Spreading the word about what your business offers to potential customers is incredibly important—especially when many businesses opt to market their business directly to their customers.

But businesses must be mindful of customers’ privacy and ensure that their digital marketing efforts are not considered spam.

So, we’ve provided you with a handy guide to ensure your business is directly marketing to your customers and clients within legal boundaries, and keeping their personal information protected!

Key Legal Requirements Of Direct Marketing

Different types of direct marketing have different legal requirements. The following requirements ensure you’re protecting your customers’ and clients’ privacy.

Complying With The Privacy Act 2020

First off, make sure that your business is complying with the Privacy Act 2020. All New Zealand businesses that handle personal information must follow the Privacy Act.

If your business must follow – or has opted to follow – the Privacy Act, we’ll now take a look at your obligations in keeping your customers’ personal information safe.

The Difference Between ‘Personal Information’ and ‘Sensitive Information’

Confused about what ‘personal information’ means? First off, you should get to know the differences between personal information and sensitive information.

‘Personal information’ is any information that identifies the person it relates to. Examples include names, credit card details and addresses. Opinions made by that person can also fall under personal information, if those opinions contain identifiable information.

On the other hand, ‘sensitive information’ can include racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health records and biometric information.

Now that you have an idea of the difference, you should make sure your business only collects ‘sensitive information’ with the customers’ consent and if the information is reasonably necessary for the purpose of directly marketing to your customers.

Having A Privacy Policy

It’s a good idea to make sure your business has a privacy policy in place.

This is important as a privacy policy tells your customers what privacy rights they have.

To address customers’ concerns about what their personal information is being used for, privacy policies should outline:

  • How your business is handling, securing and protecting your customers’ information
  • What your business is doing with information you no longer need
  • How your customers can contact you or make a complaint

A privacy policy can be a bit lengthy for your customers, so make sure your business’ privacy policy is easily readable and accessible. Our lawyers can help you with this if you need one drafted.

Handling Personal Information For Marketing Purposes

Your business may be able to use personal information to directly market to individuals, but only if your business is complying with the Information Privacy Principles (‘IPPs’) which are part of the Privacy Act 2020.

One exception to the restrictions is when the personal information has been collected directly from the individual by the business, and the individual expects their personal information to be used for direct marketing via email, SMS or MMS.

If your business is a contracted service provider, you could also be exempt from the restrictions.

Also, if your business has personal information that has been collected to meet its obligations under a contract and it is necessary for you to use and disclose the information to meet these contractual obligations, then your business can use the personal information for direct marketing.

If any of these exceptions apply, your business must give your customers an easy way out of receiving any direct marketing.

Ensuring Customers Can Opt Out Of Marketing Messages

As a business, you should make it easy for your customers and individuals to opt out of receiving marketing messages.

This can be done by providing a link to unsubscribe from promotional emails, or by adding a prompt to message back ‘STOP’ in SMS/MMS marketing.

If your business has collected personal information from someone other than the individual themselves, or if the individual does not expect that their information will be used for direct marketing, you must give them information on how to opt out of each direct marketing communication.

If a customer asks you to stop, your business must stop sending marketing messages. You must do this within a reasonable period of time; within 30 days of the request is best, if not immediately.

Usually, customers won’t want their personal information to be used for direct marketing purposes by other businesses, so make sure this request is carried out free of charge!

If the person wants to know how you got their details, you may have to tell the recipient of the messages where you got their personal information. But you’re under no obligation to do this if it’s unreasonable or impractical to do so.

If you have no qualms in letting the customer know where your business got their personal information, this again must be done within a reasonable period of time.

Complying With The Unsolicited Electronic Messages Act 2007

If your business is going to directly market to your customers via email, SMS or MMS, you must make sure you’re also following your obligations under the Unsolicited Electronic Messages Act 2007. We’ll go through these obligations below.

Having The Customer’s Consent

First off, the Unsolicited Electronic Messages Act 2007 requires that electronic direct mail (or EDMs) be sent to customers with their express consent, or when consent can be inferred from their conduct or the relationship the customer has with your business.

Express consent in EDMs includes:

  • People ticking the box next to a statement which gives permission for the business to send emails directly
  • People directly entering their email address into a form which confirms they want to receive regular email updates from the business

Express consent for SMS and MMS marketing can be given when customers enter their mobile number on a website to opt-in to the business’ updates.

On the other hand, examples of inferred consent include the person subscribing to magazines or newspapers, as it indicates that there is an existing relationship between you and the customer.

Identifying Your Business To Customers

The Unsolicited Electronic Messages Act 2007 requires that each email gives the person who consented to receiving EDMs accurate information about your business.

In addition to including your business’s website and contact details in the email, your business’ name should be clearly visible in the ‘from’ field or subject line, and in the body of the message text of your emails.

For SMS and MMS marketing, your business’s identity must be clear and accurate to the customer when they look at the sender information when receiving marketing messages.

Not abiding by this requirement can be costly to your business. This was seen when a company promoting its services was fined for not making the connection between its sender ID and its business clear enough.

Not complying with these requirements may lead to your business’s messages being reported to the Department of Internal Affairs.

Unsubscribe Facilities For Customers To Opt Out

Under the Unsolicited Electronic Messages Act 2007, you must give clear instructions to your customers on how to opt out of receiving EDMs, SMS or MMS marketing messages using unsubscribe facilities.

Examples of unsubscribe facilities include:

  • A sentence at the bottom of EDMs saying ‘to unsubscribe, click here’
  • Notifications in SMS or MMS marketing messages prompting customers to reply ‘STOP’ to opt out

If a person has decided to unsubscribe from your business’s marketing messages, you have five working days to act on these requests.

Make sure you include unsubscribe facilities in your marketing messages as, again, if you don’t, you can be reported to the Department of Internal Affairs.

What Happens If My Business Breaches These Laws?

The Department of Internal Affairs has the ability to crack down on certain businesses for sending marketing messages to their customers that are not in compliance with the Unsolicited Electronic Messages Act 2007. The Department has the power to enforce direct marketing laws if the marketing messages have been classified as spam and include New Zealand links, particularly EDMs.

The Department can issue formal warnings, infringement notices and fines. A hefty fine can be issued when it’s been found that the business has sent two or more marketing messages within a day without people’s consent.

Plus, the Department can also accept undertakings from the business sending the messages, take matters to court and seek remedies from the court.

Examples Of What Could Happen If You Don’t Comply With The Unsolicited Electronic Messages Act 2007

Recent examples of non-compliance show how costly it can be for businesses to not comply with the Unsolicited Electronic Messages Act 2007. Let’s go through a few particularly prominent cases.

Example Case

In a notable case, a New Zealand-based company was fined for contacting individuals without seeking express or implied consent from them. The messages sent to these people also did not have unsubscribe facilities. As a result of these breaches, the Department of Internal Affairs issued a significant fine.

The company had to make statements in an enforceable undertaking to promise to comply with the Unsolicited Electronic Messages Act 2007. They also had to review their internal advertising procedures.

The company tried to argue there was inferred consent simply because the personal information was available through a public database. However, it was found that there was no inferred consent as the company’s marketing messages did not relate to the work-related business of the recipients. The company had to remove the personal information from their database.

Key Takeaways…

If your business is subject to the Privacy Act 2020, you must have a privacy policy in place that outlines to customers and clientele how and why their personal information is being collected, stored and used by the business.

Personal information can be used for direct marketing purposes if the customers and clients have provided their personal information under the exceptions in the IPPs. Sensitive information can also be used for direct marketing purposes if your customers and clientele have consented to its use.

After collecting this information, you must make sure your business falls under one of the exceptions in the IPPs for you to use the information for direct marketing purposes. You should allow anyone receiving direct marketing messages to easily opt out of them, and act on their request within a reasonable time and free of charge.

Lastly, if there is a breach of the Unsolicited Electronic Messages Act 2007 in relation to the consent, identity and unsubscribe facilities requirements, you could face significant penalties.

If you want more advice on how to directly market to your customers and clients legally, give us a call on 0800 002 184 or email us at [email protected]. Our experienced team is available at any time for a free, no-obligations consultation.

About Sprintlaw

We're an online legal provider operating in New Zealand, Australia and the UK. Our team services New Zealand companies and works remotely from all around the world.
