Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re growing a small business or startup, marketing is likely high on your priority list. Email campaigns, SMS promotions and newsletter sign-ups can all be powerful ways to reach customers - but they can also create legal risk if your messages cross the line into spam.
The tricky part is that “spam” isn’t just a feeling (like “this message annoyed me”). In Australia, spam has a fairly specific meaning under the law, and there are clear rules about when and how you can send certain types of electronic marketing messages.
In this guide, we’ll break down what spam is under Australian law in a practical, business-friendly way, and show you how to build marketing processes that help you grow while staying compliant.
What Is Spam (In Australia)?
In an Australian business context, spam generally means an unsolicited commercial electronic message. Most spam compliance discussions in Australia relate to the Spam Act 2003 (Cth), which regulates certain types of marketing messages you send electronically.
So, when people ask what spam is, for small businesses the most useful answer is:
- Spam is a commercial electronic message (marketing or promotional in nature)
- sent without consent (or without a valid basis to rely on inferred consent)
- and/or sent without required sender details and a functioning unsubscribe option (that is easy to use).
Commercial electronic messages can include messages that:
- offer goods or services
- promote a business opportunity
- advertise a sale, discount, event or launch
- encourage someone to visit a website, app or store to buy something
Electronic messages often include:
- email marketing
- SMS marketing
- some instant messages (for example, messages sent to an electronic address or account, depending on how the message is delivered and used)
- some social media direct messages (these can be caught where they are sent to an “electronic address” and are commercial in nature - however, whether a particular platform/message is covered can depend on the facts)
Importantly, spam is usually about marketing - not operational messages. For example, sending a receipt, password reset, booking confirmation or shipping update is usually not “spam” (as long as it’s genuinely transactional and not primarily promoting or advertising something).
Why Small Businesses Should Care About Spam Compliance
It’s easy to think of spam rules as something that only applies to big companies sending mass email blasts. In reality, small businesses and startups can be exposed too - especially when you’re moving quickly and trying different growth tactics.
Spam compliance matters because it affects:
- Your legal risk: regulators can issue infringement notices and other penalties for non-compliance.
- Your deliverability: spam complaints and low engagement can push your emails into junk folders.
- Your brand trust: people remember businesses that ignore opt-outs or message without permission.
- Your systems as you scale: what “kind of worked” at 200 contacts can cause real problems at 20,000 contacts.
If you’re building an audience, raising capital, or trying to establish credibility with enterprise customers, having compliant marketing practices isn’t just about avoiding trouble - it’s part of running a professional operation.
What Are The Key Legal Rules Under Australia’s Spam Act?
For most businesses, the Spam Act boils down to three practical requirements. If you get these right, you’ll avoid most common spam issues.
1) Consent (Express Or Inferred)
You generally need consent to send commercial electronic messages.
There are two main types of consent:
- Express consent: someone clearly agrees to receive marketing (for example, ticking an opt-in box, signing up to a newsletter, or explicitly asking for promotions).
- Inferred consent: consent can sometimes be inferred from an existing relationship or the recipient’s conduct - but you should be careful here. It needs to be reasonable to believe the person would expect those messages.
A practical example: if a customer buys from you and gives you their email during checkout, you may be able to rely on inferred consent for certain marketing messages that are relevant to what they purchased - but it doesn’t mean you can automatically add them to unrelated campaigns forever.
If your business collects personal details through your website, a clear Privacy Policy can help you explain what you do with customer data and how marketing communications work in your business.
2) Identification (Be Clear About Who You Are)
Your marketing messages must clearly identify:
- who is sending the message (your business name is a good starting point)
- how to contact you (for example, a contact email address, phone number, or other business contact details)
This sounds simple, but it’s a common problem for startups that send messages from generic domains or personal accounts without clear business identification.
3) Unsubscribe (It Must Work, And It Must Be Easy)
If you’re sending commercial messages, you need a functional unsubscribe option.
In practice, that means:
- email: an unsubscribe link that actually works and is easy to find
- SMS: a clear opt-out method (often “Reply STOP” or similar)
- timing: unsubscribe requests must be honoured within 5 business days
- validity: your unsubscribe facility must remain functional for at least 30 days after the message is sent
From a business perspective, the most important thing is to build a system you can stick to. If someone opts out, you should not keep messaging them “just one more time” - that’s often what triggers complaints.
Common Scenarios: Is This Spam Or Legit Marketing?
To make the concept of spam more practical, here are common situations we see for small businesses - and what to watch out for.
Emailing A Purchased Or Scraped List
Buying a list or scraping emails from websites is one of the fastest ways to create spam risk.
Even if a list provider claims the contacts are “opted in”, your business still needs to be confident there is valid consent for you to send marketing messages. If you can’t back that up, you’re exposed.
If you’re doing email campaigns, it’s also worth ensuring your overall approach aligns with email marketing laws more broadly (including how you obtain consent and how you manage opt-outs).
Cold Outreach To Businesses (B2B Emails)
A lot of startups rely on B2B outreach. The mistake is assuming “it’s a business email, so it doesn’t count”.
Spam rules can still apply to commercial electronic messages sent to business addresses. The key question is whether you have consent (including inferred consent) and whether you’re meeting identification and unsubscribe requirements.
From a practical standpoint, cold outreach is safest when:
- it’s targeted and relevant (not bulk-blasted)
- you clearly identify your business
- you include an unsubscribe mechanism (even in a one-to-one email)
- you keep good records of why you believed the person would expect your message
SMS Marketing After A Customer Purchase
SMS can feel more personal - which is exactly why people are quick to complain when it’s unwanted.
If you’re collecting mobile numbers, be very clear at the point of collection whether the customer is agreeing to receive marketing texts. A well-drafted privacy collection notice can support this by explaining what you’re collecting and why, including marketing communications (where appropriate).
Transactional Emails With Marketing “Added On”
Many businesses put marketing content into transactional emails (for example: “Your invoice is attached… also check out our new sale!”).
This can be fine, but be careful: if the message becomes primarily promotional, it may be treated as a commercial electronic message - meaning you need to meet spam requirements (including unsubscribe).
A safer approach is to keep transactional messages genuinely transactional, and send promotions through your proper marketing channels where consent and unsubscribe are already built in.
Messages Through Your App Or Platform
If you operate a platform, marketplace or app, spam risk can show up in unexpected places - for example, direct messages sent between users, or automated marketing notifications.
Having clear rules in your Website Terms and Conditions can help set expectations for how your messaging features can be used (and reduce misuse that could reflect badly on your business).
How To Build A Spam-Safe Marketing Process (Without Killing Growth)
Most spam problems happen when marketing moves faster than operations. The solution isn’t “stop marketing” - it’s putting a few sensible guardrails in place.
Step 1: Map Your Message Types
List the messages your business sends, such as:
- newsletter emails
- promotional emails (sales, launches, events)
- abandoned cart emails
- transactional emails (receipts, bookings)
- SMS campaigns
- one-to-one outreach messages
Then decide which are truly “marketing” and which are “operational”. This helps you apply the right compliance steps to the right messages.
Step 2: Choose A Consent Strategy You Can Prove
For most startups, the easiest “clean” approach is to build express consent into your systems:
- clear opt-in checkboxes (not hidden, not confusing)
- plain-English sign-up wording (what are they signing up for?)
- double opt-in for newsletters (optional, but helpful for quality and proof)
And just as important: keep records. If you ever need to show how you got consent, you’ll want to be able to point to the sign-up source and date.
Step 3: Make Opt-Out Management Automatic
The more manual your unsubscribe process is, the more likely it will fail under pressure.
Where possible:
- use systems that automatically update lists when a person unsubscribes
- avoid exporting/importing lists across tools without syncing unsubscribe status
- ensure your team knows not to add opted-out contacts back into campaigns
If you run a platform or have user-generated content, an acceptable use policy can also help you manage misuse (for example, users spamming other users through your systems).
Step 4: Audit Your Templates
Create standard templates for marketing emails and SMS that always include:
- your business name
- contact details
- a clear unsubscribe option
This reduces the risk that someone on your team sends a campaign “quickly” and forgets a required element.
Step 5: Train Your Team (Even If It’s Just Two People)
Many spam mistakes happen when:
- a founder exports contacts into a new tool
- a contractor runs a campaign without understanding consent
- sales and marketing both message the same lead after an opt-out
A short internal guideline (even a one-page checklist) can prevent a lot of issues.
What Happens If You Get It Wrong? Penalties, Complaints And Damage Control
If you send spam, the consequences can range from mild to serious, depending on what happened, how often it happened, and how you respond.
Customer Complaints And Reputation Damage
Even before you get to formal enforcement, spam complaints can hurt:
- your email domain reputation and deliverability
- your brand (especially if complaints are public)
- your conversion rates (people stop trusting your messages)
Regulatory Action
Australian regulators can take action for spam breaches, including issuing infringement notices and other enforcement steps. For a small business, the bigger issue is often that enforcement (or even an investigation) can become a major distraction at a time when you’re trying to grow.
How To Respond If Someone Says You Spammed Them
If you receive a complaint, a practical approach is:
- confirm the person has been unsubscribed immediately
- check how their details entered your database (and whether you can evidence consent)
- review whether your message included identification and unsubscribe
- fix the underlying process (not just the one complaint)
If you suspect there’s been a broader issue (for example, you imported the wrong list or a system failed to process opt-outs), it’s worth tightening your internal marketing processes and list management to prevent repeats.
Key Takeaways
- What is spam? In Australia, spam is typically a commercial electronic message sent without consent, and/or without proper sender identification and a working unsubscribe option.
- To stay compliant, focus on the three core requirements: consent, identification, and unsubscribe.
- Small businesses and startups are still exposed - especially if you’re using purchased lists, running fast campaigns, or relying on unclear “inferred” consent.
- Build repeatable systems: clear opt-ins, good record-keeping, standard message templates, and automatic opt-out handling.
- Good spam compliance isn’t just legal risk management - it also protects your brand and improves marketing performance long-term.
If you’d like help reviewing your marketing approach, customer sign-up flows, or website legal documents so you can grow confidently, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.