Recently, the Australian Communications and Media Authority (ACMA) reported that it issued a million-dollar infringement notice and received court-enforceable undertakings from one of Australia’s major supermarket chains for breaches of the Spam Act 2003 (Cth) (Spam Act). This and a similar enforcement action against a large Australian telecommunication company in early 2020 demonstrate that the ACMA is actively monitoring the market, and come as a timely reminder for businesses to ensure compliance with requirements under the Spam Act when directly marketing to consumers and/or purchasing electronic mailing or marketing lists.

ACMA Considerations

Some of the factors that were taken into account by the ACMA in setting the most recent fine were (a) that the sender of the emails was slow to respond to the ACMA’s initial reports about customer complaints, (b) that the sender pointed to ‘systems issues’ as part of the cause of the non-compliance, and that the investigation found that the sender’s systems, processes and practices were inadequate to comply with spam laws, and (c) that the non-compliant conduct continued for a period of approximately 9 months. Organisations that use direct marketing in their businesses should take note of these factors. This enforcement action, and the other actions taken by the ACMA against major Australian businesses over the last 12 months, should cause organisations to review their own marketing consents and direct marketing programs.

One other interesting point to note is that the supermarket had multiple users registered with the same email address (e.g., where it was shared by a family) and was sending marketing emails to other accounts that used that same email address even where one user with that address chose to unsubscribe. The provisions of the Spam Act provide that any person who sends an electronic message (including an unsubscribe request) about withdrawal of consent for electronic marketing is deemed to have sent that message on behalf of the account holder of the electronic account (e.g., email address, mobile phone number). That means that if anyone sends an unsubscribe request in relation to or on behalf of a particular email address or mobile phone number, that request must be honoured as a withdrawal of consent and unsubscribe request. Organisations that have membership programs or mailing lists therefore need to carefully review their lists for accounts that share email addresses or mobile phone numbers and put in place measures to make unsubscribe requests effective at the email address or mobile phone number level rather than the ‘user name’ level.

Compliance with the Spam Act

Under the Spam Act, businesses that send marketing messages or emails must ensure:

  1. they have the person’s consent to send the message (even when the message is sent by a third party). This means that:
    • the recipient has given their express consent (i.e. by filling in a form, ticking a box on a website or giving verbal permission, either over the phone or in person); or
    • it can be inferred that the recipient has given their consent. Consent can be inferred where the conduct, and the business and other relationships, of the individual or organisation concerned indicate that the recipient of the messages gives their permission to receive marketing messages – this requires an assessment of a range of factors and can vary from person to person, and it generally isn’t enough that there has been some limited interaction between the sender and recipient – or where there is a conspicuous publication of a work-related email address.
  2. the message itself:
    • identifies the business that is being marketed, i.e. their name, business name and contact details – third parties that send messages on behalf of a business must provide this information, and this information must be accurate for 30 days after the message has been sent; and
    • makes it easy to unsubscribe from electronic mailing lists – commercial messages must include an ‘unsubscribe’ option that:
      • presents unsubscribe instructions clearly, e.g. “To unsubscribe, please click the ‘unsubscribe’ button below”;
      • results in the request to unsubscribe being completed within 5 working days;
      • does not require payment of a fee to unsubscribe;
      • does not cost more than the usual amount for using the address, i.e. only standard fees apply; and
      • is functional for at least 30 days after the message is sent.


Under the Spam Act, the ACMA may issue formal warnings or infringement notices, commence proceedings in the Federal Court of Australia and accept court-enforceable undertakings. The penalties for ongoing non-compliance by corporations can be up to AUD 2.2 million.

For advice on compliance with the Spam Act and other direct marketing, please contact Melinda Upton, Nicholas Boyle and Jessie Buchan.

This post was co-authored by Valiant Warzecha (Solicitor), Alexandra Moore (Solicitor), Jessie Buchan (Senior Associate), Nicholas Boyle (Partner) and Melinda Upton (Global Co-Chair, Intellectual Property and Technology, Partner).