Tag Archives: Privacy

Privacy Law and competitions

Australia’s amended privacy laws came into effect just under a month ago, and if you haven’t already done so, now is the time to review your Privacy Policy and practices.

Competitions are often centred on the collection of personal information. If you are conducting competitions, with the aim of (or resulting in) collecting personal information, ensure that your competition is compliant with the Privacy Act 1988 [the Act].

The Act and Australian Privacy Principles [APPs] govern the collection, storage, use and disclosure of personal information.

What is personal information and who is covered?

Personal information is defined in section 6 of the Act as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.”

The Act applies to businesses with a turnover of more than $3 million a year who collect personal information or to those businesses who fall within a listed category.

A ‘B2B’ business may still be bound by the Act if it handles personal information, such as the personal information of contacts within its clients’ businesses or of employees of its clients.

Importance of Compliance

There are significant potential penalties that can be imposed for non-compliance, and for repeat breaches of privacy laws, including enforceable undertakings and fines of up to $1.7 million, not to mention the reputational damage resulting from a breach.

Collection of Personal Information via Competitions

To understand the application of the Act and APPs in relation to competitions, it is necessary to review: a) the reason for collection, b) the types of personal information collected, and c) how information is collected. There are typically two reasons for collection of personal information. The first is to conduct the competition i.e. to conduct the draw and to notify winners. The second is to use personal information for marketing including via email.

If you conduct direct marketing using personal information collected via a competition, you will need to consider APP 6 and APP 7: “If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.” Review the exemptions to this principle contained in APP 7.2 and APP 7.3. Ensure that, if you use personal information for direct marketing, you are compliant with APP 7.

We sought independent legal advice from a professional in the field who confirmed the following:

“When entering into the draw, the individuals need to consent to the use and disclosure of their personal information. This can be achieved by using a privacy policy incorporated into the general terms and conditions of the lucky draw. The privacy statement will provide the methods and ways the personal information of the individuals is collected, used and disclosed. Acceptance of the general terms and conditions and hence the privacy policy will amount to consent.”

Consequently, it is important that your competition terms make the intended collection, use and disclosure of personal information clear to entrants.

One question that often arises is whether a competition entry page should include an ‘opt-in’ or if entry in itself can constitute consent. The legal advice we received indicates that entry can be consent, for the purposes of the Act, so long as the terms and privacy policy are clear. If entry itself is conditional on consent we would suggest this be made clear at the time of entry i.e. in the condensed terms.

If consent to receive marketing material is not mandatory then an opt-in (not pre-ticked) should be used. If marketing material is to be sent electronically then it is also important to consider the Spam Act. If an entrant has given positive consent to receive marketing material including via electronic means for an unlimited period, an option to opt-out must be included in all future messages sent. Typically, this would be as simple as a reply email or the click of a button. All messages must also include contact details and the identity of the sender.

Your Privacy Policy 

It is no longer acceptable to have an ‘off the shelf’ Privacy Policy which does not specifically address how your business collects, stores, uses and discloses personal information. Your Privacy Policy should be specifically drafted to reflect the reality of how you do business. APP 1.4 lists some of the areas that should be covered by a Privacy Policy.

Next steps

A sensible idea is to conduct a comprehensive audit into how and why you collect personal information and how it is then stored, used and disclosed. Update your Privacy Policy to reflect the results of the review.

When reviewing the kinds of personal information collected, you should consider if you actually need to collect that kind of personal information. Review APP 3 which requires that you only collect personal information “reasonably necessary for one or more of the entity’s functions or activities.” Consider whether or not you collect ‘sensitive information’ and if so review all requirements in the Act and APPs relating to sensitive information. Consider how long you need to hold information and if you can de-identify or destroy information you no longer need.

Permitz is able to conduct a compliance audit of your business and provide you with a report and list of recommendations. Permitz can then update your Privacy Policy based on the review.

Note: This is not intended as a comprehensive guide to the Act or APPs. We recommend that you seek independent legal advice to ensure compliance with the Act and all other applicable laws.

Why businesses give away cash!

Each year hundreds of thousands of dollars in cash and prizes are given away by businesses via competitions. There are a number of reasons why businesses run competitions (also referred to as trade promotions). Competitions, when compared to discounting, can be a more cost effective marketing method in that predetermined prizes are being given away as opposed to a percentage off an undetermined number of sales.

Competitions can increase sales. Entrants in a competition can be required to purchase a product or service to enter. If the competition is structured correctly, the same customers can then lodge multiple entries when they purchase multiple products. Most of the top consumer brands run competitions in this way, promoting the competition on the product and at point of sale.

Competitions can also help businesses build customer databases. When it receives an entry in a competition, a business is provided with useful information about a consumer. In doing so, it is essential that the business comply with the Privacy Act, National Privacy Principles and Spam Act.

The essentials

There are many requirements to consider when establishing a competition. When drafting terms and conditions, a business must fully set out how and when people can enter, what the prizes are, their value, how the winners will be determined and how winners will be notified. Consideration must also be given to how many times people can enter the competition. The primary responsibility of the business is to be fair and abide by the terms and conditions.

Competition permits will usually be required from the state gaming agencies if the winners of a competition are determined on the basis of an element of chance such as a prize draw. Competition permits will not be required if winners are determined by a suitably qualified judge or judges on the skill shown in the entrant’s answer and there is no element of chance involved.


When conducted properly, competitions can be an exciting and cost effective way of increasing sales and further promoting a business’ goods and services. Businesses give away cash and prizes as they receive something in return and consumers love to win prizes.

Permitz Group has been set up in the niche of competitions and trade promotions. Permitz Group can help set up your business’ competition and apply for competition permits on your behalf.

Privacy considerations for competitions

With Privacy Awareness Week commencing on Monday, 28 April 2013 it’s timely to have a look at the issue of privacy when conducting a competition.

Many companies are aware of and comply with their obligations under the Privacy Act and National Privacy Principles. These obligations are particularly important to consider when setting up a competition.

Competition entrants may not be aware of what a company will do with their personal information when conducting a competition and we certainly advocate for prior disclosure and openness.

Key questions to consider include:

How will we be collecting personal information?

Entrants are usually asked to supply personal information when submitting an entry into a competition. It is important to only collect personal information that is required to conduct the competition. If you are intending on using personal information for the purposes of marketing we would suggest you make sure entrants are fully aware of this and consent.

Do you intend on using an opt-in or require entrants to opt-out? The use of a tick box for opt-in to receive future marketing messages from your organisation is one way to make sure entrants are fully aware of your intention to market to them. If you are going to use electronic means to market to them, also ensure you comply with the Spam Act.

Will you disclose personal information?

Some disclosure of personal information may be required under a competition for it to be conducted effectively. For example, you may disclose personal information to: i) prize suppliers, ii) the entity who will conduct the draw on your behalf, and iii) regulatory authorities. Ensure that an entrant understands how you will disclose personal information.

Before setting up a competition you should check to ensure that these third parties have adequate measures in place to protect the personal information of entrants to your competition.

Will personal information be held securely?

Personal information can be very valuable and must be protected. When setting up your competition we suggest you give careful consideration to the security of the information you collect. A competition entry website should be protected as should any servers you use to hold personal information. After you have held the personal information for the period required under any trade promotion obligations it should be de-identified or destroyed.

Document it

A privacy policy is a must for any company looking to run a competition, as is a competition permit for any chance-based competition. Your privacy policy is a document which clearly explains your position on the management of personal information.

Further information

For further information you may wish to contact:

Privacy Commissioner GPO Box 5218 Sydney NSW 2001

Privacy Hotline: 1300 363 992 Telephone: (02) 9284 9800 Fax: (02) 9284 9666