16.08.2010

Current coverage by IPPs and NPPs

26.9 The current rules in the Privacy Act on direct marketing differ between agencies and organisations. The Information Privacy Principles (IPPs) do not contain any provisions dealing explicitly with direct marketing by agencies. In contrast, the National Privacy Principles (NPPs) deal with the issue of direct marketing by organisations as part of the use and disclosure principle. NPP 2 creates a general prohibition against the use or disclosure of personal information for a secondary purpose, and then lists a number of exceptions to this general rule.^[9] The most significant exception is NPP 2.1(c), which permits the use of personal information for the secondary purpose of direct marketing only if all of the following conditions are met:

the information in question is not ‘sensitive information’;
it is impracticable to seek the individual’s consent before using the information;
the organisation will not charge the individual for giving effect to a request by the individual not to receive direct marketing communications;
the individual has not requested the organisation to refrain from providing direct marketing communications;
in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that the individual may express a wish not to receive any further direct marketing communications; and
each written direct marketing communication to the individual sets out the organisation’s business address and telephone number and, if the communication is made by electronic means, a number or address at which the organisation can be contacted directly electronically.

26.10 Currently, the direct marketing provisions only permit personal information to be used, but not disclosed, for direct marketing.^[10] The Annotated National Privacy Principles state that, in determining whether it is ‘impracticable’ to gain consent for the purposes of NPP 2.1(c)(i), relevant factors will include the cost of obtaining consent and any negative privacy implications that may result from not obtaining consent.^[11] The factors listed in relation to ‘impracticability’ in the OPC’s Guidelines to the NPPs include the consequences for the individual of receiving the information without having consented and how often the organisation is in contact with an individual.^[12]

26.11 NPP 2 prohibits an organisation from using or disclosing personal information for the secondary purpose of direct marketing, unless its proposed use or disclosure falls within one of the exceptions in NPP 2.1. In addition to direct marketing permitted by NPP 2.1(c), there are other circumstances in which the use or disclosure of personal information for direct marketing is permitted under the NPPs. These are where

the individual concerned has consented to its use for that purpose;
the information was collected for the primary purpose of direct marketing;
direct marketing is related, or, in the case of sensitive information, is directly related, to the primary purpose of collection and the individual concerned would reasonably expect the organisation to use or disclose the information for direct marketing.^[13]

26.12 The Comprehensive Guide to Privacy Law states that ‘if any of these circumstances exist, there is no need to rely on the special direct marketing provisions’.^[14] For example, in E v Motor Vehicle Retail Organisation,^[15] the respondent had collected the complainant’s personal information without consent by acquiring a marketing list from another organisation for the purpose of direct marketing. The Privacy Commissioner determined that there was no breach of NPP 2, since the respondent had collected the respondent’s personal information for the primary purpose of direct marketing and used it for that purpose.

26.13 It seems that much direct marketing, in particular to existing customers, is facilitated by the other limbs of the use and disclosure principle. For the purposes of NPP 2.1(b), consent can either be express or implied. An example of implied consent for a secondary purpose is where an individual does not ‘indicate on an application form that he or she would like to opt-out of receiving direct marketing material where the option to do so is clearly indicated above the signature box’.^[16]

Issues in current coverage by the NPPs of direct marketing

26.14 Issues arising from the practice of direct marketing and the application of the principles dealing with direct marketing were considered by the OPC Review.^[17] These included, for example, whether the Privacy Act should contain the assumption that personal information may be used for direct marketing. The OPC recommended that the Australian Government should consider:

amending the Privacy Act to provide consumers with a general right to opt out of direct marketing approaches at any time and to require that organisations comply with such a request within a specified time;^[18]
amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual’s personal information;^[19] and
exploring options for establishing a national ‘Do Not Contact’ register.^[20]

26.15 In response to the Issues Paper, Review of Privacy (IP 31), the Law Council of Australia submitted that there should be a separate privacy principle dealing with direct marketing, and that it should apply regardless of whether the relevant personal information was collected for the primary purpose or a secondary purpose of direct marketing.^[21] This is because the current provisions permit personal information that is collected for the primary purpose of direct marketing to be used ‘almost without restraint’.^[22] The Law Council submitted that:

There appears to be no valid policy reason why an organisation which collects information for the primary purpose of direct marketing should be free to use that information in a way which organisations which collect it in the context of a relationship with the individual are not free to use it. Indeed, from a policy perspective you might expect fewer, not more, constraints on an organisation with which an individual has chosen to deal as opposed to an organisation which has no relationship with an individual but buys their information for the purpose of marketing to them.^[23]

26.16 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC noted that there is currently considerable ambiguity about whether organisations have collected personal information for the primary or secondary purpose of direct marketing. There also may be some deliberate or unintended obfuscation. For example, where individuals are asked to provide personal information to make them eligible to win a prize, the individuals might assume that the primary purpose of the collection is to make them eligible for the prize, whereas the primary purpose of the organisation collecting this information may in fact be to create a database from which to carry out direct marketing. The OPC Review observed that ‘even if the individual reads the fine print, he or she is unlikely to draw a distinction between a primary and secondary purpose and to understand the consequences of the decision’.^[24] This problem would be eliminated by making the direct marketing rules apply regardless of whether the personal information in question was collected for the primary purpose of direct marketing or whether it was a secondary purpose.

26.17 In DP 72, the ALRC expressed the preliminary view that stakeholder concerns regarding the direct marketing activities of some organisations are unlikely to be addressed adequately if the relevant privacy principle only covers secondary purpose direct marketing. Consequently, the ALRC proposed that the Privacy Act should apply to direct marketing, whether the individual’s personal information was collected for the primary purpose or a secondary purpose of direct marketing.

26.18 In DP 72, the ALRC stated that, if this reform is adopted, the rationale for locating the direct marketing provisions in the general use and disclosure privacy principle would be severely undermined. Moreover, given that direct marketing is relevant to other aspects of the information cycle—most notably, the collection of personal information and the maintenance of data quality and data security—the ALRC noted that it is logical to create a discrete privacy principle to regulate direct marketing. The ALRC proposed that the Unified Privacy Principles (UPPs) should regulate direct marketing by organisations in a discrete privacy principle, separate from the ‘Use and Disclosure’ privacy principle, to be called ‘Direct Marketing’.^[25]

Submissions and consultations

26.19 The proposal was supported by a large number of stakeholders.^[26] The Public Interest Advocacy Centre (PIAC) supported the removal of the distinction between primary and secondary purpose direct marketing:

In many cases it will be too difficult to determine whether direct marketing is a primary or a secondary purpose of collection. The proposed UPP will avoid the need to get bogged down in this type of argument.^[27]

26.20 The OPC submitted that the proposed separate principle was ‘an appropriate response to the demonstrable community concern regarding the handling of personal information for direct marketing’.^[28] GE Money Australia submitted that the proposed principle would assist in ‘providing clarity’ as to the rules associated with direct marketing for organisations engaged in it.^[29] The Insurance Council of Australia submitted:

It is anomalous that those who intend to use personal information for direct marketing as a secondary purpose currently have significantly more onerous obligations than those who receive consent for direct marketing as a primary purpose.^[30]

26.21 A number of stakeholders, however, did not support a separate principle.^[31] Optus submitted that direct marketing

serves an important economic function and is a vital component of Australian business … Many Australians purchase goods and services through direct marketing channels. Further, the ability to use customer information for the secondary purpose of direct marketing prevents anonymous direct marketing contacts and allows more targeted direct marketing. More targeted direct marketing results in direct marketing approaches being made to parties that are interested in receiving an approach by an organisation. There are two significant positive effects that arise from targeted marketing. Firstly it reduces the number of unwanted direct marketing contacts. Secondly it increases business efficiency.^[32]

26.22 The Australian Bankers’ Association (ABA) submitted that direct marketing was simply one aspect of use and disclosure.^[33] Acxiom submitted that privacy legislation was not ‘the appropriate mechanism through which to regulate specific industry sectors or industry practices’.^[34]ADMA and Acxiom argued that it was more appropriate for the UPPs to remain both technologically neutral and non-industry or practice specific.^[35] They submitted that more detailed rules relating to direct marketing should be addressed by a registered industry code of practice or in guidance published by the OPC.^[36]

26.23 The Law Council of Australia submitted:

The impact of the proposed change is the direct marketers would always be required to obtain consent (where it is practical to do so) and to provide an opt-out to recipients, even where the information was collected for the primary purpose of direct marketing and where there is an existing business relationship (although arguably this may give rise to an implied consent).^[37]

26.24 Some stakeholders took issue with the description of direct marketing in DP 72.^[38] ADMA argued that the ‘definition’ of direct marketing focused on ‘unsolicited communications’ and did not capture ‘direct marketing to individuals with whom organisations have existing business relationships’.^[39] ADMA argued that ‘direct marketers do not “compile lists” of current customers from external sources because they have already been given the data’.^[40] ADMA also pointed out that ‘legislation ensures that the electoral roll is not to be used for direct marketing purposes and telephone directories are protected by copyright’.^[41]

26.25 Some stakeholders called for the term ‘direct marketing’ to be defined.^[42] For example, the Cyberspace Law and Policy Centre and the Australian Privacy Foundation suggested the Privacy Act should define direct marketing as

the marketing or promotion of goods, services or ideas, including fundraising and recruitment, by direct targeted communication with specific individuals or by individualized communications by any means.^[43]

26.26 The Law Council called for the definition of direct marketing in the OPC Review, referred to above, to be adopted.^[44] A number of stakeholders also called for a distinction to be made between direct marketing to existing customers and direct marketing to prospective customers.^[45] ADMA submitted:

It is vital to make the distinction between direct marketing to existing customers and unsolicited direct marketing to prospective customers.
Marketing to existing customers is both a legitimate business activity and essential as it ensures that an organisation can meet the needs of its customers by offering the most appropriate and cost effective products and services to consumers that it has already established a relationship with.^[46]

ALRC’s view

26.27 The issue of direct marketing has been, and continues to be, the subject of a very strong response from stakeholders and the community generally. On one hand, there is a strong push from consumers and consumer advocates to tighten the rules on direct marketing to make it more difficult for companies engaged in direct marketing to communicate with people in this way, particularly with respect to unsolicited direct marketing. This draws on the conceptualisation of privacy as including, at least, ‘the right to be let alone’.^[47]

26.28 On the other hand, business groups and others have emphasised the importance of direct marketing for the economy generally. They have also stressed that, if direct marketing is carried out appropriately, it can be of considerable assistance to consumers that receive direct marketing communications.

26.29 It is possible to balance these competing positions by recognising both that some forms of direct marketing can be pernicious and can erode individuals’ privacy rights but that, if undertaken appropriately, direct marketing also can be beneficial.

26.30 The Privacy Act currently deals with the issue of direct marketing by organisations as part of the use and disclosure principle in NPP 2. There currently is considerable ambiguity as to whether organisations, which collect personal information that they later intend to use for direct marketing, have collected this information for the secondary purpose of direct marketing. The concerns expressed by stakeholders regarding the direct marketing activities of some organisations are unlikely to be addressed adequately if the relevant privacy principle only covers secondary purpose direct marketing.

26.31 The model UPPs should regulate direct marketing by organisations in a discrete privacy principle, which should apply regardless of whether the organisation has collected the individual’s personal information for the primary purpose or a secondary purpose of direct marketing.

26.32 The ALRC acknowledges the issues raised by stakeholders about the description of direct marketing in DP 72, and has attempted to address those concerns in this chapter. The ALRC notes, however, that while some stakeholders called for the term ‘direct marketing’ to be defined for the purposes of the Privacy Act, there is no consensus about how that term should be defined. In the ALRC’s view, the scope of the term generally seems to be understood. Concerns raised in relation to direct marketing were not definitional—instead the concerns raised were about the process of direct marketing, in particular, unsolicited direct marketing. To define direct marketing may unnecessarily confine the application of the ‘Direct Marketing’ principle. For example, if direct marketing is defined by reference to current practice, but practice later evolves, new methods of direct marketing may not be caught by the definition and so would not be subject to the ‘Direct Marketing’ principle. In the ALRC’s view, ‘direct marketing’ should not be defined for the purposes of the Act.

26.33 The requirements that apply to direct marketing communications to individuals who are not existing customers should be more onerous than those applying in the context of direct marketing to existing customers. The reasons for this distinction are discussed later in relation to the content of the model ‘Direct Marketing’ principle.

Recommendation 26–1 The model Unified Privacy Principles should regulate direct marketing by organisations in a discrete privacy principle, separate from the ‘Use and Disclosure’ principle. This principle should be called ‘Direct Marketing’ and it should apply regardless of whether the organisation has collected the individual’s personal information for the primary purpose or a secondary purpose of direct marketing. The principle should distinguish between direct marketing to individuals who are existing customers and direct marketing to individuals who are not existing customers.

^[9] The operation of NPP 2 is considered in greater detail in Ch 25.

^[10] J Douglas-Stewart, Comprehensive Guide to Privacy Law—Private Sector (online ed, as at 14 March 2008), [25-320]; Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 38.

^[11] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2-1125].

^[12] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 39.

^[13] J Douglas-Stewart, Comprehensive Guide to Privacy Law—Private Sector (online ed, as at 14 March 2008), [25-70], referring to Privacy Act 1988 (Cth) sch 3, NPP 2.1(a), 2.1(b).

^[14] J Douglas-Stewart, Comprehensive Guide to Privacy Law—Private Sector (online ed, as at 14 March 2008), [25-60].

^[15] E v Motor Vehicle Retail Organisation [2004] PrivCmrA 19; cited in J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2-906].

^[16] J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [2-1040].

^[17] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 94–103.

^[18] Ibid, rec 23, 11, 103.

^[19] Ibid, rec 24, 11, 103.

^[20] Ibid, rec 25, 11, 103.

^[21] Law Council of Australia, Submission PR 177, 8 February 2007.

^[22] Ibid. See also Obesity Prevention Policy Coalition and Young Media Australia, Submission PR 144, 25 January 2007.

^[23] Law Council of Australia, Submission PR 177, 8 February 2007.

^[24] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 95.

^[25] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 23-1.

^[26] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Obesity Policy Coalition, Submission PR 506, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; ANZ, Submission PR 467, 13 December 2007; Australia Post, Submission PR 445, 10 December 2007.

^[27] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

^[28] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

^[29] GE Money Australia, Submission PR 537, 21 December 2007.

^[30] Insurance Council of Australia, Submission PR 485, 18 December 2007.

^[31] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Investment and Financial Services Association, Submission PR 538, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

^[32] Optus, Submission PR 532, 21 December 2007.

^[33] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008. Also: Acxiom Australia, Submission PR 551, 1 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australia Post, Submission PR 445, 10 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007.

^[34] Acxiom Australia, Submission PR 551, 1 January 2008.

^[35] Ibid; Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

^[36] Acxiom Australia, Submission PR 551, 1 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

^[37] Law Council of Australia, Submission PR 527, 21 December 2007.

^[38] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [23.1].

^[39] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

^[40] Ibid.

^[41] Ibid. See also Acxiom Australia, Submission PR 551, 1 January 2008.

^[42] Law Council of Australia, Submission PR 527, 21 December 2007.

^[43] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

^[44] Law Council of Australia, Submission PR 527, 21 December 2007.

^[45] Acxiom Australia, Submission PR 551, 1 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Optus, Submission PR 532, 21 December 2007.

^[46] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

^[47] See S Warren and L Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review 193, 193. Note, however, that the definition of the ‘right to privacy’ should not be reduced only to the right to be left undisturbed. As explained in Ch 1, the modern conceptualisation of privacy involves many other elements.