
How to collect customer data without breaking the law

Customer data is valuable currency for online retailers. These large datasets provide insights about customers’ shopping habits and their behaviour online, which retailers can use to create a more personalised experience.

They can also use this data to provide customers with more targeted marketing campaigns. From analysing customer data, retailers can understand purchaser trends, consumer trends and predict which types of products a particular store should sell.

But if retailers collect personal information online, it’s important that they understand their obligations under the Privacy Act 1988 (Privacy Act) and the Spam Act 2003 (Spam Act).

The Privacy Act defines personal information as information that can be used to identify an individual, such as email addresses that are collected by inviting customers to subscribe to a newsletter, join a loyalty program or enter into a competition.

If a retailer’s online store has an annual turnover of $3 million or more, they will also have additional obligations under the Australian Privacy Principles (APPs). Retailers should confirm whether or not their business is exempt from the APPs.

Any retailer that conducts online marketing or sends other electronic messages (including email and text) regardless of size or turnover, however, must comply with the Spam Act.

Email marketing

Retailers implement email marketing to engage with their customers about special offers and to receive real-time feedback about their products or services. The Spam Act protects customers from receiving unwanted emails that advertise and promote the sale of goods.

To comply with the Spam Act, retailers must follow three rules:

  • Obtain the recipient’s consent;
  • Identify the business and how customers can get in contact; and
  • Include an unsubscribe function in communications.

A prominent unsubscribe function is important not only to comply with legal obligations, but also to maintain trust in the brand (no-one likes an inbox overflowing with irrelevant offers!).

Consent can be either:

  • Inferred (e.g. from conduct or the relationship between the sender and the consumer); or
  • Express (e.g. through a tick box, or customers completing an online form, or otherwise consenting to online terms which include consent to receive electronic marketing).

The Australian Communications and Media Authority recommends managing a subscriber list through a double opt-in process:

  • The customer signs up to an email marketing list; and
  • The retailer sends the customer a confirmation message, including a link they can click on to confirm they consent to receive emails.

Doing so will help retailers prove that a customer’s request to receive marketing material came from their email address.
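The double opt-in flow described above, as an added illustration rather than code from the article or from LegalVision: the signup is recorded as pending, the confirmation link carries an HMAC over the address and issue time so that only a link actually delivered to that mailbox (untampered and unexpired) confirms consent, each step is written to an audit record the retailer can later produce as evidence, and only confirmed addresses are ever returned as recipients. The `shop.example` URL, the signing key and the one-day expiry are assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Subscriber:
    email: str
    confirmed: bool = False
    audit: list = field(default_factory=list)  # (event, unix_time, detail): the consent record


class MailingList:
    TOKEN_TTL = 24 * 3600  # assumed: confirmation links expire after a day

    def __init__(self, key=None, now=time.time):
        self.key = key or secrets.token_bytes(32)  # per-deployment signing key (constructed)
        self.now = now  # injectable clock so expiry can be tested
        self.members = {}

    def _sig(self, email, issued):
        return hmac.new(self.key, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

    def signup(self, email, source):
        """Step 1: record the request as pending and build the link for the confirmation email."""
        email = email.strip().lower()
        sub = self.members.setdefault(email, Subscriber(email))
        issued = int(self.now())
        sub.audit.append(("signup_requested", issued, source))
        return f"https://shop.example/confirm?email={email}&t={issued}&sig={self._sig(email, issued)}"

    def confirm_from_link(self, url):
        """Step 2: only an untampered, unexpired link (i.e. one delivered to that mailbox) confirms."""
        q = parse_qs(urlparse(url).query)
        email, issued, sig = q.get("email", [""])[0], q.get("t", ["x"])[0], q.get("sig", [""])[0]
        sub = self.members.get(email)
        if sub is None or not issued.isdecimal() or not hmac.compare_digest(sig, self._sig(email, issued)):
            return False  # unknown address, malformed or tampered link
        if self.now() - int(issued) > self.TOKEN_TTL:
            return False  # stale link: the customer must sign up again
        sub.confirmed = True
        sub.audit.append(("consent_confirmed", int(self.now()), "link_clicked"))
        return True

    def unsubscribe(self, email):
        """Step 3: honour an unsubscribe at once and keep the record of it."""
        sub = self.members.get(email.strip().lower())
        if sub is not None:
            sub.confirmed = False
            sub.audit.append(("unsubscribed", int(self.now()), "link_clicked"))

    def recipients(self):
        return sorted(e for e, s in self.members.items() if s.confirmed)
```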

Cookies

A number of online retailers collect information through online cookies (for instance, the number of times an individual visited a webpage).

Cookies help retailers customise the customer’s experience, particularly at checkout. If a customer abandons their cart for whatever reason, cookies facilitate retrieving their selection next time that customer is on the page.

The information retailers collect through cookies is not considered personal information because, unlike a phone number, email address or home address, it does not identify the person. Information collected through cookies, therefore, does not attract the same obligations under the Privacy Act.

This means that, currently in Australia, retailers are not required to obtain customer consent merely to obtain information using cookies. Many online retailers state in their privacy policy that they use cookies to collect information, for transparency with the users of their site.

Quick Tips

Even if an online store is not subject to the APPs, it’s still best practice to have a privacy policy setting out how personal information is collected and for what purpose.

Doing so will assist with building relationships with customers based on transparency and accountability.

  • Ensure the privacy policy is easily accessible and uses plain English
  • Be ready to answer questions about how customer data is used
  • Ensure that all marketing material sent to customers is relevant

Personalisation through the collection and use of data can help provide exceptional customer experiences. Online retailers, however, should be mindful not to pursue it at the expense of their legal obligations.

Ursula Hogben is the general counsel at LegalVision. She is passionate about helping online businesses and SMEs launch and grow.
