By Rohan Vasudevan, Solicitor
23 November 2023
As you may recall, in a recent article we discussed the largest spam-related penalty ever handed down by the Australian Communications and Media Authority (“ACMA”), which was issued to Commonwealth Bank of Australia (“CBA”) for its breaches of the Spam Act 2003 (Cth) (the “Spam Act”). Well, we have seen even more fines – this time the companies who have found themselves in hot water for breaching Australia’s spam laws include Ticketek, Kmart, DoorDash and MyCar Tyre & Auto. This list continues to grow as ACMA recently issued a series of fines to other well-known companies for failures to comply with the Spam Act. The infringements serve as a wake-up call for businesses across the country, highlighting the importance of compliance with anti-spam regulations. So what are the recent developments and why are more and more companies finding themselves in so much trouble?
Spam spam and more spam
For many Australians, spam is a major nuisance. It clogs up email inboxes, wastes time and only so much of it is filtered out by e-mail servers, never to be seen again. It is no surprise then that ACMA takes laws pertaining to spam very seriously. This is especially so given the ubiquity and importance of electronic communication in modern society.
However, you may be aware that not all electronic communication is the same in the eyes of the law. There is a key difference between commercial electronic messages (“CEMs”) and operational electronic communications (which the Spam Act calls “designated commercial electronic messages” (“DCEMs”)) such as messages which only contain factual information. For instance, if a company wanted to inform a customer that a concert had been cancelled, and the message was purely factual, then this message will likely be a DCEM, meaning specific requirements of the Spam Act will not apply.
If sending a CEM, however, companies must identify themselves, provide contact details, include an unsubscribe link and, importantly, only send CEMs if they have recipients’ express or implied consent. However, consent is not required for DCEMs, and ‘unsubscribe’ functionality also does not need to be provided. This means that customers who have “unsubscribed” should not be receiving CEMs but may receive DCEMs. The small but key difference between the two was highlighted in a recent investigation involving one of Australia’s biggest ticketing companies, Ticketek Pty Ltd (“Ticketek”).
Get your tickets!
Alongside large companies like CBA and Binance Australia, Ticketek have found themselves on the wrong side of the regulator. Just like in previous situations, ACMA actually sent Ticketek communications about alleged breaches of the Spam Act, in the form of a formal warning in 2019. In this warning, ACMA cited that Ticketek may have made “a number of contraventions” of the Spam Act, namely sending CEMs after account holders had withdrawn consent to receive such messages (i.e. unsubscribed).
However, this warning appears to have been overlooked (or ignored) by Ticketek, and ACMA launched a formal investigation into the company in October 2022. ACMA found that Ticketek sent about 98,000 CEMs to customers who had previously unsubscribed (i.e. the messages were sent without the consent of the recipient).
Interestingly, these messages from Ticketek did contain event information for ticketholders which, on its own, may have been sufficient to be considered DCEMs. For this reason, Ticketek outlined that the messages sent fell within an exception to the rules codified in the Spam Act and consent to receive the messages was not required. However, while ACMA did not dispute that the messages in question did, in fact, contain event information/factual information for ticketholders, ACMA found that the messages were also being used to advertise/promote goods and services offered by Ticketek, going above and beyond what is accepted in DCEMs. It was clear that the adding of a discount or other promotional message into what would otherwise be a DCEM is enough to turn that DCEM into a CEM, and trigger these compliance breaches.
ACMA’s Chair Nerida O’Loughlin said: “Australians are fed up with these types of intrusions on their privacy and Ticketek has no excuses given it was on notice after our previous action”. Ms O’Loughlin also stated: “even if the purpose of a message is to provide factual information to customers, if it also includes marketing content, or links to marketing content, it can only be sent with consent”. Ticketek’s conduct resulted in $515,040 worth of penalties.
Call an Uber
Another company that was caught for breaching the Spam Act was UBER Australia Pty Ltd (“Uber”). Uber is best known for owning and operating the popular ‘Uber’ ridesharing app in Australia.
ACMA received numerous complaints from customers claiming that they had received marketing communications from Uber despite unsubscribing. ACMA’s investigation found that Uber sent more than 2 million messages without an unsubscribe function during the period August 2022 to January 2023, with more than 500,000 of these messages going to customers who had previously unsubscribed. Uber sent the CEMs to customers to promote Uber’s “Bar in a Car” campaign. In a response to ACMA, Uber alleged that these CEMs were mischaracterised as DCEMs due to ‘human error’ but admitted that the messages were sent in breach of the Spam Act. Uber paid $412,500 in penalties; however, Ms O’Loughlin did note that “We (ACMA) are actively monitoring Uber’s compliance and will not hesitate to take stronger action if it doesn’t comply in the future”.
The dart that hit Kmart
The penalties paid by Uber and Ticketek were surpassed by Kmart Australia Limited (“Kmart”), who paid over $1.3 million, and as is commonly the case, ACMA appears to have imposed sizeable penalties due to Kmart’s overall conduct, including what occurred in response to ACMA’s formal investigation.
ACMA found that between July 2022 and May 2023, Kmart had sent more than 200,000 messages to customers who had unsubscribed. Similar to what happened with Ticketek, Kmart was alerted by ACMA of the specific conduct before any detailed investigations were undertaken. If Kmart had taken these alerts more seriously, ACMA noted that an investigation would likely not have taken place. However, since there was no apparent course correction, ACMA specifically noted it was concerning that for almost 1 year, CEMs were continuing to be sent by Kmart which were in breach of the Spam Act and despite being aware of the infringing behaviour, Kmart continued as is. While ACMA’s investigation into Kmart found that the breaches occurred because of technology and system failures as well as procedural failures, the regulator noted that this was not a valid excuse, and penalties were issued. We are indeed seeing that, more and more, system failures such as software updates, glitches, and security patches are causing many database and CRM management issues, and causing significant spam compliance failures. It is an important point to be aware of and is a reminder to check in with your own systems and IT teams to run rigorous compliance and system health checks on a routine basis. It is especially important to respond in a timely fashion to any ACMA correspondence.
Back to Kmart, not only must Kmart pay a financial penalty, but the company has also been ordered to appoint an independent consultant to review Kmart’s compliance with spam regulations and make changes where required over the next two years (including sending ongoing reports to ACMA). As we outlined in our previous article, ACMA’s range of enforcement powers include the ability to issue infringement notices of up to $275,000 per offence as well as the power to seek injunctions and court enforceable undertakings, including to have compliance practices reviewed and ongoing reports provided to ACMA, such as in the Kmart case.
What does it all mean?
The recent slew of enforcements by ACMA shows the proclivity for the regulator to hit businesses hard where they have not been taking compliance seriously. It is also clear that the fluidity of system changes, database software problems and other IT glitches have the potential to creep in over time and cause companies to fall foul of the law. The issue with these glitches is that companies are generally of the view that their systems are sound, so tend to take a relaxed approach to ACMA warnings, when they should be using them as a trigger to conduct rigorous internal checks.
While some companies may not have acted maliciously, best intentions are no excuse for non-compliance. Ms O’Loughlin has specifically said that: “All businesses conducting e-marketing should be actively and regularly reviewing whether their marketing complies with the law”. Businesses must ensure that, for example, unsubscribe requests are actioned and spam policies are up-to-date, and as flagged above, that their systems remain sound. Businesses should also know the different requirements that apply when sending CEMs compared with DCEMs, or else potentially face harsh repercussions.
If you would like further information on Spam Act compliance, including best industry practices, please contact one of our experts.