Spam Act 2003

Australian Business & Compliance

Also: Spam Act · Australian Spam Act

GovernsCommercial email, SMS and instant messages
Three rulesConsent, identify, unsubscribe
Enforced byThe communications regulator, ACMA
Applies toMessages with an Australian link

Quick definition

The Spam Act 2003 is the Australian law that governs commercial electronic messages, including email, SMS and instant messaging. It requires three things: consent to send, clear identification of the sender, and a working unsubscribe in every message. It is enforced by the Australian Communications and Media Authority.

How it varies across Australia

Most Australian email penalties come from the same few failures. Buying or scraping lists, hiding who sent the message, and unsubscribe links that do not work fast enough. Businesses that treat consent as a real record rather than an assumption almost never get caught out.

See how email and retention maturity vary across Australian industries

What it actually means

The Spam Act 2003 is the rulebook for sending commercial electronic messages in Australia. A commercial message is anything that markets or promotes, and it covers email, SMS and instant messaging. If a message has an Australian link, sender or recipient, the Act applies.

There are three obligations and they are not complicated. First, consent. You need permission to send, either express, where the person opted in, or inferred, where there is a genuine and current business relationship. Second, identify. Every message must make clear who sent it and how to contact them. Third, unsubscribe. Every message needs a working opt-out that stays live and is honoured quickly.

The Act is enforced by the Australian Communications and Media Authority, which has handed out some of the largest marketing fines in the country to businesses that bought lists, sent without consent, or ignored unsubscribe requests.

For marketers the practical version is simple. Keep a record of how every contact came onto your list, put your identity in every send, and make leaving easy and instant. Do that and the Act is a non-event. Treat consent as something you can assume and it becomes the most expensive shortcut in your stack.

The Spam Act is three rules. Get consent, say who you are, and let people leave. Almost every breach is one of those three.

How it shows up

Compliance shows up in three records you should be able to produce on demand: how each contact consented, what identifies you in every send, and how fast unsubscribes are processed. Trouble shows up as rising spam complaints and deliverability falling, which is usually the first sign consent has drifted.

The Australian context

The Spam Act is the Australian regime and it sits alongside the Do Not Call Register for telemarketing and the Privacy Act for how you store the personal information behind your list. It differs from the United States CAN-SPAM regime in one important way. Australia is consent-based, so you generally need permission before you send, rather than permission to keep sending after the fact. An imported United States playbook that sends first and lets people opt out can breach the Australian rules.

Where people get this wrong

Treating a purchased or scraped list as a usable list.Consent does not transfer. The people on a bought list never gave you permission, so sending to them breaches the Act from the first message.
Assuming inferred consent lasts forever.Inferred consent depends on a current relationship. A contact who has not engaged in a long time can no longer be assumed to want your messages.
Running an unsubscribe that is slow or broken.The opt-out must work and be honoured promptly. A link that fails, or a request that still gets a send days later, is one of the most common breaches.

Related terms

Consent under the Spam ActAustralian Business & ComplianceUnsubscribe obligationAustralian Business & ComplianceDo Not Call RegisterAustralian Business & ComplianceEmail MarketingEmail MarketingPrivacy Act 1988Australian Business & Compliance

Common questions

What does the Spam Act actually require?

Three things in every commercial electronic message: consent to send, clear identification of who sent it, and a working unsubscribe that is honoured promptly. It covers email, SMS and instant messaging with an Australian connection, and is enforced by the Australian Communications and Media Authority.

Is the Spam Act the same as the United States CAN-SPAM Act?

No. Australia is consent-based, so you generally need permission before you send. CAN-SPAM is closer to an opt-out model where you can send first. A United States playbook that messages cold and waits for opt-outs can breach the Australian rules.

Can I email a list I bought?

No. Consent does not transfer between businesses. The people on a purchased or scraped list never gave you permission, so sending to them breaches the Act. Build your own list with a clear opt-in instead.

What is inferred consent?

It is permission implied by a genuine and current business relationship, such as a recent customer. It is weaker than express opt-in and it expires. A contact who has not engaged in a long time can no longer be assumed to consent.

Keep exploring

About New Rebellion

New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.

How we think →