A Guide to the 2003 Spam Act

Reading Time 5 min.

Spam. It’s something that many of us are all too familiar with in the 21st Century, but did you know that the Australian Government created an Act in the early-00s in an attempt to cut down on the number of unsolicited emails sent to inboxes? Named the Spam Act, this legislation was passed in 2003, and aims to help protect people from receiving unsolicited commercial messages within the electronic landscape. 

In this article, we explain a little bit about what The Spam Act entails and how you can ensure your email marketing is following the set standard outlined by the 2003 legislation. 

Tip: Before sending an email using our CleverReach® newsletter software, find out if it is classified as spam with our design and spam test! 

Spam Act 2003 - CleverReach

What does “spam” mean?

In The Spam Act, spam is referred to as “unsolicited commercial electronic messaging”, which includes emails, SMS, and instant messaging. When a message is sent for commercial purposes, without the consent of the recipient, then it may be considered spam. 

Emailing is the most common form of spam. There are many different types of spam, from phishing emails, emails containing malware and viruses, and unsolicited emails from commercial outlets. Each comes with varying levels of risk and annoyance, with some being more dangerous to unsuspecting clickers than others.

Brian Michaels, CEO of Comvergence says “Businesses are leaving themselves vulnerable to cyber attacks by not considering the basic safety risks.

Most people believe that the most sophisticated cyber attacks are the biggest threats to any organisation. However, the biggest cybersecurity threat to a business is the people that work there. It is the responsibility of companies to educate their employees on cyber security and best practices to minimise the risk.”


What does the Act cover?

The focus of The Spam Act is commercial electronic messages, including those sent from applications such as short message service (SMS), multimedia message service (MMS), instant messaging (IM), and email.

The Spam Act specifically relates to “commercial electronic messages” which are sent to Australian email addresses – whether the email originated in Australia or overseas. Just a single email can be considered as spam, it does not need to form part of a mass email list.  

However, the following materials are not covered by the Spam Act, but may be governed by different laws: 

  • Traditional media – snail mail, paper flyers
  • Telemarketing – via phone
  • Non-commercial emails – those not containing links or direct users to a commercial website or address


3 steps to follow when using email marketing:

If you have a business that uses email marketing, familiarising yourself with and following these three steps can help ensure you do not breach The Spam Act.

1. Consent

Electronic messages sent with commercial intent should only be sent to recipients who have given consent to receive them. There are two types of consent in relation to The Spam Act. These are express consent and inferred consent. 

  • Express consent

This form of consent refers to when an individual gives a direct indication that they are happy to receive your commercial email. One type of expressed consent is when an individual signs up to your mailing list. 

  • Inferred consent

Sometimes an individual may not have directly stated they wish to receive a message, but you may be able to infer their permission to do so by considering the conduct of the recipient and their relationship to you or your business. An example of this is when an addressee has provided their business card with their electronic address printed on it. In this example, it can be inferred that messages relevant to the line of work of the individual can be sent to the individual, but not those unrelated to their work. 


What about…

Using public directories?

Just because contact information is available on a public directory does not instantly count as inferred consent for use. A strong link needs to be made between the service or product you/your business are advertising and the receiver of the message. Some requirements the Spam Act discusses with regards to inferring consent from addresses in public directories include:

  • Ensuring the message is for a specific individual
  • Ensuring the message sent is relevant to the position of the recipient
  • Ensuring the message is not sent to an address that was published alongside a statement saying they did not wish to receive messages

Purchased contact lists?

Purchased contact lists are okay as long as the addresses meet the requirements of the Spam Act, and the addresses have been obtained consensually. 

Address-harvesting software?

Address-harvesting software and harvested-address lists must not be used to send spam. Manually-generated lists are not prohibited by the Spam Act, as long as the addressees do not have a statement next to their addresses stating they do not wish to receive such messages. 

Old contact lists?

The Spam Act states that it does not matter when the contacts were gathered, as long as they were done so consensually (whether express or inferred). 

Subscribing on another person’s behalf?

If an addressee did not submit a request to receive information themselves, then consent requirements may not have been met. One example of an individual subscribing on another’s behalf is if a person asks for a commercial electronic message to be sent to an individual other than themselves. In this case, contact should be made with the addressee to ascertain that they consent to receive commercial electronic messages from you/your business. 


2. Identify

When sending a commercial electronic message, the Spam Act states that you must ensure it includes identifying information about your business. This includes identifying who you are (such as your business’ registered trading name) and how the recipient can get in contact with you (such as an email address, physical address, phone number). 

If you are using a third party to send commercial electronic messages on your behalf, you must still ensure your relevant contact information is included in the messages. The third party’s information does not have to be included unless you wish for it to be. 

According to the Spam Act, your information must be “reasonably likely to be accurate” for a minimum of 30 days after the day your message is sent. If you are aware that your information will be changing within this timeframe, you could either include both the present and future contact information or make arrangements for communications to be redirected to the new address or number. 


3. Unsubscribe

Any commercial electronic messages that you send must include an unsubscribe facility, for recipients to opt-out of future messages if they so choose. This function should be clearly displayed, simple for users to navigate, and must be “reasonably likely to be functional” for a minimum of 30 days after the day the message is sent. Unsubscribe requests must be dealt with promptly, and the Spam Act states a request to opt-out of receiving messages must be actioned in five business days. 


What can happen if the act is breached?

The Spam Act is enforced by the Australian Communications and Media Authority (ACMA), who then works closely with other law enforcement and regulators on the issue. There are several actions that the ACMA may take against spam. They may issue a formal warning, an infringement notice, or choose to initiate a full court proceeding. There are financial penalties that can come with the breach of the Act. A single breach can incur fines of up to $220,000, with subsequent breaches receiving higher fines. The maximum penalty for breaching the Act is $2.1 million per breach, per day. 


What are other countries doing about spam?

Many countries around the world have legislation in place to help protect their people against spam. Some examples of these laws include the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003, America’s CAN-SPAM Act of 2003, and Canada’s CASL (Canada’s Anti-Spam Legislation). Along with Australia’s Spam Act, it’s important to familiarise yourself with other countries’ laws if you are looking to send commercial electronic messages to addresses in other countries. 

Last year, the European Union introduced the EU General Data Protection Regulation (GDPR). These are strict laws for obtaining user data and sending commercial emails to European individuals without obtaining consent. If you’re not sure whether your email marketing campaigns comply with these rules, you can use our 6 point GDPR checklist!



Australian Government – Federal Register for Legislation – Spam Act 2003

Australian Media and Communications Authority (ACMA) – Spam: Industry Obligations

Susanne Eberl

Online Redakteurin bei CleverReach®; liebt es, Tech-Themen verständlich zu erklären.