Rules Mate

APP 7: Direct Marketing Rules for Australian Organisations

Australian Privacy Principle 7 governs how organisations may use personal information for direct marketing and requires a free, simple opt-out in every communication.

Rules Mate Editorial | Published 2 June 2026 | 3 min read

Scope and interaction with other regimes

APP 7 applies specifically to organisations, and does not extend to agencies. This distinction is important when determining which obligations apply to a particular marketing activity.

APP 7.8 provides that the rules of APP 7 are disapplied to the extent that the *Do Not Call Register Act 2006* or the *Spam Act 2003* apply to a communication. This means that where a marketing communication falls under the scope of either of these Acts, those Acts’ requirements take precedence. The Do Not Call Register obligations and the Spam Act 2003 consent and unsubscribe requirements must be adhered to in those circumstances.

Consequently, while APP 7 governs many forms of direct marketing, it does not cover all. For example, APP 7 applies to direct mail and personalised communications that are outside the scope of the *Spam Act* and *Do Not Call Register Act*.

When personal information may be used for direct marketing

Personal information (excluding sensitive information) may be used for direct marketing if certain conditions are met. Specifically, APP 7.2 allows this where the organisation collected the information from the individual, the individual would reasonably expect the information to be used for this purpose, a simple opt-out mechanism is provided, and the individual has not opted out. It is important to consider APP 6 (use and disclosure) when determining if these conditions are satisfied.

Alternatively, APP 7.3 permits the use of personal information (other than sensitive information) even if reasonable expectation does not apply, or if the information was obtained from a third party. In these circumstances, either the individual must consent to the use or obtaining consent must be impracticable. An opt-out and an opt-out notice must be included in each direct marketing communication.

The use or disclosure of sensitive information for direct marketing is significantly restricted. APP 7.4 requires explicit consent from the individual for this purpose, and a pre-existing relationship with the organisation is not sufficient to constitute consent.

Opt-out requirements

Individuals must be provided with a straightforward way to request they no longer receive direct marketing communications. Australian organisations are obligated under APP 7.3 and 7.5 to ensure this process is simple and easily accessible.

When sending direct marketing communications, organisations must clearly inform individuals of their ability to opt out. This can be achieved through a prominent statement within the communication or by otherwise drawing the individual’s attention to this option.

Following a request to opt out, or a request for information about the source of personal information used for direct marketing (under APP 7.7), the organisation must act on the request within a reasonable timeframe and without charge to the individual.

Contracted service providers and facilitation

APP 7 obligations extend to situations where an organisation engages a contracted service provider to conduct direct marketing. Both the organisation and the service provider may have responsibilities under APP 7. This means the organisation remains accountable for direct marketing activities even when outsourced.

Direct marketing, as defined by the Office of the Australian Information Commissioner (OAIC), involves the communication, by any means, of an offer or commercial message directed at promoting goods or services to a particular individual. APP 7.5 allows an organisation to use or disclose personal information to facilitate direct marketing by another organisation, provided the individual has a simple opt-out mechanism and has not exercised that option.

It is important to note that APP 7 does not supersede more specific direct marketing rules contained within industry codes registered under Part IIIB of the Privacy Act. Organisations must ensure compliance with any applicable industry codes in addition to, or instead of, APP 7.

Frequently asked

Does APP 7 apply to email and SMS marketing?

Commercial electronic messages are primarily regulated by the Spam Act 2003. APP 7.8 disapplies APP 7 to the extent the Spam Act applies, so email and SMS marketing is governed by the Spam Act's consent, sender identification and unsubscribe rules.

Can a business use sensitive information for marketing if the customer has bought from them before?

No. APP 7.4 requires specific consent to use sensitive information for direct marketing. A pre-existing customer relationship does not substitute for that consent.
