Spreading the word of what your business offers to potential customers is incredibly important—especially when many businesses opt to market directly to their customers. In today’s competitive landscape, staying compliant with updated legal requirements in 2025 is more crucial than ever.

But businesses must be mindful of customers’ privacy and ensure that their digital marketing efforts don’t cross the line into spam territory. With evolving legislation and increasing regulatory oversight by bodies such as the Australian Communications and Media Authority (ACMA), keeping your marketing practices on the right side of the law is key.

That’s why we’ve provided you with a handy guide to ensure your business is marketing directly to your customers and clients within legal boundaries, while keeping their personal information protected. For further insight into compliance and business set-up, you might also check out our Business Set-Up Guides.

Key Legal Requirements Of Direct Marketing

Different types of direct marketing have their own legal nuances. The following requirements are designed to help you protect your customers’ privacy and ensure your campaigns remain within the law.

Complying With The Privacy Act

First off, make sure that your business complies with the Privacy Act. As of 2025, virtually all Australian businesses are required to follow the Privacy Act, although small businesses below the prescribed revenue threshold may have limited obligations. If you’re uncertain about your status, it’s wise to consult our legal advice package for personalised guidance.

If your business is required to follow—or has chosen to follow—the Privacy Act, then it’s important to understand your obligations regarding the handling of your customers’ personal information, especially in the context of direct marketing.

The Difference Between ‘Personal Information’ and ‘Sensitive Information’

Wondering what exactly is meant by ‘personal information’? Simply put, personal information is any data that identifies the person to whom it relates. It’s essential to grasp the distinction between personal and sensitive information.

‘Personal information’ includes details such as names, addresses, and credit card information. Even opinions, when they contain identifiable details, can fall under this category.

Conversely, ‘sensitive information’ encompasses data about racial or ethnic origin, political opinions, religious beliefs, trade union memberships, sexual orientation, criminal records, health details, and biometric data. In 2025, collecting sensitive information is only permissible with explicit consent and when it is reasonably necessary for the purpose of direct marketing.

Understanding these categories is critical, as it determines what you can collect and how you must secure it. For more detailed information on privacy obligations, please refer to our Privacy Policy resource.

Having A Privacy Policy

It’s a good idea to ensure your business has a privacy policy in place. This document is vital as it informs your customers about their privacy rights and clearly outlines how their information is being handled.

Your privacy policy should detail how your business protects, stores, and uses personal data. For example, it should explain what happens to information once it is no longer needed. This not only fosters consumer confidence but also serves as a demonstration of compliance amidst evolving regulatory requirements in 2025.

To address customers’ concerns, a robust privacy policy should outline:

  • How your business secures and protects customers’ information
  • What happens to information that is no longer necessary
  • Clear contact details for customer enquiries or complaints

Make sure that your privacy policy is straightforward, accessible, and regularly updated. If you require assistance drafting or reviewing your policy, our legal team is here to help.

Handling Personal Information For Marketing Purposes

Your business may use personal information for direct marketing—but only if you fall within one of the exemptions under the Australian Privacy Principle 7 (APP 7) contained in the Privacy Act. In 2025, this means ensuring that the data has been collected directly from the individual, especially if they expect their information to be used for marketing via email, SMS, or MMS.

Another scenario where the use of personal information is permissible is when the data has been sourced from a third party or when there exists a contractual obligation. Regardless of the source, if your business has such data, you must always provide a simple and effective way for customers to opt out of direct marketing communications.

Ensuring Customers Can Opt Out Of Marketing Messages

It is essential to make it straightforward for your customers to opt out of receiving any marketing messages. This can be implemented via an unsubscribe link in emails or by allowing customers to reply with ‘STOP’ in SMS/MMS marketing communications.

If your business has obtained personal information indirectly, or if the recipient did not expect their data to be used for direct marketing, you must provide clear instructions on how to opt out of each communication.

Should a customer request to cease receiving these messages, you must comply promptly—ideally within 30 days, or sooner if possible—and without charge. Additionally, if a customer enquires about the source of their data, you may be required to provide that information, unless it is wholly impractical to do so.

Complying With The Spam Act

If your business markets directly through email, SMS, or MMS, you must adhere to the requirements outlined in the Spam Act. Updated guidelines in 2025 highlight the importance of maintaining consent, transparency, and clear unsubscribe mechanisms.

Having The Customer’s Consent

The Spam Act mandates that electronic direct mail (EDM) is sent only to customers who have given their express consent—or where consent can reasonably be inferred from the existing relationship. For instance, when a customer ticks a box permitting email updates or enters their email address to subscribe to updates, that constitutes express consent.

Express consent for EDMs includes:

  • Checking a consent box alongside an appropriate statement
  • Directly providing an email address through a subscription form

Similarly, for SMS and MMS marketing, consent is typically granted when customers voluntarily provide their mobile numbers via your website or another form of communication.

Identifying Your Business To Customers

The Spam Act requires that your marketing messages clearly identify your business. This means including accurate contact details and ensuring that your business name is clearly visible in the ‘from’ field, subject line, and message body of your emails. The same applies to sender details in SMS and MMS messages.

For example, in 2025 a major telecommunications provider faced stricter scrutiny when its messaging failed to clearly identify the sender—reminding all marketers that transparency is non-negotiable.

Unsubscribe Facilities For Customers To Opt Out

Under the Spam Act, you must include clear instructions on how customers can opt out of receiving EDMs, SMS, or MMS marketing messages. This can be as simple as a statement at the footer of an EDM such as ‘to unsubscribe, click here’ or a prompt in SMS/MMS messages instructing recipients to reply with ‘STOP’.

If a person unsubscribes, you are required to act on their request within five working days. Failing to include these facilities may result in reports to ACMA and subsequent fines.

What Happens If My Business Breaches These Laws?

ACMA continues to enforce strict measures against non-compliant marketing practices. In 2025, businesses that send unsolicited marketing messages without proper consent risk receiving formal warnings, infringement notices, and fines that can exceed $1.8 million.

Repeated breaches—such as sending multiple messages without consent in a single day—can lead to severe penalties. ACMA also has the authority to accept undertakings from offending businesses, escalate matters to the Federal Court, and seek remedies through court action.

Examples Of What Could Happen If You Don’t Comply With The Spam Act

Recent cases highlight just how costly non-compliance can be. Let’s review a couple of notable examples:

Oneflare

In a case that continues to serve as a cautionary tale, Oneflare—an online marketplace based in Sydney—contacted individuals from a public database without obtaining consent or providing unsubscribe options. As a result, ACMA issued a fine of approximately $75,600 and Oneflare had to enter into an enforceable undertaking, which included hiring an independent consultant to review its communications practices. For more on building compliant marketing practices, see our Legal Requirements for Starting a Business guide.

Optus

In early 2025, ACMA found that a major telecommunications provider breached anti-spam laws on numerous occasions by sending SMS messages and emails even after customers had opted out. As a consequence, the company faced fines exceeding $600,000 and was required to issue a public apology. This case underscores the importance of rigorous compliance with both consent and unsubscribe facilities requirements.

Key Takeaways…

If your business is subject to the Privacy Act, you must have a privacy policy that clearly outlines how and why you collect, use, and store customers’ personal information. Remember, personal information can be used for direct marketing if it falls under one of the exemptions in APP 7, while sensitive information can only be utilised if the customer has provided explicit consent.

Always offer a clear, no-cost option for customers to opt out of direct marketing, and ensure you respond within a reasonable timeframe. Staying updated with legislative changes—for example, through regular reviews of our legal compliance services—will help safeguard your business against potential breaches and hefty fines.

In addition, it’s wise in 2025 to periodically reassess your marketing practices to ensure they continue to align with the most current legal frameworks. Staying ahead of regulatory changes not only protects your business from financial penalties but also enhances customer trust and reinforces your brand’s reputation for integrity.

If you want more advice on how to directly market to your customers and clients legally, give us a call on 1800 730 617 or email us at team@sprintlaw.com.au. Our experienced team is available at any time for a free, no-obligations consultation.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
