
Spam Act 101 for SMEs: What you need to know


The Australian Communications and Media Authority (ACMA) recently imposed a $302,500 penalty on Outdoor Supacentre Pty Ltd (Outdoor Supacentre), a four-wheel drive and camping accessory retailer, for sending over 83,000 marketing text messages in breach of the Spam Act 2003 (Cth) (Spam Act).

The Spam Act requires businesses of all sizes to have the recipient’s consent to send marketing materials and each communication must include a functional unsubscribe option. Being a small or medium sized business is no excuse not to comply with the rules.

In this case, consumers complained that over a period of more than 10 months Outdoor Supacentre sent text messages without a functional unsubscribe option and continued to send marketing messages even after they had withdrawn consent to receive such communications. It was after these complaints that the ACMA initiated an investigation.

Outdoor Supacentre submitted to the ACMA that the marketing messages had been sent by mistake, blaming the delivery of messages on a previous data migration between service providers. However, it did not provide evidence of any quality assurance processes or compliance checks undertaken to prevent the marketing text messages from being sent.

The ACMA was not satisfied that Outdoor Supacentre had made a mistake of fact.

In addition to the fine, the ACMA also accepted a three-year court-enforceable undertaking from Outdoor Supacentre, committing it to appoint an independent consultant to review its compliance with Spam rules.

What does the Spam Act apply to?

The Spam Act prohibits the sending of unsolicited “commercial electronic messages”. Electronic messages include emails, instant messaging, SMS and MMS. However, the direct marketing obligations under the Privacy Act 1988 (Cth), being Australian Privacy Principle 7 on direct marketing, apply to all other channels of direct communication. Those provisions broadly mirror those in the Spam Act.

While the Spam Act does not apply to voice calls, businesses must remember to comply with the Do Not Call Act in relation to voice calls. The ACMA regularly fines companies who fail to wash phone lists against the Do Not Call Register.

For an electronic message to satisfy the “commercial” criteria, the message must be commercial in nature, such as offering goods or services for sale, advertising goods or services, promoting a business or advertising or promoting any business opportunity or investment. The ACMA also considers surveys and free offer type promotions to fall within the Spam Act as they have a commercial intent.

What do I need to do to comply with the Spam Act?

Commercial electronic messages may only be sent if the requirements set out in the Spam Act are satisfied: that consent is obtained; that it is possible for recipients to unsubscribe; and that the sender is identified (with their contact details included).

There are, of course, some exclusions, such as that commercial electronic messages may be sent by registered political parties or charities even if consent is not obtained, but these exclusions are quite limited.

Consent is critical

The primary requirement is that consent is obtained from the recipient of the message. Consent may either be express or inferred. Examples of express consent include the recipient ticking a box on an electronic form on a website or giving verbal consent in person or over the phone.

Consent may be inferred based on the conduct between the relevant organisation and recipient together with their business or other relationship. For example, consent may be inferred if the recipient is an existing customer of the relevant organisation and the message is related to a product or service that customer has purchased from the organisation.

Consent may also be inferred in the following (quite limited) circumstances:

a person has made their email address or phone number public

that person does not state that they do not wish to receive commercial messages

the public email address or phone number is for an individual or office holder

the message relates directly to the person’s role or function and there is a link between the recipient and the content of the commercial electronic message.

For example, if you emailed the author of this article about services that you supply to lawyers in the conduct of their job, such as printing or transcription services, consent would be inferred. If you send promotional material about wine, cars or things unrelated to the business role, this would be in breach.

Functional unsubscribe facility or opt out

All commercial electronic messages must, in easy to understand language, provide an option for the recipients to send a message to ‘opt-out’ of future commercial electronic messages by using an electronic address (e.g. by reply email or SMS). Requests to unsubscribe must not incur a fee and the unsubscribe facility must function for 30 days after the message was sent.

Importantly, an unsubscribe request must be actioned by the sender within five working days. This was a key issue in the Outdoor Supacentre case.

Identification of the sender

Under the Spam Act, each commercial electronic message is required to clearly and accurately identify the sender and include the sender’s contact details. In the case of an Australian company, the ACMA states that the message should include the company’s ABN. It is also a requirement that this information be valid for at least 30 days after the message is sent. These requirements will apply even if the sender engages a third party to send the messages on their behalf.

The risk of purchasing customer lists

Unsurprisingly, many businesses seek to expand their customer bases by advertising to potential customers. However, businesses should be careful in purchasing potential customer lists for sending electronic direct marketing as there is a risk that the business will not comply with the consent requirements of the Spam Act. 

In addition, the Spam Act imposes prohibitions in relation to “address-harvesting software”. That includes web scraping and digital data capture. 

Key takeaways

While the Spam Act has been around for quite a while, small businesses should not be complacent about their marketing communications. The ACMA is consistently investigating breaches and taking action against businesses, irrespective of size.

Small businesses can prevent breaching spam laws by conducting regular testing and risk assessment – many privacy and data issues have historically emerged from unintended consequences of software upgrades. In this case, Outdoor Supacentre attributed the unsolicited marketing messages to a data migration process.

Small businesses should also check their email preference settings – in the same way hyperlinks can be broken, unsubscribe text may fall off communication templates. Even if the unsubscribe option is on the text, are those notifications being actioned?

Finally, small businesses should investigate and respond to customer complaints – if customers are telling you something is wrong, investigating the issue before a regulator is involved can likely save your business the financial cost of a penalty and/or enforceable undertaking.

If you have any questions regarding your small business’ obligations under the Spam Act or require assistance with reviewing your data and privacy policies, please get in touch with Lyn Nicholson at

By Lyn Nicholson, General Counsel

The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
