Submission: Treasury for the Review of the Direct Marketing Model Code of Practice (November 2002)
Our reference: 2002-0228
Mr Steve French
General Manager
Competition and Consumer Policy Division
The Treasury
Langton Crescent
PARKES ACT 2600
Dear Mr French
REVIEW OF DIRECT MARKETING MODEL CODE OF PRACTICE
Thank you for the opportunity to put in this late submission to the Review of the Direct Marketing Model Code of Practice (the Model Code).
Direct Marketing is an area that raises particular privacy issues for many people. For example, research conducted by the Office last year asked people about their attitudes to unsolicited marketing information from organisations they have not dealt with before. Responses showed that people were concerned about how their contact details had been obtained and that many were angry or annoyed about the activity.[1] Approximately 90% of respondents to the survey thought that organisations should seek their permission before sending them marketing material. Relevant figures and tables from the research are included at Attachment A to this submission.
The Privacy Act 1988 (the Privacy Act) now provides baseline information handling standards that apply to many private sector organisations. Over time the implementation of these standards should increasingly improve the control that people have over the use of personal information about them for marketing. Whether the Privacy Act provides the whole solution is still an open question. The proposed review of the Privacy Act after it has been in effect for two years (December 2003) will provide an opportunity to examine these issues in detail. In the meantime the Office welcomes the opportunity to consider how the Model Code might complement the standards in the Privacy Act.
Our comments follow. Please note I have used the Review Paper question numbering in response to the questions.
8. What are your experiences with complaints in relation to direct marketing? Do particular types of activity raise more complaints than others? Does direct marketing cause particular problems for certain groups in the community (for example, older consumers, disabled people)?
Hotline calls related to direct marketing have formed 3.53% of all our Hotline enquiries for the period 21 December 2001 to 20 October 2002. In the main, enquiries to the Office are from individuals generally wanting to find out how to ‘get off’ marketing lists or complaining about their seeming inability to do so.
During this same period we have received 530 complaints about alleged breaches of the National Privacy Principles (NPPs) and of these approximately 9% have been in regard to direct marketing acts and practices.
These have included complaints about:
- marketing to deceased relatives which often causes great distress;
- marketing to children;
- use of publicly available sources such as electoral rolls, telephone directories, land title registers, deceased notices in newspapers and so on for marketing purposes;
- apparent difficulty in getting off marketing lists despite repeated requests to stop;
- no opt-out provided on direct marketing material;
- no organisation details on direct marketing material;
- telephone marketers refusing to provide information about their organisation;
- alleged inappropriate use of personal information collected by one organisation for direct marketing purposes by another organisation; and
- spam.
Our Office does not keep statistics on the effects of direct marketing on particular consumer groups.
9. How well do you think the Model Code fits within the current regulatory framework?
The Model Code sets out objectives that include enhancing the potential for consumers to benefit from distance selling, improving the market for reputable business and preventing unreasonably intrusive forms of marketing. The Model Code emphasises the fair trading obligations related to the direct marketing process and its outcomes (purchase and delivery of goods). The objectives of the Model Code, particularly with respect to ‘preventing unreasonably intrusive forms of marketing’ are generally consistent with the intent of the privacy principles in the Privacy Act.
However, as currently framed the Model Code does not directly address the matters that are covered by the Privacy Act and to this extent does not currently fit within the current regulatory framework for privacy. If the Model Code were to address privacy issues it would be important to recognise that the role of the Privacy Act is to provide a nationally consistent regulatory framework for privacy protection and, in the NPPs, a set of general, base line information handling standards for the private sector.
Within this context, we consider that there is a role for the Model Code in raising awareness about privacy and privacy practices related in particular to the direct marketing obligations under the Privacy Act by including references to the NPPs, the Privacy Act and related material in the Model Code.
The Office would be pleased to assist in drafting an appropriate set of words if this would be of assistance.
There may also be areas where the Model Code could promote better privacy practice by suggesting higher or more specific privacy standards. Some examples of these are set out in response to questions below. We would expect that any proposals in the Model Code that may have a bearing on privacy would be consistent with the Privacy Act and the NPPs.
11. Should the Model Code play a greater role in clarifying and improving compliance with existing law?
As a general principle I would not see the Model Code as the place for clarifying, explaining or interpreting the Privacy Act’s base line standards – the NPPs. As noted above, the Privacy Act is intended to provide a single nationally consistent privacy framework for the private sector at least as far as the general privacy framework is concerned. If the Model Code provided advice, standards or interpretation on matters dealt with by the NPPs there is the potential for confusion and conflict.
However, also as noted above the Model Code could play a greater role in improving compliance with the Privacy Act by including reference to the Act and where appropriate by setting more specific or higher standards in relation to matters that are dealt with in the NPPs or in relation to other privacy matters. If the Model Code does take the approach of including specific privacy standards it would be important to ensure that they are consistent with the Privacy Act.
14. What consumer issues in relation to direct marketing have arisen since the development of the Model Code?
I refer you to question 8 above for examples of the kind of complaints received by my Office and to the privacy research conducted for the Office, July 2001 (prior to the implementation of amendments to the Privacy Act) and noted in the introduction to this submission.
The findings in the Office’s research were also reflected in a survey quoted in Campaign Brief Magazine of 1 July 2002. The survey by ResponsAbility is reported to have found that 86% of those surveyed said unsolicited direct mail, where the organisation had no previous relationship with them, had no influence on their buying decisions and 21% believed it was an invasion of their privacy. The survey also showed that 84% of those receiving unsolicited email marketing pitches objected to them in some way.
Complaints and enquiries to my Office also indicate that spam has a significant privacy impact for Australians, particularly with respect to the collection and re-use of personal information. This is particularly the case where email addresses are collected and used where the individuals concerned do not know about or have the ability to control the practice, and also to the extent that it supports the building of detailed profiles of individuals. I have recently made a submission to the National Office for the Information Economy on its Interim Report of its review of spam called The Spam Problem and How It Can Be Countered that included comment on these matters.[2] Measures to combat spam suggested in the Interim Report included the employment of technical tools and awareness-raising for consumers and Internet service providers; commercial and self-regulatory practices for Internet service providers; commercial association codes; enforcement of existing commercial and criminal laws; and spam-specific regulatory actions.
Another area that has the potential to raise consumer issues is the use of short message service or SMS technology for marketing. I note in this regard that the telecommunications industry through the Australian Communications Industry Forum has issued an industry code[3] on short message service issues.
I would be interested to have feedback on other issues that are raised in response to this question.
22. Is the Model Code consistent with the National Privacy Principles? Are any amendments to the Model Code required to ensure that private information of individuals is protected in line with the National Privacy Principles?
The ten NPPs in the Privacy Act set out the minimum standards for private sector organisations in the collection, use and disclosure, quality and security of information, the rights of the individual to access and correct information, the transfer of information overseas and special rules for the handling of sensitive information. The NPPs also include specific principles related to direct marketing.
As currently framed the Model Code does not directly address matters covered by the NPPs and to this extent is neither consistent nor inconsistent with the NPPs.
As noted in answers to other questions, the Model Code could complement the NPPs by including references to the NPPs and the specific direct marketing obligations, the Guidelines and contact details for the Office.
23. Is the Model Code consistent with the E-commerce Best Practice Model? Are any amendments to the Model Code required to deal with the particular characteristics of electronic commerce?
There are a number of areas in the E-commerce Best Practice Model that could be reflected in the Model Code. These include information and advice on particular characteristics of on-line e-commerce issues such as security and authentication mechanisms and in relation to direct marketing to minors in the electronic environment.
The E-commerce Best Practice Model also includes the following standard in relation to commercial email:
23. For commercial e-mail:
23.1 Businesses should not send commercial e-mail except:
23.1.1 to people with whom they have an existing relationship; or
23.1.2 to people who have already said they want to receive commercial e-mail; and
23.2 Businesses should have simple procedures so that consumers can let them know they do not want to receive commercial e-mail[4].
In my submission to the NOIE spam inquiry mentioned above, I suggested a similar approach as the test for whether or not commercial emails would be classified as spam. I would also support its inclusion in the Model Code at least for online marketing on the grounds that this approach has already been decided on, following extensive consultation on the E-Commerce Best Practice Model.
25. Should the Model Code address the issue of collection and use of information from publicly available sources, for example, electoral rolls and municipal building approval records?
The collection and use of personal information from publicly available sources raises a range of complex issues. From a privacy perspective issues are most likely to arise where individuals have little or no choice about providing their information and then have very limited knowledge or control over the use and disclosure of their personal information in the public domain. This is the situation for example with the Electoral Roll and a number of public registers established under Commonwealth, State and Local Council regulations. As demonstrated in the survey research conducted by my Office last year, people have strong views about the re-use of personal information on public registers.[5]
For some time now I have been arguing, particularly in relation to registers such as the Electoral Roll where people are required by law to have their personal details on a publicly available register, that there is a need for a wide public debate to consider the privacy issues and other interests, such as the need for free flow of personal information for effective business and government information and the importance of public registers in relation to strategies to deal with emerging issues such as the rise of identity fraud, and to work out what are appropriate secondary uses of public register information in what circumstances. To date, there is no general review underway. However, the issues are being considered in a number of current public inquiries at the Commonwealth and State level, for example, by the Joint Select Committee on Electoral Matters in the context of the review of the 2001 federal election and by the Victorian Privacy Commissioner in the report of his inquiry into the appropriate re-use of personal information on a register containing details of building permits.[6]
I am also currently conducting a public consultation about the application of the Privacy Act to the collection of publicly available personal information. However it is important to note in this regard that I am not considering the issues from the perspective as to what may generally be appropriate in relation to re-use of public register information but rather I am developing practical guidance about how the Privacy Act currently applies.
It is clear that personal information from a range of public registers is collected and used by many public sector organisations for a range of purposes. The submissions, many of which are now available from my website, to my public consultation mentioned above give a range of examples of such re-uses. These include:
- Many home shopping companies use the white pages and the electoral roll to ‘cleanse’ their files;
- Public registers, such as the electoral roll, are often used by organisations for such purposes as helping locate people who previously made donations, after they have changed their addresses;
- Broadly speaking, some organisations rely on publicly accessible databases to:
  - Confirm the identity of people;
  - Locate people;
  - Assess credit worthiness;
  - Assess solvency;
  - Verify assets, liabilities and interests in property and other information; or
  - Reduce the potential for fraud.
  In addition to the electoral roll, the types of databases commonly accessed for such purposes include: land titles registers; corporate, personal property registers; license registers; and court files (including bankruptcy and probate registers).
Many organisations produce a profile that defines and describes their support base and then use publicly available information (including public registers and newspapers) to locate like-profiled people, so they can make contact with them to seek donations. I should point out that the submission from which this comment is drawn did not name the public registers used, but in conversations we have been told that the sources used in such circumstances include the electoral roll, share registers, ABS data, land titles data and the white pages.[7]
I expect to have a final Information Sheet on the application of the Privacy Act to Publicly Available Personal Information available on my website by the end of this year or early next year.
As to the question of whether the Model Code should address the issue of collection and use of information from publicly available sources for direct marketing, I consider the development of good practice in this area could be a useful addition to the Code. The approach would need to be consistent with the current base rules in the Privacy Act and as set out in specific registers and could then consider how to build on these.
26. Should the Model Code cover direct marketing material circulated with non-direct marketing material (for example, enclosing advertising with the electricity bill)?
The NPPs already provide a set of standards in this regard. The NPPs permit organisations to use personal information for the secondary purpose of direct marketing in some specific circumstances.
In particular, NPP 2.1(a) permits the use and disclosure of personal information where the secondary purpose is related to the primary purpose of the collection and within the reasonable expectations of the individual. For example, an electricity supply vendor might include direct marketing advertising material related to electrical goods because this secondary purpose is related to the primary purpose of the original collection (supplying, maintaining and managing the electricity account) and within the customer’s reasonable expectations. The electricity vendor could not argue this was the case for gas-related goods, unless the individual already had a gas supply contract or was about to enter into one.
Where the direct marketing is not related and likely to be reasonably expected, it could proceed, under the NPPs, with the individual’s consent or for the organisation’s own material, on the basis that the individual can opt-out of receiving further approaches. The latter option – set out in NPP 2.1(c) – is only available if it is impracticable for the organisation to first seek consent. It is important to note that NPP 2.1(c) only permits use for unrelated direct marketing. Organisations cannot disclose personal information to other organisations using this route. Also, in my Guidelines to the National Privacy Principles I put the view that ‘As the cost of emailing is negligible, ordinarily it will not be ‘impracticable’ to seek consent where an organisation chooses on-line methods of contact or communication’.[8]
In line with my earlier comments, if the Model Code does address the issue of direct marketing material circulated with non-direct marketing material it would need to make sure these were consistent with NPPs. It would also be open to the Model Code to set higher or more specific standards in this area if particular issues were raised.
There is one area where I consider the NPPs may not currently provide the right framework in relation to direct marketing. The NPPs permit use and disclosure without restriction for the purpose for which personal information was collected – the NPPs term this the primary purpose. As I noted in my September 2000 submission to the Senate Legal & Constitutional Legislation Committee:
From the consumer’s point of view, receiving direct marketing material may be equally unwelcome regardless of whether use of the information for direct marketing is a primary or secondary purpose for the organisation collecting the material. This is particularly likely to be so where marketing information has been collected by an organisation via a third party.[9]
I am raising this issue for information at this stage. The Privacy Act is still in the very early stages of implementation and a review of the private sector provisions after two years was foreshadowed by the Attorney-General in the second reading speech to the Bill introducing the provisions. In general I think this is the appropriate approach and timeframe to consider these issues. However, if specific recommendations in relation to circulation of direct marketing material emerge from the review I am happy to consider these.
27. Should the current limits on the hours during which direct marketers are permitted to contact consumers remain in the Model Code? If so, should these hours be altered?
The Privacy Act is not specific in regard to an organisation’s obligations in regard to this matter, although it does note that collection should not be unreasonably intrusive (NPP 1.2). The Model Code could give guidance or best practice advice and examples in areas such as these. I would support guidance of this kind if it were developed with appropriate consultation.
28. Should the Model Code require that direct marketers be required to obtain a consumer’s consent before sending direct marketing material to that consumer? If so, should consent be express, or should constructive consent be permitted? Should direct marketers be required to update their do-not-call and do-not-mail lists within a specified time-limit after receiving a request from a consumer?
As I noted above, the NPPs permit organisations to use or disclose personal information, without restrictions, for the primary purpose for which it was collected. In other words, the NPPs do not require marketers to obtain a consumer’s consent to use personal information if this is the purpose for which it collected the personal information. Also as noted above, I am happy to consider good practice standards, for example the inclusion of the approach taken in the E-commerce Best Practice Model in relation to commercial email, which would build on the current NPP framework.
The Privacy Act says that consent can be express or implied. In the Guidelines to the National Privacy Principles I have set out factors that organisations can consider in deciding whether they are able to imply consent from failure to act or whether the circumstances require express consent. The factors I note in the Guidelines, in my discussion of NPP 2.1(b), are as follows:
An organisation would have the most difficulty establishing consent to a use or disclosure where it wishes to rely on a failure to object to a use or disclosure to imply consent. Whether consent can be implied from a failure to object will often depend on whether there are circumstances in which it would be reasonable to conclude that the individual had the necessary knowledge and would have opted out if they objected to the use or disclosure.
An organisation will be in an increasingly better position to establish that the individual consented the more it can satisfy the following points:
- it is likely that the individual received and read the information about the use or disclosure;
- the chance to opt out of the offer is clearly stated and likely to be understood by the individual and the individual is likely to be aware of the implications of not opting out;
- the opting in or opting out is freely available and not bundled with other purposes;
- receiving the chance to opt out involves no financial cost to, and little effort from, the individual;
- opting out involves little effort from, and no or virtually no cost to the individual;
- the consequences of failing to opt out are harmless;
- if the individual opts out later, the individual is fully restored, where possible and appropriate, to the circumstances they would have been in if they had opted out earlier.
The greater the number of methods an organisation makes available to the individual to take the chance to opt out and the smaller the amount of time and cost involved on the part of the individual in taking up the opt out, the more likely it is that an opt out is easy to take up.
It is unlikely that consent to receive marketing material on-line could be implied from a failure to object to it. This is because it is usually difficult to conclude that the message has been read and it is generally difficult to take up the option of opting out as it is commonly considered that there are adverse consequences to an individual from opening or replying to email marketing – such as confirming the individual’s address exists. This may also apply where material is distributed using other automated processes. (This would not prevent an organisation from seeking opt in consent on-line if NPP 2.1 allowed it.)
If the review proposes to recommend a different standard or approach I would appreciate the opportunity to comment.
NPP 3 requires an organisation to take reasonable steps to keep the information they collect, use or disclose up-to-date, accurate and correct but does not specify a time in which this is to be done.
These steps need only be taken at the time the organisation collects, uses or discloses the information.
As I have noted in the Guidelines to the National Privacy Principles, the organisation does not need to check the information at other times. I would support the Model Code (with appropriate consultation) providing good practice standards to direct marketers on updating lists within a specified time.
Other
I would like to take this opportunity to clarify the following points under section 4.3 of the Model Code paper dealing with Privacy legislation.
- Small businesses subject to the Privacy Act from 21 December 2002 include those small businesses related to a larger business (a related body corporate) as well as small businesses that trade in personal information or are Commonwealth contract service providers. All health service providers regardless of their size have been subject to the Privacy Act since 21 December 2001.
- Under the Privacy Act I am also able to investigate complaints about acts and practices that may be in breach of the Act.
If you have any questions about this matter please contact Robyn Longhurst on 02 6247 1239 or by email at robynlonghurst@privacy.gov.au
Yours sincerely
Malcolm Crompton
Federal Privacy Commissioner
November 2002
ATTACHMENT A
4.6 Responses to unsolicited marketing information
More than half of the population (55%) were concerned about how organisations (whom they had never dealt with before) obtained their name and address to send them unsolicited marketing information. Approximately 25% said they felt angry and annoyed when they received unsolicited marketing information, while 20% thought it was "annoying but harmless". Approximately 17% weren't bothered by direct marketing information and just under 1 in 10 (9%) said they enjoyed reading it.
These responses to unsolicited marketing information are shown in the following figure.
Figure 3: Responses to receiving unsolicited marketing information from organisations they have never dealt with before

Differences across income groups show the following:
- Those on lower household incomes ($30,000 or lower) were less likely than those on higher household incomes to feel concerned about where the organisation obtained their details from (47% cf. 55% national average) and slightly more likely to say they enjoyed reading the material (12% cf. 9% national average).
- The 40-49 years age group had higher percentages than other age groups who were concerned about where the organisation obtained their personal details from (64%) while those from the younger age group were less likely to be concerned about this (51% of those aged 18-24 years).
- People in the 40-49 years age group were also less likely to say that unsolicited marketing information didn't bother them (10% cf. 17% average) while people aged 50+ years were more likely to tolerate it with 22% saying it didn't bother them.
- Younger people were more likely than those in other age groups to think unsolicited direct marketing was annoying but harmless, and were slightly more likely to say they enjoyed reading it (13% cf. 9% national average).
- People in South Australia and Western Australia were more likely to say they enjoyed reading unsolicited marketing information (15% cf. 9% average), however Western Australians also had the highest proportion saying they felt angry and annoyed by direct marketing from a company they have never dealt with before (30% cf. 25% national average).
4.7 Should businesses have to ask for your permission before using personal information for direct marketing purposes?
Approximately 9 in 10 people (91%) thought that businesses should have to ask permission before using people's personal information for marketing purposes. Responses were similarly high across all variables, however there were minor differences in states with Tasmania and NSW having slightly higher percentages who thought business shouldn't have to seek permission for marketing purposes (12% and 11% respectively cf. 7% national average).
When asked if they would still prefer businesses to seek their permission before marketing to them if this involved having to complete permission forms, the vast majority (87%) said yes. Hence, having control over the use of their own personal information was highly desirable despite the inconvenience of dealing with extra forms.
While results were consistent across most variables, differences emerged in age groups with younger people (aged 18 to 24 years) more likely to forego the need for permission if it meant completing extra forms (11% cf. 9% national average). These results can be seen in the following figure.
Figure 4: The percentage of people who think businesses should seek permission before using personal information for marketing purposes

4.8 How important is it that you are advised about who may access your personal information?
Approximately 89% of the population thought it was important that organisations advise them who would have access to their personal information, with two-thirds (66%) rating this as very important. As few as 1 in 20 (5%) thought such advice wasn't an important issue.
Attitudes on this issue were consistently high across all variables, however 40 to 49 year olds were more likely than others to say it was very important (70% cf. 66% national average) while those aged 18 to 24 years were the least likely to give this rating (57%).
Slight differences also emerged on the basis of sex with women more likely than men to rate this type of information as very important (70% cf. 62% of men).
When looking at education, those with lower levels of education had few people rating it as important, however figures remained high with 83% of those with year 10 or lower education level rating advice about who has access to your personal information as important.
4.9 How important is it that you are advised about how your personal information is used?
As well as wanting to know who may have access to their personal information, the desire to know how their personal information might be used was also strong with more than 9 in 10 (92%) rating this type of information as important. Again, this information was seen to be very important for over two-thirds (68%) of the population.
Although this information was seen as important for 90% of people aged 50+ years of age, this figure was slightly lower-than-average.
As in the previous question more women than men rated this type of information as very important (72% of women cf. 64% of men).
Those on lower incomes were slightly less likely to rate this information as important (although the figure remained high at 89%), as were those who had lower education levels (86% of those with year 10 or lower education cf. 96% of those with a degree). As in the previous question no real differences emerged across states or location.
The following figure shows how important people think it is to know who has access to their personal information and how their information could be used.
4.30 Using public lists for marketing purposes
While 70% of the population thought that the electoral roll should not be accessed for marketing purposes, people were split on the use of the White Pages telephone directory with 42% agreeing that the directory should be accessible to marketers and 46% believing that it shouldn't be. These results are shown in the following figure.
Figure 20: The percentage of people who agree or disagree with use of the electoral roll or telephone directory for marketing purposes

The following tables show the sub-groups who were more likely to support or disagree with using the public lists for marketing purposes.
| Sub-groups more likely to be against using the | Sub-groups more likely to be against using the |
| | |
| More likely to agree with using the electoral roll | More likely to agree with using the telephone directory |
| | |
[1] Privacy and the Community, July 2001 Research prepared for the Office of the Federal Privacy Commissioner by Roy Morgan Research.
[2] The Privacy Commissioner’s submission is available at www.privacy.gov.au/publications/index.html, NOIE’s report is available at www.noie.gov.au/projects/confidence/Improving/Spam/Interim_Report/contents.htm
[3] The Australian Communications Industry Forum’s code is available at www.acif.org.au/ACIF/files/c580_2002.pdf
[4] www.ecommerce.treasury.gov.au/publications/BuildingConsumerSovereigntyInElectronicCommerce-ABestPracticeModelForBusiness/index.htm
[5] Figures 19 and 20 www.privacy.gov.au/publications/rcommunity.html
[7] Submissions to the Joint Standing Committee on Electoral Matters - Inquiry into the Conduct of the 2001 Federal Election, 2002 www.privacy.gov.au/publications/index.html#S


