Spam Regulations 2021

The Spam Regulations 2021 are a Commonwealth legislative instrument made under the Spam Act 2003. The instrument was made on 18 March 2021, registered on 22 March 2021, and the whole instrument commenced on 1 April 2021.

For most businesses, these regulations are best understood as a targeted set of operational rules rather than a complete code for spam compliance. They deal with two main points. First, they state that a fax is not a commercial electronic message for the purposes of the Spam Act. Second, and more importantly for day-to-day marketing activity, they set conditions that must be met when a commercial electronic message includes an electronic address to be used for sending an unsubscribe message.

That means the regulations are especially relevant to businesses that send promotional emails, SMS campaigns or similar electronic marketing and rely on links, reply channels or web forms for opt-outs. If your unsubscribe process creates cost, friction or unnecessary data collection, these regulations are directly relevant.

Part 2 contains a classification rule. It says that, for the purposes of subsection 6(7) of the Spam Act, a fax is not a commercial electronic message for the purposes of the Act. Businesses that still use fax communications should note that this instrument expressly excludes fax from that category.

Part 3 contains the practical rules most businesses will care about. It specifies the conditions to be complied with by an electronic address set out in a commercial electronic message as the electronic address to be used to send an unsubscribe message. In plain terms, if your message tells a recipient where to send an unsubscribe request or gives them a link or address for opting out, that address and process must satisfy the conditions in the regulations.

The conditions focus on five practical areas: premium services, usual cost, fees and charges, personal information, and account access barriers. These are the parts businesses should test in real campaigns.

These regulations matter where a business sends a commercial electronic message and includes an electronic address for unsubscribe messages. In practice, that commonly covers marketing emails, SMS promotions, product announcements, event invitations, lead-nurture campaigns and other electronic communications with a commercial purpose.

The regulations are particularly relevant where unsubscribe functionality is not handled manually but through software settings, templates or outsourced providers. A business may assume it is compliant because a platform inserts an unsubscribe footer automatically, but the legal question is whether the actual address and process satisfy the conditions in operation.

Businesses that are carriers or carriage service providers are also in scope, but they should pay special attention to the limited exception dealing with certain ordinary carriage service charges. Businesses outside the telecommunications space should not assume that exception helps them.

On the other hand, the regulations themselves expressly say that a fax is not a commercial electronic message for the purposes of the Spam Act. That is a specific exclusion in this instrument. Apart from that, these regulations do not attempt to list every message type or every business model that may fall inside or outside the broader Spam Act.

The regulations include several definitions that matter in practice. They define premium service by reference to the Telecommunications Regulations 2021, other than a service mentioned in subparagraph 9(2)(b)(ii) of that instrument. Because this is a cross-reference to telecommunications law, businesses should be careful before using any unsubscribe channel that could involve premium-rate charging or a specialised paid service.

They also define related person in relation to the sender of a commercial electronic message. A related person is someone who receives, or may receive, payment of a fee or charge in relation to the use of an electronic address because of an agreement, arrangement or understanding with the sender. There is an exclusion for certain agreements between the sender and a carrier or carriage service provider where the charge imposed in that capacity is lower than it otherwise would have been.

The regulations also use terms drawn from other legislation. Carrier and carriage service provider have the same meanings as in the Telecommunications Act 1997. Personal information is used with the meaning it has in the Privacy Act 1988. Unsubscribe message has the meaning given by subsection 18(9) of the Spam Act.

For business owners, the practical point is that these regulations interact with other Commonwealth laws. If your unsubscribe process touches customer data, telecommunications charging or account systems, you may need to check more than one Act.

The regulations say the use of the electronic address must not require the recipient to use a premium service. This is a direct rule. If your unsubscribe path depends on a premium-rate number or another premium service, that is a clear compliance concern.

The electronic address also must not cost more to use than the usual cost of using that kind of electronic address, using the same kind of technology as was used to receive the commercial electronic message. This means businesses should compare the unsubscribe cost with the ordinary cost of using that type of channel in the same technological context. If a person receives an SMS, the unsubscribe method should not push them into an unusually expensive process for that kind of communication.

Subject to a limited exception, the use of the electronic address must not require the recipient to pay a fee or other charge to the sender or a related person. This is aimed at preventing businesses from making opt-out a paid process or structuring charges so that the sender or an associated party benefits from the unsubscribe route.

The regulations also say the use of the electronic address must not require the recipient to provide personal information, within the meaning of the Privacy Act 1988, other than the electronic address to which the commercial electronic message was sent. In practical terms, a business should not make a recipient provide extra identifying details just to stop future messages.

Finally, the regulations say the recipient must not be required to log in to an existing account or create a new account with the sender or with the individual or organisation who authorised the sending of the message. This is one of the clearest operational rules in the instrument. If your unsubscribe page sits behind an account wall, that setup should be reviewed.

The regulations include a specific exception to the no-fee rule. If the sender of the commercial electronic message is also a carrier or a carriage service provider, the rule against requiring the recipient to pay a fee or other charge does not apply to a fee or charge ordinarily imposed for the use of carriage services by the sender in that capacity and on a monthly or other periodic basis.

This is a narrow exception. It is tied to the sender being a carrier or carriage service provider, to the charge being ordinarily imposed for the use of carriage services, to the sender acting in that capacity, and to the charge being imposed on a monthly or other periodic basis.

Businesses outside that category should not rely on this exception. Even businesses within the telecommunications sector should read it carefully and check whether the charge in question really fits the wording of the regulation.

Compliance with these regulations depends on how the unsubscribe process works in reality. Businesses should review the message template, the linked page or reply path, the software settings behind it, and any charges or data fields the recipient encounters.

Start with every email footer, SMS opt-out instruction and automated campaign template. Then test the unsubscribe route exactly as a recipient would use it. If the message was received by SMS, check the cost and steps involved in unsubscribing through that channel or the linked method. If the message was received by email, check whether the link leads to a simple opt-out or to a login page, profile form or account creation flow.

Businesses should also review contracts and settings with agencies, CRM providers and marketing platforms. A default preference centre may ask for more information than the regulations allow, or a platform may redirect users into an account-based workflow that creates legal risk. Internal teams should know that convenience for the business is not the test. The test is whether the unsubscribe address and process comply with the conditions in the regulations.

Keeping dated records of templates, platform settings and testing can also help if a complaint later turns on how the unsubscribe process worked at a particular time.

An online store sends promotional emails with an unsubscribe link that takes the customer to a page requiring account login before preferences can be changed. That is a direct risk point because the regulations say the recipient must not be required to log in to an existing account or create a new one.

A business sends SMS promotions and tells recipients to unsubscribe by contacting a premium-rate number. That should be reviewed immediately because the regulations say the use of the electronic address must not require the recipient to use a premium service.

A software company routes unsubscribe requests through a web form that requires full name, phone number and business name before the request can be submitted. That is also a clear review point because the regulations say the recipient must not be required to provide personal information other than the electronic address to which the message was sent.

A franchise group uses a centralised unsubscribe footer, but the linked page is broken or redirects to a customer account portal. Even if the wording in the message looks standard, the actual unsubscribe address and process must satisfy the regulations in operation.

The instrument was made on 18 March 2021 and registered on 22 March 2021. The whole instrument commenced on 1 April 2021.

The regulations apply in relation to an electronic message sent on or after 1 April 2021. The instrument also contains a transitional rule preserving the old position for earlier messages. Despite the repeal of the Spam Regulations 2004, those earlier regulations continue to apply in relation to an electronic message sent before 1 April 2021 as if the repeal had not happened.

For most current business operations, the practical date is 1 April 2021. If you are assessing an older campaign or complaint, the date the message was sent matters because different regulations may apply.

These regulations sit under the Spam Act 2003 and should be read with it. The regulations themselves also refer to concepts drawn from the Privacy Act 1988 and the Telecommunications Act 1997, and they define premium service by reference to the Telecommunications Regulations 2021.

That means businesses should not treat this page as a complete statement of all legal requirements for electronic marketing. Before relying on it, check at least four things. First, confirm that your message is a commercial electronic message under the Spam Act. Second, confirm that your unsubscribe address and process satisfy the specific conditions in these regulations. Third, check whether your process collects or handles personal information in a way that also raises Privacy Act issues. Fourth, if you operate in telecommunications, check whether any carrier or carriage service provider concepts or charging arrangements affect your position.

Where campaigns are automated, outsourced or run across multiple brands, it is sensible to review the legal settings and the technical settings together. A compliant policy document will not fix a non-compliant unsubscribe workflow.