 69.

[141] Rec 68–1. See also Recs 68–2, 68–3, 68–4.

[142] See recommendations in relation to guidance in these areas: Recs 26–7, 68–4.

[143] See Spam Act 2003 (Cth) sch 2, cl 6(1).

[144] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 100.

[145] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 23–3, 23–4.

[146] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Obesity Policy Coalition, Submission PR 506, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; ANZ, Submission PR 467, 13 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[147] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[148] Law Council of Australia, Submission PR 527, 21 December 2007.

[149] Optus, Submission PR 532, 21 December 2007.

[150] Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007. DBCDE noted that the Department’s recent review of the Spam Act concluded that the arrangements were appropriate.

[151] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[152] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[153] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[154] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 24.

[155] Ibid, 101–102.

[156] Wallis Consulting Group, Community Attitudes Towards Privacy 2007 [prepared for the Office of the Privacy Commissioner] (2007), 29.

[157] Anonymous, Submission PR 189, 10 February 2007. See also E Cousins, Submission PR 585, 11 April 2008.

[158] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 23–5.

[159] GE Money Australia, Submission PR 537, 21 December 2007; Pureprofile, Submission PR 526, 21 December 2007; Australian Government Department of Broadband, Communications and the Digital Economy, Submission PR 512, 21 December 2007; Obesity Policy Coalition, Submission PR 506, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; ANZ, Submission PR 467, 13 December 2007; Australia Post, Submission PR 445, 10 December 2007.

[160] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[161] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[162] Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007. Also, one individual raised concerns about their personal information being sold to ‘name brokers’ without permission: E Cousins, Submission PR 585, 11 April 2008.

[163] Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[164] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[165] Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Industry Standard 2007 (Cth) as amended by the Telecommunications (Do Not Call Register) (Telemarketing and Research Calls) Industry Standard Variation 2007 (No 1) (Cth).

[166] Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[167] Optus, Submission PR 532, 21 December 2007.

[168] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[169] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; BPay, Submission PR 566, 31 January 2008; Confidential, Submission PR 536, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007.

[170] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Law Council of Australia, Submission PR 527, 21 December 2007.

[171] BPay, Submission PR 566, 31 January 2008.

[172] Law Council of Australia, Submission PR 527, 21 December 2007.

[173] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[174] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[175] Confidential, Submission PR 536, 21 December 2007.

[176] Ibid.

[177] The Terms of Reference are reproduced at the beginning of this Report.