Using electronic communications in business is crucial for success, regardless of your industry or the scale of your business. Understanding the legislation that governs such transactions is an important part of operating in our increasingly digital world. 

Even if you aren’t an eCommerce business, you may have found yourself engaging in online transactions as part of your business activities following the COVID-19 switch to digitalisation. 

So, before you jump into the eCommerce world, there is a mix of both state and federal legislation that must be carefully considered. This article will briefly run through some of the important parts of these statutes. 

However, these legislative materials can be quite complex, so it’s always recommended to get a lawyer’s help in understanding how these might apply to you and your business. 

What Is The Electronic Transactions Act?

The Electronic Transactions Act 1999 (Cth) (‘the Cth Act’) can be seen as the foundation of eCommerce law in Australia.

The Act attempts to ensure that transactions through electronic communication remain valid. For example, if you want to give information in writing or provide a signature, these can all be done electronically, and will remain valid. 

The Act does not require that a particular type of signature technology be used, so as a business, you have some flexibility around the way you choose to do this. For example, at Sprintlaw, we have an E-Signature Tool, which can be accessed as part of our membership. Through the platform, you can keep all your documents in one online portal, and send out legal documents to other parties that you’re engaging in transactions with.

It’s also worth noting that similar provisions are in place for different states in Australia. So, for NSW, there is the Electronic Transactions Act 2000 No 8 (NSW) (‘the NSW Act’). The NSW Act substantially mirrors the Cth Act in operation and effect. The Cth Act applies where the NSW Act does not. For example, electronic communications with the Commonwealth government are validated under the ambit of the Cth Act, not the NSW Act. 

What Is The Australian Consumer Law?

The Australian Consumer Law (‘ACL’) is set out in Schedule 2 of the Competition and Consumer Act 2010. This is an important piece of legislation that applies to many Australian businesses, containing many different complex parts.

Put simply, if you run a business in Australia, you will be affected by the operation of the ACL. This also includes foreign businesses who operate in Australia. Whether you work with customers, businesses, provide services or sell goods, you must know how the consumer laws affect your business. 

Since it is such a detailed piece of legislation, there are well-written guides for which areas would apply to your specific business. 

eCommerce businesses need to comply with the ACL in the same way regular stores would. It’s important to understand your obligations in light of the consumer guarantees, which are an automatic set of rights offered to consumers where they purchase products or services. The consumer guarantees provide that a customer is entitled to a refund or replacement if the product they purchased does not do what it’s meant to do, or isn’t as described. This could extend to the mere quality of the product itself (note that this applies to eCommerce businesses that provide services, too!).

The recent changes to the ACL made in July 2021 now require businesses to provide consumer guarantees for products and services they sell, hire or lease for under $100,000. Previously, the threshold rested at $40,000. 

This also applies to products and services over $100,000 that are normally bought for personal or household use. 

This is a significant promise that must be provided regardless of any other warranties you may have given your customers. These guarantees have been set out by the ACCC.

What Is The Spam Act 2003?

For any eCommerce business, sending emails advertising your products and services is an easy and cheap way to grab the attention of potential and existing customers. But this method is still closely regulated! 

The Spam Act 2003 (‘the Spam Act’) prohibits the sending of commercial electronic messages via email, SMS, multimedia message service or instant messaging without the consent of the receiver. These messages are known as ‘spam’. 

There are several similarities between the Spam Act and the Privacy Act, especially in the way ‘consent’ is defined. 

The first thing to know about spam is that it is not strictly prohibited by the Spam Act. Only “unsolicited commercial electronic messages” must not be sent. However, there are a series of requirements that must be met before spam is validly sent. You must:

  1. Get permission from the recipient
  2. Identify yourself as the sender, including your contact details
  3. Make it easy to unsubscribe


If you plan to send marketing messages or emails, you must have permission from the person who will receive them. There are two types of permission that can be obtained:

  • Express permission
  • Inferred permission

You can find this requirement under section 16.

Express permission is given by someone who knows and accepts that they will receive marketing emails or messages. It can be granted through something like ticking a box, filling in a form or through a phone call. Of these, the ticking of a box is the most efficient and common. Once this permission is obtained, it’s important to keep a record of it being given as part of your obligations under the Act. 

Inferred permission is valid if the relevant person has knowingly and directly given their address to you, and it is reasonable to believe they would expect to receive marketing from your business. So, where there is an ongoing relationship with the customer, and the communication/marketing is directly referable to that business, permission will likely be inferred.

For instance, this may be the case where you provide an online writing service and are offering a discount in relation to that service. Importantly, simply buying something from a business does not qualify as inferred permission. This is why the ‘ticking the box’ option is usually used to obtain express permission in regards to purchases.

Identify Yourself

You must also accurately identify your name or business name, and you must include correct contact details for you or your business. If someone, such as an employee, is sending an email on your business’s behalf, the message must still identify you as the business that authorised the message. 

The best way to do this is to use the correct (registered) legal name of your business (and/or your own legal name), and include the Australian Business Number (ABN) of your business. 

If this information changes within 30 days after the message is sent, you should send another email or communication updating the customer about the change in name or ABN (this requirement is set out in section 17).

Easily Unsubscribe

Lastly, you must make it easy for your recipients to unsubscribe from your electronic mailing lists. Put simply, every commercial message that your business sends must contain an ‘unsubscribe’ option that:

  • Presents unsubscribe instructions clearly;
  • Honours a request to unsubscribe within 5 working days;
  • Does not cost more than the usual amount for using the address (such as a standard text charge);
  • Does not require the payment of a fee; and
  • Is functional for at least 30 days after you sent the message.

So, for instance, a clearly worded unsubscribe option might say “you may update your preferences or unsubscribe at any time” with a link to the relevant portal embedded in the word ‘unsubscribe’ (this requirement is set out in section 18). 

Lastly, under the Spam Act, you cannot use or supply address-harvesting software, or use or supply a list that has been created with address-harvesting software. This sort of software is specifically designed or marketed for use when searching the internet for electronic addresses; and collecting, compiling, capturing or otherwise harvesting those electronic addresses.

What Should I Know About The Privacy Act 1988?

As a business owner, you are legally responsible for protecting your customers’ personal information. You might be required to protect your customers’ personal information from theft, misuse, interference, loss, unauthorised access, modification and disclosure. When you no longer need your customers’ information, you must destroy or de-identify it, for instance by shredding or securing documents.

Privacy laws are taken and enforced quite seriously in Australia, especially if your business operates entirely online. The use and disclosure of certain information and data is also set out in the 13 Australian Privacy Principles.

This article will briefly set out what you should be doing to make sure you comply with the Privacy Act 1988 (Privacy Act). 

To do this, ask yourself the following questions:

  • Does the Privacy Act apply to my business?
  • Is my business handling personal information?
  • Is my business handling health information?
  • Do I need a privacy policy?
  • Do I need to have a Data Breach Response Plan?
  • If my business conducts activities overseas, does the General Data Protection Regulation apply to me?

Does The Privacy Act Apply To Me?

Your first step should be to check if your business needs to comply with the Privacy Act.

If you or your business has an annual turnover of more than $3 million, then the Privacy Act applies to you. However, there are some exceptions to this rule. For example, if your turnover is less than $3 million but your business handles health information, then the Privacy Act applies to you. 

Am I Handling Personal Information?

Like we mentioned above, there are some exceptions to the turnover rule. One of these is if your business is handling sensitive information, such as health information. 

If your business is handling personal information (such as home addresses, phone numbers or bank details), then you need to comply with the Privacy Act. This means you may need to have a thorough Privacy Policy in place (your Privacy Policy should be tailored to your business and the nature of the data you’re collecting, so it’s worth chatting to a lawyer before you set this up). 

Do I Need A Privacy Policy?

Regardless of whether the Privacy Act applies to your business or not, it’s always a safe option to have a Privacy Policy in place. In the world of eCommerce, information flows around freely and quickly, so any misuse of personal information is easy to come across. You want to protect your business in the unfortunate event that information ends up in the wrong hands. 

You should make sure you have a clear and up to date Privacy Policy that outlines the information you collect, what you use it for and how you protect it. It is always a good idea to make this policy available to your customers on your website to ensure they understand what information you collect, and how you handle this information. 

What About A Notifiable Data Breach?

If your business is covered by the Privacy Act, you must report notifiable data breaches. This involves complying with the Notifiable Data Breaches scheme.

This essentially means that if a data breach involves personal information and is likely to cause serious harm to an individual, you must notify both the individual involved and the Office of the Australian Information Commissioner through this form. An example of a notifiable data breach might be something like a client’s information ending up with a third party, or being available to the public without consent. 

What Else Do I Need To Know?

Running an eCommerce business means you need to think about the best way to protect your business from cyber risks. So, you want to have a strong Cyber Security System in place. 

Apart from the pieces of legislation we’ve discussed, you also need to think about Cookie Policies, Website Terms & Conditions and Payment Terms. We’ve written other articles which list other things you need to consider when starting an eCommerce business.

Key Takeaways

Running an eCommerce business in today’s diverse and ever-changing digital marketplace is no simple task. The internet is a vast expanse, with thousands of online businesses operating within its bounds.

Consumers need to be protected from bad actors in this vast area. This need for protection explains the strict and thorough legislative framework that governs how eCommerce businesses operate.

If you need help navigating through this legislation, or how these eCommerce laws might affect the way your business runs, feel free to reach us at 1800 730 617 or for a free, no-obligations chat.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.
