Privacy Law and Policy Reporter
Submission by the Australian Privacy Foundation in Response to the Department of Communications, Information Technology and the Arts’ Discussion Paper on the Introduction of a Do Not Call Register, November 2005.
This submission is included in PLPR as an important example of the APF’s input to national debate on private sector privacy intrusions. The submission welcomes the proposal for a national do-not-call register, but calls for it to be set in a wider context of the need for effective regulation of direct marketing in general, and to avoid pandering to special interests by way of extensive exemptions, which would significantly undermine the effect of a register.
1. We welcome the initiative of the Department of Communications, Information Technology and the Arts in publishing the Discussion Paper for public comment. The introduction of a Do Not Call Register would be an important step in enhancing the protection of privacy, and a strong regulatory approach is likely to be the only effective solution.
2. The Australian Privacy Foundation supports the introduction of a Do Not Call Register. However, as is clear from the comments below, considerable work remains before a satisfactory solution is found. In particular, it is submitted that such a Register must be sophisticated enough to cater for individual choice going beyond a mere ‘yes’ or ‘no’ alternative to all forms of direct marketing.
4. As to the scope of the proposed regulation, we suggest there are good reasons to take this opportunity to approach the identified problems in a broader manner, and to aim for a Do Not Approach Register that is technology neutral and thereby covers all means of communication (see below). DoCITA’s area of responsibility would appear wide enough for this not to pose a jurisdictional problem.
5. In addition, the relationship to, and interaction with, the Privacy Act 1988 should be made clearer, thus avoiding the type of confusion and duplication that exists in relation to the relationship between the Privacy Act and the Telecommunications Act 1997. While there is some discussion of the Privacy Act in the Appendix, the implications are not drawn out. The key points here are that any reliance on the Privacy Act 1988 as part of the solution can only be partial due to the extensive exemptions to the application of that Act, such as the small business exemption, but also that in relation to those organisations subject to the Privacy Act, any do-not-call register obligations should be at least as effective as the statutory obligations under that Act.
6. Certain of the definitions found in the Discussion Paper may need further consideration:
Automated calls – There is a need to distinguish between automation of the dialling process, on the one hand, and random or sequential dialling of numbers without knowing anything about who might answer, on the other hand. The former involves no particular problems where the numbers have been purposely selected. The latter approach, however, is rarely, if ever, justified. We understand that random or sequential dialling is prohibited in some other jurisdictions, and would support this in Australia, although it is a separate issue which need not be part of a Do-not-call register.
Furthermore, there is a need to distinguish automated first response from automated dialling that seamlessly transfers to a human operator when the call is answered. Automated messages which are not left for the recipient to hear later but which are used instead to elicit a first response (by voice or dialling a number) which results in switching to further recorded options and/or human response should arguably be treated the same as normal voice calls rather than as recorded message calls as defined in the Discussion Paper.
Affiliate – While it is clear that a broad definition seems appropriate, it is nevertheless necessary to clarify its relationship to the concept of ‘related body corporate’ as found in the Privacy Act 1988 (see also subsidiary definition).
Direct marketing – It is vital that the definition of ‘direct marketing’ is kept appropriately broad. Every form of limitation of this key term is an invitation for direct marketers to take steps to circumvent the regulation.
Calls – It may be necessary to include a definition of the term ‘calls’ to ensure certainty as to whether it includes SMS/MMS, recorded message calls, VoIP etc.
Dual purpose calls – It is advisable that the phrase “while they purport not to be for telemarketing” be removed from the definition, and replaced by the phrase “whether or not they purport to be for telemarketing”.
Market researcher/Social researcher – These definitions should be linked to compliance with the AMSRO MSR Privacy Principles (see below).
7. While the Spam Act 2003 is an ‘opt-in’ instrument in theory, it is arguable that it really is an ‘opt-out’ instrument in practice, because of the wide range of exemptions. The justification, in the Discussion Paper, for why a similar default position is not appropriate for telemarketing calls is inadequate.
8. The Discussion Paper mentions the balancing of two important sets of rights: “an individual’s right to privacy, and the rights of legitimate businesses and organisations to access the community for commercial and non commercial reasons”. However, while the first of these rights is established both through international and domestic instruments, there is no specific right to use personal information to directly approach individuals. In addition, there are plenty of other ways of advertising. Thus, it can certainly not be suggested that we here are balancing two equal rights.
A Regulatory Approach
9. The two examples of a non-regulatory approach given in the Discussion Paper could in our view form part of a regulatory response. We suggest that a more meaningful distinction would involve universality and enforceability.
10. As already highlighted above, it is essential that the proposed register is not of an ‘all or nothing’ type. Avoiding such an approach is in the best interest of both the consumers and telemarketers as, otherwise, consumers may be forced to decline some welcome calls (e.g. research) to avoid unwelcome ones.
11. The discussion of where telemarketers obtain numbers in the first place, including the relationship of any do-not-call register to the IPND (the Appendix mentions the current ACMA consultation on a draft IPND Standard but this is not explored), is inadequate.
Type of Scheme
12. As we have suggested above, the Spam Act 2003 is essentially an ‘opt-out’ instrument in practice, because so much of the Spam that is received from Australian businesses will be covered by one of the exemptions, and therefore confer only an opt-out right. The Spam to which the opt-in regime applies is largely of overseas origin and beyond the effective reach of the Act. Further, it appears likely that e-mail will become a more and more popular medium for businesses with an existing relationship with consumers. Combining these two observations, it is clear that consumers will be faced with the burdensome task of contacting each business individually to ‘opt-out’ of receiving spam from those businesses. In light of this, it is clear that the Do Not Call Register could play a valuable role also in relation to spam, and there appear to be no problems with such overlapping regulation. The same is true in relation to marketing via fax.
13. Furthermore, current opt-out mechanisms for addressed direct (postal) mail suffer all of the weaknesses that currently apply to calls. Consequently there are no good reasons not to also address these problems when designing a Do Not Call Register (note: the Distribution Standards Board mentioned as regulating direct mail is largely irrelevant, as this only covers unaddressed advertising: http://www.catalogue.asn.au/distribution/).
14. On a more general level, the criticism of opt-in is only valid if such an approach is applied harshly – if a similar regime to the Spam Act was adopted, this would leave most organisations with existing relationships with customers free to operate under an opt-out regime.
15. To summarise the above, this review provides a valuable opportunity to approach the identified problems in a broader manner, and to aim for a Do Not Approach Register that is technology neutral.
16. It is indisputable that telemarketing aimed at businesses and organisations, rather than at consumers, also can be a problem. This is perhaps particularly true for small businesses or organisations, but may also be so in relation to larger corporations and organisations. Consequently, where a corporation/organisation wishes to be included on the Do Not Call Register, in the full knowledge that such an approach may cause them to miss out on valuable business proposals, their wish ought to be respected.
17. We agree that there should be no time limitation to the duration of the registration – once registered, a number should remain registered unless/until unregistered by the person concerned (or when the line is given up and allocated to a new customer). Further, while the implementation delay period of 30 days may be reasonable, it is important that those registering are made aware of this delay period.
18. The treatment of silent numbers needs to be considered. It would be logical to assume that holders of silent lines would want to be included in a do-not-call register, and it would be unreasonable to expect them to register again. Marketing calls are currently made to silent lines both by automated random/sequential diallers and because there is an inevitable ‘leakage’ of silent line numbers into general use (such as by persons giving those numbers to merchants and others that they deal with, etc). However, the automatic inclusion of silent lines in the register (by transfer either from telcos or from the IPND to the register administrator) would create additional security concerns and difficulties. We suggest the treatment of silent lines needs further consideration.
19. While not an issue that should stand in the way of a Do Not Call Register, further work is necessary in relation to who can make the registrations. Issues would arise, for example, in the context of tenant/landlord situations. Where the subscriber for the phone line is a landlord, the tenant should still have the possibility to register on the Do Not Call list. Similar issues arise in relation to members of a household and shared accommodation and it should be made clearer as to whether registration, and the consequent effect, would apply to all calls to the specified number or only to calls to the registering person on that number. If this issue is not dealt with, one person’s registration could be voided by another person using the same number establishing a relationship with an organisation, calls from which could then be exempt (if the proposed existing relationship exemption applied).
Types of calls prohibited
20. While not completely free from problems, the concept of ‘Australian link’ from the Spam Act 2003 constitutes a suitable point of departure also for the regulation of a Do Not Call Register. It is particularly important that action can be taken, not only against the party making the actual call, but also against those who may have contracted for, or otherwise authorised, the call to be made.
21. The practice of sequential/random automated and predictive dialling, and recorded message marketing, is not a problem that needs to be dealt with in the context of a Do Not Call Register. Rather, such practices constitute a separate problem and should be prohibited in any case (see under Definitions).
22. It is important for the Do Not Call Register to cover dual purpose calls that have selling, at least, as one of their ultimate purposes.
23. We question why registration needs to be made in writing. Registration could suitably also be made via telephone and fax, subject to appropriate audit trails to provide accountability. Furthermore, on-line registration should be an option.
24. The rules regulating exemptions are of the greatest importance as they risk seriously undermining the value of the Do Not Call Register. The starting point must be that the rights to opt-out should be no less than those which are currently provided under NPP2.1(c) of the Privacy Act 1988. There are no reasons for, or legitimacy in, providing exemptions that go beyond what is catered for in that instrument.
25. In our view, provided that the Register is sophisticated enough to allow selective registration, there is no need for exemptions at all. In other words, as long as a registrant can choose to register to avoid calls from e.g. religious organisations, charities and political parties and candidates, and still allow for calls from e.g. existing business contacts, government bodies and market researchers, there is no reason to provide for exemptions to the Do Not Call Register. This reasoning is in line with the above observation as to the superiority of individuals’ well established right to privacy over the purported “rights of legitimate businesses and organisations to access the community for commercial and non commercial reasons”. Further, it is consistent with the view that individuals are quite capable of deciding for themselves whether they want to receive the discussed types of calls, and that none of the purported public interests put forward are strong enough to ‘trump’ an individual’s clearly expressed wish not to be disturbed.
26. In addition to the above, there are several other reasons why exemptions are not necessary. First, as is stressed in the Discussion Paper, there are other less intrusive means by which businesses and organisations can approach people. Second, people always have the right to say ‘no thanks’ once the call is made anyhow. Thus, the Register simply constitutes a means for people to say ‘no thanks’ before the harm is done. This observation is perhaps particularly relevant in relation to research calls (which is the call type that may be most heavily supported by a ‘public interest’ argument) – people have the right to decline taking part in the research, and the option of exercising that right through a specific choice on a Do Not Call Register cannot be said to be against the ‘public interest’.
27. If, contrary to our preference, an exemption is granted for social/market research, it should be linked to clear criteria/definitions, such as the Association of Market and Survey Research Organisations (AMSRO) Market and Social Research Privacy Principles (at http://www.amro.com.au/index.cfm?p=1635), which require that no personal information is disclosed to the client.
28. The ACMA, or a contractor, provided that it is just as accountable and acts in an equally transparent manner, should be the administrator of the Do Not Call Register. The responsibility should not be given to a body with a vested interest like an industry association (such as ADMA) or a commercial organisation with a conflict of interest (such as Telstra/Sensis).
29. Security will be very important – as unauthorised access to or use of names and numbers on the list would be particularly unfortunate, and potentially harmful if it also contained silent numbers by default (see above).
30. As complaints may relate to the administration of the Register, it is essential that the body responsible for the enforcement of the Do Not Call Register is different to, and independent from, the body in charge of the administration of the scheme.
31. It is also important that the body responsible for the enforcement of the Do Not Call Register is suitably equipped to deal with violations. It needs to have a full range of powers and sanctions, including: injunctions, compliance notices, determinations awarding compensation and ordering changes in practice. In addition, it needs to be able to undertake pro-active audits and must have inspection powers.
32. Companies tend to focus their compliance efforts on legislation / regulation where there are the greatest penalties, where negative publicity could damage the reputation of the company, and where legislation is enforced and administered with vigour. It is important therefore that there are substantial penalties for non-compliance and that the body responsible for enforcement is adequately resourced to investigate complaints within reasonable timeframes and impose penalties.
33. It is appropriate that, where a company can demonstrate that it has a compliance program in place, which includes training, monitoring and supervision of employees, etc, this be taken into account when assessing the appropriate consequences of any inadvertent breach of the law.
34. A party said to have violated the provisions of the Do Not Call Register ought to have access to a ‘defence’ of having taken reasonable steps. However, such a defence should not be provided in the cases of repeated breaches.
35. Particularly considering that marketers are being given the benefit of default permission to market (opt-out) rather than opt-in, it is absolutely essential that the Do Not Call Register be free of charge for those registering. Further, it is appropriate that the industry should pay for the Register, but it is also important that the payment system is not designed in a manner that discourages businesses and organisations from doing the right thing in frequently cleaning their lists.
General telemarketing issues
36. The suggestion of a national standard is good and should apply even to those exempt (if any) from the register rules.
37. There should be a standard restriction on the hours during which calls may be made. The MCCA Model Code hours seem a reasonable compromise, but many individuals are likely to resent calls in the early evening. To deal with this, the Register could include the option of limiting the hours during which allowed calls may be made.
38. It is essential to include a requirement for the caller to identify not only the caller, but also the client, if the call is being made by an agent. Further, the caller should give genuine contact details (for both themselves and any client) on request (The NPPs arguably require this anyway but it would be useful to expressly make this clear). In this context it is also worth remembering that one reason people are reluctant to provide their credit card details over the phone to a telemarketer is that the consumer cannot be sure whether the caller is actually calling from the company that they claim to be. This point is not explored in the discussion paper. A requirement for the telemarketer to provide certain details may help alleviate these concerns, or alternatively alert the consumer that the caller may not be from the company that they claim.
39. Callers should also be required to disclose, on request, where the name/number has been obtained. This would ensure that those called can complain both about compliance by the source of the data with the NPPs, and opt-out of further disclosure by the source (in accordance with NPP 2.1(c)) even where they have chosen not to register with the national scheme.
40. Finally, it is also essential to require immediate termination of the call on request. However, at the same time, there is a need for a safeguard to avoid callers using an initial reaction along the lines of ‘I don’t want calls like this’ to avoid legitimate follow-up questions about where information has been obtained, and how to opt-out etc.