In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aims to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper) and conducted several rounds of public consultations. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
Direct marketing is not defined in the Privacy Act. The Explanatory Memorandum outlines that direct marketing involves the “use and/or disclosure of personal information (discussed in our previous post) to communicate directly with an individual to promote goods and services”. The direct marketing communication could be delivered by a range of methods including mail, telephone, email or SMS.
The Australian Privacy Principle (APP) Guidelines suggest that direct marketing may be interpreted as broadly as using an individual’s personal information to display advertising on a social media site that an individual is logged into, including any data collected by cookies relating to websites the individual has viewed previously.
Direct marketing stands in contrast to other forms of marketing which do not specifically market goods and/or services to an individual based on their personal information, eg displaying advertisements on a website without using personal information to select which advertisements are being displayed.
The direct marketing activity identified as the area of greatest concern for submitters to the Discussion Paper is personalised targeted advertising, also known as behavioural advertising. Personalised targeted advertising involves displaying online advertisements targeted to specific individuals based on their attributes, characteristics or interests, which are inferred from their previous web browsing activity or other data. Such targeting is often reliant on an expansive range of technologies that track an individual’s activities across the internet and on electronic devices, such as cookies, pixel tags, device/browser fingerprinting, mobile device tracking and cross-device tracking.
Targeted advertising is often dependent on the use of a processing technique known as ‘profiling’. Profiling is not expressly contemplated by the Privacy Act, but Article 4 of the European Union’s General Data Protection Regulation (EU) 2016/679 (GDPR) defines profiling as the processing of personal data to “evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. As this definition suggests, profiling may be used for a wide range of purposes beyond advertising, including the personalisation of services, assessing eligibility for financial products or predicting the likelihood that certain medical treatments will be successful.
APP 7 outlines that an entity must not use or disclose personal information for the purpose of direct marketing “unless the individual has consented” to such use and the individual must be provided with a “simple means of opting out of direct marketing” that uses their personal information.
There are exceptions to this requirement, concerning “personal information other than sensitive information.” Where personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing, consent is not required from the individual (APP 7.2).
If the personal information has been collected from a third party, or directly from the individual but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing, consent must be obtained unless impracticable to do so (APP 7.3). Sources of third party data include data list providers, third party mobile applications, third party lead generation and enhancement data. In this circumstance, the collecting entity must ensure that the individual is made aware of their right to opt out of receiving direct marketing communications.
An individual may request an organisation not to use or disclose their personal information for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations (APP 7.6). The organisation must give effect to any such request by an individual within a reasonable period of time and for free (APP 7.7). However, this does not prevent the collection of personal information for direct marketing purposes, and therefore does not permit an individual to opt out of having their online behaviour tracked. Rather, it only allows individuals to opt out of receiving marketing communications.
The APP Guidelines state that consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely. It is good practice to inform the individual of the period for which the consent will be relied on in the absence of a material change of circumstances. The APP Guidelines further state that if the consent did not cover a proposed use or disclosure, an entity should seek the individual’s consent at the time of the use or disclosure.
The APP Guidelines also outline that an individual may withdraw their consent and that this should be an easy and accessible process. However, an individual often has limited opportunity to reconsider their initial provision of consent, with implications for that individual’s privacy where their information is subsequently used or disclosed for purposes the individual may not have envisaged at the time they gave their initial consent.
APP 7 does not apply where the Spam Act 2003 (Cth) (Spam Act) or the Do Not Call Register Act 2006 (Cth) (DNCR Act) apply. The different obligations between the APPs, the Spam Act and the DNCR Act have created regulatory fragmentation which means that in practice, APP 7 only generally applies to:
The Discussion Paper outlined five key issues with the regulation of direct marketing:
To combat these issues, the Discussion Paper has proposed the following amendments to the regulation of direct marketing:
The Discussion Paper proposes that the current limited right to opt out of receiving direct marketing communications could be replaced with an “unqualified right to object to the collection, use and disclosure of personal information for the purposes of direct marketing.” On receiving such a notice, the entity would need to immediately stop collecting, using or disclosing the individual’s personal information for the purpose of direct marketing and would need to inform the individual of the consequences of the objection. This proposal addresses a gap in the current regime of the APPs by allowing individuals to prevent their online behaviour from being tracked and their personal information from being collected.
If, as a result of an individual exercising this right, an entity determines that they are unable to offer or provide the individual with a product or service, the entity will need to demonstrate that the collection, use or disclosure is fair and reasonable. Importantly, this attracts consideration of whether the collection, use or disclosure was reasonably necessary to achieve the entity’s functions.
This proposal would bring Australian legislation closer in line with positions adopted in a number of international jurisdictions which provide a similar right to individuals, including the following:
The Discussion Paper proposes introducing a requirement that the collection, use or disclosure of personal information, for the purpose of influencing an individual’s behaviour or decisions, must be a “primary purpose notified to an individual at the point of collection.” This purpose would encompass not only the collection, use and disclosure of personal information for targeted advertising, but also the use of profiling to target individuals with ideological or political messaging.
An entity would therefore only be permitted to undertake direct marketing where it was the purpose of the original collection, as notified to the individual. This would address concerns about the prevalence of third parties collecting, using and disclosing personal information in the process of delivering targeted advertising to individuals without their knowledge.
The Discussion Paper proposes that APP entities be required to include the following additional information in their privacy policy:
This amendment would increase the transparency around data collection, and allow individuals to make more informed decisions regarding their personal information.
In light of the existing protections in the Privacy Act, as well as the proposed reforms, the Discussion Paper recommends repealing APP 7. This would also address the concerns that APP 7, the Spam Act and the DNCR Act create regulatory uncertainty by establishing inconsistent rules for different marketing channels.
The following recommendations made in the Discussion Paper regarding other areas of concern, also relate to direct marketing:
The Office of the Australian Information Commissioner (OAIC) began their response to the Discussion Paper by restating results from their 2020 survey, which found that at least 89% of the Australians surveyed are uncomfortable or very uncomfortable with digital platforms and other online businesses, such as social media sites, conducting targeted advertising on them based on what they have said and done online. In light of these results, the OAIC largely supports the proposals put forward by the Discussion Paper, unequivocally supporting proposals 16.1 and 16.4. While the OAIC supports proposals 16.2 and 16.3 in principle, especially supporting the objective of increasing transparency about collection of personal information for direct marketing purposes, the OAIC notes that the concept of ‘influencing behaviour’ is a broad concept that could apply to a variety of conduct (such as health practitioners distributing material relating to new programs to quit smoking, or flu shots). As the risk around ‘influencing behaviour’ is largely contained to the online realm, the OAIC recommends that mitigation of these risks is best left to the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) (OP Bill) (see our earlier article here), rather than being addressed through the Privacy Act.
Responses from industry have been more guarded, arguing that any right to object to direct marketing should be limited in scope, that express consent to receive direct marketing is not required, and that a global opt-out process for online tracking is not required. The crux of these concerns is the regulatory burden that will be imposed in requiring entities to comply with a right to object to the collection of personal information (as opposed to use or disclosure), and that these costs outweigh any potential benefit to individuals. These submissions also highlight that personal information may be used for a variety of other legitimate purposes such as providing services to the customer, product improvement and sending non-marketing communications. A right to object which precludes collection of personal information would curtail these non-marketing related benefits.
These submissions have also mirrored the concerns raised by the OAIC that in their attempts to improve transparency about data collection, proposals 16.2 and 16.3 would have unintended consequences in regulating activity which is not marketing activity.
There are a number of competing interests that will need to be balanced in reforming this area of privacy law. On the one hand, it is paramount that individuals have autonomy and control over their personal information. On the other, and as noted through the industry submissions, the amendments must be clear enough that they do not have unintended consequences which affect an individual’s access to services or what would ordinarily be considered to be the normal, unobjectionable use of personal information by business. The issue of direct marketing presents a difficult challenge for the Review, but it is clear that the status quo should not be allowed to continue – if only because technology and business practices have evolved much since APP 7 was first introduced.
Authors: Andrew Hii, Luke Standen, Astan Ure