Australian Privacy Principles and Direct Marketing
APP 7 controls when you can market to customers using their data. Most SMEs get this wrong. Here's what direct marketing compliance actually requires.
The Australian Privacy Principles set specific rules about when you can use someone's personal information to market to them. APP 7 of the Privacy Act 1988 covers this directly, and it's stricter than most SMEs expect. If you're running email campaigns, SMS blasts, or retargeting ads using customer data, APP 7 applies to you.
This is one of the areas where I see businesses get into trouble without realising it. You collected someone's email for an invoice. Now they're on your newsletter list. That's exactly the kind of thing APP 7 is designed to prevent.
What the Australian Privacy Principles Say About Direct Marketing
APP 7 draws a line between using someone's data for the purpose you collected it, and repurposing that data to sell to them later.
The general rule: you can only use personal information for direct marketing if the person would reasonably expect you to use their information for that purpose, and you provide a simple way to opt out. If someone bought a product from you and you want to email them about related products, that's probably within their reasonable expectations. If someone filled in a warranty form and you added them to a promotional campaign for a completely different service, that's harder to justify.
Can You Use This Data for Marketing?
For sensitive information, the bar is higher: you need explicit consent. That covers health data, biometric data, and information about someone's race or religion. You can't use any of that for marketing without the person clearly agreeing to it. "Implied consent" doesn't cut it for sensitive information under the APPs.
There's also a source requirement. If you didn't collect the information directly from the person (say you got it from a purchased list or a third-party lead gen tool), APP 7 adds extra conditions. You need to make sure the person would still reasonably expect direct marketing from you, or you need their consent. And you must tell them where you got their information if they ask.
Where SMEs Get Australian Privacy Principles Marketing Wrong
Three patterns come up constantly.
Mixing transactional and marketing lists. Someone gives you their email to receive a quote, get a receipt, or create an account. That's a transactional purpose. Adding them to your marketing list without separate consent, or at least a clear opt-in at the point of collection, puts you offside with APP 7. Your CRM probably makes it easy to dump everyone into one audience. The APPs don't care about your CRM's defaults.
Making opt-out difficult. APP 7 requires a "simple means" for people to opt out of direct marketing. An unsubscribe link buried in size-8 font at the bottom of your email technically exists, but the OAIC has made it clear that opt-out mechanisms need to be genuinely accessible. If opting out requires logging in, calling a phone number, or filling in a form, you've made it too hard. One click. That's the standard you should aim for.
Ignoring the Spam Act overlap. The Privacy Act and the Spam Act 2003 both apply to commercial electronic messages, but they have different rules. The Spam Act requires consent before sending commercial emails or SMS. The Privacy Act controls how you use the personal information behind those messages. You can comply with one and breach the other. Most SMEs think their Mailchimp unsubscribe link covers both. It handles the Spam Act requirement. It doesn't automatically address your APP 7 obligations around purpose limitation and source disclosure.
Privacy Act vs Spam Act — They're Not the Same
| Feature | Spam Act 2003 | Privacy Act (APP 7) |
|---|---|---|
| Governs | Commercial electronic messages | Use of personal information for marketing |
| Consent required | Yes, before sending | Consent, or reasonable expectation plus opt-out |
| Opt-out mechanism | Yes | Yes, a "simple means" to opt out |
| Purpose limitation | No | Yes |
| Source disclosure on request | No | Yes |
| Covers sensitive information separately | No | Yes, explicit consent needed |
| Unsubscribe link satisfies | Yes | Opt-out only; not purpose limitation or source disclosure |
How to Get Your Direct Marketing Compliant With the Australian Privacy Principles
Start with your collection points. Every form, sign-up page, or point-of-sale interaction where you capture personal information should clearly state whether that information will be used for marketing. APP 1 requires a privacy policy that covers this, and APP 5 requires you to notify people at the time of collection. If your form just says "Email" with a submit button, you're missing both.
Then audit your lists. Look at where each contact came from and whether you have a lawful basis to market to them. People who opted in through a newsletter sign-up are straightforward. People who got added because they emailed your support inbox are not.
Check your opt-out process end to end. Click your own unsubscribe link. Does it actually work? Does it process within a reasonable timeframe? Some email platforms take up to 10 business days to action an unsubscribe. That's too slow if someone has clearly told you to stop.
Direct Marketing Compliance Audit
For any third-party data you use, document where it came from and what consent was obtained. If a lead gen provider can't tell you how they got consent, assume they didn't. That risk sits with you, not them, once you start using the data.
Finally, keep sensitive information completely out of your marketing segmentation unless you have explicit consent. If your CRM lets you segment by health conditions, demographics, or other sensitive categories, that capability doesn't mean you're allowed to use it.
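The list audit described in the steps above, written out as an added example that is not code from the post or from any CRM product. It screens constructed contact records against the APP 7 conditions the page sets out (transactional collection without opt-in, undocumented third-party sources, sensitive segments without explicit consent, honoured opt-outs); the field names and source labels are assumptions.

```python
from dataclasses import dataclass, field

# Assumed source labels: where the contact detail was collected.
TRANSACTIONAL_SOURCES = {"invoice", "quote", "receipt", "account_signup",
                         "support_inbox", "warranty_form"}
THIRD_PARTY_SOURCES = {"purchased_list", "lead_gen_tool"}
# Assumed CRM segmentation fields that hold sensitive information under the APPs.
SENSITIVE_FIELDS = {"health_condition", "religion", "ethnicity", "biometric"}


@dataclass
class Contact:
    email: str
    source: str                          # recorded so you can answer "where did you get this?"
    marketing_opt_in: bool = False       # separate, clear opt-in to marketing at collection
    explicit_consent_sensitive: bool = False
    source_documented: bool = False      # provider could show how consent was obtained
    opted_out: bool = False
    segments: set = field(default_factory=set)  # segmentation fields applied to this contact


def marketing_issues(c: Contact) -> list[str]:
    """Reasons this contact must not receive direct marketing; empty list means clear."""
    issues = []
    if c.opted_out:
        issues.append("opted out: suppress")
    if c.source in TRANSACTIONAL_SOURCES and not c.marketing_opt_in:
        issues.append(f"collected for a transactional purpose ({c.source}) without marketing opt-in")
    if c.source in THIRD_PARTY_SOURCES and not (c.source_documented and c.marketing_opt_in):
        issues.append(f"third-party source ({c.source}) without documented consent")
    if c.segments & SENSITIVE_FIELDS and not c.explicit_consent_sensitive:
        issues.append("sensitive-information segment without explicit consent")
    return issues


def audit(contacts: list[Contact]) -> dict[str, list[str]]:
    """Map each email to its issues; addresses with an empty list may be marketed to."""
    return {c.email: marketing_issues(c) for c in contacts}


# Constructed sample list covering the patterns the post describes.
SAMPLE_CONTACTS = [
    Contact("newsletter@example.com", "newsletter_signup", marketing_opt_in=True),
    Contact("invoice@example.com", "invoice"),                       # dumped in from billing
    Contact("support@example.com", "support_inbox"),                 # emailed support once
    Contact("leadgen@example.com", "lead_gen_tool", marketing_opt_in=True),  # no paper trail
    Contact("health@example.com", "newsletter_signup", marketing_opt_in=True,
            segments={"health_condition"}),
    Contact("gone@example.com", "newsletter_signup", marketing_opt_in=True, opted_out=True),
]
```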
The Penalties Are Real for Marketing Breaches
The maximum penalties under the Privacy Act are now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Those numbers are designed for large companies, but the OAIC investigates businesses of all sizes. Most enforcement at the SME level comes through complaints. One person who can't unsubscribe, one customer who asks where you got their number and you can't answer, that's enough to trigger an investigation.
The December 2024 amendments also introduced a statutory tort for serious privacy invasions. Individuals can now take action directly in Federal Court. That changes the economics. It's not just the OAIC you need to worry about. It's the customer who's had enough.
Getting direct marketing right under the APPs isn't complicated. Collect with clear purpose, market only within that purpose, make opt-out effortless, and keep records of consent. Most of the work is cleaning up what's already in your systems, not building anything new.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.