January 10, 2014

ACCC v TPG: is the dominant message of your ad misleading?

In Australian Competition and Consumer Commission v TPG Internet Pty Ltd [2013] HCA 54 the High Court of Australia upheld a $2 million penalty imposed on TPG for misleading advertisements relating to its multi-media advertising campaign on television, radio, internet and print for its ADSL2+ service in 2010-2011.

The TPG advertisements prominently displayed the offer to supply broadband internet ADSL2+ service for $29.99 per month. Much less prominently, the advertisements qualified this offer, stating that it was made on the basis that the ADSL2+ service was available only when bundled with a home landline telephone service for an additional $30.00 per month (with a minimum commitment of six months). In addition, TPG required the consumer to pay a setup fee of $129.95 plus a deposit of $20.00 for telephone charges.

According to the High Court the "dominant message" of the advertisements is of crucial importance.

It agreed with the trial judge who decided that "each advertisement had the same dominant message, namely: "Unlimited ADSL2+ for $29.99 per month". His Honour found that the "ordinary or reasonable consumer taking in only the dominant message would have the impression that the entire cost of the service is $29.99 per month, with no other charges and no obligation to acquire another service"; and the balance of the advertisement which contained that information was not given sufficient prominence to counter the effect of the headline claim".

The High Court majority said:

"in this case, the advertisements were presented to accentuate the attractive aspect of TPG's invitation relative to the conditions which were less attractive to potential customers. That consumers might absorb only the general thrust or dominant message was not a consequence of selective attention or an unexpected want of sceptical vigilance on their part; rather, it was an unremarkable consequence of TPG's advertising strategy. In these circumstances, the primary judge was correct to attribute significance to the "dominant message" presented by TPG's advertisements. ...

It may be accepted that if the hypothetical reasonable consumer is taken to know that ADSL2+ services may be sold as part of a bundle with telephony services, then, if he or she brings that knowledge to bear in a conscious scrutiny of the terms of TPG's offer, he or she might be less likely to form the impression that the offer was of an ADSL2+ service available without a requirement to take and pay for an additional service from TPG. But the circumstance that many consumers might know that ADSL2+ services are commonly offered as a "bundle" was not apt to defuse the tendency of the advertisements to mislead, especially where the target audience is left only with the general thrust or dominant message after the evanescence of the advertisement."

In respect of the penalty the High Court majority said:

"General and specific deterrence must play a primary role in assessing the appropriate penalty in cases of calculated contravention of legislation where commercial profit is the driver of the contravening conduct. TPG's campaign was conducted over approximately 13 months at a cost to TPG of $8.9 million. It generated revenue of approximately $59 million, and an estimated profit of $8 million. TPG's customer base grew from 9,000 to 107,000 during this period, although it cannot be said that this was at the expense of TPG's competitors....

The pecuniary penalty fixed by the primary judge did not exceed that which might reasonably be thought appropriate to serve as a real deterrent both to TPG and to its competitors."

Although the High Court reached its decision by a 4-1 majority, 3 judges of the Full Court of the Federal Court had reached the opposite result in allowing an appeal from the trial judge who imposed the original $2 million penalty.

It is likely that the ACCC will use the principles when examining ads for insurance, banking and energy products.


Posted 10th January 2014 by David Jacobson in Marketing, Web/Tech

Management of online review platforms

The Australian Competition and Consumer Commission (ACCC) has released guidelines concerning the use and management of online review platforms.

Review platforms are sites which specialise in presenting product reviews about a range of businesses. Consumers expect reviews to be independent and genuine to help them make more informed purchasing decisions.

The publication discusses the impact of user-generated comments and business reviews on consumer behaviour. The ACCC was of the view that both positive and negative reviews are susceptible to misuse and have the potential to distort public perception.

The ACCC is concerned that there is an increase in paid-for and fake reviews.

Businesses and review platforms that do not remove reviews that they know to be fake risk breaching the Competition and Consumer Act 2010.

Reviews may mislead consumers if they are presented as impartial, but were written by the reviewed business, a competitor, someone paid to write the review who has not used the product or someone who has used the product but written an inflated review to receive a financial or non-financial benefit.


Posted 10th January 2014 by David Jacobson in Consumer Law, Marketing, Web/Tech

December 4, 2013

Disclosure on superannuation websites

ASIC has issued Consultation Paper 291 Keeping superannuation websites up to date which sets out options for public disclosure on websites of registrable superannuation entities (RSEs).

s29QB1 of the Superannuation Industry (Supervision) Act 1993 (SIS Act) requires an RSE licensee to disclose on the RSE’s website:
(a) remuneration details of the RSE licensee’s executive officers or individual trustees; and
(b) other information and documents relating to the RSE and RSE licensee (e.g. the trust deed and proxy voting policies).

Section 29QB requires this information to be publicly available on the RSE’s website and kept up to date at all times (updating obligation); however, the legislation does not clarify what this means in practice. For example, should websites be updated on the day that the required information changes, or should they be updated within a specified number of days of such a change?

ASIC's preferred option is to modify the law to give RSE licensees a ‘safe harbour’, so that if they update the RSE’s website within a certain time (generally, 14 days), they would be taken to comply with their updating obligation.


Posted 4th December 2013 by David Jacobson in Superannuation, Web/Tech

November 29, 2013

Privacy: telling your customers about your arrangements with overseas contractors

Australian Privacy Principle 8 deals with the cross-border disclosure of personal information.

For example, if an Australian business outsources business processes to an overseas contractor (such as a cloud service provider) and this involves disclosure of its customers' data, the Australian business must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

Depending on the purpose for which the information is used other APPs may also apply.

The draft APP 8 guidelines discuss the effect of foreign laws:

"where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law, this will not breach the APPs. The APP entity will also not be responsible for the act or practice under the accountability provision...For example, the Patriot Act (USA) may require the overseas recipient to disclose personal information to the Government of the United States of America. In these circumstances, the APP entity would not be responsible under the accountability provision for the disclosure required by that Act.... An APP entity should consider notifying an individual, if applicable, that the overseas recipient may be required to disclose their personal information under a foreign law. The entity could also explain that the disclosure will not breach the APPs. This information could be included in the APP entity’s APP 5 notice."

With respect to the US Patriot Act, Microsoft’s standard explanation is as follows:

“We will not disclose Customer Data to law enforcement unless required by law. Should enforcement contact us with a demand for Customer Data, we will attempt to redirect the law enforcement agency to request it directly from you. As part of this effort we may provide your basic contact information to the agency. If compelled to disclose Customer Data to law enforcement, we will use commercially reasonable efforts to notify you in advance of a disclosure unless legally prohibited.”

If your customers' information is made available to overseas companies, for example to process purchases or provide technical and billing support, you need to understand where that information will be held, who else will be able to access the information and for what purposes, and what type of security measures will be used for the storage and management of the personal information so that you can tell your customers.


Posted 29th November 2013 by David Jacobson in Privacy, Web/Tech

October 21, 2013

Failure to protect customer data: AAPT breaches Privacy Act

The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act by failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use (see Investigation Report here).

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT was hacked and published online.

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers and provide a quoting and billing system for AAPT sales staff. The personal information included information collected for the purpose of obtaining credit reports of AAPT business customers and information used for the purpose of transferring telephone numbers from other telecommunications carriers.

AAPT took the server offline immediately and worked closely with Melbourne IT to investigate and rectify the incident. A configuration change to the server by Melbourne IT closed the vulnerability exploited by the hacker.

The Commissioner made a number of recommendations to AAPT including implementing regular training for staff in relation to data retention and destruction, ensuring all IT applications are subject to vulnerability assessment and testing, as well as ensuring effective lifecycle management, and conducting regular audits of AAPT’s IT security framework. AAPT has implemented these recommendations.

Separately, the Australian Communications and Media Authority found that AAPT contravened clause 6.8.1 of the Telecommunications Consumer Protections Code by failing to protect the privacy of small business customers whose personal information was stored in a server which was the subject of unauthorised access.

Because of the terms of its contract with AAPT, no findings were made against Melbourne IT.


Posted 21st October 2013 by David Jacobson in Privacy, Web/Tech

October 2, 2013

Privacy and data bases: back to basics

We were at a meeting recently when some surprise was expressed that there were privacy issues associated with the purchase of another business's data base of customers.

Every business has a data base whether it is individual computer files, a software program or even filing cabinets full of folders.

And every data base which contains personal information about customers is potentially regulated by the Privacy Act, regardless of whether you got the information from the customer or another source.

The Privacy Act sets out how information you collect from customers can be used, stored and provided to others.

There are special rules if the information is "sensitive" (eg health information).

The Privacy Principles (which will change from 12 March 2014) set out how you can use your data base for direct marketing (whether by you or someone else).

And if any of your customers' information is stored or processed overseas ("big data" in "the cloud") then you are accountable for ensuring that the data is handled overseas in accordance with the provisions of the Privacy Act. Normally this would involve you entering into a contractual relationship with an overseas recipient.

If you use a third party service and you don't know where they store or process your information you must find out and tell your customers in a privacy notice.

Your customers are entitled to know what information you have about them.

If your business processes have changed in the last 5-10 years then it is time to think about the privacy implications.


Posted 2nd October 2013 by David Jacobson in Business Planning, Privacy, Web/Tech

Mobile privacy

The Office of the Australian Information Commissioner (OAIC) has released Mobile privacy: A better practice guide for mobile app developers.

The OAIC has developed this guide to help mobile device application (app) developers embed better privacy practices in their products and services, and help developers that are operating in the Australian market to comply with Australian privacy law and best practice.

Many of the practices outlined in the guide may also assist advertising networks, advertisers, mobile platform providers, app developer trade associations and developers of other (non-mobile) applications.

The OAIC's recommendations include:

  • you should adopt a ‘privacy by design’ (PBD) approach. PBD aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles
  • app developers should select the right strategy to convey privacy rules in a way that is meaningful on the small screen, including ‘short form notices’, with important points up front and links to more detailed explanations, and a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them
  • putting in place appropriate safeguards to protect the personal information you are handling.

Related article: OAIC's review of websites and mobile apps


Posted 2nd October 2013 by David Jacobson in Privacy, Web/Tech

September 18, 2013

Regulation of crowd sourced equity funding

The Corporations and Markets Advisory Committee (CAMAC) has released a discussion paper Crowd sourced equity funding.

Crowd sourced equity funding (CSEF) refers to schemes through which a business seeks to raise funding, particularly early-stage funding, through offering debt or equity interests in the business to investors online. Businesses seeking to raise capital through CSEF typically advertise online through a crowd funding platform website, which serves as an intermediary between investors and the business.

The CAMAC discussion paper notes that CSEF is already theoretically available in Australia, but subject to compliance by the issuer and the online intermediary with fundraising, licensing and other requirements under the Corporations Act. This paper examines the nature of those requirements and raises for consideration, taking into account approaches in other jurisdictions, whether the Australian provisions should be adjusted in some manner for CSEF.

ASIC issued its guidance on the issue here.

The CAMAC discussion paper contains options for reform in relation to crowd sourced equity funding (CSEF) in Australia including:

  • no regulatory change;
  • liberalising the small scale personal offers exemption in the fundraising provisions;
  • confining CSEF exemptions to sophisticated, experienced or professional investors;
  • making targeted amendments to the existing regulatory structure for CSEF open to all investors; and
  • creating a self contained statutory compliance structure for CSEF open to all investors.


Posted 18th September 2013 by David Jacobson in Corporations Act, Financial Services, Investments, Web/Tech

September 10, 2013

Facebook promotions rules change

Facebook has updated its Promotions Guidelines (previously discussed here).

The Promotions Guidelines set out how Facebook functionality may be used in competitions by businesses (whether involving skill or chance).

Under the new rules businesses can now:

  • Collect entries by having users post on the Page or comment/like a Page post
  • Collect entries by having users message the Page
  • Utilize likes as a voting mechanism


Posted 10th September 2013 by David Jacobson in Marketing, Web/Tech

August 16, 2013

Website and app privacy policies

The Office of the Australian Information Commissioner (OAIC) has released the results of a ‘privacy sweep’ of 47 websites and mobile apps most used by Australians.

Website privacy policies were assessed for accessibility, readability and content. The websites were also assessed against new transparency requirements in the Privacy Act that will come into effect on 12 March 2014.

Some key trends observed by the OAIC included:

  • 15% had a privacy policy that was hard to find on the website
  • 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
  • Almost 50% of policies raised 'readability' issues, ie they were considered to be too long and difficult to read. The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14.
  • More than 65% of privacy policies raised concerns with respect to the relevance of the information provided.

To comply with new Australian Privacy Principle 1 from 12 March 2014, organisations must have a clearly expressed and up to date privacy policy.

Langes can conduct a compliance review of your website.


Posted 16th August 2013 by David Jacobson in Marketing, Privacy, Web/Tech