Information for businesses - The Law
For Australian businesses, in addition to the Spam Act 2003 in relation to most spam (more information available by clicking here), the provisions of the Privacy Amendment (Private Sector) Act 2000 (Cth) do impose some obligations on certain Australian business in relation to acquaintance spam. Businesses who wish to send marketing material to their customers via email are required to seek explicit advance permission in some circumstances since December 2001. See our "What to do" section for information on how to comply with these requirements and improve the effectiveness of your signups and our brochure describing the relevant requirements of the law.
In addition to those provisions, which form part of the Privacy Act 1998 (Cth), there are government policy directives, as well as industry codes which do have some force of law. In particular, the National Privacy Principles and the e-commerce best practice model are generally relevant to all businesses, and the Australian Direct Marketing Association Code of Practice, which is based on the National Privacy Principles, has the force of law for ADMA members, and direct marketers who are not members of a direct marketing industry association can be directed to comply with that code. Section 5 of the Australian Federation of Advertisers privacy guidelines also require strict opt-in for email communications - even when sending email to your own customers (refer to the definitions section of that document). The Internet Industry Association Code of Practice also covers online merchants - who are content providers under the Telecommunications Act - and that code prohibits unsolicited commercial email to people you do not have a prior business relationship with.
The Privacy Principles, the ADMA code and the AFA privacy guidelines, as well as the amendments to the Privacy Act all mandate the up-front choice that we describe here in the "What to do" section. Specifically, the new provisions of the Privacy Act state (in Schedule 3):
2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or...
(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for the organisation to seek the individuals consent before that particular use; and
(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and
(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and
(iv) in each direct marketing communication with the individual, the organisation draws to the individuals attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and
(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisations business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically;...
In simple terms, these principles state that if you collect information from a person, and it is reasonable for you to ask permission to use that information for marketing at the time of collection, then you may not use that information for marketing unless you have obtained that permission. Most notably, a vendor who spams email addresses collected via a web page and did not ask for permission on that web page will be in violation of the new law, even if they offer an "opt-out" option in the spams. While you may be tempted to think this interpretation of the new law is a radical one, the Privacy Commissioner has given the same interpretation, and in fact any contrary interpretation would clearly treat clause 2.1(c)(i) of the privacy principles as a clause allowing marketing without permission in every relevant circumstance, an outcome which is clearly not intended in those principles, and one which would give effect to neither the words nor the intent.
To see how to ensure you are complying with the Privacy Principles, check the What to do section.
The national e-commerce best practice model, "Building Consumer Sovereignty in Electronic Commerce", serves as the Government's guidelines on acceptable behaviour for businesses engaged in electronic commerce, including businesses marketing on the Internet. It is also intended as guidelines for industry codes. This document clearly states that spam is not acceptable behaviour. While these guidelines are not law at this time, they are likely to be coded into law if they are not voluntarily adopted by businesses.
23. For commercial e-mail:
23.1 Businesses should not send commercial e-mail except:
23.1.1 to people with whom they have an existing relationship; or
23.1.2 to people who have already said they want to receive commercial e-mail; and
23.2 Businesses should have simple procedures so that consumers can let them know they do not want to receive commercial e-mail.
In other words, in order to be in compliance with the best practice model, a business must not send unsolicited solicitations to recipients they have no relationship with. Note that this does not mean that businesses can still spam their customers without asking - see section 16 of the best practice model:
16. ..., if there is an inconsistency, the law has precedence over the Best Practice Model.
Under section 76E(b) of the Crimes Act 1914 (Commonwealth), it an offence to interfere with, interrupt or obstruct the lawful use of, a computer by means of a carrier (telephone line or ISP) or facility provided by the Commonwealth. This offence carries a maximum term of 10 years imprisonment, and in November 2000 the first spammer was convicted under this section for relaying their spam off third party systems without permission. In other words, unauthorised third party relay is a criminal offence in Australia, and this has now been successfuly tested in court.
Additionally, it appears that spam is already illegal under the Common Law (Rollo T, "Liability for spam through trespass to goods" (2001) 8 PLPR 77). Several spammers have been successfully prosecuted in the United States under the Common Law, and it appears that the principles used to prosecute those cases are applicable to a much wider variety of spam than was previously thought. Two of the cases prosecuted have involved exemplary (punitive) damages of hundreds of thousands of dollars, so a business that does spam runs a real risk of being the subject of a very expensive test case.
In summary, existing government guidelines render both spam to your customers, and to others inappropriate, and existing industry codes also address both types of spam, rendering it illegal for businesses covered by these codes to send certain types of spam. Common Law remedies also appear to render spam illegal in Australia.
Contents
Preface - Why this is the most important lesson in Internet marketing you will ever read.
Overview - What the problem means to you.
Microeconomics of Spam - the economist's view.
Getting Permission - how to get permission for the first mailing.
What to do - Easy ways to avoid being labelled as a spammer, and still get what you want out of email lists.
The law - The current state of the law on this issue.