Marketing Mag: Ask IAB: How do the changes to the Privacy Act affect my marketing plans?
Developed by Marketing Mag, Written by Samantha Yorke, 14 February 2013
Question: How do the changes to the Privacy Act affect my marketing plans?
The new Privacy Act, which regulates the collection and use of personal information, will come into effect in March 2014, and it has some important changes which you need to be aware of.
Under the new Privacy Act, the definition of personal information has been broadened to include information which can be used to 'reasonably identify' an individual, rather than just the information which directly identifies an individual (such as their name or email address). Typically this comes into play when you hold several pieces of information about someone which, when put together, can be used to identify them, or if you hold personally identifiable information about someone as well as anonymous or de-identified information about them (e.g. a unique membership number). Previously, anonymous or de-identified information would not be covered by the Privacy Act, but under the new definition, the mere fact that you could identify someone by combining their anonymous information with the personally identifiable information means that you will likely have to treat both sets of data as personal information.
Direct marketing activities are specifically targeted in the new Privacy Principle 7 which states that companies must not use personal information in their possession for the purposes of direct marketing unless:
- The company collected the personal information directly from the individual, and
- The individual would reasonably expect the company to use their personal information for marketing, and
- The company provides a simple mechanism through which individuals can unsubscribe or opt out of receiving marketing, and
- The individual has not opted out or unsubscribed
There is no definition in the new Act of 'direct marketing'; however, the focus of the Act is on the use of personal information, so it is unlikely that anonymous or de-identified data collection and use would be caught by these new provisions.
Another new and potentially very serious change is the imposition of full responsibility on any Australian company that transfers personal information offshore to another company. As foreign companies are typically out of reach of the Australian government, the approach which has been adopted in the new Privacy Act is to hold the Australian company that originally collected personal information responsible for any mistreatment or breach of that data by third parties who are based overseas.
This will (and should) prompt some very serious thinking by many marketers who are considering transferring Australian customer data to international affiliate organisations or who are thinking about an offshore cloud storage solution for their data. It is also worth mentioning that the maximum penalty for data breach has been raised to $1.1 million under the new Act.
On the topic of enforcement, the Australian Privacy Commissioner has been given sharper teeth in the form of new powers to initiate investigations (in the absence of any consumer complaint), resolve complaints (by compelling courts to enforce his decisions) and promote compliance.
Finally, there is an entire section in the new Privacy Act on the development of privacy codes of practice. The inclusion of these provisions is a clear sign that the Government is encouraging industries to develop self-regulatory frameworks around how they will collect and use data. These codes can be blessed by the Privacy Commissioner and it is expected that they will be industry specific, so make sure that you are using your industry associations (such as the IAB) to get your point of view across.
There is a lot of debate among privacy advocates at the moment on how effective privacy policies are for conveying important information about how data and personal information are being collected and used.
In the past these policies tended to be rather long and legalistic documents which were not very easy to digest. As more and more privacy best practice relies on being transparent with your customers about how you are collecting and using their data, focus has turned to how best to communicate this information to them.
Geo-location services are frequently cited as being a good example of a privacy notification. Why? Because they are simple and contextual. In other words they inform you in the moment that your location is needed in order to tell you where the nearest ATM is or how to get to where you are going. 81% of people surveyed by PwC said that they were willing to share personal information with a company if (a) they were informed upfront, and (b) it was clearly explained to them how that information was going to be used.
The problem faced by many marketers and advertisers is that they are often collecting so many different types of information, personal or otherwise, for such a multitude of different reasons that it becomes challenging to explain simply. Nonetheless, we can all make an effort to present our privacy policies in a format which is easy to navigate (using headings and hyperlinks to allow people to jump straight to the section that they are interested in) and to use more intuitive presentation styles such as an FAQ format or pop-up windows at the point of data collection.
Question: Where can I go to find out more about restrictions or guidelines about advertising certain types of products and services online?
While most people will agree that interactive or digital advertising is inherently different to offline advertising, you shouldn't be tempted to think that anything goes online – it doesn't.
The Australian Association of National Advertisers (AANA) has developed a number of codes relating to advertising that apply across all media advertising, including online. Subjects include advertising and marketing to children and making environmental claims within your marketing or advertising. In addition, the AANA Code of Ethics addresses issues such as nudity or sexual content within advertising.
The financial services regulator, ASIC, has also published guidelines on advertising financial products and services with specific guidance for interactive and digital advertising.