Credit reporting agency, Veda, recently came under fire over its privacy practices regarding disclosure of personal information for marketing purposes.
Veda (a subsidiary of US credit reporting giant, Equifax) collates credit information about individuals and businesses. Individuals can obtain a free Veda credit report once every 12 months (additional reports in a 12 month period can be obtained for a fee).
Flags have been raised over Veda’s privacy practices concerning disclosure of personal information after consumers received personalised correspondence from banks which they had never previously contacted or had a relationship with. Receipt of this correspondence appeared to coincide with the individuals accessing a free report or submitting applications for new financial services. Confused consumers contacted the banks in question, and were told that their personal information had been passed on by Veda.
Australian privacy law
Under the Australian Privacy Principles (APPs) an organization that holds personal information about a consumer for one purpose, such as providing a service, must not use or disclose that information for any other purpose, including direct marketing or facilitating the direct marketing of third parties. This is the case unless the consumer consents, or would reasonably expect the use or disclosure of personal information in this way (and a clear opt out facility is provided with each marketing communication).
However, Part IIIA of the Privacy Act 1988 (“the Act”) prohibits banks (and other credit providers) from using information issued by a credit reporting body for the purposes of direct marketing. Put simply, banks can’t take your name and address from a credit report and use it for their direct marketing purposes. If the credit provider has obtained personal information from another source (eg directly from the individual), or it passes information onto a credit reporting body for the purpose of pre-screening, then this prohibition does not apply.
Privacy and direct marketing
Veda’s alleged conduct raises the question of whether consumers should be able to exercise their right to access a free credit report without becoming entangled in commercial opportunism. It’s important that consumers know what credit information is attached to their name, so they can correct any inaccuracies and make informed decisions.
Although credit reporting bodies like Veda are generally not permitted to use or disclose personal information for the purpose of direct marketing, it may be possible to do this with consumer consent. Where a form requires personal information to be entered, the ability to opt out of receiving marketing material, and the consequences of not opting out, must be clearly and prominently disclosed, not hidden away in small text. The process of opting out must be simple, able to be done using the same or similar platforms and involve no more than a nominal cost. Some forms, such as the online form reportedly used by Veda include a pre-checked opt-in box for marketing materials (in this case from Veda and its corporate partners). By leaving the box ticked, whether by genuine mistake, form filler’s fatigue or because a pre-ticked box sometimes implies necessity, customers may be consenting to the disclosure of their personal information for direct marketing purposes.
A Veda spokesperson said that consumers are made aware that they may untick any box in the online form and that any concerned consumers could get in touch after the fact and opt out. The spokesperson further commented that Veda’s practices are wholly within the Act and APPs and denied that Veda used credit reporting information to determine whether a consumer would be a desirable recipient for a client’s marketing material. Likewise, a spokesperson from one of the banks stated that it requires assurances from third parties, like Veda, that information has been sourced and is being used in accordance with privacy laws.
However, the Office of the Australian Information Commission (“OAIC”) has confirmed that it is investigating the matter, following complaints received by consumers. Although the banks and Veda believe they have acted appropriately, it will be interesting to see whether the OAIC concurs.
Best practice is, of course, be upfront with consumers when it comes to collecting, using or disclosing their personal information.
We will keep you posted on developments.