Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, marketing is part of the job. Whether you’re promoting a new product, reminding customers about an appointment, or sharing a special offer, it’s normal to reach out through email, SMS, or even messaging platforms.
But in Australia, marketing messages aren’t a “send now, worry later” area. Australia’s spam laws set strict rules about when you can message someone, what you need to include in your message, and how quickly you must stop contacting someone who opts out.
The good news is that compliance doesn’t have to kill your marketing. With the right processes, you can market confidently, build customer trust, and avoid penalties that can seriously hurt a growing business.
Below, we’ll break down what small businesses need to know about spam laws in Australia, including consent, identifying your business, unsubscribe rules, common traps, and practical steps you can implement straight away.
What Are Spam Laws In Australia (And Why Do They Matter For Small Businesses)?
When people talk about “spam laws” in Australia, they’re usually referring to the rules under the Spam Act 2003 (Cth), which regulates commercial electronic messages.
These laws matter to small businesses because they apply to everyday marketing activities like:
- email marketing campaigns and newsletters
- SMS promotions and appointment reminders that include upsells
- direct messages sent through electronic platforms (depending on the circumstances)
- marketing sent through automation tools (like CRM sequences)
Importantly, spam laws aren’t just about stopping “scammers”. They’re designed to ensure customers have control over what marketing they receive and from whom. As a business owner, that means you need a marketing system that respects consent and makes it easy for people to opt out.
Spam compliance also overlaps with other obligations. For example, if you’re collecting customer details for marketing, you’ll usually need to think about privacy compliance and having a Privacy Policy that reflects what you actually do with personal information.
What Counts As A “Commercial Electronic Message”?
Spam laws generally focus on commercial electronic messages (often shortened to “CEMs”). In plain terms, this is an electronic message that:
- is sent to an electronic address (like an email address or phone number), and
- has a commercial purpose (advertising, promoting, offering, or directing someone to goods/services, business opportunities, etc.).
Even if your message is friendly or helpful, it can still be “commercial” if it encourages a purchase or promotes your business in some way.
Examples That Are Usually Commercial
- An email newsletter with product updates and links to your store
- An SMS: “20% off this weekend – use code SAVE20”
- An email: “We miss you! Book again and get a free upgrade”
What About Transactional Messages?
Some messages are primarily factual or “transactional” (like receipts, shipping notifications, or password resets). These aren’t usually sent for a marketing purpose. The Spam Act also recognises a category called designated commercial electronic messages, which can include messages that contain only limited “commercial” content (for example, certain account, billing, warranty, safety or recall information) and meet specific requirements.
But a common mistake is mixing marketing content into a message that would otherwise be transactional. For example, an appointment reminder that also includes “and check out our new packages here” may turn the message into a commercial electronic message that must comply with the Spam Act rules.
As a practical approach: if you include a promotion, discount, upsell, referral request, or link encouraging further purchases, treat the message as commercial and comply with spam laws.
Consent: The Core Rule Under Spam Laws
The number one question most small businesses ask is: “When am I allowed to contact someone?” Under Australian spam laws, the starting point is that you must have consent to send commercial electronic messages.
Consent generally falls into two buckets: express consent and inferred consent.
Express Consent (The Safest Option)
Express consent is where someone clearly agrees to receive marketing from you.
This might happen when a customer:
- ticks a box on your website form to receive promotions
- signs up for your newsletter
- opts in through a checkout page (“Yes, send me updates and offers”)
- gives you their details specifically for marketing (for example at an event)
Best practice tip: Use an unticked checkbox for marketing opt-in. Pre-ticked checkboxes can create disputes about whether the customer truly consented.
Inferred Consent (Where Businesses Often Get It Wrong)
Inferred consent is more contextual. It can exist where there’s a relationship with the customer and it’s reasonable to believe they would expect to receive your messages.
For example, a customer who buys from you might reasonably expect order-related updates. But whether they reasonably expect ongoing promotional marketing depends on how the relationship started and what you told them.
This is where businesses can drift into risky territory, especially if they:
- purchase marketing lists
- scrape email addresses from websites
- assume that because someone gave a business card, marketing is fair game
- message people who made an enquiry but never became customers
If you’re building a mailing list, it’s worth getting your onboarding forms, website disclosures, and internal marketing processes right from the start. This can also tie into your broader online compliance, such as having appropriate Website Terms and Conditions if you’re collecting leads through your website.
Can You Contact Other Businesses (B2B) Without Consent?
A common myth is that spam laws don’t apply to B2B marketing. That’s not correct.
Spam laws can apply to business recipients too. You still need consent (express or inferred), plus identification and unsubscribe functionality. The fact that you’re messaging a work email address doesn’t automatically make it lawful.
Identification: Your Message Must Clearly Say Who You Are
Even with consent, spam laws require you to include clear information identifying the sender.
In practice, your commercial messages should clearly include:
- your business name (or trading name)
- contact details (like an email address, phone number, or website)
- information that is accurate and remains valid for a reasonable period
This is partly about transparency and partly about consumer trust. People should not have to guess who is contacting them or why.
If your business uses multiple brands, trading names, or domains, make sure the identity shown in the message matches what customers recognise. If you’re operating under a business name that’s different from your legal entity name, it’s worth making sure you understand the entity name vs business name distinction so your marketing materials are consistent and compliant.
Unsubscribe Rules: You Must Make Opting Out Easy (And Honour It Fast)
One of the biggest compliance issues we see is not the initial consent, but what happens after a customer says “stop”.
Under Australian spam laws, your commercial messages must contain a functional unsubscribe facility that is:
- clear and easy to use (not hidden or confusing)
- free or low-cost for the recipient (for SMS, “Reply STOP” is common)
- functional for a reasonable period after the message is sent
You must also action unsubscribe requests within the required timeframe. In general, you must stop sending commercial electronic messages to that address within 5 business days after the unsubscribe request is made.
Common Unsubscribe Mistakes Small Businesses Make
- Including an unsubscribe link that doesn’t work or goes to a broken page
- Making people log in to unsubscribe (this can create friction and complaints)
- Continuing to message someone because they opted out of “emails” but not “SMS” (your systems should track channel-specific consent clearly)
- Telling recipients who unsubscribe that they must wait “up to 30 days” (your processes should be faster than that)
Unsubscribe handling is a systems issue as much as it is a legal one. If you’re using marketing platforms, CRMs, or third-party agencies, you still need to ensure your business is the one controlling compliance.
Penalties And Enforcement: What Happens If You Breach Spam Laws?
Spam laws are enforced by the Australian Communications and Media Authority (ACMA). ACMA can investigate complaints and take regulatory action.
For small businesses, the real risk is that spam compliance issues can escalate quickly because:
- marketing messages are often sent in bulk (one mistake can affect hundreds or thousands of recipients)
- customers can complain easily
- your systems might repeat the same compliance mistake automatically
Types Of Regulatory Action
Depending on what’s happened, enforcement can include warnings, infringement notices, enforceable undertakings, or court action. Outcomes can also require businesses to commit to compliance programs (which can be time-consuming and costly).
What Triggers Complaints?
In our experience, complaints often happen when:
- someone doesn’t remember opting in
- a customer feels “tricked” into subscribing (like a pre-ticked box)
- unsubscribing doesn’t work
- messages feel too frequent or too aggressive
The aim isn’t to scare you out of marketing. It’s to show that spam compliance should be treated as part of your business risk management, just like your customer contracts, refund policies, and privacy settings.
If you sell to consumers, it’s also worth ensuring your promotions match your consumer law obligations, including avoiding misleading advertising and understanding customer guarantees under the Australian Consumer Law (ACL). Depending on your business model, this can overlap with your website terms and your customer-facing promises, including warranties and returns (for example, a clear warranty approach).
Practical Compliance Checklist For Small Business Marketing
If you want a simple way to reduce risk under Australian spam laws, it helps to treat your marketing like a process (not a one-off campaign). Here’s a practical checklist you can build into your business operations.
1) Set Up Consent Collection Properly
- Use clear opt-in language (say what type of messages you’ll send and how often if possible)
- Keep records of when and how someone consented
- Separate consent by channel (email vs SMS) if you market in multiple ways
- Avoid buying lists or scraping addresses
2) Review Your Message Templates
- Make sure your business name is obvious
- Include contact details that work
- Check the unsubscribe method is present, easy and functional
- Be careful when adding promotions into transactional messages
3) Build An Unsubscribe System You Can Trust
- Test unsubscribe links and “STOP” functionality regularly
- Ensure opt-outs flow through all tools (email platform, CRM, SMS provider)
- Train staff so they recognise an opt-out request even if it comes in casually (e.g. “Please don’t message me anymore”)
4) Align Your Marketing With Your Privacy And Data Processes
Spam laws focus on the sending of messages, but marketing compliance rarely sits in a vacuum.
If you’re collecting, storing, and using customer contact details, you should also think about whether you need:
- a Privacy Policy that matches your data practices
- a collection notice at sign-up points (so customers understand what will happen with their details)
- internal rules for staff access to customer lists (especially if you have multiple team members or contractors)
5) Use Clear Customer-Facing Terms If You Sell Online
Even though spam laws are their own category, good marketing hygiene is easier when your overall customer journey is well documented. If you’re selling online (or taking enquiries through your website), having Website Terms and Conditions can help set expectations around accounts, communications, and how customers interact with your platform.
If you run an online store, clear eCommerce Terms and Conditions can also help reduce disputes about offers, discounts, pricing errors, and cancellation/refund processes (which can otherwise lead to complaints and reputational damage).
6) Make Sure Your Internal Agreements Support Compliance
If you outsource marketing to an agency, freelancer, or contractor, it’s important the relationship is documented so responsibilities are clear.
A properly drafted contract can help set expectations around compliance, data handling, and what happens if the provider breaches the law while acting on your instructions. Depending on the working relationship, you might use a services agreement or a tailored arrangement.
If you engage staff to handle marketing internally, a fit-for-purpose Employment Contract and clear policies can help set boundaries on how customer data is accessed and used.
Key Takeaways
- Spam laws in Australia regulate commercial electronic messages like email and SMS marketing, and they apply to small businesses as well as large organisations.
- Before sending marketing, you generally need consent (express consent is the safest, while inferred consent can be risky if you rely on assumptions).
- Your messages must clearly identify your business and include accurate contact details.
- You must include an easy-to-use unsubscribe option and honour opt-out requests quickly, across all the systems you use.
- Spam compliance works best when it’s built into your operations, supported by the right customer terms, privacy documentation, and internal processes.
If you’d like help getting your marketing legally compliant (including consent wording, unsubscribe processes, and customer-facing terms), you can reach Sprintlaw at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.







