Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email and SMS marketing are powerful tools for growing your business in Australia. But if you’re sending promotional messages without the right consent or unsubscribe tools, you can quickly fall foul of the Spam Act 2003.
The good news? With a few practical steps and the right policies, you can run effective campaigns while staying compliant and protecting your brand.
In this guide, we’ll walk through what the Spam Act requires, how consent really works, what must appear in your messages, and the practical steps to build a compliant program. We’ll also highlight the key documents that help keep your team on track.
What Is The Spam Act 2003 And Who Does It Apply To?
The Spam Act 2003 is Australia’s national law regulating commercial electronic messages. It’s enforced by the Australian Communications and Media Authority (ACMA).
It covers emails, SMS and MMS, and certain instant messaging (IM) or direct messages that promote or advertise goods, services or business opportunities. It applies whether you’re sending to consumers or other businesses, and whether you’re a startup or a large enterprise.
The law focuses on three core rules for any commercial message with an Australian link:
- Have consent: You must have express or inferred consent from the recipient before sending commercial messages.
- Identify yourself: Your message must clearly state who you are and how to contact you.
- Include an easy unsubscribe: Every commercial message must have a functional unsubscribe that works reliably.
ACMA can investigate complaints, require undertakings, and issue infringement notices and court proceedings for serious or repeated non-compliance. Aside from penalties, non‑compliance damages customer trust, so it’s worth getting this right from day one.
Note: Telemarketing voice calls are regulated under different rules. If your strategy includes phone outreach, make sure you also understand Australia’s telemarketing laws.
For broader marketing obligations (like misleading conduct and pricing claims), your campaigns must also comply with the Australian Consumer Law. And if you collect personal information for your lists, your privacy obligations apply too; we cover key documents below.
What Counts As Consent Under The Spam Act?
Consent is the foundation of the Spam Act. Without it, you can’t legally send a commercial electronic message.
Express Consent
Express consent is a clear “yes” from the person you’re contacting. For example, they tick a box on a form saying “I want to receive marketing emails” or they enter their phone number into a field clearly labelled for SMS updates.
Important points:
- No pre‑ticked boxes. The person must take a positive step to opt in.
- Make it specific. Say what kind of messages they’ll get (e.g. newsletters, promotions, event invites).
- Make it easy. Keep opt-in language plain and clear, and give them a way to opt out later in every message.
Inferred Consent
Inferred consent arises from an existing relationship or conduct where it’s reasonable to expect you’ll send related marketing. For example, if someone is an active customer and you’re sending promotions closely connected to the products or services they already use.
Be careful here. Inferred consent is not a free pass to send broad, ongoing promotions, especially long after someone stops engaging. If in doubt, refresh consent or rely on express consent instead.
No Consent From Harvested Or Purchased Lists
The Spam Act also prohibits using address‑harvesting software or lists generated by it. Buying lists is risky because you usually can’t verify valid consent for each contact. If you can’t demonstrate consent, don’t send.
Service vs Commercial Messages
Service or transactional messages (like receipts, shipping updates, security alerts or outage notices) aren’t considered “commercial” if they’re purely about delivering your service. But many messages are mixed. If there’s any promotional content in the message, treat it as commercial and follow the Spam Act rules.
What Must Your Commercial Messages Include?
Even with consent, your email, SMS or IM message must meet specific content requirements.
Accurate Sender Identification
Your message must clearly identify your business or trading name and provide accurate contact details. For SMS, you can use a clear sender ID plus a link to a page with full details; for email, include your business name and a working email or contact method.
Functional Unsubscribe
Every commercial message must have a simple, low‑friction unsubscribe that actually works. Key points:
- It must be easy to use. For email, a one‑click link is best practice. For SMS, an option like “Reply STOP to opt out” is typical.
- Make it free or standard cost. Don’t require the person to log in or pay to unsubscribe.
- Honor requests promptly. In Australia, unsubscribe requests must be processed within five business days.
- Keep it available. The unsubscribe facility must remain functional for at least 30 days after the message is sent.
No Misleading Content
Don’t mislead people about the purpose of your message. Subject lines should match the content, and any offers should be truthful and clear (e.g., include material conditions or limitations).
Can You Use Purchased Lists, Referrals Or Lead Magnets?
Marketing databases grow fastest when you attract people who genuinely want to hear from you. Here’s how common tactics stack up under the Spam Act.
Purchased Lists
Avoid them. You usually won’t have reliable proof of consent for each address, and the Spam Act prohibits messages based on harvested addresses. Building your own list is safer, more effective, and better for deliverability.
“Refer A Friend” Campaigns
Be cautious. If a customer enters someone else’s email or phone number, you still need consent to send a commercial message to that person. A safer approach is to let the referrer share a link so the friend can opt in directly, or send a one‑off invitation message without promotional content, asking the friend to opt in themselves before any marketing is sent.
Competitions And Lead Magnets
Competitions, downloadable guides and discounts can be great list builders, but consent must be clear and specific. Make sure your sign‑up form states that the person is opting in to receive marketing and describes the types of messages they’ll get. If your competition involves email or SMS outreach, consider your broader obligations under email marketing laws, including fair terms and privacy compliance.
Third‑Party Senders And Affiliates
If you use a marketing agency or affiliate to send messages on your behalf, you still carry legal responsibility for compliance. Put robust contracts in place, approve message content, and ensure they only contact recipients who have valid consent for your brand. You should also maintain a suppression list so unsubscribed contacts aren’t emailed again by any party.
How To Build A Compliant Email And SMS Program (Step‑By‑Step)
Setting up a compliant program is less about guesswork and more about process. Here’s a practical roadmap you can follow.
1) Map Your Messages And Channels
List every type of message you send: newsletters, product updates, promotions, onboarding emails, receipts, SMS alerts and re‑engagement campaigns. For each, note whether it’s transactional or commercial, who receives it, and how consent will be captured and stored.
2) Design Consent Flows The Right Way
Update forms and checkouts so consent is explicit, specific and easy to understand. Avoid pre‑ticked boxes. Separate consent for different channels (email vs SMS) and different brands or business units where needed.
3) Implement Reliable Unsubscribe Tools
Use your email service provider’s one‑click unsubscribe and test it regularly. For SMS, provide a simple reply keyword or short link that works consistently. Confirm opt‑out processing is automated within five business days.
4) Build Robust Record‑Keeping
Keep logs that show when, how and for what purpose someone consented, including the wording they saw. Store unsubscribe timestamps and maintain a suppression list. Good records are your best defence if ACMA investigates.
5) Review Message Content And Branding
Ensure all commercial messages identify your business and include valid contact details. Check subject lines and offers for clarity and accuracy. Avoid mixing service and promotional content unless you treat the message as commercial (and include unsubscribe).
6) Train Your Team And Vendors
Marketing, sales and customer support teams all touch outbound messaging. Provide training on consent, unsubscribe handling, suppression lists and escalation processes. If you use external senders (agencies, affiliates or SMS gateways), make sure their contracts reflect your compliance requirements.
7) Align With Privacy And Website Practices
If you collect personal information for marketing, your Privacy Policy and Privacy Collection Notice should clearly explain what you collect and how you use it for email/SMS. If you run sign‑ups on your site or app, make sure your Website Terms and Conditions reflect how users can engage with your platform and your acceptable use rules.
8) Vet Your Tech Stack And Data Flows
When you share customer data with email/SMS providers or analytics platforms, you’re engaging a processor. A Data Processing Agreement helps ensure your vendors handle data lawfully and securely, including unsubscribes and deletion on request. If you use tracking technologies for sign‑ups, consider whether a Cookie Policy is appropriate.
9) Monitor, Audit And Improve
Schedule periodic audits to check consent logs, suppression lists, bounce rates, complaint volumes and sample message content. Spot‑check that unsubscribes are actioned within five business days and that old campaigns still include accurate sender details.
10) Have An Escalation Path
If you receive a complaint or ACMA contact, pause affected campaigns, investigate quickly and document your findings. Even where you’ve acted in good faith, swift remediation (e.g., fixing a faulty unsubscribe link) reduces risk and demonstrates a strong compliance culture.
Common Compliance Questions We Hear
Can I Send “Cold” B2B Emails?
Only if you have consent. The Spam Act applies to business recipients too. Inferred consent can sometimes apply to existing business relationships, but it’s safer to rely on express opt‑in whenever possible.
Are “Transactional” Emails Safe To Send Without Unsubscribe?
If the message is purely about delivering your service (e.g., receipts, shipping updates or password resets), it’s not a commercial message. But if you add promotional content, treat it as commercial and include a functional unsubscribe.
Do I Need Consent For Re‑Engagement Campaigns To Lapsed Customers?
Be careful claiming “inferred” consent long after someone stops using your product. If in doubt, use a one‑off, non‑promotional invitation asking them to opt in again before sending any marketing.
What About Social Media DMs?
If you’re using direct messages that meet the definition of a commercial electronic message with an Australian link, the Spam Act rules apply. Consent, sender identification and unsubscribe must still be addressed.
Can My Agency Send Campaigns On My Behalf?
Yes, but you remain responsible for compliance. Tighten your approval workflows, ensure they only use contacts with valid consent for your brand, and share suppression lists so opt‑outs are respected across all senders.
What Legal Documents Will Help With Spam Act Compliance?
A strong paperwork foundation makes everyday compliance much easier. These documents and policies help align your team, vendors and customers:
- Privacy Policy: Explains what personal information you collect (e.g., emails and phone numbers), how you use it for marketing and how people can contact you or opt out; publish your Privacy Policy prominently on your website and link it in relevant forms.
- Privacy Collection Notice: Shown at the point of collection (e.g., sign‑up forms) to set clear expectations about marketing use; this is separate to your full policy and should be concise and specific. Use a tailored Privacy Collection Notice wherever you gather email or phone details.
- Website Terms And Conditions: Sets the rules for using your site (including acceptable use and any promotional programs), and can reference how users engage with your newsletters and SMS alerts; ensure your Website Terms and Conditions align with your marketing practices.
- Data Processing Agreement (DPA): Governs how your email/SMS vendors and other processors handle personal information, including consent and unsubscribe signals; a Data Processing Agreement helps you meet privacy and security obligations.
- Internal Marketing Compliance Policy: A practical playbook for staff covering consent capture, message approvals, sender identification, unsubscribe handling, suppression lists and escalation steps; this can sit within your broader Workplace Policy framework and training.
- Agency Or Affiliate Agreements: Contracts that require third parties to follow your consent standards, identify your business properly, and synchronise suppression lists so opt‑outs are always respected.
- Email Disclaimer (Optional): For certain communications, an email disclaimer can help clarify confidentiality and legal notices, but remember: disclaimers don’t replace the Spam Act’s core requirements.
These documents won’t run your marketing for you, but they make expectations clear and help you prove your compliance if you’re ever asked to show it.
How Does The Spam Act Interact With Privacy And Consumer Law?
Although the Spam Act is your primary marketing law, it works alongside privacy and consumer protections.
- Privacy: If you collect personal information for marketing, you have obligations under the Privacy Act (for most medium to large businesses and some smaller ones). Clear disclosures, secure handling and honoring opt‑outs are core expectations; your Privacy Policy and processes should reflect this.
- Consumer Law: Your promotions and claims must be accurate and not misleading under the Australian Consumer Law. That covers things like pricing, discount representations, and comparison claims.
- Telemarketing: Voice calls fall under different rules, including Do Not Call requirements and call time restrictions. If you also call prospects, read up on Australia’s telemarketing laws.
In practice, teams do best when they treat these areas as one connected framework: plan your campaign, check your claims, ensure you have consent, and keep the unsubscribe easy.
Practical Pitfalls To Avoid (And What To Do Instead)
- Pre‑ticked boxes at sign‑up: Replace with an active opt‑in and clear wording about what the person is agreeing to receive.
- “One list fits all” opt‑ins: Separate consent for email vs SMS and for distinct product lines or brands where relevant.
- Hiding the unsubscribe link: Make it obvious; if people can’t find it, complaints (and risk) go up.
- Slow or manual unsubscribe processing: Automate opt‑outs through your email/SMS platform so requests are actioned within five business days.
- Relying on purchased lists: Focus on owned audience growth (lead magnets, content and events) where you control consent quality.
- Forgetting affiliates: Roll your consent standards and suppression lists into agency and affiliate contracts to avoid accidental breaches.
If you’re unsure whether a campaign or message type is covered, assume it is and build in the unsubscribe. It’s safer, simpler and more user‑friendly.
Key Takeaways
- The Spam Act 2003 applies to commercial electronic messages sent in Australia, including email, SMS and certain IM; consent, sender identification and an easy unsubscribe are mandatory.
- Express consent is best practice; inferred consent can apply in limited, closely related contexts, but avoid relying on purchased or harvested lists.
- Every marketing message must identify your business accurately and include a functional unsubscribe that’s honored within five business days and remains available for 30 days.
- Referrals, competitions and lead magnets can be compliant list‑building tools if your consent wording is clear, specific and easy to understand.
- Build compliance into your workflow: map message types, design clean consent flows, automate unsubscribes, keep strong records, and train staff and vendors.
- Support your program with key documents such as a Privacy Policy, Privacy Collection Notice, Website Terms and Conditions, Data Processing Agreement and internal policies.
- Marketing also needs to meet privacy and consumer law standards: treat these obligations as part of one connected compliance process.
If you’d like a consultation on Spam Act compliance for your Australian business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.








