Competitions are often centred on the collection of personal information. If you are conducting competitions, with the aim of (or resulting in) collecting personal information, ensure that your competition is compliant with the Privacy Act 1988 [the Act].
The Act and Australian Privacy Principles [APPs] govern the collection, storage, use and disclosure of personal information.
What is personal information and who is covered?
Personal information is defined in section 6 of the Act as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
The Act applies to businesses with a turnover of more than $3 million a year who collect personal information or to those businesses who fall within a listed category.
A ‘B2B’ business may still be bound by the Act if it handles personal information, such as the personal information of contacts within its clients’ businesses or of employees of its clients.
Importance of Compliance
There are significant potential penalties that can be imposed for non-compliance, and for repeat breaches of privacy laws, including enforceable undertakings and fines of up to $1.7 million, not to mention the reputational damage resulting from a breach.
Collection of Personal Information via Competitions
To understand the application of the Act and APPs in relation to competitions, it is necessary to review: a) the reason for collection, b) the types of personal information collected, and c) how information is collected. There are typically two reasons for collection of personal information. The first is to conduct the competition i.e. to conduct the draw and to notify winners. The second is to use personal information for marketing including via email.
If you conduct direct marketing using personal information collected via a competition, you will need to consider APP 6 and APP 7: “If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.” Review the exemptions to this principle contained in APP 7.2 and APP 7.3. Ensure that, if you use personal information for direct marketing, you are compliant with APP 7.
We sought independent legal advice from a professional in the field who confirmed the following:
Consequently, it is important that your competition terms make the intended collection, use and disclosure of personal information clear to entrants.
If consent to receive marketing material is not mandatory then an opt-in (not pre-ticked) should be used. If marketing material is to be sent electronically then it is also important to consider the Spam Act. If an entrant has given positive consent to receive marketing material including via electronic means for an unlimited period, an option to opt-out must be included in all future messages sent. Typically, this would be as simple as a reply email or the click of a button. All messages must also include contact details and the identity of the sender.
When reviewing the kinds of personal information collected, you should consider if you actually need to collect that kind of personal information. Review APP 3 which requires that you only collect personal information “reasonably necessary for one or more of the entity’s functions or activities.” Consider whether or not you collect ‘sensitive information’ and if so review all requirements in the Act and APPs relating to sensitive information. Consider how long you need to hold information and if you can de-identify or destroy information you no longer need.
Note: This is not intended as a comprehensive guide to the Act or APPs. We recommend that you seek independent legal advice to ensure compliance with the Act and all other applicable laws.