In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aims to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper) and conducted several rounds of public consultations. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
Direct marketing in the Privacy Act
Direct marketing is not defined in the Privacy Act. The Explanatory Memorandum outlines that direct marketing involves the “use and/or disclosure of personal information (discussed in our previous post) to communicate directly with an individual to promote goods and services”. The direct marketing communication could be delivered by a range of methods including mail, telephone, email or SMS.
The Australian Privacy Principle (APP) Guidelines suggest that direct marketing may be interpreted as broadly as using an individual’s personal information to display advertising on a social media site that an individual is logged into, including any data collected by cookies relating to websites the individual has viewed previously.
Direct marketing stands in contrast to other forms of marketing which do not specifically market goods and/or services to an individual based on their personal information, e.g. displaying advertisements on a website without using personal information to select which advertisements are displayed.
The direct marketing activity identified as the area of greatest concern for submitters to the Discussion Paper is personalised targeted advertising, also known as behavioural advertising. Personalised targeted advertising involves displaying online advertisements targeted to specific individuals based on their attributes, characteristics or interests, which are inferred from their previous web browsing activity or other data. Such targeting is often reliant on an expansive range of technologies that track an individual’s activities across the internet and on electronic devices, such as cookies, pixel tags, device/browser fingerprinting, mobile device tracking and cross-device tracking.
Targeted advertising is often dependent on the use of a processing technique known as ‘profiling’. Profiling is not expressly contemplated by the Privacy Act, but Article 4 of the European Union’s General Data Protection Regulation (EU) 2016/679 (GDPR) defines profiling as the processing of personal data to “evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. As this definition suggests, profiling may be used for a wide range of purposes beyond advertising, including the personalisation of services, assessing eligibility for financial products or predicting the likelihood that certain medical treatments will be successful.
The existing regime
What are the requirements?
APP 7 outlines that an entity must not use or disclose personal information for the purpose of direct marketing “unless the individual has consented” to such use and the individual must be provided with a “simple means of opting out of direct marketing” that uses their personal information.
There are exceptions to this requirement, concerning “personal information other than sensitive information.” Where personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing, consent is not required from the individual (APP 7.2).
If the personal information has been collected from a third party, or directly from the individual but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing, consent must be obtained unless it is impracticable to do so (APP 7.3). Sources of third party data include data list providers, third party mobile applications, third party lead generation and data enhancement services. In this circumstance, the collecting entity must ensure that the individual is made aware of their right to opt out of receiving direct marketing communications.
An individual may request an organisation not to use or disclose their personal information for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations (APP 7.6). The organisation must give effect to any such request by an individual within a reasonable period of time and for free (APP 7.7). However, this does not prevent the collection of personal information for direct marketing purposes, and therefore does not permit an individual to opt out of having their online behaviour tracked. Rather, it only allows individuals to opt out of receiving marketing communications.
Withdrawal of consent
The APP Guidelines state that consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely. It is good practice to inform the individual of the period for which the consent will be relied on in the absence of a material change of circumstances. The APP Guidelines further state that if the consent did not cover a proposed use or disclosure, an entity should seek the individual’s consent at the time of the use or disclosure.
The APP Guidelines also outline that an individual may withdraw their consent and that this should be an easy and accessible process. However, an individual often has limited opportunity to reconsider their initial provision of consent, with implications for that individual’s privacy where their information is subsequently used or disclosed for purposes the individual may not have envisaged at the time they gave their initial consent.
The gap in APP 7
APP 7 does not apply where the Spam Act 2003 (Cth) (Spam Act) or the Do Not Call Register Act 2006 (Cth) (DNCR Act) applies. The different obligations under the APPs, the Spam Act and the DNCR Act have created regulatory fragmentation, which means that in practice APP 7 generally applies only to:
- direct marketing calls or faxes where the number is not listed on the Do Not Call Register, or where the call is made by a registered charity;
- direct marketing by mail and door-to-door direct marketing; and
- online marketing (including on websites and mobile apps) which involves the use or disclosure of personal information about a reasonably identifiable individual that is the target of that marketing.
Privacy Act Review - Discussion Paper
The Discussion Paper outlined five key issues with the regulation of direct marketing:
- privacy risks and potential harms;
- lack of transparency;
- concerns about validity of consent;
- individuals’ ability to exercise control; and
- coverage of the Privacy Act.
To combat these issues, the Discussion Paper has proposed the following amendments to the regulation of direct marketing:
Proposal 16.1 - Unqualified right to object to collection, use and disclosure for direct marketing
The Discussion Paper proposes that the current limited right to opt out of receiving direct marketing communications could be replaced with an “unqualified right to object to the collection, use and disclosure of personal information for the purposes of direct marketing.” On receiving such a notice, the entity would need to immediately stop collecting, using or disclosing the individual’s personal information for the purpose of direct marketing and would need to inform the individual of the consequences of the objection. This proposal addresses a gap in the current regime of the APPs by allowing individuals to prevent their online behaviour from being tracked and their personal information from being collected.
If, as a result of an individual exercising this right, an entity determines that they are unable to offer or provide the individual with a product or service, the entity will need to demonstrate that the collection, use or disclosure is fair and reasonable. Importantly, this attracts consideration of whether the collection, use or disclosure was reasonably necessary to achieve the entity’s functions.
This proposal would bring Australian legislation closer in line with positions adopted in a number of international jurisdictions which provide a similar right to individuals, including the following:
- Article 21 of the GDPR includes a ‘right to object’ which enables an individual to request that an entity no longer processes personal data for the purpose of direct marketing. This is an absolute right that gives no exemptions or grounds for an entity to refuse the request.
- The California Consumer Privacy Act (CCPA) provides individuals with a right to direct businesses to stop selling their personal information, which businesses must make available through a ‘clear and conspicuous link’.
Proposal 16.2 - Influencing an individual’s behaviour or decisions must be a primary purpose
The Discussion Paper proposes introducing a requirement that the collection, use or disclosure of personal information, for the purpose of influencing an individual’s behaviour or decisions, must be a “primary purpose notified to an individual at the point of collection.” This purpose would encompass not only the collection, use and disclosure of personal information for targeted advertising, but also the use of profiling to target individuals with ideological or political messaging.
An entity would therefore only be permitted to undertake direct marketing where it was the purpose of the original collection, as notified to the individual. This would address concerns about the prevalence of third parties collecting, using and disclosing personal information in the process of delivering targeted advertising to individuals without their knowledge.
Proposal 16.3 – Enhanced notice requirements
The Discussion Paper also proposes that the information provided to individuals about the collection of their personal information must include:
- whether the entity is likely to use personal information, alone or in combination with any other information, for the purpose of influencing an individual’s behaviour or decisions and, if so, the types of information that will be used, generated or inferred to influence the individual; and
- whether the entity uses third parties in the provision of online marketing materials and, if so, the details of those parties and information regarding the appropriate method of opting out of receiving those materials.
This amendment would increase the transparency around data collection, and allow individuals to make more informed decisions regarding their personal information.
Proposal 16.4 – Repeal APP 7
In light of the existing protections in the Privacy Act, as well as the proposed reforms, the Discussion Paper recommends repealing APP 7. This would also address the concerns that APP 7, the Spam Act and the DNCR Act create regulatory uncertainty by establishing inconsistent rules for different marketing channels.
Other recommendations not exclusive to direct marketing
The following recommendations made in the Discussion Paper regarding other areas of concern also relate to direct marketing:
- Proposal 18.1 – require APP entities that have collected personal information about an individual indirectly, to identify the source from which it was collected on request from the individual;
- Proposals 2.1 and 2.2 – amend the definition of personal information to include a greater range of information and provide a non-exhaustive list of the types of information capable of constituting personal information. This would address concerns that some targeted advertising may fall outside the scope of the Privacy Act due to the use of technical identifiers and data to explicitly target an unidentified individual’s personal preferences with a high degree of accuracy (see our earlier article here);
- Proposal 2.4 – amend the definition of ‘collection’ to provide clarity that inferred personal information is covered by the Privacy Act. This would address concerns that profiling that infers personal information may not be covered by the Privacy Act. It would ensure that where profiling results in inferred sensitive information, consent to that collection of sensitive information is required;
- Proposal 9.1 – require that consent must be voluntary, informed, current, specific, and an unambiguous indication through clear action. This would address concerns that entities do not obtain meaningful consent for intrusive or unnecessary profiling, and ensure that there is greater transparency around the individual practices to which individuals are consenting;
- Proposal 10.2 – require entities to take reasonable steps to ensure that indirect collections were originally collected from the individual in accordance with APP 3. This would address concerns about the prevalence of personal information that is sold or shared by third parties and aggregated to create digital profiles of individuals without an individual’s knowledge or, when required, without their consent; and
- Proposals 8.1, 8.2 and 8.3 – strengthen notice requirements. As indicated above, this would address concerns that individuals are unable to make informed decisions about their personal information as broad descriptions are used to describe the purpose of collecting personal information which do not explicitly disclose the extent of use for marketing, re-sale and profiling purposes.
OAIC and Industry Submissions
The Office of the Australian Information Commissioner (OAIC) began its response to the Discussion Paper by restating results from its 2020 survey, which found that at least 89% of the Australians surveyed are uncomfortable or very uncomfortable with digital platforms and other online businesses, such as social media sites, conducting targeted advertising on them based on what they have said and done online. In light of these results, the OAIC largely supports the proposals put forward by the Discussion Paper, unequivocally supporting proposals 16.1 and 16.4. While the OAIC supports proposals 16.2 and 16.3 in principle, especially the objective of increasing transparency about the collection of personal information for direct marketing purposes, the OAIC notes that ‘influencing behaviour’ is a broad concept that could apply to a variety of conduct (such as health practitioners distributing material about new programs to quit smoking, or flu shots). As the risk around ‘influencing behaviour’ is largely contained to the online realm, the OAIC recommends that mitigation of these risks is best left to the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) (OP Bill) (see our earlier article here), rather than being addressed through the Privacy Act.
Responses from industry have been more guarded, arguing that any right to object to direct marketing should be limited in scope, that express consent to receive direct marketing is not required, and that a global opt-out process for online tracking is not required. The crux of these concerns is the regulatory burden that will be imposed in requiring entities to comply with a right to object to the collection of personal information (as opposed to use or disclosure), and that these costs outweigh any potential benefit to individuals. These submissions also highlight that personal information may be used for a variety of other legitimate purposes such as providing services to the customer, product improvement and sending non-marketing communications. A right to object which precludes collection of personal information would curtail these non-marketing related benefits.
These submissions have also mirrored the concerns raised by the OAIC that in their attempts to improve transparency about data collection, proposals 16.2 and 16.3 would have unintended consequences in regulating activity which is not marketing activity.
Challenge of Privacy Act reform review
There are a number of competing interests that will need to be balanced in reforming this area of privacy law. On the one hand, it is paramount that individuals have autonomy and control over their personal information. On the other, and as noted in the industry submissions, the amendments must be clear enough that they do not have unintended consequences which affect an individual’s access to services or what would ordinarily be considered the normal, unobjectionable use of personal information by business. The issue of direct marketing presents a difficult challenge for the Review, but it is clear that the status quo should not be allowed to continue – if only because technology and business practices have evolved considerably since APP 7 was first introduced.
Authors: Andrew Hii, Luke Standen, Astan Ure