Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Commercial Electronic Message?
- What Does The Spam Act 2003 Require?
- How To Build A Compliant Email And SMS Program
- Who Enforces The Spam Act - And What Are The Penalties?
- How Does The Spam Act Apply To Overseas Messages?
- Other Australian Laws That Also Matter
- Essential Legal Documents And Practical Policies
- Common Mistakes (And Easy Ways To Avoid Them)
- Key Takeaways
If you use email newsletters, SMS offers or in-app messages to connect with customers, you’re in good company. Digital communication is one of the best ways to grow an Australian business - but it also comes with legal responsibilities.
In Australia, the Spam Act 2003 sets clear rules for sending “commercial electronic messages”. If you’re unsure whether your current email or SMS practices are compliant, now’s the time to check. Penalties can be significant, and the reputational damage from a spam complaint can be even worse.
In this guide, we’ll explain what counts as a commercial electronic message, the three core legal requirements (consent, identification and unsubscribe), how the law applies in practice, and the steps you can take to build a compliant program from day one. We’ll also touch on related laws that often apply, like privacy and consumer protection.
Our goal is to make the rules simple and practical so you can communicate confidently - and compliantly - with your audience.
What Is A Commercial Electronic Message?
Under the Spam Act, a “commercial electronic message” is any email, SMS, MMS or instant message that has a commercial purpose. In plain English, your message is commercial if it:
- Offers, advertises or promotes goods or services
- Promotes a business, brand, investment or business opportunity
- Directly or indirectly seeks to increase sales, bookings or donations
This definition is broad. It will usually cover promotional newsletters, sales alerts, discount codes, cart abandonment messages, upsell sequences and referral offers. Messages sent via social media messaging platforms can also be captured if the purpose is to promote or sell.
There are limited exclusions. Purely factual messages (e.g. a service outage notice or appointment reminder) are exempt from the consent and unsubscribe requirements if they contain no promotional content, but they must still clearly identify the sender. Once you add a “by the way, here’s 10% off” to a factual message, it becomes a commercial message and all three requirements apply.
What Does The Spam Act 2003 Require?
The Spam Act is built around three core obligations. If you’re sending commercial electronic messages in Australia, you must meet all three:
- Consent - You need the recipient’s permission before you send a commercial message. Consent can be:
  - Express consent: someone directly opts in (e.g. subscribes on your website or ticks a “yes, send me marketing” box).
  - Inferred consent: there’s an existing relationship and it’s reasonable to expect marketing (for example, a recent customer who provided their email in the course of a purchase where marketing was a reasonable expectation). Inferred consent doesn’t last forever and weakens over time.
- Identification - Every message must clearly identify your business as the sender and include accurate contact details (e.g. business name and an email address, phone number or physical or PO Box address).
- Unsubscribe - Include a functional and easy-to-use unsubscribe option in every message. It must be free (or standard rate for SMS), work reliably for at least 30 days after the message is sent, and unsubscribe requests must be actioned within five business days. Don’t make people log in, complete a survey or provide extra personal information to opt out.
There are also important “don’t” rules:
- Don’t use or supply address-harvesting software or lists that have been created with it.
- Don’t buy third-party lists unless you can verify that each contact has valid, transferable consent for your specific marketing.
- Don’t disguise or falsify your sender identity or routing information.
If your marketing mixes channels (for example, email, SMS and phone calls), remember separate rules also apply to calls and do-not-call obligations. If you use phone-based outreach, make sure you’re across Australia’s telemarketing laws as well.
How To Build A Compliant Email And SMS Program
Compliance doesn’t have to be complicated. Here’s a practical framework you can use to set up (or audit) your marketing program.
1) Design Consent Flows That Are Clear And Recorded
- Use explicit, opt-in consent wherever possible. Keep consent separate from other terms - no pre‑ticked boxes.
- Explain what people are signing up for (e.g. “weekly product updates and offers”).
- Record when, how and from where you obtained consent. Your CRM or email platform should capture timestamp, source and method. Good records help if a complaint arises.
- Be cautious relying on inferred consent. It’s context-specific and diminishes as time passes without engagement.
If you collect personal information during sign-up, you’ll likely need a clearly accessible Privacy Policy that explains how you handle that data.
2) Standardise Your Templates
- Ensure your sender identification is consistent and accurate (legal/business or trading name and contact details).
- Add a clear unsubscribe link in emails and a “Reply STOP to unsubscribe” option in SMS where supported.
- Remove promo content from operational notices that you intend to treat as purely factual (e.g. appointment reminders).
Template consistency reduces the chance that a one-off campaign forgets an essential element. If your marketing runs through a website or app, pair your messaging with up-to-date Website Terms & Conditions that govern platform use.
3) Test Your Unsubscribe And Suppression Processes
- Check unsubscribe links regularly and confirm they work for at least 30 days post-send.
- Verify that opt-outs are applied across all relevant lists and channels within five business days.
- Make sure suppressed contacts can’t be accidentally re-added by integrations or manual uploads.
It’s important the opt-out is “simple and functional” - if it’s hard to find or doesn’t work, that can trigger a breach even if you included a link.
4) Train Your Team And Set Role-Based Permissions
- Explain what counts as a commercial message and when consent is needed.
- Provide simple rules of thumb (e.g. “no pre-ticked boxes”, “never add someone from a business card unless they’ve opted in”).
- Restrict who can upload lists, change template footers or adjust unsubscribe settings.
A short playbook plus access controls go a long way to preventing accidental non‑compliance.
5) Keep Your Data Practices Tight
- Collect only what you need and store it securely.
- Use a purpose-built email/SMS platform that supports consent capture, suppression and auditing.
- Set sensible retention rules - don’t keep old lists “just in case”. Deleting stale data reduces risk and cost, and (where the Privacy Act applies to you) supports the obligation to destroy or de-identify personal information you no longer need.
6) Review Third-Party Lists And Integrations
- Avoid purchased lists unless you have robust proof of express, transferable consent for your marketing. “Consent to receive emails from ‘partners’” is rarely sufficient.
- Audit integrations (e.g. ecommerce, CRM, events) to ensure opt-ins are captured correctly and suppression flags sync in both directions.
7) Establish A Complaint Handling Process
- Respond quickly and courteously. Confirm the unsubscribe and check for system gaps.
- Keep a record of the complaint, what you found and how you fixed it.
- Use complaints as a trigger to improve your process or templates.
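As an added illustration of the framework above (not Sprintlaw’s code or any marketing platform’s API), the Python module below models the record-keeping steps 1, 3 and 6 describe: a consent ledger that stores when, how and from where consent was obtained; a send gate that refuses to send without a current consent record; a suppression list that takes effect the moment an opt-out is requested, flags requests left unactioned past five business days, and cannot be undone by a later list upload or CRM sync. The 30-day and five-business-day figures are the ones this guide cites; the 365-day limit on inferred consent is an assumed internal policy, not a statutory figure (the Spam Act sets no fixed period), public holidays are ignored, and every contact in it is constructed sample data.

```python
"""Consent ledger and send gate for an email/SMS program (added illustration).

Not Sprintlaw's code or any vendor's API. INFERRED_MAX_AGE is an assumed
internal policy; the other two figures are the ones the guide cites.
Public holidays are ignored and all contact data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

INFERRED_MAX_AGE = timedelta(days=365)          # assumed internal policy, not statutory
UNSUBSCRIBE_LINK_VALID_FOR = timedelta(days=30)  # link must keep working this long post-send
OPT_OUT_BUSINESS_DAYS = 5                         # opt-outs actioned within five business days


@dataclass
class Consent:
    contact: str        # email address or mobile number
    channel: str        # "email" or "sms"
    kind: str           # "express" or "inferred"
    source: str         # where it was captured, e.g. "web-signup-form"
    obtained_at: datetime


@dataclass
class OptOut:
    requested_at: datetime
    actioned_at: datetime | None = None


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by Monday-to-Friday days (public holidays ignored)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


@dataclass
class ConsentLedger:
    consents: dict[tuple[str, str], Consent] = field(default_factory=dict)
    opt_outs: dict[str, OptOut] = field(default_factory=dict)

    def record_consent(self, consent: Consent) -> bool:
        """Store consent unless the contact opted out: an upload or sync never undoes a suppression."""
        if consent.contact in self.opt_outs:
            return False
        self.consents[(consent.contact, consent.channel)] = consent
        return True

    def import_list(self, consents: list[Consent]) -> list[str]:
        """Bulk-load a list; returns the contacts rejected because they opted out."""
        return [c.contact for c in consents if not self.record_consent(c)]

    def request_opt_out(self, contact: str, at: datetime) -> None:
        """Log the request; sending stops immediately, before the job actions it."""
        self.opt_outs.setdefault(contact, OptOut(requested_at=at))

    def apply_opt_outs(self, now: datetime) -> int:
        """Action pending requests across every channel; returns the number actioned."""
        actioned = 0
        for contact, opt_out in self.opt_outs.items():
            if opt_out.actioned_at is None:
                for key in [k for k in self.consents if k[0] == contact]:
                    del self.consents[key]
                opt_out.actioned_at = now
                actioned += 1
        return actioned

    def overdue_opt_outs(self, now: datetime) -> list[str]:
        """Requests still not actioned after the five-business-day deadline."""
        return [c for c, o in self.opt_outs.items() if o.actioned_at is None
                and now > add_business_days(o.requested_at, OPT_OUT_BUSINESS_DAYS)]

    def can_send(self, contact: str, channel: str, now: datetime) -> tuple[bool, str]:
        """Gate every commercial send: opted out? consent on record? inferred still fresh?"""
        if contact in self.opt_outs:
            return False, "opted out"
        consent = self.consents.get((contact, channel))
        if consent is None:
            return False, "no consent on record"
        if consent.kind == "inferred" and now - consent.obtained_at > INFERRED_MAX_AGE:
            return False, "inferred consent stale; seek express opt-in"
        return True, f"{consent.kind} consent via {consent.source}"


def run_scenario() -> dict[str, object]:
    """Walk one contact lifecycle on constructed sample data; returns the gate decisions."""
    ledger = ConsentLedger()
    ledger.record_consent(Consent("ana@example.com", "email", "express", "web-signup-form", datetime(2024, 1, 15)))
    ledger.record_consent(Consent("0400000000", "sms", "inferred", "checkout", datetime(2022, 3, 1)))
    monday = datetime(2024, 6, 3)
    r = {"express_ok": ledger.can_send("ana@example.com", "email", monday),
         "inferred_stale": ledger.can_send("0400000000", "sms", monday)}
    ledger.request_opt_out("ana@example.com", monday)
    r["after_request"] = ledger.can_send("ana@example.com", "email", monday)
    r["overdue_on_deadline"] = ledger.overdue_opt_outs(datetime(2024, 6, 10))  # five business days on
    r["overdue_next_day"] = ledger.overdue_opt_outs(datetime(2024, 6, 11))
    r["actioned"] = ledger.apply_opt_outs(datetime(2024, 6, 11))
    # A later CRM sync tries to re-add the opted-out contact and must be rejected.
    r["rejected_on_import"] = ledger.import_list(
        [Consent("ana@example.com", "email", "express", "crm-sync", datetime(2024, 6, 12))])
    return r
```

The design choice worth copying is that the opt-out is written to the suppression list first and the send gate checks that list before anything else, so a contact stops receiving messages the moment they ask, even if the job that cleans up consent records runs later. Whatever platform you use, the same three questions (is this contact suppressed, do we hold a consent record for this channel, is that consent still fresh) should be answered in that order before every send, and the suppression list should win over any import.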
Who Enforces The Spam Act - And What Are The Penalties?
The Australian Communications and Media Authority (ACMA) enforces the Spam Act. ACMA can investigate complaints, conduct audits, issue formal warnings and infringement notices, accept enforceable undertakings, and apply to the courts for civil penalties.
Penalties scale with the seriousness and volume of non-compliance, and court-ordered penalties can reach hundreds of thousands of dollars, and into the millions for large or repeated breaches. Beyond fines, public enforcement actions can damage trust with your customer base - which is often the bigger cost.
ACMA expects organisations to have robust systems, not just good intentions. That’s why audits, staff training and documented consent records matter.
How Does The Spam Act Apply To Overseas Messages?
The Spam Act applies where there is an “Australian link”. In practice, this generally covers messages that are sent from, to, or on behalf of businesses in Australia. If your marketing originates here, the Spam Act rules will apply regardless of where the recipient is located.
If you market to people in other countries, you should also check the spam rules in those jurisdictions. Many have similar (and sometimes stricter) consent and unsubscribe requirements. Building to the higher standard across the board usually keeps things simpler and safer.
Other Australian Laws That Also Matter
Your email and SMS program doesn’t operate in a vacuum. A few other laws commonly apply alongside the Spam Act:
- Privacy Act 1988 - If you collect and use personal information, privacy obligations may apply. Many small businesses under $3 million in annual turnover are not “APP entities”, but there are important exceptions (for example, health providers and some businesses trading in personal information). Having a clear, accessible Privacy Policy and a practical privacy program is best practice and often expected by customers.
- Australian Consumer Law (ACL) - Your marketing must be accurate and not misleading. Claims in your emails or SMS are subject to the misleading or deceptive conduct prohibition in section 18 of the ACL, covered in detail in our guide to section 18.
- Data Security And Breach Response - If you handle customer data, you should be prepared for incident management. Many businesses put a Data Breach Response Plan in place so the team knows what to do if something goes wrong.
- Channel-Specific Rules - If you also make marketing calls, review Australia’s telemarketing rules and do-not-call obligations.
If your industry is regulated (for example, financial services or health), there may be extra requirements for how, when and to whom you can market. It’s worth getting targeted advice before launching campaigns in a regulated space.
Essential Legal Documents And Practical Policies
Good documents support compliance and make your marketing more transparent for customers. Consider the following:
- Privacy Policy: Explains what personal information you collect (e.g. email, phone number), why you collect it, how you use it for marketing and how people can opt out. Most businesses that collect personal information should publish a clear Privacy Policy on their website and link to it from sign-up forms.
- Website Terms & Conditions: Set the ground rules for using your website or app, including acceptable use and contact information. These pair well with your Privacy Policy and can be implemented via Website Terms & Conditions.
- Consent And Preference Records: While not a public document, your internal processes should maintain reliable consent logs and suppression lists. This is essential evidence if ACMA asks questions.
- Privacy Notices At Collection: Short, plain-language disclosures on sign-up forms that point to your full policy. Many businesses add a simple Privacy Collection Notice to capture this clearly.
- Email Footer And SMS Templates: Standardised identification, contact details and unsubscribe wording reduce the risk of one-off mistakes.
Not every business needs a long list of documents, but having the essentials in place - and tailored to how you operate - will make compliance easier and your customer experience stronger.
Common Mistakes (And Easy Ways To Avoid Them)
Even diligent teams can slip up. Here are frequent pitfalls we see - and how you can stay clear:
- Relying on old contacts - Treat very old customers as “cold” unless they’ve recently engaged or opted in again. Consent weakens over time.
- Pre-ticked boxes - Consent must be positive and clear. Remove default opt-ins from forms.
- Missing or broken unsubscribe links - Build a checklist into your campaign QA and periodically test links and “STOP” replies.
- Purchased lists with vague consent - Don’t send to third-party lists unless you can prove specific, express and transferable consent for your marketing.
- Promoting in “factual only” messages - If you want to use the factual message carve-out, keep it strictly factual and still include clear identification.
- Poor record-keeping - If you can’t show when and how consent was obtained, defending a complaint becomes difficult. Use your platform’s consent and suppression fields properly.
If you’re ever unsure whether a message is “commercial”, assume the Spam Act applies and build it to the higher standard.
Key Takeaways
- The Spam Act 2003 applies to marketing emails, SMS, MMS and instant messages sent for commercial purposes in Australia.
- You must have consent, clearly identify your business and include a simple, working unsubscribe in every commercial message.
- Keep reliable consent and suppression records, standardise your templates and test your unsubscribe process regularly.
- ACMA enforces the rules and expects robust systems, not just good intentions - penalties can be significant.
- Privacy, consumer law and data security obligations often sit alongside anti-spam rules, so align your program with a clear Privacy Policy, Website Terms & Conditions and sensible internal processes.
- Avoid common traps like pre-ticked boxes, purchased lists without solid consent, and mixing promotions into messages you intend to treat as purely factual.
If you would like a consultation on ensuring your email and SMS marketing complies with Australian law, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.