Consent under the Spam Act

Australian Business & Compliance

Also: Express consent · Inferred consent

Two kindsExpress opt-in and inferred
InferredDepends on a current relationship, and expires
BurdenYou must be able to prove consent
Best practiceKeep a dated record of how each contact opted in

Quick definition

Consent is the foundation of the Spam Act. To send commercial electronic messages in Australia you need either express consent, where the person actively opted in, or inferred consent, where a current business relationship makes contact reasonable. The burden of proof sits with you, and inferred consent weakens over time as the relationship ages.

How it varies across Australia

The lists that hold up under scrutiny share one habit: a dated record of how every contact gave consent. The lists that get businesses fined rely on assumption, scraped contacts and a vague belief that an old relationship still counts. The difference is documentation, not list size.

See how email and retention maturity varies across Australian industries

What it actually means

Consent is the permission the Spam Act requires before you send a commercial electronic message. It comes in two forms, and the difference matters.

Express consent is the strong kind. The person actively agreed to receive your messages, by ticking a box, entering an email to subscribe, or otherwise opting in. It is clear, durable and easy to defend.

Inferred consent is weaker and conditional. It applies where the circumstances make contact reasonable, usually a genuine, current business relationship. A recent customer who gave you their email to complete a purchase can often be contacted on inferred consent. But it depends on the relationship being current, and it fades. Someone who bought once a long time ago and never engaged again can no longer be assumed to consent.

The critical point is the burden of proof. If a complaint is made, you have to show the consent existed. That makes documentation the whole game. A list with a dated record of how each contact opted in is defensible. A list built on assumption, purchased data, or relationships that have gone cold is not, regardless of how well it performs.

Under the Spam Act, consent you cannot prove is consent you do not have.

How it shows up

Consent shows up as the records behind your list: for each contact, how and when they opted in, and whether any inferred consent is still current. A healthy list can produce that on demand. Rising spam complaints are usually the first sign that consent has aged or was never solid.

The Australian context

The express and inferred consent distinction is specific to the Australian Spam Act, enforced by the Australian Communications and Media Authority. It differs from markets with weaker opt-in requirements. An imported list or a send-first playbook that relies on opt-out after the fact does not meet the Australian consent standard, so any Australian email or SMS programme needs consent captured before sending.

Where people get this wrong

Treating inferred consent as permanent.Inferred consent depends on a current relationship and fades as it ages. A contact who has not engaged in a long time can no longer be assumed to want your messages.
Failing to record how consent was given.The burden of proof is on you. Consent you cannot evidence is consent you effectively do not have, so a list without dated opt-in records is exposed even if the consent was real.
Assuming a purchased list carries consent.Consent does not transfer between businesses. People on a bought list opted in, at best, to someone else. Sending to them has no valid consent behind it.

Related terms

Spam Act 2003Australian Business & ComplianceUnsubscribe obligationAustralian Business & ComplianceACMAAustralian Business & ComplianceEmail MarketingEmail MarketingOpt-InEmail Marketing

Common questions

What counts as consent under the Spam Act?

Either express consent, where the person actively opted in, or inferred consent, where a genuine current business relationship makes contact reasonable. Express consent is strong and durable. Inferred consent is weaker and depends on the relationship still being current.

Does inferred consent last forever?

No. It depends on a current relationship and weakens as that relationship ages. A long-ago customer who has not engaged since can no longer be assumed to consent, so relying on stale inferred consent is risky.

Who has to prove consent existed?

You do. The burden of proof sits with the sender. If a complaint is made, you must be able to show the consent, which is why a dated record of how each contact opted in is essential.

Can I rely on consent from a purchased list?

No. Consent does not transfer between businesses. People on a bought list never gave you permission, so there is no valid consent behind sending to them, however the list is described by the seller.

Keep exploring

About New Rebellion

New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.

How we think →