
In 2020, the Australian Communications and Media Authority (ACMA) stepped up its enforcement of spam-related offences by issuing significant penalties to companies for breaches of the Spam Act 2003 (Cth) (the Act). The Act aims to combat unauthorised marketing practices, which include the sending of commercial electronic messages via email, SMS, multimedia message service, or instant messaging.

Since the ACMA began its increased enforcement actions, there has been a noticeable uptick in penalties issued. For example, Australian online retailer Kogan was fined $310,800 in 2021, while Latitude Finance faced a penalty of nearly $1.55 million in 2022. Enforceable undertakings accepted by the ACMA can be viewed on its website.

The largest enforcement to date involved the Commonwealth Bank of Australia (CBA), which agreed to pay a $7.5 million penalty for breach of the Act. The ACMA found that CBA had sent over 170 million marketing messages without a way to unsubscribe. Among these messages, more than 34 million emails were sent without the necessary consent having been obtained.

Although these numbers may seem excessive and not directly impactful to most businesses, the growing accessibility of large datasets means that any business could face significant spam-related risks of this magnitude.

It is clear that the ACMA’s enforcement strategy primarily focuses on two key issues: ensuring that consent is obtained and providing a functional unsubscribe option.

Why are we here?

Australia has had laws relating to spam since 2003. Until recently, the focus of the ACMA has been on compliance rather than strict enforcement. However, since 2022, the ACMA has included spam on its list of enforcement priorities, particularly emphasising the unsubscribe rules. In 2019, the focus was more on obtaining consent.

When the ACMA investigates a potential regulatory breach, it has the authority to take regulatory action if a violation is confirmed. In determining whether a compliance breach has occurred, the ACMA considers a number of factors including but not limited to:

  • whether the conduct was deliberate, inadvertent, or reckless
  • whether it caused or may cause detriment to another person
  • the nature, severity, and extent of the detriment
  • whether the person has been subject to prior compliance or enforcement action and the outcome of that action, and
  • whether the conduct indicated systemic issues that could pose ongoing compliance or enforcement issues.

What does the law say?

In summary, the Act aims to protect consumers from unwanted commercial electronic messages. Businesses that fail to comply with the Act can face significant fines enforced by the ACMA. The Act requires businesses to:

  1. Obtain consent from recipients before sending. [1]
  2. Clearly identify themselves and provide contact information.
  3. Provide a functional and prominent unsubscribe option. [2]
  4. Avoid deceiving recipients with misleading subject lines or false identities.

It is worth noting that if even one part of a message is intended to advertise or promote goods or services, it is likely to be considered a commercial electronic message. For example, in October 2023 a banner advertisement on event tickets sold by Ticketek led to the company facing scrutiny under spam regulations.

What you should do

If you are using any form of commercial electronic marketing to communicate with customers that includes advertising, follow this checklist of essential steps to comply with the Act:

  1. Ensure there is a functioning unsubscribe option that allows recipients to easily opt out from future communications.
  2. Keep a record of the consent received, which can be express (directly given) or inferred (based on existing relationships), and note how it was obtained.
  3. Include the necessary information to accurately identify the sender.

Please contact our team if you have any questions.

 

[1] As a general rule for e-marketing, consent should be obtained before a message can be sent, including to a business. Consent can be either inferred or express.

[2] The unsubscribe option should present clear instructions on how to opt out of receiving messages, take effect within 5 working days, continue to function for at least 30 days after the message is sent, and not require the person to provide extra personal information or log in to an account to unsubscribe.

 
