Home Insights ACMA Spam Act enforcement and the implications for business

ACMA Spam Act enforcement and the implications for business

In June 2022, the Australian Communications and Media Authority (ACMA) announced that one of its enforcement priorities for 2022-23 was to ensure compliance with the Spam Act 2003 (Cth) (Spam Act). Specifically, ACMA indicated that it would seek to take action against businesses that continued to send marketing emails and texts to individuals who had made an unsubscribe request. This announcement was made after ACMA’s research indicated that six in ten Australians were still contacted by businesses after they made an unsubscribe request.

ACMA’s Spam Act enforcement in the past 12 months has demonstrated this priority.

In 2022-23, ACMA completed nine investigations into businesses that contravened the Spam Act which resulted in fines totalling over A$8 million in addition to court-enforceable undertakings. The largest fine for a single business’s contraventions was A$3.55 million. On top of these closed investigations, ACMA has also announced that it has five ongoing investigations relating to potential Spam Act breaches.

ACMA’s enforcement trend in seeking to ensure that businesses comply with the Spam Act is likely to continue over the next 12 months, with ACMA announcing that Spam Act compliance remains a regulatory priority for 2023-24.

This Insight examines the key themes arising from ACMA’s enforcement in 2022-23 and what businesses should consider to help prevent them from being subject to ACMA’s next investigation.

Spam Act Refresher

There are three key requirements under the Spam Act which relate to the sending of an email or text to an individual if it is a ‘commercial electronic message’:

  • Consent: A business must not send a commercial electronic message to an individual without the individual’s express or inferred consent.

  • Unsubscribe link: A commercial electronic message must include a functional unsubscribe link. This link must also meet the requirements set out in the Spam Regulations 2021 (Cth) (Spam Regulations).

  • Identification: The sender of a commercial electronic message must identify itself as the sender.

ACMA’s recent investigations have focused on the first and second of these requirements, with ACMA issuing fines where a business contravened the Spam Act in one (or more) of the following ways:

  • by sending a commercial electronic message to an individual more than five business days after the individual withdrew their consent through an unsubscribe request;

  • by sending a commercial electronic message without a functional unsubscribe link;

  • by only allowing an individual to unsubscribe from receiving future commercial electronic messages if they provided personal information (other than the phone number or email address that received the message); and

  • by only allowing an individual to unsubscribe from receiving future commercial electronic messages if they logged in to, or created, an account.

Based on ACMA’s recent enforcement activities, there are three key takeaways for businesses:

Takeaway 1: Categorise your messages properly

First, it is critical that businesses accurately categorise whether each message they intend to send is a ‘commercial electronic message’. The Spam Act defines the term ‘commercial electronic message’ broadly to include any electronic message that offers, advertises or promotes goods or services, or advertises or promotes a provider of goods or services, in any way.

The wide breadth of this definition is clear from ACMA’s recent investigations. For example, ACMA found that an email informing customers about the business’ app (which was relevant to the customer’s service) was a commercial electronic message. Similarly, ACMA found that an email informing customers about certain features of their service was a commercial electronic message as it promoted that service.

If any part of an electronic message is commercial in nature (i.e. it promotes a business, good or service), the message as a whole will be classified as a ‘commercial electronic message’.

A business is not prohibited from sending a message to an individual simply because it is classified as a commercial electronic message – the business can still send the message as long as it has the individual’s consent and the message includes a functional unsubscribe link (see Takeaways 2 and 3).

Takeaway 2: Review your consent records

Second, businesses should review their consent records to ensure they have valid consent from an individual before sending commercial electronic messages to that individual.

ACMA’s recent enforcement activities have focused on whether a business has complied with an individual’s unsubscribe requests within the required timeframe (i.e. five business days) as a business no longer has an individual’s consent to send them commercial electronic messages after the individual has made an unsubscribe request. Further, it is also a key consideration whether a business has consent to send a message to an individual where the individual has not made an unsubscribe request.

While consent can be express or inferred, express consent is highly preferable. This is because in the event a business receives a complaint (or is investigated by ACMA), the business will bear the evidentiary burden to show that it had valid consent to send commercial electronic messages.

Express consent involves an individual taking an active step to confirm that they wish to receive a commercial electronic message. For example, an individual could consent to receiving a commercial electronic message by ticking a check-box (that is unticked by default).

Inferred consent can only be relied on in limited circumstances. ACMA’s guidance suggests that consent can be inferred:

“… if someone has subscribed to a service, has an account or is a member, and the marketing is directly relevant to the relationship – such as a person’s savings bank telling them about another savings account with higher interest. It would not cover the bank trying to sell them insurance products."

However, a business does not have inferred consent to send a commercial electronic message to an individual simply because an individual made a one-off purchase from the business.

ACMA’s guidance suggests that inferred consent is unlikely to extend to the promotion of any ‘add-ons’ or ‘cross-sells’ (which may limit its utility for many businesses that have a range of goods or services). Further, there may be risks in relying on inferred consent. For example:

  • it is not entirely clear when a message would be ‘directly relevant’ to an account or subscription (as required by ACMA’s guidance). For example, using a similar example to the one in ACMA’s guidance, it is not clear if a bank could promote a savings account with an overdraft facility to an existing savings customer; and

  • it is also not clear whether a business could infer an individual’s consent if the individual was given the option to subscribe to receiving marketing messages from that business but chose not to.

For these reasons, it is preferable to always obtain express consent before sending a commercial electronic message. This will remove any doubt as to whether an individual has provided consent to receive a commercial electronic message.

Takeaway 3: Check if your unsubscribe link is valid

Finally, ACMA has shown that it is focused on ensuring all commercial electronic messages contain a functional unsubscribe link.

In order to be functional, the link must allow an individual to simply and easily opt-out of receiving future commercial electronic messages from a business. ACMA has not been sympathetic to businesses which have made a genuine mistake or experienced a technical error that resulted in commercial electronic messages being sent to individuals after they had made an unsubscribe request.

Further, the unsubscribe link must comply with the requirements under the Spam Regulations. In particular:

  • a business must not require an individual to provide personal information (other than the mobile number or email address to which the commercial electronic message was sent) to make an unsubscribe request; and

  • a business must not require an individual to log in to an existing account (or create a new account) to make an unsubscribe request.

To comply with this requirement, it is critical that a message is properly classified (i.e. as a commercial electronic message or a non-commercial electronic message). All commercial electronic messages must include a functional unsubscribe link in addition to the requirement that a business has the individual’s express or inferred consent to send them a commercial electronic message.


Given ACMA’s focus on ensuring compliance with the Spam Act, businesses should proactively:

  • determine whether they are correctly classifying their emails or texts as commercial electronic messages;

  • consider whether they have valid express or inferred consent to send any commercial electronic messages; and

  • ensure that all commercial electronic messages have a functional unsubscribe link and that they action all unsubscribe requests within five business days.


Robert Ceglia

Senior Associate

Mark Salamy

Law Graduate


Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.