Complying with the Spam Act

By Lynda Dowling, Chief Compliance Officer, Webull Securities (Australia) Pty Ltd

In the heavily regulated financial services sector, we know we have a number of laws and regulations to comply with in order to provide financial services to our clients. Examples include:

  • The Corporations Act 2001 and Regulations;
  • The Australian Privacy Act 1988;
  • The Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
  • ASIC Market Integrity Rules (where applicable); and
  • Relevant Exchange Operating Rules and Procedures (where applicable).

However, there is one piece of legislation that has recently been gaining traction, and that is the Spam Act 2003 (‘Spam Act’). Some have even named it the ‘forgotten law’!

This article provides a brief overview of key elements of the Spam Act 2003 that firms need to comply with.

The Australian Communications and Media Authority (‘the ACMA’) is an independent Commonwealth statutory authority that regulates communications and media services in Australia, and as such administers the following laws:

  • The Broadcasting Services Act 1992
  • Radiocommunications Act 1992
  • Telecommunications Act 1997
  • Spam Act 2003 (‘Spam Act’)
  • Do Not Call Register Act 2006

Who does the Spam Act apply to?

The Spam Act applies to any business that sends commercial electronic messages (‘CEMs’) with an Australian link, for example email, SMS, MMS or instant messages sent from, or to an address accessed in, Australia. While the Spam Act is most often associated with marketing and sales campaigns, other communications such as disclosures, product distribution and client education material can also be captured if they are commercial in nature.

What exactly is deemed a CEM?

Section 6 of the Spam Act defines a CEM as:

An electronic message that is commercial having regard to the content of the message, the way in which the message is presented, and the context of the message (including any links or contact details it contains).

A message is deemed commercial if it is motivated by a commercial purpose, such as offering, advertising or promoting goods, services or investments. An example is an email or SMS containing a link to the account opening section of a financial services firm’s landing page: the message itself may read as informational, but the link gives it a commercial purpose.

The key requirements of the Spam Act

Below are the key requirements of the Spam Act that relevant businesses must adhere to. Failing any of them is a breach of the Spam Act:

  1. Consent
  • s16(1) of the Spam Act – prohibits sending a CEM without first obtaining the consent of the person who will receive it. Consent may be express, or reasonably inferred from the recipient’s conduct or existing business relationship with the sender (Schedule 2 of the Spam Act).

It is important to note that firms cannot use a CEM to seek a person’s consent: the request for consent is itself a CEM sent without consent.

  2. Identification
  • s17(1) of the Spam Act – every CEM with an Australian link must meet all of the following:
  • The message clearly and accurately identifies the individual or organisation that authorised the sending of the message;
  • The message includes accurate information about how the recipient can readily contact that individual or organisation;
  • That information complies with any conditions specified in the regulations; and
  • That information is reasonably likely to remain valid for at least 30 days after the message is sent.

  3. Unsubscribe Function
  • s18(1) of the Spam Act – requires that every CEM contain a functioning unsubscribe facility.

This item has been the most common breach of the Spam Act. Firms must ensure that every CEM contains a functioning unsubscribe facility at all times, with clear instructions on how to use it. The facility must remain functional for at least 30 days after the message is sent, unsubscribe requests must be honoured within five business days, and the recipient must not be required to log in to an account in order to unsubscribe (the basis of the ACMA’s actions against CBA and Binance described below).

  4. Address-Harvesting Software
  • ss20–22 of the Spam Act – prohibit the supply (s20), acquisition (s21) and use (s22) of address-harvesting software and harvested-address lists. Firms should therefore be able to show where every address on a marketing list came from and that consent was obtained for it.

Breaching the Spam Act

Should a firm breach the Spam Act and the breach come to the ACMA’s attention, whether through a consumer complaint or otherwise, the Regulator issues the firm with a compliance breach notification containing questions about the matter. The answers allow the ACMA to determine what course of action to take against the firm. Severe action can be taken against a firm even for a one-off breach of the Spam Act.

It should be noted that, while the Regulator may issue a formal warning to a firm for breaching the Spam Act, the ACMA can also take any of the following actions:

  • A thorough investigation of the firm, usually followed by an infringement notice carrying a large financial penalty;
  • Civil penalty proceedings against the firm in the Federal Court of Australia, which can order substantial pecuniary penalties (the Spam Act’s prohibitions are civil penalty provisions, so the consequences are financial rather than criminal); or
  • A court-enforceable undertaking (‘EU’) offered by the firm and accepted by the ACMA, under which the firm must bear the full cost of appointing an Independent Expert (‘IE’) to carry out the review and remediation tasks set out in the EU and report to the ACMA.

Key cases of breaches of the Spam Act where firms have incurred large fines:

June 2023 – Commonwealth Bank of Australia – paid a $3.5m infringement notice for sending 61 million marketing emails that unlawfully required customers to log in to their account in order to unsubscribe. In addition, the Bank sent a further 4 million marketing messages that had no functioning unsubscribe facility at all. The Bank also entered into an Enforceable Undertaking with the ACMA.

December 2022 – Binance Australia – paid an infringement notice of just over $2m and entered into a three-year EU for sending 5.7 million commercial emails that made it difficult for consumers to opt out by requiring them to log in to an account. In addition, Binance sent 25 emails without the consent of the recipients.

Helpful tips to help firms avoid breaching the Spam Act

At a minimum, firms should have the following in place:

  • A Spam Policy;
  • Policies and procedures for every function that sends CEMs (marketing, sales and any other team that communicates with clients for a commercial purpose), covering how consent is obtained and recorded, sender identification and the unsubscribe facility;
  • Monitoring controls over outgoing CEMs, including regular testing that the unsubscribe facility works without a login and that unsubscribe requests are actioned within five business days; and
  • Training programmes to ensure employees are aware of the Spam Act requirements.