Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Running an online store in Australia? If you send emails, SMS, or app messages to customers, the Spam Act 2003 applies to you.
The good news is that compliance is achievable with a few practical steps. The Act isn’t there to stop you from marketing - it’s there to make sure messages are sent with consent, clear identification, and a simple way to opt out.
In this guide, we’ll walk through what the Spam Act requires, how to build a compliant email and SMS program, common e-commerce FAQs (like abandoned cart messages), how the Spam Act interacts with privacy and consumer law, and the key documents you should have in place.
What Does The Spam Act 2003 Require From Online Stores?
The Spam Act 2003 (Cth) regulates “commercial electronic messages” sent to or from Australia. For e-commerce businesses, that usually means marketing emails, SMS, MMS, and some instant messages (e.g. via in-app messaging if tied to an electronic address).
There are three core rules you need to follow for every marketing message:
- Consent - You must have express or inferred consent from the recipient before sending commercial electronic messages.
- Identification - Your message must clearly identify who you are and how to contact you (e.g. your business name and contact details).
- Unsubscribe - Every message must include a functional, easy-to-use unsubscribe that works for at least 30 days and is actioned within 5 business days.
Let’s unpack a few key concepts in plain English.
- Commercial electronic message: A message that offers, advertises, or promotes the supply of goods/services (including discounts, coupons, or content intended to drive sales).
- Express consent: The user actively opts in (e.g. ticking an unchecked box or completing a sign-up form).
- Inferred consent: A reasonable expectation that messages are okay based on the relationship and conduct (e.g. a regular customer who’d expect related communications). This is riskier - aim for express consent wherever possible.
- Transactional messages: Purely factual communications related to a purchase or account (e.g. receipts, delivery updates). If you add promotional content, the full Spam Act rules apply.
Who enforces the law? The Australian Communications and Media Authority (ACMA) can issue infringement notices, accept enforceable undertakings, and take court action. Penalties can be significant, particularly for systemic non-compliance or large-scale campaigns.
If you’re planning a campaign, it’s smart to sanity-check it against the Spam Act and general email marketing laws.
How To Build A Compliant Email And SMS Marketing Program
Here’s a practical framework you can apply to your e-commerce store today.
1) Map Your Messages
List everything you send: newsletters, promotions, abandoned cart nudges, win-back campaigns, loyalty updates, order confirmations, shipping notifications, and password resets. Label each as “marketing” or “transactional”.
Tip: If a message contains any promotional content (even a small banner), treat it as marketing and apply the Spam Act rules.
2) Capture Valid Consent
- Use unchecked sign-up boxes for newsletters and offers (no pre-ticked boxes).
- Enable double opt-in for high-quality consent and better deliverability.
- Offer clear, standalone consent for SMS - don’t bundle SMS under email consent.
- At checkout, separate consent to receive marketing from acceptance of your terms.
3) Keep Evidence
Record who consented, when, how (form, checkout, pop-up), and the consent language shown. Most email/SMS platforms can store this automatically. Good records are your best defence if ACMA asks for proof.
4) Identify Your Business Clearly
Include your trading name and at least one contact method (e.g. a reply-to email or a link to your contact page). Make sure the sender name is recognisable and consistent with your brand.
5) Make Unsubscribing Easy
- Every marketing email should have a one-click unsubscribe link that works for at least 30 days after sending.
- Process opt-outs within 5 business days (ideally immediately).
- For SMS, support “STOP” replies or a simple opt-out link.
- Don’t make people log in to unsubscribe.
6) Treat Third-Party Lists With Caution
Buying or renting email lists is high risk. You must be able to prove the recipient consented to receive your messages. If you can’t verify that consent, don’t use the list.
7) Use A Preference Centre
Let subscribers choose the type and frequency of messages. Sometimes, a reduced cadence prevents an unsubscribe while still respecting user choice.
8) Train Your Team And Configure Your Tech
Train staff on rules for consent and unsubscribes. Configure your platform to automatically honour opt-outs across all lists. Regularly test your unsubscribe links and suppression lists.
9) Review Your Website UX
Check that your sign-up forms are clear about what people will receive and how often. Link to your Privacy Policy near each form so users understand how you collect and use their data.
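The nine steps above describe a process; the Python below is an added example (not Sprintlaw's code or any platform's API) that turns the core of it into a pre-send gate: a consent store that records who, which channel, when, how and the wording shown (step 3), a central suppression list honoured by every channel (steps 5 and 8), a check that a message labelled "transactional" is re-classified as marketing once it carries promotional content (step 1), and the 30-day unsubscribe and 5-business-day opt-out timers. The field layout, the list of promotional marker words and the Mon-Fri business-day rule are assumptions made for the example; whether a given message is "commercial" is ultimately a legal question, and the keyword test is only a conservative stand-in.

```python
# Added example (not Sprintlaw's code): a pre-send gate applying the three rules in
# the guide - consent, identification, unsubscribe - plus a suppression list and the
# 30-day / 5-business-day timers. Field names, the promotional marker words and the
# business-day rule are assumptions made for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

UNSUBSCRIBE_VALID_DAYS = 30   # unsubscribe must keep working this long after sending
OPT_OUT_BUSINESS_DAYS = 5     # opt-outs must be actioned within this many business days
PROMO_MARKERS = ("% off", "discount", "sale", "coupon", "offer")  # assumed marker words


@dataclass
class ConsentRecord:
    """Evidence of consent: who, which channel, when, how, and the wording shown."""
    address: str
    channel: str            # "email" or "sms" - SMS consent is recorded separately
    source: str             # "form", "checkout", "popup", ...
    wording: str            # exact consent text the user saw
    captured_at: datetime
    double_opt_in_confirmed: bool = False


@dataclass
class Message:
    to: str
    channel: str
    kind: str               # "transactional" or "marketing", as labelled by the sender
    body: str
    sender_name: str = ""
    contact: str = ""       # reply-to address or contact-page URL
    unsubscribe_link: Optional[str] = None   # URL, or "STOP" for SMS


def is_commercial(msg: Message) -> bool:
    """A transactional message carrying any promotional content is treated as marketing."""
    if msg.kind == "marketing":
        return True
    text = msg.body.lower()
    return any(marker in text for marker in PROMO_MARKERS)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by whole Mon-Fri business days; public holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def unsubscribe_valid_until(sent_at: datetime) -> datetime:
    """Earliest time an unsubscribe link issued at sent_at may be retired."""
    return sent_at + timedelta(days=UNSUBSCRIBE_VALID_DAYS)


class SendGate:
    """Central consent store and suppression list shared by every sending platform."""

    def __init__(self) -> None:
        self.consents = {}    # (address, channel) -> ConsentRecord
        self.suppressed = {}  # (address, channel) -> datetime the opt-out was received

    def record_consent(self, rec: ConsentRecord) -> None:
        self.consents[(rec.address, rec.channel)] = rec

    def opt_out(self, address: str, channel: str, received_at: datetime) -> datetime:
        """Suppress immediately; return the last day the opt-out may be actioned."""
        self.suppressed[(address, channel)] = received_at
        self.consents.pop((address, channel), None)
        return add_business_days(received_at, OPT_OUT_BUSINESS_DAYS)

    def check(self, msg: Message) -> list:
        """Return the problems that block sending; an empty list means go ahead."""
        if not is_commercial(msg):
            return []     # purely factual transactional message: the three rules do not apply
        key = (msg.to, msg.channel)
        problems = []
        if key in self.suppressed:
            problems.append("recipient has opted out of this channel")
        elif key not in self.consents:
            problems.append(f"no recorded consent for {msg.channel}")
        if not msg.sender_name or not msg.contact:
            problems.append("sender not identified (name and contact required)")
        if not msg.unsubscribe_link:
            problems.append("no unsubscribe mechanism")
        return problems


def run_demo() -> dict:
    """Run the gate over constructed sample messages; returns results for inspection."""
    gate = SendGate()
    gate.record_consent(ConsentRecord(          # constructed consent evidence
        "ann@example.com", "email", "checkout",
        "Yes, email me offers from Example Store", datetime(2024, 3, 1, 10, 0), True))
    promo = Message("ann@example.com", "email", "marketing", "20% off this weekend",
                    "Example Store", "hello@example.com", "https://example.com/u/abc")
    sms = Message("ann@example.com", "sms", "marketing", "20% off, reply STOP to opt out",
                  "Example Store", "hello@example.com", "STOP")
    receipt = Message("ann@example.com", "email", "transactional", "Order #1001 has shipped.")
    banner = Message("ann@example.com", "email", "transactional",
                     "Order #1001 has shipped. Use coupon NEXT10 on your next order.")
    results = {
        "promo": gate.check(promo),        # consent + identification + unsubscribe present
        "sms": gate.check(sms),            # email consent does not cover SMS
        "receipt": gate.check(receipt),    # exempt: factual, no promotion
        "banner": gate.check(banner),      # the coupon line turns it into marketing
        "unsub_valid_until": unsubscribe_valid_until(datetime(2024, 3, 1)).date().isoformat(),
    }
    # Opt-out received on Friday 1 March 2024: five business days later is Friday 8 March.
    results["opt_out_deadline"] = gate.opt_out(
        "ann@example.com", "email", datetime(2024, 3, 1, 9, 0)).date().isoformat()
    results["after_opt_out"] = gate.check(promo)
    return results
```

The gate is deliberately channel-keyed: an email opt-in never satisfies an SMS send, and an opt-out on one channel is suppressed at the moment it arrives rather than at the 5-business-day deadline, which the code only reports so the team can track the legal outer limit. Wiring every platform (email, SMS, ads) through one `SendGate.check` call is what makes "centralise suppression lists" real rather than a policy statement.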
Consent, Unsubscribe And “Transactional” Messages: E-Commerce FAQs
What Counts As Express vs Inferred Consent?
Express consent is best: the user clearly opts in. Inferred consent relies on context - for example, a long-standing customer who would reasonably expect special offers. Because it’s subjective, inferred consent carries more risk. Aim for express consent by using clear, unticked checkboxes and double opt-in.
Can I Send Abandoned Cart Emails Or SMS?
Abandoned cart nudges often contain promotional content to drive a purchase, so treat them as marketing. Get consent before sending these messages, especially for SMS. If you frame an email as purely “order assistance” without promotional content, it may still be seen as commercial if it encourages a sale - so err on the side of consent.
Are Order Confirmations And Shipping Updates Exempt?
Factual, non-promotional updates tied to a purchase are generally transactional. Don’t add marketing banners to these messages. If you do, the full Spam Act requirements apply (consent + identification + unsubscribe).
Do These Rules Apply To B2B Messages?
Yes. There’s no blanket exemption for business addresses. You still need consent to send marketing to a work email or business mobile number.
How Fast Do I Need To Action Unsubscribes?
Within 5 business days, but best practice is immediately. Your unsubscribe mechanism must remain functional for at least 30 days after sending the message.
What About Social DMs Or Push Notifications?
The Spam Act focuses on messages sent to “electronic addresses” (e.g. email, phone number). Some channels fall outside its scope, but privacy and consumer laws still apply. If you’re using DMs or push notifications to promote sales, apply the same consent-first mindset.
How The Spam Act Interacts With Privacy And Consumer Law
Marketing rarely sits in a silo. Your campaigns must also align with privacy and consumer protection rules in Australia.
Privacy Act 1988 (Cth) And Data Practices
If you collect personal information (emails, phone numbers, names), you’ll need a clear and accessible Privacy Policy explaining what you collect, why, and how users can access or correct their information.
Think about how you track behaviour for marketing (e.g. cookies, pixels). A transparent Cookie Policy and consent banner help align your web tracking with user expectations. Also consider your breach preparedness through a Data Breach Response Plan.
Australian Consumer Law (ACL) And Advertising
Your marketing must not mislead or deceive - this is a core rule under section 18 of the ACL. Review campaign copy, claims, and testimonials with care and keep records to substantiate offers. For an overview, see section 18 of the Australian Consumer Law.
Subscriptions, Auto-Renewals And Payments
If you offer subscriptions or memberships, set out the renewal cycle, pricing, and how to cancel in plain English. Your online store will benefit from clear Online Subscription Terms and Conditions that match what your checkout displays. Make sure billing practices stay transparent and permission-based.
Website Legals And Transparency
E-commerce buyers look for trust markers. Publish robust Website Terms and Conditions covering how your store operates, user rules, and key disclaimers. Align what you promise in marketing with what appears in your terms - inconsistency is a common driver of complaints and refunds.
Essential Documents And Policies For E-Commerce Compliance
The Spam Act sets the rules for how you message your audience. These documents help you operationalise and demonstrate compliance across your marketing and website.
- Privacy Policy: Explains what personal information you collect, why you collect it, and how customers can manage their data. Link it anywhere you capture emails or phone numbers. Consider a tailored Privacy Policy for your store.
- Cookie Policy: Outlines tracking technologies (cookies, pixels) and user choices around consent. A clear Cookie Policy supports your marketing analytics and remarketing activities.
- Website Terms and Conditions: Sets the rules for using your site, permissible conduct, IP ownership, and limitation of liability. Publish comprehensive Website Terms and Conditions and keep them up to date.
- Online Subscription Terms: If you run a subscription or membership, ensure your Online Subscription Terms and Conditions clearly cover renewals, cancellations, and pricing changes.
- Data Breach Response Plan: Documents how you detect, assess, and respond to data incidents. A well-tested Data Breach Response Plan helps you meet privacy obligations and maintain customer trust.
- Internal Marketing Playbook: Not a legal document, but very useful. Capture your consent wording, preferred opt-in design, unsubscribe process, and approval workflows so campaigns stay consistent and compliant as your team grows.
If you use agencies or SaaS providers for email/SMS, align contracts with your compliance stance - for example, require lawful list sourcing, accurate identification, and prompt processing of unsubscribes. Periodically audit vendors and suppressions to make sure what’s written on paper is happening in practice.
Enforcement, Penalties And Practical Risk Management
ACMA actively enforces the Spam Act, and penalties can add up quickly for repeat or large-scale breaches. While fines vary case by case, the largest matters have involved millions of dollars in penalties and enforceable undertakings to fix systems.
Practical steps to reduce risk include:
- Make express consent your default - Capture it cleanly, store it reliably, and refresh it if you change your messaging approach.
- Design for opt-out - Put the unsubscribe where people expect it, and test it across devices (especially SMS).
- Segment transactional vs marketing flows - Keep receipts and delivery updates free of promotions.
- Centralise suppression lists - Ensure all platforms (email, SMS, ads) honour an opt-out.
- Audit your tech and content - Schedule quarterly reviews of templates, list sources, and automations.
- Train and empower your team - Give customer support a simple process to action opt-outs and complaints.
- Document decisions - Keep a paper trail of your consent language and compliance decisions for accountability and future audits.
If you’re unsure about a particular campaign (e.g. re-engagement after extended inactivity, data sourcing from partners, or international sends), it’s worth getting advice before you hit send.
Key Takeaways
- The Spam Act 2003 requires consent, clear sender identification, and a functional unsubscribe for marketing emails and SMS in Australia.
- Rely on express consent wherever possible, keep evidence of opt-ins, and separate transactional messages from promotions.
- Your marketing also needs to align with privacy and consumer law - pair your program with a clear Privacy Policy, accurate claims, and transparent website terms.
- Core e-commerce documents include Website Terms and Conditions, Privacy Policy, Cookie Policy, Online Subscription Terms, and a Data Breach Response Plan.
- Build compliance into your systems: preference centres, suppression lists, staff training, vendor controls, and regular audits will reduce risk.
- If in doubt, get advice before you launch a campaign - fixing issues after the fact is usually more expensive than setting it up right.
If you’d like a consultation on Spam Act compliance for your e-commerce business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.