Privacy, consent and data protection: using property data legally.

Data protection in real estate

At National Property Data, we pride ourselves on our support services. Every week, we get calls from customers looking for advice about how they can do more with data to grow their business.

Our aim is to ensure we not only provide good advice, but that the guidance we pass along is legal and ethical.

Recently, we had a conversation with a real estate agent who had read a competing data provider’s blog. The article suggested agents should directly contact property owners, using the data provided, to win more listings.

Of course, when the agent contacted a property owner to try to win a listing, the response they received wasn’t pleasant.

It wasn’t the cold call itself that upset the person, it was the fact the agent had sourced and used their property ownership and contact details to call, without consent.

The agent, a little battered and confused, was left with a loud dial tone at the end of the conversation and a lot of questions about what had gone wrong.

Over the last few years, as global data giants have pushed the boundaries of what is legal and ethical, the law as it relates to privacy, data protection, spam, and importantly, consent, has started to catch up.

When using property data, it’s important to know what you can and can’t do, legally and ethically, so you build a reputation as a compliant and law-abiding property expert. 

To combat some of the myths shared in property communities, here are some simple insights that will help you use data effectively and operate within the law.

1. Know the privacy and data protection laws in Australia

The use of personal data by Australian organisations, is governed primarily by the Privacy Act 1988, with a review of the Act announced in December 2019 (discussion paper released 2021), and the Spam Act 2003 (Cth).

Those in the Australian Capital Territory are also covered by the Information Privacy Act 2014 (ACT).

Australia’s businesses – including yours – may be affected by international laws, such as the General Data Protection Regulation (GDPR). This is the European Union’s data protection law that came into effect in 2018 and applies to any business that collects or uses information on citizens of the Union (whether they live there or not).

2. Understand if the laws apply to you and your business

Knowing any law inside and out can be challenging, and yet, understanding exactly how a law may affect your business and what you need to do to comply, is crucial.

While the three main privacy, data protection and spam laws (and others that apply) are quite complex, who they apply to can be much more straightforward:

  • The Privacy Act 1988 applies mainly to Australian Government organisations and other organisations (likely including yours, even if you are a sole trader) with an annual turnover of $3 million or more.

    Small businesses with a lower turnover are also covered by the Act if they buy or sell personal information (most agents purchase this data) or they interact with a residential tenancy database.

  • The Spam Act 2003 (Cth) applies to any business that operates in Australia and sends commercial or marketing messages to other businesses or individual people.

  • The GDPR may affect any Australian business that collects data about EU citizens or that offers goods or services to EU citizens. As agents, this might apply if you have a buyer, property owner or tenant who is from the EU.


Importantly, the Privacy Act 1988 has 13 Privacy Principles that apply to relevant businesses, governing collection, use and disclosure of personal information.

They also detail governance and accountability, integrity and correction of personal information, and the rights of people to access their own information.

3. Always get consent to use personal data

When it comes to data, having consent to collect information about a person or people, and to use it, especially to contact them, is important.

In its 13 Privacy Principles, the Privacy Act 1988 sets out how data about a person can be used, especially in direct marketing (emailing, calling, texting).

Principle 6 tells us that ‘an entity can only use or disclose personal information for the purposes which it was collected or for a secondary purpose if an exception applies’.

Most of those exceptions revolve around consent to the secondary use, that use is directly related to the primary purpose or that a person might reasonably expect to be contacted for the secondary purpose.

In the case of most property data platforms, ownership information has been collected by Government sources (or other third parties) for the purpose of keeping a record of a property transaction, and many owners aren’t aware of this.

Principle 7 notes that personal data obtained by a third party may be used if the third party has the consent of the person to use their data for the purpose of marketing, and if the third party provides a simple way to opt out.

While some organisations may find these laws a little ‘grey’, ask yourself:

If you sell your house and communicate only with your lawyer and agent, and years later, a second, unknown real estate agent sees your ownership details on a data platform and emails you – have you given consent for your data to be used for that purpose?

Would you reasonably expect an agent to be contacting you (by name) to try to offer their services?

Like the Privacy Act 1988, the Spam Act requires you to have consent to contact the individual.

You also need to identify yourself as the sender and give the person an easy option to opt out. The Spam Act applies to most businesses, regardless of size and turnover.

Do more with data: marketing within data protection and spam laws

There are a lot of ways you can market to potential sellers, without breaking the law.

A commitment to doing so not only shows your respect for the privacy of other Australians, but also your dedication to being an ethical professional within your field.

Marketing using data, starts with collecting it, so we suggest familiarising yourself with legal and ethical practices for collecting and storing data about the people with whom you do business.

As a first step, make sure they know you are collecting their data and they give you permission to do so.

Second, ensure they understand your purpose for collecting their data (or a secondary purpose) is to communicate to them about your services.

Thirdly, always give them an option to opt-out and have their data scrubbed from your lists.

With data collected consensually, you may be able to market via email, phone and text. You may also load your lists into Facebook and other social media platforms to target advertisements very specifically at your contacts, or at unidentified people who look or behave like them.

If you do want to use property ownership information for marketing, you may be able to, but you need keep it less personal. You can identify hot spots for listings or recent sales, and send letters to all the residents, careful not to address the letters or envelopes by name.

In business, we can become so focused on our marketing and our targets, that we forget what it’s like to be the person at the other end. A simple guide for approaching privacy is to ask yourself, would I want this? Would I expect this? Would I be ok with this?

Find out more information about Australia’s Privacy Act 1988 and start planning smarter, data-driven marketing today.

This article does not constitute legal advice. We suggest contacting the OAIC or your lawyer for specific privacy, consent and data protection advice.

Sign up for National Property Data’s 7-day FREE trial.

More articles.