If you handle any personal information, the New Zealand Privacy Act applies to you. Therefore, you need to comply with its standards for handling personal data, including its collection and usage. Privacy laws apply when you engage in direct marketing because you use the personal data of your customers to contact them or target them with ads. Indeed, this personal information you use could include:

  • email addresses;
  • cookies; or
  • intellectual property information.

If your customers feel you have used their personal data in a way that goes against your privacy obligations, they can complain to the Privacy Commission. You may then face both legal and financial penalties if the issue is serious enough. Therefore, this article will outline five privacy mistakes to avoid when sending direct marketing to your customers.

1. Failing to Adequately Inform Your Customers

Whenever you collect personal data from your customers, such as their contact details, they need to know that you are doing so. You need to take reasonable steps to tell them:

  • why you are collecting their personal information;
  • whether any particular laws apply;
  • who has access to their information;
  • whether they can opt out of giving you their information;
  • the consequences of not giving you their information;
  • about their ability to access and correct their personal information; and
  • how they can contact you or anyone else that holds their personal information.

You must collect information in a way that is legal and unintrusive. For example, say that you collect cookies that attach unique identifiers to your customers when they visit and use your site, determining what marketing you send them. You may need a cookie consent pop-up, and you should detail how you use this information in your privacy policy.

2. Using Collected Information For a Different Purpose

Once you have collected personal information, you generally cannot use that information for any reason other than what you told your customers at collection. If your customers would be surprised by how you use their personal information, then you should not be using it in that way. You can only change your purpose when:

  • you have your customers’ consent;
  • the new purpose is directly related to the old one; or
  • it is necessary for meeting other legal requirements.

For example, say that you collect a customer's email address to send them shipping notifications about product delivery. Unless you have their permission, sending direct marketing to that email address would breach your privacy obligations.

3. Insufficient Security Measures for Your Databases

The information you use for direct marketing will usually be classified as personal information, which means you need to have reasonable security measures for the databases storing that information. This applies to both your physical and digital databases.

For example, say that you keep files of customer mobile numbers you use for direct text marketing in a filing cabinet. You need to ensure that the filing cabinet is locked and that you limit who has access to those numbers.

When you store information digitally, you face more significant risks of a privacy breach. Therefore, you need to have adequate security software and control measures, such as:

  • strong passwords;
  • up-to-date anti-virus software;
  • two-factor or multi-factor authentication;
  • firewalls; and
  • encryption.

If you do not adequately protect the personal information you hold and a privacy breach occurs, customers will have their contact information fall into the wrong hands. This goes against your privacy obligations, and you could face legal penalties.

4. Failing to De-Identify Information Where Appropriate

Depending on the kind of direct marketing you engage in, you may have the ability to de-identify the personal data you hold. Whenever this is possible, you should do so. De-identifying information means that you remove any identifying aspects of that information, removing ties to a person. You can do this for:

  • general location information; and
  • information about customer preferences.

Rather than tying this information to individuals, rely on anonymous customer profiles to determine the advertising they see on your website. You can still keep information about their preferences or behaviour on your site, but do not keep information that you can use to identify them as an individual. This reduces risk if there is a privacy breach, as you are dealing with less personal data.

5. Sending Emails that Classify as Spam

It is illegal to send spam to your customers in New Zealand. When you send commercial emails to your customers, such as those promoting new products, you need to follow a specific legal standard. Otherwise, these emails will be classified as spam, and you could face legal repercussions. These requirements are that you:

  • have customer consent to send them these emails;
  • identify your business and provide contact details; and
  • provide the ability to unsubscribe in every email or other direct marketing communication.

Sending customers emails they do not want to their personal email addresses may also have privacy implications, as email addresses can be personal information. Therefore, it is doubly important that customers know when you collect their email addresses, and that you have their consent to send them direct marketing of this nature.

Key Takeaways

Your business may use direct marketing tactics like email marketing or targeted ads to engage customers you think will be likely buyers of your products. This can be useful for drawing customers, but there are privacy risks attached to this kind of marketing. It is important to tell customers when you collect their personal data and get their consent when you need it. If you would like more information or help with privacy and direct marketing, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is direct marketing?

Direct marketing refers to a marketing tactic where you present promotional information about your business to specific groups or individuals. This is because you have identified them as potential customers.

How do you de-identify information?

You can de-identify information by removing any personal data that points to a specific data subject. This could include removing their name from documents or blurring out their face in images.

What is spam?

Spam refers to unsolicited commercial electronic messages. These are commercial messages, such as those with direct marketing purposes, that your customers have not asked to receive, and they are illegal.
