Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

The importance of compliance with the Spam Act

07 July 2020

5 min read

#Data & Privacy

Published by:

Ecca Zhang

The importance of compliance with the Spam Act

In light of recent action taken against Woolworths and Optus for breaches of the Spam Act, businesses should ensure they have processes and procedures in place to comply with this legislation.

Action taken for breaches of the Spam Act 2003 (Cth) (Spam Act)

On 2 July 2020, the Australian Communications and Media Authority (ACMA) announced that it had fined Woolworths just over $1 million for 5 million breaches of the Spam Act and that Woolworths had also agreed to a three year court enforceable undertaking in relation to those breaches. The undertaking requires Woolworths to assess its processes and procedures and implement improvements. Woolworths’ breaches of the Spam Act arose from emails sent to consumers between October 2018 and July 2019, after those consumers had already unsubscribed. This is the largest fine that the ACMA has imposed for breaches of the Spam Act to date.

In January 2020, the ACMA fined Optus $504,000 for breaches of the Spam Act. Those breaches related to Optus sending SMS and email marketing messages to consumers between June and December 2018 after they had unsubscribed. The ACMA also found that Optus sent commercial emails in the form of billing notices that did not include an unsubscribe facility. As in the case of Woolworths, Optus agreed to an enforceable undertaking, which requires Optus to assess its processes and procedures and implement improvements.

Given that the ACMA has imposed fines of over $1.75 million over the past 12 months for breaches of the Spam Act (and the Do Not Call Register Act 2006 (Cth) (Do Not Call Act)) and that, when announcing the Optus action, the ACMA Chair noted that the ACMA is “actively cracking down on” breaches of the Spam Act, businesses of all sizes that send marketing emails or messages need to ensure that they are fully compliant with the requirements of the Spam Act.

What does the Spam Act apply to?

The Spam Act prohibits the sending of unsolicited “commercial electronic messages”. Electronic messages include emails, instant messaging, SMS and MMS. Importantly, the Spam Act does not apply to voice calls, though businesses must remember to comply with the Do Not Call Act in relation to voice calls. 

For an electronic message to satisfy the “commercial” criteria, the message must be commercial in nature, such as offering goods or services for sale, advertising goods or services, promoting a business or advertising or promoting any business opportunity or investment. 

The Spam Act only applies to commercial electronic messages with an “Australian link”, that is, the messages must originate in Australia, the person sending (or authorising the sending) of the messages must be physically in Australia (if that person is an individual) or have its central management or control in Australia (in the case of an organisation) or the messages must be accessible in Australia.

Commercial electronic messages may only be sent if the requirements set out in the Spam Act are satisfied. There are three key requirements, that consent is obtained; it is possible for recipients to unsubscribe; and that the sender is identified (and the sender’s contact details provided).

There are, of course, some exclusions, such as that commercial electronic messages may be sent by registered political parties or charities even if consent is not obtained, but these exclusions are quite limited.

Consent is critical

The primary requirement is that consent is obtained from the recipient of the message. Consent may either be express or inferred. Examples of express consent include the recipient ticking a box on an electronic form on a website or giving verbal consent in person or over the phone.

Consent may be inferred based on the conduct between the relevant organisation and recipient together with their business or other relationship. For example, consent may be inferred if the recipient is an existing customer of the relevant organisation and the message is related to a product or service that customer has purchased from the organisation.

Consent may also be inferred in the following (quite limited) circumstances:

  1. A person has made their email address or phone number public.
  2. That person does not state that they do not wish to receive commercial messages.
  3. The public email address or phone number is for an individual or office holder.
  4. The message relates directly to the person’s role or function and there is a link between the recipient and the content of the commercial electronic message.

Functional unsubscribe facility

All commercial electronic messages must, in easy to understand language, provide an option for the recipients to send a message to ‘opt-out’ of future commercial electronic messages by using an electronic address (e.g. by reply email or SMS). Requests to unsubscribe must not incur a fee other than the usual cost of sending the opt-out message (e.g. the cost of using a broadband connection to respond to an email). The unsubscribe facility must function for 30 days after the message was sent.

Importantly, an unsubscribe request must be actioned by the recipient within five working days.

Identification of the sender

Under the Spam Act, each commercial electronic message is required to clearly and accurately identify the sender and include the sender’s contact details. In the case of an Australian company, the ACMA states that the message should include the ABN of that company. It is also a requirement that this information is reasonably likely to be valid for at least 30 days after the message is sent. These requirements will apply even if the sender engages a third party to send the messages on the sender’s behalf.

A final comment: purchasing potential customer lists

Unsurprisingly, many businesses seek to expand their customer bases by advertising to potential customers. To do this, businesses must seek to acquire the details of those potential customers. However, businesses should be very careful in purchasing potential customer lists for sending electronic direct marketing.

First, when sending commercial electronic messages using such purchased lists there is a risk that the business will not comply with the consent requirements of the Spam Act. In addition, the Spam Act imposes prohibitions in relation to “address-harvesting software”. That term is broadly defined to include software that is able to be, or marketed as having the ability to, search the internet for, and then collect or otherwise harvest, electronic addresses. The Spam Act prohibits, amongst other matters, the acquisition or use of a list that has been created with such address-harvesting software.

Authors: Angela Flannery, Sarah Cass and Ecca Zhang

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Ecca Zhang

Share this