Privacy Law and competitions

Australia’s amended privacy laws came into effect just under a month ago, and if you haven’t already done so, now is the time to review your Privacy Policy and practices.

Competitions are often centred on the collection of personal information. If you are conducting competitions, with the aim of (or resulting in) collecting personal information, ensure that your competition is compliant with the Privacy Act 1988 [the Act].

The Act and Australian Privacy Principles [APPs] govern the collection, storage, use and disclosure of personal information.

What is personal information and who is covered?

Personal information is defined in section 6 of the Act as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.”

The Act applies to businesses with a turnover of more than $3 million a year who collect personal information or to those businesses who fall within a listed category.

A ‘B2B’ business may still be bound by the Act if it handles personal information, such as the personal information of contacts within its clients’ businesses or of employees of its clients.

Importance of Compliance

There are significant potential penalties that can be imposed for non-compliance and for repeat breaches of privacy laws, including enforceable undertakings and fines of up to $1.7 million, not to mention the reputational damage resulting from a breach.

Collection of Personal Information via Competitions

To understand the application of the Act and APPs in relation to competitions, it is necessary to review: a) the reason for collection, b) the types of personal information collected, and c) how information is collected. There are typically two reasons for collection of personal information. The first is to conduct the competition i.e. to conduct the draw and to notify winners. The second is to use personal information for marketing including via email.

If you conduct direct marketing using personal information collected via a competition, you will need to consider APP 6 and APP 7: “If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.” Review the exemptions to this principle contained in APP 7.2 and APP 7.3. Ensure that, if you use personal information for direct marketing, you are compliant with APP 7.

We sought independent legal advice from a professional in the field who confirmed the following:

“When entering into the draw, the individuals need to consent to the use and disclosure of their personal information. This can be achieved by using a privacy policy incorporated into the general terms and conditions of the lucky draw. The privacy statement will provide the methods and ways the personal information of the individuals is collected, used and disclosed. Acceptance of the general terms and conditions and hence the privacy policy will amount to consent.”

Consequently, it is important that your competition terms make the intended collection, use and disclosure of personal information clear to entrants.

One question that often arises is whether a competition entry page should include an ‘opt-in’ or if entry in itself can constitute consent. The legal advice we received indicates that entry can be consent, for the purposes of the Act, so long as the terms and privacy policy are clear. If entry itself is conditional on consent we would suggest this be made clear at the time of entry i.e. in the condensed terms.

If consent to receive marketing material is not mandatory then an opt-in (not pre-ticked) should be used. If marketing material is to be sent electronically then it is also important to consider the Spam Act. If an entrant has given positive consent to receive marketing material including via electronic means for an unlimited period, an option to opt-out must be included in all future messages sent. Typically, this would be as simple as a reply email or the click of a button. All messages must also include contact details and the identity of the sender.

Your Privacy Policy

It is no longer acceptable to have an ‘off the shelf’ Privacy Policy which does not specifically address how your business collects, stores, uses and discloses personal information. Your Privacy Policy should be specifically drafted to reflect the reality of how you do business. APP 1.4 lists some of the areas that should be covered by a Privacy Policy.

Next steps

A sensible idea is to conduct a comprehensive audit into how and why you collect personal information and how it is then stored, used and disclosed. Update your Privacy Policy to reflect the results of the review.

When reviewing the kinds of personal information collected, you should consider if you actually need to collect that kind of personal information. Review APP 3 which requires that you only collect personal information “reasonably necessary for one or more of the entity’s functions or activities.” Consider whether or not you collect ‘sensitive information’ and if so review all requirements in the Act and APPs relating to sensitive information. Consider how long you need to hold information and if you can de-identify or destroy information you no longer need.

Permitz is able to conduct a compliance audit of your business and provide you with a report and list of recommendations. Permitz can then update your Privacy Policy based on the review.

Note: This is not intended as a comprehensive guide to the Act or APPs. We recommend that you seek independent legal advice to ensure compliance with the Act and all other applicable laws.