By Clint Fillipou, Principal / Managing Director Melbourne
19 June 2023
The largest penalty ever handed down in the history of the Spam Act 2003 (Cth) was issued to Commonwealth Bank of Australia (“CBA”) this week. At $3.55m, this dwarfs previous penalties, and the Australian Communications and Media Authority (“ACMA”) came down very hard, but why? Was this decision an outlier, was it consistent with past practice, or was it a case of ACMA finally nailing the big target it had been waiting for in order to send a message to industry? And what on earth did CBA get so wrong that one of the most sophisticated and well-resourced businesses in Australia found itself in this situation?
Spam Act background and basics
As you may be aware, the Spam Act has been in force since 2003 and applies to the sending of commercial electronic messages (“CEMs”), including email, SMS, etc., from Australia or to an Australian.
A relatively simple piece of legislation, there are three key requirements under the Spam Act:
- CEMs must only be sent with the consent of the recipient. Consent can be express or inferred.
- CEMs must include accurate sender information and contact details.
- CEMs must contain a functional unsubscribe facility (that actions the request within 5 working days).
What may be less well-known is that the Spam Act was updated in 2021 when the Spam Regulations 2021 were enacted, to expressly forbid the practice of requiring individuals to sign up to an account or log in to an existing account to unsubscribe from receiving CEMs. Indeed, “one-click unsubscribes” are now preferred.
We are frequently asked to advise on the distinction between a CEM and a simple functional/operational service message, which can at times be tricky to draw. Basic functional messages (called “designated commercial electronic messages” under the Spam Act) do not need to have an unsubscribe facility and do not require consent, so it is an important matter to get right.
Further, while the grey area between “express” and “inferred” consent has always been a contentious issue for businesses to navigate, we are increasingly seeing the management of unsubscribes as a key area of regulatory interest, and it is clear that many businesses and brands simply do not understand their obligations, or (as discussed below) do not have adequate systems in place to manage their database.
What are ACMA’s enforcement powers?
ACMA has an array of weapons in its arsenal when it comes to enforcing the Spam Act.
In brief, ACMA may:
- issue an infringement notice, which depending on conduct may be up to $275,000 per offence;
- apply to the Federal Court for pecuniary penalty orders, which depending on the conduct may amount to 10,000 penalty units, or $2,750,000. The Court may also, on application, make orders to pay compensation to aggrieved individuals; and/or
- seek injunctions and court enforceable undertakings, such as to review compliance practices and provide ongoing reports to ACMA.
Like many regulators, ACMA exercises its discretion strategically, and will only go with the harder and more impactful enforcement options (i.e. the larger financial penalties, injunctions and court enforceable undertakings etc) when they know they have a very good case, and seemingly where ACMA thinks the relevant business deserves it. ACMA can trigger an investigation upon receipt of a single complaint, or instigate their own investigations. Usually, Spam Act compliance activity will start with ACMA issuing a “Spam Compliance Alert” to the relevant business.
To be clear, ACMA’s stated position, one that is borne out over and over again in recent enforcement examples, is that the issue of a Spam Compliance Alert is essentially a warning to check your systems. In our experience, how the relevant business reacts to receiving one of these alerts is crucial to what may happen next.
So, ACMA will give you a chance to look into your systems (i.e. your processes, your IT setup, your database management, your electronic message service providers, the individual case of each complainant, etc.), as a precursor to a possible future investigation. Businesses ignore these alerts at their own peril. While a business may well think all is in order, many times it has an underlying problem that it is not yet aware of, and failure to fix it can be extremely costly, as CBA found out.
What did CBA do that was so bad compared to other examples?
CBA was found to have sent 65 million (no, that is not a typo) emails in breach of the Spam Act. Specifically, it sent 61 million emails that required the recipient to log in to an account in order to unsubscribe, which, as detailed above, is unlawful. In addition, the bank sent another 4 million CEMs that did not have a functional unsubscribe facility, and a further 5,000 CEMs to customers who had previously asked to be unsubscribed from CEMs.
ACMA’s Chair Nerida O’Loughlin was extremely clear and gave great insight into ACMA’s priorities when she remarked of the CBA case: “The scale and duration of the breaches by the CBA is alarming, especially when the ACMA gave it early warnings it might have some issues and the steps it took were ineffective”. In other words, “we gave the CBA plenty of chances, they are a big business with a lot of resources, and they didn’t take us seriously enough”.
Recent similar examples include Binance Australia, which was fined over $2m in December 2022 for similar offences that impacted far fewer recipients. Sportsbet was also fined over $2.5m and ordered to pay compensation of over $1.2m for similar breaches. Court enforceable undertakings were also given in each case. And, in both the Binance and Sportsbet situations, just like CBA, ACMA’s early attempts to communicate with the brands and have them correct their issues were either rebuffed, ignored, or just not taken seriously enough or dealt with adequately.
How do businesses get themselves into these situations, and what do we need to learn from this case?
From experience, what is clear is that many businesses lack a clear understanding of their current obligations under the Spam Act. Ongoing training, like the type provided by Anisimoff Legal, is vital.
In addition, we see many businesses using a collection of disparate technologies to manage their opt-ins and customer databases, and sometimes these systems create issues. In one recent example, a client’s back-end IT systems update triggered a swathe of unseen database preference changes to be reversed, and it was not noticed until months later.
Finally, perhaps because of the simplicity of the Spam Act’s framework, brands are lulled into a false sense of confidence that they know what they are doing, that Spam Act compliance is a “set and forget” exercise, and that all is well. Also, in some instances we see businesses take a more laissez-faire approach to Spam Act compliance, assuming that if a recipient doesn’t want to receive an email they will just unsubscribe, so they send them a CEM anyway on the basis that “we will unsubscribe them later if they ask us to”.
Some key takeaways when it comes to Spam Act compliance are detailed below:
- The Spam Act is a simple piece of legislation, but one that can get businesses in considerable trouble if they don’t take compliance seriously;
- The bigger the target (i.e. the more prominent a brand), the more interested ACMA will be in taking enforcement action if the brand gets it wrong;
- The more egregious the compliance failings, the more interested ACMA will be;
- The sooner you act to correct issues and the more willing you are to take real steps towards compliance, the better this will be for you when dealing with ACMA (and your customers!) in the long run; and
- Your people must be up-to-date with all the latest Spam Act compliance considerations, and ongoing training is crucial. Similarly, your database and IT systems (especially those connected to marketing preferences, opt-ins, etc) must be up-to-date, compliant with current legislation and tested routinely to ensure they are operating properly.
If you would like further information on Spam Act compliance, or would like your team kept up-to-date through Anisimoff Legal’s training sessions, please contact us.