Australian Privacy Law for Direct Mail Campaigns
Direct mail to existing customers is generally well within Australian law — but there are specific obligations around data handling, opt-out mechanisms, and what you can send to whom. This guide covers the key requirements for Shopify brands using direct mail in Australia.
The Privacy Act 1988 and direct mail
The Australian Privacy Act 1988, administered by the Office of the Australian Information Commissioner (OAIC), governs how organisations collect, use, store, and disclose personal information. For direct mail, the key obligations are:
- Collection limitation — Only collect personal information (including postal addresses) that you need for a stated purpose. Shopify addresses collected for order delivery can generally be used for marketing to existing customers, provided your Privacy Policy discloses this use.
- Use and disclosure limitation — Don't share customer addresses with third parties without consent, or use them for purposes beyond what's disclosed in your Privacy Policy.
- Access and correction — Customers have the right to request access to their personal information and to correct inaccuracies.
- Opt-out mechanism — Marketing communications should provide a way for the recipient to opt out of future direct mail.
The Spam Act 2003: does it apply to direct mail?
The Spam Act 2003 regulates electronic commercial messages — specifically email, SMS, and instant messages. Physical postal mail is not covered by the Spam Act. Direct mail postcards sent to customer addresses are governed by the Privacy Act and general consumer law, not the Spam Act.
This means the Spam Act's consent requirements (opt-in, unsubscribe mechanism within 5 days) don't apply to your postcard campaigns. However, best practice is to include an opt-out mechanism and honour opt-out requests regardless.
Do Not Mail registers in Australia
Australia does not have a statutory Do Not Mail register equivalent to the Do Not Call Register (which covers telemarketing). There is no government-operated list of consumers who have opted out of direct mail that you're legally required to screen against.
The Australian Direct Marketing Association (ADMA) operates a voluntary Do Not Mail file as part of its Data & Marketing Code of Practice. ADMA members are expected to screen their lists against this file before sending direct mail. If your business is an ADMA member, you should check your obligations under the Code.
Mailing to existing customers vs prospects
For Shopify brands using TouchDrop, the vast majority of postcard sends are to existing customers — people who have previously purchased and provided their address for order delivery. This is the most straightforward scenario from a privacy standpoint:
- The customer has an existing relationship with your brand
- Their address was collected for a legitimate purpose (order delivery)
- Marketing to existing customers is within the reasonable expectations of the relationship
- Your Privacy Policy should disclose that you may use contact information for marketing communications
Mailing to purchased lists or prospects who haven't interacted with your brand carries higher privacy risk and requires more careful legal review.
Best practices for compliant direct mail
- Include your business name and a contact address on every postcard
- Include an opt-out mechanism (e.g. "To stop receiving mail from us, email [address] or go to [URL]")
- Honour opt-out requests promptly — add opted-out customers to your TouchDrop suppression list
- Keep your Privacy Policy up to date to disclose direct mail marketing use of customer data
- Don't mail to customers who have explicitly asked not to be contacted
- Retain records of your audience selection and suppression logic in case of a complaint