The Spam Act 2003 (Cth) isn’t a new piece of legislation, and it has arguably been a relatively benign part of the Australian privacy and communications regulatory framework – until now.
Last week the Australian Communications and Media Authority (ACMA) handed down the largest fine in its history – AUD 1 million – against a retail supermarket giant for unlawfully spamming more than 1.2 million customers via email.
The ACMA found that the retailer was in breach of Australia’s anti-spam laws when it “sent marketing emails to consumers after they had unsubscribed from previous messages” between October 2018 and July 2019. The ACMA commented that it was “inexcusable” for a large and sophisticated organisation to actively engage in this sort of non-compliance. The record-breaking fine was in part due to the retailer’s failure to act even after the ACMA had warned it of potential Spam Act compliance issues and after multiple customer complaints.
The Spam Act is simple – if an organisation (or someone on behalf of an organisation) is sending out marketing messages or emails, it must first have permission from the person who receives them. Once an organisation has a person’s permission, the message must:
Permission can be express or inferred.
Perhaps more interesting is the specificity of the ACMA’s decision, which makes it clear that it expects all communications to an email address to stop where such a request has been made by an individual (even where the email address itself may be shared with others). This shows that companies must be vigilant when it comes to their user databases, and in particular which information belongs to which individuals. The retailer's defence of “technical and systems issues” also did not find favour with the ACMA.
The retailer has already paid its fine, and is now subject to a three-year enforceable undertaking which includes actions such as appointing an independent consultant to review and audit its current Spam Act compliance procedures, report regularly to the ACMA, and conduct comprehensive staff training on the nature of its communications.
This latest compliance blitz comes hot on the heels of the ACMA’s penalty issued to Optus earlier this year, a clear sign that the Spam Act’s unofficial 17-year grace period has well and truly ended.
This regulatory compliance activity naturally complements efforts being undertaken by various data protection regulators (including the OAIC, ACCC, APRA, and ASIC). It highlights the ongoing need for organisations to ensure that they can demonstrate compliance with best practice data governance requirements, which is becoming increasingly important well beyond the confines of the Spam Act.
In an age where consumer protection and privacy are more important than ever, the price of unauthorised spamming is one that organisations cannot ignore.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 1,000 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.