Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Direct marketing is one of the most effective ways to reach your ideal customers. Whether you’re sending promotional emails, running SMS campaigns or using targeted ads, it lets you speak directly to people who care about what you offer.
But there’s a catch: modern marketing relies on personal data. That means privacy law is front and centre. With rising consumer expectations and tighter enforcement, getting your compliance right isn’t optional - it’s essential for trust and growth.
In this guide, we’ll break down how the Privacy Act 1988 (Cth) applies to direct marketing in Australia, what the Australian Privacy Principles (APPs) - especially APP 7 - require, and the practical steps you can take to run effective, compliant campaigns. We’ll keep it plain English and action-focused so you can get on with promoting your business confidently.
Does The Privacy Act Apply To My Direct Marketing?
The Privacy Act applies to most Australian organisations that handle personal information. Personal information is any information or opinion about an identified person (or a person who can be reasonably identified). In a marketing context, that often includes names, email addresses, phone numbers, purchase history, browsing behaviour, customer profiles and more.
Broadly, the Privacy Act covers:
- Businesses and not-for-profits with an annual turnover of more than $3 million, and
- Certain small businesses under $3 million if they trade in personal information, provide health services, are a service provider to the Commonwealth, or fall within other specific categories set out in the Act.
Even if you fall outside the Act’s threshold, adopting Privacy Act standards is smart business. Clear privacy practices build trust and reduce risk - especially if you plan to scale or work with larger organisations that expect compliance.
Remember, the Privacy Act sits alongside other rules that also affect direct marketing. Commercial emails and SMS are governed by the Spam Act 2003 (Cth), and telemarketing is regulated under the Do Not Call Register Act 2006 (Cth). You must also avoid misleading or deceptive conduct under the Australian Consumer Law (ACL) when promoting your products or services (but note, the ACL doesn’t regulate “spam” - that’s the Spam Act’s job).
What Does APP 7 Say About Direct Marketing?
Australian Privacy Principle 7 (APP 7) sets the key rules for using or disclosing personal information for direct marketing. It applies to “organisations” under the Privacy Act (not government agencies) and generally requires you to be fair, transparent and respectful of choice.
Core Requirements Under APP 7
- Reasonable expectations: If you collected personal information directly from the person, you can generally use it to market if they would reasonably expect that use and you provide a simple way to opt out.
- Consent when expectations don’t exist: If the person wouldn’t reasonably expect marketing (or you collected the information indirectly), you usually need consent before using or disclosing it for direct marketing.
- Clear opt-outs: Every direct marketing communication must include a prominent, easy, and free way to opt out. You must action opt-out requests within a reasonable time.
- Sensitive information: You cannot use or disclose sensitive information (for example, health information, racial or ethnic origin, religious beliefs) for direct marketing without explicit consent.
- Source transparency: If someone asks, you must tell them where you got their personal information.
Bottom line: target people in ways they’d reasonably expect, get consent where appropriate, and always include a no-fuss unsubscribe.
How APP 7 Interacts With The Spam Act And Do Not Call Rules
APP 7 is about when and how you can use personal information for marketing. The Spam Act and Do Not Call laws set extra rules for specific channels:
- Spam Act (emails/SMS): You need consent (which can be express or inferred), sender identification and a functional unsubscribe. Inferred consent can arise from an existing business relationship where marketing is reasonably expected. Our overview of email marketing laws explains how this plays out day to day.
- Do Not Call Register (phone calls): You generally must not make unsolicited telemarketing calls to numbers on the register (with limited exceptions) and must comply with time and conduct rules.
Think of it like this: APP 7 sets the privacy baseline. The Spam Act and Do Not Call laws add channel-specific requirements you must also meet.
How To Run Direct Marketing Campaigns Legally (And Smoothly)
Strong privacy foundations make your marketing more effective. Here’s a practical roadmap to keep your campaigns compliant and customer-friendly.
1) Collect Only What You Need - And Be Clear About Why
- Minimise data: If you don’t need a data point to achieve your marketing goal, don’t collect it. Less data means less risk.
- Be transparent at the point of collection: Tell people you’ll use their details for direct marketing and how they can opt out. This should be reflected in your Privacy Collection Notice and your public-facing Privacy Policy.
- Be careful with purchased lists: If you use third-party lists, you are responsible for ensuring the data was collected lawfully and that the consents cover your intended use.
2) Get Valid Consent Where Required
- Express consent: Opt-in checkboxes (unticked by default), sign-up forms, and in-person signups work well - record time, date and method.
- Inferred consent (Spam Act): In some cases, you may rely on an existing relationship where the person would reasonably expect marketing from you (for example, a recent customer). Be conservative and honour preferences quickly.
- Sensitive information: Always obtain explicit, informed consent before using any sensitive information for marketing.
3) Make Unsubscribing Effortless
- Include a clear unsubscribe in every marketing message. Don’t hide it in dense text or require log-ins.
- Action opt-outs promptly. Treat an unsubscribe for one channel (e.g. email) as a preference signal for all channels where reasonable.
- Keep a suppression list to prevent future sends to opted-out contacts.
4) Be Transparent About Tracking And Targeting
- Cookies and pixels: If you use tracking tools for targeted ads or analytics, explain this in your Privacy Policy and consider a Cookie Policy for clarity.
- Online behavioural advertising: Ensure you’re not building profiles in ways people wouldn’t reasonably expect. Provide controls where you can.
5) Manage Your Vendors And Data Flows
- MarTech stack: Email, SMS, CRM and ad platforms often involve overseas storage or processing. Check where data goes and ensure appropriate safeguards under APP 8 (cross-border disclosure).
- Contracts matter: Put in place a Data Processing Agreement (or similar terms) with service providers to set clear data security, use and deletion obligations.
6) Keep Security Tight And Be Ready To Respond
- Security controls: Limit access to marketing lists, use MFA, and encrypt where possible. Train staff on privacy basics and phishing risks.
- Incident readiness: Have a practical Data Breach Response Plan so you can act quickly if something goes wrong.
- Retention and deletion: Don’t keep marketing data forever. Set sensible retention periods and follow Australia’s expectations around data retention.
Essential Legal Documents For Direct Marketing
Policies and contracts turn good intentions into consistent practice. The right documents help your team stay aligned and show regulators you take compliance seriously.
- Privacy Policy: Explains how you collect, use, disclose and secure personal information, including direct marketing and opt-out mechanisms. Link it in your website footer and in marketing emails. You can start with a tailored Privacy Policy.
- Privacy Collection Notice: Provided when you collect personal information, setting out why you’re collecting it, who you share it with and how people can opt out; a clear collection notice supports informed consent.
- Website Terms & Conditions: Set house rules for site use and reference your privacy practices; see Website Terms & Conditions for a solid foundation.
- Cookie Policy: Helpful if you use analytics or ad tracking so visitors understand how cookies and pixels are used; consider a dedicated Cookie Policy.
- Data Processing Agreement (DPA): Governs how your email/SMS platforms and other vendors handle personal information; a DPA sets expectations for security, use and deletion.
- Internal Unsubscribe Procedure: A simple workflow your team follows to action opt-outs across systems and prevent re-sends.
Not every business needs everything on this list right away, but most will need several of these documents as they grow. Getting them tailored to how you actually market avoids messy workarounds later.
What Happens If You Get It Wrong?
Privacy and marketing enforcement has stepped up in recent years. Consequences can include:
- Complaints and investigations: Individuals can lodge complaints with the Office of the Australian Information Commissioner (OAIC), which can investigate and make determinations.
- Enforceable actions: The OAIC may accept enforceable undertakings or require remedial steps. Serious or repeated interferences with privacy can attract significant civil penalties.
- Spam Act penalties: The Australian Communications and Media Authority (ACMA) can issue infringement notices and pursue penalties for Spam Act breaches.
- Reputational impact: Negative publicity and customer churn can outlast any fine.
There is currently no general statutory tort of “serious invasion of privacy” in Australia. However, privacy determinations, contractual claims, confidentiality issues and consumer law risks can still arise depending on the circumstances. Prevention is far cheaper than remediation - and far better for your brand.
What’s Changing? Future-Proof Your Direct Marketing
Privacy reform remains on the national agenda. Expect tighter rules around consent, transparency and data minimisation, and potentially stronger individual rights over how their data is used for profiling and targeted ads.
It’s a good time to refresh your marketing data practices with a “privacy-by-design” mindset:
- Collect less, explain more, and offer genuine choices.
- Map your ad-tech and data flows so you know where personal information goes - especially across borders.
- Set realistic retention periods and delete data when it’s no longer needed.
- Build consent and preference centres that are easy to use.
If you’re evolving your stack or expanding into new channels, consider a quick privacy health check alongside any new tools. When your tech and your legal settings move in step, you’ll avoid nasty surprises.
Key Takeaways
- APP 7 allows direct marketing when it’s within people’s reasonable expectations or with consent, and you must always provide a straightforward opt-out.
- The Spam Act governs commercial emails and SMS (consent - express or inferred - sender identification and a working unsubscribe), while the Do Not Call rules apply to telemarketing.
- Put strong foundations in place: a clear Privacy Collection Notice at sign-up, a transparent Privacy Policy, and easy unsubscribe processes across all channels.
- Be careful with sensitive information, purchased lists, overseas disclosures and ad-tech tracking - these areas carry higher risk and need tighter controls.
- Lock in practical documents - Website Terms & Conditions, a Cookie Policy and a Data Processing Agreement with vendors - so your team and suppliers handle data consistently.
- Staying compliant isn’t just about avoiding penalties; it builds trust, improves deliverability and keeps your marketing running smoothly as you scale.
If you’d like a consultation on direct marketing compliance under the Privacy Act, including your Privacy Policy, collection notices and data-processing terms, reach out to us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.