Online consumers and direct marketing issues

69.7 Personal information collected in the online environment is subject to the same laws as any other personal information. This chapter focuses on personal information collected in the online environment, such as through registration pages, survey forms, order forms, and online contests. In Chapter 9, the ALRC discusses technology that can be used to capture personal information in ways that are not obvious to the online consumer, such as by using cookies or web bugs, and security issues in the online environment. In Chapter 67, the ALRC deals more specifically with the situation where a child or young person, or a third party, chooses to disclose personal information on a social networking site.

69.8 The internet is now an integral part of modern marketing techniques. Given their familiarity and high usage of the internet, and their significant consumer power,^[1] it is not surprising that this medium is used to target children and young people.

The World Wide Web has provided children with abundant new opportunities for learning, communicating and playing. But parents and children need to be aware that the Internet has joined television, radio and print as a key component of today’s marketing campaigns and many use consumer information to build individual relationships. Children are often more cyber-savvy than their parents. But they also have a trusting and curious nature that may lead them to give out personal information without realising it.^[2]

69.9 There is extensive literature that addresses the particular susceptibilities of children as consumers.^[3] When combined with a medium that is often used by children and young people with little or no supervision, concerns arise about the privacy of children and young people as consumers using the internet.

Online privacy regulation in Australia

69.10 The Privacy Act does not distinguish between the application of privacy principles in the online environment and their application in any other area. There is some criticism, however, of the operation of the privacy principles in the online environment.

The fact is that, under existing Australian law, individuals have almost no privacy ‘rights’ in the online environment and even the few rights they allegedly have are not protected adequately and are difficult, sometimes impossible, to have enforced. The lack of rights arises from a combination of factors, including but not limited to, uncertainty regarding the definition of ‘personal information’; no requirement to obtain consent before collecting personal information; use of bundled ‘consents’ including to disclose information to unspecified ‘partners’; the small business exemption; and/or technological developments.^[4]

69.11 The more general issue of regulation of the internet is addressed in Chapter 11. The ALRC does not recommend, however, that privacy in the online environment be regulated separately from other environments. The same set of privacy principles is recommended to apply to the handling of personal information regardless of the medium.^[5]

69.12 It is possible for industries to develop their own standards or guidelines, consistent with the Privacy Act, that address particular online privacy practices, including with respect to the privacy of children and young people. For example, the Internet Industry Association (IIA) has developed a Privacy Code of Practice, which is currently under consideration by the Office of the Privacy Commissioner (OPC).^[6] The Code includes a specific provision requiring that a legal guardian provide consent on behalf of an individual under the age of 13 before disclosure of sensitive information collected from or about the child.^[7] The Australian Direct Marketing Association (ADMA) publishes tips on helping parents to safeguard a child’s privacy online, and plans to introduce guidelines on children’s privacy that will be compulsory for its members.^[8]

Online privacy regulation in the United States

69.13 While the United States (US) does not have federal legislation for the online privacy of adult consumers, it does have federal online privacy legislation dealing specifically with children. Based on the recommendations of the US Federal Trade Commission (FTC),^[9] the Children’s Online Privacy Protection Act 1998 (COPPA) was passed by the US Congress in 1998 with a requirement that the FTC issue and enforce rules concerning children’s online privacy.

69.14 The Children’s Online Privacy Protection Act Rule (COPPA Rule), which came into effect in April 2000, aims to give parents control over what information is collected from their children online. The COPPA Rule applies to operators of commercial websites and online services directed to individuals under the age of 13 that collect personal information from children, and to operators of general websites with ‘actualknowledge’ that they are collecting information from individuals under the age of 13. Websites hosted in a foreign jurisdiction must comply with COPPA if they are directed to children in the US, however difficult this is to enforce in practice. Under the Rule, operators are required to:

• post a clear and comprehensive privacy policy on their websites;

• provide notice to parents and, with limited exceptions, obtain verifiable parental consent before collecting personal information;

• give parents the choice to consent to the collection and use of personal information about their child;

• provide parents with access to their child’s personal information in order to review or delete it;

• give parents the opportunity to prevent further collection or use of the information; and

• maintain the confidentiality, security and integrity of information they collect from children.

69.15 The FTC has a sliding scale approach to obtaining verifiable parental consent, with the requirements for obtaining consent becoming more rigorous where the intended use of the information involves disclosure to third parties rather than internal use. Where the information is to be used for internal purposes only, verifiable parental consent can be obtained through the use of an email message to the parent, coupled with additional steps to provide assurances that the person providing the consent is, in fact, the parent. More rigorous methods specified in the Rule include: fax- or mail-back forms; credit card transactions; staffed toll-free numbers; digital certificates using public key cryptography; and emails accompanied by a PIN or passwords.

69.16 Website operators who violate the COPPA Rule can be liable for civil penalties of up to US$11,000 per violation. The FTC has undertaken an active enforcement approach to COPPA, including 11 successful enforcement cases between 2000 and 2004,^[10] and the publication of a survey of the compliance levels of 144 key US websites.^[11] In March 2006, after a public review of the Rule, the FTC announced that the COPPA Rule had succeeded in providing greater protection to children’s personal information online, and that the Rule—complete with the sliding scale—was to be retained without amendment.^[12]

69.17 There have been criticisms, however, of the COPPA Rule and how it has operated in practice. These include that:

• non-profit organisations are not covered by COPPA;^[13]

• operators of general websites without ‘actual knowledge’ of the age of the child do not have to comply with COPPA, and so can circumvent the Rule merely by not asking the age of the person submitting personal information;^[14]

• it is easy for children to circumvent the law by lying about their age, or opening email accounts in their parents’ names and giving consent on their own behalf;^[15]

• the substantial burden of complying with COPPA has forced many websites simply to eliminate children’s programming;^[16] and

• even those websites complying with the COPPA Rule do not necessarily comply with the spirit of the law, and most existing privacy policies are too complex for children or parents to understand.^[17]

Direct marketing to children and young people

69.18 The Obesity Prevention Policy Coalition (OPPC) and Young Media Australia (YMA) made a joint submission to this Inquiry that focused on the problems of direct marketing aimed at children and young people.^[18] Although the concerns about direct marketing arise regardless of the media involved, the increasing use of technology to engage with children and young people was seen as a particular concern.

In our view, protecting children from interference with their privacy through direct marketing is becoming increasingly important in light of children’s increasing use of the internet, email and SMS, and advertisers’ widespread use of these technologies to market products directly to children … We are particularly concerned about direct marketing using these technologies because, unlike television, these technologies enable marketers to interact directly with children. Direct marketing using these technologies intrudes directly into children’s personal space, and provides marketers with unsupervised access to children.^[19]

69.19 The OPPC and YMA cited research indicating that children are more susceptible to commercial influence, and that they are unfairly manipulated by direct marketing.^[20] Many children and young people do not have the capacity to make appropriate decisions regarding the disclosure of personal information in a direct marketing context. Further, the OPPC and YMA submitted that direct marketers are unlikely to have the kind of contact with children or young people required to make any individual assessment about capacity. They also noted that direct marketers have a vested interest in assuming that consent is informed and freely given.

69.20 The OPPC and YMA suggested that direct marketers should be prohibited from collecting or using information without the express, verified consent of the child’s parent if they know, or would be reasonably likely to know, that it is about an individual under the age of 14. It was proposed that the express, verified consent should be able to be provided through a signed form sent by mail or fax, provision of a credit card number or electronic signature, or calling a toll-free number staffed by trained personnel. It also was suggested that there be a prohibition on making consent to use personal information for direct marketing purposes a condition of entry to a competition, promotion or other activity if the entrant is under the age of 14. The OPPC and YMA provided a number of examples where this condition of entry has been used in competitions or clubs aimed at children in Australia.

Options for reform

69.21 Given the concerns raised about collection of personal information from children and young people for direct marketing purposes, particularly in the online environment, there is a need to consider whether the Privacy Act or related legislation should contain additional protections for children and young people that modify the general application of the privacy principles.

69.22 One option is to adopt a model based on COPPA. Many aspects of COPPA apply general privacy measures that are necessary due to the absence of general information privacy legislation in the US. These requirements—including posting privacy policies on websites; rights of access and correction; and obligations to maintain the confidentiality, security and integrity of collected personal information—apply under the Privacy Act to all personal information, not only to personal information about children.

69.23 The major additional protections provided by COPPA, which appeal to some in the Australian community, are the requirements to obtain verifiable parental consent before collecting any personal information from an individual under the age of 13, and giving parents the opportunity to prevent further collection or use of the information. This was the basis of the proposed amendment for the ‘special protection for children’ put forward by the Australian Labor Party during debate on the Privacy Amendment (Private Sector) Bill 2000 (Cth), although the proposal was not limited to online activity as it is in COPPA.^[21]

69.24 The suggestion for additional protections stems from concerns that children and young people are unable to make an informed choice before providing personal information to an agency or organisation. For example, a child or young person is more likely than an adult to complete an online form and provide personal information in order to continue to play a game or enter a competition without giving appropriate consideration to the intended use of the personal information. Even where a child or young person stops to consider the consequences, he or she is less likely than an adult to find and understand the privacy policy of the agency or organisation.^[22] Combined with the knowledge that children and young people interact regularly with agencies and organisations in the online environment, sometimes without adult supervision, this is seen as a serious concern by some stakeholders.

69.25 Under the model Unified Privacy Principles (UPPs), it is not necessary to obtain an individual’s consent to collect his or her personal information, except in relation to sensitive information where no other exception allows for collection without consent. While consent is not required for collection of non-sensitive personal information, an individual often can choose to take steps to prevent an agency or organisation from collecting that personal information. This was one factor considered by the ALRC when making a recommendation that agencies and organisations should be required to collect personal information directly from an individual wherever reasonable and practicable.^[23] The ALRC also makes a number of recommendations aimed at improving the extent and clarity of information made available to individuals about how their personal information will be handled.^[24] These recommendations, however, will not be of assistance to a child who is incapable of understanding and synthesising the information in order to make informed choices.

69.26 On the other hand, there are practical reasons why the privacy principles do not require consent to every collection of personal information. There needs to be a balance between privacy protection and the practical operation of services and businesses. Protections where required are included in the UPPs while still allowing for the appropriate flow of information. This may require agencies and organisations to seek consent from individuals where there are particular risks, such as before the collection of sensitive information, and before a use or disclosure that is not consistent with the primary purpose of collection, or otherwise covered by the carefully crafted exceptions to the ‘Use and Disclosure’ principle. General protections relating to data quality and security apply to all personal information regardless of the way in which it was collected.

Submissions and consultations

69.27 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC considered that the consent mechanisms built into the proposed ‘Direct Marketing’ principle provided sufficient protection to children and young people. Particularly when combined with the proposals regarding decision making on behalf of individuals under the age of 15, it was considered that no additional protections were necessary.

69.28 As indicated in Chapter 68, ADMA did not support the ALRC’s proposals for determining the decision-making capacity of individuals under the age of 18. ADMA was concerned about the impact they would have in the direct marketing context.^[25] The Law Council of Australia had a similar reaction:

There are many organisations that regularly collect and use the information of young people for marketing purposes (for example, birthday clubs, teen magazines, competitions etc), which are perfectly acceptable.

Imposing an age limit in relation to capacity to make privacy related decisions, including consenting to collection of information, would be impracticable and burdensome for businesses, especially in the online environment, and may deprive young people of opportunities they may otherwise be offered.

Offers are regularly made to young people which involve collection of their personal information. If it is considered that personal information should not be collected in specific circumstances, this should be a matter for the legislature to regulate. The difficulty with the proposed restriction is that it would place a burden on the organisation collecting the information which would be difficult to discharge. This may result in a detriment to young people, as organisations may choose to discontinue these activities.^[26]

69.29 The Obesity Policy Coalition, which raised significant concerns about direct marketing to children in an earlier submission to the Inquiry, gave general support for the proposed ‘Direct Marketing’ principle—in particular the requirement to obtain parental consent on behalf of a child or young person lacking decision-making capacity.^[27] The Coalition was worried, however, that the proposed principle provides too broad an exception that may allow direct marketing to children without parental consent. Of major concern was the exception in the ‘Direct Marketing’ principle that allows for direct marketing using non-sensitive personal information without consent where it is impracticable for the organisation to seek consent.^[28]

69.30 In DP 72, the ALRC suggested that guidance should deal with this issue, requiring the establishment of appropriate age verification and parental consent mechanisms where an organisation ‘knowingly’ handles personal information relating to individuals under the age of 15. The Obesity Policy Coalition submitted that the principle and guidance imposed insufficient obligations on organisations, too easily allowing an interpretation to avoid the consent requirement where ‘it is difficult to identify, locate or communicate’ with the person with parental responsibility.^[29]

69.31 The Obesity Policy Coalition also was concerned about the effective operation of the opt out provisions of the ‘Direct Marketing’ principle. While giving general support for the inclusion of opt out provisions, and the ability for a person with parental responsibility to activate the opt out on behalf of an incapable child or young person, the Coalition suggested that ongoing communications directly between the organisation and the child or young person would hinder the ability for the person with parental responsibility to exercise the option at an appropriate time. The Coalition suggested that those acting on behalf of the child or young person should be given the option to opt out directly each time information is communicated to that child or young person.^[30]

69.32 Liberty Victoria also did not support the ‘one-size-fits-all’ approach of the proposed ‘Direct Marketing’ principle, or the guidance for dealing with vulnerable individuals including children. It suggested that there was a need for a positive obligation on direct marketers not to ‘manipulate’ children.^[31]

ALRC’s view

69.33 When combined with the ALRC’s recommended provisions regarding decision making by and on behalf of individuals under the age of 18, the balance provided in the privacy principles between privacy protection and the free flow of information is appropriate and gives adequate protection to the personal information of a child or young person.

69.34 The ALRC notes particular concerns, however, about direct marketing. Questions may be raised about whether direct marketing to children and young people, of itself, is undesirable. The OPPC and YMA presented evidence highlighting that, for developmental reasons, children and young people are less able to resist commercial influence and that the risks to children are heightened when combined with technology that enables organisations to contact children directly.^[32] It is not appropriate to prohibit direct marketing to children and young people through information privacy law. Such a decision must involve policy considerations that extend beyond the scope of this Inquiry. The recommendations in this Report will ensure, however, that personal information about children and young people is handled appropriately by direct marketers.

69.35 The ALRC has reconfigured the ‘Direct Marketing’ principle, in light of concerns raised by stakeholders in response to DP 72.^[33] The recommended principle imposes different obligations on organisations based on a distinction between unsolicited direct marketing and direct marketing to existing customers. Direct marketing to existing customers is a simpler process that does not require the individual’s consent (or the application of the exception to seek consent).

69.36 In redrafting the principle, the ALRC considered the level of protection that exists for children and young people. Part of the ALRC’s reasoning in DP 72 for not proposing additional protections for children and young people in relation to direct marketing was that the proposed principle operated to require parental consent before using personal information about child or young person lacking decision-making capacity for the purposes of direct marketing. The ALRC acknowledged that the exception to consent—ie, where it is non-sensitive information and it is impracticable to obtain consent—would apply, but proposed guidance from the OPC to indicate how the exception would operate to limit the circumstances in which an organisation could claim it is impracticable to obtain parental consent.^[34]

69.37 Parental consent generally should be a prerequisite to the use of personal information for direct marketing purposes of a child or young person lacking decision-making capacity. While overall the ALRC considers that the obligations imposed on direct marketers in relation to existing customers can be reduced, due to the ongoing relationship between the organisation and customer,^[35] this policy is inappropriate when dealing with children and young people lacking decision-making capacity. Evidence has shown that children and young people have greater difficulties in distinguishing between commercial and non-commercial content. While children over the age of eight may have a rudimentary understanding that advertising is intended to sell products, many are unable to interpret advertising messages critically and understand the persuasive intent.^[36]

69.38 For these reasons, the ALRC has built into the ‘Direct Marketing’ principle an additional protection for individuals under the age of 15, requiring that these children and young people never be treated as ‘existing customers’ for these purposes.^[37] This brings into play higher obligations on the organisation seeking to use personal information about the individual for the purposes of direct marketing in relation to each use of the information—that is, the consent of the individual must be obtained for the use, unless the information is non-sensitive personal information, and it is impracticable to seek consent. When combined with the ALRC’s recommendations relating to decision making for children and young people lacking decision-making capacity, this will require that a person with parental responsibility provide the consent on behalf of the child or young person.^[38]

69.39 The ALRC notes that incorporating an age cut off of 15 years, which is the age of presumption of capacity recommended in Chapter 68, varies from the ALRC’s recommendations that the capacity of an individual under the age of 18 should be assessed whenever reasonable and practicable. It is recognised that in almost all circumstances involving direct marketing it would be unreasonable or impracticable for the organisation to undertake an individual assessment of the capacity of the individual. By incorporating the age of presumption of capacity in relation to this particular use of personal information, the wording of the principle is kept as simple as possible. This is consistent with the ALRC’s general approach to the drafting of the privacy principles, while still meeting the ALRC’s overall policy objectives in relation to regulating decision making by and on behalf of individuals under the age of 18 years.

69.40 Some stakeholders had concerns about the operation of the ‘not practicable’ exception to obtaining consent in the ‘Direct Marketing’ principle and the detrimental effect this could have on organisations implementing appropriate age verification and parental consent mechanisms. The ALRC notes these concerns and considers that it will be necessary to ensure that guidance in relation to the ‘Direct Marketing’ principle, as well as guidance in relation to the handling of personal information of individuals under the age of 18 years, deals sufficiently with these concerns to ensure that the principle and provisions are implemented appropriately.^[39]