Dated October 2002
This document is at http://www.privacy.org.au/Papers/SubmnCTreas0210.html
The Australian Privacy Foundation has operated since 1987 as a community group dedicated to promoting the protection of privacy for all Australians - raising awareness of privacy issues and campaigning for better business practices in the public and private sectors and, where necessary, for better laws, regulations and compliance mechanisms. The Foundation is an unincorporated association registered in NSW - for more information about the Foundation and its work see www.privacy.org.au
The Foundation and its sister organization, the Australian Privacy Charter Council (now subsumed within the Foundation), have been heavily involved in debates about the privacy implications of direct marketing over the last decade. In particular, both groups made submissions to the Australian Competition and Consumer Commission in relation to their determination in 1999 on the ADMA Code of Practice. At that time the private sector amendments to the federal Privacy Act 1988 had still not been enacted, although the National Privacy Principles (NPPs) that were subsequently incorporated into that law were available. While these were used as a benchmark in the debate over the ADMA Code, the Foundation did not consider them to set a high enough or specific enough standard to deal adequately with privacy issues in direct marketing, and that continues to be our view of the statutory NPPs.
Our principal objective is to see direct marketing conducted with greater regard for the privacy and autonomy of individuals, giving them more control over the extent and manner in which they experience direct marketing. To the extent that the MCCA Model Code of Practice can contribute to this objective, we would like to see it revised and strengthened. However we are not committed to the use of a model Code if an effective alternative, such as a strengthened ADMA Code made binding by registration under one or more laws, is preferred by other interested parties.
The most relevant questions to our interests and concerns are those posed at the end of the "Issues for Discussion" section of your paper.
Q22. Is the Model Code consistent with the National Privacy Principles? Are any amendments to the Model Code required to ensure that private information of individuals is protected in line with the National Privacy Principles?
The Model Code only deals partially and imperfectly with privacy issues and with the requirements of the National Privacy Principles. The requirement to identify the business in Parts 2 & 3 (clauses 15(a) and 52-53) is consistent with NPP 1.3 but the other matters required to be notified under NPP 1.3 are not covered. Given that some organizations undertaking direct marketing may not be covered by the NPPs (many small businesses are exempt from the Privacy Act), we think that the Model Code should have a separate Part dealing with handling of personal information, replicating the NPPs with appropriate improvements as discussed below (compliance with the NPPs alone does not deal with all of the privacy issues raised by direct marketing).
The requirement to identify, on request, the source of the personal information used to make the approach (Clause 55(b)) appears to apply to any direct marketer, although it appears in the Telemarketing only Part 3. This requirement, which goes beyond the Privacy Act NPP requirements, should apply generally, and should therefore be moved to the proposed new personal information/privacy Part of the Model Code.
Clause 52 prohibiting telemarketers from blocking their outgoing calling line identification (CLI) is important and should remain, but should be generalized to apply to email, fax and SMS marketing as well (see below).
Q23. Is the Model Code consistent with the E-commerce Best Practice Model? Are any amendments to the Model Code required to deal with the particular characteristics of electronic commerce?
Our main concern in this respect is the inadequate treatment by the Model Code (and ADMA Code) of unsolicited email marketing (SPAM) and other direct marketing by technologies other than traditional mail or voice telephone call, such as facsimile or SMS.
I attach a copy of our recent submission to NOIE on Spam. The main issues relevant to the Model Code are in our view:
Another e-commerce/Internet specific issue is the use of cookies and other devices such as web-bugs. Where an organization uses such devices on a web-site to collect information about users which can subsequently be linked to an identifiable individual (whether or not the information as collected is technically `personal information' under the Privacy Act), then it should be required to give individuals the same notice as required by NPP 1.3, and offer them at least an opt-out opportunity (see below re consent).
Ideally, organisations should not force users of their web-sites to accept cookies - i.e. they should respect the preference of some users to disable cookies in their browser settings. It is a myth that cookies are needed for security - for example some banks offer complete on-line banking services which do not require cookies to be enabled. Some web-site designers have simply used cookies to enhance functionality, but there are usually other ways of doing this. It is arguable that requiring a user to enable cookies to be able to use a site, where that cookie leads to the collection of personal information, may be a breach of NPP 8 (Anonymity).
Q24. How does a code, which does not provide complete coverage of the direct marketing industry, affect the position for consumers?
Any limitation in the scope and coverage of a Direct Marketing Code obviously limits its value to consumers. Ideally, a code should apply to all uses of direct marketing techniques, through all media, and in any sector, and anything the Model Code can do to promote this objective would be welcomed.
Any Code should apply to all direct marketing activity - whether or not it aims for or results in distance selling. The apparently broad effect of clause 3 of the Model Code is undermined by clause 7, and by the definition of direct marketing and contract solicitation, which between them appear to limit the application of Part 2 to distance selling or fundraising where the donation is given remotely. We see no reason why some of the important protections in Part 2 - including those concerning provision of information and identification of the business - should not apply to all forms of direct marketing even where they are designed to get consumers to visit a physical store. In this respect a restricted scope that may be appropriate for fair trading aspects of the Code is not appropriate for fair information handling practices.
Q25. Should the Model Code address the issue of collection and use of information from publicly available sources, for example, electoral rolls and municipal building approval records?
Yes - this is an essential part of any effective strategy to empower consumers as regards the use of their personal information. Much personal information used for direct marketing (either for contact details or to add details to a consumer's `profile') is obtained from publicly available sources - often from registers in which individuals are required to be included. The long term answer lies in reform of the laws and practices applying to public registers, but in the meantime, the Model Code should make it clear that marketers cannot use such register information freely for direct marketing just because it is in the public domain. Those responsible for some public registers are starting to impose conditions and limitations on uses. Where the terms under which the publicly available information is available do not constrain its uses, marketers should be allowed to make one approach, provided they offer the individual a clear opportunity to `opt-out' of receipt of any further communication.
We have recently made a submission to the Privacy Commissioner on use of publicly available personal information, which goes into more detail on this issue. We attach a copy.
Q26. Should the Model Code cover direct marketing material circulated with non-direct marketing material (for example, enclosing advertising with the electricity bill)?
Yes. While this practice of `host mailing' raises different issues from direct communication with consumers, the effect is similar, in that many consumers consider it an unwelcome intrusion and nuisance. Again the National Privacy Principles are inadequate in that only the host mailer is `using' personal information in this context - the advertiser or potential beneficiary has no obligations under the Privacy Act in respect of these communications unless and until a consumer responds by providing personal information.
Ideally, organizations should be required to give consumers a choice as to whether they wish to receive `third party' information enclosed with communications from the first organization. The use for host mailing by the first party is in Privacy Act terms an unrelated secondary use and can therefore only be undertaken with consent (NPP 2.1(b)). In this case however, we acknowledge that there are significant indirect benefits to consumers from having the costs of communications offset by revenue from host mailings, and that the privacy issue is lessened by the absence of any transfer of personal information to the third party advertiser. In this context we suggest that an `opt-out' choice would be sufficient - in contrast to our general preference for express opt-in consent for secondary purposes where personal information is actually used (see below).
Q27. Should the current limits on the hours during which direct marketers are permitted to contact consumers remain in the Model Code? If so, should those hours be altered?
This is a good example of the sort of detailed privacy issue that the Privacy Act principles do not deal with adequately. It is clear that hours of telemarketing are a significant issue for many consumers, but this is not a matter that falls clearly within the scope of the NPPs, which deal with the collection and use of personal information - although where personal information is captured during a call it is possible that unreasonable hours of calling could breach the collection principle NPP1 (unfair or unreasonably intrusive collection). Where no personal information is captured, the Principle does not apply and can offer no protection.
The specific provisions in the Model Code about hours of calling should remain. Subject to any empirical evidence from other interested parties, 8 am-9 pm is a reasonable `default' period during which marketing calls are allowed but we suggest that any organization which undertakes telemarketing on a regular basis should be required to have a facility to record, on request, different acceptable hours for each consumer, and to use and respect this information when making subsequent calls.
Q28. Should the Model Code require that direct marketers be required to obtain a consumer's consent before sending direct marketing material to that consumer? If so, should consent be express, or should constructive consent be permitted? Should direct marketers be required to update their do-not-call and do-not-mail lists within a specified time limit after receiving a request from a consumer?
We generally favour a requirement for express consent (opt-in) over a constructive consent (opt-out) approach, certainly for the more intrusive forms of direct marketing such as by fax, SMS or Spam E-mail. However, where a consumer has a prior relationship, it is reasonable to allow a `notice and opt-out' even using these means.
As compliance with the Privacy Principles develops, express consent will start to become the norm as businesses seek consent for secondary uses during collection. This will however take years to `work through' to prospect lists.
In the meantime, in respect of the less intrusive (and more easily managed) postal direct mail, we accept that there are some circumstances - such as where a marketer has obtained a prospect's name from a third party source (and where that source has not passed on any information about the individual's preferences as regards direct marketing) - in which they should be allowed to make one approach (by mail) that includes a clear opportunity to opt-out of subsequent communications. This is consistent with NPP 2.1(c) - but the Model Code should make it clear that the opt-out has to be provided even where the business sees the marketing as a related secondary purpose or even as a primary purpose. The Code should clarify the application of this standard in a way which the NPPs and Privacy Commissioner's guidance do not - some businesses read the NPPs as allowing direct marketing under NPP 2.1 or 2.1(a) without any need to give even an opt-out.
The Model Code should address the role of preference schemes. It is important to recognize that while the preference schemes operated by ADMA are a valuable service, they cater only for an extreme minority of individuals who do not wish to receive any unsolicited marketing. Most consumers are more selective - they are happy to receive some direct marketing - perhaps from charities, or from suppliers of particular categories of goods or services, but at the same time object more or less strongly to receipt of other messages. This is not irrational.
As already mentioned, we feel that the flagging of preferences in directories would be very valuable and provide an easy and visible indication of whether individuals are prepared to receive direct marketing. We suggest that the Model Code addresses this suggestion and if possible promotes the use of flags in directories.
Attachment A - Submission to NOIE re Spam
Attachment B - Submission to OFPC re publicly available personal information
Created: 7 February 2003
Last Amended: 7 February 2003