ACMA goes ham on spam Is your business in breach of the Spam Act

What you need to know

• In recent years, the Australian Communications and Media Authority (ACMA) has become increasingly active in investigating and pursuing breaches of the Spam Act 2003 (Cth).  
• In January 2021, an ACMA investigation found that online retailer, Kogan, breached the Spam Act by sending over 42 million marketing emails to consumers which were difficult for consumers to unsubscribe from. 
• Kogan agreed to a court-enforceable undertaking and paid $310,000 in fines for the breach, adding to the over $2,100,000 worth of infringement notices for breaches of the Spam Act that have been issued by ACMA in the past 2 years. 
• In the wake of Kogan’s breach, Parliament introduced the new Spam Regulations 2021 in April 2021. The new Spam Regulations expressly prohibit companies from requiring commercial electronic message (CEM) recipients to log into their account, or sign up for an account, to unsubscribe from receiving CEMs.

What you need to do

• Ensure that all marketing messages sent to consumers, whether by email, live chat, push notification or otherwise, are Spam Act compliant and that employees who prepare and send marketing messages are aware of the requirements of the Spam Act and the Spam Regulations. 
• Conduct regular tests and reviews of all electronic communications sent to customers to ensure compliance with the requirements of the Spam Act.

As businesses increasingly adopt new technological developments to push offers, services and products on consumers using email, SMS, push notifications, live chat, and other instant electronic messages, the risk of inadvertent Spam breaches increases and it becomes increasingly complex to manage those risks. 

In 2020, Optus was fined $504,000 for sending unsolicited marketing to consumers who had opted out of receiving such communications. 

More recently, in January 2021, Kogan agreed to a court-enforceable undertaking and paid over $310,000 in fines after an ACMA investigation, prompted by consumer complaints, found that Kogan had sent more than 42 million emails to consumers from which they could not easily unsubscribe. 

Specifically, Kogan was requiring consumers who sought to unsubscribe from receiving marketing emails to take additional steps including setting a password and logging into a Kogan account in order to successfully unsubscribe, in breach of the requirement under the Spam Act for marketing messages to include a "functional unsubscribe facility". 

Given ACMA’s increasing activity in this space, and the introduction of the new Spam Regulations 2021 in April, it is timely to remind businesses how the Spam Act operates, and how they can avoid the ire of the regulator.

Sending marketing emails and messages

The Spam Act regulates when and how Australian companies can send “commercial electronic messages”, including marketing emails, SMS, MMS, push notifications, instant messages, and live chat messages in particular circumstances.  

What is a Commercial Electronic Message?

The types of messages captured as CEMs under the Spam Act are very broad. In summary, a message will be a CEM if:

1. it is an “electronic message”

The meaning of “electronic message” is broad, and likely to capture emails, SMSs, MMSs, push notifications, instant messages and live chat messages in particular circumstances.

The only express exception from the definition of “electronic message” are voice calls, including by way of synthetic voice or human voice recording. It follows that telephone calls and recorded menu options are not captured by the Spam Act. However, businesses should keep in mind that there are separate obligations in relation to voice calls under the Do Not Call Register Act; and   

2. having regard to the content of the message, and the way it is presented, including any links contained in the content, it can be concluded that at least one of the purposes of the message is to offer to supply goods or services, advertise or promote goods or services, or advertise or promote a supplier of goods or services (amongst other purposes).

Under what circumstances are CEMs permitted?

The Spam Act prohibits the sending of CEMs, unless an applicable exception applies. 

One such exception is that a CEM may be sent with a recipient’s express or inferred consent. A common example of express consent is a customer proactively ticking a box to receive marketing emails in a sign-up flow.  Consent can also be inferred, including from the nature of the customer-business relationship. Importantly, notwithstanding the existence of a customer-business relationship, if a recipient has opted out of receiving marketing messages, the business cannot send a CEM (nor can the business send a message seeking consent to receive marketing, as this in itself is a CEM). 

In addition to recipient consent, to lawfully send a CEM, the Spam Act requires the CEM to contain:

1. a functional unsubscribe facility which allows the recipient to easily unsubscribe from receiving any further CEMs.

The facility must be presented in a clear and conspicuous manner, and cannot be hidden in the CEM.

Additionally, in the wake of Kogan’s breach of the Spam Act, Parliament introduced the new Spam Regulations 2021.  The new regulations prohibit businesses requiring CEM recipients from logging into an account, or signing up for an account, to unsubscribe from receiving CEMs. The intention is to protect customers from onerous unsubscribe processes designed to discourage them from unsubscribing; and

2. accurate sender details and contact information. 

Sending transactional emails and messages

Another exception to the prohibition against sending unsolicited CEMs is where the message is a "designated commercial electronic message" (DCEM). A DCEM is what businesses often internally call a "service message", “transactional email” or “transactional message”.  DCEMs do not require recipient consent, and are not required to contain a functional unsubscribe facility but are required to include accurate sender details and contact information.

To be regarded as a DCEM, the message must consist of no more than factual information, and may include certain additional factual details specified in the legislation, such as the name, logo and contact details of the individual or organisation who authorised the sending of the message, and/or the name and contact details of the author or the authors' employer, organisation, partnership or sponsor.  

Common examples of DCEMs include administrative communications such as emails confirming a consumer’s purchase of a product or an email to reset a password. 

Businesses should take care when classifying messages as DCEMs, as even if the message has a legitimate factual purpose, if it is presented in a manner, or combined with any other content such as hyperlinks (including in headers or footers) or images which could be taken to have the purpose of offering to advertise, promote or supply goods or services, the message will be a CEM for the purposes of the Spam Act.  In those circumstances, it will need to comply with all the requirements for the sending of a CEM.

How can you remain compliant?

It is not uncommon for a business’ communications to consumers to change frequently to reflect new offerings or changes to products or services. Accordingly, it is important for businesses to ensure their CEM templates are compliant with the Spam Act, are only sent to consumers who have given their express or inferred consent and that the CEMs are otherwise compliant with the Spam Act. We also recommend that businesses regularly test that unsubscribe facilities contained in CEMs are operational and effective. 

Furthermore, reviews should also be conducted in relation to messages sent to consumers that are considered to be DCEMs, to ensure that they are free from any content which could result in them being regarded as a CEM. 

Tips for CEMs

• Ensure that functional unsubscribe facilities are present in all CEMs and that the unsubscribe facilities are operational, simple to use and do not require a consumer to login to an account, create a new account or enter any personal information (other than their email address to which the CEM was sent for the purposes of unsubscribing).
• Ensure that CEMs are only being sent to consumers for whom express or inferred consent is obtained. 

Tips for DCEMs

• Ensure that DCEMs only contain factual information, do not contain links to offerings, products or any other pages where the purpose of that page is to offer, advertise or promote goods or services.