Spam Act 2003: the three rules every Australian sender must follow

What the Act covers

The Spam Act 2003 regulates commercial electronic messages. This includes email, SMS, MMS and instant messages. These messages are subject to the Act if they have an Australian link.

The Australian Communications and Media Authority (ACMA) administers the Spam Act 2003. This means ACMA is responsible for enforcing the rules and investigating complaints.

The Act applies regardless of where the message is sent from. It is relevant whether the sender is located inside or outside Australia, provided the message has an Australian link.

Rule 1 — Consent

A commercial electronic message can only be sent to a recipient if they have consented to receive it. This requirement is central to the Spam Act 2003. Consent can be given in two ways: express consent, where the recipient has clearly indicated their agreement to receive the message; or inferred consent, which arises from an existing relationship between the sender and the recipient.

Express consent requires a clear, separate action by the recipient to indicate their agreement. This means that pre-ticked boxes or bundled consents, where consent is obtained as part of a larger agreement, are generally problematic and unlikely to be recognised as valid consent.

To help ensure compliance, consider the following regarding express consent:

• The recipient must take a deliberate action.
• The action must clearly indicate agreement to receive commercial messages.
• The consent must be separate from other agreements.

Rule 2 — Identification

Commercial electronic messages sent to Australian recipients must clearly and accurately identify who sent them. This includes the individual or business that authorised the message’s transmission. This identification requirement applies to every commercial electronic message.

The obligation to identify the sender is not a one-off. Sender details must remain accurate for a period of at least 30 days following the message being sent. This allows recipients to recognise the sender and, if necessary, investigate the message's origin.

This rule ensures transparency and accountability for those sending commercial electronic messages.

Rule 3 — Unsubscribe

Commercial electronic messages sent to recipients in Australia must include a working unsubscribe facility. This allows recipients to opt out of receiving further messages from the sender.

The unsubscribe facility must be presented in a way that is clear and reasonably easy to access. It must also be free or low-cost to use and remain functional for at least 30 days after the message is sent.

Once a valid unsubscribe request is received, the sender must honour it within 5 business days. This means ceasing to send any further commercial electronic messages to that recipient.

Penalties

The Australian Spam Act 2003 provides several avenues for enforcement. The Australian Communications and Media Authority (ACMA) may issue infringement notices, accept enforceable undertakings, seek injunctions, or apply to the Federal Court for civil penalties. These actions are taken when the Act’s requirements are not met.

Civil penalties can be substantial, particularly for companies that repeatedly breach the Act. For repeat corporate offenders, the maximum civil penalty can reach approximately $2.96M per day of contravention. penalty estimator provides a tool to help understand potential penalties.

Recent ACMA enforcement activity has focused on retailers, telecommunications companies (telcos), and financial services providers. These cases often involve issues such as inadequate records of consent to send commercial electronic messages, or failures to properly process unsubscribe requests.