One click: what the new Spam Regulations mean for your electronic business marketing communications

The new Spam Regulations 2021 (Cth) confirm and clarify that companies must ensure their marketing communications contain a simple and easily navigable unsubscribe facility. Such facilities must not request the recipient provide personal information, log in or create an account with the company to unsubscribe.

The new Spam Regulations 2021 (Cth) (2021 Regulations), which have been effective from 1 April 2021, mandate simple and accessible ‘unsubscribe’ facilities in electronic business marketing communications (i.e. ‘commercial electronic messages’).

The 2021 Regulations repeal and replace their predecessor Spam Regulations 2004 (Cth) (2004 Regulations) with strengthened obligations. The main difference is that electronic commercial message recipients must be able to unsubscribe from marketing messages without providing personal information or by logging in to or creating an account with the company who sent the message in order to do so.

What kinds of communications are impacted by these changes?

These changes apply to commercial electronic messages sent on or after 1 April 2021 and intend to address the growing number of consumer complaints directed to the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC) in respect of often complicated and burdensome unsubscribe processes.

These regulatory changes apply to ‘commercial electronic messages’, broadly defined in the Spam Act 2003 (Cth) (Spam Act) as messages sent for the purpose of advertising or promoting the sale or supply of goods, services, land and/or business/investment opportunities sent via email, SMS, an instant messaging service or similar.

How do these new requirements for unsubscribe facilities interact with the existing Australian privacy laws?

Section 18 of the Spam Act requires that companies sending commercial electronic messages must provide a clear and functional unsubscribe facility, by which the message recipient may opt out of receiving such communications in the future. The 2021 Regulations seek to clarify the apparent existing ambiguity surrounding how to provide this facility and the extent to which personal information can be solicited by companies as part of the unsubscribe process. Regulation 7(6) prescribes that no personal information, except for the electronic address to which the message was sent, may be requested.

Companies must continue to adhere to APP 7 when processing the personal information of their customers. Additionally, companies remain obligated to ensure the unsubscribe function is presented in a clear and conspicuous manner, but now (we suggest even for other than commercial electronic messages), they must also ensure it is easy to use and does not require customers to provide personal information, log in to or create an account with the company who sent the message.

Consequences of non-compliance

Fines will be issued by the ACMA to companies who fail to comply with the above requirements. Since 2019 ACMA has issued more than $2 million in fines for breaches of the Spam Act and is cracking down on non-compliant commercial electronic messages.

Notably, in January 2021 (before the 2021 Regulations came into force) ACMA issued a $310,800 fine to a major Australian online retailer for failing to incorporate an easily navigable unsubscribe option in their commercial electronic messages (i.e. emails) to 42 million customers. The online retailer required recipients to take onerous steps setting up an account to unsubscribe. This conduct is now expressly prohibited under the 2021 Regulations.

What must companies do to comply with the 2021 Regulations?

Companies must ensure that they continue to provide an unsubscribe facility on all commercial electronic messages. They must ensure that they present unsubscribe instructions clearly and that those instructions:

• are intuitive, simple and easy to navigate;
• do not require recipients to use a premium electronic address service;
• do not cost recipients more than what they would normally pay to use the electronic address;
• do not require recipients to pay a fee to the company; and
• action the recipients’ requests to unsubscribe immediately.

In addition, companies are now barred from requiring recipients to provide personal information (except the electronic address to which the message was sent) or to log into or create an account for the purposes of unsubscribing from receiving commercial electronic messages.

We suggest that companies review their marketing practices and test the effectiveness and usability of unsubscribe facilities to ensure they comply with the latest regulatory changes, to avoid the potential for infringement notices and hefty fines. Repeat corporate offenders can face court-imposed penalties of up to $1.11 million per day.