As online channels become an increasingly important part of retail businesses, organisations are collecting more customer data in the course of trade. This information is rich with insights that organisations can use to track consumption patterns, target their advertising to particular consumers or groups of consumers, and contact consumers directly.
With significant penalties for non-compliance, it is important for businesses to be aware of legal obligations that apply to dealing with this information. Accordingly, below we set out an overview of key considerations under Australian law.
Handling of Customer Data
The handling of customer data is governed by the Australian Privacy Principles (APPs) which form part of the Privacy Act 1988 (Cth) (Privacy Act). The APPs set out obligations, including in relation to the collection, use and disclosure of ‘personal information’.
Notably, the definition of ‘personal information’ contained in the Privacy Act is broad and includes ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. Even though data may not look like personal information on its own, if it is combined with other customer data held by (or accessible to) a business that enables the organisation to identify an individual, it will be considered ‘personal information’ and therefore subject to the Privacy Act and APPs.
At a high level, the APPs require businesses to do the following:
- maintain a privacy policy that sets out:
  - the kinds of personal information it collects and holds;
  - how it collects and holds that personal information;
  - the purposes for which it collects, holds, uses and discloses personal information; and
  - how an individual can access and seek correction of their personal information;
- only collect personal information that is reasonably necessary for the functions and activities of the business;
- only use or disclose personal information for the primary purpose for which it was collected, unless a valid exception applies (e.g. the individual has consented to the use or disclosure); and
- take reasonable steps to:
  - ensure the personal information it collects is accurate and complete; and
  - protect the information from misuse and unauthorised access.
Notifiable Data Breach Scheme
Organisations that are subject to the Privacy Act must also comply with the ‘Notifiable Data Breach Scheme’ (NDB). Under this regime, if a business experiences a data breach that is likely to result in ‘serious harm’ to an individual whose personal information the business holds, the business may be required to notify the Office of the Australian Information Commissioner (OAIC) and the affected individual/s.
For more information on the applicability and requirements of the NDB, please see the OAIC website.
The APPs also deal with the sending of direct marketing materials. APP 7 prohibits businesses from using personal information to send direct marketing to an individual unless a valid exception applies. One such exception is where the recipient has consented to receiving the direct marketing. Importantly, the provisions of the Privacy Act and APPs in relation to direct marketing do not apply where the more onerous requirements of the Spam Act 2003 (Cth) (Spam Act), outlined below, apply. It is therefore important for organisations to consider the application of the Spam Act before engaging in direct marketing.
Businesses should also consider obligations under the Spam Act if they intend to send electronic direct marketing communications or ‘commercial electronic messages’ such as email (eDM) or SMS.
Under the Spam Act, commercial electronic messages may only be sent to consumers if they satisfy the following:
- consent – the message can only be sent with the prior consent of the recipient. Importantly, an email sent to obtain consent is itself a commercial electronic message and therefore sending such emails is likely to breach the Spam Act, and ‘refer a friend’ emails also generally breach the Spam Act because consent must come from the recipient of the email, and not a third party;
- identification – it must include the name and contact details of the business that sent the message; and
- unsubscribe – it must contain a straightforward and free (or low cost) way for the recipient to opt out of receiving future marketing messages of this nature.
Under the Privacy Act, if a business is found to have engaged in ‘a serious or repeated interference’ with an individual’s privacy, or to have failed to notify an eligible data breach in accordance with the NDB, it could face penalties of up to $2.1 million.
Similarly, penalties for contraventions of the Spam Act can reach up to $2.1 million per day.
This post was co-authored by Luke Bardas (Solicitor), Valiant Warzecha, Jessie Buchan, Nicholas Boyle (Senior Associate) and Melinda Upton.