Caroline Hayward and Brian Whelan discuss recent developments in relation to spam laws. How can you ensure your messages are positively received? They offer a checklist that outlines how to reduce the risk of non-compliance when preparing your next round of marketing activity.

The Australian Communications and Media Authority (ACMA) recently imposed Australia’s largest ever penalty of AU$3.6m on a business for sending spam. This is a stark reminder to businesses to refresh their understanding of the laws surrounding commercial electronic messages.

The regulatory landscape: the net tightens

Over the past 18 months, ACMA has strengthened its “no tolerance” approach to noncompliance with spam laws. In addition to penalties, this can include enforceable undertakings for businesses to review their policies and implement training and education programs for staff.

ACMA has flagged spam compliance as a continuing priority for 2024. Major organisations investigated recently include food delivery service DoorDash.

What is spam?

Following the introduction of the spam laws in 2003, most organisations will have well embedded processes for their marketing materials.  However, “spam” is to be distinguished from “scam”, and it may not be front of mind when terms like phishing, hacking and ransomware are currently more prevalent.

The spam laws regulate the use of “commercial electronic messages”.  As you would imagine, this is a message such as an email or an SMS/text.

An electronic message is “commercial” if it offers goods or services for sale or promotes or advertises a business opportunity or investment.

Spam doesn’t need to be sent in bulk – a single message can constitute spam under the legislation.

What are the requirements?

Each commercial electronic message must:

• identify who is responsible for sending it (easy -that’s you!)
• include information describing how the sender can be contacted (usually this is an email address), and
• ensure that a functional unsubscribe facility is included (this is usually a link to a new page or email reply).

By “functional”, the information given and email address should be current for at least 30 days from the date the message was sent.

Consent is key

To avoid creating spam – you must have the recipient’s consent. Consent may be express or inferred.

• Express consent is where a person has specifically requested email / SMS messages (eg ticked an ‘opt-in’ box, or declared in writing that they wish to receive marketing from the sender). Best practice is to ensure express consent.
• Inferred consent is where there has been no direct request, but a recipient may reasonably expect to receive such messages.

From an individual’s perspective, to avoid spam, they should be careful of ticking boxes or entering competitions where personal information is collected, to avoid giving express consent inadvertently.

Getting your message across

Marketing increasingly relies on commercial electronic messages to reach target customer groups.  The spam laws were introduced to prevent a high frequency of unsolicited messages disturbing people and potentially causing other important messages to be lost in the barrage.

In addition to potential penalties and enforceable undertakings, businesses should also consider the commercial, financial and reputational risks associated with sending spam messages.

Most importantly, a sender wants a message to be received and read – not relegated to the “spam” or junk folder of an inbox and, above all, not deleted having been left unread!

What is not spam?

Messages (even if they are unwanted or just plain annoying!) are not spam if they aren’t commercial in nature – such as appointment or payment reminders, or notifications of a service or product fault – messages which are factual in nature and which identify the sender.

There are also certain limited exemptions for government bodies, political parties, educational institutions and charitable organisations.

Is it spam?

Between 2018 and 2019, a major supermarket sent marketing emails to consumers after they had unsubscribed from previous mailouts

Spam. By previously unsubscribing, Customers had not consented to receive further emails. By sending further emails, the supermarket had not honoured requests from customers to be unsubscribed.

In 2019, a political figure sent unsolicited text messages to an unknown number of voters

Not spam. Even though many were left wondering how their number had been obtained, registered political parties are exempt from requirements to obtain consent.

Every day, millions of Australians receive calls, emails and text messages impersonating a company or government agency (eg “you have an overdue toll fee”) or using other tactics to target personal or financial information

Not spam. These are more likely to be scams (or phishing attempts.

Are you complying with your responsibilities?

Do you have consent?

Unsolicited marketing emails or messages must not be sent to an individual without prior consent (express or inferred).

This means you should not:

• have a pre-ticked consent check-box
• bundle or bury consent requests with acceptance of T&Cs.

Best practice is to require express opt-in consent.

Have you identified yourself or your organisation?

If your organisation authorises the sending of the email or message, your organisation must be clearly identified in the email (including contact information).

Is it easy to unsubscribe or opt out?

Every mail-out must contain a straight-forward and opt-out or unsubscribe function ie a “One Click” approach. Customers must not be required to provide more personal information, to log in or to create an account simply to unsubscribe.

The unsubscribe link in a message must remain active for at least 30 days after the message has been sent.

Unsubscribe requests must be honoured within 5 days of receipt.

Is your message exempt from consent and unsubscribe requirements?

Certain commercial messages are exempt from consent and unsubscribe requirements depending on the sender and the nature of the content for example, payment reminders (see above).

 Have you considered other related laws, regulations and rules?

There are various other laws that must be considered such as the Privacy Act and the Do Not Call Register Act.

Further information

ACMA publishes guidelines to assist organisations in complying with the spam laws and can be contacted for general advice.

If you or someone in your organisation wants guidance on the spam laws and how to prepare your next marketing message to customers, please reach out to your KWM contact. If your business needs specialised advice on navigating spam laws, please contact Patrick Gunning or Kendra Fouracre.

Check out other insights from our Office of General Counsel team – from our inhouse to yours:

• Crisis Management ‘How To’: Don’t Throw Your Hands In The Air!
• Using the shield: Practical tips to managing privilege as inhouse counsel