Spam Act 2003

The Spam Act 2003 (Cth) is the main Australian law regulating commercial electronic messages with an Australian link, including marketing emails, SMS, MMS and similar messages. It is not limited to bulk spam or large campaigns. For most businesses, the practical compliance questions are whether you have consent, whether the sender is accurately identified, and whether the message includes a functional unsubscribe facility. The Act also covers businesses that authorise messages to be sent on their behalf and contains separate rules about address-harvesting software and harvested-address lists. That makes bought, scraped or poorly documented contact databases especially risky. Because the Act includes civil penalties and enforcement tools, businesses should treat sign-up wording, list management, template design and opt-out handling as legal compliance processes, not just marketing admin.

In force | Commonwealth | Plain-English guide | 5 key obligations

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

What the Act covers

The Spam Act 2003 (Cth) regulates commercial electronic messages with an Australian link. The Act structure shows that it deals with electronic messages, commercial electronic messages, the Australian link concept, authorising the sending of messages, sender information, unsubscribe facilities, and separate rules about address-harvesting software and harvested-address lists.

For most businesses, the practical focus is email, SMS, MMS and similar electronic messaging used for promotions. The law is broader than the everyday idea of spam. It is not only about obvious mass unsolicited campaigns. If a message is commercial in purpose, the Act can matter even where the message volume is small or the communication is partly operational and partly promotional.

That means businesses should look closely at newsletters, sale announcements, promotional SMS campaigns, upgrade prompts, loyalty offers, re-engagement campaigns and follow-up messages after a purchase or enquiry. If the message promotes goods, services, land, a business opportunity or the business itself, it should be checked against the Act.

Who is in scope

The Act commonly affects businesses that collect customer contact details and later use those details for marketing. That includes online retailers, subscription businesses, professional services firms, venues, clinics, gyms, trades, consultants and app-based businesses. It also matters to organisations that send campaigns to business contacts, not just consumers.

The Act is also relevant where a business authorises messages to be sent on its behalf. If you instruct an agency, franchise operator, software provider or internal marketing team to send a campaign, you should assume the law may still be relevant to your business. Responsibility is not limited to the person who physically sends the message.

The Act also refers to carriage service providers and contains designated message rules in Schedule 1 and consent rules in Schedule 2. Those details matter in edge cases, but for most businesses the starting point is simple: if you are sending or arranging promotional electronic messages connected to Australia, you should check compliance before sending.

Trigger points businesses often miss

Common trigger points arise well before a campaign is launched. A website newsletter form, a checkout page collecting an email address, a booking form asking for a mobile number, a CRM import, or a client-supplied contact list can all create Spam Act issues later if the consent pathway is unclear.

Another common problem is assuming that an existing customer relationship automatically allows broad marketing. The Act deals with consent, and businesses should be careful not to stretch that concept beyond what the person actually agreed to receive. A person who gave an email address for a receipt, support request or booking confirmation may not have agreed to ongoing promotions.

Mixed-purpose messages are another risk area. A service update that also promotes an upgrade, or an appointment reminder that includes a discount offer, may need to be treated as a commercial electronic message. Businesses should review the overall purpose and content of the message rather than relying on the label attached to it internally.

Sender identification and unsubscribe obligations

The Act requires commercial electronic messages to include accurate sender information and a functional unsubscribe facility. These are core legal requirements, not optional campaign features. Every relevant template should be built with these requirements in mind before it is used.

Accurate sender information means the recipient should be able to identify who is behind the message. If your business trades under a brand, uses multiple entities or sends through a third-party platform, the message should still clearly identify the sender. Businesses should avoid vague branding that leaves the recipient guessing who contacted them.

The unsubscribe facility must be functional. Businesses should make sure the opt-out process actually works in practice and is not blocked by technical or design choices. The Act also deals with when withdrawal of consent takes effect in Schedule 2. Businesses should check their templates, reply pathways and suppression processes carefully before sending campaigns.

Common failures include broken links, requiring a login to unsubscribe, making the recipient take unnecessary steps, or failing to update all relevant lists after an opt-out. If a person unsubscribes from one campaign but remains on another marketing list in your systems, your process may still create risk.

Address-harvesting and list buying

Part 3 of the Act contains separate rules about address-harvesting software and harvested-address lists. Even without going into technical detail, the practical message for businesses is clear: scraped, harvested or poorly documented contact databases are a major risk area.

This matters because many businesses are offered lead lists, industry databases or outsourced prospecting services that appear efficient but create legal exposure. A seller may say the contacts are public, targeted or business-related, but that does not answer the consent question. It also does not remove the separate concerns the Act raises about harvested-address lists.

Before using any third-party list, businesses should be able to explain where the addresses came from, how they were collected, what consent supports the proposed campaign, and whether there is any connection to address harvesting. If those questions cannot be answered clearly, the safer course is not to use the list until the position is properly checked.

Operating checklist for businesses

A practical compliance approach is to treat the Spam Act as a systems issue rather than a one-off legal review. Your business should know where each contact came from, what they agreed to receive, which messages are commercial, who is identified as the sender, and how opt-outs are processed across all systems.

This is especially important if you use multiple tools such as ecommerce software, booking systems, CRMs, SMS platforms and external agencies. A person who unsubscribes in one system should not continue receiving marketing from another list that was never updated. Businesses should also make sure their privacy materials, sign-up wording and campaign practice tell the same story.

If your team cannot explain the consent pathway in plain English, that is usually a sign the process needs work. Edge cases such as inferred consent, mixed transactional and promotional messages, cross-border campaigns and third-party lead sources should be reviewed carefully before scaling up.

Plain-English glossary

Commercial electronic message
An email, SMS or similar message whose purpose is to advertise, promote or offer goods, services or a business.
Consent
Express or inferred permission to send marketing messages; the sender must be able to show how consent was obtained.
Functional unsubscribe
A clear opt-out facility that works for at least 30 days after the message is sent and is honoured promptly.

Common questions

Do I need consent for every marketing email?

Yes. Consent can be express or inferred from an existing relationship, but you must be able to demonstrate it. Keep records of when and how each contact opted in.

Does the Spam Act apply to SMS too?

Yes. The rules cover email, SMS, MMS and instant messaging — any commercial electronic message sent to an Australian account.

How quickly must I action an unsubscribe?

Honour opt-out requests within five business days, and make sure the unsubscribe facility stays functional and free to use.

Update history

Reviewed 28 Feb 2026

Spam Act flagged for marketing compliance review

Email and SMS marketing rules under the Spam Act were reviewed for the tracker, with a focus on consent and unsubscribe handling.