Submitting details.
Please wait ...

Contact Us Today
07 3224 0222

Resources
Governance & Risk Management | ClubsGovernance & Risk Management

Privacy laws and business card draws

As seen in the February 2020 Edition of the Queensland Bowler magazine.

It is no surprise to see more and more bowls clubs using marketing techniques to connect with members, advertise services and promote upcoming events. We have recently seen an increase in email and text message marketing, with clubs building electronic databases to fit their specific target audience. However, clubs should be mindful that there are strict rules as to how personal information such as phone numbers and email addresses may be collected, stored and used.

Under the Australian Privacy Principles (APPs) within the Privacy Act 1988 (Cth) (the Act), an organisation must not disclose personal information it holds for the purpose of direct marketing, unless that information has been collected from someone who has either consented to have their personal information used for direct marketing, or who would reasonably expect their information to be used for that purpose.

Penalties under the APP and the Act can be very serious – including fines in the millions of dollars for companies who misuse or fail to protect sensitive personal information. Your club is unlikely to be hit with such maximum penalties but even smaller fines could be potentially damaging for your club.

There are a number of ‘danger zones’ for clubs and businesses when it comes to collecting personal information for marketing purposes, most commonly involving:

  1. business card collection and draws;
  2. online application and booking forms; and
  3. online or paper-based raffles and competitions.

If using one of these avenues to build your club’s database, it is important to remember that once personal details are collected and recorded, you must treat the information in accordance with the Act to ensure the security of the information. Also, information may only be kept for as long as is required to fulfil the purpose for which it was collected.

For example, if you drop your business card into a prize draw in the hope of winning a bottle of wine or a holiday, would you expect to be followed up with a marketing email?

Depending on the circumstances, some people might answer “no” to that question. However, even if you answered “yes”, it is important for businesses to clearly communicate the purpose for collection, and to get additional consent, particularly if personal information is to be provided to a third party (such as an event sponsor) who also wishes to use that information for marketing purposes. You could achieve this by having a notice on the box for business cards confirming that the information may be used for marketing purposes in accordance with the club’s privacy policy, or by including a reference to this in your club’s privacy policy.

Conducting a business card draw is just one example of how you might collect contact details to add to your database. When collecting personal information more broadly, there are three simple ways to reduce your club’s risk: 

  1. Ensure that consent is provided

When adding a new contact to your online database, it is essential to first obtain clear consent to use their personal information for marketing. This can be done through a simple email or form (including checking a box) on a website, so that the information you take in from events or website visitors is clearly reasoned.

  1. Provide a simple way to opt-out or unsubscribe

An individual receiving your marketing correspondence should be able to easily determine how to opt out. Not only is this recommended under the APPs; in fact, under the SPAM Act 2003, opt-outs are mandatory for every electronic marketing communication. Failure to provide recipients with a low or no cost way to get out (e.g. an “unsubscribe” button in an email or text message) could attract significant penalties.

  1. Comply with requests

If an individual asks your club to stop using their personal information for marketing purposes, then you must comply with this request within a reasonable time (usually 30 days). If asked, you must also provide your source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

In addition to avoiding potential fines, complying with privacy laws is likely to produce healthier, and ultimately, more productive data for future marketing purposes.

Article written by Matthew Bradford (Partner) and Glen Rolley (Associate).

"The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication."