Publication
Proposed changes to Alberta’s Freedom of Information and Protection of Privacy Act
Alberta is set to significantly change the privacy landscape for the public sector for the first time in 20 years.
Australia | Publication | November 2023
This article was co-authored with Shaun Buckton and Rachael Lee.
Throughout 2023, the Australian Media and Communications Authority (ACMA) has escalated its enforcement actions for non-compliance with the Spam Act 2003 (Cth) (Spam Act). Consistent with its enforcement priorities for 2023-2024, ACMA has increased surveillance and has issued a record number of fines, including its largest penalty of $3.55 million. Multiple businesses across a variety of sectors have been penalised for Spam Act contraventions, including Ticketek, The Wine Group, Sportsbet, Kogan Australia, Woolworths Group and Uber.
The Spam Act governs the sending of promotional messages and material via email and SMS, and, as a consequence, it regulates most aspects of a business’ marketing activity. Now more than ever, Australian businesses need to be aware of their obligations under the Spam Act and ensure their policies and processes for email and SMS marketing are compliant.
ACMA’s recent enforcement action has focused on:
ACMA has broad-ranging enforcement powers under the Spam Act, including issuing infringement notices for pecuniary penalties. Penalties are calculated by reference to the number of messages sent in contravention of the Spam Act per day (see Schedule 3 to the Spam Act).
By way of example, a business that sent more than 50 CEMs without consent on one day would be liable for a fine of 1,000 penalty units (currently $313,000 if the contraventions occurred after 1 July 2023). Given the nature of mass marketing, it is not uncommon for businesses to send hundreds or thousands of CEMs each day over many months. Accordingly, the potential penalties may reach to tens of millions and require judicial discretion to reduce the penalty. Most recently, Doordash Technologies Australia received an infringement notice of over $2 million for contraventions occurring across 12 days from July to October 2022.
Businesses typically run afoul of the Spam Act and find themselves in the sights of ACMA for four primary reasons:
Unless an exception applies, consent is required for the sending of CEMs. The Spam Act differentiates between express and inferred consent. Ultimately, the business that sends a CEM bears the onus of establishing consent and should ensure that records are properly maintained and processes are regularly reviewed.
For example, businesses should ensure that consent is genuinely obtained (whether expressly through terms accepted by a customer or on the basis of being reasonably inferred), unsubscribe processes operate correctly and records are updated, customer-facing staff are properly trained to obtain and record consent, and sign-up and registration processes are compliant. Businesses may risk contravening the Spam Act if they fail to take these steps.
Messages containing only factual information (such as updates on the delivery status of a customer’s order) do not need to be sent with a customer’s consent or with a functional unsubscribe facility. However, if a message also has a commercial purpose it will need to comply with these requirements.
ACMA has taken a broad view of what may constitute a commercial purpose and, as is evident from its recent enforcement action against Ticketek, considers that a message confirming an order that also contains a link to a business’ website (which could feature deals on goods or services and other advertising material) is likely to be construed as a message having this purpose.1
Complaints received from customers about spam are often the first indication that a business’ systems of providing electronic marketing material may be non-compliant. It is prudent for businesses to be timely in addressing complaints so as to mitigate the risk of those complaints being escalated to ACMA.
If complaints are made to ACMA, ACMA may issue businesses with a Spam Compliance Alert, which provides notice of customer complaints. Early engagement and self-reporting to ACMA is advised to minimise the risk of a formal investigation and enforcement action.
It is common industry practice for businesses to rely on third party providers to manage customer databases and to send SMS and email messages on their behalf. Businesses must be alive to the fact that compliance with the Spam Act cannot be delegated to third party providers and businesses will remain liable for all CEMs sent to customers, including by third party providers.
We recommend the following key steps to manage compliance with the Spam Act.
One thing is clear, Australian businesses cannot afford to be complacent about Spam Act compliance. ACMA is becoming increasingly active with enforcement action and the penalties and other sanctions such as the appointment of independent monitors and regular reporting to ACMA can be costly to business. So can the damage to a business’ reputation, which can be substantial.
Publication
Alberta is set to significantly change the privacy landscape for the public sector for the first time in 20 years.
Publication
On December 15, amendments to the Competition Act (Canada) (the Act) that were intended at least in part to target competitor property controls that restrict the use of commercial real estate – specifically exclusivity clauses and restrictive covenants – came into effect.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023