Direct marketing is a prevalent and ever-increasing aspect of life in this digital age. Direct marketing does not, of course, have to be digital but that is generally the method used to get marketing material out to the widest audience in the quickest and easiest way.
Direct marketing can only happen if a business that wants to market products or services has contact information for potential customers that it wants to market to, and it will be more effective if it is targeted to the potential needs or preferences of potential customers.
So, data with contact details and useful information about habits, needs and preferences of individuals can be very valuable to a business seeking to use direct marketing.
Given the prevalence of direct marketing, it may seem an odd question to ask whether a business can market directly to individuals. The question is really whether the business can use personal information, particularly names, addresses or other contact details, or personal information to do this. This is governed by the Australian Privacy Principles (“APPs”) in the Privacy Act 1988 (Cth)(“the Privacy Act”).
The APPs apply to personal information of individuals, that is real people, so information about firms, companies or other entities is not personal information and the APPs do not apply to marketing to them.
The starting point is APP 7, which deals expressly with direct marketing. APP 7.1 prohibits an organisation that holds personal information about an individual from using or disclosing the information for the purpose of direct marketing. This absolute prohibition, however, is qualified by some exceptions in APPs 7.2-7.5.
The exceptions that will most commonly apply are those in APP 7.2 and APP 7.3 relating to the use or disclosure of personal information, other than sensitive information, about an individual for the purpose of direct marketing. APP 7.4 deals with sensitive information about an individual and requires consent of the individual for use or disclosure of the sensitive information for direct marketing.
APP 6 also deals with use or disclosure of personal information by an organisation, and APP 6.1 prohibits use or disclosure of the information that was collected for a particular purpose (the primary purpose) for another purpose (the secondary purpose) unless the individual has consented or (for an organisation) exceptions in APP 6.2 apply. The main exception in APP 6.2 for information, other than sensitive information, is that the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is related to the primary purpose.
A recent judgment of Justice Blue in the Supreme Court of South Australia has clarified the operation of some of the provisions of APP 7, and the interaction of APP 7 and APP 6.[i]
For those who may have had some difficulty understanding APP 7 and APP 6, it may be some comfort that Justice Blue has observed that:
“…Principle 7 is unhappily drafted: the draftsperson has not adequately grappled with the various dichotomies created or sought to be created within Principle 7 or between Principle 7 and Principle 6 or with the situation in which an organisation discloses personal information to another organisation for the purpose of direct marketing by that other organisation.”
In his concluding remarks, the Judge went even further, saying:
“I have observed that in several respects Principle 7 is unhappily drafted. It is desirable that the Commonwealth review whether Principle 7 should be comprehensively redrafted to manifest more clearly the legislative intention sought to be effected by it”.
The litigation between Shahin Enterprises and BP Australia arose out of an agreement between these companies entitled “BP Branded Privately Owned Sites Agreement” (“the agreement”). This Agreement was completed following the acquisition by Shahin Enterprises from BP Australia (“BP”) of 25 service stations operated by BP in South Australia.
The litigation involved the construction of clauses of the Agreement relating to the branding of sites operated by Shahin as BP service stations and, in relation to direct marketing, clause SC21 which provided that:
Subject to relevant privacy legislation, BP will regularly provide to the Dealer information reasonably requested about BP cardholders who visit Dealer sites so that the Dealer may market goods and services to these customers.
Relying on clause SC21, Shahin made a written request to BP requesting personal information about BP Plus card customers who visited Shahin petrol stations in the previous 24 months. Shahin said expressly that its purpose in making the request was to market goods and services at its service stations directly to the BP cardholders.
BP refused the request of Shahin on the basis that it would breach the applicable privacy legislation referred to in clause SC21, which was acknowledged to be the Privacy Act and the APPs. In the proceedings, BP contended that the disclosure by it to Shahin of the requested information would have been a breach of the legislation, and that the use by Shahin of the information, if disclosed, for direct marketing would also have been a breach of the legislation.
Shahin asserted that the refusal of BP to provide the information was a breach of clause SC 21, and asserted that the disclosure of the information by BP would not have been contrary to the legislation. The Judge found that the disclosure of the information by BP would have been contrary to the APPs, and that BP did not therefore breach clause SC 21 by this refusal, but this was not a straightforward conclusion because of the wording of the APPs.
Some of the findings of the Judge in relation to the direct marketing and privacy issues are:
The reference in clause SC 21 of the Agreement to the “relevant privacy legislation” meant that as a matter of construction of the Agreement BP was not in breach by refusing to supply the requested personal information to Shahin. This leaves open the question of what would have been situation if there had been no reference to privacy legislation in the Agreement. The Judge observed, although noting that this was not strictly necessary for the decision, that a disclosure by BP would have been unlawful, and the result would, presumably, have been the same.
Perhaps the clearest lesson from this case is that terms and conditions of organisations providing for consent by individuals to the use of personal information for direct marketing should be very clearly expressed, and that this is particularly the case if data will be shared with other organisations for the purpose of direct marketing by other organisations.
Apart from the APPs, there are other requirements which must be considered if direct marketing is to be undertaken. These include:
It may be prudent for organisations to review their terms
and conditions and privacy policies to consider the consents that are given by
individuals for use of personal information for direct marketing.
[i] Shahin Enterprises Pty Ltd v BP Australia Pty Ltd [2019] SASC 12.
Sandy Donaldson
Consultant
p. +61 8 8124 1954
e. Email me
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.