Spamalanche: when inbox overflow leads to penalty blow.

Author: bespoke

13/06/24 | Reading time: 3 minutes

It’s a spamalanche

In 2023, businesses paid almost $10 million in penalties for breaching the Spam Act 2003 (Cth) (Spam Act). This involved breaches by household names including Kmart, Ticketek, DoorDash and the Commonwealth Bank of Australia. This was a significant increase in penalties from previous years, showing that consumers are fed up with receiving spam messages and the Australian Communications and Media Authority (ACMA) is as vigilant as ever.

2024 appears to be no different and is moving along the same trajectory. Within the first 6 months of 2024, ACMA has already claimed its first offenders. Pizza Hut, Luxottica and Outdoor Supacentre have been hit with a combined $4,317,500 in penalties along with enforced undertakings for breaching the Spam Act by sending marketing emails or SMSes without consent, contact details and/or a functional unsubscribe facility.

Given recent events, it is important for businesses to familiarise (or re-familiarise) themselves with their obligations under the Spam Act.

What is spam?

Under the Spam Act, unsolicited commercial electronic messages are prohibited.

A commercial electronic message is any message:

  • sent by an internet carriage service; and
  • where the content of the message suggests that the purpose, or 1 of the purposes, of the message is to promote the goods or services of a business.

A business must have consent from the recipient to send, or cause to be sent, a commercial electronic message. Consent can be express or inferred.

Common ways to obtain express consent include potential recipients ticking an ‘opt-in’ box, filling out a form or providing written consent.

Consent may be inferred when a potential recipient has provided their contact details to a business and it is reasonable to believe the potential recipient would expect to receive commercial electronic messages as a result. It is important to note that a customer making a one-time purchase from a business does not constitute inferred consent to receive commercial electronic messages.

What are your obligations?

Get consent: before sending any commercial electronic message, ensure you have consent from the recipient. While consent can be express or inferred, express consent is more reliable.

Identify your business: ensure that every commercial electronic message identifies you as the sender. You must use the correct legal name of your business, or your name and ABN, and include relevant contact details (eg phone number, email address or website).

Make it easy to unsubscribe: all commercial electronic messages must have an ‘unsubscribe’ option with clear instructions.

If a recipient unsubscribes from your commercial electronic messages, you cannot:

  • charge them a fee for unsubscribing;
  • charge more than the usual amount for the messaging service (eg SMS charges);
  • require the recipient to provide additional personal information, or log in or create an account.

The ‘unsubscribe’ option must be functional for at least 30 days from the date the commercial electronic message is sent.

Any ‘unsubscribe’ request must be honoured within 5 working days.


Pecuniary penalties: in determining the pecuniary penalty, the Federal Court will consider the circumstances of the contravention, including:

  • the nature and extent of the contravention;
  • the nature and extent of any loss or damage suffered as a result of the contravention; and
  • whether the contravening business has previously breached the Spam Act.

As seen in the outcomes of the ACMA investigations, pecuniary penalties can amount to millions of dollars for a business.

Enforced undertakings: the ACMA can also enforce undertakings from a breaching business. This generally involves the business undertaking to take specific actions to improve its internal processes and policies to ensure compliance with the Spam Act (eg reviewing current processes, introducing policies, and training staff).

Injunction: the ACMA may apply to the Federal Court for an injunction to prevent a business from further contravention of the Spam Act.

Reputational damage: the ACMA publishes the outcome of its investigations on its website (see ‘Media releases’ and ‘Investigations into spam and telemarketing’). This may lead to reputational damage for businesses.

Contact us: If you need assistance with spam compliance, the Bespoke team is here to help.