ACMA goes ham on spam: Is your business in breach of the Spam Act?
14 December 2021
As businesses increasingly adopt new technological developments to push offers, services and products on consumers using email, SMS, push notifications, live chat, and other instant electronic messages, the risk of inadvertent Spam breaches increases and it becomes increasingly complex to manage those risks.
In 2020, Optus was fined $504,000 for sending unsolicited marketing to consumers who had opted out of receiving such communications.
More recently, in January 2021, Kogan agreed to a court-enforceable undertaking and paid over $310,000 in fines after an ACMA investigation, prompted by consumer complaints, found that Kogan had sent more than 42 million emails to consumers from which they could not easily unsubscribe.
Specifically, Kogan was requiring consumers who sought to unsubscribe from receiving marketing emails to take additional steps including setting a password and logging into a Kogan account in order to successfully unsubscribe, in breach of the requirement under the Spam Act for marketing messages to include a "functional unsubscribe facility".
Given ACMA’s increasing activity in this space, and the introduction of the new Spam Regulations 2021 in April, it is timely to remind businesses how the Spam Act operates, and how they can avoid the ire of the regulator.
The Spam Act regulates when and how Australian companies can send “commercial electronic messages” (CEMs), including marketing emails, SMS, MMS, push notifications, instant messages, and live chat messages in particular circumstances.
The types of messages captured as CEMs under the Spam Act are very broad. In summary, a message will be a CEM if:
1. it is an “electronic message”
The meaning of “electronic message” is broad, and likely to capture emails, SMSs, MMSs, push notifications, instant messages and live chat messages in particular circumstances.
The only express exception from the definition of “electronic message” is voice calls, including by way of synthetic voice or human voice recording. It follows that telephone calls and recorded menu options are not captured by the Spam Act. However, businesses should keep in mind that there are separate obligations in relation to voice calls under the Do Not Call Register Act; and
2. having regard to the content of the message, and the way it is presented, including any links contained in the content, it can be concluded that at least one of the purposes of the message is to offer to supply goods or services, advertise or promote goods or services, or advertise or promote a supplier of goods or services (amongst other purposes).
The Spam Act prohibits the sending of CEMs, unless an applicable exception applies.
One such exception is that a CEM may be sent with a recipient’s express or inferred consent. A common example of express consent is a customer proactively ticking a box to receive marketing emails in a sign-up flow. Consent can also be inferred, including from the nature of the customer-business relationship. Importantly, notwithstanding the existence of a customer-business relationship, if a recipient has opted out of receiving marketing messages, the business cannot send a CEM (nor can the business send a message seeking consent to receive marketing, as this in itself is a CEM).
In addition to recipient consent, to lawfully send a CEM, the Spam Act requires the CEM to contain:
1. a functional unsubscribe facility which allows the recipient to easily unsubscribe from receiving any further CEMs.
The facility must be presented in a clear and conspicuous manner, and cannot be hidden in the CEM.
Additionally, in the wake of Kogan’s breach of the Spam Act, Parliament introduced the new Spam Regulations 2021. The new regulations prohibit businesses from requiring CEM recipients to log into an account, or sign up for an account, in order to unsubscribe from receiving CEMs. The intention is to protect customers from onerous unsubscribe processes designed to discourage them from unsubscribing; and
2. accurate sender details and contact information.
Another exception to the prohibition against sending unsolicited CEMs is where the message is a "designated commercial electronic message" (DCEM). A DCEM is what businesses often internally call a "service message", “transactional email” or “transactional message”. DCEMs do not require recipient consent and are not required to contain a functional unsubscribe facility, but they are required to include accurate sender details and contact information.
To be regarded as a DCEM, the message must consist of no more than factual information, and may include certain additional factual details specified in the legislation, such as the name, logo and contact details of the individual or organisation who authorised the sending of the message, and/or the name and contact details of the author or the authors' employer, organisation, partnership or sponsor.
Common examples of DCEMs include administrative communications such as emails confirming a consumer’s purchase of a product or an email to reset a password.
Businesses should take care when classifying messages as DCEMs, as even if the message has a legitimate factual purpose, if it is presented in a manner, or combined with any other content such as hyperlinks (including in headers or footers) or images which could be taken to have the purpose of offering to advertise, promote or supply goods or services, the message will be a CEM for the purposes of the Spam Act. In those circumstances, it will need to comply with all the requirements for the sending of a CEM.
It is not uncommon for a business’ communications to consumers to change frequently to reflect new offerings or changes to products or services. Accordingly, it is important for businesses to ensure their CEM templates are compliant with the Spam Act, are only sent to consumers who have given their express or inferred consent and that the CEMs are otherwise compliant with the Spam Act. We also recommend that businesses regularly test that unsubscribe facilities contained in CEMs are operational and effective.
Furthermore, reviews should also be conducted in relation to messages sent to consumers that are considered to be DCEMs, to ensure that they are free from any content which could result in them being regarded as a CEM.