This article was co-authored with Shaun Buckton and Rachael Lee.
Throughout 2023, the Australian Media and Communications Authority (ACMA) has escalated its enforcement actions for non-compliance with the Spam Act 2003 (Cth) (Spam Act). Consistent with its enforcement priorities for 2023-2024, ACMA has increased surveillance and has issued a record number of fines, including its largest penalty of $3.55 million. Multiple businesses across a variety of sectors have been penalised for Spam Act contraventions, including Ticketek, The Wine Group, Sportsbet, Kogan Australia, Woolworths Group and Uber.
The Spam Act governs the sending of promotional messages and material via email and SMS, and, as a consequence, it regulates most aspects of a business’ marketing activity. Now more than ever, Australian businesses need to be aware of their obligations under the Spam Act and ensure their policies and processes for email and SMS marketing are compliant.
Recent enforcement objectives
ACMA’s recent enforcement action has focused on:
- The sending of marketing material via SMS, email or instant message (defined in the Spam Act as commercial electronic messages – CEMs) to persons without consent;
- Marketing messages sent without a functional ‘unsubscribe facility.’ A functional unsubscribe facility must state how a person can unsubscribe and must enable them to easily do so by clicking a link or sending a message (e.g. ‘stop’); and
- The sending of marketing messages more than 5 business days after a person has taken steps to unsubscribe.
Serious consequences for non-compliance
ACMA has broad-ranging enforcement powers under the Spam Act, including issuing infringement notices for pecuniary penalties. Penalties are calculated by reference to the number of messages sent in contravention of the Spam Act per day (see Schedule 3 to the Spam Act).
By way of example, a business that sent more than 50 CEMs without consent on one day would be liable for a fine of 1,000 penalty units (currently $313,000 if the contraventions occurred after 1 July 2023). Given the nature of mass marketing, it is not uncommon for businesses to send hundreds or thousands of CEMs each day over many months. Accordingly, the potential penalties may reach tens of millions and require judicial discretion to reduce the penalty. Most recently, Doordash Technologies Australia received an infringement notice of over $2 million for contraventions occurring across 12 days from July to October 2022.
Key areas of non-compliance
Businesses typically run afoul of the Spam Act and find themselves in the sights of ACMA for four primary reasons:
- Failure to have express or inferred consent for the sending of electronic marketing material, and to ensure records of consent are maintained and updated;
- Messages sent for mixed purposes – both informative and commercial;
- Delay in addressing complaints from customers about spam; and
- Reliance on third party marketing companies and SMS providers.
Failure to obtain consent and keep appropriate records
Unless an exception applies, consent is required for the sending of CEMs. The Spam Act differentiates between express and inferred consent. Ultimately, the business that sends a CEM bears the onus of establishing consent and should ensure that records are properly maintained and processes are regularly reviewed.
For example, businesses should ensure that consent is genuinely obtained (whether expressly through terms accepted by a customer or on the basis of being reasonably inferred), unsubscribe processes operate correctly and records are updated, customer-facing staff are properly trained to obtain and record consent, and sign-up and registration processes are compliant. Businesses may risk contravening the Spam Act if they fail to take these steps.
Messages sent for a mixed purpose
Messages containing only factual information (such as updates on the delivery status of a customer’s order) do not need to be sent with a customer’s consent or with a functional unsubscribe facility. However, if a message also has a commercial purpose it will need to comply with these requirements.
ACMA has taken a broad view of what may constitute a commercial purpose and, as is evident from its recent enforcement action against Ticketek, considers that a message confirming an order that also contains a link to a business’ website (which could feature deals on goods or services and other advertising material) is likely to be construed as a message having this purpose.1
Delay in addressing customer complaints
Complaints received from customers about spam are often the first indication that a business’ systems of providing electronic marketing material may be non-compliant. It is prudent for businesses to be timely in addressing complaints so as to mitigate the risk of those complaints being escalated to ACMA.
If complaints are made to ACMA, ACMA may issue businesses with a Spam Compliance Alert, which provides notice of customer complaints. Early engagement and self-reporting to ACMA are advised to minimise the risk of a formal investigation and enforcement action.
Obligations under the Spam Act cannot be outsourced
It is common industry practice for businesses to rely on third party providers to manage customer databases and to send SMS and email messages on their behalf. Businesses must be alive to the fact that compliance with the Spam Act cannot be delegated to third party providers and businesses will remain liable for all CEMs sent to customers, including by third party providers.
How to ensure compliance with the Spam Act
We recommend the following key steps to manage compliance with the Spam Act.
- Obtain expert advice on compliance and, if required, early and strategic engagement with ACMA;
- Regularly review policies and procedures, including a business’ general terms and conditions and privacy policy, as well as processes for obtaining, recording and updating consent;
- Perform due diligence and periodic audits to confirm that third party providers are accurately maintaining customer databases and functional unsubscribe facilities;
- Ensure informative communications (e.g. regarding order confirmation and delivery updates) are not accompanied by links to the business’ website or other material that may be considered a CEM;
- Train customer-facing staff to ensure proper processes for obtaining and recording consent; and
- Monitor for common technical issues that may lead to contraventions, including non-functioning unsubscribe facilities, changes to the message a customer is required to send to unsubscribe (e.g. from ‘stop’ to ‘stopnow’) and inadvertent duplication of customer records.
One thing is clear: Australian businesses cannot afford to be complacent about Spam Act compliance. ACMA is becoming increasingly active with enforcement action, and the penalties and other sanctions, such as the appointment of independent monitors and regular reporting to ACMA, can be costly to business. So can the damage to a business’ reputation, which can be substantial.