Privacy compliance for start-ups


Posted By on 18/01/16 at 4:21 PM

Starting your own business is challenging, exhilarating and daunting. I know – I’ve done it! Privacy compliance is one of those areas that seems to confound and confuse. Let’s take a brief look at what’s involved.

Do I need to comply with privacy and spam laws?

Privacy and spam laws are not the same thing. Privacy law governs the collection and use of personal information generally. Spam law governs the use of personal information in commercial electronic messages (eg sending newsletters by email) specifically. There is some overlap between the two, but they are separate laws.

If your annual turnover is $3 million or more, or your business falls into one of the exception categories, then you must comply with privacy law. You have to comply with spam law regardless of your turnover.

What do I have to do to comply?

You must have a privacy policy which covers (amongst other things) what information is being collected, who’s collecting it, how and why it’s collected, the purpose(s) for which it will be used, how it will be stored, whether information can be provided anonymously or via a pseudonym, whether it will be sent overseas, and contact details for questions or complaints. You will also need to provide an information collection statement at the point of collection (eg on an order form).

Regarding spam law, you must have recipients’ consent before sending commercial electronic messages. Each message must clearly identify the sender (full legal name, address and contact number) and include an unsubscribe facility.

When can I use and disclose the information I collect?

You can only use and disclose personal information for the purposes for which it was collected (eg fulfilling orders from customers). If you use an agent to do this (eg a mailing house), you can disclose the information to that agent (but must ensure that they don’t use it for any other purpose). Otherwise, you can’t disclose an individual’s personal information to any third party without their consent, unless required to by law.

How can I market to my database?

You can use personal information for marketing if you have collected it for this purpose (eg via an opt-in on an order form), or have said at the time of collection (eg in an information collection statement) that it will be used for this purpose. Generally speaking, you can also use it for marketing if consumers have a reasonable expectation that you will do so, and you provide an unsubscribe option (eg send direct mail which includes a phone number where people can unsubscribe at any time). It is best to get advice on this before proceeding.

You must have consent to send commercial electronic messages.

What do I do if there is a security breach?

Where there is a risk of harm (eg someone has acquired customers’ credit card details), you should immediately notify the individuals affected. Although not mandatory, you may also wish to notify the Office of the Information Commissioner – note that mandatory reporting is likely to become law sometime in 2016. Given the potential consequences, if you experience a serious security breach, I strongly recommend you obtain legal advice.

What’s the takeout?

As a start-up, you’re unlikely to hit the turnover threshold for privacy compliance. But if you want to market your business electronically, then it makes sense to comply from the outset. That way, you’ll kill both the privacy and spam birds with one stone, and will be engaging in sound data protection practices from the outset (which will also give consumers confidence in your business).

Director

David is the founder and managing director of KHQ.

David has enjoyed a distinguished career practising general commercial law, working with top tier firms and in-house before launching Kelly...