Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email, SMS and in‑app messaging can be powerful, low‑cost ways to reach your customers. In Australia, though, electronic direct marketing is tightly regulated to protect people from unwanted spam.
The Spam Act 2003 sets out strict rules on when and how you can send commercial electronic messages. If you’re running a business in Australia, understanding these rules isn’t just about avoiding fines - it’s about building trust with your audience and protecting your brand.
In this guide, we break down what the Spam Act requires, clear up common myths, and give you a practical checklist to stay compliant. If you want deeper guidance tailored to your business, we’re here to help so you can market confidently and stay on the right side of the law.
Why Spam Compliance Matters In Australia
Australia has some of the toughest anti‑spam laws in the world. The Australian Communications and Media Authority (ACMA) actively monitors compliance and takes enforcement action where needed.
Beyond the legal risk, spam hurts your reputation. Poor practices lead to complaints, spam folder placement, deliverability issues and unsubscribes - all of which waste your marketing budget.
The upside? When you embed compliance into your sign‑up flows and campaigns, you improve list quality, engagement and long‑term customer trust. Put simply: compliant marketing works better.
If email and SMS are part of your strategy, it’s also worth reviewing your broader obligations under email marketing laws so that everything from your opt‑ins to your messaging and disclosures lines up.
What Counts As A Commercial Electronic Message?
The Spam Act covers “commercial electronic messages” sent by email, SMS, MMS or instant messaging. A message is “commercial” if it offers, advertises or promotes goods, services, land, business or investment opportunities - or if it assists in doing so (for example, asking people to visit your online store).
Key points to keep in mind:
- Format doesn’t matter - email, SMS, MMS, and direct messages are all covered.
- It’s still “commercial” even if there’s no discount code or sales copy, as long as it promotes your business, brand or offers.
- Purely factual messages (like a receipt or system outage notice) are generally not “commercial”, but adding promotional content can turn them into commercial messages that must comply.
The Spam Act applies to messages sent to, from or within Australia. That means Australian rules still apply even if you’re using a platform that operates overseas. If you also market to customers in other countries, you may need to meet additional regimes (more on this below).
The Three Core Rules: Consent, Identify, Unsubscribe
Every commercial electronic message must meet three fundamental requirements. If you build your systems around these, you’ll avoid most pitfalls.
1) Consent
You must have the recipient’s consent before sending a commercial message. There are two types:
Express consent
- Given actively - for example, by ticking a clearly labelled checkbox, submitting a sign‑up form, or verbally agreeing.
- Should be specific and informed - people should know who you are and what they’ll receive (e.g. “news, updates and offers from ABC Pty Ltd”).
- Keep records - your system should capture when, how and from which source each person opted in.
Inferred consent
- Can arise from an existing business or other relationship where marketing would be reasonably expected.
- It’s narrow and contextual - messages should be closely related to the original transaction or relationship and sent within a reasonable time.
- Publicly available contact details or receiving a business card is not consent on its own.
When in doubt, work towards express, provable consent. It’s the most reliable foundation for your lists and the easiest to demonstrate if you’re ever asked.
2) Identification
Your message must clearly and accurately identify the individual or organisation who authorised it, and provide contact details that work for at least 30 days after sending.
- Use your legal entity name (e.g. “ABC Pty Ltd”) or your registered business name. Avoid vague or misleading “from” names.
- Provide contact details - for example, a functional reply email address, a phone number, or a street/postal address.
- Don’t hide behind disposable inboxes or shortened URLs that mask who you are.
This is mandatory for all commercial messages - including those sent by organisations that have special consent exemptions (like registered charities). Identification must always be clear.
3) Unsubscribe (Opt‑Out)
Every commercial message must include a functional, easy and free way to unsubscribe.
- Make it simple - an obvious “unsubscribe” link in emails, or clear SMS instructions such as “Reply STOP to opt out”.
- Process requests promptly - within 5 business days.
- Keep it free - don’t charge a fee. Standard SMS or data costs for the recipient are fine.
- Don’t create hurdles - no forced logins, surveys or multiple steps.
- Keep it live - the opt‑out facility must work for at least 30 days after the message was sent.
If your platform handles unsubscribes, check the settings and test them regularly. If you manage unsubscribes manually, build a process so no request slips through.
Exemptions, Edge Cases And Common Myths
There are a few important carve‑outs and misconceptions to understand.
Designated senders (consent exemption)
Messages from certain organisations - such as registered charities, registered political parties and government bodies - have a consent exemption in specific contexts. However, those messages are still commercial if they promote goods, services or donations, so they must include accurate identification and a functional unsubscribe.
Educational institutions have a narrow exemption for messages sent to current and former students (again, identification and unsubscribe still apply).
Purely factual messages
Truly factual communications (for example, a receipt, a shipping notification, or a critical service update) are not commercial. If you add promotional content - even a small sales banner - the message becomes commercial and must comply with all three rules above.
Purchased lists and address harvesting
Buying lists is high‑risk. You are responsible for ensuring valid consent exists for each contact - and you must be able to prove it. The Spam Act also prohibits the supply, acquisition and use of address‑harvesting software and harvested‑address lists for sending unsolicited messages.
“One complaint triggers an investigation”
ACMA considers a range of intelligence, including complaints, industry information and technical monitoring. A single complaint does not automatically trigger enforcement, but it can prompt scrutiny. Building compliance into your processes is the best way to avoid issues.
Messaging outside email
The rules apply to SMS/MMS and instant messaging as well as email. If you also contact customers by phone, separate telemarketing rules can apply - it’s wise to review Australia’s telemarketing laws if outbound calling is part of your strategy.
Practical Compliance Steps For Small Businesses
Here’s a practical, step‑by‑step way to embed Spam Act compliance into your marketing stack.
1) Design consent‑first sign‑up flows
- Use clear, unticked checkboxes with concise descriptions of what subscribers will receive and who is sending it.
- Consider double opt‑in for higher‑risk lists (e.g. competition entries) to capture clean consent records.
- Capture and store timestamp, IP/source, consent wording and the list/language shown at the moment of sign‑up.
2) Audit your outbound templates
- Add accurate sender identification to all templates and ensure a working reply‑to or contact method.
- Insert a prominent unsubscribe in every commercial message (email and SMS) and remove any unnecessary hurdles.
- Check automations like abandoned cart reminders, win‑back sequences and loyalty campaigns - these count as commercial messages.
3) Clean and manage your lists
- Remove bounced addresses and process unsubscribes promptly (ideally in real time).
- Don’t add contacts from invoices or contact forms to marketing lists unless the form captured express consent for marketing.
- Avoid purchased lists. If you use a third party, obtain written assurances about consent provenance and audit them.
4) Build compliance into your platform settings
- Enable automatic unsubscribe headers, footers and STOP logic provided by your ESP or SMS gateway.
- Set up suppression lists so unsubscribed contacts can’t be re‑added by mistake.
- Keep system logs for at least as long as you may need to demonstrate compliance.
5) Align with privacy and consumer laws
- Make sure your Privacy Policy explains how you collect, use and store contact details for marketing, and how people can opt out.
- If you use tracking technologies for segmentation or analytics, a clear Cookie Policy and consent banner are good practice.
- Your marketing must also be fair and accurate under the Australian Consumer Law - if you need help in this area, speak with a consumer law specialist.
It’s also worth understanding your broader data retention obligations so you’re keeping the right records for the right amount of time.
6) Train your team and lock in your suppliers
- Give clear guidance to staff and contractors on consent, identification and unsubscribe, and how to handle opt‑out requests.
- If you work with agencies or freelancers, ensure your Marketing Service Agreement requires compliance with the Spam Act and sets out who is responsible for list quality and unsubscribe handling.
7) Keep evidence
- Maintain records of consent (screenshots of forms, timestamps, IPs), campaign logs, unsubscribe logs and template versions.
- If you rely on inferred consent, document the business relationship and why a recipient would reasonably expect your message.
8) Plan for international audiences
If you market to overseas customers, you may need to comply with regimes like CAN‑SPAM (US), CASL (Canada) and the GDPR (EU/UK). The best approach is to build a global baseline - clear opt‑in, accurate identification and easy opt‑out - then handle country‑specific nuances where required. If the EU is on your roadmap, consider a tailored GDPR package alongside your Australian compliance.
What Happens If You Breach The Spam Act?
ACMA has a range of tools, from warnings and directions to comply, through to enforceable undertakings and significant penalties for systemic or serious non‑compliance.
The most common triggers for enforcement include large numbers of messages sent without consent, faulty or missing unsubscribe mechanisms, and repeated failures to act on opt‑out requests. Public enforcement can also damage your brand, impact deliverability and erode customer trust.
A sensible approach is to conduct periodic internal audits, fix any gaps quickly, and document what you’ve done. If you uncover a compliance issue affecting a large volume of messages, get legal advice early - timely remediation can reduce risk.
Key Takeaways
- The Spam Act 2003 applies to commercial emails, SMS, MMS and instant messages sent to, from or within Australia.
- Every commercial message must have valid consent, clearly identify the sender, and include a simple, functional unsubscribe that’s processed within 5 business days.
- Designated senders (like registered charities, political parties and government bodies) may have consent exemptions in certain contexts, but identification and unsubscribe still apply.
- Inferred consent is narrow and context‑dependent; express, provable consent is the safest baseline for your lists.
- Avoid purchased lists and address harvesting - you are responsible for proving consent and respecting opt‑outs.
- Embed compliance into your sign‑ups, templates and platform settings, and align your Privacy Policy, Cookie Policy and consumer law obligations.
- Train your team, keep good records, and review your processes regularly to reduce the risk of enforcement and protect your brand.
If you’d like a consultation on Spam Act compliance for your business’s email or SMS marketing, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.








