It has been a big year of change with new privacy and data protection laws both here and globally impacting Australian businesses. Here’s a checklist of some of the legalities relating to your digital marketing that you need to be aware of.
No matter your company’s size or industry, cyber criminals don’t discriminate in choosing a target. It is important for every Australian business, including small and medium-size enterprises, to understand its legal obligations under privacy and data protection laws.
And you owe it to your customers to protect the personal information they so trustingly hand over to you.
This year we have seen major changes to both local and global privacy and data protection laws, which will impact businesses in a number of significant ways.
In May, we saw the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR), which has wide implications for any business dealing with or marketing to EU citizens – even if you are not actively doing so (see further information below).
There has also been a major change to the local Privacy Act in February this year, which means you are now legally bound to involve the Office of the Australian Information Commissioner (OAIC) if you experience a data breach.
However, it seems that many small to medium businesses are struggling to keep up with data protection and privacy laws and may not even be aware of what is important to them.
An analysis of the Australian Financial Review’s list of the 100 fastest growing companies in 2017 found that:
- One-third (32%) of Australia’s fastest-growing companies do not have secure websites
- Close to one-half (44%) of the companies do not appear to comply with Australia’s privacy laws.
In addition, research released by technology giant HP Australia earlier this year, found that 57% of small to medium-size businesses have not done any sort of IT security risk assessment in the last 12 months, putting their devices, data and documents at risk.
Often legalities are neglected as businesses focus on more pressing priorities. But it is an area where increasingly it is important to check off at least the basics as part of a regular digital marketing audit.
The following is a checklist of some of the most important legal areas to consider. You may need to seek legal advice to ensure you are well prepared and knowledgeable when it comes to security breaches and the law relating to digital marketing and advertising.
Protecting Company and Client Data
Alerting the customer and the OAIC to any potential security or privacy breach
A recent change to the Privacy Act means that you must now report, within 30 days, all data breaches involving personal data to both the affected customers and the Office of the Australian Information Commissioner (OAIC). Previously you were encouraged to report to the OAIC; now you are legally bound to.
The legislation applies to businesses with an annual turnover of $3 million or more, or for smaller businesses that operate by holding personal information, such as credit reporting agencies.
Even if you are not a company involved in e-commerce, an online ‘transaction’ is classified as any exchange of information, such as personal details obtained through a website contact form, or careers page. Non-compliance could mean a fine of up to $1.8 million for companies.
We are also seeing similar moves globally, including the recent case of British Airways having to notify 380,000 potentially affected customers that hackers had stolen credit card details or skimmed data from its website and app. The 15-day hack resulted in thousands of customers having to cancel their credit cards, and the airline now faces a multi-million-pound fine, fare reimbursement, and legal action from affected customers.
Cookies Notice/GDPR Data Collection
The European Union’s (EU) General Data Protection Regulation (GDPR) is a set of data protection requirements which came into effect in May this year.
They aim to standardise data privacy laws across Europe, ensuring that personal data is handled more securely.
This ‘Cookie Law’ is a result of the new GDPR regulations and is designed to obtain informed consent before any cookie files are used to store information on a user’s computer. The notice only needs to be displayed to new visitors, but it must appear on whichever page they first land on.
The GDPR applies to advertising to or collecting data of EU citizens specifically.
It applies to Australian businesses that:
- have an office in the EU
- enable EU customers to order goods or services online in a European language (other than English), or enable payment in euros
- mention customers or users in the EU on their website
- have EU citizens on their mailing list, or have had them visit their website (i.e. processing and holding their personal data).
This last point obviously is particularly tricky for Australian businesses, as it is a very real possibility that you are dealing with at least one EU citizen currently living here. Businesses need to weigh up their own situation and seek legal advice on the extent of their total or partial compliance with the GDPR.
Hypertext Transfer Protocol Secure (HTTPS) is one way in which businesses can protect their website traffic and transactions. Identified by the lock icon in the address bar, it is the secure protocol over which data is sent between a browser and a website. It safeguards the privacy and confidentiality of visitors, protects data in transit, and provides authentication so that visitors can trust they are connected to your website and not an impostor.
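The properties described above can be checked on a site’s own responses rather than taken on trust. The following is an added example, not code from the original article: a small Python audit that takes a captured HTTP response (URL, status code and header list) and reports whether plain-HTTP requests are permanently redirected to HTTPS, whether a Strict-Transport-Security header tells browsers to stay on HTTPS, and whether cookies carry the Secure attribute so they are never sent over plain HTTP. The sample responses and the one-year HSTS threshold are constructed for this example; the host `shop.example` is a placeholder.

```python
"""Audit captured HTTP responses for basic HTTPS hygiene.

Added example; the responses below are constructed samples, not captures
from any real site, and shop.example is a placeholder host name.
"""
from urllib.parse import urlsplit

# Threshold chosen for this example: one year, the value commonly required
# before a domain is accepted for browser HSTS preload lists.
HSTS_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Return the max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def cookie_has_secure(set_cookie_value):
    """True if a Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "secure" in attrs


def audit_response(url, status, headers):
    """Return a list of findings for one response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    findings = []
    scheme = urlsplit(url).scheme.lower()
    lookup = {}
    for name, value in headers:
        lookup.setdefault(name.lower(), []).append(value)

    if scheme == "http":
        # A plain-HTTP response should be a permanent redirect to the HTTPS origin.
        location = lookup.get("location", [""])[0]
        if status not in (301, 308) or not location.lower().startswith("https://"):
            findings.append("plain-HTTP request is not permanently redirected to HTTPS")
    else:
        hsts = lookup.get("strict-transport-security")
        if not hsts:
            findings.append("no Strict-Transport-Security header; browsers may still try plain HTTP")
        else:
            max_age = parse_hsts(hsts[0])
            if max_age is None or max_age < HSTS_MIN_MAX_AGE:
                findings.append(f"HSTS max-age {max_age} is below {HSTS_MIN_MAX_AGE} seconds")

    for cookie in lookup.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if not cookie_has_secure(cookie):
            findings.append(f"cookie {cookie_name!r} lacks the Secure attribute and can leak over HTTP")
    return findings


# Constructed sample responses (not real captures).
WEAK_RESPONSE = (
    "http://shop.example/",
    200,
    [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")],
)
REDIRECT_RESPONSE = ("http://shop.example/", 301, [("Location", "https://shop.example/")])
GOOD_RESPONSE = (
    "https://shop.example/",
    200,
    [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ],
)
SHORT_HSTS_RESPONSE = (
    "https://shop.example/",
    200,
    [("Strict-Transport-Security", "max-age=300")],
)

if __name__ == "__main__":
    for label, sample in [("weak", WEAK_RESPONSE), ("redirect", REDIRECT_RESPONSE),
                          ("good", GOOD_RESPONSE), ("short-hsts", SHORT_HSTS_RESPONSE)]:
        print(label, audit_response(*sample) or ["no findings"])
```

The audit only reads headers, so it can be run against responses saved from your own site (for example, from a browser’s network tab or `curl -I`) without sending anything to a third party. An empty findings list for both the plain-HTTP and the HTTPS response is the state the paragraph above describes.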
Legal Obligations of Online Marketing/Social Media
Before you send out marketing material via email or mobile phone text messages (SMS) or other types of electronic messages, you need to ensure you comply with the Spam Act 2003.
It is illegal in Australia to send unsolicited emails and you must ensure that:
- recipients of your message have given consent to receive emails from you
- you have provided business contact details
- you have included a working unsubscribe link.
In the event of a breach, the Australian Communications and Media Authority (ACMA) can take a number of different actions, from issuing a formal warning to prosecution and fines. Email marketing platforms like MailChimp and Campaign Monitor may also close your account and ask for a detailed explanation if you receive a large number of unsubscribes or spam complaints.
Social media and defamation
If you are using social media, you need to be aware of the law of defamation. Defamation is anything said, written, commented, tweeted, published or blogged about another person that has the potential to damage their reputation or business, or to subject them to shame or ridicule.
It is also important to be wary of ‘liking’ or ‘sharing’ a defamatory comment made by someone else, especially where this introduces a new and broader audience to the content.
Companies should have strict guidelines for all employees regarding what should or should not be posted about competitors and clients (even if they unfairly criticise your business), the type of language used and acceptable subject matter.
Advertising – false and misleading claims
When promoting your products or services, you need to ensure that any branding, statement, quote or any other representation is not false or misleading.
It is also illegal to engage in bait advertising, whereby a product is advertised at a certain price but the business knows it cannot supply the expected demand.
You may need to obtain a permit for certain competitions, lotteries or promotions over a certain amount, which differs depending on the state or territory. You also need to disclose any special terms and conditions of the award or prize, and to supply the promised gift or prize to the winner.
The laws stated above are really just the tip of the iceberg in terms of what you should be aware of when it comes to your legal digital marketing and data security obligations.
Much of it is common sense, such as social media comments and advertising in a truthful way. However, when it comes to the collecting and storage of personal data, it is probably a good time to review and update your company privacy policies in line with the recent changes to local laws, as well as the introduction of the GDPR.