Direct marketing, such as sending mail or emails or making phone calls directly to individuals to promote a charity’s services, raise a charity’s profile or solicit donations or support, will involve a charity using the information and data it holds about a person.
For charities that are required to comply with, or opt in to comply with, the Privacy Act, it is important that the responsible persons understand Australian Privacy Principle 7 (APP 7), which sets requirements for direct marketing.
For charities that are not required to comply with the Privacy Act, following APP 7 when considering the use of people’s information and data for direct marketing is still good practice. Doing so sends a message to donors, supporters and the public that the charity manages people’s information and data in a responsible way.
In short, APP 7 says that a charity must not use or disclose a person’s personal information for the purpose of direct marketing unless it satisfies all of the following criteria:
- the charity collected the information from the person;
- the person would reasonably expect the charity to use or disclose their information and data for the purpose of direct marketing;
- the charity provides a simple means by which the person may easily request to not receive direct marketing communications from the charity; and
- the person has not made a request to not receive direct marketing communications from the charity.
An exception to this principle may apply in instances where a person would not reasonably expect a charity to use their information for direct marketing. In such instances, a charity may still use the person’s information for direct marketing purposes, if it meets all of these criteria:
- the person has given consent for their information to be used for this purpose (or it is impracticable for the charity to obtain the consent);
- the charity provides a simple means by which the person may easily request to not receive direct marketing communications from the charity;
- the charity provides a prominent statement that the person may make such a request each time that it contacts the person for a direct marketing purpose (or the charity otherwise draws the person’s attention to this option); and
- the person has not made a request to not receive direct marketing communications from the charity.
These criteria also apply in situations where a charity collects the person’s information from a source other than the person in question (for example, if it collects the information from another charity).
Under APP 7, the use of sensitive information is treated differently to personal information. For a charity to use a person’s sensitive information for direct marketing purposes, it must first receive the person’s direct consent.
Importantly, APP 7 requires a charity to act on a person’s request to not receive direct marketing communications. If a charity uses a person’s information for direct marketing (or for facilitating direct marketing by other organisations), the person may request:
- to not receive direct marketing communications from the charity,
- to not have their information used for the purposes of facilitating direct marketing communications, and
- that the charity provide the source of its information.
Once a charity receives such a request, it must act on the request within a reasonable time period. The OAIC’s APP Guidelines indicate that this will usually be no more than 30 days.