Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Growing your business often means building an audience and staying in touch with customers. But in Australia, the way you collect and use people’s details for marketing is regulated - and the penalties for getting it wrong can be serious.
The good news: with a clear plan, the right consents and a few simple processes, you can run compliant, effective marketing that builds trust.
In this guide, we’ll walk through what “marketing consent” actually means in Australia, when you need it, how to get it properly, and the practical legal documents and processes to have in place.
What Is Marketing Consent (And Why It Matters In Australia)?
Marketing consent is a customer’s permission for you to send them promotional messages or use their data for advertising.
In Australia, there are a few laws that shape what consent must look like, depending on the channel and your business:
- Spam Act 2003 (Cth): regulates commercial electronic messages (emails, SMS, MMS). You generally need consent, correct sender identification and a working unsubscribe.
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs): regulate how “APP entities” handle personal information, including using it for direct marketing (APP 7). Even among small businesses under $3 million in turnover, many still choose to follow these standards as best practice.
- Do Not Call Register Act 2006 (Cth): sets rules for telemarketing calls and SMS to numbers on the Do Not Call Register (with limited exceptions).
- Australian Consumer Law (ACL): governs advertising conduct (e.g. don’t mislead or make false claims). Transparency about how you obtained consent and what you’re sending is part of good compliance.
Consent should be:
- Freely given: no pressure or bundling with unrelated conditions.
- Specific and informed: you explain what they’re signing up for, and how you’ll use their info.
- Unambiguous and opt-in: the person actively ticks a box or enters their email to subscribe; avoid pre‑checked boxes.
- Granular where needed: if you use multiple channels (email, SMS), let people choose.
- Current and easy to withdraw: you honour opt-outs promptly and keep preferences up to date.
Handled properly, marketing consent protects your brand and reduces complaint risk - and it typically improves engagement because people actually want to hear from you.
Do You Need Consent For All Marketing Channels?
Different channels have different legal requirements. Here’s how the main ones work in practice.
Email And SMS
Under the Spam Act, you generally need consent to send commercial electronic messages, plus clear sender identification and a functional unsubscribe that works within five business days.
Consent can be:
- Express: someone fills a form or ticks a box saying “yes, send me emails/SMS”. A double opt-in (they confirm via email or SMS) strengthens your records.
- Inferred: in limited cases where there’s an existing business relationship and your messages directly relate to what they bought from you (be cautious and document your basis).
For practical channel rules and examples, see our plain-English guide to email marketing laws.
Telemarketing Calls
Telemarketing is tightly regulated. You need to identify who’s calling, call only within permitted hours, and check numbers against the Do Not Call Register unless an exception applies (such as express consent or an existing relationship in certain scenarios).
Get across the details before you run a calling campaign by reviewing Australia’s telemarketing laws.
Social Media Ads And Online Tracking
If you use customer data to create “custom audiences” or run personalised ads, you’re “using” personal information for direct marketing. You’ll need to have told people about this use and, where required, obtained consent. Cookies and ad pixels also collect data - your website should explain this and give users control where appropriate.
While there’s no standalone “cookie law” in Australia, the Privacy Act and APPs still apply if individuals are reasonably identifiable. A clear Privacy Policy and on‑site notices help you set expectations.
In-Store And Paper Forms
Paper sign-up forms still need to meet the same standard: clear wording, optional tick boxes (not pre‑checked), and a way to opt out later. Keep the forms or scan them so you can evidence consent.
Third-Party Lists
Buying or renting lists is high risk. You must be able to prove that each person gave consent to receive marketing from your business (not just a “partner”). In most cases, this is hard to achieve. If a supplier can’t demonstrate valid, transferable consent, don’t use the list.
How To Get Valid Marketing Consent (Step-By-Step)
A few practical tweaks to your sign-up flows can dramatically improve compliance and data quality.
1) Make Your Value Exchange Clear
Explain what subscribers get: updates, discounts, early access, helpful tips. Clear value drives higher opt-in rates and reduces spam complaints.
2) Use Clean, Active Opt-Ins
- Separate consent from necessary terms (e.g. don’t force marketing consent to create an account).
- Use unticked checkboxes with plain English, like “Email me news and offers”.
- If you collect consent for multiple channels, offer separate tick boxes for email and SMS.
3) Add Double Opt-In (Recommended)
Ask subscribers to confirm via a link or code. This helps verify ownership of the email or mobile, lowers bounce rates and gives you strong proof of consent.
4) Be Specific About How You’ll Use Data
If you plan to personalise messages, use data for audience matching, or share it with trusted providers (like an email platform), say so in your Privacy Policy and collection notice. Transparency builds trust.
5) Collect Only What You Need
Ask for the minimum data required (e.g. email and first name). If you request extra details (birth date for birthday offers), explain why.
6) Provide A Simple, Always-Available Opt-Out
Every email and SMS must include an obvious, working unsubscribe. Honour requests quickly - under the Spam Act, this is usually within five business days for emails and more promptly for SMS.
7) Keep A Consent Log
Store when, how and what someone consented to (timestamp, source, IP, checkbox text, confirmation status). This is invaluable if a regulator investigates or a customer complains.
Managing Consent: Records, Preferences And Opt-Outs
Consent is not a one-off checkbox. Treat it as an ongoing preference you maintain for each customer.
Build A Preference Centre
Let people tailor what they receive (e.g. product updates vs. promotions), choose channels (email vs. SMS) and change frequency. This reduces blanket unsubscribes.
Set Unsubscribe SLAs And Automations
Configure your platform to stop messages as soon as someone opts out. If you process unsubscribes manually (e.g. from replies), set an internal standard and stick to it.
Respect “Silent” Signals
If people consistently don’t engage, consider reducing frequency or pausing messages. Consent must remain current; re‑permission inactive contacts from time to time.
Secure Your Data
Marketing lists contain personal information. Restrict access, encrypt where possible, and have a plan for incidents. A documented Data Breach Response Plan helps you act quickly if something goes wrong.
Don’t Forget The ACL
Marketing must not mislead or create false impressions. Claims should be accurate, qualifications easy to find, and prices clear. If you advertise discounts or “limited time” offers, make sure they’re genuine - our overview of advertised price laws explains common pitfalls.
Working With Third Parties And MarTech: Stay Compliant
Most small businesses use external tools - email service providers, SMS gateways, analytics platforms and ad networks. That’s fine, but make sure your privacy and consent story remains consistent.
Choose Vendors Carefully
- Check where data is stored and processed (Australia or overseas) and whether that aligns with your privacy commitments.
- Review security credentials and data handling practices.
- Ensure you can export consent logs if you switch platforms.
Put Contracts In Place
When a supplier processes personal information on your behalf, it’s good practice to set clear rules about use, security, and deletion on termination. A tailored Data Processing Agreement helps manage this relationship.
Don’t “Borrow” Consent
If a partner says “we have a list you can email,” proceed with caution. Unless each person expressly consented to receive marketing from your specific business, sending to that list may breach the Spam Act and Privacy Act. Ask for evidence of the original consent wording and scope - if it’s not watertight, don’t send.
Competitions And Lead Generation
Competitions can be a great way to grow your list - but be crystal clear that entering means opting in (if that’s what you want), and provide a separate checkbox if entry should be possible without subscribing. Also consider legal rules for prizes and permits; our guide to giveaway laws in Australia is a helpful primer.
What Legal Documents Should You Have In Place?
A few core documents make your marketing compliance clear and consistent across your website, forms and campaigns.
- Privacy Policy: Sets out what personal information you collect, how you use it (including direct marketing and ad targeting), who you share it with, and how people can access or correct their data. Most businesses with any online presence should publish a clear, tailored Privacy Policy.
- Privacy Collection Notice: A shorter notice shown at the point of collection (e.g. under a signup form) explaining key facts in plain English. A well-drafted Privacy Collection Notice supports valid, informed consent.
- Privacy Consent Form: Useful where you need explicit, written consent - for example, for sensitive information or particular use cases. A Privacy Consent Form keeps the wording consistent and records tidy.
- Cookie Policy (or Website Notice): Explains cookies, pixels and tracking technologies used on your site, and how users can control them. If you run analytics and ads, a clear Cookie Policy and just‑in‑time notices help set expectations.
- Email/SMS Footer Language: Standardised identification and unsubscribe text across your templates, so every message ticks the Spam Act boxes.
- Data Processing Agreement: If a vendor processes personal information for you (e.g. your email platform), a Data Processing Agreement clarifies responsibilities around security, sub‑processors, and deletion.
Depending on how you sell, you may also need customer-facing terms. If you’re running a website or app, your terms should align with your privacy and marketing disclosures (for example, not promising “no marketing” while your forms collect opt-ins). If you’re emailing customers post‑purchase, ensure those communications align with the Spam Act and are consistent with the consent they gave.
Frequently Asked Practical Questions
Here are quick answers to common consent scenarios we see with small businesses.
Can I email existing customers without consent? Sometimes. In limited situations, consent can be inferred if there’s an existing relationship and your message directly relates to what they bought. It’s safer to obtain express consent wherever possible, and keep messages tightly relevant if you rely on inference.
What about B2B emails? The Spam Act still applies to business email addresses. You still need consent (express or in limited cases inferred), sender identification and an unsubscribe.
Is a “refer a friend” program okay? Avoid sending messages to someone if they haven’t provided consent to you directly. You can invite your customer to forward a link, but be careful about auto‑sending to their contacts.
Do I need consent for service messages? Purely transactional or service messages (e.g. receipts, shipping updates) aren’t “commercial electronic messages.” If you add promotions, they become commercial, so include an unsubscribe and get consent.
What if I market to children? Extra care is required. Use simple language, avoid profiling, and consider obtaining parental consent - especially if any sensitive information is involved.
Key Takeaways
- In Australia, email and SMS marketing requires consent under the Spam Act, clear sender identification and an easy unsubscribe.
- The Privacy Act and APPs shape how you use personal information for direct marketing - be transparent through a Privacy Policy and collection notices.
- Valid consent is active, informed and easy to withdraw; pre‑checked boxes or buried terms are not enough.
- Keep robust records of consent, manage preferences through a simple process, and honour opt‑outs promptly.
- If you use vendors or run competitions, align contracts, privacy disclosures and consent wording so everything stays consistent.
- Strong, customer‑friendly documents like a Privacy Policy, Privacy Collection Notice, and Cookie Policy help you set expectations and reduce risk.