Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re using email, SMS or instant messages to promote your products or services in Australia, the Spam Act 2003 sets the rules. Get those rules wrong and you risk complaints, ACMA investigations and costly penalties.
The good news? With the right systems and a few practical habits, you can run effective digital marketing that’s both compliant and customer-friendly.
In this guide, we’ll explain how the Spam Act works in plain English, what “consent” really means, what you must include in every message, and the simple steps to avoid fines while building a trustworthy brand.
What Is The Spam Act And Who Has To Comply?
The Spam Act 2003 is Australia’s main law regulating commercial electronic messages (CEMs). It applies to emails, SMS/MMS and instant messages that promote goods, services, business opportunities or investments.
If your message has a commercial purpose and is sent to an “electronic address” (like an email address or mobile number), the Spam Act likely applies. It covers Australian businesses and overseas businesses that send messages to Australian recipients.
Voice calls are governed separately (primarily under the Do Not Call Register rules). If your marketing includes calling customers or leads, make sure you also understand Australia’s telemarketing laws.
Some communications fall outside the Spam Act or are treated differently, for example purely “factual” messages (like a service outage notice) or certain messages from government bodies and registered charities. However, if you combine a factual message with promotional content (like an offer or upsell), the spam rules apply in full.
What Counts As Consent Under The Spam Act?
Consent is the cornerstone of spam compliance. You generally need the recipient’s consent before you send a commercial electronic message. There are two types:
1) Express Consent
Express consent is a clear “yes” to receive messages from you. It might be a tick box on your website, a sign-up form at checkout, or someone texting a keyword to opt in. To be valid, the opt-in should:
- Make it clear what the person is signing up to (e.g. promotional emails or SMS from your brand)
- Name your business and how often you’ll send messages (if relevant)
- Not be bundled with unrelated consent (avoid pre-ticked boxes or vague wording)
It’s wise to keep records: when and how someone opted in, what they were told at the time, and the source of the data.
2) Inferred Consent
In limited cases, consent can be inferred based on the relationship or conduct. For example, if there’s a reasonable expectation that the person would consent to receiving your marketing (often because they’re an existing customer who’s been given a clear opportunity to opt out), you may rely on inferred consent.
Be careful here. Inferred consent is narrower than many businesses assume, and it can fade over time. If in doubt, get express consent.
“Forward To A Friend” And Third-Party Lists
If your business encourages someone to forward a message or uses third-party mailing lists, you’re still responsible for compliance if you “cause” the message to be sent. Don’t use harvested lists or data obtained without proper consent.
Address-harvesting software and lists generated by it are prohibited. If you work with a marketing partner, ensure they collect opt-ins responsibly and can evidence consent.
What Must Be In Your Messages (And How To Avoid Penalties)
Every commercial electronic message must meet three core requirements:
1) Consent
As covered above, have express or validly inferred consent before sending. If your message is purely transactional or factual (e.g. a receipt), avoid adding promotional content unless you’ve also met the marketing requirements (consent, identity and unsubscribe).
2) Identity
Your message must clearly identify your business as the sender. Include your business name (and trading name if different) and contact details that remain current for a reasonable period after sending. A physical address, phone number or email address is typical. Many businesses also include an email disclaimer in their footer, though this isn’t a substitute for the required identity information.
3) Unsubscribe
Include a simple, functional unsubscribe in every commercial message. The opt-out method should be free (or low cost, e.g. standard SMS rate), easy to use and remain operational for at least 30 days after you send the message.
Unsubscribe requests must be actioned promptly (within five business days). Don’t require a login or complex steps to opt out. For SMS, a “Reply STOP” function is standard. For email, a one-click unsubscribe link is best practice.
Other Pitfalls That Trigger Enforcement
- Using or supplying address-harvesting software or harvested lists
- Sending to recipients who opted out (poor suppression list hygiene)
- Hiding your identity or making it hard to contact you
- Combining transactional content with promotions without consent
- Add-on marketing by partners or affiliates who don’t hold valid consent
Breaches can lead to investigations, infringement notices, court-enforceable undertakings and significant monetary penalties. Robust processes are your best defence.
Practical Steps To Build A Compliant Marketing Program
Compliance isn’t just a legal box-tick. It also improves list quality and trust. Here’s a practical, step-by-step approach to getting it right.
Step 1: Map Your Channels And Data Flows
List each channel you use (email platform, SMS gateway, chat app) and every place you collect contacts (website forms, checkout, events, referrals). Identify the exact wording shown at each opt-in and where consent records are stored.
If you run a website or app, make sure your Privacy Policy and Privacy Collection Notice explain what personal information you collect and how you use it for direct marketing. If you use tracking technologies for sign-ups or remarketing, add a clear Cookie Policy.
Step 2: Standardise Consent Language
Use plain, unbundled opt-in wording that names your business, the channel (email/SMS), and the purpose (promotions, updates, offers). Remove pre-ticked boxes. For SMS, consider a double opt-in (e.g. confirm by replying “YES”).
Keep immutable records of consent (timestamp, method, form version, IP, SMS keyword, etc.). Good record-keeping is critical if a complaint is made.
Step 3: Design Compliant Templates
Build email and SMS templates that always display your identity and a working unsubscribe. Test the unsubscribe regularly. Consider adding your ABN and contact details in the footer for clarity.
If you’re unsure how the rules apply to your specific workflow, it’s sensible to get advice from a data privacy lawyer before you scale.
Step 4: Clean Your Lists And Suppress Opt-Outs
Deduplicate and remove invalid addresses. Ensure unsubscribe events are instantly added to a suppression list across all platforms you use. Don’t re-add someone unless they opt back in.
Step 5: Set Rules For Third Parties And Affiliates
If you’re sharing audiences or running partner campaigns, document responsibilities in your supplier or marketing agreements. Require partners to hold valid consent and to identify your brand properly in co-branded messages. Never purchase harvested lists.
Step 6: Train Your Team And Monitor
Give simple, practical guidance to staff on what they can and can’t send. Run periodic audits of templates, forms, consent logs and suppression lists. Treat any complaint as a learning opportunity and fix the root cause.
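As an added illustration of Steps 2 to 4 (example code written for this guide, not Sprintlaw's or any vendor's tooling), the Python send gate below checks a draft message for sender identity and an unsubscribe, honours the suppression list, refuses to rely on a consent record that is missing or on inferred consent older than a self-chosen policy window, and reports opt-outs that were not actioned within five business days. The 365-day inferred-consent window, "Acme Pty Ltd" and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass(frozen=True)
class Consent:          # one immutable consent record, kept as evidence
    kind: str           # "express" or "inferred"
    obtained: date      # when the opt-in was recorded
    source: str         # form version, SMS keyword, etc.

# Assumption: the Act sets no fixed period for inferred consent, so this is
# our own conservative policy window, not a statutory figure.
INFERRED_MAX_AGE = timedelta(days=365)
UNSUBSCRIBE_SLA_DAYS = 5  # business days, as stated in the guide
def business_days_between(start: date, end: date) -> int:
    # Count Mon-Fri days after `start` up to and including `end`.
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        count += (d.weekday() < 5)
    return count
def template_problems(body: str, sender_name: str) -> list:
    # Identity and a working unsubscribe are mandatory in every commercial message.
    text, problems = body.lower(), []
    if sender_name.lower() not in text:
        problems.append("missing sender identity")
    if "unsubscribe" not in text and "reply stop" not in text:
        problems.append("missing unsubscribe")
    return problems
def can_send(address, body, sender_name, consents, suppression, today):
    # Gate one send: returns (ok, reasons). An opt-out overrides any consent.
    problems = template_problems(body, sender_name)
    if address in suppression:
        problems.append("recipient opted out")
    consent = consents.get(address)
    if consent is None:
        problems.append("no consent record")
    elif consent.kind == "inferred" and today - consent.obtained > INFERRED_MAX_AGE:
        problems.append("inferred consent stale; obtain express consent")
    return (not problems, problems)
def overdue_unsubscribes(requested: dict, processed: dict, today: date) -> list:
    # Opt-outs not actioned within five business days; unprocessed ones count up to today.
    return [a for a, r in requested.items()
            if business_days_between(r, processed.get(a, today)) > UNSUBSCRIBE_SLA_DAYS]

# Constructed sample data; "Acme Pty Ltd" and these addresses are hypothetical.
CONSENTS = {"a@example.com": Consent("express", date(2024, 1, 10), "checkout form v3"),
            "b@example.com": Consent("inferred", date(2022, 6, 1), "existing customer"),
            "c@example.com": Consent("express", date(2024, 2, 2), "SMS keyword JOIN")}
SUPPRESSION = {"c@example.com"}
BODY = "Acme Pty Ltd: 20% off this week. Unsubscribe: https://example.com/u"
```

Run the gate before every send and the overdue check daily; a non-empty list from either is the audit finding Step 6 asks you to fix at the root.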
If you also market by phone or door-to-door, remember separate rules can apply to unsolicited consumer agreements and the Do Not Call Register. Keep these frameworks distinct so you don’t mix compliance obligations.
How Does The Spam Act Interact With Privacy And Consumer Laws?
Spam rules sit alongside the Privacy Act 1988 and the Australian Consumer Law (ACL). Together, these laws aim to protect people from unwanted, intrusive or misleading marketing.
Privacy: Collection, Notices And Direct Marketing
The Privacy Act governs how you collect, use and disclose personal information (including emails and phone numbers). Even if the Spam Act doesn’t cover a particular message, privacy obligations still can.
In practice, this means:
- Tell people you’ll use their details for direct marketing (via a clear Privacy Collection Notice)
- Publish an accessible, up-to-date Privacy Policy
- Offer easy opt-outs from direct marketing in line with privacy principles
If your marketing is digital, it’s also worth reviewing broader email marketing laws so your settings, notices and consents line up across all channels.
Consumer Law: Accuracy And Transparency
The ACL prohibits misleading or deceptive conduct in advertising. Your subject lines, offers and claims must be accurate and not misleading. If you run promotions or discounts, ensure the terms are clear and fair to avoid misleading conduct issues.
Web And App Basics
If you market or sell online, it’s standard to have Website Terms and Conditions that set out how your site can be used and your liability limits. These don’t replace spam compliance, but they help set expectations and reduce disputes.
What Legal Documents Should You Have In Place?
While the Spam Act is about how you send messages, a few core documents support compliant and effective marketing. The right stack also improves customer trust and conversion.
- Privacy Policy: Explains what personal information you collect and how you use it, including direct marketing.
- Privacy Collection Notice: Shown where you collect details (forms, checkout) so people understand why you’re collecting their data and how to opt out.
- Cookie Policy: Discloses tracking tools used for analytics, advertising or sign-up flows and how users can manage preferences.
- Website Terms and Conditions: Sets rules for using your site or app, intellectual property ownership and acceptable use.
- Email Disclaimer: Optional footer statements about confidentiality and errors; not a compliance requirement, but often part of a professional template.
- Supplier/Marketing Agreements: If you use agencies, affiliates or list providers, contracts should require valid consent, unsubscribe processing and lawful list management.
Not every business needs every document on day one, but most will need a Privacy Policy and Collection Notice at minimum if you’re collecting names, emails or mobile numbers. Tailored contracts are valuable as you grow.
Key Takeaways
- The Spam Act applies to commercial emails, SMS/MMS and instant messages sent in Australia; it requires consent, clear sender identity and a functional unsubscribe.
- Express consent is strongest; inferred consent is limited and easy to overestimate. Keep clear records of when and how each contact opted in.
- Include an easy, free opt-out in every message and action unsubscribes within five business days. Maintain clean suppression lists across all platforms.
- Don’t use harvested lists or partners who can’t prove consent. You’re responsible for messages you cause to be sent, including “forward to a friend” campaigns.
- Spam rules sit alongside privacy and consumer laws. Back your marketing with a Privacy Policy, Privacy Collection Notice, and clear website terms.
- Train your team, audit regularly, and document your processes. Solid templates and good data hygiene are your best risk controls.
If you’d like a consultation on Spam Act compliance for your Australian business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.