Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email can be one of the most effective ways to reach customers in Australia - it’s fast, affordable and measurable.
But there’s a catch: sending unsolicited emails comes with strict legal obligations. If you don’t get the rules right, you risk complaints, regulator action and damage to your brand.
This guide explains what counts as unsolicited email (often called “spam”), how Australia’s laws apply to businesses of all sizes, and the practical steps you can take to build a compliant email program that supports growth - not legal headaches.
Whether you’re sending newsletters, promotional offers or one-off announcements, the aim here is simple: help you send smarter, lawful emails that your audience actually wants.
What Counts As Unsolicited Email?
Unsolicited email is any commercial email sent to someone who hasn’t agreed to receive it from you.
Typical examples include:
- Cold marketing emails to people who haven’t opted in
- Promotions sent to addresses scraped from websites or social media without consent
- “Email blasts” to purchased or rented lists
By contrast, emails are generally not “unsolicited” where you have valid consent (for example, someone signs up to your list through your site) or you can rely on a narrow form of inferred consent in specific, limited scenarios.
Even when an email is permitted, you still need to meet identification and unsubscribe requirements. Australia’s email marketing laws are detailed, and the regulator expects you to have systems in place - not just good intentions.
How Australia’s Spam Rules Work
What Law Applies?
In Australia, commercial electronic messages (including email, SMS and certain instant messages) are regulated by the Spam Act 2003 (Cth), which is enforced by the Australian Communications and Media Authority (ACMA).
The Act applies where there’s an “Australian link” - for example, messages sent from Australia, to recipients in Australia, or about Australian products or services.
To comply, every commercial email you send must meet three core duties:
- Consent - you must have express or, in limited circumstances, inferred permission to contact the recipient
- Identification - your email must clearly identify you and include accurate contact details
- Unsubscribe - you must provide a functional, easy way to opt out that you action promptly
Consent Basics (Express vs Inferred)
Express consent is when someone actively agrees to receive your messages - for example, by ticking a box on a sign-up form, entering an email address with a clear statement about receiving marketing, or confirming via a double opt-in email.
Inferred consent may exist from a business relationship where it’s reasonable to expect related marketing (for example, a recent paying customer receiving product update emails). This is narrower and riskier than many businesses assume. If in doubt, don’t rely on inference - get express consent.
Good practice includes:
- Use clear, plain-language sign-up forms and record timestamps, source pages and consent wording
- Prefer double opt-in for higher-risk lists (e.g. competition entries) to reduce complaints
- Do not use purchased lists - you are responsible for ensuring valid consent exists
Identification And Unsubscribe Requirements
Your email must clearly identify who you are and provide accurate, current contact details (for example, your business or trading name, and a working email address/telephone number). A physical address is not specifically required by the Spam Act, but many businesses include it as an additional trust signal.
A functional unsubscribe facility must be present in every commercial email. Key points:
- Make the unsubscribe option easy to find - don’t bury it in tiny text
- Process unsubscribe requests within five business days (sooner is better)
- Don’t require a log-in, payment or additional personal data to unsubscribe
Many businesses also include an email disclaimer for non-marketing emails. Disclaimers don’t replace your obligations under the Spam Act, but they can help set expectations and reduce confusion.
Documents, Policies And Systems Your Business Should Have
Compliance isn’t just about what you put in an individual email - it’s also about the legal documents and operational processes behind your marketing. The following tools help you do both well.
- Privacy Policy: If you collect names, emails or other personal information, you should explain how you collect, use and store that data. Under the Privacy Act, a Privacy Policy is legally required for Australian Privacy Principles (APP) entities (generally businesses with annual turnover above $3 million, or smaller businesses that meet specific criteria such as handling certain health information). Even if you’re not an APP entity, having a transparent Privacy Policy builds trust and supports good practice.
- Privacy Collection Notice: Present this at the point of sign-up to tell people what you’re collecting, why and how to contact you. A clear Privacy Collection Notice helps make consent informed - a critical part of lawful marketing.
- Website Terms & Conditions: If people subscribe via your site, your Website Terms and Conditions should cover user conduct, acceptable use and any rules around promotions and account access. This is also a good place to set expectations about content and service availability.
- Cookie Policy (and consent banner): If you use analytics or marketing cookies to build audiences or personalise emails, a transparent Cookie Policy and consent mechanism is important for privacy compliance and customer trust.
- Data Processing Agreement (DPA): If you use overseas email platforms, CRMs or contractors, a robust Data Processing Agreement clarifies roles, security and cross‑border handling of personal information.
- Internal procedures and training: Document how your team collects consent, verifies list sources, manages unsubscribes and handles complaints. For broader governance, a practical workplace policy framework can include data handling and communications protocols.
Remember consumer law still applies to your content. Your claims must be accurate and not misleading or deceptive under the Australian Consumer Law (see section 18). If you run promotions, set clear conditions and honour them.
Penalties And Common Mistakes
ACMA can investigate and take action where businesses breach spam rules. Enforcement options include formal warnings, infringement notices, enforceable undertakings and significant civil penalties (which can escalate for serious or repeat non-compliance).
Beyond penalties, non-compliance can lead to email deliverability problems, lost trust and reputational damage.
Common mistakes to avoid:
- Relying on purchased or scraped lists (you can’t outsource consent)
- Assuming a business card or a contact form enquiry equals marketing consent
- Sending from “no‑reply” addresses with no practical contact path
- Hiding or breaking your unsubscribe link - or failing to action opt-outs quickly
- Using vague sign-up wording that doesn’t make the marketing purpose clear
- Overlooking consumer law - exaggerating results, misusing “limited time” claims, or burying key conditions
If your model includes phone or SMS outreach alongside email, make sure your approach aligns with Australia’s telemarketing laws and the Do Not Call Register rules as well.
Practical Compliance Checklist
Use this quick checklist to review your email program against Australia’s spam rules. It’s not exhaustive, but it covers the essentials most SMEs need to get right.
Before You Send
- Collect express consent with clear, specific wording at sign-up (use double opt‑in for extra assurance)
- Capture and store consent records (date, method, page source and the exact consent text)
- Ensure your form includes a link to your Privacy Policy and a concise collection notice
- Configure your platform settings: sender information, reply-to address, unsubscribe link and processing rules
- Avoid purchased lists - build your audience through genuine sign-ups, lead magnets and customers
Every Email You Send
- Clearly identify your business or trading name and include accurate contact details
- Include a functional, visible unsubscribe link (no log-in, no fee, no friction)
- Say what the email is about in the subject line and avoid misleading headers
- Sense-check offers and testimonials against the ACL’s misleading and deceptive conduct rules
Ongoing Governance
- Action unsubscribe requests within five business days and suppress addresses across all systems
- Audit lists regularly - remove hard bounces and stale contacts to reduce complaints
- Train your team on consent and complaints handling; document your processes
- Review supplier contracts and put a Data Processing Agreement in place if you use third-party platforms or offshore support
- Keep your Website Terms & Conditions and Privacy Policy up to date as your practices evolve
Key Takeaways
- Unsolicited emails are tightly regulated in Australia - you need consent, clear identification and a simple unsubscribe in every commercial email.
- Express consent is best. Don’t rely on purchased lists or broad assumptions; build your audience with transparent sign‑ups and solid records.
- Your emails must be truthful and clear - Australian Consumer Law applies to your subject lines, claims and promotions.
- Put the right foundations in place: a transparent Privacy Policy, a clear collection notice, robust Website Terms & Conditions and, where relevant, a Data Processing Agreement.
- ACMA can issue warnings, undertakings and significant penalties. Strong processes, training and regular audits will keep you compliant and protect your reputation.
If you’d like a consultation on keeping your email marketing compliant in Australia - including policies, list practices and contracts with providers - contact us on 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.








