Data-driven marketing regulation glossary
Best practice and legislation around data-driven marketing are changing more frequently than ever thanks to technological advances.
We aim to keep this glossary up to date, but please be mindful that regulations, laws and best practices in Australia and across the globe evolve quickly.
This glossary is not all-inclusive. It includes key terms you will find used in day-to-day data-driven marketing regulation. It also includes some of the key regulators that operate in this space.
It’s always wise to seek legal advice that’s specific to your business to be fully compliant.
Australian Privacy Act
Australian Spam Act
Competitions - see trade promotions
Consumer Data Right
Consumer Loyalty Schemes
Digital Advertising Services
Do Not Mail Register
Notifiable data breach
Australian Competition and Consumer Commission (ACCC)
As of June 2021, the ACCC is the regulator responsible for overseeing a raft of issues including:
- Deceptive and misleading conduct (section 18 of the Australian Consumer Law)
- Digital platforms inquiry
- Consumer data right
- Australian Consumer Law
Australian Communications and Media Authority (ACMA)
ACMA is a regulator that oversees the convergence of telecommunications, broadcasting, radio and the internet. The independent statutory government body collects the licence fees and revenues and, as of June 2021, oversees issues like:
Australian Consumer Law (ACL)
The Australian Consumer Law applies nationally and in all States and Territories, and to all Australian businesses. The ACL covers general standards of business conduct, prohibits unfair trading practices, regulates specific types of business-to-consumer transactions, provides basic consumer guarantees for goods and services, and regulates the safety of consumer products and product-related services.
The ACCC oversees the administration of these laws.
Australian Privacy Principles (APPs)
The legal concept of privacy in Australia is governed by the Australian Privacy Act as well as the Australian Privacy Principles. These 13 Australian Privacy Principles are designed to be technology neutral, so they can adapt to changing technologies. Breaching an APP is considered ‘interference with the privacy of an individual’ and can lead to penalties and regulatory action. The 13 APPs include regulations and disclosures around:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
Australian Prudential Regulation Authority (APRA)
APRA is an independent statutory authority that supervises institutions across banking, insurance and superannuation, and is accountable to the Australian Parliament.
Australian Privacy Act
The 1988 Privacy Act was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies, organisations with an annual turnover of more than $3 million, and some other organisations handle personal information.
The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies. These are collectively referred to as ‘APP entities’.
Australian Spam Act
The Spam Act 2003 and Spam Regulations govern how marketers can send ‘electronic messages’ like emails and SMS to consumers. Businesses must only send electronic messages that identify themselves with full contact details and allow unsubscribe options (rules around which are covered specifically in the SPAM Regulations 2021). Those receiving messages need to give permission to receive them. Businesses cannot use COVID-19 check-ins as permission to send electronic messages.
California Consumer Privacy Act (CCPA)
The internet crosses national borders so if your website or customer base reaches Californian customers, then you need to make sure your data handling practices comply with the California Consumer Privacy Act.
Competitions - see Trade Promotions
Competitions and marketing promotions are commonly referred to by the legal term ‘trade promotions’. These are governed by different laws in each state and territory. Generally speaking, all competitions which fall into the category of Games of Chance may need to obtain an approval in each state in which they are open, not merely the state in which the business holding the promotion is based.
Consent
Consent is an individual’s free agreement to participate. From a marketer’s perspective, it is used in the context of the permission required to add a consumer to a marketing database. Consent is usually brought up when considering electronic messaging and sending marketing materials to a consumer. It’s good practice to send messages only to customers who have expressly given permission to opt in, whether by filling in a form, signing a document, or agreeing over the telephone or face-to-face. Australian spam regulations do allow contact through ‘inferred consent’, where it is reasonable to expect that a consumer who filled in their details wishes to hear from a business again.
Consumer Data Right (CDR)
2020 legislation gives consumers the right to opt in and have their personal data shared with different businesses to enable more competition, for example by allowing a citizen to share their personal banking history with another bank to get a better mortgage. Currently the law applies to banking, but it is intended to roll out to other industries like utilities and other services.
Consumer Loyalty Schemes
Customer loyalty schemes are marketing and promotional tools used to encourage consumers to have a connection to a particular brand and encourage repeat business. Consumers often join these schemes to earn discounts or points, which can be redeemed for rewards including goods and services.
Loyalty schemes like this are often run by supermarkets, hotels, airlines and credit cards. These schemes are regulated by various Acts and policies. Any consumer or business enquiries are best directed to the business that administers the scheme.
Cookies
A web cookie is a small text file containing information about your browsing history which is stored locally on your device. The cookie file will store information about your ID, session ID, or information about IP address or search history. Cookies help sites deliver a more personalized user experience in return for information about their visitors.
Types of Cookies Commonly Used:
- First-Party Cookies – are set by the publisher or site a consumer visits and are written to that domain. First-party cookies that track data about your own website’s visitors on all browsers will not be affected by the upcoming demise of cookies.
- Third-Party Cookies – created by websites other than the ones you’re visiting – hence the name third-party. These are primarily used for website activity tracking, data collection, cross-site tracking, retargeting and ad-serving. The data from third-party cookies is often inferred data, which is based on past user behaviour and not on information that has been explicitly provided by the user. The upcoming browser setting changes will phase out third-party cookie usage by default.
Data
ADMA views data as information that’s stored or used by technology. Personal data is information about a particular person that should be anonymised and de-identified.
Digital Advertising Services
The programmatic advertising ecosystem relies on digital purchases rather than manual insertion orders. It has been subject to recent submissions and reports overseen by the ACCC to make recommendations that improve outcomes for consumers and businesses.
Digital Platforms Inquiry
On 4 December 2017, the then Treasurer, the Hon Scott Morrison MP, directed the ACCC to conduct an inquiry into digital platforms. The inquiry looked at the effect that digital search engines, social media platforms and other digital content aggregation platforms have on competition in media and advertising services markets. In particular, the inquiry looked at the impact of digital platforms on the supply of news and journalistic content and the implications of this for media content creators, advertisers and consumers. The final report was published on 26 July 2019 following the report being provided to the Treasurer.
Do Not Mail Register
This is a register facilitated by ADMA that allows consumers to stop receiving unsolicited mail from ADMA members. While it does not prevent all unsolicited direct mail, it does reduce the amount of unsolicited mail you will receive.
General Data Protection Regulation (GDPR)
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.
Notifiable data breach
The rise in scams and security issues means even the best companies can fall victim to a notifiable data breach, where a business unwittingly disseminates the personal information it holds. There are strict reporting requirements when these incidents happen and there are heavy penalties for failing to report. It’s best practice to have a data breach response plan in place so organisations know how to respond if an incident occurs.
Office of the Australian Information Commissioner (OAIC)
This regulator oversees privacy and regulation around notifiable data breaches. It plays a key role in regulating privacy in Australia and, as the Digital Platforms Inquiry progresses, it is expected that it may also administer a social media code.
Personal information
Sometimes this is also called personally identifiable information (PII). From a legal perspective, personal information is information about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is collected in a material form. It’s a tricky area, which is worth getting specific advice on. Personal information is defined in the Privacy Act as information about a person, which may or may not include things like name, date of birth, address, signature and so on. Sensitive information - such as race, membership of political organisations or criminal records - is also included in this definition and has a higher standard of governance.
Privacy
There are international and national laws that govern how privacy works, and this can be a fast-changing space due to different regulators creating new policies, legislation and guidelines. There are Australian privacy laws, but increasingly, changes in technology and our interactions and engagement with varying territories mean that Australian businesses must also abide by the privacy laws of the territories they do business with (or in some instances market to). For example, Californians have a strict CCPA and Europeans have protective GDPR laws.
Scams
Scams come in all shapes and sizes. Have you received an offer that seems too good to refuse, or a request to donate to a good cause? Perhaps an invitation to ‘befriend’ or connect with an online admirer? Scammers know how to press your buttons to get what they want. Scams target people of all backgrounds, ages and income levels. Every year scams cost Australians millions of dollars and cause considerable non-financial harm. One of the best ways to combat this type of fraud is to stay one step ahead of the scammers by being aware of scams and how to protect yourself.
With the dark web attracting more scammers and thieves, businesses need to be wary of phishing attempts, fake invoicing and other scams that falsely convince people to share personal information. Many large businesses are investing significantly in security and training to avoid these scams, which the ACCC estimates cost us billions of dollars each year. There are many COVID-19 scams, dating website scams and others convincing people to give away their personal information or bank details or even make false payments. It pays to keep up with new scams that affect your business or industry category by visiting the ACCC’s Scamwatch site.
Security
Security requirements around data and personal information change as technology evolves and laws change. All marketers should secure any personal information they hold - especially sensitive information like sexuality or religion. It’s best practice to have internal security policies and procedures in place in case a business experiences a notifiable data breach or privacy issues. Security considerations include things like unauthorised access, modification or disclosure. Businesses must also protect against misuse, interference and loss. Businesses holding financial information may also have to comply with APRA security considerations and technical guidelines around the Consumer Data Right.
Sensitive information
This is a subset of personal information and in Australia is defined in our Privacy Act to be information such as racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record. It also includes health information and genetic information, like DNA. State and international regulations like GDPR can also come into play when considering how to best secure, handle and store sensitive information.
Spam
Spam is unwanted content. In Australia, the sending of commercial electronic communications is governed by the SPAM Act. Under Australian law, it’s an offence to supply or use a list that’s been created with address-harvesting software or to send electronic messages to people without their consent. It’s also poor marketing. High-quality data-driven marketing builds trust with consumers and should help allow the free flow of information to make sure businesses prosper by offering genuine benefit to consumers.