There is a new Australian Privacy Principle 7 (APP 7) which will come into effect on 12 March 2014 and deals solely with the subject of direct marketing.

This will represent a change from how organisations currently deal with direct marketing as a secondary purpose under the current National Privacy Principles 2.1(NPPs).

The law as it currently stands allows organisations to collect consumer’s personal information for the primary purpose of direct marketing. Currently, a notification in your privacy consent would fit this purpose.

Under the NPPs an organisation would not be allowed to use consumer’s personal information for direct marketing if the information was not primarily collected for this purpose. NPP 2.1 lets organisations use personal information for the secondary purpose of direct marketing provided a consumer would reasonably expect the organisation to use or disclose personal information for direct marketing purposes.

Currently there are several conditions on using this personal information (NPP 2.1c) including it being impracticable to obtain the consumers consent and providing options for opting out of direct marketing communications.

New APP 7 states that direct marketing will be prohibited unless an exception applies. An organisation that collects personal information may use and disclose this personal information if:

  1. the consumer would reasonably expect the organisation to use their personal information for direct marketing;
  2. the organisation provides simple means for a consumer to ‘opt out’ of receiving direct marketing; and
  3. the consumer has not made such a request in the past.

There is still the exception for an organisation to use or disclose personal information for direct marketing if a consumer would not reasonably expect their personal information to be used for direct marketing or information has been collected from a third party.

In these circumstances, it will either be impracticable to obtain consent from the consumer or the consumer can consent for their personal information to be used for direct marketing purposes. The organisation will need to also have a simple means to ‘opt out’ of receiving direct marketing and the consumer has not made a request to do so in the past.

If an organisation receives an ‘opt-out’ request it must comply with the request within a reasonable time and free of charge

What you need to do

A company dealing with personal information and directing marking will need to amend their Privacy Policy and Privacy Consent.