I’m keen to build up a database on my customers for marketing purposes but I’m wondering what kind of information I can ask for/store/use without breaking privacy laws. What are the boundaries I can’t cross?
There are laws that govern what information businesses can collect from customers and how they may use and manage that information.
Whether your business needs to comply with these laws, or the extent to which it needs to comply with them, will depend on a range of factors including the industry in which your business operates, its size, the nature of the information you intend to use and the circumstances in which the information was gathered.
The key legislation governing privacy laws is the Privacy Act. The Privacy Act applies to most businesses with an annual turnover of more than $3 million, and some small businesses with annual turnover of less than $3 million, such as health service providers or business that are part of a larger businesses, for example, the subsidiaries of larger companies.
Businesses that are not covered by the Privacy Act can also elect to opt in to the Privacy Act.
National Privacy Principles
If your business is covered by the Privacy Act, the National Privacy Principles (NPPs) will apply with respect to any personal information of customers that your business collects.
Personal information is information from which an individual’s identity can or could be determined. Examples of personal information include a person’s name, address or bank account details.
The NPPs set the minimum standards for handling personal information. They cover things such as collection, use and disclosure, security, openness, access to and correction of personal information.
Generally speaking, if you intend to save contact and personal information from customers and build them into a database, you may be required to let them know what information you are collecting and how you will use their information.
In addition, the Privacy Act is likely to require you to:
- not pass a customer’s personal information on to any other person without telling the customer;
- give customers the chance to see any information you hold about them if they ask;
- keep each customer’s personal information safe and dispose of it securely when you no longer need it; and
- if a customer asks, tell them about how you handle personal information in your business.
There may also be some additional requirements if your business operates as a health service provider, a credit reporter or in other limited prescribed industries.
If you intend to use a customer’s personal information for direct marketing such as unsolicited mail or telemarketing, there are a number of other things to think about.
If you are covered by the Privacy Act and a customer requests you to stop sending them direct marketing materials you must do so, unless you originally collected their information in order to send them direct marketing material (in this case you will still need to comply with the NPPs in sending the material to the customers).
If you wish to use customers’ phone numbers to conduct telemarketing, you must not call any customer whose number appears on the Do Not Call Register.
This restriction applies regardless of whether your business is covered by the Privacy Act.
If you intend to use the personal information to conduct door-to-door marketing and sales, there are also specific provisions covering those activities under the Australian Consumer Law.
The Australian Consumer Law also contains a range of other non-privacy related provisions aimed at protecting consumers in their dealings with businesses and amongst other things, prohibits business from engaging in misleading and deceptive conduct.
If you intend to send commercial electronic messages to customers, the provisions in the Spam Act may also be applicable.
The Spam Act will generally require, amongst other things, for you to have the customer’s consent to send them commercial electronic messages and to set out certain required information in each such message you send to customers, such as:
- the name of your business;
- your business address, telephone number and electronic contact details; and
- inform the customer that they can unsubscribe from future messages.
Importantly, the Spam Act has a broader application than the Privacy Act and many businesses, persons and organisations that are not covered by the Privacy Act may be required to comply with the Spam Act.
In summary, there are a range of potential privacy boundaries that you need to be aware of, and these must be considered when you are collecting and using that information from customers.