Last review date: 31 December 2024

☒  No

However, the OAIC has issued guidance on tracking pixels and privacy obligations, which explains how the Privacy Act’s general requirements apply to the use of tracking pixels. Additionally, the report on the review of the Privacy Act makes a range of proposals that would impact on the use of cookies and/or other online tracking technologies. The government has agreed in-principle (subject to further consultation) with the following proposals:

• Targeting should be fair and reasonable in the circumstances
• Targeting of children should be prohibited, except where it is in a child's best interests
• Targeting of individuals based on sensitive information should be prohibited, with an exception for socially beneficial content
• Entities should have provide information about targeting, including clear information about the use of algorithms and profiling to recommend content to individuals
• The definition of "collection" should be amended to expressly cover information obtained from any source and by any means, including inferred or generated information

These proposals are expected to be addressed in later reforms to the Privacy Act.

For completeness, the ACCC's Digital Platforms Branch conducted a digital advertising services inquiry and published its final report in September 2021, which discussed the use of cookies in this context. The focus of this inquiry is transparency and competition in the digital advertising market, rather than privacy, although consumer privacy issues were considered to some extent.

Last review date: 31 December 2024

☒  Yes

☒         email marketing

☒         prior opt-in consent

☒         prior existing business relationship (and subject to other requirements) with opt-out consent

☒         telephone marketing

☒         prior opt-in consent

☒         opt-out or implied consent

☒         prior existing business relationship (and subject to other requirements) with opt-out consent

☒         SMS/text message marketing

☒         prior opt-in consent

☒         prior existing business relationship (and subject to other requirements) with opt-out consent

☒         postal marketing

☒         prior opt-in consent

☒         opt-out or implied consent

☒         prior existing business relationship (and subject to other requirements) with opt-out consent

☒         online behavioral advertising targeting/social media targeting/ad personalization marketing

☒         prior opt-in consent

☒         opt-out or implied consent

☒         prior existing business relationship (and subject to other requirements) with opt-out consent

Whether businesses can use personal data for direct marketing will depend on how they collected the information (whether it was directly from the relevant individual or from a third party) and whether individuals would reasonably expect their information to be used for this purpose. There is also an opt-out requirement that applies to all direct marketing communications. Additional restrictions apply to the use of sensitive data for direct marketing.

The review of the Privacy Act examined whether current rules around handling of personal information for direct marketing purposes strike the right balance, or whether changes should be made. The report on the review proposed – and the government has agreed in-principle (subject to further consultation) – a number of changes to the current law, including that:

• A definition of direct marketing should be introduced, covering the collection, use or disclosure of personal information to communicate directly with an individual to promote advertising or marketing material
• Direct marketing to a child should be prohibited unless the personal information used for direct marketing was collected directly from the child and the direct marketing is in the child's best interests

These proposals are expected to be addressed in later reforms to the Privacy Act.

In addition to requirements under the Privacy Act, direct marketing communications are also subject to requirements under the Spam Act, which prohibit the sending of electronic commercial messages without consent and require all such messages to contain certain information and an unsubscribe facility. The DNCR Act prohibits businesses from contacting individuals on the Do Not Call Register by telephone or fax except in certain restricted circumstances.

To the extent the Spam Act or the DNCR Act applies, the Privacy Act does not apply.

As an example of the interaction between the Spam Act and the Privacy Act, the OAIC has indicated in the APP Guidelines that the display of an advertisement on a social media site that an individual is logged into where those advertisements are tailored based on that individual's browsing history may be direct marketing, suggesting that this would be regulated by the Privacy Act rather than under the Spam Act.

(Social media activity by or for advertisers who are AANA members would be subject to the AANA Code of Ethics, including the requirement that advertisements are clearly distinguishable.)