Terms and Conditions

Customer information is protected in Australia by an array of Federal, State and Territory privacy legislation, including:

• the Federal Privacy Act 1988 (Cth);
• specific State and Territory health privacy legislation;
• the Spam Act 2003 (Cth); and
• the Do Not Call Register Act 2006 (Cth).

This guide is designed to help you navigate the legislation and suggests steps specific for a dealership to help comply with some aspects of the privacy legislation.

The design of this Foundation compliance framework has been built around generic Dealer processes and Toyota Motor Corporation Australia Ltd (Toyota) does not represent that this Guide will be appropriate or adequate for all dealerships. Dealers will need to consider the content of this Guide and all related material for themselves and should seek their own independent legal advice. Any necessary modifications should be made by Dealers to ensure that the steps taken are appropriate for their dealership. In particular, if your dealership uses or discloses customer information in ways that are not considered in this Guide, we recommend you seek further legal advice to assist you with building compliance in those practices.

If you wish to change or amend any of the privacy templates for use in your dealership we also recommend that you seek legal advice to ensure the changes comply with the legislation.

A Three Staged Approach to Privacy Compliance
Privacy legislation is a comprehensive body of legislation that impacts on all aspects of a Dealer’s business practices. To help the dealership undertake this change, this version of the guide explains the first steps towards achieving privacy compliance. In some sections this guide will also present options for the Dealer. The dealership can select the options that best fit their dealership practices and preferred degree of risk.

These are the steps for Foundation Dealers to complete to begin the process of privacy compliance. Completing all the steps in this guide will not achieve full privacy compliance. As Dealers move through the Toyota Sales Kaizen Levels, from Foundations to Advanced and Lighthouse, there will be further privacy processes to implement.

Importantly, Toyota is not representing that Dealers will achieve compliance with all applicable privacy legislation by implementing Stage 1, 2, or 3 Privacy Compliance. These guides are just that – basic guides to assist Dealers in better achieving privacy compliance. It is not possible to be definitive, as the circumstances of each Dealer will differ, and some of the legislation differs from State to State. However, in developing this Dealer privacy compliance framework, we have identified the privacy risks that we believe will affect most Dealers, and suggested steps to help you address those risks.

Why do I need to be Privacy Compliant?

Privacy compliance is a legal requirement for all businesses. Dealers need to capture use and store customer information, as well transfer that information through to Toyota as clean and accurate data. Privacy compliance is also a Toyota requirement, as the Dealer Agreement requires Dealers to:

• ensure personal information provided to Toyota is collected in accordance with the Privacy Act;
• provide individuals with collection details on behalf of Toyota;
• protect personal information provided to them by Toyota and use it for the purpose of its original intent only.
• promptly inform Toyota of any privacy complaints they receive.

Most importantly, implementing proper privacy compliance helps Dealers to conduct their marketing activities in a way that not only reduces their legal risk, but offers a number of commercial benefits, including:

• A more positive organisational image that will differentiate the Dealer from its competitors
• Enhanced data quality and integrity, fostering better customer service and more strategic business decision making
• Helps create a process culture in the dealership
• Savings in terms of time and money through targeting marketing to receptive customers

Foundations Privacy Compliance Steps

The following 10 steps will assist Dealers in taking the first basic steps towards privacy compliance.

Step 1. Collecting Customer Information

Collection of Enquiry/Prospect Information
At the point of collecting a person’s (whether prospect or customer) personal information, the Privacy Act requires the Dealer to make the prospect aware upfront how their information is being collected and how it will be used and/or disclosed. This allows the prospect to make an informed decision about whether they wish to give you their personal information.

How the Dealer conveys this information will depend upon the situation. Where information is initially provided by a prospect without solicitation (for example, some type of enquiry), a formal privacy collection statement is not required. This is based on the proviso that the prospect has initiated the provision of information and that the Dealer intends to use the prospect’s information for contact, related to the prospect’s enquiry. For example, the Dealer only provides a sales prospect with a marketing offer related to purchasing a vehicle., or a service prospect receiving a service offer.

Collection for Wider Marketing Purposes
When a Dealer collects prospect information they may want to use the information for wider marketing purposes. Wider Marketing purposes include where the Dealer uses the prospect’s information to market offers to them other than those related to the original enquiry. For example, where the Dealer provides the sales prospect with offers on service or other Dealer products.

If this is the case, the legislation requires the Dealer to:

1. Inform the customer of their intention to use this information for the wider purposes, specifying in a general sense what these purposes are.
2. Obtain the customer’s consent to do so. At a minimum, this requires allowing the customer to say no or “opt-out” of ongoing contact

Toyota Australia has developed a set of templates that a Dealer can use to include on the relevant document(s). Please note that each of these templates is an example only and should be used as the basis for a Dealer to develop their own version. If the Dealer uses other forms which are not included above, then they need to seek their own legal advice to develop an appropriate collection statement.

Please note all written privacy collections statement should be located in an area on the form that is clearly visible, or if it is positioned on the back of the form, the form should clearly refer to its location. It is important to note that collection statements need to be tailored for each situation to reflect the specific purposes for which the information will be used and disclosed. Please bear this in mind when following the guidelines above.

Collection of Sales/Service Customer Information
Once a prospect becomes a customer, through the purchase and/or service of their vehicle, Toyota Australia has assumed the Dealer will wish to have ongoing contact with the customer to provide information regarding the Dealer’s products and services. To inform the customer of this purpose, the Dealer must include a Privacy Collection Statement on the Contract of Sale and Repair Order

Please note the collection statements for the Contract and Repair Order also include additional information to meet other requirements of the Privacy Legislation. This guide will not detail those requirements, however if the Dealer wants further information they can access the Privacy Act at http://www.privacy.gov.au/act/.

Step 2. Recording Opt-outs

The customer always has the right to say ‘no’ to contact from the Dealer. If a customer makes this request, a dealership must not initiate phone calls, marketing material, invitations, service reminders etc. The only exception is contact for the purposes of warranty recall information.

Once the Dealer has identified where they need to use a privacy collection statement, there are two options provided for many of the templates in the Appendix. Toyota Australia recommends using Type A collection statements, which includes an opt-out box on the form, allowing the customer to opt-out on the form itself, by ticking the appropriate box. Type B templates allow a Dealer to select its preferred opt-out method(s), which may carry a higher risk of non-compliance with the legislative requirements, depending on the method(s) indicated on the statement.

The Dealer can nominate their preferred method(s) by at least one of the following methods (preferably more than one):

• Phoning the dealership
• Emailing the dealership
• Letter to the dealership
• An Opt-out function on Dealer website

To ensure that all opt-out requests by customers are recorded on the Dealer’s system, some Dealers have developed an automated electronic link via their website as part of their privacy compliance activity. The customer is directed via the Privacy Collection Statement (Type B Template), to the opt-out webpage on the Dealer’s site. The customer can record their opt-out preferences online. This request automatically updates the Dealer’s DMS, removing the possibility of human process error.

If a Dealer does not have an automated opt-out system, they need to ensure they manually enter every opt-out request in their DMS. The dealership needs to develop thorough opt-out processes to ensure the customer’s wishes are complied with. Any marketing related contact with the customer after that point will breach the legislation, giving the customer the right to complain to the Privacy Commission.

Having multiple opt-outs

One opt-out flag on the DMS is all that is required to comply with the legislation. However, having more than one opt-out flag gives the customer some flexibility when it comes to selecting the type of contact they wish to receive.

For example, a customer that purchased a vehicle from the dealership, but lives a considerable distance away, may not be interested in receiving service information and reminders. By having more than one opt-out flag, instead of electing to cease all contact, the customer can decide to receive sales information but not service information from the dealership.

An example of how the dealership could present these options to the customer via an opt-out box on a Dealer document is:

• Please do not contact me with information about your products and services (including special offers)
• Please do not contact me with service information and reminders

Adopting this structure enables the dealership to conduct more tailored marketing activities, saving money by avoiding marketing that is not likely to be effective with the customer.

If the dealer wants to add multiple opt-outs, it is important that the DMS is structured to reflect this. In this example, the DMS must be able to create separate customer lists for Service and Sales marketing activities.

Step 3. Ongoing Contact

Once a customer’s consent for contact has been obtained, the customer is still able to opt-out at any time in the future. The dealership must make it easy and economical for the customer to opt-out at any time. The Dealer needs to inform the customer of their right to opt-out and the method by which they can opt-out at each point of contact. Again, how the Dealer conveys this information depends upon the situation. Most situations are addressed in the following Privacy Steps.

Step 4. Privacy Policy

All Dealers should have a privacy policy that tells customers how the dealership manages their personal information, and to make that policy available to anyone who asks for it. The policy should be made available (if requested) in hard copy, and should also be published on the Dealer’s website.

Step 5. Individual Webpage Privacy References

Each web page of the Dealer’s website that collects personal information should include a reference and link to the Website Privacy Collection Statement that has been incorporated in the Website Terms of Use. The reference must be located where the information is collected. An example of a reference would be:

“Click below (or above depending on how website is designed) to view our Website Privacy Statement”

Examples of where a dealership would need to put a link to the website privacy collection statement include:

• New and Used Sales enquiry
• Service enquiry or appointment booking
• Finance and Insurance enquiry
• Contact Us

Step 6. Privacy Notice

The privacy notice is designed to inform walk-in customers about the dealership’s privacy policy and how they can obtain a copy.

Privacy Notices should be displayed in prominent locations in the dealership, such as sales and service reception desk and customer waiting areas. An example of a Privacy notice is provided in Appendix page #.

Step 7. Direct Marketing Privacy Statements

All direct marketing material should include a privacy statement. This statement explains to the customer how they can opt out of further contact, should they wish to do so.

Please refer to Appendix page # for an example of a privacy statement that can be used in this instance.

Step 8. Functional unsubscribe for electronic messages

If the Dealer sends commercial material to customers by email, SMS or MMS, they must comply with the Spam Act. To comply the Dealer must:

1. Inform the customer who sent the message
2. contain a functional unsubscribe facility

The unsubscribe facility must be functional. That is, it should be capable of receiving a reasonable number of unsubscribe responses. Further a Dealer must ensure the requests to unsubscribe are honoured.

Step 9. Referral Calls

Contacting a referral (ie a potential customer whose information has been gathered from an existing customer) by email or telephone risks breaching the Spam Act or the Do Not Call Register Act respectively.
To mitigate the risk, Dealers can:

1. Make every effort to ensure the call is solicited. Where possible check with the referee that the referral is aware and/or expecting the contact.
2. When contacting a referral (for example, by phone):
   1. the salesperson must state the reason for the call (including how the referral’s details were obtained)
   2. ask the customer if they wish to continue with the phone conversation.
   3. if the customer declines, the salesperson must honour the customer’s request.
   4. to fully comply with the request not to be contacted, the customer’s details should then be removed from the DMS to ensure they do not receive any future marketing information or contact from the dealership.

Step 10. Train all Frontline Staff

All staff should understand privacy legislation, as well as the privacy processes of the dealership. Accordingly, a satisfactory level of training should be provided.

Summary

The Privacy acts place many requirements on businesses in order to comply with the legislation. It can be an overwhelming task just trying to establish where to start. This guide is intended to help a Dealer take the first steps towards privacy compliance. It is not a comprehensive guide and addresses just some of the legislative requirements we recommend Dealers address first.

As Dealers take part in the Retail Development Advanced and Lighthouse programs there will be other processes, documents and requirements introduced to help build upon the Foundation Privacy Program. This guide helps you start the journey towards privacy compliance.