The key points to know about the Spam Act and Privacy legislation in Australia.
This was hard to write, because no matter how I twisted it, I couldn’t find inspiration to make it interesting. Talking about the law is boring. However, a quick 5 minute read to understand how to keep on the right side of the law when it comes to emailing and dealing with your customer data - and you never know - it may end up saving you a lot of grief down the track.
The following is an outline of the key key points that you need to be aware as a small business.
The Australian Spam Act 2003
The Spam Act was put into place to stop unscrupulous businesses from relentlessly spamming people with digital communications and messages, regardless of whether it was email, text or any other direct form of messaging.
The Spam Act applies to all businesses regardless of size. It covers:
- all messages coming out of Australia even if the broadcast service you’re using is outside of Australia - such as Mailchimp.
- all messages originating overseas sent to an Australian address.
- all digital messages and communications that offers, advertises or promotes a product or service.
The basic rules of the Act are:
You must have permission to send a promotion type email/message to anyone.
This is the opt in model at play in Australia and rules out buying lists of email addresses - a big no no. The important thing to be clear about here is when you collect an email address from someone, be clear what you’re using it for.
Here’s an example. As part of your sales process you collect their email address to email the receipt and delivery information. This is not giving you permission to know start emailing them in the future with promotional deals. What you need to do is include an opt in button where people opt in to receive future emails about your services/products. Yes it makes it hard - but that’s the law.
Within your message eg email, you must have a complete and accurate set of contact details of you - the sender
You must always provide a way to ‘unsubscribe’ from any list
You must complete a request to ‘unsubscribe’ a person within 5 working days.
There are exceptions.
Certain messages from the following types of organisations are exempt:
- government bodies
- registered charities
- registered political parties
- educational institutions (for messages sent to current and former students).
The above are likely to be completely unhelpful to you as a small biz operator, luckily there is a however. IF you have an existing relationship and you are emailing them about something to do with that relationship eg. they are a member of your website and you need to tell them about upcoming changes, outages or new features, then you are able to contact them without express ‘opt-in’ permission.
They are steep - up to $220,000 per day in breach and up to $1.1 million for a repeated breach.
Australian Privacy legislation
Under the law in Australia, if you’ve got a turnover of more than $3 million or regardless of size or type of organisation but you deal with personal health information, then the legislation applies to you.
It applies to personal information such as name, address, date of birth and rare or unique characteristic(s).
The basic rules for digital are:
what you will use the data for
how and where you will store it
who you will disclose it to including if they will be outside of Australia
what information you will collect as part of browsing the website
how people can view their personal data and lodge a privacy complaint
how you’ll communicate any changes to the policy.
You must ensure that any personal information is reasonably protected and secured from misuse or unauthorised access, modification or disclosure
Once you no longer need that personal information then you must have a process to destroy or de-identify the information.
Now while this only relates to larger sized businesses and those in health care, it’s good practice to follow the basic principles of the Privacy Act. Why? This law is about protecting customers from people misusing their private information including on-selling to other organisations. By adhering to it you lend credibility and respect to your business, so that your customers can trust you as a digital business.
A serious or repeated breach with privacy comes with a maximum penalty of $340,000 for an individual or $1.7 million for a corporation.
Further information is available at the not so helpful, not really english, but some form of legalese version of english, government websites.
Important note: I am not a lawyer just a digital specialist who has had to work within these laws for many years. You must seek proper legal advice relating to your own unique circumstances. The following is just an outline of key points, so it's not complete. I still hope that you’ll find it useful and point you in the right direction.