Spreading the word about what your business offers to potential customers is incredibly important, and many businesses choose to do this by marketing directly to their customers.

But businesses must be mindful of customers’ privacy and make sure that their digital marketing efforts are not considered spam.

So, we’ve provided you with a handy guide to ensure your business is marketing directly to its customers and clients within legal boundaries, while keeping their personal information protected.

Key Legal Requirements Of Direct Marketing

Different types of direct marketing have different legal requirements. The requirements below are designed to protect your customers’ and clients’ privacy.

Complying With The Privacy Act

First off, make sure that your business is complying with the Privacy Act. Most Australian businesses must follow the Privacy Act; the main exception is small businesses (generally those with an annual turnover of $3 million or less), although some small businesses, such as health service providers and businesses that trade in personal information, are covered regardless of turnover.

If your business is an exempt small business, you can still opt in to the Privacy Act. If your business must follow – or has opted to follow – the Privacy Act, we’ll now take a look at your obligations in keeping your customers’ personal information safe.

The Difference Between ‘Personal Information’ and ‘Sensitive Information’

Confused about what ‘personal information’ means? First off, you should get to know the difference between personal information and sensitive information.

‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true. Examples include names, addresses and credit card details. Opinions about a person also count as personal information if the person can be identified from them.

On the other hand, ‘sensitive information’ can include racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health records and biometric information.

Now that you have an idea of the difference, make sure your business only collects ‘sensitive information’ with the customer’s consent, and only where the information is reasonably necessary for your business’s functions or activities. Sensitive information may only be used for direct marketing if the individual has consented to that use.

Having A Privacy Policy

If your business is covered by the Privacy Act, it must have a clearly expressed and up-to-date privacy policy in place.

This is important because a privacy policy tells your customers how your business manages their personal information and what rights they have over it.

To address customers’ concerns about what their personal information is being used for, privacy policies should outline:

  • What kinds of personal information your business collects, and how it is collected and held
  • The purposes for which your business collects, uses and discloses that information
  • How your business is securing and protecting your customers’ information
  • What your business does with information it no longer needs
  • How your customers can access and correct their information
  • How your customers can contact you or make a complaint

A privacy policy can be a bit lengthy for your customers, so make sure your business’s privacy policy is easy to read and easy to find. Our lawyers can help you with this if you need one drafted.

Handling Personal Information For Marketing Purposes

Australian Privacy Principle 7 (‘APP 7’), which is part of the Privacy Act, prohibits your business from using or disclosing personal information for direct marketing unless one of the exceptions in APP 7 applies.

The first exception is when the personal information has been collected directly from the individual, the individual would reasonably expect their personal information to be used for direct marketing, your business provides a simple means to opt out, and the individual has not opted out.

The second exception is when the personal information has been collected from a third party, or from the individual directly but they would not reasonably expect it to be used for direct marketing. In this case you also need the individual’s consent (unless it is impracticable to obtain it), a simple means to opt out, and a prominent statement in each marketing communication telling them how to opt out.

The third exception is for contracted service providers: if your business holds personal information collected to meet its obligations under a Commonwealth contract, and it is necessary to use or disclose that information to meet those contractual obligations, APP 7 does not restrict that use.

Under the first two exceptions, your business must give your customers an easy way to opt out of receiving direct marketing.

Ensuring Customers Can Opt Out Of Marketing Messages 

As a business, you should make it easy for your customers and individuals to opt out of receiving marketing messages. 

This can be done by providing a link to unsubscribe from promotional emails, or by adding a prompt to message back ‘STOP’ in SMS/MMS marketing.

If your business has collected personal information from someone other than the individual themselves, or if the individual does not expect that their information will be used for direct marketing, you must give them information on how to opt out of each direct marketing communication. 

If a customer asks you to stop, your business must stop sending marketing messages within a reasonable period of time. Acting within 30 days of the request is generally considered reasonable, but sooner is better.

An individual can also ask your business not to disclose their personal information to other businesses for direct marketing. Any of these requests must be actioned free of charge.

If the person wants to know how you got their details, you must tell them where you obtained their personal information, unless it is impracticable or unreasonable to do so.

Where you do tell the customer where your business got their personal information, this must again be done within a reasonable period of time and free of charge.

Complying With The Spam Act

If your business is going to directly market to your customers via email, SMS or MMS, you must make sure you’re also following your obligations under the Spam Act. We’ll go through these obligations below. 

Having The Customer’s Consent

First off, the Spam Act requires that electronic direct mail (EDM) is only sent to customers with their express consent, or where consent can be inferred from their conduct or from their existing business relationship with your business.

Express consent in EDMs includes:

  • People ticking the box next to a statement which gives permission for the business to send emails directly
  • People directly entering their email address into a form which confirms they want to receive regular email updates from the business

Express consent for SMS and MMS marketing can be given when customers enter their mobile number on a website to opt in to your business’s updates.

On the other hand, an example of inferred consent is a person subscribing to your magazine or newspaper, as this indicates an existing business relationship between you and the customer.

Identifying Your Business To Customers

The Spam Act requires that every message accurately identifies the business that authorised it and includes accurate contact details for that business.

In addition to including your business’s website and contact details in the email, your business’s name should be clearly visible in the ‘from’ field or subject line, and in the body of the message.

For SMS and MMS marketing, your business’s identity must be clear and accurate to the customer when they look at the sender information when receiving marketing messages. 

Not abiding by this requirement can be costly to your business. This was seen when Optus was fined $140,000 in 2009 after assuming customers would connect the sender ID 966 (the numbers that spell the word “zoo” on a phone keypad) with the OptusZoo entertainment service it was promoting.

Not complying with these requirements may lead to your business’s messages being reported to the Australian Communications and Media Authority (ACMA).

Unsubscribe Facilities For Customers To Opt Out

Under the Spam Act, every EDM, SMS or MMS marketing message must contain a functional unsubscribe facility, with clear instructions on how to use it, and that facility must keep working for at least 30 days after the message is sent.

Examples of unsubscribe facilities include:

  • A sentence at the bottom of EDMs saying ‘to unsubscribe, click here’
  • Notifications in SMS or MMS marketing messages prompting customers to reply ‘STOP’ to opt out

If a person unsubscribes from your business’s marketing messages, you have five business days to act on the request.

Make sure you include unsubscribe facilities in your marketing messages as, again, if you don’t, you can be reported to the ACMA. 

What Happens If My Business Breaches These Laws?

ACMA enforces the Spam Act against businesses that send marketing messages (including EDMs, SMS and MMS) in breach of its consent, identification and unsubscribe requirements. ACMA’s powers cover commercial electronic messages with an Australian link, for example messages sent from Australia, authorised by an Australian business, or sent to an address accessed in Australia.

ACMA can issue formal warnings, infringement notices and fines of up to $1.8 million per day.

The highest penalties apply to repeat or large-scale contraventions, such as a business that keeps sending marketing messages without people’s consent.

ACMA can also accept enforceable undertakings from the business sending the messages, and take matters to the Federal Court to seek remedies such as civil penalties and injunctions.

Examples Of What Could Happen If You Don’t Comply With The Spam Act

Recent examples of non-compliance show how costly it can be for businesses to not comply with the Spam Act. Let’s go through a few particularly prominent cases.

In 2019, Oneflare – a Sydney based online marketplace – contacted individuals on a public database without obtaining their express or inferred consent. The messages sent to these people also did not have unsubscribe facilities. As a result of these breaches of the Spam Act, the ACMA issued a fine of $75,600.

What’s more, Oneflare had to make statements in an enforceable undertaking to promise to comply with the Spam Act. Oneflare also had to hire an independent consultant to review its internal advertising procedures.

Oneflare tried to argue there was inferred consent simply because the personal information was available through a public database. 

ACMA found that there was no inferred consent as Oneflare’s marketing messages did not relate to the work-related business of the recipients. Oneflare had to remove the personal information from their database.

In January 2020, ACMA found that Optus had breached anti-spam laws 2 million times by continuing to send SMS messages and emails to customers after they had opted out or unsubscribed.

As a result of this breach, Optus paid a fine of $504,000 and had to apologise to its customers.

Key Takeaways…

If your business is subject to the Privacy Act, you must have a privacy policy in place that outlines to customers and clientele how and why their personal information is being collected, stored and used by the business.

Personal information can only be used for direct marketing if one of the three exceptions in APP 7 applies: the information was collected from the individual and they would reasonably expect it to be used for direct marketing; the information was collected from a third party or without that expectation, and the individual has consented; or your business is a contracted service provider meeting its obligations under a Commonwealth contract. Sensitive information can only be used for direct marketing if your customers and clientele have consented to its use.

Anyone receiving direct marketing messages must be able to easily opt out of them, and you must act on their request within a reasonable time and free of charge.

Lastly, if you breach the Spam Act’s consent, identification or unsubscribe facility requirements, you could face hefty penalties.

If you want more advice on how to directly market to your customers and clients legally, give us a call on 1800 730 617 or email us at team@sprintlaw.com.au. Our experienced team is available at any time for a free, no-obligations consultation.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
