Spam: Are Your Emails Breaking the Law?

In the race to get their business out in front of people, many Australian small business owners don’t realise they are breaking a long-standing piece of law – the Spam Act of 2003.

The Spam Act is a piece of legislation that has become like a distant uncool relative: The one who only gets remembered when they turn up uninvited at a party and demands to know where their invitation is. Unfortunately, it is routinely forgotten when training start-ups and small businesses about their roles and responsibilities.

So what is it and why should you care?

The Legal Foundations

The Spam Act is a piece of Australian legislation that bans sending unsolicited commercial electronic messages. It is currently administered by the ACMA (The Australian Communications and Media Authority) – a government body.

Other countries have their own versions of this legislation, so if you do business internationally, you need to know the legislation of the jurisdiction you are working within.

In Australia, the Spam Act covers any electronic message that has a marketing or commercial element:

• Emails & newsletters
• SMS messages
• MMS messages
• Instant messages
• Other electronic messaging (e.g.: LinkedIn, Facebook etc. messages)

If you communicate with people using any of these means, you need to comply with the Spam Act.

Telemarketing calls and faxes are covered under the Do Not Call Register.

What is a Commercial Message?

According to the ACMA, the Spam Act defines a commercial electronic message as:

• offers, advertises or promotes the supply of goods, services, land or business or investment opportunities
• advertises or promotes a supplier of goods, services, land or a provider of business or investment opportunities
• helps a person dishonestly obtain property, commercial advantage or other gain from another person.

The Act classifies an electronic message as ‘commercial’ by considering:

• the content of the message
• the way the message is presented
• any links, phone numbers or contact information in the message that leads to content with a commercial purpose—as these may also lead the message to be defined as ‘commercial’ in nature.

In other words, if you send out any marketing promotion, email, or newsletter advertising or promoting your business, you are covered and you need to comply with the Spam Act.

What Do I Need To Do To Comply?

There are 3 key rules you need to follow with in order to comply with the Spam Act.

1. Consent

2. Identification

3. Unsubscribe facilities

Consent

Consent in any jurisdiction is murky and one that causes loads of debate and legal battles.

My view is that unless it is a hell yes – it is a hell no! It is not worth you or your business trying to dance around in the grey area, while trying to force yourself on someone who really is not interested.

Express Consent = Hell Yes!

Express consent means someone has deliberately, willingly and consciously agreed to hearing from you.

According to the ACMA, “A person who gives express permission knows and accepts that they will receive marketing emails or messages from you.“

Putting it simply – you asked someone and you heard them say yes!

Here’s a few examples of express permission:

• A client ticking a box saying that they would like to receive email communication from you.
• A client contacting a business directly and asking to be sent regular information
• A client filling in a form to get information or an eBook, and the form includes details that they will join your mailing list.
• Exchanging business cards 1 on 1, and verbally asking the person if they would like to join your mailing list. The person explicitly states they would (and you noted that on their business card with the date & details). You can’t ask for consent electronically after the event – it has to be done verbally to be in compliance of the Act.
• Asking someone over the phone if they would like to be added to your mailing list.
• Offering a lucky door prize or game of chance, where the terms of entry clearly and obviously state that the details will be added to your mailing list.

One thing to be aware of: Hell Yes can turn to Hell No at any time. People have a right to change their mind. In those situations, you need to stop what you are doing, give them the right to unsubscribe and immediately honour that request.

Inferred Consent – The Shades of Grey

The Spam Act does allow for some limited shades of grey.

Think of these “outs” in the same way you think of a teenage boy asking if it is OK to give a girl a bottle of vodka before asking if she wants to get intimate.

According to the ACMA,

“You may infer that you have permission to send marketing messages if the recipient has knowingly and directly given their address and it is reasonable to believe they would expect to receive marketing from your business.

This is usually when a person has a provable, ongoing relationship with your business, and the marketing is directly related to that relationship.

For example, if someone has subscribed to a service, has an account or is a member, and the marketing is relevant to the relationship.

It does not cover sending messages after someone has just bought something from your business.“

If you really want to go there, and your business model is based on the ethical grey line, then here are your inferred consent outs:

• Existing Relationships – If there is a provable, ongoing, existing business or other relationship where there is a reasonable expectation that you will send them ongoing commercial messages.
• Conspicuous Publication – If there is conspicuous publication of a work-related, publicly accessible email address that is not accompanied by a statement that no commercial messages are wanted, and the subject of the message is directly related to the role or function of the recipient.

Existing Relationships

Let’s talk about relationships for a minute.

Saying yes to a LinkedIn connection does not constitute a relationship. It means you said yes to the connection.

In dating terms, it means you agreed to go out for coffee with someone. It didn’t mean you agreed to let your bits bump or that you wanted to see photographs of their anatomy.

If your first response after getting a LinkedIn request is to send a promotion about yourself – expect your face to get slapped.

If you try and hide your real intent by fudging an email about how you like to know more about a business before swiftly throwing in an invitation to a networking opportunity, investment opportunity, MLM opportunity, referral opportunity – expect your face to get slapped.

An existing relationship means more than just knowing the person’s first name and email address.

Conspicuous Publication of Email Addresses

This one really gets me fired up. If a business provides an email address on their website to help their clients communicate with them, do they really need to add in huge walls to stop irrelevant businesses sending unwanted marketing emails to their email address?

The ACMA gives some guidance on how grey we are talking with inferred consent and conspicuous publication.

You can’t assume that just because every business needs debt recovery, toner, paper etc. that any email is welcomed. You can’t infer consent just because you believe that what you sell will benefit someone, just like you can’t infer consent on a date because you are good in bed. Life doesn’t work that way!

If you are going to use an email you scraped from someone’s website, your promotion must be directly related to the role or function of the recipient.

This means you probably can’t send an email to an info@ email if you are not sure of the role of the person receiving the email. Info@ emails are general emails that are not linked to a role.

If you are trying to flog accounting software, then you could possibly get away with sending email to accounts@ email addresses as you could prove a direct link between your product or service and the person receiving it.

But do you really want to do that? Do you really want to be seen as a scraper who scrounges email addresses off random websites in the same way that a homeless person looks for half-smoked cigarettes in the gutters? Is that really what you want your business to be known for?

Proof of Consent

If you get hauled up before the courts after a complaint that you spammed someone, you need to provide proof that the person actually did give explicit consent to receive your marketing emails. It is up to you to prove consent.

How do you prove consent? By keeping clear and accurate records.

Any good autoresponder/email marketing software manages and keeps these details for you if you use a double opt-in process. This is another reason that if you are going to send out marketing emails or newsletters to clients, that you get an external system to manage it for you.

You can also prove it through an old-fashioned paper trail – copies of ticked forms or notated business cards are also proof of consent.

Some ways you CAN’T get consent:

• Sending an unsolicited email asking someone to give consent to receive commercial messages from you.
• Getting connected via LinkedIn and assuming that means the other person would love to be added to your mailing list.
• Pre-ticking boxes for people to join your mailing list (either on paper or on websites).
• Assuming silence means consent – adding someone to a list and assuming because they didn’t object that everything is hunky-dory.
• Getting someone else to consent on their behalf.
• Picking up business cards or brochures from a networking event from someone you didn’t meet and verbally get consent from, and assuming this gives you consent to email them.
• If they didn’t know what they were consenting or were not capable of making a decision of whether or not to consent.

A Word About Purchased Lists & Consent

If you have bought a mailing list to market to, you legally carry the onus of proof that each person you are mailing to has given their consent to hear from third parties.

Before you buy any list, you need to know: how the information on the list was gathered, what exactly did the people on the list consent to, and when did they consent?

If the list was gathered by electronic harvesting software or bots, then run like the wind! Lists gathered by bots are illegal.

Don’t just take the list vendors word for it that everything is cool, and the person really won’t mind hearing from you. If you buy a bad list, then your business reputation is on the line (as is your legal liability before the courts), so do your due diligence to make sure that the risks are minimised.

A Word About Your Own Customer Lists & Consent

Many small businesses take a while to buy electronic newsletter systems, and manually collect their customer’s and supplier’s details in their Outlook or other email system. When they finally subscribe to a system, they think they can simply export the details and then import them into the system.

Wrong. They bump up against all of the same issues that purchased lists have.

How were the email addresses gathered? Did the people know at the time they gave you their details that they would be joining your mailing list – generally the answer to this is no.

How current is your list? Unless they regularly hear from you, people forget about you. Unless people gave you their information AND consented to hear from you less than 3 months ago, then you need to start the whole process of getting consent once again before you can add them to your electronic system.

Remember also that you can’t email someone just to ask for their consent to add them to your new system or marketing list – which makes getting people onto your list a bit challenging.

There are some ways you can use your exported list in remarketing via social media, but in many cases you need to start from scratch and either phone each person, post a traditional letter to someone, or simply write off the old contacts as not being able to be imported into your system.

That’s why it’s important to get a newsletter/autoresponder system earlier rather than later in your small business – so you don’t throw away all your hard work!

Identification of Yourself as Sender

Aside from the issue of consent, every commercial message is required to have clear identification of who sent it or authorised it to be sent.

Clear identification includes: 

• The correct business or legal trading name of the business or individual.
• How the business can be contacted – address or phone number or email.  

If someone else sends messages on your behalf, the message must still identify you as the business that authorised the message. Use the correct legal name of your business, or your name and your ABN.

Unsubscribe Facility

If you send out a commercial message, you need to also include a functional, easy to use and legitimate unsubscribe facility. This is an electronic address that the user can use to tell you that they don’t want to hear from you.

There are a few rules around the unsubscribe facility:

• This address must remain functional for 30 days after the original message.
• It must give clear instructions on how to unsubscribe.
• It must be easy to use.
• All requests to unsubscribe must be honoured within 5 working days.
• All unsubscribe requests must be at no cost to the user.

You cannot force people to give extra personal information or make them create or log into an account to unsubscribe from marketing messages.

Think of this as the person wants to tell you no. You need to make it easy for them to say no, and you must honour their “no means no” request. 

Read more about unsubscribing and updating details.

Who Is Exempt From the Spam Act?

The Act does make a number of exemptions to the Act, which means these groups or individuals don’t have to comply with the legislation.

These groups don’t need to comply with the consent and subscribe/unsubscribe requirements, provided the information they are sending relates to goods and services that their organisation supplies.

• Registered political parties (which is why we all get bombarded by messages from a particular party that likes the colour yellow during elections).
• Registered charities
• Educational institutions (for messages sent to current and former students)

Purely factual messages also fall outside of the scope of the Act. These are pieces of information with no marketing element and can include things like meeting minutes, safety recall notices and an email sent to a business requesting a quote or price list. However, sending a factual piece of information does NOT mean you can add their details to a mailing list or send them future marketing information!

You can also send an unsolicited resume if you are looking for a job, without falling foul of the Spam Act.

Penalties for Breaching the Spam Act

No business is too small or too big to escape a penalty if you breach the Spam Act. Penalties range from formal warnings through to infringement notices and Federal Court cases.

Fines can quickly rack up as they are based on single unsolicited emails. If you send out bulk emails, then the numbers quickly can hit maximum penalties.

According to the ACMA, “the penalty units referred to in the Spam Act are currently equal to $222 each. For example, the penalty under section 25(5)(b) of the Spam Act for a company with a previous record of spamming and who sent two or more spam messages on a given day without consent is a maximum fine of 10,000 penalty units. This equates to a maximum penalty of $2,220,000 per day.”

Other penalties can include surrendering any financial benefit you gained as well as seizure of property.

The ACMA publishes a list of organisations penalised under the Spam Act and the amounts. Some noteable recent penalties include $2,508,600 for Sportsbet in 2022.

But it isn’t just large organisations that have been penalised:

• $26,640 to Phoenix Securities in 2021
• $100,800 for Kalkine Media in 2021
• $79,800 for Telco First in 2021

The ACMA has announced in 2022-2023 that they will be targeting SMS and email unsubscribe rules – concentrating on businesses that take no notice of customers unsubscribe request or make it hard for them to unsubscribe. 

Wrapping Up

Marketing to someone should be the start of a positive relationship. Relationships founded on forced consent rarely end up in a positive way.

If you are going to send an email or another electronic marketing message to someone, remember:

• Get clear and explicit consent
• Identify yourself
• Let them say no through easy to use unsubscribe options.

If you do these three things, you will generally stay on the right side of the Spam Act.

Of course, there are a raft of other pieces of legislation you need to comply with in your marketing to stay on the right side of the law. If you need legal advice about this or any other legal issue, talk with your lawyer.

Want to know how to stop spammers using your contact form to send you spam? Check out our article.