We Have Consent, Don’t We?
Why Email Marketing and Data-Sharing Models Can Create Legal Risk
This article explains why Australian businesses need to think carefully before using customer data for partner offers, shared marketing or third-party campaigns.
Who needs to read this?
This article is especially relevant if you:
- run email or SMS marketing campaigns for your business;
- use “subscribe for partner offers” or similar tick boxes on forms;
- share customer lists with other businesses or upload them into a platform;
- operate a marketplace, comparison site or referral network;
- manage a CRM or marketing automation system such as Mailchimp, Klaviyo or HubSpot;
- run loyalty, rewards or VIP programs involving promotional messaging;
- are building a product that matches, enriches or shares customer data across brands; or
- are a founder, marketing manager, agency or SaaS provider in the e-commerce, fintech, wagering or retail space.
A lot of businesses assume that if they have a customer’s email address, they can use it for future promotions or share it with others for marketing.
In Australia, it is not that simple.
The Spam Act 2003 (Cth), the Privacy Act 1988 (Cth) and regulator guidance can all affect whether a business is allowed to send marketing emails, rely on consent, or use customer data in a broader marketing ecosystem.
This is especially important for businesses looking at data-sharing arrangements, partner marketing, audience-matching tools or platforms that help multiple businesses market to the same pool of customers. Even if the model sounds innovative, the legal risks can become serious if consent is unclear, privacy notices are too broad, or unsubscribe processes do not work properly.
Why consent matters so much
Under the Spam Act 2003 (Cth), businesses generally need consent before sending commercial electronic messages such as marketing emails and SMS. Those messages must also clearly identify the sender and contain a functional unsubscribe facility.
ACMA has made it clear that businesses should be very careful about how they obtain and rely on consent. The regulator expects consent terms to clearly explain what the marketing is for, who will use the consent, how long it will be relied upon and how a person can withdraw it.
That means vague statements such as “receive partner offers” may not always be enough, especially where the customer does not really understand which businesses are involved or how their information will be used. The more complex the marketing arrangement, the more important it is that consent is specific, transparent and properly recorded.
Why asking for consent can itself be risky
One issue that often surprises businesses is that an email sent just to ask for marketing consent may itself be treated as a commercial electronic message.
If there is no valid consent for that first email, the message may already create a Spam Act problem.
This catches many businesses off guard. A business may think it is taking a cautious approach by emailing people to “opt in”, but if there was no proper basis to send that message in the first place, the legal risk may start before any broader campaign even begins.
Privacy law can also apply
The Privacy Act 1988 (Cth) and Australian Privacy Principle 7 regulate the use and disclosure of personal information for direct marketing. In some cases, a business can only use personal information for direct marketing if the person would reasonably expect it, or if the person has consented.
Where personal information is collected indirectly, or used in a way the individual would not reasonably expect, extra care is needed. Businesses may also need to tell individuals how they obtained the information and stop using it for direct marketing within a reasonable period if the person asks them to stop.
In practical terms, if customer data is shared between businesses, uploaded into a platform, matched with other audiences or used to send marketing on behalf of others, privacy compliance needs to be built into the model from the start. It is not just a matter of adding a short sentence to a privacy policy and hoping for the best.
Small businesses should not assume they are outside the law
Some small businesses assume privacy law does not apply to them because of the small business exemption. That assumption can be dangerous.
A business that buys, sells or otherwise trades in personal information may still be caught by the Privacy Act 1988 (Cth), even if it might otherwise have been exempt.
That matters for any business model involving customer lists, shared databases, audience pools or commercial benefits linked to the exchange of personal information. If personal information is being exchanged for a benefit, service or commercial advantage, it may trigger privacy obligations that were not previously front of mind.
Regulators are paying attention
ACMA has been increasingly active in enforcing the spam rules and has emphasized the importance of clear consent, easy unsubscribe processes and proper marketing records.
That means businesses should not only think about whether they have consent in theory. They should also be able to prove it in practice, including what the person saw at the time, what they agreed to, and whether the consent still makes sense for the message being sent.
Some real-world penalties for getting it wrong
- Latitude Finance — $3.96 million
- Commonwealth Bank — $7.5 million
- Pizza Hut — $2,502,500
- Telstra — $626,000
- Kogan — $310,800
Latitude Finance paid a $3.96 million penalty after ACMA found it breached Australia’s spam laws more than 2.7 million times, including by sending marketing messages without accurate contact information and with non-functioning unsubscribe options.
CBA paid a $7.5 million penalty after sending more than 170 million emails that did not comply with spam laws, including marketing messages without a way to unsubscribe and messages sent to people who had not consented or had withdrawn consent.
Pizza Hut Australia paid a $2,502,500 penalty for sending more than 10 million marketing messages in breach of Australian spam laws over a four-month period, including messages sent without consent or after consent had been withdrawn, and messages without an unsubscribe option.
Telstra paid a $626,000 penalty after sending close to 10.5 million text messages that did not comply with spam laws, including messages with unsubscribe arrangements that required recipients to provide personal information to opt out.
Kogan paid a $310,800 penalty after ACMA found it had sent more than 42 million marketing emails from which consumers could not easily unsubscribe, including because consumers had to set up a password and log into a Kogan account.
Could this affect your business?
Your business may be at risk if:
- you send marketing emails based on broad or unclear consent;
- you use customer data for partner promotions;
- you share customer details across related businesses or third parties;
- you cannot easily prove when consent was obtained;
- your unsubscribe function is hard to use; or
- you assume privacy law does not apply because your business is small.
What businesses should do before launching a marketing model
Before launching a new email marketing system, partner campaign or shared-data model, businesses should carefully review how consent is obtained, what privacy disclosures say, how opt-outs are handled and whether the data flows match what customers were actually told.
They should also think about how long consent lasts, whether it is specific enough for third-party marketing, whether unsubscribe requests are applied across all relevant campaigns, and whether they can justify every step in the data lifecycle.
If the model depends on creative interpretations of consent, that is usually a sign more legal work is needed before rollout.
How Sharon Givoni Consulting can help
Sharon Givoni Consulting assists businesses with:
- reviewing email and SMS marketing practices;
- drafting consent wording and disclosure language;
- advising on privacy policies and collection notices;
- assessing shared marketing and referral models;
- reviewing contracts for data-sharing and campaign arrangements; and
- helping businesses respond to regulatory risk before launch.
Further Reading
ACMA – Avoid sending spam:
https://www.acma.gov.au/avoid-sending-spam
OAIC – Direct marketing:
https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/direct-marketing
OAIC – APP 7 direct marketing guidelines:
https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-7-app-7-direct-marketing
Business.gov.au – Protect your customers’ information:
https://business.gov.au/online-and-digital/cyber-security/protect-your-customers-information
Please note the above article is general in nature and does not constitute legal advice.
Please email us info@iplegal.com.au if you need legal advice about your brand or another legal matter in this area generally.