The Spam Act 2003 (Spam Act) sets out Australia’s spam rules. They include when commercial electronic messages can be sent and what information must be included in the message.
Spam rules are important as they prevent intrusion on an individual’s privacy, which can cause offence or harm. They also ensure that Australia’s electronic communication channels are working effectively. The ACMA plays a key role promoting responsible industry practice and enforcing the spam rules.
The key rule is that commercial electronic messages cannot be sent without permission (or consent).
Who needs to comply?
You must comply with these rules if you’re planning to send any commercial electronic message to an electronic address, or have engaged someone to send them on your behalf. This includes messages sent by:
- instant message.
When do the spam rules apply?
The rules apply to messages sent to an electronic address, like a mobile number or email address, which contain a commercial element. This includes an offer to supply, provide, advertise or solicit:
- goods or services
- land, or an interest in land
- a business or investment opportunity.
The rules also apply to a person who assists or enables a person to dishonestly obtain property or a financial advantage.
Messages that are factual in nature are only required to comply with a limited section of the Spam Act. Take a look at the information below on exemptions from spam rules.
There are three key parts to the rules that you need to be aware of:
- Permission (consent)—messages can only be sent with the permission of the person who owns the account for the address (usually the recipient).
- Identification—messages must contain the name and contact details of the person or business that authorised the message (sender identification).
- Unsubscribe—messages must contain a low (or no cost) way for the recipient to stop getting messages (to ‘opt out’ or unsubscribe).
1. Permission (consent)
Commercial electronic messages can only be sent if the account holder (for example, the person who owns the email or phone account) has given permission. Permission can be given directly (‘express’) or, in limited circumstances, apply indirectly (‘inferred’).
- Express permission—an individual agrees to receive your marketing. For example, a person may sign up to your mailing list.
- Inferred permission—you may be able to infer permission from an individual’s conduct, business or other relationships. For example, if a consumer holds a bank credit card, that bank may contact them with related offers.
- Withdrawn permission—people can withdraw their permission (unsubscribe) at any time after it is given. These requests must be acted upon, and you must stop sending the person commercial messages within five business days.
You should keep a clear record of all instances where permission has been given, including who gave the permission, when, where and how. Under the Spam Act, it is up to you to prove that consent exists—even if you have purchased a mailing list from another business or a third party sends messages on your behalf.
Using public directories
You can’t infer permission to send commercial messages simply because a number or email address is published (such as online or in a directory). If you want to infer permission this way, you must be able to meet specific requirements in the Spam Act about ‘conspicuous publication’. These include ensuring that:
- messages sent concern matters relevant to the role of the recipient
- the electronic address is for a particular employee or office holder
- the electronic address wasn’t published with a statement that the receiver doesn’t want to receive messages.
There needs to be a strong link between the product you are promoting and the person that receives the message. For example, you may be able to infer consent to send a message advertising your employment agency to the recruitment manager at a business, if their electronic address has been published. However, you could not infer consent to send the recruitment manager messages about web optimisation, as this is not directly related to their role.
Messages also need to be sent to a particular employee or office holder, for example firstname.lastname@example.org or email@example.com. If you send a message to a generic email address, like firstname.lastname@example.org, then you may risk breaching the Spam Act.
All commercial electronic messages, regardless of the format (for example, SMS, email), must include clear and accurate details about who authorised the message (such as the registered trading name) and contact information for them (for example, a phone number, address or email address).
It’s important that the recipient can readily access this information—if a person has to click-through a number of web pages before they find your contact details, you risk breaching the Spam Act.
The information must be accurate for at least 30 days after the message is sent.
Messages must include a way for the recipient to withdraw their permission and stop receiving messages, known as an unsubscribe, ‘opt-out’ or ‘stop’ facility. The instructions must be clear and obvious, must be functional for at least 30 days after the message was sent, and be low or no cost to the recipient. Requests to unsubscribe must be actioned in five business days. You can’t use premium numbers for unsubscribing.
Address harvesting is the process of automatically obtaining a large number of email addresses using a computer program or service.
Under the spam rules, you cannot:
- use or supply a list that has been created using address-harvesting software
- use or supply address-harvesting software.
If you purchase a list, you should be careful that the list has not been created using address-harvesting software. You will need to ask your list supplier to make sure that the list has been obtained legally and to make sure that the people on the list have consented to getting your messages. Read our guide to purchased lists.
You must not:
- help, guide or work with another person to breach the spam rules
- encourage another person to breach the spam rules
- be directly or indirectly, knowingly concerned in a breach of the spam rules.
A person will not breach the ancillary provisions merely because they supply the service which enables the message to be sent, for example, an internet service provider. But if a person advertised their services to encourage behaviour that would breach the spam rules, then they may be in breach of the ancillary provisions.
Exemptions from spam rules
Some commercial electronic messages are partially exempt from the Spam Act. They can be sent without the permission of the recipient, and do not need to have an unsubscribe facility or statement (however, including these features is better practice and likely to result in happier customers).
Exempt messages must still comply with the sender identification rules in the Spam Act. That means the message must contain the name and contact details of the business that authorised the message. It’s important that this information is within the message itself and doesn’t involve multiple click-throughs to find it.
Exempt messages include:
- Factual messages—messages that do not contain commercial material; for example, a product recall notice or an appointment reminder. However, if the message contains an advertisement, or links to an advertisement, it is commercial. The name, logo and contact details of the business are not ‘commercial’ information in these types of messages. Remember, sending such messages does not mean you have the recipients’ permission to send future commercial messages, or to add them to a mailing list.
- Designated commercial messages—are those sent by exempt organisations, including registered charities, educational institutions (only if sent to current or former students), government bodies and registered political parties. Designated messages must relate to goods or services offered by the exempt organisation.